Pub. 11 2016-2017 Issue 6

www.nebankers.org 14 Extraordinary Service for Extraordinary Members. ■ Counselor’s Corner — continued from page 13 reasonably attainable goal. Effective plans to mitigate adverse customer impacts are crucial. Does anyone think the CFPB or other regulators will not ask about testing and contingency planning when customers are seri- ously impacted by the next failure to achieve perfection? UniRush is expected to have an incident response program with a preparation phase, a documented identification phase, a containment phase, an eradication phase, and a recovery phase. This is in addition to disaster recovery plan- ning and contingency planning to ensure customer service can respond within a reasonable time to increased volume. 4 Vendor Management, Vendor Management, Vendor Management Does this sound like a broken record (the kind that gets tuned out after a while)? Once again, a consumer financial services provider is zapped with an enforcement action arising out of activities that involved a service provider. The lesson is not that banks’ service providers keep get- ting them in trouble. Consumer financial service products require a lot of machinery to run smoothly in the back- ground. Banks are not always the ones operating all that machinery. When they rely on others to do so, they must accept ultimate responsibility. It is not clear what exactly UniRush may have done wrong with regard to vendor management. It is interesting to note, however, that the CFPB did not merely refer to its past service provider guidance relevant to customer-facing service providers and consumer compliance. The Consent Order requires UniRush in general terms to monitor and supervise its service providers, including via on-site visits (with or without notice), document collection, interviews of service provider personnel, monitoring of complaints, and oversight of curative action. None of this should be news; the broken record continues to play. If they haven’t already, bank product teams (not just vendor management and internal audit departments) must hear this message. Negligence = Unfairness? What is the main message of the RushCard Consent Or- der? Does this Consent Order mark something new, where negligence becomes actionable unfairness? Legally actionable unfairness has a long history and did not start with Dodd-Frank. The Federal Trade Com- mission (FTC) Act passed in 1914 made unfair competi- tion unlawful. Some decades passed before Congress recognized that consumer protection (not just business competition) should be covered. For a long time, the FTC generally did not distinguish between unfairness and deception. An early formulation of unfairness (adopted in connection with cigarette advertising) included, among oth- er things, consideration of whether a practice was unethical, immoral, oppressive, or unscrupulous. Eventually, the FTC arguably overreached in this area in connection with a proposed ban on certain advertising to children. There was a backlash against the FTC acting as a “National Nanny.” Congress reacted by refusing to fund the agency and the FTC had to close its doors briefly. Eventually, the FTC adopted a 1980 policy statement on unfairness that found its way into the FTC Act, and ultimately into Dodd-Frank. 5 Modern unfairness requires substantial consumer injury, not outweighed by countervailing benefits, which is not reasonably avoidable by the consumer. 6 The use of unfairness in financial services also has a fairly long history. Unfairness was a basis for the holder in due course rule (to preserve consumer claims and de- fenses), the credit practices rule (to prohibit confessions of judgment, wage assignments, pyramiding of late charges, etc.), and the Telemarketing Sales Rule. Unfairness also has been used in various enforcement actions, including actions pertaining to processing consumer payments, mak- ing certain unilateral contract modifications, and certain loan servicing practices. 7 According to the Consent Order, poor project imple- mentation was unfair and therefore unlawful. This differs from past enforcement actions where unfairness determi- nations were grounded on intentional decisions to take certain actions. Perhaps the CFPB is not acting as a “na- tional nanny” but in this Order, it seems to assume the role of federal arbiter of proper project management. Is the CFPB the appropriate authority for specifying reasonable business practices? If negligence is an Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) violation, does the three-part test for unfairness (substantial injury, not out- weighed by a benefit, which is not reasonably avoidable) help guide a bank in trying to figure out how careful it must be? Or is the CFPB really saying that banks will be liable for failed technology implementations that satisfy the three-part test, regardless of how careful they are in the lead-up? Some initial reactions to the Consent Order have questioned whether it means there is no room for error in technology implementations. If so, the financial services business begins to look like a strict liability industry when it comes to technology implementations. Banks negotiating for technology implementation services should contemplate the possibility of a failed implementation with follow-on litigation and enforcement action. That prospect should be addressed in relevant con- tract provisions on service provider duties, limitations of liability, and indemnity, if possible. Effective Regulation by Enforcement