For the past few years, prudential bank regulators have hit banks with enforcement actions over consumer compliance concerns involving third-party technology partnerships. But a duo of October enforcement actions raises the specter of a new enforcement body scrutinizing partnerships — the Consumer Financial Protection Bureau.
The CFPB’s interest in third-party partnerships only heightens the scrutiny banks and credit unions face on these projects. While it’s unclear how President-elect Donald Trump and his nominee to the CFPB will approach supervision and enforcement, advisors say financial institutions must remain vigilant when dealing with third-party partnerships and their customer impact.
On Oct. 23, the CFPB issued enforcement actions against Goldman Sachs Bank USA and Apple for their credit card partnership. According to the CFPB’s press release, Goldman Sachs Bank and Apple launched the Apple Card despite warnings shared with the bank’s board of directors that the card’s dispute system had tech issues and wasn’t fully ready. Once live, the dispute system caused long waits for consumers to receive refunds for disputed charges, and some consumers had incorrect negative information added to their credit reports. The CFPB assessed Apple a civil money penalty of $25 million. Goldman must pay at least $19.8 million in redress to consumers and a $45 million civil money penalty, and is banned from launching a new credit card until it can provide “a credible plan” that the product will comply with applicable laws.
“We worked diligently to address certain technological and operational challenges that we experienced after launch and have already handled them with impacted customers,” says a Goldman Sachs spokesperson in an emailed statement to FinXTech. “We are pleased to have reached a resolution with the CFPB and are proud to have developed such an innovative and award-winning product alongside Apple.”
On Oct. 31, the CFPB issued an enforcement action against Jacksonville, Florida-based VyStar Credit Union, which had $14.72 billion in assets as of July, for consumer harms associated with a failed online and mobile banking conversion in 2022. In a press release, the agency cites VyStar’s management and governance failures as contributors to the premature and failed launch, which “made it difficult for credit union members to perform basic banking functions for weeks, with some features unavailable for more than six months.”
The failed conversion deprived consumers of access to their money and accounts, and the credit union also struggled to accommodate members in other channels, such as the telephone, the agency said. The CFPB assessed a $1.5 million fine and ordered the credit union to ensure it had correctly identified and refunded fees to consumers associated with the outage.
“VyStar’s intent was always to provide an enhanced banking experience for members by making improvements to its online and mobile banking platforms,” reads part of the credit union’s statement to FinXTech. “When disruptions occurred during the conversion process, VyStar moved swiftly to mitigate any impact on its members and ensure that no member suffered financial harm as a result of the outage. Additionally, VyStar proactively worked in good faith to address regulatory inquiries.”
The statement specifies that the credit union, without regulatory prompting, “proactively and voluntarily” reimbursed or waived all of its fees until services were restored, initiated a process for reimbursement of any third-party fees incurred as a result of the outage and paused credit reporting during the outage.
Consumer reliance on mobile banking heightens the risks that financial institutions must manage. In the Federal Deposit Insurance Corp.’s recently released 2023 National Survey of Unbanked and Underbanked Households, nearly half of respondents in households that had a bank account in 2023 said mobile banking was the primary way they accessed their account, and 70% said remote channels like online, mobile or telephone banking were the primary way they accessed their account.
Andrew Grant, a regulatory attorney at Runway Group, notes that both financial institutions receiving enforcement actions faced “contractual financial risk” in the form of financial penalties for missed deadlines and delayed launch dates. The CFPB found that Goldman’s partnership agreement gave Apple the right to impose a $25 million penalty for each 90-day delay caused by the bank. VyStar had been under the gun to replace its digital platform or face a $1 million monthly cost associated with an upgrade of its existing platform.
Grant says financial institutions interested in third-party partnerships need to know what they’re agreeing to and how that contract could dictate their incentives and actions as they move forward.
“You can suffer harm, not just from the contract, but also from using that as your barometer to make decisions,” he says.
While the institutions in these orders are under the agency’s direct supervisory authority, smaller financial institutions are still subject to the bureau’s enforcement powers when it comes to unfair, deceptive or abusive acts or practices, or what’s commonly known as UDAAP. The inability to access banking services isn’t inherently abusive or unfair, Grant says, but the denial of access created subsequent consumer harm.
Serious or numerous consumer complaints submitted to the CFPB’s complaint database involving institutions under $10 billion in assets could lead to an agency inquiry, such as a civil investigative demand, says Grant. A civil investigative demand is a type of subpoena that permits federal agencies to request information without going through formal court processes.
The CFPB’s orders draw an “important” link between how poor project management and financial incentives can lead to operational risk and consumer harm, says Jonah Crane, a partner at financial advisory firm Klaros Group. The project management failures are especially interesting to Crane, given that Klaros works with financial institutions to launch projects and programs with third parties. He says executives undertaking projects like these may have to modify their implementation and testing programs, given the new risks they face.
“If you’re doing something for the first time, you need to be extra clear on where the potential gaps might be and extra rigorous in terms of your testing before anything goes live,” he says.
Crane is working with a bank that is launching a new program with an existing partner and says the amount of testing they’ve done is “intense.” The project is already two months behind the targeted launch date, and the bank still isn’t ready to launch. But, he says, that’s something “everybody’s got to live with because it’s the responsible thing to do.”