The CFPB announced that it has entered into a consent order with First National Bank of Omaha to settle charges that the bank engaged in unfair or deceptive acts or practices in connection with the marketing and sale of credit card add-on products and the billing of consumers for such products.  The consent order requires the bank to pay at least $27.75 million to provide restitution to approximately 257,000 consumers. The restitution will include the full amount paid for the products, plus any associated late fees, over-limit fees, and finance charges.  In addition, the bank must pay a $4.5 million civil money penalty to the CFPB.

The CFPB’s announcement stated that its enforcement action was conducted in coordination with the Office of the Comptroller of the Currency (OCC), which entered into a separate consent order with the bank.  According to the CFPB, its enforcement action represents “the eighth action the Bureau has taken in coordination with another regulator to address illegal practices with respect to credit card add-on products and the 12th action the Bureau has taken in total to address these practices.”

The CFPB’s consent order states that from approximately 2002 until August 2013, the bank marketed debt cancellation products to its credit card holders and, from approximately December 1997 to September 2012, it marketed credit monitoring/identity theft protection products to its cardholders.  According to the consent order, the bank engaged in deceptive or unfair acts or practices in violation of the Consumer Financial Protection Act (which violations the bank does not admit or deny) that included the following:

  • Misrepresenting the length of the card activation process to cause consumers to listen to solicitations for debt cancellation products and misrepresenting the existence of a purchase transaction when obtaining consumer consent
  • Misrepresenting the terms, exclusions and benefits of the debt cancellation products through conduct that included failing to inform cardholders or correct confusion on the part of cardholders who had disclosed information suggesting they would be ineligible for some product benefits (such as that they were retired, self-employed or employed for less than 30 hours a week)
  • Misrepresenting the ease of cancelling debt cancellation products by conduct that included instructing representatives to attempt to rebut cardholder cancellation requests, thereby causing consumers to be unable to cancel without making multiple demands for cancellation
  • Administering the debt cancellation products in a way that obstructed cardholders from obtaining benefits, such as by imposing various restrictions, eligibility requirements, and administrative hurdles (for example, denying benefits to a cardholder who was employed for less than 30 hours a week or self-employed and defining a “pre-existing condition” to include any condition diagnosed or appearing for up to six months after enrollment)
  • Billing cardholders for credit monitoring products when the product benefits were not provided, such as where the bank did not obtain the cardholder’s authorization for his or her credit reports to be released by the credit reporting company or where the credit reporting company did not process an authorization because it could not match the cardholder’s identification information to its records.

In addition to the payment of restitution and a civil money penalty, the consent order prohibits the bank from marketing any debt cancellation or credit monitoring/identity theft products until it submits an “Add-on Compliance Plan” to the CFPB and receives “a determination of non-objection.”  The consent order details the items that must be included in the compliance plan.  It also requires the bank to submit a written policy governing the management of service providers “with respect to the offering of consumer financial products and services” to the CFPB for a determination of non-objection and develop a written, enterprise-wide “Unfair, Deceptive, and Abusive Acts or Practices risk management program for any consumer financial products or services” offered by the bank or through service providers.  While the CFPB has required banks to have UDAAP policies in other consent orders in enforcement actions involving credit card add-on products, those policies appear to have been limited to the sale of such products and did not appear to cover any consumer financial products and services offered by the bank.

The OCC’s consent order with the bank settles charges that bank’s billing practices for the credit monitoring/identity theft protection products violated Section 5 of the FTC Act.  The OCC’s consent order requires the bank to pay a $3 million civil money penalty and make restitution to customers who paid for identity theft protection they did not receive.  In its announcement of the consent order, the OCC stated that restitution payments made by the bank pursuant to the OCC’s order “will also satisfy identical obligations required by the CFPB action.”