WBK Industry - Federal Regulatory Developments

CFPB Enters Consent Order with Credit Union Over Lengthy System Outage Which Blocked Account Access

The CFPB entered into a consent order with a credit union whose customers lost access to their accounts and account features due to a faulty system upgrade.

In May 2022, the credit union, one of the largest in the country, attempted to move its online and mobile banking systems from the platform that controlled them to a new system. The process was expected to interrupt services for about two days as the old system was taken offline and the new system was activated. Shortly after coming online, the new system began malfunctioning. Many customers were unable to access their online accounts or to use features such as viewing account statements and transaction histories, transferring money between accounts, accessing credit card and loan payment functions, and setting up recurring payments.

Full functionality was not restored for several months. During this period, customers often faced long wait times to use the online systems that were available, as well as for telephone customer service and in-person service at branches. Due to the outages and the inability to access accounts, some customers were unable to make payments on time, and other customers incurred fees and expenses, such as insufficient funds fees, overdraft fees, late fees, bounced check fees, and fees for using alternate payment methods.

The CFPB alleged that the lengthy outages and difficulties faced by customers were due to the credit union’s failure to establish reasonable management and governance processes and procedures.  Among other things, the credit union allegedly: failed to properly assess risks which could arise during the system conversion; required a rushed implementation timeline; used poor project management practices and ignored red flags in the run-up to the conversion; failed to have contingencies in place in case of disruptions; hired an inexperienced vendor for the new system without using normal procurement procedures; lacked a Chief Information Officer during the project implementation, while having senior leadership without sufficient technical knowledge make key decisions; performed insufficient testing and ignored critical bugs and defects in the software; and did not keep the board of directors and senior executives informed about the implementation process.

The CFPB asserted that collectively, these problems constituted an unfair act or practice under UDAAP.  The consent order requires the credit union to pay a $1.5 million civil money penalty, provide redress to affected customers, and implement significant compliance changes.