Credit cards draw regulators’ focus in review of unauthorized accounts
Following the discovery of widespread employee misconduct at Wells Fargo, federal banking regulators wanted to learn whether unauthorized customer accounts were a single bank’s problem or an industrywide concern.
A subsequent examination of sales tactics at more than 40 large and midsize banks ended earlier this year with little fanfare and scant information released to the public.
But an Office of the Comptroller of the Currency document obtained by American Banker includes one notable, previously undisclosed finding from the agency’s review. The document states that credit cards — rather than bank accounts — were the most frequently identified source of accounts that were opened without the customer’s authorization.
That finding stands in contrast with the two-year-old revelations about phony accounts at Wells Fargo. According to disclosures made by regulators in September 2016, credit cards accounted for about 27% of the estimated 2.1 million potentially unauthorized accounts opened by thousands of Wells employees. Bank accounts made up the remaining 73%.
The San Francisco bank has a smaller footprint in the card business than its big-bank peers, which could help explain the discrepancy.
The OCC document, obtained under the Freedom of Information Act, is a high-level summary of the agency’s findings from its multibank sales practice review.
The report stops short of stating that customers were harmed by banks’ actions, and it does not detail the extent of the problems, but it does shed new light on the operational shortcomings that regulators uncovered at some banks.
Specifically, it found that some banks were unable to prove that employees had always opened accounts in accordance with customers’ wishes. The document also calls attention to bank employees who, motivated by the promise of incentive pay, opened accounts without customers’ permission.
And it describes the kinds of actions that banks — under regulatory pressure to eliminate the possibility that their employees will wrongly issue credit cards and other products — are taking to address the problems.
“Even with well-designed programs, controls, and oversight monitoring, some will try to game the system to maximize their earnings potential,” the document states.
The OCC declined to elaborate, beyond its previous comments, on what its sales practice review uncovered. Several banks with large credit card operations also declined to comment.
But industry sources said that numerous card-issuing banks have made changes to their enrollment processes as a result of the regulatory scrutiny.
In response to its fake account scandal, the $1.9 trillion-asset Wells Fargo revised its credit card application procedures to require the applicant’s documented consent before his or her credit report is pulled.
Wells also began sending automated emails to customers shortly after they get a credit card, in order to verify that the account was properly authorized.
JPMorgan Chase has also made changes to its credit card enrollment procedures, requiring customers who sign up in branches to check a box that memorializes their consent.
Other methods that banks can use to document the customer’s authorization include recording phone calls and sending automated text messages that require a customer response.
The OCC is emphasizing the need for banks not only to obtain the customer’s authorization, but also to retain it.
“In many cases, banks believed that customers had consented to the product, but they did not have anything to evidence the customer’s consent,” the document summarizing the OCC’s findings stated. A 2009 federal law that focused on the credit card industry did not require issuers to obtain or retain customer signatures, according to the OCC document.
The issue of whether a bank customer consented to receive the plastic card issued in his or her name is almost as old as the industry itself.
Sixty years ago this month, Bank of America mailed 60,000 credit cards to customers in the Fresno, Calif., market — cards they had not requested — in an event remembered as the “Fresno Drop.”
Some angry Fresno residents reportedly cut the cards into small pieces and mailed them back to the bank, while others withdrew their money from the bank.
Today, of course, the credit card industry looks quite different than it did in the late 1950s. Unsolicited credit cards are prohibited under federal law. And consumers, particularly those who are customers of big banks, frequently open their credit card accounts over the internet.
Alex Johnson, director of solution marketing at FICO, said that card issuers are seeking to update their digital account opening processes in ways that give them an audit trail demonstrating the customer’s consent.
“It’s something that has permeated the consciousness of all the banks we’re talking to,” he said.
Marla Blow, the CEO of FS Card, a subprime credit card issuer, agreed that the industry is focusing more on the issue of customer consent than it did previously. She said that apart from regulatory scrutiny, having reliable documentation is important in situations where loans go to collections.
“You’re in a much harder position to collect if you don’t have the documentation,” she said.
After its review of sales practices at dozens of banks, the OCC said that it did not identify any “systemic issues” involving bank employees opening accounts without customer consent.
The agency has not revealed the contents of various industrywide warnings that it issued. Nor has it said how many unauthorized customer accounts it found at the dozens of banks that it examined.
But the summary of the OCC’s findings stated that bad employee behavior can be motivated by compensation plans that link worker pay with sales targets.
“The record was not perfect, nor did we expect it to be,” the document said. “We’re talking about processes involving people and money.”
The risks are seemingly smaller for companies that entered the credit card business in recent years and are relying on newer technology.
Brex is an 18-month-old firm that offers credit cards to startups. Michael Tannenbaum, the firm’s chief financial officer, said that Brex employs technology that is designed to prevent fraudsters from creating a company for the purpose of racking up credit card charges that they do not intend to repay.
He said that the same processes, which include the validation of the customer’s phone number, email address and bank account, would also prevent the creation of a new account without the customer’s permission.
“It would mean that salespeople couldn’t create fake accounts,” Tannenbaum said.