By Mary Crotty, freelance writer for banks and third-party service providers
Over the course of the last nine days, two financial institutions have settled allegations by federal regulators that their disclosures constituted unfair and deceptive acts or practices, otherwise known as UDAP.
FDIC Settles with The Bancorp Bank
On March 7, the Federal Deposit Insurance Corporation (FDIC) published a settlement agreement with The Bancorp Bank, an issuer of prepaid cards to non-bank entities. In addition to a $2 million civil money penalty, the institution must also pay almost $1.3 million in restitution to approximately 243,000 impacted consumers.
The alleged violations of unfair and deceptive practices, which the bank neither admits nor denies as part of the settlement agreement, involve multiple laws and regulations.
First and foremost is the violation of “Section 5 of the Federal Trade Commission (FTC) Act as a result of practices regarding the disclosure and assessment of transaction fees for point-of-sale signature-based transactions without a personal identification number” for debit and other reloadable cards. Specifically, “transactions assessed on behalf of the Bank by the Bank’s third party payment processor for PINless transactions were greater than the Bank disclosed to consumers for such transactions.”
In addition, the settlement order claims that the alleged unfair and deceptive practices violated the Electronic Fund Transfer Act, Regulation E, the Truth in Savings Act, Regulation DD, and the Electronic Signatures in Global and National Commerce Act.
This case also underscores the importance of financial institutions implementing and maintaining adequate vendor management risk programs. The FDIC noted the bank’s ultimate responsibility for compliance in its press release, saying that, “As the issuing bank for these various prepaid cards, The Bancorp Bank was responsible for ensuring that these programs were operating in compliance with all applicable laws.”
FTC Proposes Settlement with PayPal
On February 27, the Federal Trade Commission (FTC) issued a press release announcing its Consent Order against fintech PayPal in regard to consumer disclosures related to its peer-to-peer payment service known as Venmo. The order, published in the Federal Register on March 5, requests comment from the public through March 29. Based on the comments collected, the FTC will either move forward with the Consent Order or “withdraw it and take appropriate action.”
As published within the Federal Register, the order outlines five key areas where the alleged unfair and deceptive practices violated Section 5 of the FTC Act and the Gramm-Leach-Bliley Act (GLBA).
- Timing of Credited Funds: The FTC alleges that Venmo “represented to consumers that money is credited to their Venmo account and can be transferred to an external bank account after other Venmo users have sent funds to those consumers but failed to disclose, or failed to disclose adequately, that funds could be frozen or removed because Venmo has not yet approved the underlying transaction.”
- Privacy Settings: The order asserts that the fintech “failed to disclose material information to consumers about the operation of Venmo’s privacy settings.”
- Security Systems: “Venmo represented until approximately March 2015 that it protected consumers’ financial information with ‘bank grade security systems’ but in fact failed to implement basic safeguards necessary to secure consumer accounts from unauthorized transactions and did not provide ‘bank grade security’.”
- Privacy Notice: Among other things, Venmo failed “to provide users with a clear and conspicuous initial privacy notice” in violation of the GLBA Privacy Rule and Regulation P.
- Information Security: Finally, the FTC claims that Venmo “violated GLBA’s Safeguards Rule by failing to have a comprehensive written information security program before August 2014,” and by “failing to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of consumer information.”
The FTC order requires that PayPal implement various measures within Venmo to remediate the alleged violations going forward. These include the prohibition of further disclosure misrepresentations and violations of the GLBA’s Privacy and Safeguards rules. It also requires Venmo to provide “clear and conspicuous” disclosures about the availability of funds and consumer privacy, as well as to “obtain biennial data security assessments for 10 years.” The order is to remain in effect for 20 years.
UDAP and UDAAP Violations Frequently Intersect with Those of Other Regulations
In both of these cases, the underlying violation of UDAP within consumer disclosures coincided with violations of several other laws. This is not unusual with UDAP or with Unfair, Deceptive and Abusive Acts or Practices (UDAAP), its Dodd-Frank-mandated cousin. Ultimately, UDAP and UDAAP provide federal regulators an additional vehicle through which they can impose monetary and/or reputational punishments for alleged unfair and misleading actions toward consumers.