• OCC Fines Wachovia for UDAP Activities of Third Parties
  • May 16, 2008 | Authors: Richard P. Eckman; Travis P. Nelson
  • Law Firms: Pepper Hamilton LLP - Wilmington Office ; Pepper Hamilton LLP - Princeton Office
  • Last month, the Office of the Comptroller of the Currency (OCC) settled a major enforcement action with Wachovia Bank, N.A. The precedential impact of this settlement was not merely in the amount – $144 million – or that it involved one of the largest banks in the country, but rather that the OCC held a major national bank accountable for deficiencies in the bank’s oversight of its business relationships with third parties that, in the OCC’s view, were engaged in unfair or deceptive practices.

    The practices cited by the OCC involved the use of remotely created checks (RCCs) by telemarketers and payment processors that maintained account relationships with Wachovia. An RCC is a check that is not created by the accountholder and does not bear the accountholder’s signature. Instead, the signature block of the check includes text such as “authorized by your depositor, no signature required.” Telemarketers obtained bank account information over the phone by offering consumers a range of products and services such as grant-writing kits, identify theft certificates, medical discount plans and vouchers for discount travel and groceries. With the account information obtained during the call, the telemarketer or payment processor creates an RCC and deposits the instrument into an account at Wachovia, in many cases overdrawing the consumers’ accounts at another institution. In some cases, the RCCs returned to the bank exceeded 50 percent of the total deposited.

    Under the settlement agreement with the OCC, Wachovia must pay $125 million in restitution, approximately $8.9 million to consumer education programs directed at the elderly, and a $10 million civil money penalty to the U.S. Treasury. Wachovia also is required to develop new policies and procedures with respect to RCCs and telemarketers. These policies are to include requirements for enhanced due diligence and underwriting on these higher risk customers, regular monitoring of return rates, better coordination of risk management efforts, and targeted consumer protection policies.

    Pepper Points – This case represents an increased vigilance amongst the banking regulators, particularly the FDIC, as to banks’ oversight of their relationships with their customers and third parties. Regulators have demanded that banks police their third-party contractors through contractual agreements to comply with applicable consumer protection laws (including contract termination for non-compliance), using software to monitor the third parties’ activities, and even requiring on-site visits by the bank to the third parties’’ premises.

    This development would be troubling enough were it only about requiring banks to monitor third parties’ compliance with objective laws, such as Regulation Z or the Privacy Rule, where there is arguably little disagreement over the requirements for compliance. This case ventures into the often murky area of “unfair or deceptive acts or practices” (UDAP), where, aside from a few standards set forth in case law and agency guidance, institutions are frequently left to the regulatory fiat of their examiners as to whether or not a practice constitutes a UDAP violation.

    This case also is notable in view of the Federal Reserve Board’s and the Office of Thrift Supervision’s proposed regulations on UDAP to implement in Section 5 of the Federal Trade Commission Act (the general federal UDAP statute). Although the proposed rule does not mention the practices addressed in the OCC’s present enforcement action, this case certainly suggests that the OCC will be looking beyond the topics of the proposed rulemaking in enforcing Section 5.

    This also adds another dimension to banking institutions’ general compliance protocols and policies. Again, not only will institutions need to conduct self-assessments to correct violations of the more technical compliance issues, but compliance officers will also have to learn the bounds of UDAP precedent and regulatory expectations in UDAP compliance in order to devise a good faith UDAP compliance program.