The CFPB and the OCC issued separate but related consent orders for “unfair billing practices” involved in a bank’s marketing of identity theft products, largely as add-on products for credit cards. The OCC’s order includes a $60 million civil money penalty for billing practices that violated Section 5 of the FTC Act, which prohibits unfair and deceptive acts or practices. The CFPB’s actions ordered the bank, JPMChase, to pay $20 million to the CFPB’s Civil Penalty Fund primarily due to an Identity Theft Protection Program that was marketed to bank customers by a third-party vendor. According to the CFPB consent order, the program fees were billed incorrectly to many consumers who had not provided written authorization as required by law or for whom authorization could not be processed. Both agencies found that this occurred from October 2005 through June 2012.

The orders also include restitution to affected customers, which regulators estimate at $309 million paid to roughly 2.1 million customers, as well as a cease and desist order that, among other things, requires the bank to correct compliance deficiencies, institute governance and risk management of consumer products and improve its oversight of third-party vendors that sell products related to its credit cards.

Of significance, the CFPB consent order sets forth what the CFPB requires for a vendor management policy whenever a bank offers an “add-on product,” defined as “…[certain] consumer financial product[s] or service[s] … offered as an optional add-on product to [b]ank credit cards and/or as an optional add-on product to co-branded consumer products of the [b]ank.” (emphasis added) Required vendor management policies include:

  • An analysis, conducted prior to contract, of the ability of the vendor to perform all services (e.g., marketing, sales, delivery) in compliance with ALL applicable federal consumer financial laws and the bank’s policies.
  • A written contract that requires the vendor (i) to maintain adequate internal controls and (ii) to provide adequate training to employees and agents that complies with ALL applicable federal consumer financial laws, and that (iii) provides for the bank’s right to terminate for the vendor’s material failure to comply.
  • Periodic onsite review of the vendor’s controls, performance and information systems.


A copy of the CFPB consent order may be found here.

A copy of the OCC consent order may be found here.

A copy of the OCC’s cease and desist may be found here.