In a recent Consent Order, the Consumer Financial Protection Bureau (CFPB) addressed how companies will be held accountable for unlawful acts or practices regarding access to customers’ credit reports and personal information. In an action against a national bank for illegally exploiting personal data to open sham accounts without customers’ permission, the CFPB indicated that the following actions are subject to penalty:
Applying for and issuing credit cards and lines of credit for consumers without their knowledge and consent;
Using or obtaining consumer reports of consumers who were not seeking an extension of credit from or involved in any form of credit transaction, account review, or account collection with Respondent, where the Respondent had no other permissible purpose for the consumer reports if used or obtained;
Opening consumer deposit accounts without consumers’ knowledge and consent; and
Creating sales pressure on its employees that led to employees opening credit cards, lines of credit, and deposit accounts without consumers’ knowledge and consent.
The allegations stem from what the CFPB described as the bank’s sales pressure methods. These allegedly led employees to open accounts without consumers’ authorization, which apparently was only possible by illegally accessing its customers’ credit reports. According to the Bureau, these actions violate the following laws:
Violations of the Consumer Financial Protection Act (CFPA)
The CFPA prohibits “unfair, deceptive, or abusive” acts or practices. Taking unreasonable advantage of consumers’ inability to protect their interests in selecting or using a product or service by opening lines of credit without consumers’ knowledge and consent violates CFPA prohibitions.
Violations of the Fair Credit Reporting Act (FCRA)
Under the FCRA, a consumer report may be used or obtained only for permissible purposes enumerated in the statute. Using or obtaining consumer reports to consider consumers for new credit products not voluntarily requested or applied for by consumers violates FCRA prohibitions.
Violations of the Truth in Lending Act (TILA)
TILA and its implementing regulation, Regulation Z, require that no credit card shall be issued except in response to a request or application thereof (oral or written). Issuing credit cards to consumers without their knowledge and consent violates these prohibitions.
Violations of the Truth in Savings Act (TISA)
TISA and its implementing regulation mandate that companies provide required disclosures to account-holder consumers, such as the annual percentage yield and interest rate, compounding and crediting information, balance information, fees, and more, before an account is opened or a service is provided. Opening accounts without consumer authorization means that a company has also failed to provide the required disclosures, violating TISA.
The CFPB suggests that it is prohibited to participate in practices that increase sales at the expense of unnecessary consumer fees, consumer-credit profiles, sensitive consumer data, and consumers’ time and effort to close related accounts. It also proposes that financial institutions should have proper compliance and procedures in place to prevent or detect the opening of unauthorized accounts and so avoid heavy penalties.
Firstline would like to remind you that we are not privy to all the details and information that occurred here, and this is not guidance about acts that will imperil a company. Instead, our takeaways may be only as follows. First, this serves as a reminder to not abuse the “permissible purpose” provision when using credit reports. Also, in developing compensation plans, consider how the plan may have the unintended consequence of causing behavior that may even remotely foster an environment of lesser commitment to compliance. And finally, remember, good internal controls are not about getting it right – they are about how you cannot get it wrong.