March 31, 2013

2012: The CFPB Set Its Sights on Credit Card Companies

Steven Forry

Through three significant consent orders against credit card companies in 2012, the Consumer Financial Protective Bureau (CFPB) signaled its intentions to vigorously pursue enforcement actions against marketing practices and debt collection practices that the CFPB deems deceptive, unfair, or abusive. The consent orders with Capital One Bank, Discover Bank, and American Express are essential reading for all companies within the CFPB's jurisdiction.

What is a "Deceptive" Act or Practice?

The CFPB and the Federal Trade Commission (FTC) each have authority to regulate Unfair and Deceptive Acts or Practices (UDAP), pursuant to the Consumer Financial Protection Act (12 U.S.C. §5531 et seq.), and the Federal Trade Commission Act (15 U.S.C. §45), respectively. In fact, the CFPB's jurisdiction is arguably broader than the FTC's by virtue of the CFPB's mandate to also regulate "[a]busive" acts or practices, thus transforming the descriptive acronym for the CFPB's mandate from UDAP into UDAAP (Unfair, Deceptive, or Abusive Acts or Practices). But that distinction is a topic for another article. The 2012 consent orders addressed in this article were each rooted in the CFPB's jurisdiction over "deceptive" acts or practices.

The CFPB and FTC agree on what factors must exist to show an act or practice is "deceptive": (1) there was a representation, omission, or practice that is false, misleading, or likely to mislead consumers, (2) the consumer acted reasonably under the circumstances, and (3) the representation, omission, or practice was material, i.e., likely to affect the consumer's conduct or decision with regard to a product or service. As discussed below, the CFPB concluded those factors were present relating to credit card add-on products marketed by each of Capital One Bank, Discover, and American Express.

In the Matter of Capital One Bank, (USA) N.A.

The Capital One matter revolved around the marketing and sale of a Payment Protection Product and a Credit Monitoring Product (Products). In the Matter of Capital One Bank, (USA) N.A., issued July 18, 2012, The consent order explained that Capital One advertised the Payment Protection Product as allowing an enrolled customer to cancel a credit card balance upon the occurrence of a triggering event (e.g., unemployment, sudden disability). The consent order further explained that Capital One advertised the Credit Monitoring Product as providing a customer with reports, updates, and monitoring of information reported to a credit reporting agency as well as coverage for lost wages and expenses caused by identity theft.

The consent order focused not on Capital One's marketing scripts, but instead on Capital One's alleged failure to supervise third-party servicers' (Servicers) use of those scripts. As the consent order explained, Capital One required its customers to activate cards by telephone to the Servicers. If a customer fell within a threshold of high credit score and/or high credit limit, the customer's activation call was brief and solicitation-free. However, customers "in the Bank's subprime portfolio or in its prime portfolio with an initial credit line of $5,000 or less" were routed to representatives with a script containing a solicitation of the Products. The activation calls for this second class of customers lasted on average between three and four times longer than the prime portfolio customers.

According to the consent order, the Servicers "frequently engaged in improper sales practices, deviating from the script's instructions or misinterpreting the [S]cripts in explaining the products, their terms and eligibility." For example, the CFPB alleged that the Servicers:

  • Falsely stated or implied that the Products were not optional, but were a normal benefit associated with the credit card, and that the Products were free or that customers could avoid fees by making timely payments.
  • Falsely stated or implied that customers need not be employed or capable of working to be eligible for benefits.
  • Misled customers into thinking that buying the Products would improve their credit scores and their eligibility for a higher credit limit.
  • Misled customers into thinking the Product would be activated automatically if the customer missed a payment, without penalty or cost.
  • Withheld additional information unless the customer first purchased the Products.
  • Misrepresented statistics, such as "identity theft is the number one crime," and misinformed customers that they would have access to "federally certified agents," in order to sell the Credit Monitoring Products.
  • Failed to obtain consent from the customers before activating the Products.
  • Aggressively rebutted customers' cancellation calls, including by repeating the incorrect statements described above.

