On Compliance: Cross-Selling Risks After Wells Fargo

The news stories following the Wells Fargo incentive scandal continue—negatively impacting the bank and its auditors and examiners—with no end in sight. While the likelihood we will see a credit union embroiled in a Wells Fargo-type cross-selling scandal is small, the legal and compliance risks related to cross-selling products and services has certainly increased. Below are three areas of future focus by examiners and auditors. Credit unions can stay ahead by reviewing their compliance in these areas and fixing deficiencies as they are identified.

Incentive Programs and UDAAP

In response to the Wells Fargo scandal, the Consumer Financial Protection Bureau issued Compliance Bulletin 2016-03, which focuses on the potential consumer harm from production incentives. CFPB acknowledges the benefits of incentives—including those tied to cross-selling—but also warns of the possibility for “overly aggressive marketing, sales, servicing, or collection tactics.” The agency indicated that past examinations have identified accounts being opened without consumer consent and situations in which consumers were misled to purchase products they did not want.

While only a handful of credit unions are directly examined by CFPB, the expectations from the Compliance Bulletin—including management oversight, policies and procedures, training, and monitoring—will surely trickle down to credit union examiners and auditors. Credit unions with incentive programs should take steps now to review their incentive programs and make the necessary adjustments to manage compliance and reputation risks.

Fair Credit Reporting Act

The Fair Credit Reporting Act is a complex law with numerous tentacles impacting credit union operations. One FCRA requirement is that a credit union must have a “permissible purpose” whenever it obtains or uses a consumer report. The term “consumer report” is defined broadly to include credit scores and reports from TransUnion, Equifax and Experian, as well as nationwide specialty consumer reporting agencies, such as ChexSystems. Thus, any time a credit union wants to obtain or use a consumer report, it must be able to point back to its permissible purpose.

FCRA outlines the specific permissible purposes for obtaining a consumer credit report and cautions that consumer reporting agencies cannot release consumer reports for any other reasons. In the case of a consumer applying for membership or a member applying for a loan, the credit union will have a clear permissible purpose based on FCRA’s plain language. That being said, it remains a best practice to incorporate specific consent provisions in membership and loan applications (as well as language in the underlying agreements giving the credit union the ability to obtain and use future consumer reports for review purposes).

Importantly, outside of the prescreening process, FCRA does not provide an explicit permissible purpose for marketing or cross-selling purposes. The Federal Trade Commission confirmed this in a 1999 opinion referred to as the Gowen Letter (Advisory Opinion to Gowen 04-29-99). In the Gowen Letter, the agency stated there was not a permissible purpose related to marketing and a creditor using the consumer report for a marketing purpose would be violating the certification it must provide to the consumer reporting agency.

In light of the Gowen Letter, how can credit unions use consumer reports for marketing or cross-selling purposes? If a credit union obtains a consumer report for an auto loan, its permissible purpose for that consumer report is limited to that auto loan application and the Gowen Letter will not allow the credit union to cross-sell a credit card. However, there is a stronger permissible purpose FTC did not analyze in the Gowen Letter. Pursuant to FCRA, credit unions have a permissible purpose to obtain and use consumer reports “in accordance with the written instructions of the consumer to whom it relates.” Therefore, credit unions should be obtaining the member’s written consent to use a consumer report it obtains for cross-selling other financial products and services to the member. 

Telephone Consumer Protection Act

The Telephone Consumer Protection Act has caused numerous headaches for credit unions following the Federal Communication Commission’s 2015 Declaratory Order. FCC’s expanded interpretation of the term “auto-dialer” increased risk for credit unions. While examiners do not necessarily review for TCPA compliance, this area has been a hotbed for litigation, as the statutory penalties are $500 per call or text.

Since 2013, TCPA has required a specific and detailed “prior express written consent” for auto-dialed or prerecorded telemarketing calls or text messages to cell phone numbers.

Importantly, the member’s prior express written consent must be a separate and specific authorization (with the member’s signature), allowing the credit union to initiate telemarketing calls and text messages. Further, the member’s consent must identify the member’s phone number(s) that are subject to the consent, and the member retains the ability to revoke his or her consent at any time and via any reasonable method. Finally, the member’s consent must be 100 percent voluntary and cannot be required to obtain a particular product or service.

In light of TCPA risks, credit unions should analyze what types of calls and texts they are making and, if necessary, take steps to obtain prior express written consent before initiating telemarketing campaigns.

While cross-selling efforts have not been a focus of examiners and auditors in prior years, the increased exposure and increased risks are likely to bring the spotlight to these areas. Credit unions can manage and mitigate risks by reviewing their current practices and adopting the necessary changes prior to a negative exam finding or costly lawsuit.

Steve Van Beek is an attorney at Howard & Howard Attorneys PLLC in Royal Oak, Mich. He focuses his practice on helping credit unions serve their members by successfully managing their compliance, legal and strategic risks. He can be reached at SVB@h2law.com.