Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 19, the FTC filed a complaint against a large payment processing company and its former executive for allegedly participating in deceptive or unfair acts or practices in violation of the FTC Act and the Telemarketing Sales Rule (TSR) by processing payments and laundering, or assisting in the laundering of, credit card transactions targeting hundreds of thousands of consumers. The FTC’s complaint alleges, among other things, that the payment processing company received and ignored repeated “warnings and direct evidence” dating back to 2012 showing that the former executive was using his company to open hundreds of fake merchant accounts and shell companies, and allowed him to continue to open merchant accounts until 2014. According to the FTC, the “schemes included, but were not limited to, a debt relief scam that used deceptive telemarketing, business opportunity scams that used deceptive websites, and a criminal enterprise that used stolen credit card data to bill consumers without their consent” in which the both defendants received fees for processing the scheme’s payments. The FTC also claims that the payment processing company violated its own anti-fraud policies by failing to adequately underwrite, monitor, or review its sales agents and their risk management processes, and failed to timely terminate the merchant accounts involved in the scheme.
The payment processing company’s proposed settlement imposes a $40 million monetary judgment and prohibits the company from assisting or facilitating TSR and FTC Act violations related to payment processing. Additionally, the company will be required to (i) screen and monitor prospective restricted clients; (ii) establish and implement a written oversight program to monitor its wholesale independent sales organizations (ISO); and (iii) hire an independent assessor to monitor the company’s compliance with the settlement’s ISO oversight program.
The former executive’s proposed settlement imposes a $270,373.70 monetary judgment, and bans him from payment processing or acting as an ISO for certain categories of high-risk merchants. He is also prohibited from credit card laundering activities, making or assisting others in making false or misleading statements, and assisting or facilitating violations of the FTC Act or TSR.
Neither defendant admitted or denied the allegations, except as specifically stated within the proposed settlements.
On April 13, the CFPB released a Supplemental Decision and Order partially granting a payment technology company’s request for confidential treatment of its petition that sought to set aside a 2019 CID seeking information related to, among other things, the company’s payment processing activities. The CFPB noted in its supplemental decision and order that while the company’s initial confidentiality arguments were rejected, it provided the company an opportunity to make an additional submission following a U.S. Supreme Court decision that clarified the standard for determining what information may be withheld under Exemption 4 of FOIA. The Bureau ultimately granted the company’s confidentiality request with respect to its payment processor information only.
The supplemental decision and order is related to the company’s now-published original petition to set aside the CID, in which it asserted that it is not a covered person under the Consumer Financial Protection Act because even though it sells various products and services, it does not provide payment processing services. The company also argued that it is not a service provider because it does not offer or provide consumer financial products or services, nor does it provide services to a covered person. Furthermore, because it is not a financial institution, the company claimed that the CFPB has no EFTA authority over it. The original petition requested that the CID be set aside because it exceeds the Bureau’s jurisdictional authority. The Bureau responded that the company’s arguments did not warrant setting aside the CID because the investigation was “not patently outside” its authority, but it partially modified the CID’s Notification of Purpose to provide greater detail about the conduct the Bureau was investigating. The Bureau also contended that the fact that the company is not a financial institution does not affect whether the Bureau can conduct an investigation into potential violations of section 1005.10(b) of Regulation E (EFTA), which “applies to any person.”
On April 22, the FTC filed a complaint against a Canadian company and its CEO (defendants) for allegedly participating in deceptive and unfair acts or practices in violation of the FTC Act and the Telemarketing Sales Rule (TSR) by, among other things, laundering credit card payments for two tech support scams that were sued by the FTC in 2014. The FTC alleges in its complaint that the defendants entered into contracts with payment processors to obtain merchant accounts to process credit card charges. While these contracts prohibited the defendants from submitting third-party sales through its merchant accounts, the FTC claims that the defendants used the accounts to process millions of dollars of consumer credit card charges on behalf of the two tech support operators and also processed charges for lead generators that directed consumers to the tech support scam. The FTC alleges that the defendants were aware of the unlawful conduct of at least one of the two operators and attempted to hide these charges from the payment processors.
Under the proposed settlement, the defendants neither admitted nor denied the allegations, except as specifically stated within the settlement, and (i) will pay $6.75 million in equitable monetary relief; (ii) are permanently enjoined from engaging in any further payment laundering or violations of the TSR; and (iii) will screen and monitor prospective high risk clients.
On April 1, the Louisiana Office of Financial Institutions issued a bulletin urging financial institutions to review their disaster recovery/business continuity plans and update them as needed to ensure that all interdependent operations are considered. The guidance includes a list of considerations, including, among other things: supplying staff with protective equipment and training; updated contact information for third party services and consideration of third party services that might become impaired in an incident; contingency communication process; remote work possibilities; identification of critical operations, including as examples, core processing systems, ATM processing and replenishment, online banking systems, payment processing, and wire processing; cross-training for continuity; and liquidity and cash considerations.