The CFPB concluded that Capital One's (through the Servicers') conduct was "false and misleading" and constituted deceptive marketing acts or practices.

The CFPB immediately banned Capital One from marketing or selling any of the Products until the CFPB approved a rigorous compliance plan to eliminate the allegedly deceptive acts surrounding the Products. Among other things, the consent order:

  1. Prohibits Capital One from directly or indirectly misrepresenting or omitting material terms of any offer related to the Products.
  2. Imposes a compliance plan requiring Capital One to mail specific disclosures to customers within three business days after purchase of a Product, and requires that Servicers:
    1. Specify the marketing and sale of the Products during activation calls, including prohibiting marketing/selling the Products until after notice that the activation is complete and the customer has agreed to an optional presentation regarding the Products.
    2. Clearly and prominently assess a customer's eligibility for the Products before charging any Product fees.
    3. Obtain a customer's affirmative request or consent to buy the Product after hearing disclosures.
    4. Agree to provide additional Product information to customers upon request, without requiring the customer purchase the Product first.
  3. Requires Capital One to refund all Product charges to a customer requesting cancellation of a Product within 30 days of the first periodic statement containing a charge for the Product.
  4. Requires Capital One, in the event of a customer dispute regarding the purchase of a Product, to immediately cancel the Product and issue a refund, or investigate the customer's consent to the purchase.
  5. Prohibits Capital One from trying to re-sell a Product, if a customer calls to cancel it.

The monetary relief imposed by the consent order was substantial. Pursuant to 12 U.S.C. §5565(a)(2)(C), the CFPB ordered Capital One to make restitution of Product fees plus interest, refund finance charges and over-the-limit fees, and pay claims made by eligible customers under the Payment Protection Product if the claim was denied for the customer's actual ineligibility at the time of registration. In total, the restitution totaled approximately $140 million. The consent order also imposed a $25 million penalty, pursuant to 12 U.S.C. §5565(c).

The CFPB was not the only regulator to weigh in. The Office of the Comptroller of the Currency (OCC) charged Capital One with a $150 million restitution demand (payment of which would also constitute payment of the CFPB's restitution order) and imposed a separate penalty of $35 million, pursuant to the Federal Deposit Insurance Act, 12 U.S.C. §1818(i)(2).

In the Matter of Discover Bank

The Discover Bank consent order resulted from a joint action of the CFPB and FDIC and revolved around the scripts for four add-on products: (1) Payment Protection, (2) Identity Theft Protection, (3) Wallet Protection, and (4) Credit Score Tracker (the Products). In the Matter of Discover Bank, issued September 24, 2012, Between December 1, 2007, and August 31, 2011, Discover and its third-party vendors sold the Products to 4.7 million customers through either affirmative outbound sales solicitations or incoming customer service calls or activation calls. Discover implemented specific scripts to be used in the calls, as well as scripts to answer questions about the Products.

The regulators' charges against Discover resulted from omissions or misleading implications in the scripts, alleged in the consent order as:

  • In outbound sales calls, introductory statements falsely implied the Products were free benefits rather than for-cost Products.
  • Text asking customers if they agreed to be "enrolled" in a Product, but omitting that enrollment equaled consent to buy the Product.
  • Text seeking interest in "enrollment" in a Product before disclosing material terms and conditions.
  • Regarding the Payment Protection Product, text falsely implying that the customer would receive materials regarding the Product's material terms and conditions before being obligated to pay for the Product.
  • Text responding to customer questions about comparison-shopping by falsely stating that the customer could receive a comprehensive disclosure regarding the Product before enrolling in the Products.
  • Failure to disclose that customers are not eligible for the Payment Protection Product if, at the time of enrollment, the customers were self-employed, unemployed, employed part-time, or suffering from a pre-existing medical condition.

