With record heat this summer, and no new regulatory effective dates to entertain us in August or September, one might wonder… Is anything going on?
From an enforcement action perspective, there is plenty going on.
There seems to be a wave of press releases lately involving actions taken against institutions or fintech companies related to activities resulting in consumer harm. Compliance staff are encouraged to familiarize themselves with these actions and consider some takeaways that could benefit their own institution and their Compliance Management System (CMS).
A Summer Reading List
In looking at actions taken in July and August, these five items captured our attention:
Collectively, these actions represent over $306 million in fines.
While each action can be used as a case study for us to learn some important lessons in deficient or illegal practices and resulting harm, one case in particular really caught our attention. That is, the CFPB fining U.S. Bank for illegally exploiting personal data to open sham accounts. That description reminded us of a 2016 revelation where another one of the nation’s largest banks, Wells Fargo, ended up with a $3 billion fine related to a Justice Department action for a fake account scandal.
CFPB Fines U.S. Bank $37.5 Million
So let’s take a closer look at the U.S. Bank-related action. At a high level, the CFPB shared their initial observations that the Bank, in order to increase sales of certain products and services, imposed sales goals and implemented incentives that rewarded employees for selling those products and services.
While that sounds like a typical sales program, problems arose. And, one might wonder… how did the Bank go from incenting employees to sell, to creating an environment resulting in unlawful practices?
Well, the Bureau observed that this program applied pressure to Bank employees to reach their goals and obtain rewards. But, it was noted that in response to that pressure, employees… ”opened deposit accounts, submitted applications for and issued credit cards, and opened lines of credit linked to deposit accounts without consumers’ knowledge and consent.” The CFPB concluded that the Bank’s processes were not reasonably designed to prevent improper sales acts or practices. Another factor that exacerbated this environment was that when a consumer or employee alleged improper action, the process for elevating such complaints or allegations was often stalled at the branch level, which resulted in many complaints not being escalated or acknowledged.
Besides the opening of non-authorized accounts, the resulting consumer harm was apparent in a variety of ways, for example: the charging of fees, negatively impacting consumer reports, loss of control over use of personal information, as well expending time and effort to resolve unauthorized accounts.
So, What Can an Institution Takeaway from this Enforcement Action?
While reading the Bureau’s consent order will be helpful (linked above), some questions to ask yourself and consider in your own environment might include these:
- How is my institution’s compensation plan documented, in either policy, procedures, or job descriptions?
- Do those documentary controls clearly include a prohibition against opening accounts without a permissible purpose or authority?
- What controls are in place to ensure a customer authorized an account opening?
- Are FCRA-related policies and procedures robust enough to ensure credit reports are not used for non-permissible purposes?
- What controls are in place to ensure credit reports are obtained only with a permissible purpose?
- Do complaint procedures limit reporting in a manner which would keep allegations from being seen by anyone above the branch level?