Since its creation in July 2011, the Consumer Financial Protection Bureau (CFPB) has entered into five public consent orders with financial institutions and, in one case, a service provider, to correct alleged consumer protection violations. While these orders involved some of the biggest institutions in the industry (Capital One, Discover and American Express), there are valuable insights to be gleaned from these orders for both institutions directly monitored by the CFPB and institutions that are examined for consumer protection compliance by their prudential regulators (especially since the Federal Deposit Insurance Corporation (FDIC) joined in two of the orders). Below are some lessons to be learned from these orders:
1. UDAAP Is Everywhere
It seems everywhere bank professionals look there are discussions regarding the new focus on unfair, deceptive or abusive acts or practices (UDAAP). The CFPB’s first enforcement actions are no exception. All five consent orders cite UDAAP violations. Further, in two of the five orders, no other law violation is cited. This means that a financial institution should not assume that if it is compliant with all other consumer protection laws, such as the Truth in Lending Act and the Real Estate Settlement Procedures Act, it is in the clear. UDAAP is a hot-button issue for regulators, so it should also be a hot-button issue for financial institutions. Noticeably, none of the CFPB orders cited “abusive” practices, so we will need to wait a bit longer to see what regulators determine fits under that category.
2. Say What You Mean, and Mean What You Say
Several of the violations cited related to the language and practices used in marketing products. While there were several different practices cited, the general theme was that these institutions were not giving their customers accurate, clear and complete information prior to the customer’s purchase of a product. In some cases, it appears the product materials were not necessarily inaccurate, but the sales staff, which was sometimes outsourced, was not adequately trained on the product. To try to avoid these problems, it is important for financial institutions to spend sufficient time training frontline staff regarding the features and limitations of the institution’s product offerings.
3. Watch Over Third-Party Providers
As mentioned above, some of the violations arose out of mistakes that financial institutions’ third party providers made. This includes any third party that communicates with institution customers, such as marketers, payment processors, or debt collectors. Their mistakes will be attributed to the institution, and it can be more challenging to monitor these parties’ activities from afar. Financial institutions should ensure that their contracts with these parties allow the institution to monitor and audit these parties’ activities. Third parties should also be required to forward any customer complaints they receive to the institution so the financial institution can promptly investigate and respond to potential problems. Further, contracts should include termination clauses that allow the financial institution to walk away from the relationship if it is harming the institution’s reputation or leaving the institution open to potential UDAAP violations.
4. The Usual Suspects Still Trigger Violations
The CFPB’s first orders also deal with some historically common missteps that institutions still need to work to avoid, such as charging unauthorized or excessive fees or tripping over Fair Credit Reporting Act requirements. Further, sometimes the issue was not whether the financial institution provided the required disclosures but rather the manner of disclosure. Speeding through mandatory disclosures or downplaying their importance is never a good idea. Again, this is a training issue for frontline staff.
In the coming days and months we will no doubt get additional glimpses of issues upon which the CFPB and its prudential regulator counterparts are focusing. Paying attention to these cues provides you with the opportunity to ensure your institution is not making the same mistakes.
Financial institutions should take note of the issues addressed in the first CFPB enforcement actions to avoid being cited for similar violations.