The CFPB, in cooperation with the Office of the Comptroller of the Currency (OCC), recently issued a consent order against Bank of America and its credit card subsidiary, FIA Card Services, to pay an estimated total of $727 million for alleged UDAAP violations related to credit card add-on products in connection with identity protection and debt cancellation services. According to the order, the bank and its add-on product service providers marketed two credit card payment protection services with telemarketing scripts that contained misstatements and through telemarketers who went off script in a misleading manner, resulting in consumers being misled. The bank was also found to have charged consumers for products they did not receive, unfairly charged interest and improperly charged fees. With respect to the identity protection services, the bank, through its service providers, was accused of billing for credit monitoring and/or credit reporting services that ultimately were not provided.
In addition to the extensive civil money penalties, the consent order requires the bank to revise its UDAAP policy and take the following actions:
- Implement a written comprehensive UDAAP assessment, conducted annually, for existing or new add-on products;
- Develop and implement written policies and procedures to effectively manage, prevent, detect and mitigate, on an on-going basis, the risks identified in the written assessment;
- Record all calls in which add-on products are marketed or sold and record calls where a customer indicates that he did not authorize, does not want, does not need or wishes to cancel the add-on product. The recordings must be retained for at least 25 months from the date of the call;
- Create comprehensive written procedures for providing appropriate training on applicable federal consumer financial laws and the bank’s related policies and procedures regarding add-on products and unfair, deceptive, and abusive acts and practices; and
- Create comprehensive written policies and procedures and develop training materials for identifying and reporting violations of applicable federal consumer financial laws and policies and procedures related to add-on products sold by the bank’s employees and service providers’ employees or agents. This must be completed in a timely manner, with the support of an independent compliance unit to oversee the sale and marketing of add-on products.
The OCC’s order also requires the bank to improve governance of third-party vendors associated with the add-on products.
Being billed as the CFPB’s toughest UDAAP enforcement action involving add-on financial products to date, the consent order should serve as a strong reminder of the scrutiny that all financial services company falling under the CFPB’s jurisdiction may encounter. The CFPB’s investigation into past billing practices stretched back farther than in other investigations, and the bureau’s investigation into the bank’s marketing tactics and billing practices was no less than intrusive. All prepaid companies should consider the consent order’s call for an annual UDAAP policy assessment, the various written policies and procedures and the monitoring obligations as an indication of the CFPB’s general UDAAP-related expectations.