On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”
With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.
In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:
- Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
- Reviewing the service provider’s policies, procedures, internal controls, and training materials
- Including clear expectations in written contracts
- Establishing internal controls and on-going monitoring procedures
- Taking immediate action to address compliance issues
Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.
On July 21, the CFPB announced a nearly $700 million settlement against a leading financial institution and its subsidiaries. According to the consent order, the Bureau alleges that the entities engaged in deceptive marketing, billing, and collection practices related to various credit card ancillary products, including debt protection and credit monitoring services. Specifically, the Bureau alleges that the institution’s or its vendors’ marketing practices, consisting of telemarketing calls, online enrollment, point-of-sale application, and direct enrollment at retailers, misled consumers into enrolling for certain ancillary products. The Bureau further alleges that, in some instances, telemarketers failed to accurately disclose the cost and fees associated with the ancillary products. With respect to the unfair billing allegations, the Bureau contends that the institution or its vendors improperly charged consumers, without authorization, for services that were not rendered, and failed to provide full product benefits of the services marketed to consumers. In addition, the Bureau alleges that the institution misrepresented payment fee information to consumers by failing to disclose the actual purpose of the fee associated with making payments by phone on delinquent credit card accounts. Under terms of the settlement, the institution and its subsidiaries agreed to (i) provide $479 million in consumer relief related to its marketing practices; (ii) pay roughly $220 million in restitution related to its payment collection practices and for consumers not receiving the full benefits of services promised; and (iii) pay a $35 million civil money penalty.
In a parallel enforcement action, the OCC imposed a separate $35 million civil money penalty against the institution for engaging in similar practices, and required the institution to strengthen its oversight of third-party vendors and develop a comprehensive risk management program for ancillary products marketed or sold by the bank.
Today, the CFPB filed proposed consent orders against two credit card add-on product vendors for allegedly billing consumers for credit monitoring and identity theft protection services they did not receive. Under the proposed consent orders, one vendor will provide nearly $7 million in restitution to the holders of approximately 73,000 accounts, and pay a $1.9 million civil money penalty. The other vendor will provide almost $55,000 in restitution to consumers who were incorrectly billed for identity theft or credit monitoring services, and pay a $1.2 million civil money penalty. The Bureau specifically noted that today’s announcement is the “first time the Bureau has brought actions directly against the companies” that market or administer ancillary products.
On June 19, the OCC released recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with national banks and federal savings associations. Among the actions was the issuance of a consent order for a civil money penalty against a national bank for allegedly violating the Federal Trade Commission Act. During its investigation, the OCC discovered deficiencies relating to the bank’s billing and marketing practices, specifically with regard to identity protection and debt cancellation products. According to the consent order, since April 2004, the bank, along with an identity protection product vendor, marketed and sold various types of identity theft protection products to its customers. Before customers could access the credit monitoring service of the identity theft product, they “were required to provide sufficient personal verification information and consent before their credit bureau reports could be accessed.” However, the OCC found that the vendor (i) billed the bank’s customers the full fee for the products, even if they were not receiving all of the credit monitoring services; (ii) billed the customers prior to receiving the customers’ information and consent and establishment of credit monitoring; and (iii) failed to ensure that customers received electronic benefit notifications. The bank retained a portion of the fees that the customers paid. Additionally, the bank’s vendors incorrectly informed customers during telemarketing calls that only one of the products offered had the ability to access identity protection benefits electronically. As a result, some customers purchased the more expensive Enhanced Identity Theft Protection, as opposed to the less expensive Identity Theft Protection, under the mistaken belief that this was the only way they could access the product’s benefits online. 
Finally, the OCC also alleged that, from August 2005 through November 2013, the bank’s debt cancellation product vendor’s billing practices, which posted recurring payments on the same day of the month regardless of the payments’ due dates, resulted in some customers paying recurring late fees. The bank will pay $4,000,000 to resolve the OCC’s allegations.
Illinois AG Madigan Announces $1 Million Settlement Regarding Company’s Management of Foreclosed Properties
On June 3, Illinois AG Madigan announced a $1 million settlement with an Ohio-based company that mortgage lenders hire to manage properties throughout the foreclosure process and ensure that the properties retain their value. The settlement resolves a 2013 lawsuit by Madigan that alleged that the company wrongly deemed homes vacant, and instructed its contractors to shut off utilities, change the properties’ locks and illegally remove residents’ personal belongings even though they actively remained in their homes. Under the settlement, the company agreed to overhaul its business practices by using objective standards to ensure that homes are vacant, such as: (i) requiring its inspectors to support their inspections with photographs and an affidavit; (ii) posting notice to the occupant that the property has been deemed vacant; (iii) not misrepresenting the occupants’ rights to stay in their home, even if they are behind on their mortgage payments and in foreclosure; (iv) increasing its oversight and quality control of its subcontractors; (v) providing consumers with access to a 24-hour hotline for submitting complaints; and (vi) unless the company obtains a court order, not removing any personal property prior to foreclosure.
In addition to the $1 million agreement, which will be paid in restitution to consumers who filed complaints with respect to the company’s business practices, the company agreed to adhere to ongoing monitoring by Madigan’s office to ensure compliance with the settlement.
