<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Three Years and Many Millions Later: Paying the Price When a Vendor Fails to Deliver

Risk & Compliance

Three Years and Many Millions Later: Paying the Price When a Vendor Fails to Deliver

Posted by Michael Berman on Oct 17, 2016 10:06:54 PM
Michael Berman

There is such a thing as too little, too late—especially if you’re a bank that made the mistake of failing to oversee a vendor that didn’t deliver billed services to customers.

That’s the lesson $18.4 billion-asset First National Bank of Omaha is learning after the Consumer Financial Protection Bureau (CFPB) slapped the bank with $27.5 million in customer reimbursements plus $4.5 million in civil money penalties for flaws in its credit card add-on products program. The CFPB says the bank:

  1. Used deceptive marketing to lure consumers into debt cancellation add-on products; and
  2. Charged consumers for credit monitoring services they did not receive.

While the deceptive marketing was executed by the bank’s own staff, the unfair billing problem—which also earned FNB a $3 million penalty from the Office of the Comptroller of the Currency (OCC)—involved a vendor.

Specifically, it involved third-party vendor Affinion, which administered “Privacy Guard” and “IdentitySecure,” products FNB sold from 1997 to 2012 or 2013. These products were meant to monitor for identity fraud and give customers copies of their credit reports, but customers were required to “provide personal verification and consent” before service began. Many never turned in consent and never received the service, but were still charged its full price, the OCC says, and FNB is to blame.

That’s because regulators don’t distinguish between financial institutions and the entities they outsource to. Every bank—including FNB—is responsible for the actions of its vendors as though they were its own. In fact, the CFPB’s press release on the enforcement action never mentions a third-party vendor—just FNB. Only when you dig into the actual consent order can you find a mention of Affinion. Meanwhile, the OCC’s consent order requires FNB to improve governance of third party-vendors.

It also didn’t matter that FNB stopped selling the product in 2012 or 2013—perhaps cutting ties after a probe into Affinion’s practices resulted in Capital One paying a $210 million settlement—one of the CFPB’s first big enforcement actions. Meanwhile US Bank was fined $57 million in 2014 for unfair billing of the product, and last year the CFPB fined Affinion $10 million for “for unfairly charging consumers for credit card add-on benefits they did not receive.”

FNB has changed its ways, but it still has to deal with the consequences of its earlier behavior. Fortunately, the bank knew a penalty was coming and had been putting aside cash for the past two years, the bank president told the Omaha World-Herald. He also took responsibility, saying, “While the bank did not intentionally mislead our customers, our oversight of the products and the vendor that administered these products was lacking.”

If only FNB has taken more responsibility for vendor management a decade ago, it might not be paying to clean up a mess today.

Topics: Risk & Compliance, Integrated Risk Blog

Share This Page
Search Blog
    subscribe to nsight blog