BLOOMBERG LAW INSIGHTS: CFPB and Payment Processor Enforcement Actions

ENFORCEMENT
Kevin  Petrasic Benjamin Saul Helen Lee Joshua Garcia

By Kevin Petrasic, Benjamin Saul, Helen Lee, Joshua Garcia

Kevin Petrasic is a banking partner in the Washington, DC office of White & Case LLP, and head of the firm's Global Financial Institutions Advisory practice. He has extensive experience with bank regulatory, transactional, bank insolvency, compliance, supervisory, enforcement, legislative, and policy issues and matters.*

Benjamin Saul is a partner in the Washington, DC office of White & Case LLP. He represents banks and non-banks, including financial technology and regulatory technology companies, in a wide range of matters, with a focus on those relating to retail bank and consumer nancial products and services.

Helen Lee is a counsel in the Financial Institutions Advisory Practice Group of White & Case LLP based in the firm's Washington, D.C. office. She advises U.S. as well as non-U.S. banking organizations and other financial service providers on regulatory and transactional matters arising under the U.S. banking laws.*

Joshua Garcia is an associate in the New York office of White & Case LLP. He represents financial technology companies, banks and non-banks in a broad range of matters, with a focus on developing solutions to regulatory and transactional issues involving complex problems posed by financial services laws and regulatory requirements.

*Kevin Petrasic and Helen Lee are the authors of Bloomberg BNA Banking Practice Portfolio 437, Federal Reserve Regulation of Foreign Banks, available on Bloomberg Law.

Payment processors have been facing increased scrutiny over the past year from the Consumer Financial Protection Bureau (CFPB or the Bureau). Whether this will continue remains to be seen but, for now, recent CFPB litigation and enforcement activities have spotlighted a heightened regulatory focus on payment intermediaries, i.e. processors, and their role as “gatekeepers.”

As highlighted by the CFPB in a complaint filed against a payment processor in June of this year, payment processors provide “access to the banking system” and the means for businesses—including potentially unscrupulous ones—to extract money from consumers' bank accounts. In connection with that action, the Bureau emphasized the unique role and attendant responsibilities of payment processors, noting that, “[a]s gatekeepers to a system in which so much money changes hands, third-party payment processors as well as the banks they work with have responsibilities to monitor their transactions for suspicious activity and not enable fraud on the ACH network.”

Recognizing the unique role that payment processors play as entry points into the financial system, the CFPB has taken a carefully tailored and calibrated approach to supervising these firms. Understanding the Bureau's nuanced perception of payment processors will help industry players avoid or prepare for potential regulatory inquiries regarding a firm's operations, including potential issues that may not necessarily be obvious in the consumer financial protection context. For instance, CFPB lawsuits in recent years have showcased the need for payment intermediaries, including firms with payment processing activities incidental to their core business, to remain vigilant in the face of increased regulatory scrutiny and, particularly, to maintain adequate compliance and monitoring systems, and engage in pro-active risk mitigation strategies. These cases also reference the Bureau's aggressive use of jurisdictional hooks, to date, to pursue litigation and enforcement activities against payment processors.

How the CFPB Reaches Payment Processors

Since its inception, the CFPB has had various available means to exercise authority to oversee payment processors and their principals. In recent actions, rather than relying on new jurisdictional hooks, the Bureau has simply turned to novel or expanded uses of old authority to assert its jurisdiction. In relevant part, the Bureau has broad authority to exercise jurisdiction over:

  •  Covered persons, service providers, and related persons, and
  • Any person providing “substantial assistance” for a violation of the prohibition against UDAAPs (defined below)

