The CFPB continues to flex its muscle and expand its reach,
this time punishing a prepaid card provider and its vendor for a conversion to
a new system that did not go as planned.
The consent order, which was entered into without any admission of
liability, requires UniRush and its vendor/payment processor to pay an
estimated $10 million in restitution to affected consumers and a civil monetary
penalty of $3 million.
According to the Consent Order, the problems began with a
conversion by UniRush to a new payment processor owned by Mastercard. Despite having engaged in pre-conversion
testing and multiple mock tests in preparation for the actual
conversion, the conversion did not go as planned. Instead, the conversion
took longer than expected and led to a number of issues for consumers. Further, despite having hired additional agents to
meet an anticipated spike in customer needs, UniRush could not meet the
increased customer service demand.
Of concern is the CFPB's finding that UniRush engaged in unfair and deceptive practices by failing to ensure pre-conversion testing by its vendor. The CFPB found UniRush had engaged in unfair and deceptive practices despite noting that:
· UniRush tested the payment processing services provided by its vendor in the months prior to conversion; and
· UniRush's requests to conduct a full additional mock conversion to validate and process new data files were denied by the vendor; instead, the vendor confirmed that the data was formatted properly.
Despite these findings, the CFPB found that “UniRush failed to prepare a
contingency plan that would enable it to scale its customer service response to
meet the increased demand on its customer service system that resulted from the
service disruptions it experienced following the conversion.” The CFPB concluded that “UniRush’s acts or
practices in preparing for the payment processor conversion caused or were
likely to cause substantial injury to consumers that was not reasonably
avoidable or outweighed by countervailing benefits to consumers or to
competition.” Consent Order, ¶ 35.
The Consent Order focuses, among other things, upon what the CFPB deemed to be an inadequate incident response program. The Order makes clear that the CFPB will not allow covered entities to rely solely upon their vendors to ensure that system conversions go as planned, and that businesses need to have plans in place to deal with system failures or service disruptions.
The Consent Order provides guidance for others in the
financial services sector as to the CFPB’s expectations regarding response programs in place any time there is a system conversion which may impact consumers. The Consent Order
suggests that entities, at a minimum, should have:
· An incident plan in place which includes the following documented phases:
    · A preparation phase that ensures entities have a response plan in place prior to any incident;
    · A documented identification phase that verifies whether an incident has happened and details the incident;
    · A containment phase that ensures that, after the incident has been identified and confirmed, information from the incident handler is effectively shared with all relevant stakeholders, both internal and external;
    · An eradication phase that ensures that, after containment measures have been taken, the entity identifies the root cause of the incident and eradicates it; and
    · A recovery phase that ensures affected systems or services are restored to the conditions specified in their service delivery objectives or business continuity plan.
· A disaster recovery plan reasonably designed to ensure it can restore data in the event of a systems failure in a manner that minimizes program or service disruptions likely to have an adverse impact on consumers;
· A contingency plan reasonably designed to ensure that its customer service can respond within a reasonable time to increased consumer calls or emails in the event of a systems failure or service disruption that will adversely impact consumers; and
· Policies and procedures reasonably designed to ensure the dissemination of timely and accurate information necessary for consumers in the event of a systems failure or service disruption.