The Office of the Comptroller of the Currency (OCC) has levied a $1.5 million civil money penalty against a Missouri-based bank for alleged violations of Section 5 of the Federal Trade Commission Act.

What happened

Between June 2009 and February 2013, the bank marketed and sold to bank customers an identity protection product offered through a third-party vendor and dubbed “Fraud Protection Plus.” The bank advertised the product through direct mail campaigns until April 2011 and continued offering the product on its website and in branch locations until February 2013.

Fraud Protection Plus included services such as credit monitoring and credit report retrieval. But according to an examination by the OCC, over an almost five-year period from June 2009 to April 2014, the bank billed customers the full price of the product even though not all customers were receiving all of the services, and retained a portion of the fees collected.

“By reason of the billing practices for the Fraud Protection Plus product … which were the result of deficient vendor management practices, the Bank engaged in unfair practices in violation of Section 5 of the FTC Act,” the OCC stated in a Consent Order, a violation that “caused substantial consumer injury or was likely to cause substantial consumer injury” and was “part of a pattern of misconduct that resulted in financial gain to the Bank.”

Although the bank neither admitted to nor denied the OCC’s allegations, it agreed to a civil money penalty of $1.5 million as well as a Consent Order instituting several changes to its practices and procedures.

The bank must form a Compliance Committee (of at least three members, with a majority composed of outside directors) responsible for monitoring and overseeing the financial institution’s compliance with the Consent Order, including the submission of written reports to the OCC.

The Consent Order requires both a written Comprehensive Action Plan (a complete description of the actions necessary to achieve compliance with the Consent Order, accompanied by timelines for the completion of each requirement) and a revised, written, enterprise-wide Unfair and Deceptive Acts and Practices (UDAP) risk management program for all consumer products offered by the bank or through third parties.

The UDAP program must include an annual comprehensive assessment of the UDAP risk posed by the products currently offered by the bank, the development and implementation of written policies and procedures to manage and prevent such risks, and the designation of an executive risk manager, independent of the unit overseeing the sales and marketing of the products.

Given the bank’s “deficient vendor management practices,” the Consent Order also featured provisions with regard to third-party vendor monitoring. A new policy with regard to third-party vendor management shall, at a minimum, require the bank to conduct an analysis of the third party prior to entering into a contract and to use a contract that delineates the third party’s specific performance responsibilities, provides the bank with the authority to conduct periodic on-site reviews and grants the bank the power to terminate the contract for failure to comply with the contract terms.

Pursuant to the Consent Order, the bank must fully reimburse eligible customers (defined to include those enrolled in the Fraud Protection Plus program and billed for it between June 2009 and April 2014 despite not receiving all the features) by paying the full amount of product fees, credit card over-limit fees, finance charges, and overdraft or negative balance fees, less any amount previously refunded.

Why it matters

This is a reminder of the dangers of ancillary product sales, and most financial institutions have dramatically reduced or eliminated these products. Here, while the bank neither admitted nor denied the allegations, it agreed to a pair of Consent Orders carrying a $1.5 million civil money penalty (plus additional funds for consumer reimbursement). It will also change its policies and procedures for third-party vendor management and UDAP risk management, after the OCC said the financial institution billed customers for a credit monitoring or credit report retrieval service they did not receive.