On July 12, 2021, the CFPB announced that it issued a consent order against GreenSky, LLC (GreenSky) for enabling contractors and other merchants to take out loans on behalf of thousands of consumers who did not request or authorize them. Per the consent order, Greensky, which is a non-bank institution located in Atlanta, GA, will be required to pay a $2.5 million civil penalty and refund or cancel up to $9 million in loans.
The CFPB alleged that Greensky used merchants, primarily those providing home improvements, to promote and offer financing to customers before making on-the-spot lending decisions based on criteria provided by its partner banks. Merchants gathered information from consumers and submitted the loan applications to GreenSky. Once a loan was approved, proceeds from the loans bypassed the consumers and were distributed directly to the merchants. Consumers were not required to sign-off or take any other action to complete the loan process; instead, the loan application process was complete upon a successful qualification for the loan. If a consumer qualified for a loan, they would only be able to view the approved loan terms if the merchant chose to share the loan approval screen with the consumer.
Per the consent order, merchants applied to participate in GreenSky’s programs. Once accepted, GreenSky trained the merchants on marketing and promoting GreenSky’s loans, taking consumer information, and submitting loan applications. However, merchants were allowed to submit loan applications for up to two months before they completed training. Only certain merchants were trained by a live person; the rest received online training only. According to the CFPB’s findings, the training did not adequately address consumer protection laws, annual compliance training was not required, and GreenSky sometimes failed to inform merchants when it changed its programs.
The net result of the above is that at least 6,000 consumers complained that they never applied for a loan or even heard of GreenSky before receiving billing statements, collection letters, and calls from the company. The CFPB’s investigation showed that in at least 1,600 instances, merchants were at fault. In some cases, the merchants used their email addresses instead of the consumer’s email address on the application. Generally, GreenSky only required merchants to provide proof of consumer authorization after a consumer filed a complaint and did not discipline or terminate merchants known to have submitted unauthorized loan applications. According to the CFPB, employees in GreenSky’s merchant risk department were not adequately trained or guided by a consistent set of principles; they were allowed autonomy in dealing with merchant infractions.
Further, the CFPB found that GreenSky failed to timely or adequately respond to complaints. Until at least 2018, GreenSky lacked policies and procedures regarding how to resolve complaints related to unauthorized loans; thus, resolutions were inconsistent. It took over 75 days to respond to complaints in many instances, and in some cases, it took over six months. Some complaints were closed without ever being resolved or informing consumers of the result of the investigation. Greensky often told consumers they needed to attempt to resolve their issue with the merchant before GreenSky would investigate their complaint.
In addition to the financial penalties, GreenSky must enhance its practices regarding consumer identification, implement an effective consumer complaint management program, exercise effective oversight of third-party merchant partners, and implement consistent standards to govern the write-off of illegal loans.
The full consent order can be found here.
Deficient policies and procedures appear to be at the root of many of the allegations against GreenSky. Inconsistent or missing procedures resulted in a lack of oversight of their merchant partners, consistent training, and proper complaint handling. The apparent failure to adequately capture these crucial business functions snowballed into the allegations seen in this consent order, and ultimately the fines and penalties issued by the CFPB.
This cannot be said enough: entities subject to CFPB oversight must have compliance management systems that include comprehensive written policies and procedures. Verbal, employee-to-employee training is simply insufficient in the current regulatory environment. Written procedures are necessary to ensure uniform compliance leads to inconsistent results. As evidenced by this consent order, the failure to take this crucial step can snowball into a less than desirable outcome for an organization.
This consent order also reiterates that entities subject to CFPB oversight need to continue to ensure that their vendors or partners who interact with consumers remain supervised. It is not sufficient to provide quick training and let the chips fall where they may. Therefore, a comprehensive compliance management system should include written vendor/partner management policies and procedures which detail auditing protocols and how to handle vendors or partners who fail to adhere to legal or other compliance standards.