WIXLIB

2013-CFPB-0007Document 1Filed 09/19/2013Page 1 of 26UNITED STATES OF AMERICACONSUMER FINANCIAL PROTECTION BUREAUADMINISTRATIVE PROCEEDINGFile No. 2013-CFPB-0007In the Matter of:JPMorgan Chase Bank, N.A.; andChase Bank USA, N.A.CONSENT ORDERThe Consumer Financial Protection Bureau ('' C FPB"). throug h its staff, examined theaffa irs of Respo ndents JPMo rgan C hase Bank, N.A . and Chase Bank USA, N.A ., (co llect ively.the "Bank" as defined be low) with regard to its bill ing and administrati on of Ide ntity Protect ionProducts (as de fined be low) and identifi ed violations of law. T he C FPB he reby issues, pursuantto 12 U .S.C. §§ 5563 and 5565, this Consent Order ("Order").I.OverviewT he CFPB find s that the Bank has engaged in violations of Sectio ns I 03 1 a nd I 036 of theCFPA (collecti vely, ·'Sectio n I 036"), 12 U.S.C. §§ 553 1, 553 6, in connection w ith its billing andadmini stratio n of Identity Protectio n Products to C ustomers (as defined below), w hi ch occurredduring the period between Octobe r 2005 and June 20 12.II.JurisdictionI.T he C FPB has jurisdictio n over thi s matte r pursuant to Secti ons I 053 and I 055 of theConsumer Financial Protecti on Act (''CFPA"), 12 U.S.C. §§ 5563. 5565.

2013-CFPB-0007Document 1Filed 09/19/2013Page 2 of 26Ill.Stipulation2.The Bank has executed a ''Stipulatio n and Consent to the Issuance of Consent Order,"dated September J.Q , 20 13 ("Stipul atio n"), which is incorporated by reference and isacce pted by the CFPB. By this Stipulation, the Bank has consented, witho ut admitting ordeny ing any findings of fact, any vio lation of law or any wrongdo ing, to the issuance ofthi s Consent Order ("Order'') by the C FPB pursuant to Sections I053 and I 055 of theC FPA, 12 U.S.C. §§ 5563 and 5565, and admits the C FPB 's jurisdictio n over the subjectmatter and the Bank in this actio n.IV.Definitions3.For purposes of this Orde r, the fo llowing de finit ions sha ll a pply:a."Add-On Product" or " Product" shall mean any consumer fina nc ia l product orservice. as defined by Section I 002(5) of the C FPA. 12 U.S .C. § 548 1(5), w hichis offered as an o ptio nal add-on product to Bank credit cards and/or as an o ptionaladd-on product to co-branded consume r products of the Bank.b.··sank'' sha ll collecti ve ly mean JPMo rgan Chase Bank, N.A. and C hase BankUSA, N .A., and their successors a nd assigns.c." Board" shall mean the Bank 's duly e lected and acting Board o r Directo rs.d."Custo mer'' means a ny person w ho enro lled in an Identity Protecti on Product.e."Effective Date. sha ll mean the date o n which the Order is issued.f. Enfo rcement Directo r·· sha ll mean the Assistant Director of the O ffi ce ofEnforcement for the Consumer Financ ia l Protectio n Bureau.2

2013-CFPB-0007g.Document 1Filed 09/19/2013Page 3 of 26" Identity Protection Product" shall mean either of the two identity theft protectionproducts. "Chase Identity Protection" and ''Chase Fraud Detector:' whichincluded cred it monitoring and cred it report retrieval services and were marketedand sold to Bank customers and other consumers by the Bank or its Vendor. Forpurposes of this Order, Chase Fraud Detector was an " Identity ProtectionProduce on ly to the extent that it included cred it monitoring and credit reportretrieval services, which were offered to certain customers beginning in 2009.h.·'Regional Director" shall mean the Regional Director for the Northeast Regionfor the Office of Supervision for the Consumer Financial Protection Bureau.1.··vendor'' sha ll mean a third party vendor that provided marketing, sales, delivery,servicing, and/or fu lfillment of services for Add-On Products offered pursuant toa contractual obligation to the Bank.CFPB FINDINGSV.The CFPB finds the following:4.JPMorgan Chase & Co. (JPMC) is a financial holding company incorporated inDelaware, with 2.4 trillion in total assets as of January 20 13. JPMorgan Chase Bank.N.A. and Chase Bank USA, N.A. are national banks and subsidiaries of JPMC.5.From October 2005 to March 20 12, the Bank and its Vendors marketed, offered for sa le,and so ld Identity Protection Products that purported to monitor Customers· creditinformation to ale11 Customers to activity that could indicate fraud ulent use of theirfinancial information or identities. The Bank, in its offering for sa le and sale of IdentityProtection Products represented that in exchange for a monthly fee, the Bank, through itsVendors. would provide features that included a service to monitor Customers· credit3

