When Fraud Risk Management Practices Lead To Consent Orders - A Lesson For Banks And Fintechs

By Christina Hunt-Fuhr

Recent Consumer Financial Protection Bureau (CFPB) and Office of the Comptroller of the Currency (OCC) enforcement actions against Bank of America BAC might seem narrow in scope due to their specificity, but their implications are broad.  The actions highlight how fraud risk management activities, even when well-intended (for example, to reduce the risk to a company’s earnings and capital arising from fraud losses), can lead to significant UDAAP concerns and consequences.  Banks and fintechs should carefully review their fraud risk management programs in the wake of these actions.

The CFPB Order specifically concerned the prepaid debit cards the bank provided to consumers to deliver unemployment insurance and other government benefits through contracts with 12 states. The CFPB found that a flawed fraud filter caused BofA to engage in unfair acts or practices and to violate the Consumer Financial Protection Act by improperly denying cardholders’ claims related to incorrect or unauthorized prepaid debit card transactions and freezing cardholder accounts (in some cases without proper notice to the cardholder).  The CFPB also found that BofA violated the Electronic Fund Transfer Act and its implementing Regulation E by failing to conduct reasonable investigations and to timely investigate and resolve the claims.  

The alleged transgressions aren’t cheap.  In terms of the obvious financial impact, BofA must:

• Pay back the money wrongly denied cardholders due to the faulty fraud filter;

• Provide each affected cardholder with a lump sum consequential harm payment determined through a methodology that considers the amount of time the cardholder’s account was frozen or blocked; 

• Provide affected cardholders the opportunity to receive additional redress through an individualized review process;

• Pay a $100 million dollar penalty to the CFPB, for deposit into the victims relief fund; and 

• Pay a $125 million dollar fine to the Treasury related to the OCC’s separate Order.  

There is also the significant cost and burden of complying with the CFPB’s additional requirements related to compliance and redress plans and Board oversight, and the OCC’s requirements related to:

• A Board Compliance Committee;

• An oversight and risk management program;

• An enterprise-wide complaints risk management framework;

• A contract approval and review process; and

• Internal Audit oversight.

As noted in the CFPB’s order, related to the prepaid debit cards, BofA: 

• Must not deny claims or freeze accounts solely based on the results of an automated fraud filter; and 

• Must, during the course of a claim investigation, reasonably consider all information relevant to a cardholder's claim, including, but not limited to, information within the bank’s own records.

While BofA’s case may seem egregious because it involved much needed relief funds at the height of the pandemic, it has broad implications that touch on fraud risk management strategies more generally, particularly strategies implemented to address newly identified fraud schemes or spikes in cardholder claims.  

While automation is essential to efficient fraud risk management and error resolution investigations, the potential for customer impact requires strong governance over these activities even when they are highly automated.  The OCC issued guidance regarding sound fraud risk management principles in 2019.  All institutions, regardless of their primary federal banking regulator, should review this guidance and take the following actions to reduce the risk of UDAAP claims related to their fraud risk management activities:

• Develop policies that establish clear roles, responsibilities, and minimum requirements;

• Establish key risk indicators for fraud to ensure alignment with the Board’s risk appetite;

• Conduct on-going monitoring to determine the effectiveness of fraud risk management activities, including the monitoring of false positive rates;

• Perform comprehensive risk assessments;

• Involve the risk and compliance functions in the review of new or modified fraud risk management strategies to assist with the consideration of risks and appropriate mitigating controls;

• Notify the customer service function of new or modified fraud rules and relevant customer resolution options to ensure customer service representatives are able to address customer concerns timely and effectively; 

• Communicate with customers with regard to any actions taken against their accounts and their options to resolve any account blocks; 

• Review complaints to identify any relevant trends and potential issues; and

• Subject the fraud risk management program to independent review by the internal audit function. 

In its order against BofA, the CFPB noted that the only time BofA took additional steps to assist customers with unfreezing their accounts was when the customers filed complaints through various third parties that reached the attention of bank executives.  Banks and fintechs need to treat all customers similarly, regardless of how loudly they speak up.  While fraud risk management strategies will always result in false positives and customer impacts, the key is to ensure good customers have simple and effective resolution options to reduce the potential for harm.