Outsourced Call Center Violates Consumer Protection Laws: Bank Liable for $200 Million
Do you have a “Compliance Management System” to prevent “unfair deceptive abusive acts and practices” (UDAAP) by your call centers? You might need one now, especially for credit cards, and other consumer financial products.
Businesses that use, manage or deliver call center services (and other “service providers” to financial institutions such as transaction processors) now have a new roadmap for operational excellence. If they neglect the roadmap, they risk legal enforcement action against unfair trade practices, illegal sales scripts, booking sales to unqualified buyers, deceptive bill collection services and abuses in marketing credit cards and other consumer financial products. The roadmap was set forth in a Stipulation and Consent Order against Capital One Bank (U.S.A.), N.A. (the “bank”) in July 2012.
“Capital One is strengthening its internal quality control processes and its monitoring of its vendors.” With these humble words, Capital One Bank (U.S.A.), N.A. announced on July 18, 2012, its Stipulation and Consent Order to pay customers $140 million in restitution plus interest, plus $60 million in regulatory civil penalties, for consumer fraud and deceptive practices by the bank and its call center vendors. The bank did not admit or deny the allegations.
Regulatory Action. On July 16, 2012, the bank signed a consent decree with the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) to resolve “previously disclosed” issues related to Capital One’s inadequate oversight of outsourced call center vendors’ sales practices relating to Payment Protection and Credit Monitoring products offered in connection with credit card services. The bank acknowledged that it had not adequately monitored its outsourced call centers. The bank effectively admitted that, between August 2010 and January 2012, its “third party vendors did not always adhere to company sales scripts and sales policies for Payment Protection and Credit Monitoring products.”
Consumer Protection Laws. The case is the first enforcement action by the new CFPB, which was established to enforce the Dodd-Frank Consumer Financial Protection Act, 12 USC 5481 et seq. (“Dodd-Frank”) and other consumer financial laws, 12 USC 5481(14). The OCC enforced Section 5 of the Federal Trade Commission Act, which prohibits any deceptive trade practices, for harm to additional consumers by unfair billing practices between May 2002 and June 2011. The OCC’s enforcement under the FTC Act makes clear that all businesses and all call centers must respect the compliance principles set forth in the Capital One consent order.
Compliance Program. As discussed below, the bank agreed to a compliance program involving changes in call center scripts and sequencing of discussions with customers, mandatory disclosures to customers, post-call mailings, internal governance and external third-party monitoring, pre-contract and post-contract procedures and specific outsourcing contract provisions, internal and external training, audit trails and record keeping.
Restitution. The CFPB required Capital One to refund “approximately $140 million to all of the estimated two million consumers who either initially enrolled in a product on or after August 1, 2010, or who tried to cancel a product on or after August 1, 2010, but were persuaded to keep the product after speaking with a call center representative. In addition to the amount paid for the product, cardmembers will receive a refund of the associated finance charges, any over-the-limit fees resulting from the charge for the product, and interest.”
Civil Penalties. The bank also consented to pay civil penalties of $60 million ($25 million to the CFPB’s Civil Penalty Fund and $35 million to the OCC Civil Penalty Fund).
Deceptive Tactics. In its July 18, 2012 press release, the CFPB described the bank’s deceptive practices in detail:
“Through the supervision process, CFPB’s examiners discovered Capital One’s call-center vendors engaged in deceptive tactics to sell the company’s credit card add-on products. These products included “payment protection,” which allows consumers to request that the bank cancel up to 12 months of minimum payments – roughly one percent of their credit card balance – if they encounter certain life events like unemployment and temporary disability. It also provides debt forgiveness in the event of death or permanent disability. Another product was “credit monitoring,” with services such as identity-theft protection, access to “credit education specialists,” and, in some cases, daily monitoring and notification.
Consumers with low credit scores or low credit limits were offered these products by Capital One’s call-center vendors when they called to have their new credit cards activated. As part of the high-pressure tactics Capital One representatives used to sell these add-on products, consumers were:
- Misled about the benefits of the products: Consumers were sometimes led to believe that the product would improve their credit scores and help them increase the credit limit on their Capital One credit card.
- Deceived about the nature of the products: Consumers were not always told that buying the products was optional. In other cases, consumers were wrongly told they were required to purchase the product in order to receive full information about it, but that they could cancel the product if they were not satisfied. Many of these consumers later had difficulty canceling when they called to do so.
- Misled about eligibility: Although most of the payment protection benefits kicked in when consumers became disabled or lost a job, some call center representatives marketed and sold the product to ineligible unemployed and disabled consumers. Despite paying the full fees, they could not get all the benefits of payment protection; some later filed claims that were denied because their “loss” (e.g. loss of job or onset of disability) occurred prior to enrollment.
- Misinformed about cost of the products: Consumers were sometimes led to believe that they would be enrolling in a free product rather than making a purchase.
- Enrolled without their consent: Some call center vendors processed the add-on product purchases without the consumer’s consent. Consumers were then automatically billed for the product and often had trouble cancelling the product when they called to do so.”