2013-CFPB-0007Document 1Filed 09/19/2013Page 4 of 26in formation at three credit repo rting agenc ies daily to identify and a lert C ustomers toacti vity that could suggest fraudulent use of the ir identities. The Bank called thi s productfeature "3 -Bureau C redit Monito ring."6.The Bank offered fo r sale and sold Identity Protection Products as "add-on'' features tonew or existing customer c redit card accounts as we ll as to retail bank c ustomers andnon-c ustomers. Once the C ustomer was enrolled in Identity Protectio n Prod ucts, theBank delegated the serv icing of these Custome rs to certain third party Vendo rs:Core logic, Inc . (formerly known as First Advantage Membership Services, Inc. (FAMS))fo r C hase Fraud Detecto r, True C redit fo r the C hase Ident ity Protectio n (Chi Ps). andIntersect ions, Inc. fo r C hase Identity Pro tectio n (IPS).7.To acti vate the ·'3-Bureau C redit Monitoring" feature ofthe Identity Protecti on Products,the Bank, th rough its Vendors, was required by the Fair C redit Reporting Act (FCRA), I 5U.S.C. § 168 1b. to have a " permiss ibl e purpose" to o bta in Custo mers ' credit info rmationfrom the cred it repo rting agenc ies. A credit reporting agency may re lease a c redit reportin accordance w ith a Customer' s '' wri tten in structio ns'' for the cred it repo rting age ncy tore lease a credit report. I 5 U.S.C. § 1681 b(a)(2). According ly, the Vendor providedC usto me rs the materia ls necessary to grant the Vendor autho rization to access the ir creditinfo rmati on fro m the credi t reporting age nci es in order to acti vate "3- Bureau CreditMonito ring.''8.In many cases, however. some period of time passed before C ustomers prov ideda utho rization, o r the Bank 's Vendors never obtained the Custo mers ' a utho rizatio n. OtherC ustomers provided their autho rizatio n but o ne or more credit repo rting agenc ies wouldnot process the authorizatio n if they were unable to match custo mer identification4

2013-CFPB-0007Document 1Filed 09/19/2013Page 5 of 26information with the agency's own record s. In these circumstances, while the Bank andits Vendors were unable to provide part or all of the credit monitoring serv ices, the Bankcontinued to bill these Customers full month ly fees.9.The Bank's compliance monitoring, service provider management and quality assurancefailed to prevent, identify, or correct the billing for serv ices that were not provided.I0.The Bank has begun corrective action, and is comm itted to taking al l necessary andappropr iate steps to remedy the violation of law identified by the CFPB.II.The Bank is an insured depository instituti on with assets greater than 10,000,000,000within the meaning of 12 U.S.C. § 5515(a).12.The Bank is a ·'covered person·· as that term is defined by 12 U.S .C. § 5481 (6).13.Section I036(a)( I)(B) of the CFPA prohibits " unfair, deceptive, or abusive" acts orpractices ("UDAAP''). 12 U.S.C. § 5536(a)( I)(B).14.The Bank's acceptance of monthly payments wh ile failing to provide credit monitoringservices has resulted in substantial injury to more than 2. 1 million consumers in theamount of at least 270 milli on in fees and over-limit charges, as well as more than 39million in associated interest fees. This injury was not reasonably avoidable byconsumers and is not outweighed by any countervailing benefit to the consumers or tocompetition.15.Therefore, by reason of the forego ing billing practices for its Identity Protection Productsas described in Paragraphs 5 to 14. the Bank. through its Vendors, engaged in unfair actsand practices in violation ofSection l036(a)( I)(B), 12 U.S.C. § 5536(a)( I)(B).5

2013-CFPB-0007Document 1Filed 09/19/2013Page 6 of 26CONDUCT PROVISIONSVI.Order to Cease and Desist and to Take Other Affirmative ActionIT IS HEREBY ORDERED, pursuant to Sections I053 and I055 of the CFPA, that theBank and its officers, agents, servants, employees, and attorneys, whether acting directly orindirectly. shall cease and desist and shall take reasonable measures to ensure that its Vendorsand other agents cease and desist from engaging in violations of law or regulations in the bi!lingand administration of Identity Protection Products, and that the Bank has taken or will take thefollowing affirmati ve actions:16.The Bank represents that it stopped marketing, so liciting, offering for sale, and sellingIdentity Protection Products on or before March 20 12. The Bank shall be prohibitedfrom marketing, so liciting, offering for sale and selling Identity Protection Products,unless it submits to the CFPB a compli ance plan (the "Compliance Plan .) specificallydesigned to prevent all violations of Section I036 in the administration of IdentityProtection Products.17.Any Compliance Plan concerning Identity Protection Products shall:a.Address the manner in which the Bank informs Customers that any cred itmonitoring services will not be activated until Customer authorization for theBank to access their credit information at credit reporting agencies;b.Describe how the Bank wi ll avoid billing Customers during a period before theBank or Vendor receives authorization to access credit information from eachcredit reporting agency and during a period when the credit reporting agency hasnot yet processed authorizati ons submitted by Customers.6

2013-CFPB-000718.Document 1Filed 09/19/2013Page 7 of 26T he Bank shall submit any Compliance Plan to the Regional Director at least 90 daysprior to marketing, solic iting, offering for sa le, or selling Identity Protection Products rorpri or determination of supervisory non-objection.19.Within 90 days ofth e Effective Date, the Bank shall submit a plan to address the actionsthat are necessary and appropri ate to achieve compliance with this Order (the ''ActionPlan . ). The Board or a Committee thereof shall ensure the Action Plan is submitted tothe Regional Di rector for prior determ ination of supervisory non-obj ection.20.The Action Plan shall include the development or revision of a written Vend orManagement Policy designed to ensure that all Add-On Products which are marketed andso ld by the Bank or through Vendors comply with applicable Federal consumer fi nanciallaw, inc luding but not limited to Section I036, 12 U.S.C. § 5536. At a minimum , theVendor Management Policy shall require:a.An analysis to be conducted by the Bank, prior to the Bank entering into acontract with the Vendor, of the abil ity of the Vendor to perform the marketing.sales, delivery, servicing, and fulfillm ent of services fo r the Product(s) incompliance with all appl icable Federal consumer fin ancial laws and the Bank'spolicies and procedures;b.For new and renewed contracts, a written contract between the Bank and theVendor, which sets fo rth the responsib ilities of each party, especially:i.the Vendor's specific performance responsibilities and duty to maintainadequate internal controls over the marketing, sa les, delivery, servicing,and fulfillm ent of services fo r the Products;7