The FDIC, OCC and CFPB have each recently taken enforcement actions against banks for unfair or deceptive acts or practices (“UDAPs”) in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”). The OCC and the CFPB both announced on September 25 that each agency has entered into consent orders with the same bank for unfairly billing consumers for identity protection and credit monitoring services that the consumers did not receive. According to the agencies, the services were marketed and administered by third-party service providers as add-on products to credit cards and other bank products, including mortgage loans and checking accounts, under a joint marketing agreement with the bank. The bank will pay a $5 million civil money penalty to the CFPB and a $4 million penalty to the OCC, in addition to about $48 million in restitution to more than 420,000 consumer accounts. The consent orders also require the bank to improve its management of third-party vendor relationships and to submit to increased oversight by the OCC and CFPB of the bank’s third-party vendor management program. Section 5 of the FTC Act prohibits UDAPs in or affecting commerce and grants the federal banking agencies authority to enforce Section 5 for the institutions they supervise. The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) granted similar – but broader – authority to the CFPB to take enforcement action against financial services providers for UDAPs – as well as “abusive” practices – in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.
Nutter Notes: The FDIC announced on September 29 that it has entered into a consent order with a state-chartered bank for UDAPs related to marketing and servicing of credit card add-on products in violation of Section 5 of the FTC Act. Under the consent order, the bank will pay a civil money penalty of $1.1 million to the FDIC, and will pay restitution to consumers of approximately $15 million. The consent order also requires the bank to improve its compliance management and third-party vendor oversight programs. In this case, the bank was involved in marketing a payment protection credit card add-on product administered by a third-party vendor that provided a benefit payment toward a consumer’s monthly credit card payment following certain life events such as involuntary unemployment, disability or hospitalization. The FDIC determined that the bank violated Section 5 of the FTC Act by, among other things misrepresenting that the monthly benefit of the add-on product would equal the consumer’s minimum monthly payment, misrepresenting that the product would protect the consumer’s credit rating, and misrepresenting that payments would be made automatically. The FDIC also determined that the bank failed to adequately disclose to consumers material conditions and restrictions of the product and the terms and conditions for accessing the product’s hospitalization benefit. The FDIC, OCC and CFPB UDAP enforcement actions follow last month’s release of Interagency Guidance Regarding Unfair or Deceptive Credit Practices by the CFPB and the federal banking agencies, which announced that the agencies would continue to enforce UDAPs involving consumer credit products and services despite the repeal of the agencies’ credit practices rules for banks and savings associations.