In a separate case, Bank of America is setting aside $200 million to account for fines it expects the Securities and Exchange Commission and the Commodity Futures Trading Commission to impose for failing to monitor the use of unapproved personal devices by employees. The SEC has been looking into whether Wall Street banks have been adequately documenting employees’ work-related communications, such as text messages and emails, during the work-from-home period of the pandemic.
Last week, the Consumer Financial Protection Bureau (CFPB) ordered Bank of America to pay a $100 million penalty that “reflects the severity and scope of the consumer harm caused by the bank’s practices,” the CFPB stated. In a separate action, in coordination with the CFPB, the Office of the Comptroller of the Currency (OCC) fined the bank $125 million to be paid to the U.S. Treasury for violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices.
According to the findings of the CFPB’s investigation, “Bank of America automatically and unlawfully froze people’s accounts with a faulty fraud detection program and then gave them little recourse when there was, in fact, no fraud,” the CFPB stated.
Beginning in September 2020 and continuing through mid-2021, Bank of America changed its practices for investigating prepaid debit card fraud on unemployment insurance benefit accounts, according to the CFPB. Instead of conducting investigations, the bank implemented a fraud filter that “set a low bar to freeze the unemployment insurance benefits of many people, harming thousands of legitimate cardholders needing the money,” the CFPB stated.
“The bank also retroactively applied its fraud filter to deny some notices of error submitted by prepaid debit cardholders that the bank had previously investigated and paid,” the CFPB stated.
Additionally, the bank made it difficult for consumers to unfreeze their prepaid debit cards or report fraudulent use of their cards. Those with unemployment insurance benefit prepaid debit cards could not make reports online or in person at bank branches.
Compliance Deficiencies
The OCC also found several compliance deficiencies, including inadequate risk management practices in both the front-line units and independent risk management, including ineffective oversight, risk assessment, monitoring, and reporting; inadequate internal controls, including those relating to contract management; inadequate oversight, risk management, and monitoring of prepaid card unemployment benefits vendors; and inadequate oversight and coverage by the bank’s independent audit function.
In addition to providing remediation to harmed consumers whose access to unemployment benefits was denied or delayed, the OCC order also requires Bank of America to “perform a comprehensive and holistic risk assessment … that shall address all significant risks to include at a minimum transaction and card volumes and trends; operational risks, including capacity limitations or obstacles with product service or delivery; requisite staffing skills and expertise; compliance with applicable consumer protection and information security laws and regulations; and fraud risk volume, fraud sources, and types of fraud.”
The OCC consent order further orders the bank to conduct a program gap analysis that, at a minimum, “shall address the adequacy of operational controls, fraud investigations, fraud rules and/or strategies, claims intake and processing, accounting practices, complaints management, claims and complaints quality assurance processes, systems and data management, and program vendor risk management.”
Unapproved Communications
The bank is still waiting on final action from the SEC on the improper use of personal devices by BofA employees to conduct official business. Regulators require banks to keep records of all business-related communications. To comply, financial firms typically ban the use of personal email, text messaging, and social media channels for work purposes, although bankers do not always follow those rules.
Late last year, the SEC and the CFTC fined J.P. Morgan Securities $200 million for “widespread” failures to preserve employee communications on personal devices, such as mobile phones, and on messaging apps and email systems. Other top banks, including Morgan Stanley and Citigroup, have also put aside cash to cover similar expected regulatory fines, the banks have stated.
History of Misconduct at Bank of America
Bank of America has a history of misconduct and of engaging in fraudulent practices: in April 2014, the CFPB ordered Bank of America to pay $727 million in redress to consumers harmed by the bank’s deceptive marketing and unfair credit card billing practices; in August 2014, Bank of America reached a $16.65 billion settlement—the largest civil settlement with a single entity in U.S. history—for financial fraud that played a central role in the 2008 financial crisis; and in May 2022, the CFPB ordered Bank of America to pay a $10 million civil penalty for processing illegal, out-of-state garnishment orders against its customers’ bank accounts.
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.