The regulators also alleged that telemarketers speed-read mandatory disclosures such as price and terms and conditions and downplayed the disclosures, implying to customers that the disclosures were unimportant. The CFPB and FDIC were particularly concerned that in many calls, Discover could charge the customers without even asking for credit card numbers, since these were existing customers.

The joint consent order imposed restrictions on Discover's sales calls, numerous compliance and oversight obligations, and monetary remedies. For example:

  1. In solicitation calls:
    1. In outbound sales calls, Discover must promptly disclose at the outset that the call relates to an "optional Product"; on inbound calls, Discover must make the same disclosure after beginning discussion of a Product.
    2. Prior to purchase, Discover must clearly disclose the cost of the Product, the frequency of charges, how the fee is calculated, the specifics of when the fee will be charged, and all material terms and conditions.
    3. Discover must clearly disclose material restrictions on eligibility for benefits.
    4. The customer must affirmatively acknowledge that the Products are optional and the customer wishes to purchase the Product.
  2. After the customer agrees to purchase a Product, Discover must clearly disclose:
    1. That the customer has purchased the Product.
    2. That the customer will be charged within two billing cycles, but no sooner than 15 days from the purchase date and that the charge will appear on the billing statement.
    3. The cancellation policy and the telephone number to cancel the Product.
    4. The refund policy, including timeframe to cancel without a fee.
  3. Discover cannot require purchase of a Product before Discover will transmit information containing material conditions, benefits, and restrictions of the Product upon purchase of the Product.
  4. Discover may not market the Products during an activation call unless, prior to the marketing, Discover informs the customer that activation is complete, informs the customer that listening to the sales pitch is optional, and informs the customer that card activation is not contingent upon purchasing the Product.
  5. If a customer calls to cancel or dispute enrollment in a Product, Discover "shall immediately agree to cancel the Product," stop charging any fee for the Product, and "not attempt to re-sell the Product" during that same call.
  6. Discover must implement a comprehensive Compliance Management System within 60 days of the consent order.

Similar to the Capital One consent order, the CFPB and FDIC imposed substantial monetary remedies against Discover. Discover was ordered to provide restitution to all customers who purchased the Products, and refund or credit customers at least 90 days' worth of fees. In total, the restitution amount was at least $200 million. Pursuant to 12 U.S.C. §1818(i)(2) and 12 U.S.C. §5565(c), the FDIC and CFPB respectively also imposed penalties against Discover in the amount of $14 million.

American Express Affiliated Companies

The CFPB - alone and in concert with other regulators - issued three separate consent orders against American Express affiliated companies, each relating to alleged deceptive marketing practices: American Express Centurion Bank (AECB), American Express Bank, FSB (AEBFSB), and American Express Travel Related Services Company, Inc. (AETR). In the Matter of American Express Centurion Bank; In the Matter of American Express Bank, FSB; In the Matter of American Express Travel Related Services Company, Inc.; issued October 1, 2012,

AECB Action

Against AECB, the CFPB joined forces with the FDIC to target allegedly deceptive debt collection practices and deceptive solicitations for the American Express Blue Sky credit card program. The regulators also alleged violations of the Credit CARD Act, the Truth in Lending Act, the Fair Credit Reporting Act, and the Equal Credit Opportunity Act.

The regulators principally targeted three allegedly deceptive acts or practices. First, they alleged that AECB deceptively persuaded defaulted customers to pay old debts by misrepresenting that settlement of the debts would be reflected on the customer's credit report and that payment would improve the customer's credit score - in fact, those particular debts were too old to be reported to a consumer reporting agency anyway. Second, the regulators alleged that AECB issued misleading debt settlement letters indicating that, after settlement, the customer's remaining debt would be "waived" or "forgiven" - in fact, AECB would not process any future credit or applications for the customer until the entire balance was paid in full, facts that were not disclosed prominently enough.

Third, the regulators alleged that AECB marketed the Blue Sky credit card with direct mailings that listed a "$300 bonus Offer" and/or "22,500 bonus points - receive a bonus $300," or "22,500 bonus points - earn a bonus $300." In fact, customers qualifying for the bonus only received the points, not the money.