Covered Persons, Service Providers, and Related Persons

Pursuant to Title X of the Dodd-Frank Act, the Consumer Financial Protection Act (the “CFPA”), the CFPB is charged with the responsibility of enforcing the federal consumer financial protection laws enumerated in the CFPA. Generally, under the CFPA, it is unlawful for “any covered person or service provider” to “offer or provide to a consumer any financial product or service not in conformity with [applicable] federal consumer financial [protection] law[s], or otherwise commit any act or omission in violation of a federal consumer financial [protection] law;…or to engage in any unfair, deceptive, or abusive act or practice (“UDAAP”).” 12 U.S.C. §§5536(a)(1)(A) and (B). On this latter point and of particular note for payment processors, any person who “knowingly or recklessly provide[s] substantial assistance to a covered person or service provider in violation of the [prohibition on UDAAPs]… shall be deemed to be in violation of that section to the same extent as the person to whom such assistance is provided.” 12 U.S.C. §5536(a)(3).

A “covered person” is the most direct route to CFPB jurisdiction and includes “any person that engages in offering or providing a consumer financial product or service.” 12 U.S.C. §5481(6). The CFPB also has jurisdiction over companies that are “service providers,” including anyone offering a “material service” to covered persons “in connection with [a consumer financial product or service] offering.” A “service provider” is “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that … processes transactions relating to the consumer financial product or service.” 12 U.S.C. §5481(26). This includes lenders, debt collectors and other providers of consumer financial products or services. (Notably, a company can be both a “covered person” and a “service provider.” 12 U.S.C. §5481(26)(C)). Finally, a “related person” is defined as a covered person—and subject to CFPB jurisdiction as such—and includes “any director, officer, or employee charged with managerial responsibility for, or controlling shareholder of, or agent for, such covered person.” 12 U.S.C. §5481(25)(i).

As highlighted in the definitions of persons and entities potentially subject to the CFPB's oversight, a “consumer financial product or service,” as defined, must be involved for the CFPB to have and exercise its jurisdiction. For these purposes, the defined term includes “any financial product or service that is described in one or more categories under [the CFPA] and is offered or provided for use by consumers primarily for personal, family, or household purposes.” 12 U.S.C. §5481(5).

The categories of financial products or services include:

  • providing payments or other financial data processing products or services to a consumer by any technological means, including processing or storing financial or banking data for any payment instrument, or through any payments systems or network used for processing payments data, including payments made through an online banking system… 12 U.S.C. §5481(15)(A)(vii).

Thus, companies—whether or not they self-identify as payment processors—that engage in the broad category of payment processor activities described above are generally subject to the CFPB's jurisdiction with respect to activities used by consumers primarily for personal, family or household purposes. In various enforcement actions against payment processors, the CFPB has invoked this authority to reach covered persons, service providers and/or related persons.

Any Person Providing Substantial Assistance for UDAAP violations

In addition to its jurisdiction over covered persons, service providers and related persons, the CFPB can take action against any entities that “knowingly or recklessly provide substantial assistance” to covered persons violating the prohibition against UDAAPs. This sweeps in any entities or individuals that provide such assistance when they know or should have known of a covered person's allegedly harmful activity. The CFPB has asserted that payment processors who know (or consciously avoid knowing) that their customers are charging illegal fees, yet process those fees, provide substantial assistance to covered persons in violation of applicable law. For example, in two relatively recent payment processor cases the CFPB leveraged the “substantial assistance” argument to bring actions against executives managing the defendant companies.

The CFPB's reliance on the “substantial assistance” reference suggests a need for greater clarity on the Bureau's jurisdictional authority in this context, particularly given the provision applies to any person and not just covered persons. The law itself does not define what constitutes “substantial assistance,” nor does the law specify any boundaries of proof for the “knowingly or recklessly” standard. While there must be a UDAAP violation for there to be substantial assistance liability, the CFPB has settled claims where it alleged entities provided “substantial assistance” to a covered person violating non-UDAAP rules such as the Telemarketing Sales Rule (TSR) and the Real Estate Settlement Procedures Act (RESPA). While the TSR has a separate “substantial assistance” grant of authority upon which the CFPB can rely (see 16 C.F.R. §310.3(b)), RESPA does not.

