CFPB Orders Restitution and Civil Penalties for Unfair Practices in Billing for Add-On Identity Theft Protection Products
In the CFPB’s most recent administrative adjudication issued September 18th, Chase Bank USA, N.A. and JP Morgan Chase Bank, N.A. (Chase) entered into a Consent Order with the Bureau related to its billing and administration of Identity Theft Protection products (IPP) marketed to Chase card and other retail customers.
Although Chase did not admit liability in the Consent Order (the Order), the Bureau found that Chase and its third-party vendors had engaged in unfair acts and practices in violation of Dodd-Frank by billing and accepting monthly fees for credit monitoring services which were not provided. Specifically, consumers were billed before the credit reporting agencies (CRAs) had processed authorizations given to Chase or its vendors to access their credit information, a prerequisite to providing those services. The CFPB also found that the bank’s compliance monitoring service provider failed to identify, prevent, or correct those billings.
Chase took steps to correct the practices by ending the marketing of the IPP before March, 2012 and issuing some consumer refunds in October, 2012. But the Order prohibits Chase from further marketing or solicitation of IPP absent presentation to, and approval by, the CFPB of a Compliance Plan. The plan must detail how consumers would be informed that such services would not be activated until authorization was given to access their credit information, and how the bank would ensure that customers would not be billed in the future for such products before the credit reporting agencies had processed the consumers’ authorizations to access their credit information.
The Order also required Chase to:
1. Develop a vendor management policy designed to ensure products sold through vendors would comply with applicable federal consumer financial law, including adding requirements to comply with such laws in vendor contracts and implementing procedures for ongoing call monitoring of vendors;
2. Complete refunds of approximately $309 million, plus interest, to more than two million consumers who enrolled in the credit monitoring product and were charged for services they did not receive. In addition to the amount paid for the product, Chase was required to refund interest and any over-the-limit fees resulting from the charge for the product.
3. Submit to an independent audit.
4. Pay a $20 million penalty to the CFPB’s Civil Penalty Fund.
The Office of the Comptroller of the Currency undertook a separate action and separately ordered restitution and civil money penalties of an additional $60 million.
The Order serves as a road map to what the CFPB expects with regard to third-party marketing vendor management and compliance auditing, and again demonstrates the Bureau’s willingness to assess penalties against covered entities for practices found to be in violation of the law but carried out by third-party vendors.
In April, 2012, the CFPB issued a bulletin stating that it expected covered entities to monitor their service providers, and would hold them responsible for violations by service providers of Federal consumer financial laws.