OneMain has agreed to issue interest refunds to the fewer than one percent of our customers who, within the last four years, received a refund of their premium or fee through a check rather than a statement credit after canceling an optional product within 30 days of purchase. “OneMain is pleased to resolve this matter related to our refunding practices for some optional products, even though we do not agree with the CFPB’s conclusions. (NYSE: OMF) today commented on an agreement reached with the Consumer Financial Protection Bureau (CFPB) relating primarily to the handling of interest refunds for certain optional products that our customers purchased, but later canceled within the first 30 days.
In addition to the $4.25 million penalty it will pay, OneMain must also write policies designed to remediate the cybersecurity shortcomings identified in the consent order and, once executed, submit a report to the department to prove it had done so.OneMain Agrees to Extend Industry-Leading Refunding Practices to Purchasers of Optional Non-Credit Insurance and Third-Party Membership Plans Will Also Extend Full-Refund Period to 60 Days for all Optional Products The company did not specify how many customers received these letters. One set of notifications went to New Jersey residents in 2018 the other set went to California residents in 2022. The OneMain spokeswoman said of the data privacy incidents it had suffered since 2018, "we are not aware of any customers who were harmed by any of these incidents." However, OneMain has sent notices to customers telling them that their personal information had been compromised on at least two occasions since 2018. The department outlined two other incidents from 2018 and one from 2020 in the consent order against OneMain. Another involved hackers compromising OneMain customer emails to access their account information, according to notices sent to New Jersey customers. One of these incidents involved only one person's private information, according to a nonprofit that tracks data privacy incidents. In 2018 alone, the company suffered at least four data privacy incidents. OneMain, which the department said in the consent order had $4.37 billion in annual revenue and 2.45 million customer accounts in 2021, acknowledged that it has suffered multiple cybersecurity incidents and data breaches in recent years.
These risks "resulted in zero customer harm," she said. The spokeswoman acknowledged that OneMain did permit employees to share privileged accounts that had access to customer information and that these accounts were allowed to use the default passwords they were initially set up with. "Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators," the spokeswoman said. A spokeswoman for OneMain said the company was "pleased to have resolved this historical matter," which it "has long since addressed." She said OneMain is "committed to being a leader in cybersecurity" and would continue investing in its data protection programs.
0 kommentar(er)