Road Map for “Best Practices” for Call Center Operations and Monitoring. For at least a decade, U.S. bank regulators have required the banks to monitor and be responsible for the operations of their subcontractors such as call centers. This CFPB and OCC enforcement action is no different. It serves as a wake-up call for “best practices” in inbound (and outbound) call center selling, not only for regulated financial institutions, but also for any commercial business. The OCC’s reliance on the FTC Act means that any business must pay heed to this regulatory enforcement action.
The Capital One consent order contained a series of remedial actions under a Compliance Plan.
Enterprise-Wide Compliance Program. The compliance program must cover the entire enterprise that sells consumer products or services under Section 1036 of the Dodd-Frank act.
Application of Compliance Program to all “Service Providers.” Dodd-Frank requires covered financial institutions to be responsible for the actions of their “service providers.” Section 1002 of that law, 12 USC 5481(26), defines “services providers” broadly:
“(26) Service provider
(A) In general
The term “service provider” means any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that—
(i) participates in designing, operating, or maintaining the consumer financial product or service; or
(ii) processes transactions relating to the consumer financial product or service (other than unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes).
The term “service provider” does not include a person solely by virtue of such person offering or providing to a covered person—
(i) a support service of a type provided to businesses generally or a similar ministerial service; or
(ii) time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.
(C) Rule of construction
A person that is a service provider shall be deemed to be a covered person to the extent that such person engages in the offering or provision of its own consumer financial product or service.”
How to Avoid Further Deception. In its press release, the CFPB announced that it will not tolerate deceptive marketing practices, and financial institutions will be held responsible for the actions of their third-party vendors. “Companies engaging in deceptive practices will be expected to refund fees paid by consumers and, particularly where practices are widespread, pay an appropriate penalty.” The consent order (Para. 2) listed specific rules to avoid future deceptive practices:
“The Bank or its agents or representatives shall not make, or allow to be made, any material deceptive representation, statement, or omission, expressly or by implication, in the marketing materials, telemarketing scripts and/or sales presentation used to solicit any Cardmember or prospective Cardmembcr, or in any similar communication in connection with any Product, including but not limited to misrepresentations as to the following:
a. any and all fees, costs, expenses and charges associated with the Products;
b. that a product is optional and not required for the Cardmember to activate or use their credit card;
c. that a Product will improve a Cardmember’s credit score or assist them in receiving a credit limit increase on their Capital One Card;
d. that accessing the Payment Protection Product’s benefits requires no action by the consumer;
e. the benefits of Credit Monitoring Product;
f. any material conditions, benefits and restrictions related to the Products;
g. the purpose of sales calls and/or sales portions of servicing or other calls;
h. payment terms for a Product, including the actual date a Cardmember will be charged for a Product or incur charges for a Product; or
i. the balance upon which any fee or charge for the Payment Protection Product would be based and that the Cardmember will be charged a fee for the Payment Protection Product even if the Cardmember pays the outstanding balance in full on the due date thereof.”
Optional Purchases after Completion of Customer’s Requested Purchase. A call center cannot offer to sell “additional” services until the cardmember’s activation process was confirmed to be complete. (Para. 3)
Disclosure “Clearly and Prominently. In addition to defining what is a clear and prominent disclosure to a consumer, the CFPB defined it in terms for call center agents:
“As to information presented orally, [the disclosure must be] spoken or disclosed in a volume, cadence and syntax sufficient for an ordinary consumer to hear and comprehend.” (Para. 4). [Emphasis added.]
Scripts with Verbal Confirmation by Customer. The bank must develop scripts that “clearly and prominently” explain and accurately assess the customer’s eligibility for the offered products. Where the customer is not eligible, the customer must confirm that the specific conditions of ineligibility do not apply.
Scripts to Confirm Purchase, Charges to Credit Card, Cancellation Policy and Refund Policy. The scripts must cover these disclosures after the eligibility tests.
Script for Customer’s Affirmative Consent or Request. The script must require that the customer express an affirmative request or consent to the purchase, after the reading of disclosures required under Federal consumer financial laws. Such disclosures may be as described by the regulatory agencies.
Required Disclosures of Material Conditions of a Product or Service. “Under the Compliance Plan, for any Cardmembcrs who request information about a Product prior to purchasing it, the Bank shall provide the Cardmember with information about the Product, including but not limited to its material conditions, benefits and restrictions, and shall not condition in any way the provision of such materials on the Cardmember agreeing to purchase or enroll in a Product. The materials may be in electronic or hard copy format.”
