The Consumer Financial Protection Bureau Celebrates First Birthday By Flexing Its Enforcement Muscles: Settlement Costs Capital One $210 Million

by Pepper Hamilton LLP

[authors: Stephen G. Harvey and Leah J. Greenberg]

Financial institutions have spent a year anticipating and predicting when the Consumer Financial Protection Bureau (CFPB) would put its broad enforcement powers to use. The anticipation ended on July 18, 2012, when the CFPB announced its first enforcement action with the entry of a consent order against Capital One Bank. See Stipulation and Consent Order, available at /f/201207_cfpb_consent_order_0001.pdf. The subject of the consent order was Capital One’s marketing practices for credit card add-on products, such as payment protection and credit monitoring. Capital One used third-party agents to market these products. The CFPB alleged that Capital One’s third-party agents used deceptive marketing tactics to pressure or mislead consumers to pay for these add-on products and that Capital One had failed to provide proper oversight. In a press release, Capital One stated that its “third-party vendors did not always adhere to company sales scripts and sales policies for Payment Protection and Credit Monitoring products, and the bank did not adequately monitor their activities.” As part of its settlement with the CFPB, Capital One will refund $140 million to customers and pay a $25 million penalty to the CFPB. In addition, Capital One’s prudential regulator, the Office of the Comptroller of the Currency (OCC), assessed a $35 million civil penalty and ordered a $10 million refund, in addition to that required by the CFPB. In total, the enforcement action cost Capital One $210 million, ten times more than the largest settlement ever obtained by the Federal Trade Commission.

In existence for just over a year, the CFPB was created by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. It aims to consolidate federal consumer financial protection authority and, in its own words, “watch[] out for American consumers in the market for consumer financial products and services.” The CFPB has a range of powers including the power to write regulations under federal consumer financial laws and the power to gather information about matters relating to financial services. Among other things, it receives consumer complaints (more than 45,000 so far this year), maintains a database of consumer complaints, and shares complaints with other federal and state agencies.

The CFPB also has the power to supervise (i.e., conduct periodic examinations) and bring enforcement actions against a wide range of financial services companies with respect to the federal consumer financial laws. This includes banks, thrifts, and credit unions with more than $10 billion in assets (and their affiliates and service providers) as well as certain nondepository entities that had never before been subject to supervision by any federal financial regulators, such as nonbank mortgage lenders, servicers, and brokers; payday lenders; student lenders; and others.1 The combination of supervisory and enforcement powers is significant because information obtained through the supervisory process can quickly become the basis for an enforcement action, as was the case with Capital One.

The CFPB used its supervisory power to initiate an investigation into Capital One’s marketing practices for add-on products. Through this investigation, the CFPB found that Capital One’s call center representatives used deceptive and inconsistent marketing tactics to pressure consumers into purchasing add-on products, including “payment protection,” which allows consumers to request that the bank cancel up to 12 months of minimum payments if they encounter certain life events like unemployment and temporary disability; debt forgiveness in the event of death or permanent disability; and “credit monitoring,” with services such as identity-theft protection, access to “credit education specialists,” and, in some cases, daily monitoring and notification.

The CFPB Consent Order with Capital One requires it to cease and desist from any further marketing and solicitation of add-on products until it submits a compliance plan to the CFPB, pay restitution and a civil penalty, and hire an independent auditor to verify compliance. The Consent Order does contain a provision that Capital One does not admit liability, which could be useful in any civil litigation brought by consumers.

In an effort to put companies on “notice” of permissible practices for the marketing of add-ons and other similar consumer financial products, the CFPB also issued a compliance bulletin addressing the CFPB’s concern about credit card add-on products and providing guidance for best practices related to these products. While the bulletin specifically focuses on add-on products, its recommendations can serve as guidance for the marketing of similar products. Specifically, it notes that if an institution uses call center marketing it should have explicit scripts from which no deviation is permitted. It also suggests increased oversight of third-party service providers and training programs for employees.

Pepper Points

Clearly, the CFPB intended the Capital One settlement to be a warning to industry. CFPB Director Richard Cordray said in a press release: “We are putting companies on notice that these deceptive practices are against the law and will not be tolerated.” Financial services companies subject to the CFPB’s supervisory and enforcement jurisdiction would be well advised to take note of the Capital One settlement and consider whether they can take appropriate action to prevent themselves from becoming the target of a CFPB enforcement action before it’s too late. The CFPB has a broad range of enforcement tools and options, including the power to bring an administrative or a federal court action and the power to issue subpoenas and civil investigative demands. It also has a range of remedies that it can use to force a settlement, such as civil money penalties of up to $1 million per day for willful violations; rescission, reformation, refunds, and restitution; disgorgement and damages; and limitations on the activities or functions of a financial services company. The only remedy not available to it is punitive damages, but even without that option it still has plenty of muscle to force a settlement.

Companies subject to the CFPB’s jurisdiction should be proactive in ensuring that their practices comply with CFPB regulations and guidance, such as the bulletin issued with the Capital One Consent Order. They should establish best practices and compliance mechanisms. And, if they become aware of non-compliance, they should take quick and effective action to correct the situation and thereby avoid the possibility of crushing penalties imposed by the CFPB.


1 The CFPB’s supervisory authority over nonbank entities includes nonbanks (and the service providers of such nonbanks) that offer or provide to consumers: (1) origination, brokerage, or servicing of residential mortgage loans secured by real estate, and related mortgage loan modification or foreclosure relief services; (2) private education loans; and (3) payday loans. In addition, the CFPB has the authority to supervise any “larger participant of a market for other consumer financial products or services,” as defined by rule by the CFPB. On July 20, 2012, the CFPB issued a final rule to define larger participants of a market for consumer reporting. This is the first in what the CFPB intends to be a series of rules to define “larger participants” of specific markets for purposes of establishing, in part, the scope of coverage of the CFPB’s nonbank supervision program.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pepper Hamilton LLP | Attorney Advertising
