For those of you wondering why financial institutions have been so worried about the enforcement powers of the CFPB, you now have your answer. The CFPB recently celebrated its one-year anniversary by announcing its first enforcement action. The $210 million dollar action against Capital One was not only meant to punish Capital One for what the CFPB believes were "deceptive practices," but was also meant to send a message to financial institutions that: (i) the CFPB intends to use enforcement actions aggressively to discourage conduct that it deems to “deceptive practices;” and (ii) more actions are coming.

The action against Capital One Bank alleges that the bank's third-party vendors marketed various credit card related services deceptively. To settle these charges, Capital One has agreed to pay a total of $210 million to reimburse customers ($150 million) and as fines for the alleged deceptive practices ($25 million to the CFPB and $35 million to the Office of the Comptroller of the Currency (OCC)). In addition to being the CFPB’s first, this enforcement action is significant for several reasons—each of which carries important lessons and warnings for financial institutions.

Third Party Liability: The CFPB’s enforcement action put financial institutions on notice that it intends to hold them strictly accountable for the conduct of their third-party vendors. The action against Capital One is not based on Capital One’s marketing tactics, but those of its third-party vendors. In a press release, the CFPB explained that the enforcement action “results from a CFPB examination that identified deceptive marketing tactics used by Capital One’s vendors.” Capital One, which has denied any liability, appears to have had little at all to do with the alleged deceptive practices. Instead, Capital One contends that the alleged conduct was the result of a third-party vendor that failed to adhere to Capital One’s own sales scripts. Since its inception, the CFPB has warned financial institutions of their obligations to oversee their third-party service vendors and the CFPB’s intention to hold the institutions accountable for the actions of these vendors (see CFPB Bulletin 2012-03 (April 13, 2012) discussed in CFPB Alert, V. 2, No. 7). The enforcement action not only reaffirms the CFPB’s intentions, but also emphasizes the Bureau’s position in the Bulletin that, according to the CFPB, “establishes that institutions will be held responsible for the actions of their third-party vendors.”   

Fines As A Deterrent: The $210 million fine is not only significant because it dwarfs fines issued by other government regulators (the Federal Trade Commission’s largest fine against a single entity is $22.5 million), but it also suggests that the CFPB intends to continue issuing significant fines to deter other banks from engaging in similar conduct. Industry insiders believe that the CFPB is upping the ante when it comes to fines because it believes that past penalties were viewed by financial institutions as nothing more than the cost of doing business. Significant fines will be more problematic for smaller institutions that lack the resources of larger financial institutions. 

Airing of Dirty Laundry: In connection with the enforcement action, the CFPB publicly issued a consent order that described in painstaking detail the violations that formed the basis of the CFPB’s action. Institutions should not only be concerned that the CFPB will use enforcement actions to publicly detail their practices and procedures, but that they will also be subjected to thorough examinations and required to produce sensitive documents that may be turned over to other regulators and state law enforcement officials.

Being Told How To Conduct Business: In connection with the enforcement action, the CFPB also issued Compliance Bulletin 2012-06 that outlines the steps that the CFPB believes that financial institutions “should take . . . to ensure that they market and sell credit card add-on products in a manner that limits the potential for statutory or regulatory violations.” (See article above.) In other words, the CFPB is setting the standard for how financial institutions should conduct their business. With each new enforcement action, it is anticipated that the CFPB will issue additional Compliance Bulletins that further proscribe how financial institutions may conduct their business.

No One Is Safe From the CFPB:  By targeting Capital One—one of the nation’s largest and most well-known banks—the CFPB demonstrated that no financial institution, large or small, is safe from scrutiny.

More Enforcement Actions Are Coming: In announcing the enforcement action, the CFPB was not shy in warning financial institutions that this was only the beginning. CFPB Director Cordray warned “We expect announcements about other institutions as our work continues to unfold.” Cordray also forewarned that the CFPB knows the alleged deceptive market practices “are not unique to a single institution,” and that the “compliance bulletin puts all financial institutions on notice about these prohibited practices and reinforces that they must make sure their service providers are complying with the law.”

With the first enforcement action under its belt, it is not clear what institution or issue the CFPB will target next, but two things are certain: (i) concern over the CFPB’s enforcement powers was well founded; and (ii) CFPB does not intend to slow down any time soon; America’s financial institutions (and their customers) will undoubtedly pay the price.