Regarding the debt collection activities, the consent order required AECB to clearly and prominently disclose to debtors how long the law permits a debt to be reported to a credit reporting agency and that payment/non-payment of the particular debts would not affect the customer's credit score. The CFPB additionally defined what it deems to be a "clear and prominent" disclosure, including among other things a requirement that disclosures be made on the first page of multi-page documents.

Regarding the Blue Sky program, the consent order required AECB to "take all action necessary" to revise solicitations (oral or written) relating to the rebate and points benefits and to disclose clearly and prominently all material conditions, benefits, and restrictions of the offers.

The consent order also imposed significant monetary remedies. The order required AECB to make restitution in a total amount of at least $75 million to all customers affected by the various violations in the consent order (including the TILA, FCRA, and ECOA claims). The restitution includes (1) AECB's reimbursement to customers of payments made in response to deceptive debt collection activities plus 1.3 percent interest, as well as payment of $100 and possible additional interest, and (2) AECB's payment of $300 to each customer who opened a Blue Sky account after receiving the allegedly deceptive solicitation.

Additionally, the consent order imposed a total civil money penalty of $7.8 million, with payment to be split equally between the United States Treasury and to the CFPB.


The CFPB charged AEBFSB with the same alleged misconduct that was the subject of the AECB consent order relating to deceptive debt collection practices. In addition to the alleged UDAAP violation, the CFPB charged AEBFSB with violations of the Truth in Lending Act, Credit CARD Act, and Fair Credit Reporting Act.

The CFPB ordered AEBFSB to comply with the same remedies as those imposed upon AECB regarding allegedly deceptive debt collection practices.

Additionally, the consent order imposed restitution in a total amount of at least $10 million to all customers affected by the various alleged violations in the consent order, including AEBFSB's reimbursement of payments made in response to the allegedly deceptive debt collection activities plus 1.3 percent interest as well as payment of $100 and possible additional interest. Further, the CFPB imposed a total civil money penalty of $1.2 million.

Separately, the OCC imposed restitution upon AEBFSB in an estimated amount of $6 million (which "will also satisfy identical payment obligations required by the CFPB"), and an additional civil penalty of $500,000.

AETR Action

AETR is a parent company to AECB and AEBFSB, and also "marketed, processed, and serviced" the credit card portfolios of AECB and AEBFSB. The CFPB charged AETR with the same alleged violations as those charged against its subsidiaries because AETR "developed, managed, and administered marketing and promotional programs" for AECB and AEBFSB.

Additionally, for the consumer credit cards that AETR operated itself, the CFPB charged AETR with the same deceptive debt collection activities as those charged against AECB and AEBFSB.

The CFPB directed AETR to conform to the compliance directives issued in the AECB and AEBFSB consent orders, and ordered AETR to prepare a Restitution Plan for consumers affected by the allegedly improper activities. Additionally, the CFPB charged AETR a civil penalty of $9 million and prohibited AETR from seeking indemnification of that amount from any third party.

Separately, pursuant to 12 U.S.C. §1818(i)(2), the Federal Reserve imposed a $9 million civil money penalty jointly against AETR and the holding company American Express Company for the same conduct described in the CFPB enforcement action.


These three out-of-the-gate, high-profile consent orders signaled the CFPB's intentions to vigorously exercise its UDAAP authority and to ensure that financial sector participants take notice. The monetary punishments are noteworthy, of course. But companies within the CFPB's authority should also note that the compliance programs imposed by the consent orders are comprehensive and onerous, and that the CFPB is going to hold companies responsible for UDAAP violations by third-party servicers - companies can send the marketing work to third-parties but cannot unload the associated UDAAP duties. Although one cannot predict the CFPB's future plans, companies within the CFPB's jurisdiction are wise to study the recent past and adjust their practices accordingly.



Steven Forry

Steven Forry is a partner at Ice Miller LLP in Columbus, Ohio.