The League – Fostering Financial Wellbeing for All

CFPB orders VyStar Credit Union to pay $1.5 million for a botched conversion

News Compliance Courier

NEWS:  Last week, the Consumer Financial Protection Bureau (CFPB) took enforcement action against VyStar Credit Union (a Florida state-chartered credit union) for engaging in unfair acts and practices in violation of the Consumer Financial Protection Act.  The consent order is available here.  

VyStar attempted to launch a new online and mobile banking platform back in May 2022.  The credit union anticipated online banking services would be inaccessible for several days during the transition to the new platform, but instead, members had difficulty performing basic banking functions for weeks, with some features unavailable for more than six months.  Affected members were unable to manage their accounts, were charged late fees when their online bill payments did not go through, and were in many cases unable to access their funds.

The CFPB found that VyStar failed to have adequate system development, implementation, and release controls in place; maintained policies and procedures that were deficient, out of date, and not followed by senior management; and was deficient in its service provider oversight. 

“VyStar and its senior management bungled the credit union’s rollout of a new banking system and left customers stranded without online access to their accounts,” said CFPB Director Rohit Chopra. “VyStar’s careless errors inflicted financial harm on their credit union members.”

The CFPB found that VyStar violated the Consumer Financial Protection Act, specifically through:

  • Depriving consumers of access to money and accounts: VyStar ignored red flags and continued with the rollout that caused consumers to lose access to their accounts and funds. The new, dysfunctional platform’s frequent outages and limited functionality led to financial losses and other harm to consumers.
  • Rushing a new platform online without appropriate testing: VyStar plowed forward to complete the platform conversion process ahead of an unrealistic deadline, despite warnings from its own development team. VyStar’s management and governance failures resulted in the virtual banking platform outage and sustained period of limited functionality.

The CFPB worked with the NCUA in its investigation and the CFPB’s order requires VyStar to:

  • Refund fees to affected consumers: VyStar must ensure that the fees charged to its members as a result of the outage have been refunded, and reimburse any outstanding third-party fees or costs, including interest costs, imposed on members as a result of the outage.
  • Clean up its broken process for updating its systems: For future updates to its banking systems, VyStar must create contingency plans to minimize the impact on consumers’ ability to use its banking platform. The plans must include sufficient customer service resources to address consumer problems, and ensure upgrades and maintenance for consumer-facing banking systems are performed in a timely manner.
  • Pay a $1.5 million fine: VyStar will pay a $1.5 million civil penalty to the CFPB’s victims relief fund.

The CFPB further alleges that VyStar selected the banking system vendor, unnamed in the consent order, outside of its normal procurement process and without its normal due diligence process. In addition, the vendor’s product offerings were not compatible with the credit union’s core transaction processing system, which required more extensive customized software to link the two systems, and the credit union moved forward knowing the vendor lacked experience performing banking system conversions this complex.