Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • UK's FCA secures £2,000,000 account forfeiture order against fintech start up

    Federal Issues

    On April 21, the UK’s Financial Conduct Authority (FCA) secured a £2,000,000 account forfeiture consent order against a fintech startup that purportedly offers due diligence and underwriting services. The FCA noted that the funds were supposedly an investment received from a software firm, but observed that the fintech company moved the money repeatedly to different bank accounts in several countries in transactions with no legitimate business purpose. The funds, which the FCA had already frozen in October and December 2020, were allegedly “the proceeds of illegal activity connected to criminal proceedings in the United States of America concerning an alleged conspiracy to commit wire fraud against banks, credit card companies and other financial service providers in the USA.” While the FCA is not alleging that the fintech company was involved in the conspiracy, it flagged concerns in response to the company’s application to become a regulated firm. The company has since withdrawn its application to be regulated by the FCA.

    Federal Issues Of Interest to Non-US Persons UK FCA DOJ UK Payment Processors Fintech Forfeiture Order

    Share page with AddThis
  • FTC fines payment processor $2.3 million for helping online discount clubs bilk consumers

    Federal Issues

    On March 10, the FTC reached a settlement with a payment processing company and two senior officers (collectively, “defendants”) whereby the company would pay $2.3 million in restitution as part of their role in allegedly helping the operators of a group of marketing entities enroll consumers into online discount clubs and debit more than $40 million from consumers’ bank accounts for membership without their authorization. As previously covered by InfoBytes, the FTC’s 2017 complaint claimed that the online discount clubs claimed to offer services to consumers in need of payday, cash advance, or installment loans, but instead enrolled consumers in a coupon service that charged initial fees ranging from $49.89 to $99.49, as well as monthly recurring fees of up to $19.95. However, the FTC’s complaint stated that “99.5 percent of the consumers being illegally charged for the ‘discount clubs’ never accessed any coupons, and that tens of thousands called the defendants to try and cancel the charges, while thousands more disputed the charges directly with their banks.” The FTC accused the defendants of providing “substantial assistance or support” in the way of payment processing services while “knowing or consciously avoiding knowing” that the actions being supported were in violation of the Telemarketing Sales Rule (TSR). The FTC further detailed how defendants ignored several indications of fraudulent activity, including the consistently high return rates generated by the discount club transactions and that a primary client of their services had already been the subject of previous FTC enforcement actions for engaging in similar conduct.

    Under the terms of the settlement, which is pending court approval, the defendants are banned from, among other things, (i) processing remotely created payment orders; (ii) processing payments on behalf of clients whose business involves outbound telemarketing, discount clubs, or offers to help consumers with payday loans; (iii) processing payments on behalf of any client that the defendants know or should know is engaging in deceptive or unfair acts or practices or violating the TSR; and (iv) processing payments for any existing or prospective clients without first conducting a reasonable screening to ensure clients are not violating federal law.

    Federal Issues FTC Enforcement Payment Processors TSR FTC Act Consumer Finance Settlement

    Share page with AddThis
  • DFPI addresses several MTA licensing exemptions

    Recently, the California Department of Financial Protection and Innovation (DFPI) released two new opinion letters covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of digital assets and agent of payee rules. Highlights from the redacted letters include:

