On September 24, the CFPB announced a consent order with a large national bank to address alleged unfair practices related to add-on identity theft protection products marketed by the bank and sold and administered by a third-party service provider to the bank’s customers from 2003 to 2012. Specifically, the CFPB alleged that customers were unfairly billed by the service provider for certain products that offered credit monitoring and credit report retrieval services without receiving the full benefit of the services. Customers who enrolled in these add-on identity theft products were required to provide sufficient written authorization and personal verification before the customers’ credit bureau reports could be accessed. However, according to the Bureau, in many instances time passed before a customer’s authorization was obtained, or the authorization was never obtained. In other instances, the credit bureau could not match the customer’s identification information with its records. Although the bank’s vendor, rather than the bank itself, was directly responsible for selling and administering the products, the CFPB found that the bank’s compliance monitoring, service provider management, and quality assurance functions had failed to prevent, identify, and correct the unfair practices, resulting in substantial injury to more than 420,000 consumers. According to the CFPB’s order, this injury was not reasonably avoidable by consumers and was not outweighed by any countervailing benefit to consumers or competition, and, therefore, the bank engaged in unfair practices.
The consent order requires the company to pay $47,900,000 in redress to compensate consumers injured by the alleged unfair billing practices, as well as a $5 million penalty to the CFPB. In addition, the consent order requires the bank to: (i) correct all unfair practices related to improper customer billing for add-on identity protection products and take numerous additional corrective actions to ensure that neither the bank nor its service providers or affiliates engage in such practices in the future; (ii) obtain CFPB non-objection prior to marketing, selling, or referring customers to identity protection products in the future; and (iii) review and, if necessary, revise the bank’s third-party risk management and responsible banking programs to ensure that, among other things, the bank conducts periodic onsite reviews of any add-on service provider’s controls, performance, and information systems. A separate OCC consent order also requires the bank to pay an additional $4 million civil money penalty to the OCC.