The CFPB recently issued a $37.5 million fine by consent order against a large national bank for using consumer data to open checking and savings accounts, credit cards, and lines of credit without customers’ consent or knowledge. According to the CFPB, the bank imposed sales goals on bank employees as part of their job requirements and implemented an incentive-compensation program that financially rewarded employees for selling products and services. These sales goals were used as a factor in evaluating employee performance and included a point-based system that assigned point values to products primarily based on the revenue that each product generated for the bank. The CFPB determined that this pressured and incentivized employees to engage in unlawful activity by accessing customers’ credit reports and sensitive personal data to apply for and open unauthorized accounts from 2010 to 2020. The CFPB’s investigation concluded that the bank knew that its incentive-compensation program and the pressure to meet sales goals led employees to open accounts without authorization, and that the bank lacked adequate procedures to prevent and detect unauthorized accounts.
Specifically, the CFPB found that the bank violated:
- the CFPA and TILA by opening deposit accounts, credits cards, and lines of credit without permission from customers;
- FCRA by accessing credit reports without a permissible purpose or customers’ permission; and
- the Truth in Savings Act by failing to provide the required disclosures in the course of opening the unauthorized deposit accounts.
In addition to the $37.5 million penalty, the consent order requires the bank to stop the practices and develop a plan to remediate all harmed consumers by forfeiting and returning all unlawfully charged fees and costs, plus interest. The accompanying press release can be found here.