Chris Willis and Joe Reilly delve into recent CFPB consent orders that penalize financial services companies for allegedly launching products before they were fully ready.
In this episode of The Consumer Finance Podcast, host Chris Willis and guest Joe Reilly delve into recent CFPB consent orders that penalize financial services companies for allegedly launching products before they were fully ready. They discuss the implications of these orders, the importance of thorough product testing and risk management, and the potential financial consequences of premature product launches. Tune in to learn valuable insights and best practices to avoid similar pitfalls in your organization.
The Consumer Finance Podcast – Launching a Product Too Soon? Lessons From Recent CFPB Orders
Host: Chris Willis
Guest: Joseph “Joe” Reilly
Date Aired: January 16, 2025
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper Locke's Consumer Financial Services Regulatory Practice. And today we're going to be talking about a couple of recent CFPB consent orders that seem to penalize financial services companies for releasing products onto the market "before they were ready." And we want to talk about what that means and what industry needs to be aware of with respect to these consent orders. But before we jump into that topic, let me remind you to visit and subscribe to our blogs, TroutmanFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. And don't forget about all of our other podcasts. We have FCRA Focus, all about credit reporting. The Crypto Exchange, obviously all about crypto. We have Unauthorized Access, our privacy and data security podcast. Payments Pros, which is all about the payments industry, and our auto finance podcast called Moving the Metal. All of those are available on all popular podcast platforms.
And speaking of those platforms, if you like this podcast, let us know. Leave us a review on the podcast platform of your choice and tell us how we're doing. Now as I said, we're going to be talking today about a couple of recent, what I consider to be somewhat unusual CFPB consent orders dealing with allegations by the Bureau that financial services companies sort of released products and put them out on the market before they were really ready to go. And joining me to talk about that is my partner, Joe Reilly, who's a member of our Consumer Financial Services Regulatory team and works out of our DC office. So, Joe, welcome to the podcast again today.
Joseph Reilly:
Thank you, Chris.
Chris Willis:
It's always great to be here on the podcast with you because you have such a great diverse set of knowledge to share with our audience. But let's talk first about what happened in these couple of consent orders. So, there was one involving a depository institution, and why don't you tell the audience what happened in that case?
Joseph Reilly:
Sure, Chris. The depository institution consent order, which was handed down by both the CFPB and the institution's prudential regulator, involved a change to the institution's virtual banking platform. That's a platform that customers can access in a web-based interface or through a mobile application interface. The institution hired a vendor to develop and install this new virtual banking platform, and unfortunately, the new platform crashed upon implementation. So customers could not access their accounts or make payments through the mobile application or the web-based interface. It took a week or so for the platform to come online in any form, but even when it did come back online, it lacked a lot of functionality and it actually took about six months from when it was first introduced until the point where it had adequate functionality. So according to the CFPB, the lack of access to the platform caused consumers to incur fees for failures to make timely payments on their credit obligations and it restricted access to their funds. And just generally, consumers could not effectively manage their accounts.
And so, in the CFPB's view, there was real consumer harm for the failure to get this platform online in a usable state. And in terms of legal theory, we'll talk a little bit about more particular facts behind the problems with this platform. But in terms of legal theory, the CFPB labeled this failure to implement an unfair practice, which of course, unfair imposes liability for an act or practice that causes substantial harm, which according to the CFPB this did, and also, which consumers cannot reasonably avoid. The CFPB also pretty plainly concluded that consumers could not avoid the harm here. So the CFPB was very critical of a number of actions taken by the institution that led to this problem. First, I want to start with service provider oversight. Unfortunately, the institution did not follow its usual protocols for requests for proposals, did not conduct its normal due diligence when it brought on the vendor who would install the platform.
And in addition, the vendor that the institution hired did not have experience with a platform of this complexity. I think the other key criticism of the CFPB is that the institution attempted to make the platform live despite a number of warning signs. Testing had indicated that the platform had a lot of bugs and a decision was made to do a fast follow on those bugs. In other words, put the platform into operation and try to fix the bugs later. And in addition, the institution's quality assurance officer would not sign off on the platform. And that was brushed aside on the theory that the quality assurance officer was overly risk averse. So a number of specific criticisms, but as you'll talk about Chris with the other example, we are seeing the CFPB look at the thoroughness of an institution's review of any new product or service before launch. And this was a specific example where the depository institution was fined and then shamed by the consent order.
Chris Willis:
And I think we will get into the other order in just a second, but just to react to what you mentioned, Joe, having that internal documentation essentially that things weren't ready and the quality control person wasn't signing off, and all that, just seems like such fodder for a regulator to CFPB or anybody else, honestly, who's looking to find fault with the decision later. And it seems to teach a pretty evident lesson that when you have that kind of internal discussion going on, that you launch at your peril, so to speak, because if things aren't perfect, then the case is sort of made against you that you did it knowingly in disregard of the risks, at least according to the regulator’s allegations in this case.
