The CFPB has filed a new lawsuit against TransUnion, two of its subsidiaries (TransUnion Interactive, Inc. (TUI) and TransUnion, LLC (TULLC)), and a former TUI executive alleging that the defendants violated the CFPB’s 2017 consent order with the corporate defendants.

The consent order settled the CFPB’s claims that TransUnion had engaged in deceptive marketing of credit-related products.  The inclusion of a former TUI executive as a defendant, which has been rare in the CFPB’s lawsuits to date involving large corporate actors, appears intended to demonstrate that Director Chopra’s recent statement regarding the his intent to impose liability on officers and directors of repeat offenders was not an idle threat.  In the CFPB’s press release about the lawsuit, Director Chopra stated: “TransUnion is an out-of-control repeat offender that believes it is above the law.  I am concerned that TransUnion’s leadership is either unwilling or incapable of operating its businesses lawfully.”

TransUnion’s subsidiary, TUI, generates, markets, and sells consumer-facing credit-related products that include credit scores, credit reports, and credit monitoring.  One such product cited in the CFPB’s complaint is “TU Credit Monitoring,” a bundled monthly subscription that includes access to a credit score, credit report, credit monitoring, and the ability for a consumer to lock and unlock their TransUnion and Equifax credit reports.  A consumer who enrolls in TU Credit Monitoring is charged a monthly enrollment fee until the consumer affirmatively cancels the subscription. TULLC is the arm of TransUnion that generates, markets, and sells consumer reports to commercial users.  The individual defendant served as TUI’s President from 2004 to 2021 and as TUI’s Executive Vice President thereafter.

According to the CFPB’s complaint, in October 2018, in connection with an examination of TransUnion, CFPB examiners requested information about the corporate defendants’ compliance with the 2017 consent order.  In addition to requiring payment of $13.9 million in restitution and $3 million in civil penalties, the consent order required the corporate defendants to take various actions including obtaining consumers’ “express informed consent” before enrolling them in credit-related products with a negative option feature (i.e., a transaction in which the seller markets an offer for a trial period and then enrolls the customer in a longer subscription in the absence of affirmative action rejecting or cancelling the agreement); simplifying the cancellation process; and providing certain disclosures in connection with selling credit scores.

In May 2019, CFPB examiners informed the corporate defendants that they were violating several requirements of the consent order.  In June 2020, and again in June 2021, the CFPB’s Office of Enforcement informed the corporate defendants that they continued to violate the consent order’s requirements as identified in the 2018 examination and were violating additional requirements and federal consumer financial laws.  In June 2021, the Office of Enforcement also informed the individual defendant that he was violating the consent order.

In its complaint, the CFPB alleges that the corporate defendants violated the consent order in various ways, including by (1) giving consumers the misleading impression that their payment information was requested for purposes other than payment, (2) offering negative option enrollments without using a checkbox to affirmatively enroll in such products as required by the consent order, and (3) failing to provide an appropriate method for consumers to cancel their enrollment.  Following its pattern of using heated rhetoric in its media statements and more neutral language in its complaints, the CFPB alleged in its press release that TransUnion “used an array of dark patterns to trick people” and “cheated customers.”

With regard to the individual defendant, the CFPB alleges that he knew of the consent order, knew of or recklessly disregarded TUI’s violations of the order, and failed to ensure the corporate defendants’ compliance with the order despite his personal legal obligations under the consent order.  The CFPB also alleges that, along with others, he “determined that complying with the Order would reduce TUI’s revenue and created a plan to delay or avoid implementation of the requirements …of the Order [regarding use of a checkbox],” and violated the order through his omissions or failure to act.

In Counts I and II of the complaint, the CFPB asserts claims against all defendants under the CFPA based on their alleged violations of the consent order, which, as  “an order prescribed by the Bureau, ”is included in the CFPA’s definition of “Federal consumer financial law” subject to enforcement under the CFPA.  The complaint also includes claims that (1) the corporate defendants engaged in deceptive acts and practices in violation of the CFPA separately from the alleged consent order violations, (2) TransUnion violated the CFPA by substantially assisting TULLC’s and TUI’s CFPA violations, and (3) TULLC violated the CFPA by substantially assisting TUI’s CFPA violations.  Further, the complaint includes claims that the corporate defendants violated (1) the EFTA and Regulation E by failing to comply with the requirements for preauthorized electronic fund transfers, (2) Regulation V (which implements the Fair Credit Reporting Act) by using advertisements that interfered with or undermined consumers’ rights to obtain a free credit report annually, and (3) the CFPA by way of the alleged EFTA/Reg E/Reg V violations.

Although Director Chopra has spoken about the need for agencies to consider imposing non-monetary “bright-line structural remedies” on large firms that are repeat offenders, the CFPB’s demand for relief in the complaint does not expressly seek such remedies.  The complaint does, however, seek unspecified injunctive relief.

In response to the lawsuit, TransUnion issued a statement in which it called the CFPB’s claims against TransUnion and the former TUI executive “meritless.”  TransUnion stated that shortly after entering into the 2017 consent order with the CFPB, it submitted to the CFPB for approval a plan detailing how it would comply with the order.  According to TransUnion, “[t]he CFPB ignored the compliance plan, despite being obligated to respond and trigger deadlines for implementation.  In the absence of any sort of guidance from the CFPB, TransUnion took affirmative actions to implement the consent order.”  TransUnion stated further:

We have been in compliance with our obligations and we remain in compliance with the consent order today.  Rather than providing any supervisory guidance on this matter and advising TransUnion of its concerns – like a responsible regulator would – the CFPB stayed silent and saved their claims for inclusion in a lawsuit, including naming a former executive in the complaint.  Despite TransUnion’s months-long, good faith efforts to resolve this matter, CFPB’s current leadership refused to meet with us and were determined to litigate and seek headlines through press releases and tweets.  The CFPB’s unrealistic and unworkable demands have left us with no alternative but to defend ourselves fully.