Spotlight on Vendor Management: Mortgage Industry Continues To Bear Brunt of CFPB Regulatory Burdens
Mortgage industry players have had to adapt quickly in recent years to the evolving regulatory environment, and the latest scramble for mortgage lenders includes the various downstream effects of pending rule changes set to take effect on August 1, 2015, related to disclosures required under the implementing regulations of the Truth-in-Lending Act (“TILA”) and the Real Estate Settlement Procedures Act (“RESPA”). A critical factor to successful implementation of this historic set of rule changes, known as the TILA-RESPA Integrated Disclosure (“TRID”) rule, is coordinating with various vendors to address new timing and information requirements for Loan Estimates and Closing Disclosures, which are creating project management nightmares for mortgage professionals growing weary of the regulatory onslaught of revised regulations and enforcement actions.
“Despite the relative speed with which many companies have adapted to various rule changes since the CFPB came online, there seems to be a new rule change waiting in the wings at almost every turn,” observed Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “To make matters worse, managing service providers through the changes has undoubtedly tested the strength of deep industry relationships that have been in place for decades.”
Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers. The identified cause of the data breach was employees of the carrier’s service providers based in Mexico, Colombia, and the Philippines, who confessed to selling customer information to unauthorized third parties. In holding the carrier responsible, the FCC issued its largest data security enforcement action to date. Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.
“This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.”
On April 30, the SEC’s Division of Investment Management issued IM Guidance Update No. 2015-02, which highlights measures that investment companies and advisers may wish to consider in addressing cybersecurity risks. The guidance urges firms to adopt a three-pronged approach including, among other things: first, conducting a periodic assessment of (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk; second, creating a strategy designed to prevent, detect, and respond to cybersecurity threats; and third, implementing the strategy through written policies and procedures. The Division’s guidance also warned investment companies and advisers about third-party vendor agreements that could potentially lead to unauthorized access of investors’ information.
CFPB Files Suit and Obtains Injunction Against Participants of Alleged Illegal Debt Collection Scheme
On April 8, the CFPB announced that it filed a lawsuit in the United States District Court for the Northern District of Georgia on March 26 against participants in an allegedly illegal debt collection operation, involving certain payment processors and a telephone broadcast service provider. The complaint alleges that several individuals and the companies they formed, based in New York and Georgia, attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleges the use of harassing and deceptive techniques in violation of the CFPA and FDCPA. Specifically, the collectors allegedly placed robo-calls through a telephone broadcast service provider, also named in the complaint, to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserts that as a result, the debt collectors received millions of dollars in profits from the targeted consumers. The complaint also names certain payment processors used by the collectors to process payments from consumers. The CFPB obtained a preliminary injunction to halt the debt collection activities and freeze the assets of all defendants named in the lawsuit. Consistent with prior enforcement actions and guidance, the CFPB’s complaint in this matter underscores the importance of exercising thorough due diligence and ongoing oversight of third parties engaged to provide material services in connection with the offering or provision of a consumer financial product or service. For an in-depth analysis of the CFPB’s expanding scrutiny in this area, please see the recently published article Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management, authored by BuckleySandler Partner Elizabeth McGinn and Counsel Moorari Shah.
On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Colombia, and the Philippines where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.
On April 9, the NYDFS released a report finding potential cyber security vulnerabilities with banks’ third-party vendors, based on a survey of 40 banking organizations regarding the cyber security standards in place for their vendors. Notable findings from the report include (i) nearly one in three banks surveyed currently do not require third-party vendors to notify them in the event of an information security breach or other cyber security breach; (ii) less than half of the banks conduct any on-site security assessments of their third-party vendors; (iii) about one in five of the banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements; (iv) only one-third of the banks require information security requirements to be extended to subcontractors of the third-party vendors; and (v) nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products. According to the press release, NYDFS plans to strengthen cyber security standards for banks’ third-party vendors through regulations, including addressing the representations and warranties banks receive about cyber security protections in place.
In April 2012, the Consumer Financial Protection Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. Since then, the Bureau has often referenced the Service Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.
“The CFPB has voiced its dissatisfaction on a number of occasions with supervised entities that fail to perform adequate vendor oversight,” according to Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In particular, nonbanks and service providers that are still coming up-to-speed on federal agency supervision and enforcement have to be alert and aware of important trends in recent enforcement actions that challenge outdated notions of vendor management.”
On March 25, the Department of the Treasury’s Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continues to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”
CFPB Announces Enforcement Action Against Telecommunications Company for Alleged Unauthorized Third-Party Charges
On December 17, the CFPB filed a complaint in the Southern District of New York against a telephone company for allegedly charging its customers tens of millions of dollars in unauthorized third-party charges. According to the CFPB’s press release, for roughly a decade the company “crammed” consumers’ wireless bills with illegal charges by outsourcing payment processing for digital purchases – such as apps, games, and movies – to vendors known as “billing aggregators.” The CFPB alleges that the company failed to properly monitor the aggregators’ billing of customers as a payment processor for the third parties, and violated Dodd-Frank and the CFPA by (i) allowing third party vendors to attach illegitimate charges to consumers’ bills; (ii) billing customers for the unauthorized charges without their consent; (iii) failing to heed red flags showing that the system “was a breeding ground for unauthorized charges”; and (iv) failing to respond to consumer complaints. The complaint seeks refunds for consumers and penalties.