CFPB Aims for More Enforcement Muscle in Payment Processor Case


By Chris Bruce

Sept. 22 — A case against a Fargo, N.D.-based payment processor could give the Consumer Financial Protection Bureau (CFPB) more enforcement muscle, even against companies that don't deal directly with consumers (Cons. Fin. Protection Bureau v. Intercept Corp., D. N.D., No. 16-cv-00144, complaint filed 6/6/16).

In June, the CFPB sued Intercept Corp. and two executives in the U.S. District Court for the District of North Dakota, saying Intercept “systematically enabled its clients to withdraw millions of dollars’ worth of unauthorized or otherwise illegal charges from consumers’ bank accounts.”

Intercept asked the court to dismiss the case, saying the CFPB doesn't have authority over it because Intercept only provides “business-to-business” services, and doesn't deal with consumers.

The case sets the stage for a major test of how the CFPB interprets and applies important provisions under the Consumer Financial Protection Act (CFPA), a section of the Dodd-Frank Act, Erin F. Fonte, a member with Dykema Gossett, told Bloomberg BNA.

“Everyone who works in the payment space will be watching this case very carefully,” said Fonte, who heads up the financial regulatory and fintech practices in the firm's Austin offices. “It is a bit of a novel reading of the statute.”

ACH Network

At the core of the case is the automated clearing house (ACH) network, which moves more than 23 billion payment transactions each year totaling more than $40 trillion.

According to the CFPB, Intercept and other third-party processors have a duty to monitor their transactions for suspicious activity, and not to enable fraud on the ACH network.

Intercept failed to meet its responsibilities, according to an Aug. 29 brief filed by the CFPB. It said the company debited consumer bank accounts on behalf of its merchant clients “despite numerous red flags that the payment requests they were submitting were fraudulent or illegal.”

UDAAP Authority Tested

The case raises a host of important questions. Among others, Intercept said the CFPB is barred from bringing the case because the Federal Trade Commission could have brought a case years ago but didn't. The company also says the CFPB is unconstitutional, echoing claims now being tested in other cases involving the CFPB.

But one question in particular is getting extra attention — the CFPB's assertion that Intercept provides “payments or other financial data processing products or services to a consumer” under 12 U.S.C. 5481(15)(A)(vii) and therefore is a “covered person” under the CFPA.

Ori Lev, a former CFPB official and now a partner with Mayer Brown in Washington, said that's important because the CFPB's authority to enforce prohibitions against unfair, deceptive or abusive acts or practices (UDAAP) only applies to covered persons and service providers to covered persons.

According to Lev, a ruling for the CFPB on the “covered person” question could mean wider enforcement action by the agency.

“If the CFPB’s theory is accepted, then third-party payment processors would be subject to UDAAP prohibitions under Dodd-Frank and the CFPB could potentially bring enforcement actions against payment processors for processing payments that have nothing to do with financial products,” Lev told Bloomberg BNA.

Attorney David M. Bizar also sees the case as a bid to expand the CFPB's jurisdiction and said that's likely to continue. More broadly, the case highlights the fact that the CFPB is no longer a fledgling regulator, he said.

“This is now a mature agency, and they’re becoming less shy about flexing their muscles,” said Bizar, a partner in the Boston office of Seyfarth Shaw who chairs the firm’s consumer financial services litigation practice.

Business to Business?

But according to Intercept, that muscle-flexing is going too far, which is why the case should be thrown out.

In an Aug. 8 brief accompanying its motion to dismiss, Intercept said the CFPA only assigns “covered person” status to payment processors that offer their services “directly to consumers” primarily for personal, family, or household purposes.

But Intercept doesn't deal with consumers, according to the brief. It said the company provides payment processing services to 68,000 merchants and businesses, including accounting firms, churches, payroll processors and other enterprises.

The fact that Intercept contracts with merchants, not consumers, means it can't be a covered person under Dodd-Frank, it said.

“The language of the CFPA dictates the limits of the Bureau’s jurisdiction, and plainly excludes business-to-business companies such as Intercept from its reach,” the brief said.

The CFPB fired back Aug. 29, saying “nothing in the statutory text even implies that a covered person must contract directly with the consumer.”

“When payment processors transmit legitimate credit and debit requests that were authorized by consumers, those processors provide the service of convenient and fast electronic payment processing both ‘to’ and ‘for use by’ consumers regardless of whether they do so directly or via third-party arrangements,” the agency said.

‘A Radical Interpretation.’

Intercept isn't buying it. In a Sept. 12 brief, the company described the CFPB's stance as a “radical interpretation” of the CFPA. It said the CFPB “seeks authority over pure ‘business-to-business’ companies whose customers engage with consumers, a dramatic expansion of power for which the Bureau does not—and cannot—cite any precedent.”

Oliver I. Ireland, a partner with Morrison & Foerster in Washington, said a ruling for the CFPB could widen the agency's jurisdiction, with important implications for bank processors as well.

“If the court agrees with the CFPB that a payment processor is acting as an agent for the consumer instead of on behalf of the merchant that initiates an ACH debit or card payment, that really broadens their jurisdiction,” he said. “It seems to me to be inconsistent with the basic understanding of agency relationships in the payment system. It opens up banks as payment processors to all kinds of claims by the CFPB, because it essentially makes you liable for your customers’ actions.”

Early-Stage Debate

The case is at an early stage, but already it's kicked off a significant debate among attorneys, academics, and others on the CFPB's role.

Richard M. Alderman, director of the Center for Consumer Law at the University of Houston Law Center, said the facts of the case show that the CFPB is on solid ground.

“I think that while this may be viewed as an ‘extension’ of the apparent authority of the CFPB, it is not outside of the language or the intent of the law,” he said in an e-mail to Bloomberg BNA. “This is not a pure ‘business to business’ transaction. It is a transaction with a direct impact on and implication for consumers.”

According to the CFPB, banks and payment processors, which it described as “gatekeepers” to the ACH system, have been on notice for years by the Federal Deposit Insurance Corporation and other regulators that failure to watch for fraudulent activity can result in liability for payment processors and banks alike.

“Processors and banks that shirk these responsibilities or look the other way by giving fraudsters and criminals access to the ACH system can, in doing so, amplify the resulting harm to consumers by orders of magnitude above what their clients would be capable of with cash or paper checks alone,” the CFPB said.

Policy Questions Raised

Law professor Christopher L. Peterson, who served as a CFPB special adviser between 2012 and 2016, said those responsibilities have long been clear. The FDIC, the Federal Trade Commission, the Office of the Comptroller of the Currency, and the Department of Justice have all brought cases like this one, Peterson said.

Peterson, who now teaches at the S.J. Quinney College of Law at the University of Utah in Salt Lake City, said the Intercept case is important, but not because it's based on a radical theory as alleged by Intercept.

“I think that is nakedly false,” Peterson told Bloomberg BNA. “Payment processors have been liable for aiding and abetting fraud for years, and for collaborating with wrongdoers or for acting as an entry point for fraudulent action,” said Peterson, who recently authored a study on the CFPB's enforcement efforts so far (175 BBD, 9/9/16).

And broader policy questions also are at stake, according to Peterson.

“It seems to me that Intercept wants payment processing companies to be able to take money out of consumer bank accounts but without being covered by the consumer protection laws,” he said. “What they want is power without responsibility. And so the Bureau is going to be the enforcement regulator but doesn’t have any authority over people who hold the key to payment accounts? That doesn’t make any sense.”

Awaiting a Ruling

It's not clear when the court will rule on the motion to dismiss, though Intercept has asked for a hearing.

According to Intercept, the case poses an array of questions that are untested by any court in the Eighth Circuit.

The court's ruling on the motion to dismiss itself could be telling, according to Mayer Brown's Lev. If the court denies the motion, it's hard to know how the case might play out. But it's pretty clear what happens if the court grants the motion to dismiss, he said.

“If the court grants the motion, it’s almost certain that the CFPB would appeal and the question of whether payment processors are covered persons would likely be teed up on appeal,” he said.

To contact the reporter on this story: Chris Bruce in Washington at

To contact the editor responsible for this story: Mike Ferullo at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.