Compliance Blog

We recently blogged about a speech given by Rohit Chopra, Director of the Consumer Financial Protection Bureau (CFPB). In the speech, Chopra noted that the CFPB would be looking at “repeat offenders” and the blog discussed which institutions may qualify for that term, as well as the various remedies and enforcement tools that the bureau could wield against them. Last week, the CFPB made good on Chopra’s promises, announcing a lawsuit the bureau had filed against TransUnion, two of its subsidiaries and a former executive.

For some background, the CFPB previously entered into a consent order with TransUnion and its two subsidiaries (TransUnion LLC and TransUnion Interactive, Inc.) in 2017. According to that order, TransUnion marketed “free” credit scores and “$1” credit reports. However, the order alleged that TransUnion actually enrolled consumers who sought those products into a credit monitoring service that charged them monthly unless they cancelled the service – a practice the bureau alleged was deceptive. Additionally, the 2017 order also claimed that TransUnion misleadingly marketed its VantageScore credit scores by making inaccurate statements about the usefulness or accuracy of those scores.  The 2017 order prohibited TransUnion from engaging in deceptive marketing and required TransUnion to, among other things, obtain a consumer’s “express informed consent” before enrolling a consumer in a subscription service.

In the press release for the new lawsuit, the CFPB asserts that TransUnion ignored the requirements of the 2017 order and committed additional violations of consumer protection laws. The press release also quotes Director Chopra as referring to TransUnion as “an out-of-control repeat offender that believes it is above the law.” The complaint (the CFPB’s legal filing initiating the lawsuit) alleges that TransUnion violated the 2017 order by continuing to enroll consumers in a credit monitoring subscription service without their informed consent, without receiving authorization for recurring charges, and through advertisements for free credit scores or $1 credit reports. Additionally, the complaint alleges that TransUnion violated Regulation V, which requires a credit reporting agency to provide one free credit report per year, by misleadingly advertising a “free credit score” along with the free credit report, when enrollment in a subscription service was required to receive the “free” score. Additionally, the complaint alleges that TransUnion violated the 2017 order and engaged in deceptive acts or practices by making it difficult for consumers to cancel the subscription. Additional violations – such as recordkeeping violations – are also alleged in the filing.

Notably, the new lawsuit doesn’t just go after TransUnion and its subsidiaries, but also adds an individual – John Danaher, the former President of TransUnion Interactive, Inc. The CFPB alleges that Danaher had knowledge of the 2017 order, failed to ensure TransUnion’s compliance with the order, and actively attempted to delay or avoid compliance with the order. The CFPB is asking the court to enjoin TransUnion and Danaher from committing future violations of certain federal laws, and to require them to refund money to consumers, to pay restitution to consumers, to pay the CFPB’s legal costs for the lawsuit, and to pay civil money penalties.

This lawsuit is notable for a few reasons. First, the lawsuit claims that the CFPB noticed violations of the 2017 order as far back as 2019, and informed TransUnion of violations in June 2020 as well. Thus, it seems that this lawsuit was a long time in the making, and most likely Director Chopra already had TransUnion in mind when he made his comments about “repeater offenders” a few weeks ago – the quote in the press release that referred to TransUnion as an “out-of-control repeat offender” was certainly no accident and signals that the CFPB is pursuing repeat offenders as Chopra promised. It also invites the question of whether there are any other “repeat offenders” which are already in the bureau’s sights but which haven’t been made public yet. Secondly, the action also shows that the bureau is willing to pursue actions against individual executives if they play a role in violations and the institution’s “repeat offender” status.

As far as credit unions are concerned, the lawsuit shows that the CFPB is taking its previous orders seriously. Any credit unions that have a previous consent order or other agreement with the bureau may want to ensure that they are complying with the requirements imposed by those agreements. Many of the violations alleged focus on marketing and advertising, and the press release discusses TransUnion’s use of “digital dark patterns” – which are “hidden tricks or trapdoors companies build into their websites to get consumers to inadvertently click links, sign up for subscriptions, or purchase products or services.” As always, credit unions may want to review their advertisements for possible UDAAP implications, and may want to ensure that their websites are free from deceptive links or “digital dark patterns.”

Stay tuned to the Compliance Blog as NAFCU continues to monitor the CFPB’s enforcement activities and trends.