December 28, 2015 Practice Points

A Tightening Chokehold: The FTC and CFPB Continue to Take Aim at the Payments Industry

The Federal Trade Commission (FTC) has been joined in its effort, dubbed by some as "Operation Choke Point," by the Consumer Financial Protection Bureau (CFPB) to pursue businesses perceived as serving as merchant "on-ramps" to the payments grid by businesses that inflict harm on consumers

by Edward A. Marshall and Theresa Y. Kananen

Beginning in earnest in 2013, the Federal Trade Commission (FTC) began to exert pressure on the payments industry—including payment card processors and independent sales organizations (ISOs)—to stamp out businesses engaged in consumer fraud. More recently, it has been joined in its effort, dubbed by some as "Operation Choke Point," by the Consumer Financial Protection Bureau (CFPB). Together, these government agencies have pursued businesses perceived as serving as merchant "on-ramps" to the payments grid for allegedly facilitating the acceptance of credit and debit cards by businesses that inflict harm on consumers.

Initially, enforcement actions against players in the payments ecosystem were designed principally to capture "reserve funds" they might be holding to satisfy consumer-initiated chargebacks or to force a disgorgement of fees received from processing the transactions of "bad actors." More recently, however, the FTC and the CFPB have become more aggressive. They have attempted to put payment processors and ISOs on what amounts to the same plane of culpability as the merchants deceiving consumers themselves, seeking joint and several liability for the entirety of the consumer injury allegedly perpetrated by third parties. See, e.g., CFPB v. Universal Debt & Payment Solutions, LLC, Civil Action No. 1:15-CV-00859-RWS (N.D. Ga. filed 2015); FTC v. CardFlex, Inc., Civil Action No. 3:14-cv-00397 (D. Nev. filed 2014). And following a recent decision by the United States District Court for the Northern District of Georgia, it appears that such liability is at least theoretically possible—at least where a payments defendant engaged in "severe recklessness" by engaging in "an extreme departure from the standards of ordinary care." See CFPB v. Universal Debt & Payment Solutions, LLC, Civil Action No. 1:15-CV-00859-RWS (N.D. Ga. Sep. 1, 2015) (denying a motion to dismiss).

Critics have argued that pursuing such extreme relief against the payments industry is unwarranted and, at a minimum, disproportionate to the limited role the industry plays in authorizing and settling payment card transactions (without direct consumer contact). And, at least in part, that criticism stems from a lack of clear guidance about the standards by which culpability is to be measured. Forcing the rapid or reflexive exclusion of certain businesses from the payments ecosystem based on amorphous standards (and with the risk of being a complete insurer against merchant fraud if one makes the wrong call) presents a very real risk that even legitimate companies will be put out of business (without due process safeguards).

Clearer standards will not eliminate those concerns. But they may ameliorate them. And to that end, there are two emerging sources from which to draw.

First, the payments industry itself is working to provide guidance regarding "best practices" for underwriting and monitoring risk. The Electronic Transactions Association, for example, has published Guidelines on Merchant and ISO Underwriting and Risk Monitoring, which is continuing to evolve as a source of normative standards to protect against consumer injury.

Second, there are the enforcement actions initiated by the FTC and the CFPB. Surveying the allegations of these cases begins to paint a somewhat clearer picture of practices that regulators perceive as taking a payments company across the line from unwitting facilitator of consumer fraud to deserving (whether justifiably or not) equally harsh treatment as the perpetrators of fraud themselves. These practices, which internal underwriting and risk-monitoring should be sure to either prohibit or limit, include:

1. Ignoring dramatically high chargeback ratios, including double-digit ratios between transactions made and transactions charged back by disappointed consumers;

2. Failing to investigate disturbing chargeback narratives (e.g., consumer allegations that a merchant coerced payments of fictional debts by making unlawful threats), such as through calls to consumers who initiated the same;

3. Activity assisting merchants in avoiding card brand detection by purposeful lack of transparency and load balancing;

4. Relying on personal guaranties of merchant principals to bypass or disregard internal credit risk policies;

5. Accepting merchants that had previously been terminated or rejected by the processor or ISO based on unseemly business practices; and

6. Failing to follow up on obvious errors or discrepancies in merchant applications (including, e.g., merchant location, type of business, or principal identities).

Again, clearer standards alone will not address all the valid concerns being raised by critics of "Operation Choke Point." But, so long as the government's initiative continues, better understanding what perceived "red flags" exist in the mind of regulators can help industry players avoid the fallout of being made unwilling guarantors against merchant fraud.

Edward A. Marshall and Theresa Y. Kananen are with Arnall Golden Gregory LLP in Atlanta, Georgia.

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).