Compliance Blog

Feb 13, 2017

Heads Up: Another UDAAP Consent Order

Written by Pamela Yu, Special Counsel for Compliance and Research

Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued another consent order for unfair, deceptive, or abusive acts or practices (UDAAP), this time against UniRush and Mastercard for failing to conduct adequate testing and preparation for a planned payment processing platform conversion. The CFPB ordered UniRush and Mastercard to pay an estimated $10 million in restitution to affected consumers, as well as $3 million in civil money penalties to the CFPB.

This latest UDAAP enforcement action stems from data processing glitches that took place in October 2015 when UniRush, which manages the reloadable prepaid RushCard, transitioned to its new payment processor. RushCard, which was co-founded by famed hip-hop mogul Russell Simmons, experienced service disruptions during the botched processor conversion, which the bureau asserts left tens of thousands of economically vulnerable RushCard users unable to access their own money to pay for basic necessities.

UniRush and Mastercard spent 13 months preparing for the processing platform switch, but the scheduled 2-day conversion did not go as planned.  According to the CFPB:

In October 2015, a rash of preventable failures by Mastercard and UniRush meant that many customers could not use their RushCard to get their paychecks and other direct deposits, take out cash, make purchases, pay bills, or get accurate balance information. UniRush then failed to provide customer service to many consumers who reached out for help during the service breakdown.

The bureau indicates that, at the time of the switch, RushCard had approximately 650,000 active users, of which about 270,000 received direct deposits on their prepaid card.  It is worth noting that the bungled direct deposits included government benefits or payroll funds.

According to the CFPB's press release, as a result of its lack of preparation and testing and multiple preventable failures, UniRush and Mastercard violated UDAAP as follows:

  • Denied consumers access to their own money: UniRush did not accurately transfer all accounts to Mastercard. As a result, thousands of consumers could not access funds stored on their cards for days, or in some circumstances, weeks. Because of Mastercard's actions, accounts of about 1,110 consumers were incorrectly suspended. UniRush also delayed crediting cash deposits to consumers' accounts and shut off access to certain funds that consumers put aside for savings. UniRush did not issue a working replacement card to consumers whose cards were lost or stolen during this period.
  • Botched the processing of deposits and payments: UniRush delayed processing direct deposits for more than 45,000 consumers, and did not process or improperly returned deposits of 2,000 others. As a result, consumers could not access their paychecks or government benefits. UniRush also erroneously double posted deposits and did not promptly process electronic debit transactions, which falsely inflated those RushCard holders account balances. As a result, thousands of consumers accidentally spent more money than was loaded on their RushCard. With no advance notice to consumers, UniRush used funds consumers subsequently loaded onto their RushCards to offset negative balances caused by its processing errors.
  • Gave consumers inaccurate account information: Mastercard did not make sure it was sending accurate information about consumers' account balances to UniRush when it declined to authorize certain transactions. As a result, some consumers received incorrect information telling them their account balances were zero, when the consumers actually had funds stored on their cards.
  • Failed to provide customer service to consumers impacted by the breakdowns: UniRush did not have an adequate plan to step up its customer service response to meet the increased demand caused by service disruptions. Even after hiring additional personnel, UniRush failed to train customer service agents in time to meet the surge in demand. As a result, some consumers who called customer service waited on hold for hours and could not obtain critical information about the status of their funds and accounts.

Several observations about this latest enforcement action: First, it is interesting to note that the CFPB's big focus here was the alleged lack of, or inadequacy of, the pre-launch testing prior to the scheduled processor conversion. The parties prepared for the conversion for over a year, but the CFPB says they goofed before, during, and after the payment processor conversion and adversely impacted consumers as a result (See, p. 6 of the Consent Order). This is significant because the CFPB seems to be expanding its focus beyond cracking down on deceptive or abusive activities to now insisting on robust pre-launch preparations for processor conversions as a matter of fairness.  Essentially, the bureau is sending a clear message that inadequate IT functionality testing is an unfair practice in violation of UDAAP.

Second, much was made of UniRush's inability to handle the unanticipated surge in customer service demands that resulted from the conversion glitch.  While UniRush prepared for the planned 2-day service disruption, the conversion took longer and the disruption was more widespread and significant than anticipated. The CFPB says UniRush should have been ready to step up its customer service response, noting that even after hiring additional personnel, UniRush failed to train customer service agents in time to meet the surge in demand.  (Emphasis added).

But this seems to beg the question: Is it reasonable to expect the unexpected? The CFPB seems to be indicating that card issuers must be sufficiently prepared in advance for any unexpected contingencies during a processor conversion.  But can we ever really be adequately prepared for the unexpected? Here, UniRush's response to hire more staff was not enough because new staff could not be trained in time to assist customers during the unexpected service disruption.  The message here?  Beware of Murphy's Law. Be ready for anything, folks.