OPINION-LEG-REG-2

Guest Analysis: A Tightening Chokehold – The FTC and CFPB Continue to Take Aim at the Payments Industry

EDWARD A. MARSHALL & THERESA Y. KANANEN

Beginning in earnest in 2013, the Federal Trade Commission (“FTC”) began to exert pressure on the payments industry—including payment card processors and independent sales organizations (“ISOs”)—to stamp out businesses engaged in consumer fraud. More recently, it has been joined in its effort, dubbed by some as “Operation Choke Point,” by the Consumer Financial Protection Bureau (“CFPB”). Together, these government agencies have pursued businesses perceived as serving as merchant “on-ramps” to the payments grid for allegedly facilitating the acceptance of credit and debit cards by businesses that inflict harm on consumers.

Initially, enforcement actions against players in the payments ecosystem were designed principally to capture “reserve funds” they might be holding to satisfy consumer-initiated chargebacks or to force a disgorgement of fees received from processing the transactions of “bad actors.” That is, the government leaned on processors and ISOs principally to contribute to a pool of funds designed to redress consumer harm. To the extent businesses providing payment card services had actually received revenue or profits associated with those transactions, they were called upon to release them (to varying degrees) to help alleviate the injury caused by the merchants with which they did business.

Within the past year, however, the FTC and the CFPB have become more aggressive. They have attempted to put payment processors and ISOs on what amounts to the same plane of culpability as the merchants deceiving consumers themselves, seeking not merely reserve funds or disgorgement, but joint and several liability for the entirety of the consumer injury allegedly perpetrated by third parties. See, e.g., CFPB v. Universal Debt & Payment Solutions, LLC, Civil Action No. 1:15-CV-00859-RWS (N.D. Ga. filed 2015); FTC v. CardFlex, Inc., Civil Action No. 3:14-cv-00397 (D. Nev. filed 2014). And following a recent decision by the United States District Court for the Northern District of Georgia, it appears that such liability is at least theoretically possible—at least in instances in which a payments defendant engaged in “severe recklessness” by engaging in “an extreme departure from the standards of ordinary care.” See CFPB v. Universal Debt & Payment Solutions, LLC, Civil Action No. 1:15-CV-00859-RWS (N.D. Ga. Sep. 1, 2015) (denying a motion to dismiss).

Critics have argued that pursuing such extreme relief against the payments industry is unwarranted and, at a minimum, disproportionate to the limited role the industry plays in authorizing and settling payment card transactions (without any direct consumer contact). And, at least in part, that criticism stems from a lack of clear guidance about the standards by which culpability is to be measured. Forcing the rapid or reflexive exclusion of certain businesses from the payments ecosystem based on amorphous standards presents a very real risk that even legitimate companies will be put out of business (without due process safeguards). And it also has the potential to involuntarily offload regulatory responsibility from the public to the private sector—forcing payment processors and ISOs to determine whether and when to exclude a business from the ecosystem under threat of being a complete insurer against consumer injury if they make the wrong call.

Clearer standards alone will not eliminate those concerns. But they may ameliorate them. And to that end, there are two emerging sources from which to draw.

First, the payments industry itself is working to provide detailed guidance regarding “best practices” for the industry in underwriting and monitoring risk. The Electronic Transactions Association, for example, has published Guidelines on Merchant and ISO Underwriting and Risk Monitoring, which is continuing to evolve as a source of normative standards to protect against potential consumer injury.

Second, there are the enforcement actions initiated by the FTC and the CFPB. Surveying the allegations of these cases begins to paint a somewhat clearer picture of particular practices that regulators perceive as taking a payments company across the line from unwitting facilitator of consumer fraud to deserving (whether justifiably or not) equally harsh treatment as the perpetrators of fraud themselves. These include:

  • Ignoring dramatically high chargeback ratios, including double-digit ratios (as high as 30%) between transactions made and transactions charged back by disappointed consumers;
  • Failing to follow up on or investigate disturbing chargeback narratives (e.g., consumer allegations that a merchant coerced payments of fictional debts by making unlawful threats), such as through calls to consumers who initiated the same;
  • Activity assisting merchants in avoiding card brand detection by purposeful lack of transparency and load balancing—i.e., cycling through different merchant identification numbers so that no one merchant id is identified as problematic by the card brands;
  • Relying on personal guaranties of merchant principals to bypass or disregard internal credit risk policies;
  • Accepting merchants that had previously been terminated or rejected by the processor or ISO based on unseemly business practices; and
  • Failing to follow up on obvious errors or discrepancies in merchant applications (including, e.g., merchant location, type of business, or principal identities).
Again, clearer standards alone will not address all the valid concerns being raised by critics of “Operation Choke Point.” But, so long as the government’s initiative continues, better understanding what perceived “red flags” exist in the mind of regulators can help industry players avoid the fallout of being made unwilling guarantors against merchant fraud.
[team id=”652″]
The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.