Required Mailing of Confirmation within 3 Business Days. Under the Compliance Plan, within three business days after a Cardmember purchases a Product, the Bank shall mail the Cardmember a disclosure that clearly and prominently presents the following information:
“a. the fact that the Cardmember has purchased a Product, the date on which
the Cardmember purchased the Product and the amount of the fee for the Product;
b. the Product’s material conditions, benefits and restrictions;
c. the fact that the Cardmember’s credit card account has incurred fee charges for the Product and the date when those charges were first incurred, if applicable;
d. the date on which the Product fee charges will appeal on the Cardmember’s account statement;
e. the total cost of the Product, how the fee is calculated, and as to the Payment Protection Product, that the Cardmember will be charged a fee at the end of each billing cycle during which the Cardmember maintains a balance, regardless of whether the Cardmember pays the balance in full during the applicable grace period;
f. the Product’s cancellation policy and the phone number the Cardmember may use to cancel; and
g. the Product’s refund policy, including the date by which the Cardmember must cancel before incurring a fee. The Bank shall clearly and prominently include a message on the first periodic statement on which a Product charge appears that highlights inclusion of the charge, and notifies the consumer of the right to cancel. The statement shall be positioned in a clear and prominent manner and shall be in 12-point font or any larger type.”
Full Refund within 30 Days after Invoice. “For any Cardmember who requests cancellation of a Product within 30 days of receiving the first periodic statement on which a Product charge appears, the Bank shall issue a full refund of any and all charges related, to the Product, including any interest or finance charge that accrued to the account as a result of the Product charges.”
Cancellation upon Request (or Disclosure of Justification for Refusal to Cancel. “In any telephone conversation in which a Cardmember indicates, in substance, that he or she did not authorize a Product, the Bank shall either:
a. immediately agree to cancel the Product without attempting to re-sell the Product, and refund all of the Product fees and charges incurred by the Cardmember since enrollment; or
b. review whether the Cardmember authorized purchase of the Product. If the Bank determines that the Cardmember did not authorize purchase of the Product, the Bank shall refund all of the Product fees and charges incurred by the Cardmember since enrollment. If the Bank determines that the Cardmember did authorize the purchase of the Product, the Bank shall provide the Cardmember with all information providing the basis for this determination, including but not limited to any audio calls recording. The Bank shall make any such determination by reviewing all relevant information, including any audio recording, and this determination shall only be made by a Bank employee who is specifically trained to determine whether a telemarketing sales call complied with the provisions of this Consent Order and all other disclosures required by law.”
No Re-Sale Efforts if Customer Wants to Cancel. In any telephone conversation in which a Cardmember indicates, in substance, that he or she does not want, does not need, or wishes to cancel, a Product, the Bank shall immediately agree to cancel the Product without attempting to re-sell the Product.
Compliance Management System. The bank must update its “Compliance Management System” to include developing an enterprise-wide program to comply with Dodd-Frank’s consumer protection provisions.
New Products and Marketing Initiatives Governance (“NPMIG”). The bank must appoint a “NPMIG” “or other appropriate independent qualified group” within the bank to prepare a written analysis of the governance of consumer products that are at high risk for “unfair deceptive abusive acts and practices” (UDAAP) that are marketed or sold by the bank or through “service providers.” Such analysis must include:
- “any changes to the governance, control, marketing, sales, delivery, servicing and fulfillment of services for consumer products considered to be at high risk” of UDAAP
- “any new consumer products considered to be at high risk for UDAAP”
- “an assessment of the UDAAP risks of the product and the governance, control, marketing, sales, delivery, servicing and fulfillment of services for the product, including the marketing and sales for the product; and
- an evaluation of the adequacy of the bank’s internal controls and written policies and procedures to identify, measure, monitor and control the associated UDAAP risks”
Such analysis must be completed before implementing any changes to existing consumer products and prior to the involvement of the bank in any new consumer products.
Bank’s “Service Provider Management Policy.” Before entering into a contract with a bank “service provider,” the bank must conduct an internal analysis of its ability to perform the marketing, sales, delivery, servicing and fulfillment of services for the products in compliance with applicable consumer protection laws and the bank policies and procedures.
Terms of Call Center “Service Provider” Contracts. As already required under other federal banking regulations, for consumer protections, the “service provider” contract must set forth the following conditions:
(i) “the Bank Service Provider’s specific performance responsibilities and duty to maintain adequate internal controls over the marketing, sales, delivery, servicing, and fulfillment of services for the products;
(ii) the Bank Service Provider’s responsibilities and duty to provide adequate training on applicable consumer protection laws and Bank policies and procedures to all Bank Service Provider employees or agents engaged in the marketing, sales, delivery. servicing, and fulfillment of services for the product(s);
(iii) granting the Bank the authority to conduct periodic onsite reviews of the Bank Service Provider’s controls, performance, and information systems as they relate to the marketing, sales, delivery, servicing, and fulfillment of services for the product(s); and
(iv) the Bank’s right to terminate the contract if the Bank Service Provider materially fails to comply with the terms specified in the contract, including the terms required by this Paragraph”
Onsite Audits. The bank must conduct periodic onsite audits of the service provider’s controls, performance and information systems.
Recordkeeping. The consent order adopted a two-year recordkeeping period for individual records and a six-year period for records evidencing compliance with the consent order.
Further Analysis of Open Questions. The consent order and press release omitted the names of the call center operators, their geographical locations, the languages (whether English or Spanish), and the usual questions of liability of the call center service providers and indemnifications for losses due to consumer fraud. The case raises other questions, such as why the same alleged misconduct was persistent across multiple outsourced call center vendors.