Bad System Conversion Leads to CFPB Consent Order for Prepaid Card Provider and Vendor
The CFPB continues to flex its muscle and expand its reach, this time punishing a prepaid card provider and its vendor for a conversion to a new system that did not go as planned. The consent order, which was entered into without any admission of liability, requires UniRush and its vendor/payment processor to pay an estimated $10 million in restitution to affected consumers and a civil monetary penalty of $3 million.
According to the Consent Order, the problems began with a conversion by UniRush to a new payment processor owned by Mastercard. Despite having engaged in pre-conversion testing and multiple mock tests in preparation for the actual conversion, the conversion did not go as planned. Instead, the conversion took longer than expected and led to a number of issues for consumers. Further, despite having hired additional agents to meet an anticipated spike in customer needs, UniRush could not meet the increased customer service demand.
Of concern is the CFPB’s finding that UniRush engaged in unfair and deceptive practices by failing to ensure pre-conversion testing by its vendor. The CFPB found UniRush had engaged in unfair and deceptive practices despite noting that:
- UniRush tested the payment processing services provided by its vendor in the months prior to conversion; and
- UniRush’s requests to conduct a full additional mock conversion to validate and process new data files were denied by the vendor; instead, the vendor confirmed that the data was formatted properly.
Despite these findings, the CFPB found that “UniRush failed to prepare a contingency plan that would enable it to scale its customer service response to meet the increased demand on its customer service system that resulted from the service disruptions it experienced following the conversion.” The CFPB concluded that “UniRush’s acts or practices in preparing for the payment processor conversion caused or were likely to cause substantial injury to consumers that was not reasonably avoidable or outweighed by countervailing benefits to consumers or to competition.” Consent Order, ¶ 35.
The Consent Order focuses, among other things, upon what the CFPB deemed to be an inadequate incident response program. The Order makes clear that the CFPB will not allow covered entities to rely solely on their vendors to ensure system conversions go as planned, and that businesses need to have plans in place to deal with system failures or service disruptions.
The Consent Order provides guidance for others in the financial services sector as to the CFPB’s expectations regarding response programs in place any time there is a system conversion which may impact consumers. The Consent Order suggests that entities, at a minimum, should have:
- An incident plan in place which includes the following documented phases:
  - A preparation phase that ensures entities have a response plan in place prior to any incident;
  - A documented identification phase that verifies whether an incident has happened and details the incident;
  - A containment phase that ensures that after the incident has been identified and confirmed, information from the incident handler is effectively shared with all relevant stakeholders, both internal and external;
  - An eradication phase that ensures that after containment measures have been taken, the entity identifies the root cause of the incident and eradicates it; and
  - A recovery phase that ensures affected systems or services are restored to the conditions specified in their service delivery objectives or business continuity plan.
- A disaster recovery plan reasonably designed to ensure it can restore data in the event of a systems failure in a manner that minimizes program or service disruptions likely to have an adverse impact on consumers;
- A contingency plan reasonably designed to ensure that its customer service can respond within a reasonable time to increased consumer calls or emails in the event of a systems failure or service disruption that will adversely impact consumers; and
- Policies and procedures reasonably designed to ensure the dissemination of timely and accurate information necessary for consumers in the event of a systems failure or service disruption.