inform. educate. connect. Issue #5 - December 2012  

The CFPB Takes Aim at Third-Party Products Offered to Customers

By Peter G. Weinstock, Hunton & Williams LLP

On July 26, 2012, the Consumer Financial Protection Bureau (CFPB) announced a $210 million settlement with a large national bank. The bank agreed to pay $150 million in restitution and $25 million of fines assessed by the CFPB, and $35 million assessed by the Office of the Comptroller of the Currency (OCC). The action concerned credit add-on products that are offered by many financial service companies, including:

  • debt forgiveness plans in the event of death or disability

  • payment protection plans allowing cancellation of 12 months of payments

  • credit monitoring plans providing identity theft protection

Notably, the CFPB did not take issue with the products themselves, but instead, with how they were being marketed. This settlement is notable not only because it represents the first enforcement action by the CFPB, but for its subject matter. Specifically, the sanctions are for conduct of a third-party provider, rather than direct actions of a financial services company.

The idea that a financial services company can face consequences for the actions of its service provider is not new. In June 2012, the CFPB issued a bulletin advising financial institutions of their responsibility to police the actions of companies with which they contract. Perhaps the CFPB was echoing earlier pronouncements by other regulators. For instance, in 2008, the FDIC issued FIL 44-2008, “Guidance for Managing Third-Party Risk.” The FIL Guidance noted eight risk areas for third-party service providers, including transaction risk (service or product delivery deficiencies), reputation risk (adverse public opinion or adverse publicity) and compliance risk (conduct of the third party fails to comply with the law or is inconsistent with the financial services company’s policies or procedures or business standards). In my June 2012 client alert entitled, “Increased Regulatory Scrutiny of Third-Party Vendors and Their Contracts,” I set forth the regulatory expectations for agreements with third-party providers.

The CFPB’s position in this recent enforcement action was that the third-party provider was deceiving consumers, which warranted enforcement action based on the authority to penalize unfair, deceptive or abusive acts or practices (UDAAP). All financial services companies should consider the CFPB’s allegations. Specifically, the CFPB alleged that customers were routed to a different process to activate their credit cards depending upon their credit score and credit limits. The activation process went through a call center.  The bank developed call-center scripts for each product to be used by call-center representatives in each solicitation. Call-center representatives, however, frequently deviated from the scripts. According to the CFPB, the call-center employees:

  • indicated that having the add-on product would improve credit scores and assist customers in receiving a credit limit increase

  • referred to the payment protection product as a “back-up fund” providing protection that would automatically kick in if the consumer missed a payment

  • misrepresented the cost of the product by:

    • implying it was free

    • indicating that it would only have a charge if the consumer missed a payment

    • stating that it only costs “99 cents”

    • holding back information regarding the product’s terms and conditions until the consumer activated the product

    • indicating that individuals on government assistance, such as unemployment insurance, would be deemed self-employed for purposes of the protection

    • failing to indicate to unemployed consumers that they would first have to become employed before they would receive product benefits

    • stating unsubstantiated statistics such as “identity theft is the number one crime”

    • failing to inform the customer that the product was optional

    • failing to obtain the customer’s affirmative consent

The CFPB was also greatly concerned about rebuttal tactics that were used to try to convince customers to continue the product when they had tried to cancel it. These tactics allegedly included many of the issues alleged above.

The CFPB deemed such conduct to represent deceptive marketing materials and activities, and thus a UDAAP violation. The Order mandated that in any customer presentation, there could not be any misrepresentations related to:

  • any fees, costs, expenses and charges associated with the product

  • that the product is optional

  • that the product will improve the customer’s credit score or assist customers in receiving a credit limit increase

  • that accessing the product’s benefits requires no action

  • the benefits of the product

  • any material conditions, benefits and restrictions related to the product

  • the purpose of the sales call

  • payment terms

  • a fee or charge that would be added to the customer’s balance even if the customer paid off the outstanding balance in full

Moreover, the Order prohibited:

  • deceptive promotional practices or marketing products, including failing to adequately disclose (“clearly and prominently”) important product terms and conditions

  • consumers from being enrolled in programs without affirmative consent

  • requiring payment for programs when the consumer may not have realized that they had been enrolled in the program

Thus, the CFPB mandated corrective action that arguably went beyond the misconduct cited.

The CFPB also provided instruction for disclosures, including a definition for “clearly and prominently” with regard to disclosures. Specifically, written information must be in a type size and location sufficient for an ordinary consumer to read and comprehend it.

In CFPB Bulletin 2012-06, the CFPB indicated that it evaluates the effectiveness of disclosures by whether:

  1. the statement is prominent enough for the consumer to notice

  2. the information is presented in an easy-to-understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere

  3. the information is located where the consumer can be expected to look or hear

  4. the information is in close proximity to the claim it qualifies

The CFPB also stated that it will closely examine employee incentive or compensation programs that might result in incentives for employees to provide inaccurate information.

When the CFPB announced the enforcement action, its director, Richard Cordray, noted that, “[w]e know these deceptive marketing tactics for credit card add-on products are not unique to a single institution.” In light of the OCC’s complementary action, financial service companies (regardless of size) that offer these products should re-examine the disclosures and marketing practices as well as the agreements with such parties and terms of such products, especially if the third-party provider has customer contact. Even if the add-on products are offered by the financial institution itself, the approach to them should be re-evaluated. The CFPB’s allegations should form a template for evaluating such products and the way they are being sold.


Peter Weinstock is practice group leader of the Financial Institutions section of Hunton & Williams LLP. He writes and speaks frequently on topics of interest to community bankers and can be reached at 214-468-3395.