Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.

On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.

In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that

  • its network and transactions were safe and secure,
  • its transactions were safer than credit cards,
  • its data security practices “exceeded industry standards,”
  • customer information was safely encrypted, and
  • its data security measures were Payment Card Industry (PCI) compliant.

On February 26, the Office of the Comptroller of the Currency (OCC) released its revised Policies and Procedures Manual policy for assessing civil money penalties (CMP Policies). The CMP Policies are used as a reference tool for examiners in assessing the severity of any identified unsafe and unsound banking practices, violations of laws, regulations, orders, conditions imposed in writing, and formal agreements (“violations”) by institutions and persons subject to OCC’s supervision (national banks, federal savings associations, federal branches and agencies, and bank service companies and service providers). The CMP Policies replace the prior OCC policies and procedures regarding civil money penalties (CMP Matrix) that were issued in 1993 and prior Office of Thrift Supervision policies for federal savings associations that were issued in 2009.


The CMP Policies, like the predecessor CMP Matrix used by the OCC, assign a positive numerical score and a factor weight to each of 11 factors that are taken into account in determining whether to assess a CMP and the amount of the CMP (e.g., intent, concealment, financial gain, loss to the bank, or loss/harm to consumers or the public). In addition, the CMP Policies assign what is in effect a negative risk weighting to 3 specified mitigating factors: good faith, cooperation, and restitution. For each factor, the numerical score is multiplied by the factor weight to arrive at a component factor score, and the component scores are then summed to arrive at a composite CMP matrix score upon which the OCC relies in making its final CMP decision.

As the Consumer Financial Protection Bureau (CFPB) completes its fifth year as a fully operating entity in 2016, distinct enforcement patterns have emerged that can assist businesses and individuals that have or may become targets of the agency in assessing penalties and their impact should they elect to settle with the CFPB.

The CFPB’s Settlement Precondition Provisions

Key provisions required by the CFPB as a precondition for settlement deeply impact the bottom line result of a settlement and are different in material respects from those typically required by other federal and state financial services enforcement agencies. These key provisions include the following:

  • Prohibitions on the settling party (Respondent) claiming favorable tax treatment for monetary penalties
  • Prohibitions on the Respondent claiming any part of the monetary penalties against available insurance
  • Prohibitions against the Respondent asserting a setoff for payments made to the CFPB against any judgment in a related private action or, in the alternative, the payment of any such setoff to the US Treasury

The specific language is comprehensive, but will vary somewhat depending on whether the matter is resolved in US District Court or in an administrative proceeding, and on whether the matter involves entities, individuals, or both.