Pushing the limits of its already broad and undefined consumer protection authority, the Consumer Financial Protection Bureau (CFPB) issued a Consent Order stating that MasterCard and UniRush, a prepaid card issuer, have engaged in “unfair acts or practices” by failing to conduct adequate testing and preparation for the conversion of UniRush’s RushCard prepaid card onto the Mastercard Payment Transaction Services (MPTS) platform. The CFPB has required the two respondents to pay $10 million in consumer restitution and $3 million in civil penalties, and to create a plan to avoid such problems in the future.

According to the consent settlement reached by MasterCard and UniRush, when technical problems arose during the transfer of RushCard’s operating platform to the MPTS platform in October 2015, many consumers who rely on RushCard for services such as direct deposit of their payroll were unable to access funds in a timely manner. In announcing the action, CFPB Director Richard Cordray stated that this failed systems conversion falls under the CFPB’s authority to penalize unfair, deceptive, and abusive acts and practices (UDAAP) under operative provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The CFPB press release announcing the action put the matter prosaically, saying, among other things, that the respondents “botched the processing of deposits and payments” during the conversion.

The Dodd-Frank Act says that an act or practice is “unfair” when (i) it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers; and (ii) the substantial injury is not outweighed by countervailing benefits to consumers or to competition. The term “unfair,” however, is not further—or meaningfully—defined in rules promulgated by the CFPB’s unitary director, although it is generally addressed in opaque Guidance on debt collection practices issued by the CFPB in 2013. This Guidance, however, sheds little actionable light for businesses subject to the CFPB’s authority.


What the CFPB has done by taking this action is to convert a simple systems conversion failure into an actionable violation of the Dodd-Frank Act. Taking the CFPB’s Consent Order allegation as true, what emerges is a tale of a payment processing conversion afflicted by a serious case of Murphy’s Law, but certainly there were no indications of intentional or willful misconduct or misrepresentation by the respondents. In turn, it bodes ill for the technology-dependent financial services industry if events of this nature can be bootstrapped into UDAAP violations.

In addition, while the CFPB’s consumer protection authority is broader than that of the Federal Trade Commission and many other agencies, including state attorneys general, a large number of federal and state agencies share an “unfairness” authority in common. If, as here, “unfairness” applies to a misbegotten technology transfer, it may apply to many other situations within the jurisdiction of those agencies. In turn, one can expect complaints to those agencies and private civil actions under state consumer protection statutes for similar technology failures in the face of presumed competence.

Making a one-time technology mistake into a UDAAP enforcement action, complete with civil penalties and a strongly worded press release—rather than a less formal supervisory resolution—also risks sending the signal to the industry that there is literally no room for error in handling customer accounts. While in keeping with the CFPB’s aggressive positions in other areas, that message could lead to the unfortunate outcome of companies hiding or refusing to admit errors, rather than disclosing and resolving them voluntarily.

Given the inherent complexities of developing and using financial technology, avoiding regulatory actions for technology failures has now become more difficult for financial services firms. While this particular technology failure, as alleged, was unfortunate, it is fair to ask whether the CFPB’s use of its UDAAP authority in this case is really what the drafters of the Dodd-Frank Act had in mind.