How Third-Party Oversight and Complaint Management Could Have Prevented an $11.5 Million UDAAP Enforcement Action—and What It Means for Your Vendor Management
Defining unfair, deceptive, and abusive acts and practices (UDAAP) can be tricky, but sometimes you come across a case that’s so egregious there is no doubt of a UDAAP issue.
That’s the case with GreenSky, a fintech that lets merchants (often home improvement contractors) offer financing to consumers. The loans are dispersed directly to merchants, bypassing consumers.
Now the Consumer Financial Protection Bureau (CFPB) says that GreenSky let contractors and other merchants take out $9 million in loans to thousands of consumers without their knowledge or consent from 2014 and 2019. Consumers that had never even heard of GreenSky were shocked to receive billing statements, collection letters, and calls from the company. As a result, GreenSky will have to refund or cancel up to $9 million in loans and pay a $2.5 million civil penalty.
How does something like this happen?
It stems from a lack of appropriate and effective:
- Controls throughout the loan process
- Third-party oversight
- Complaint management
Lack of controls throughout the loan process. Lending should be a very process-oriented activity, and that just wasn’t the case with GreenSky. Consumers weren’t required to sign and return loan documentation. If GreenSky approved a loan, the loan application was complete. Merchants were supposed to obtain written authorization from consumers before submitting a loan application, but GreenSky didn’t ask for or review this documentation before disbursing loan proceeds.
Takeaway: Consumer authorization is a basic tenet of consumer protection. Collecting and documenting this consent should be a no-brainer. It’s a necessary control that helps guard against fraud and compliance risk. If merchant agreements don’t even include baseline controls, I can only imagine what other risk management controls are weak or missing.
Poor complaint management. GreenSky received at least 6,000 complaints from consumers who said they didn’t authorize loan applications. In at least 1,600 cases, it was the merchant’s fault. Due to understaffing and high turnover, these investigations often took as many as 75 days to resolve (and in some cases 6 months or never), despite a policy saying they’d be handled in 15 days.
When it received a complaint, GreenSky’s agreement required merchants to provide proof of consumer authorization, but sometimes merchants were unable to provide documentation. Investigations of some complaints found that merchants entered their own email addresses as the consumer’s own when filling out the loan application without the consumer’s knowledge.
Takeaway: Good complaint management analyzes data to uncover patterns. It shows where problems exist and can reveal systemic weaknesses. When reviewing complaints, GreenSky should have noticed a significant number of complaints related to unauthorized loans. Further, it should have connected the dots and realized:
- Merchants sometimes couldn’t provide documentation of consumer authorization
- Merchant email addresses in the consumer address field correlated with fraudulent applications
Unauthorized applications could have been identified and prevented by adding basic risk management controls such as requiring proof of consumer authorization and verifying the consumer email address didn’t match the merchants’.
Bad vendor management. Working with third parties requires strong vendor management, and GreenSky fell short on oversight. In addition to the weak policies already mentioned, GreenSky didn’t exactly take strong, swift action when it found out a merchant had been violating those policies. High-volume merchants were held to lower standards and were less likely to be terminated or suspended. Sometimes the companies that took out the unauthorized loans weren’t disciplined or terminated. Investigators weren’t trained consistently and didn’t follow written guidelines.
Takeaway: There is no escaping the blame or consequences when a third-party is operating on your behalf. That means there needs to be strong third-party oversight, including vendor management controls. Contracts should include provisions to ensure all parties are compliant with all laws, regulations, and internal policies—especially those with consumer-facing vendors. If controls aren’t clearly defined in the contract, an FI’s ability to oversee the relationship will be extremely restricted.
Related: Vendor Management Resources
Insufficient training. GreenSky let merchants submit loan applications for up to two months before completing loan application training. Only one person from the merchant had to attend training, and GreenSky had no way of knowing whether individual merchant employees were trained. In addition, they didn’t necessarily do anything when it found out employees hadn’t been trained.
The training provided by GreenSky was also problematic. Not all trainers explained that consumer authorization is required, and in some cases, they taught merchants how to directly access the consumers’ loan proceeds using a shopping pass number.
Takeaway: Training must be appropriate and specific to an employee’s role, and there should be a mechanism in place to ensure training occurs. It’s so essential that it’s a requirement of any compliance management system (CMS).
Disparate treatment. There was no policy or procedure for determining which consumers got loan write-offs due to fraudulent loan applications, resulting in an inconsistent response. Sometimes it took so long to respond to a complaint that the transaction processor’s window for chargebacks had expired, meaning legal action was the only recourse left to the consumer.
Takeaway: Always have policies and procedures specifically defining the eligibility circumstances for refunds and write-offs. While fair lending didn’t come up in this case, this is the type of scenario that can easily lead to disparate treatment. If the write-off data was analyzed for fair lending, it wouldn’t be surprising to see questionable patterns since there were no guidelines for eligibility. It came down to personal discretion, which often introduces bias into the process.
What does this mean for my FI?
I know what you’re thinking. Your financial institution would never do something as egregious as letting third parties take out thousands of unauthorized loans on behalf of consumers that didn’t want them, so this enforcement action doesn’t concern you.
And yet, there are lessons here if you set aside the outcome and focus on the root cause of the violation. The bottom line: it’s all about having and monitoring risk management controls to detect problems early on and then take action on those findings.
Make sure that you have a strong vendor management program, vendor contracts with specific performance expectations, and that you analyze your complaint management program for patterns—especially when it comes to vendors. Ignorance of a problem is not an adequate defense, and knowing about a problem and not doing anything is just as bad.
Topics: Risk & Compliance