    • Purchase and Sale of Digital Assets; Payment Processing Services. The redacted opinion letter examines whether the inquiring company’s client is required to be licensed under the MTA. The letter describes two types of transactions proposed to be conducted on the client’s online trading platform: (i) transactions in which customers purchase and sell digital assets from the company in exchange for fiat currency (Direct Purchase Transactions); and (ii) transactions in which merchants use the platform as a payment processor to accept digital assets from customers in exchange for non-fungible tokens (Payment Processing Transactions). DFPI concluded that the Direct Purchase Transactions do not require an MTA license because they do not “involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.” DFPI similarly concluded that the Payment Processing Transactions do not require licensure at this time because DFPI has “not yet determined that payment processing transactions involving digital assets constitute receiving money for transmission[.]” Notwithstanding, DFPI added that it has been “studying the cryptocurrency industry closely” and that “[a]t any time, the Department may determine these activities are subject to regulatory supervision. The Department may also adopt regulations or issue interpretive opinions that significantly restrict [the contemplated] business operations.”
    • Agent of Payee. The redacted opinion letter addresses whether the inquiring company’s proposed payment processing activities are exempt from the MTA’s licensing requirements. The letter explains that the company proposes to process payments related to purchases of apps through a virtual marketplace that operates on the company’s point of sale terminals. Through the virtual marketplace, customers (generally small businesses or merchants) may purchase apps that are developed and licensed to customers by third-party developers. Pursuant to a developer agreement, the company is appointed by such third-party developers to act as an “agent” of the developers “to collect and hold all Gross Revenue on [the developers’] behalf and to remit the Remittance Amount to [the developers’] Payment Account.” DFPI concluded that receiving funds from a customer for the purposes of transmitting payments to the developer “constitutes ‘receiving money for transmission.’” However, DFPI noted that these activities also satisfy the “agent of payee” exemption requirements because, pursuant to the developer agreement, the company acts as an agent of the developer, and the company’s receipt of payment satisfies “the customer’s (payor’s) obligation to the Developer for goods or services.” Accordingly, DFPI concluded that while the activities described constitute “money transmission” the company is exempt from the MTA’s licensure requirement.

    DFPI reminded the companies that its determinations are limited to the presented facts and circumstances and that any change could lead to different conclusions.

    Licensing State Issues State Regulators DFPI California Money Transmission Act Money Service / Money Transmitters Payment Processors Fintech Digital Assets Cryptocurrency California

    Share page with AddThis
  • CFPB bans payment processor for alleged fraud

    Federal Issues

    On January 18, the CFPB filed a proposed stipulated judgment and order to resolve a complaint filed last year against an Illinois-based third-party payment processor and its founder and former CEO (collectively, “defendants”) for allegedly engaging in unfair practices in violation of the CFPA and deceptive telemarketing practices in violation of the Telemarketing Act and its implementing rule, the Telemarketing Sales Rule. As previously covered by InfoBytes, the CFPB alleged that the defendants knowingly processed remotely created check (RCC) payments totaling millions of dollars for over 100 merchant-clients claiming to offer technical-support services and products, but that actually deceived consumers—mostly older Americans—into purchasing expensive and unnecessary antivirus software or services. The tech-support clients allegedly used telemarketing to sell their products and services and received payment through RCCs, the Bureau claimed, stating that the defendants continued to process the clients’ RCC payments despite being “aware of nearly a thousand consumer complaints” about the tech-support clients. According to the Bureau, roughly 25 percent of the complaints specifically alleged that the transactions were fraudulent or unauthorized. 

    If approved by the court, the defendants would be required to pay a $500,000 civil penalty, and would be permanently banned from participating in or assisting others engaging in payment processing, consumer lending, deposit-taking, debt collection, telemarketing, and financial-advisory services. The proposed order also imposes $54 million in redress (representing the total amount of payments processed by the defendants that have not yet been refunded). However, full payment of this amount is suspended due to the defendants’ inability to pay.

    Federal Issues CFPB Enforcement Telemarketing Elder Financial Exploitation Payment Processors CFPA Unfair Telemarketing Sales Rule Deceptive UDAAP Consumer Finance

    Share page with AddThis
  • FTC permanently bans payment processor from debt relief processing

    Federal Issues

    On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.

    Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.

    Federal Issues FTC Enforcement Payment Processors Debt Relief Fees Consumer Finance

    Share page with AddThis
  • CFPB and debt relief company agree to permanent injunction


    On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.

    The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.