The CFPB v. Payment Processors
Pending Action: Payment Processor Jurisdiction and Reach

The CFPB's recent actions involving payment processors illustrate the Bureau's efforts to pursue payment processors that fail to remain sufficiently alert—in their activities as gatekeepers—in monitoring the activities of their consumer-facing customers. In one such pending action, the CFPB alleged payment processor Intercept (and two of its executives) enabled unauthorized and illegal withdrawals by merchant clients from consumer accounts. According to the CFPB, the company ignored “blatant warning signs of potential fraud or lawbreaking by its clients,” and disregarded complaints from banks and consumers. The Bureau asserted jurisdiction over the company (and the two executives) as “covered persons,” “related persons” and/or “service providers.” In addition, the Bureau alleged that company executives knowingly or recklessly provided “substantial assistance” to the company in the conduct of certain UDAAP violations.

In response, the company argued that the CFPB lacked jurisdiction over the company because it is neither a “covered person” nor a “service provider,” and over its executives because they are neither “covered persons” nor “related persons.” According to the company, there could be no “substantial assistance” liability because there was not a requisite person or entity to commit a UDAAP violation. Specifically, the company asserted the CFPB lacks jurisdiction in the case because the company's payment processing services are not provided directly to consumers “primarily for personal, family, or household purposes;” rather, the company's customers are businesses that include lenders, finance companies and debt collectors. Thus, in the company's view, the lawsuit improperly exceeds the CFPB's jurisdiction, which does not include products and services between “business-to-business companies.”

In countering the company's pending motion to dismiss, the CFPB argued that the relevant question is not whether the company contracts directly with consumers for the payments it processes, but rather whether it provides its services “to a consumer” and “for use by consumers” for a personal, family, or household purpose. According to the CFPB, the law does not require that a covered person contract directly with a consumer for the Bureau to have jurisdiction. Rather, as stated by the agency, when payment processors transmit payment requests authorized by consumers, processors are providing a convenience service of “fast electronic payment processing both ‘to’ and ‘for use by’ consumers regardless of whether they do so directly or via third-party arrangements.”

How the court decides on the company's pending motion to dismiss will likely frame the tenability of the CFPB's view on payment processor accountability going forward. If the court agrees with the CFPB on the covered person jurisdictional issue, the ruling could significantly expand the universe of companies traditionally thought of as providers of consumer financial products or services to include companies offering products and services to businesses with downstream consumers. And this would confirm the CFPB's jurisdiction over middlemen entities such as payment processors, notwithstanding the lack of a direct consumer relationship to such firms.

Settled Actions: Expanding the Scope of Payment Processors

Exercising its authority pursuant to the broad jurisdictional language of the CFPA, the CFPB asserted that two major wireless telecommunications carriers were payment processors subject to the Bureau's jurisdiction. In similar suits filed against Sprint and Verizon (both settled in mid-2015), the CFPB alleged that, although the companies outsourced compliance and payment processing functions to billing aggregators, they each maintained “control over the collection, processing, and distribution of payments” and were “covered persons” by virtue of processing payments “for consumers in connection with third-party goods.”

According to the CFPB, the companies adopted a flawed billing system that permitted third parties to place unauthorized charges on consumers' mobile phone bill. The CFPB also alleged that the companies automatically enrolled customers into billing systems that allowed third parties to submit charges that billing aggregators placed on customer bills, with the phone companies receiving approximately 30 to 40 percent of the gross revenue from such charges.

Notably, the phone companies did not initiate the unauthorized charges; these came from unaffiliated businesses claiming to have received authorization from phone company customers to initiate the charges. However, the phone companies provided the platform for such businesses to initiate the charges, and in so doing, outsourced certain payment processing functionality to process the charges. According to the CFPB, the phone companies each exercised a sufficient degree of control with respect to their respective payment processes to be considered “providing payments or other financial data processing products or services” and profited from the unauthorized payments. In agreeing to settle the actions, the companies paid a combined total of $120 million in consumer redress and $38 million in federal and state fines.

Based on the CFPB's action, companies engaging in similar outsourcing activities should be aware that billing practices for consumer products or services may be scrutinized both for their own actions and for those of their business partners, for which they may be held accountable. Companies should review the extent of their control over payment processing functions, including the collection, processing and distribution of payments, particularly with respect to the imposition of any third-party charges.

Lessons Learned from CFPB Payment Processor Actions

As evidenced by several recent actions, and despite recent setbacks, the CFPB continues to have, at least for now, broad jurisdiction over payment processors' activities that directly and indirectly impact consumers. This reach includes “traditional” providers of consumer financial products and services, as well as companies providing financial products and services to businesses that have a tangential or downstream impact on consumers.

While traditional providers are familiar with consumer protection rules and practices intended to mitigate consumer harm, payment processors providing services to businesses and/or operating outside the financial services industry are less likely to be aware of the heightened supervisory scrutiny and risk attendant to activities that may indirectly but adversely impact consumers. For instance, in a March 2016 enforcement action taken against payment processor Dwolla for alleged deceptive data security practices, the CFPB noted that, among other alleged deficiencies, the company did not require applications developed through its affiliated software development operation to comply with the company's own stated security practices, thereby exposing consumers to potential harm in relying on representations to the contrary.

Given this backdrop, companies engaging directly or indirectly in payment processor activities that potentially impact consumers should consider and apply the following lessons learned from recent CFPB enforcement actions:

  • Monitoring for High Refund and Chargeback Rates. An important red flag to watch out for involves circumstances where merchants have refund or chargeback rates substantially higher than relevant industry averages for their sector. Payment processors, and companies working through payments processors, should actively monitor for such activities. Notably, NACHA guidelines emphasize the responsibility of all participants in the ACH system to monitor merchant return rates to detect and prevent fraud; thus, a formal monitoring program may be appropriate.
  • Reviewing for Date and Amount Discrepancies. Similarly, payment processor firms and other companies should periodically review and take appropriate action upon discovering discrepancies between dates and amounts debited from consumers' accounts compared to what the consumer originally authorized.
  • Customer and Consumer Complaint Monitoring. An extremely important source of information to a payment processor or a company working through a payment processor is the data, volume and distribution of merchant customer and consumer complaints related to payment processor activities. In the CFPB's pending action against Intercept, the agency alleged that the company ignored various consumer complaints that revealed payment processor deficiencies. Similarly, in the Bureau's actions against the two mobile telephone carriers discussed above, advocacy groups submitted complaints on behalf of a large group of consumers regarding third-party cramming activities. Payment processors and companies working through such firms should actively monitor both merchant customer and consumer complaints to detect possible payment processor deficiencies. In particular, payment processors should have a formal program through which they collect data on consumer complaints ( e.g., complaint information about the merchant, merchant's industry and merchant's customer base would all help track trends), as well as a structured consumer complaint response system that assures attention to addressing specific issues evidencing compliance and other program deficiencies.
  • Monitoring Law Enforcement Actions. Payment processors (and firms working through them) should also monitor for and review law enforcement actions against business customers that could be indicative of underlying consumer harm, and should adjust relationship with such merchant customers accordingly.
  • Suspicious and Illegal Activity Monitoring. Finally, payment processors should monitor for and be wary of arrangements that could involve the processing of illegal payments or fees, even if they do not initiate such fees.In the CFPB's actions against payment processors Global Client Solutions and Meracord, the CFPB alleged that, although the companies did not initiate challenged fees in violation of the TSR, the payment processors offered a platform on which third parties were able to successfully have such fees processed. Based on this, both companies were found by the CFPB to be liable for providing “substantial assistance” to the entities that charged the illegal fees.In the other actions discussed above, the CFPB argued that when payment processors process illegal or unauthorized fees or unauthorized debits to consumer accounts, such firms engage in “unfair acts” UDAAP violations.

What Else Can Payment Processors Do?

