The Consumer Financial Protection Bureau (CFPB) entered into a Consent Order on January 31 with UniRush, a prepaid debit card company, and its processor over a breakdown in October 2015 that left RushCard holders unable to access their funds.

What happened

In October 2015, holders of the RushCard, a reloadable prepaid debit card, suddenly faced problems. Some consumers saw their balance drop to zero despite having money in the account; in other cases, direct deposits made to their accounts were returned while other consumers were completely locked out of their accounts even though funds were available.

According to UniRush, LLC, program manager for the RushCard, technical problems stemming from a switch in its payment processors was the cause of the problems faced by over 650,000 active cardholders. But the problems continued even for a few weeks after the conversion took place. As a result of a large number of consumer complaints, the CFPB started an investigation into the problems RushCard cardholders were experiencing.

As a result of the investigation, the Bureau concluded that there were "a rash of preventable failures" by UniRush and its processor, and ordered the companies to pay an estimated $10 million in restitution to affected customers as well as a $3 million civil penalty. Their failures "cut off tens of thousands of vulnerable consumers from their own money, and threw some into a personal financial crisis," CFPB Director Richard Cordray said in a statement. "The companies must set things right for consumers and make sure such devastating service disruptions are not repeated."

Despite the fact that the companies spent 13 months preparing for the switch to the new payment processing platform, the CFPB received hundreds of complaints from cardholders in the weeks that followed the change. The actions of the companies harmed tens of thousands of active cardholders, the CFPB alleged.

The CFPB claimed that UniRush did not accurately transfer all of the accounts to the new payment processer, leaving many consumers unable to access the funds stored on their cards for days or weeks. It also found that UniRush exacerbated the problem by delaying cash deposits, shutting off access to certain funds and failing to issue a working replacement card for consumers whose cards were lost or stolen during this period.

Of the 270,000 cardholders whose pay or government benefits were deposited onto the cards, an estimated 45,000 cardholders had their direct deposits delayed, while another 2,000 cardholders had their deposits improperly returned or not processed at all, the CFPB alleged. Some cardholder deposits were double-posted, some cardholders were incorrectly told their balance was zero when there were funds in the account, and other debit transactions were not promptly processed, leaving consumers with falsely inflated account balances that resulted in "thousands" of cardholders spending more than they had, the CFPB alleged.

Communication between the company and the processor was also problematic, the CFPB said, with the payment processor failing to ensure it sent accurate information to UniRush when it declined to authorize transactions. Finally, the CFPB chastised both companies for poor customer service. UniRush did not have adequate plans in place to handle the increased demand caused by the service disruptions, the CFPB alleged, and even though it hired additional personnel, it did not provide proper training. Cardholders waited on hold for hours during the breakdown and were often unable to obtain information about their funds and accounts, the CFPB claimed.

The CFPB took action under the Consumer Financial Protection Act, which prohibits unfair, deceptive or abusive acts or practices. Pursuant to the Consent Order, the companies must pay an estimated $10 million restitution to "tens of thousands" of cardholders who could not access their funds or who suffered other problems created by the breakdown. The amount to be received by any individual cardholder will range from $25 to $250, depending on the particular failure the cardholder experienced.

In addition, under the Consent Order, each company must institute, maintain and test a series of written policies and procedures, such as: avoiding program disruptions, providing for disaster recovery and contingency plans and ensuring that proper and accurate information is provided to cardholders. Also, they must improve their audit procedures and are required to submit to Board oversight.

Why it matters

The incident has drawn attention to problems consumers face with prepaid cards. In a press call about the $13.5 million deal, Cordray noted that the Bureau's Prepaid Card Rule is set to take effect in October 2017, adding that "we are putting the prepaid industry on notice that companies will face the consequences if consumers are denied access to their money or to the services they pay for and on which they have the right to depend."

Perhaps more significantly, the case has further defined the standards by which the CFPB measures what constitutes unfair, deceptive or abusive acts and practices. In the instant case, the failure to conduct adequate testing and preparation for conversion to a new processor, and poor administration of customer accounts post-conversion, were deemed unfair acts and practices under the statute.