    Courts CFPB Payment Processors CFPA FDCPA UDAAP Debt Collection Enforcement

    Share page with AddThis
  • DOJ charges payment processing executives involved in $150 million scheme

    Federal Issues

    On August 26, the DOJ unsealed an indictment in the District of Massachusetts against four individuals, charging them with “conspiring to deceive banks and credit card companies into processing more than $150 million in credit and debit card payments on behalf of merchants involved in prohibited and high-risk businesses, including online gambling, debt collection, debt reduction, prescription drugs, and payday lending.” According to the announcement, executives of a Los Angeles-based payment processing company secured payment processing for these high-risk businesses through fraudulent misrepresentations about merchant clients. As a payment processor, the company “enabl[ed] merchant clients to accept debit and credit card payments over global electronic payment networks run by major card brands” and “served as an intermediary between its merchant clients and financial institution members of the card brand networks.” Two of the individuals were charged with conspiring to commit wire fraud, and two others were charged with conspiring to commit wire fraud and bank fraud. Among other things, the DOJ asserts that the individuals and their co-conspirators allegedly made fraudulent misrepresentations to financial institutions, card brands, and others about the type of transactions that were being processed along with the true identities of the merchant clients, created shell companies and fake websites to make it appear that they were selling low-risk goods, and “miscategorized the true nature of the transactions” by using industry-standard codes.

    Federal Issues DOJ Indictment Payment Processors Fraud Credit Cards Debit Cards

    Share page with AddThis
  • Florida District Court of Appeals partially affirms and partially reverses ruling against national bank


    On August 13, a Florida District Court of Appeals affirmed in part and reversed in part a judgment against a national bank (defendant) awarding a payment processor approximately $2 million in compensatory damages and $5 million in punitive damages. The judgment, based on a jury verdict, awarded punitive damages as a result of the conduct of the bank’s relationship manager, who negligently misrepresented to a payment processor (plaintiff) that the account of the bank’s customer, a check authorization service, was in good standing when really the bank had previously terminated the relationship. On appeal, the court found that the relationship manager was considered a mid-level employee with limited managerial authority. Therefore, the appeals court determined that the defendant could not be held directly liable for his conduct, stating that “[the employee] was not a managing agent for purposes of imposing direct liability for punitive damages,” and “the trial court erred in denying [the defendant’s] motion for judgment notwithstanding the verdict on [the plaintiff’s] punitive damage claim.”

    Courts Appellate Payment Processors

    Share page with AddThis
  • FTC settles with payment processors in student loan debt relief scam

    Federal Issues

    On July 12, the FTC announced a settlement with two Florida-based payment processing companies and their CEO (collectively, “defendants”) accused of participating in a student loan debt relief scam. As previously covered by InfoBytes, in 2018, the FTC alleged the student loan debt relief operation violated the FTC Act and the Telemarketing Sales Rule (TSR) by, among other things, falsely claiming borrowers had pre-qualified for federal loan assistance programs that would reduce their monthly debt payments or result in total loan forgiveness and accepting monthly payments that were not applied towards student loans. A settlement was reached last December (covered by InfoBytes here). According to the FTC’s most recent complaint, the defendants allegedly “applied for and obtained merchant accounts for the [scam] by knowingly and repeatedly providing false information to payment processors about the [operation’s] three companies.” The defendants’ payment processing applications, the FTC contended, concealed the fraudulent activity, denied that the operation was offering consumers prohibited debt relief services, and repeatedly ignored warnings and direct evidence that the operation was defrauding consumers.

    Under the terms of the settlement order, the defendants are permanently banned from payment processing or acting as an independent sales organization or sales agency. The defendants are also prohibited from assisting and facilitating any unfair and deceptive trade practice, including to obtain payment processing services. In addition, the order imposes a $28.6 million judgment against the defendants, which is partially suspended following the payment of $20,493, due to the defendants’ inability to pay the full amount.

    Federal Issues FTC Enforcement Payment Processors Student Lending Debt Relief Consumer Finance UDAP FTC Act Telemarketing Sales Rule

    Share page with AddThis
  • Defendant obligated to indemnify bank in data breach suit


    On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.

    Courts Privacy/Cyber Risk & Data Security Data Breach Payment Processors Credit Cards

    Share page with AddThis