The compliance landscape has changed for payment processors in recent years. Regardless of whether a company serves consumers directly or works with businesses that serve consumers, the CFPB (and likely other regulators) is paying close attention to activities or operations that have the potential to lead to consumer harm. And there are various risks that should be considered in this context, not the least of which are business and reputation risks. To respond to this changed landscape, payment processors and other firms have taken various actions to adopt a proactive stance toward risk management. These include the “lessons learned” action items discussed above, as well as the following:

  • Implementing Automated Compliance Programs. Companies subject to higher risk exposure due to the nature of their payment processor operations or business volumes should consider adopting automated compliance solutions to assist in monitoring and managing such risks. In recent years, regulatory technology (regtech) has advanced to offer low-cost automated compliance monitoring solutions. Such technology could easily capture, for example, a change in date or amount authorized from an initial authorization to subsequent authorizations. It could also automatically trigger user-defined limits on merchant access to the payment system or send high-priority alerts once return rates exceed a specified percentage of overall merchant volume.
  • Actively Monitor and Review Internal Compliance Programs. In order to implement changes and actively respond to consumer complaints, payment processors should establish and maintain a robust internal compliance management system. Payment processors should work with third-party vendors to develop and formalize such systems.
  • Review and Strengthen Standardized Contractual Provisions. Payment processors should also ensure that form agreements with prospective customers include standardized provisions (applicable law, etc.) in order to minimize third-party legal risks. Depending on the risk level of the customer and the compliance system of the payment processor, payment processors should also consider strengthening standard contractual provisions regarding audit rights or providing access to consumer complaints.
  • Improve Regulatory Relations. Regulated companies, as well as firms potentially subject to oversight or supervision by the CFPB or other federal/state banking regulators should consider establishing a dialogue with such agencies. The advent of offices such as the CFPB's Project Catalyst and the OCC's new Office of Innovation, both of which are dedicated to working with banks and other financial firms to identify and develop innovative solutions, may provide opportunities for payment processors to address existing issues or system vulnerabilities, as well as obtain certainty around potential liability issues raised by innovative products or services. While this option may not be suitable for every situation, it may become more of an option as regulators become more sophisticated and seek increased communication with the payments industry.

Conclusion

The CFPB has broad authority to pursue enforcement actions against payment processors and has shown a clear willingness to do so. Companies engaging in payment processor activities that impact consumers—whether directly or indirectly—should be aware of the increasing regulatory risks attendant with such activities. Although the precise limits of the CFPB's jurisdiction over payment processors that serve businesses (rather than directly serving consumers) are currently being tested and may be scaled back by a new Administration, the overall landscape remains unclear. Nonetheless, prudent risk management suggests that payment processors engaged in activities that have the potential to result in consumer harm should review and adjust, as appropriate, their activities and operations in light of recent CFPB actions to ensure the adequacy of their compliance and risk management systems.

* * * * *

Kevin Petrasic is a banking partner in the Washington, DC office of White & Case LLP, and head of the firm's Global Financial Institutions Advisory practice. He has extensive experience with bank regulatory, transactional, bank insolvency, compliance, supervisory, enforcement, legislative, and policy issues and matters.*

Benjamin Saul is a partner in the Washington, DC office of White & Case LLP. He represents banks and non-banks, including financial technology and regulatory technology companies, in a wide range of matters, with a focus on those relating to retail bank and consumer nancial products and services.

Helen Lee is a counsel in the Financial Institutions Advisory Practice Group of White & Case LLP based in the firm's Washington, D.C. office. She advises U.S. as well as non-U.S. banking organizations and other financial service providers on regulatory and transactional matters arising under the U.S. banking laws.*

Joshua Garcia is an associate in the New York office of White & Case LLP. He represents financial technology companies, banks and non-banks in a broad range of matters, with a focus on developing solutions to regulatory and transactional issues involving complex problems posed by financial services laws and regulatory requirements.

*Kevin Petrasic and Helen Lee are the authors of Bloomberg BNA Banking Practice Portfolio 437, Federal Reserve Regulation of Foreign Banks, available on Bloomberg Law.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.