Joseph Reilly:
Right. And I would really suggest circulating this particular CFPB order to any team at a financial services institution that is designing a new product or a new service. The order really ticks off a list of things the CFPB found deficient, but that can turn into a checklist going forward for new products and services before they're launched.
Chris Willis:
Yeah. Well, let me just pick up with the theme on the other consent order that you alluded to, and I did too at the beginning of the program, which is also a recent one from the CFPB. This one involved a credit card issuer. And the allegations just in sort of the concept of them are so similar to the one that you described, Joe. The CFPB's allegation was that the credit card issuer launched a new card product, that there were specific functionalities of the product involving billing disputes that were not fully built out and not fully functional, and that the issuer decided to launch the product anyway because of the desirability of doing so.
And the Bureau then, of course, did an enforcement investigation and alleged that there were not just UDAP violations, as you mentioned in the depository institution case, but also violations of the Fair Credit Billing Act because that's what governs credit card billing disputes, then levied a pretty large civil penalty against the issuer arising from this sort of same alleged fact pattern of launching a product before it was fully baked and ready to go. So, I think we've now got two recent CFPB consent orders that drive this message home. And so, I think, Joe, what I'd like to ask and talk about with you next is what does that mean for financial services companies? This obviously isn't limited to any particular product, but what's the takeaway for people in the financial services business?
Joseph Reilly:
Yeah, I think there are a couple of takeaways. One is something that regulators have been focused on really for the past decade, and that is third-party oversight with all the third-party oversight guidance that the CFPB and the prudential regulators have issued. In the case of the allegations against the depository institution, there were just real failures to follow what the regulators expect in terms of vetting the vendor that they brought on. I think the CFPB even seems to think that the vendor was just unqualified because it never worked on something this complex before. The institution had a third-party oversight policy, but for some reason just didn't follow it in this particular case. And then I think the other takeaway and something the CFPB specifically focused on was a failure to follow what the CFPB called industry standard risk management engineering practices. In that case, the CFPB alleged that there was no formal statement of work covering the technical aspects of the platform. There were not risk and issue management plans and logs or enforceable benchmarks and completion standards. So really just your basic blocking and tackling when it comes to risk management engineering practices.
Chris Willis:
And I think reacting to the idea of the financial reason to move forward with the products, I think now we have to say to the industry in weighing the financial consequences of not launching a product, on the other side, there's weighing the potential financial consequence of launching the product if there are in fact functionality problems with it. Because the civil penalties in both of these cases were quite large. That has to enter the equation now, so to speak, and it can't be given a zero value in a future decision where a company's faced with a similar situation because I'm sure it will present itself again.
Joseph Reilly:
No question. I mean, look, to make money, you have to get products and platforms out in a reasonable timeframe, and sometimes that's reasonably quickly, but you just can't skip over following industry standards and standards from regulators or you're going to get into kind of trouble these two entities got themselves into.
Chris Willis:
Yeah, and let me address one other thing too. Both of these are coming sort of at the very tail end of this administration. And so there might be a view among some in the industry that, well, this is just a feature of the Rohit Chopra CFPB, and we're not going to see this kind of punitive action by the CFPB under a Republican administration, but I'll just put my own view in on that, which is I don't believe that's something we should rely on because this is a theme that I think could easily have been acted upon by the last Trump-era CFPB. There were certainly instances when the CFPB of 2017 to 2021 found inappropriate conduct and levied large penalties, including against large financial institutions. And so I personally don't view this one as idiosyncratic to the tail end of the current administration. And I personally also believe that this is one that has a warning for industry that will transcend into the next administration. I don't know how you feel about it, Joe.
Joseph Reilly:
No, I agree. And I think there's also an indication of that from the fact the prudential regulator also participated in the proceedings against the depository institution.
Chris Willis:
So I think the takeaway for industry is this is something that regulators are now going to be especially on the lookout for having seen it in two public consent orders. And that's not just the CFPB looking for it in the future, but the FTC, the state attorneys general, even the prudential regulators. And so I think it calls for heightened attention from companies that are in the industry to make sure that they're not putting themselves in harm's way by launching when they have these internal signs that the product may not be quite ready for prime time.
So Joe, thank you for being on the podcast today, and thanks for sharing your insights and experience with respect to this issue with our audience. And of course, thanks to our audience for listening in today as well. Don't forget to visit and subscribe to our blogs, TroutmanFinancialServices.com And ConsumerFinancialServicesLawMonitor.com. And while you're at it, why not visit us on the web at troutman.com and add yourself to our Consumer Financial Services email list? That way we can send you copies of the alerts and advisories that we send out from time to time, as well as invitations to our industry only webinars that we also hold. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.