Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take On Payments and look forward to collaborating with you.
February 29, 2016
Warning! This Vehicle Has Been Immobilized
Imagine my frustration when, after a long day at work followed by a nice dinner catching up with an out-of-town friend, I found my vehicle booted in a parking lot 30 miles from home, at 9 p.m. on a Tuesday. The boot immobilized my car because I violated a 6 p.m. curfew. Those details were printed in small print on the receipt I received after paying the automated kiosk and did not read. I pleaded with the boot company attendant to waive the $75 removal fee, to no avail. He was a third party to the lot owner. A man who lived in the apartment building next door was walking his dog and sympathetically shouted, "This happens all the time."
Being deceived is damaging, especially when it comes with a price tag. I felt like a victim. In fact, deceptive acts or practices are unlawful under Section 5 of the Federal Trade Commission (FTC) Act and Section 1031 of the Dodd-Frank Act. Deception is defined as a representation, omission, or practice that is likely to mislead a consumer acting reasonably in the circumstances, to the consumer's detriment.
Deception—or alternatively, forthrightness—is circumstance-driven and involves subjectivity, leading us to base judgments on precedent and personal perspective. A practice can't be judged deceptive with a simple yes or no. The FTC and federal banking regulators have applied deception interpretation standards through case law, official policy statements, guidance, examination procedures, and enforcement actions.
Two recent interpretations came by way of consent orders from the Federal Deposit Insurance Corporation (FDIC) at the end of December 2015, both involving deceptive practices. My analysis mixes in themes from recent proposed regulation. Deception appears to exist when layered circumstances mislead and cause injury, and when consumers may have chosen differently but for deception. The orders state that (1) consumers shouldn't be forced into receiving funds via one payment type; give them a choice; (2) before consumers make a choice, give them information about fees, features, and limitations, as well as how to use the product; (3) provide error resolution; (4) be clear about account termination and fee practices; (5) pay attention to complaints, and make this a program; and (6) you can't blame noncompliance on the third party.
I would not have parked in the lot if I had known about the 6 p.m. curfew with a $75 penalty. Will UDAAP compliance be an active project for your financial services, or could your most rewarding business vehicle get the boot?
By Jessica J. Trundley, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 22, 2011
Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule
Financial institutions and other financial service providers commonly provide products and services through arrangements with third parties. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, these third-party arrangements, absent adequate risk management controls, can expose companies to reputational, operational, and compliance risks.
One possible measurement of a financial institution's reputational risk is how well the institution complies with the Unfair and Deceptive Acts and Practices (UDAP, or Regulation AA). While UDAP applies more specifically to credit card issuers and consumers regarding disclosure rules and restrictions on lender practices, it can also apply to third parties when a financial institution outsources functions of its card programs—for example, credit or stored value.
Increased use of third-party arrangements in consumer products
The Federal Deposit Insurance Corporation (FDIC) recently examined how financial institutions have used third-party providers to roll out new and innovative products and services during the current economic challenges. The FDIC released its findings in the Supervisory Insights Winter 2010 newsletter, which revealed that financial institutions are increasingly relying on third-party vendors. Specifically, over 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.
Costly lessons for violating UDAP
Noncompliance with UDAP generally occurs when a financial institution outsources the development and administration of a new credit card product to a third party unfamiliar with the necessary disclosure requirements regarding finance charges and fees, for example. Complaints alleging UDAP violations generally stem from credit card marketing products released by a financial institution's third-party vendor. These types of practices can potentially expose a financial institution to a host of legal and regulatory sanctions.
Recent enforcement actions against financial institutions that have violated UDAP due to poor oversight of third-party service providers have proven costly. If a financial institution insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—it could face enforcement action.
Incorporating UDAP risk into an existing vendor-management risk tool kit
Data security is certainly an integral aspect of managing third-party service provider risk, but it is only one part of the picture. By also including UDAP risk management in their tool kits, financial institutions can better position themselves to manage their overall risk in relation to third-party service providers.
In recent years, the FDIC and the Board of Governors of the Federal Reserve System released joint guidance on the need for a financial institution to include UDAP risks with regard to third-party service providers. Some of the key components the guidance identifies are maintaining awareness of the risks associated with outsourcing, establishing controls over such relationships, exercising proper due diligence when identifying, selecting, and maintaining a third party, and creating comprehensive written contracts.
The joint guidance recommends that the financial institutions relying on third-party service providers maintain UDAP compliance by paying close attention to the service providers' card program promotional materials, advertisements, claims, and representations that could mislead a target audience regarding the cost, availability, or terms of the product or service.
Taking the needed precautions
By outsourcing to a partner, a financial institution places a great deal of trust in that provider, but that's no excuse for poor due diligence and oversight, which could readily lead to violations of UDAP. A financial institution that successfully monitors its UDAP compliance tailors its approach specifically to the third party with which it has a relationship.
Financial service providers must look beyond the data protection measures of third-party service providers to ensure they are also in compliance with UDAP requirements.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed