What We Know

Bad System Conversion Leads to CFPB Consent Order for Prepaid Card Provider and Vendor

February 27, 2017 | by Caren D. Enloe

The CFPB continues to flex its muscle and expand its reach, this time punishing a prepaid card provider and its vendor for a conversion to a new system that did not go as planned. The consent order, which was entered into without any admission of liability, requires UniRush and its vendor/payment processor to pay an estimated $10 million in restitution to affected consumers and a civil monetary penalty of $3 million.

According to the Consent Order, the problems began with a conversion by UniRush to a new payment processor owned by Mastercard. Despite having engaged in pre-conversion testing and multiple mock tests in preparation for the actual conversion, the conversion did not go as planned. Instead, the conversion took longer than expected and led to a number of issues for consumers. Further, despite having hired additional agents to meet an anticipated spike in customer needs, UniRush could not meet the increased customer service demand.

Of concern is the CFPB’s finding that UniRush engaged in unfair and deceptive practices by failing to ensure pre-conversion testing by its vendor. The CFPB found UniRush had engaged in unfair and deceptive practices despite noting that:

  • UniRush tested the payment processing services provided by its vendor in the months prior to conversion; and
  • UniRush’s requests to conduct a full additional mock conversion to validate and process new data files was denied by the vendor and instead, the vendor confirmed the data was formatted properly.

Despite these findings, the CFPB found that “UniRush failed to prepare a contingency plan that would enable it to scale its customer service response to meet the increased demand on its customer service system that resulted from the service disruptions it experienced following the conversion.” The CFPB concluded that “UniRush’s acts or practices in preparing for the payment processor conversion caused or were likely to cause substantial injury to consumers that was not reasonably avoidable or outweighed by countervailing benefits to consumers or to competition.” Consent Order, ¶ 35.

The Consent Order focuses, among other things, upon what the CFPB deemed to be an inadequate incident response program. The Order makes clear that the CFPB will not allow covered entities to rely solely on their vendors to ensure system conversions go as planned and the need for businesses to have plans in place to deal with system failures or service disruptions.

The Consent Order provides guidance for others in the financial services sector as to the CFPB’s expectations regarding response programs in place any time there is a system conversion which may impact consumers.  The Consent Order suggests that entities, at a minimum, should have:

  • An incident plan in place which includes the following documented phases:
  • A preparation phase that ensures entities have a response plan in place prior to any incident;
  • A documented identification phase that verifies whether an incident has happened and details the incident;
  • A containment phase that ensures that after the incident has been identified and confirmed, information from the incident handler is effectively shared with all relevant stakeholders, both internal and external;
  • An eradication phase that ensures that after containment measures have been taken, the entity identifies the root cause of the incident and eradicates it; and
  • A recovery phase that ensures affected systems or services are restored to the conditions specified in their service delivery objections or business continuity plan.
  • A disaster recovery plan reasonably designed to ensure it can restore data in the event of a systems failure in a manner that minimizes program or service disruptions likely to have an adverse impact on consumers;
  • A contingency plan reasonably designed to ensure that its customer service can respond within a reasonable time to increased consumer calls or emails in the event of a systems failure or service disruption that will adversely impact consumers; and
  • Policies and procedures reasonably designed to ensure the dissemination of timely and accurate information necessary for consumers in the event of a systems failure or service disruption.

Caren Enloe leads Smith Debnam’ s consumer financial services litigation and compliance group. In her practice, she defends consumer financial service providers and members of the collection industry in state and federal court, as well as in regulatory matters involving a variety of consumer protection laws.  Caren also advises fintech companies, law firms, and collection agencies regarding an array of consumer finance issues. An active writer and speaker, Caren currently serves as chair of the Debt Collection Practices and Bankruptcy subcommittee for the American Bar Association’s Consumer Financial Services Committee. She is also a member of the Defense Bar for the National Creditors Bar Association, the North Carolina State Chair for ACA International’s Member Attorney Program and a member of the Bank Counsel Committee of the North Carolina Bankers Association. Most recently, she was elected to the Governing Committee for the Conference on Consumer Finance Law. In 2018, Caren was named one of the “20 Most Powerful Women in Collections” by Collection Advisor, a national trade publication. Caren oversees a blog titled: Consumer Financial Services Litigation and Compliance dedicated to consumer financial services and has been published in a number of publications including the Journal of Taxation and Regulation of Financial Institutions, California State Bar Business Law News, Banking and Financial Services Policy Report and Carolina Banker.  ...LEARN MORE

Shape919.250.2000 Shapemail@smithdebnamlaw.com noun_20940@smithdebnamlaw