A Missouri bank is facing a $1.5 million civil money penalty as part of an OCC enforcement action after allegedly violating Section 5 of the Federal Trade Commission (FTC) Act by incorrectly billing customers who purchased an identity theft product. The OCC blames it on “deficient vendor management practices” and is requiring the bank to improve its vendor management processes.
Between 2009 and 2013, the bank marketed and sold a product called “Fraud Protection Plus” that provided credit monitoring and retrieval services. Customers who enrolled had to provide personal verification and consent to receive and be billed for the product, yet the bank billed some customers the full cost of the product even though they weren’t receiving them. The bank kept a portion of these fees, the OCC says.
The OCC describes it as “part of a pattern of misconduct that resulted in financial gain to the bank” and that it “caused” or “was likely to cause substantial customer injury.”
Rather than trust the bank will correct the problem on its own, the OCC is requiring the bank to submit a policy for overseeing the management of third-party providers with an emphasis on marketing, sales, delivery, servicing and fulfillment of products. It must include:
An analysis of the third party’s ability to comply with consumer protection laws and bank policies and procedures.
Specific guidelines for written contracts, including detailed performance responsibilities and internal controls; provisions guaranteeing onsite bank reviews of vendor controls, performance and IT systems; and termination provisions.
Criteria for significant vendors and a requirement for onsite reviews of such vendors.
The board will be responsible for ensuring the policy is followed and the internal audit department will assess how these policies are applied.
The OCC is also requiring the bank to appoint a three-person compliance committee. The committee must submit a report on what the bank is doing to comply with the consent order and an action plan for compliance with Section 5 of the FTC Act. That includes timely board reports and follow up and corrective action for noncompliance. The bank, which neither admitted or denied wrongdoing, will also reimburse customers.
This is just another example of what happens when bankers ignore a risk because of the faulty logic based on their experience with vendor management and their experience with prior exams. This fine is another example of what happens if vendor management is not handled appropriately. Clearly there are some institutions that haven’t put much thought into vendor policies, procedures, due diligence, and monitoring, and as a result they are allowing vendors to introduce substantial risks—in this case, reputation, financial and compliance risk, among others.
Does your institution have strong vendor management policies and procedures? Do you have contract provisions and programs in place to ensure proper oversight? If not, don’t waste time. It will take time and resources to build out a program, but it’s definitely cheaper than paying a $1.5 million fine.