WASHINGTON — Regulatory actions taken against U.S. Bank on Thursday proved once again that vendor relationships, even former ones, can cost a bank for years to come.

The Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau issued separate orders against U.S. Bank in Cincinnati for allegedly illegally charging more than 420,000 consumer accounts for add-on products, namely identity theft and credit monitoring, through a vendor. U.S. Bank ended the relationship with its vendor, Affinion, two years ago as other cases against the firm arose but it was too late to avoid the $57 million in fines and restitution that regulators charged for activities dating back as far as 11 years ago.

"Regulators care about your vendor relationships regardless of when they ended. Just because you had a relationship at one time and broke up doesn't mean necessarily that your ex can't come back to haunt you," said Ed Kramer, executive vice president of regulatory affairs for Wolters Kluwer Financial Services.

To be sure, most enforcement actions relate to activity that has already been addressed, often years earlier, and the OCC and CFPB said this one stemmed from exams in years past.

But the regulatory focus on vendor relationships and add-on products has intensified in recent years. Just this week, U.S. Bank Chief Executive Richard Davis gave a speech at American Banker's Regulatory Symposium on how banking agencies' expectations have broadened to focus as much on overall compliance as on credit losses.

"What I'm worried about now is the compliance risk of picking up someone else's problems that could in hindsight accrue to me even if they weren't my problems," Davis said on Tuesday, discussing why he's wary of a larger merger. "It's not okay to say 'My bad,' or 'I'm sorry'."

Following the release of the enforcement actions, a spokesman for U.S. Bank said in a statement that the institution regrets "that errors occurred when our customers purchased credit monitoring and identity theft products from a third-party vendor, Affinion and its subsidiary Trilegiant, and that some of our customers did not receive the full benefit of those products."

"As soon as we became aware of the issues with Affinion, we took swift action to protect our customers, and ultimately, discontinued our relationship with Affinion approximately two years ago," he said. "We will be compensating customers who did not receive full services from Affinion, and providing our apology."

The vendor's owner, Affinion, has been involved in several cases in recent years where regulators took action against large banks.

U.S. Bank joins Bank of America and Capital One Financial for having been cited by regulators for activities that involved using add-on product services through Affinion's subsidiary. Most recently, Bank of America was charged $772 million in restitution and fines by the CFPB and OCC in April over add-on products marketed by Trilegiant on activities dating as far back as 2001. Bank of America said it stopped marketing those products between late 2011 and early 2012.

U.S. Bank ended its relationship with Affinion the same year that Capital One was charged by the OCC and CFPB in June 2012 for wrongfully marketing add-on products partly through Affinion. It was the first public enforcement action made by the CFPB and set the industry on guard over marketing and selling add-on products.

A spokesman for Affinion said Thursday that the company has long since addressed the core problem raised by regulators. In U.S. Bank's case, the company was cited partly for allowing consumers to be charged for add-on products and subsequent fees who did not initially authorize in writing for the service, as required by law.

"We proactively built and implemented a solution over two years ago to obtain the required authorizations upon enrollment to our service, which allows consumers immediate access to their credit reports and credit monitoring," said Michael Bush, a spokesman for Affinion, in an emailed statement. "This solution addresses the concerns outlined by both the CFPB and the OCC.  We continue to support any measures that enhance the user experience for consumers and provides them with the information they need to protect themselves against the very real dangers of identity theft."

Regulators have warned for years about having proper vendor oversight and that banks would be held responsible for compliance regardless of whether the illegal activity spurred from the vendor. Actions are expected to amplify even more so now that the OCC has finalized its "Heightened Expectations" guidance for large banks on risk management that included a focus on vendor oversight.

Comptroller of the Currency Thomas Curry reiterated such a warning Monday when speaking at the symposium on a broad range of topics. He also said that regulators would be looking at individual vendors through the Bank Service Company Act.

"We really do expect you to manage those vendors," Curry said. "There's a certain due diligence and oversight that we expect and especially something as so critical to the business of banking as technology and how that's delivered."

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.