Compared to other agencies, the Federal Reserve hasn’t handed down very many enforcement actions for unfair and deceptive practices violating the Federal Trade Commission Act (FTC Act). Why then is the Fed requiring a community bank to pay $4.75 million in restitution to 11,000 consumers for violating this law?
Based on the order from the Federal Reserve, it is primarily because of a failure in third-party risk management. The bank used a vendor with a history of UDAAP violations and was punished for not conducting adequate vendor management due diligence or using sufficient vendor management processes.
What went wrong?
From November 1994 to January 2017, the bank used a third party to provide bundled account add-ons like payment card protection, lost key protection, and medical emergency data cards. The Fed found two flaws with the product:
- The bank’s marketing said the benefits would begin upon enrollment without adequately disclosing there was a two-step enrollment process to activate some benefits.
- It didn’t tell customers they would still be charged monthly fees for the product even if they hadn’t activated all the benefits.
While the enforcement action doesn’t name the vendor, it does name some of the products the bank was using. That points to a vendor that has gotten in trouble for similar violations in the past. If the bank had been monitoring this vendor, it would have been aware of these issues.
A history of problems
Just look at $18.4 billion-asset First National Bank of Omaha, which used the same vendor for a credit card add-on program. The Consumer Financial Protection Bureau (CFPB) slapped the bank with $27.5 million in customer reimbursements plus $7.5 million in restitution and civil money penalties. The CFPB says the bank through its third-party vendor:
- Used deceptive marketing to lure consumers into debt cancellation add-on products; and
- Charged consumers for credit monitoring services they did not receive.
Sound familiar? It was not an isolated case.
In 2015 the CFPB fined the same vendor $1.9 million for charging credit card consumers for benefits they didn’t receive and made the company pay almost $7 million. In 2017 an OCC bank was given a cease and desist order after the company marketed and billed customers for an identity protection product even when customers didn’t submit authorization to access credit reports. U.S. Bank had the same issue in 2014. In 2012 it settled with N.Y. state, agreeing to pay $8 million in refunds and civil money penalties for billing New Yorkers for discount club programs without consent. In 2013, 48 states obtained a $30 million judgement against the company for similar discount club program issues.
Shoddy vendor risk management
This particular vendor clearly had a history of a specific type of compliance violation. That leads me to believe that the bank’s third-party vendor management process couldn’t have followed best practices. Specifically, I wonder:
Did the bank know about the vendor’s history? Ongoing third-party vendor due diligence should have made the bank aware it was contracted with a vendor that was repeatedly dinged for a series of similar violations. Other banks using its services were subject to large fines and restitution. Maybe the vendor had a sterling reputation when the relationship began, but it was no longer intact, and the bank should have recognized that fact.
Did the bank assess the risk? Maybe the bank knew the vendor had faced regulatory issues, but it didn’t consider the possible risks of the relationship, including compliance risk, financial risk, and reputation risk, among others. Or perhaps it was aware of the risk, but felt the risk was worth the fee income generated.
What kind of controls did it have in place? If a bank is going to take on a risk like working with a vendor with a history of regulatory enforcement actions, there need to be controls in place to prevent known issues from recurring. A Google search of the vendor easily reveals a pattern of past problems. A bank with a strong vendor management process would have systems in place to monitor the vendor to ensure it followed all applicable laws, regulations, policies, and procedures. It would take action if a shortcoming was found.
The enforcement action indicates the answer to my questions. Not only is the bank facing steep costs, it’s required by the Fed to update its risk management program.
As part of the agreement, the bank agreed to enhance its program so that third-party offerings comply with consumer protection laws and regulations, including those dealing with marketing, processing, and servicing. The bank needs to review all marketing materials prepared by third parties. The order specifically mentions the importance of receiving “all materials documenting the service-level standards for services provided by” vendors and companies those vendors work with. This includes consumer complaints, how the relationship fits with the bank’s strategic plan, compliance risk assessments as part of vendor due diligence, appropriate controls, updated policies to keep pace with regulations, and internal controls. Due diligence reports and audit results are mentioned as well.
The bank also needs a consumer compliance committee. The Fed must approve a plan to improve board oversight of the bank’s compliance risk management program, including communicating expectations; ensuring policies and procedures are followed; providing senior management oversight and enough consumer compliance staff; and following up on audit and exam findings.
Failing to follow basic third-party vendor risk management can be expensive. The Fed came down on the bank because it used a vendor with a questionable history for years and didn’t have the vendor management processes to identify, measure, monitor, and mitigate the risk accordingly. Each news release highlighting a violation should have triggered a review of the vendor, but the bank didn’t take any action to protect its customers. As a result, the bank must pay back decades of add-on income in restitution.