On August 28, the U.S. District Court for the District of Arizona denied motions to dismiss an enforcement action brought by the FTC against a group of individuals and entities that allegedly facilitated a telemarketing scheme that previously resulted in the principal actors in the scheme settling with the FTC and later pleading guilty to state criminal charges. The alleged scheme involved “credit card laundering”—the creation of fictitious entities to process customer credit card transactions so that the actual entity receiving the funds would not be identified. The defendants in the current matter are an Independent Sales Organization and several of its officers allegedly involved in that effort (prior Info Bytes coverage here). The defendants first argued that the relevant part of the FTC Act only permits injunctive relief and that the FTC’s requests for restitution and disgorgement were improper because those forms of relief are penalties, not equitable relief, under Kokesh v. Securities and Exchange Commission. The court noted, however, that the Supreme Court in Kokesh expressly limited the holding to the question of the statute of limitations applicable to the SEC, and that the Ninth Circuit has subsequently approved decisions granting restitution and disgorgement under the FTC Act. The defendants also argued that injunctive relief was not warranted where the unlawful conduct in question ceased in 2013, but the court ruled that the FTC need only show that it has “reason to believe” that a defendant is violating or is about to violate the law. The court declined to address the FTC’s argument that its “reason to believe” decision is unreviewable, but it found that the FTC had pled sufficient facts to establish that it has reason to believe that the defendants would violate the statute. In particular, the court noted that a “court’s power to grant injunctive relief survives the discontinuance of illegal conduct,” that “an inference arises from illegal past conduct that future violations may occur,” and that “courts should be wary of a defendant’s termination of illegal conduct when a defendant voluntarily ceases unlawful conduct in anticipation of formal intervention.” Those factors were all present, along with the fact that the defendants “remain in the same professional occupation.”
On July 29, the FTC and the Ohio attorney general announced temporary restraining orders and asset freezes issued by the U.S. District Court for the Western District of Texas against a payment processor and a credit card interest-reduction telemarketing operation (see here and here). According to the FTC, the payment processor defendants allegedly violated the FTC Act, the Telemarketing Sales Rule (TSR), and various Ohio laws by, among other things, generating and processing remotely created payment orders or checks that allowed merchants—including deceptive telemarketing schemes—the ability to withdraw money from consumers’ bank accounts. The FTC asserted that the credit card interest-reduction defendants deceptively promised consumers significant credit card interest rate reductions, along with “a 100 percent money back guarantee if the promised rate reduction failed to materialize or the consumers were otherwise dissatisfied with the service.” However, the FTC claimed that most customers never received the promised rate reduction, were refused refund requests, and often received collection or lawsuit threats. Additionally, the credit card interest-reduction defendants allegedly violated the TSR by charging advance fees, failing to properly identify the service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.
On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.
The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.
On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions, constituted a material breach of the agreement.
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
On April 16, the U.S. District Court for the Northern District of California granted final approval to a $7.5 million class action settlement resolving allegations that a payment processor and its sales representative violated the TCPA by using an autodialer for telemarketing purposes without first obtaining consumers’ prior express consent. The settlement terms also require the defendants to pay roughly $1.8 million in attorneys’ fees. According to the second amended complaint, the sales representative placed pre-recorded calls to potential clients on behalf of the payment processor through the use of an autodialer, including consumers who had not consented to receiving the calls. The plaintiff further alleged that the payment processor also violated the TCPA by sending facsimile advertisements that did not contain a “Compliant Opt Out Notice” to recipients. The parties reached a preliminary settlement last August following discovery and mediation.
On April 11, the FTC announced that a payment processing company and its owner agreed to a $1.8 million settlement resolving allegations that the company repeatedly violated a 2009 court order. That order found that the payment processer knowingly or consciously avoided knowing that debit card transactions it processed, on behalf of an allegedly fraudulent enterprise, were not authorized by the consumers. The FTC alleged that the company violated the 2009 order by, among other things, (i) failing to engage in a reasonable investigation of prospective clients before processing payments on their behalf; (ii) failing to monitor clients’ transactions to ensure that clients were not engaged in illegal behavior; and (iii) failing to adhere to administrative requirements of the order, including submitting a written compliance report to the agency. In addition to the monetary penalty, the new settlement permanently bans the company from working as a payment processor and subjects the company to reporting and recordkeeping requirements.
- Melissa Klimkiewicz to discuss "Lender town hall" at the National Flood Conference webinar
- Daniel P. Stipano to discuss "BSA for BSA seasoned officers" at an NAFCU webinar
- Sherry-Maria Safchuk to discuss "The CCPA: Successes, failures, and practical considerations for compliance" at a American Bar Association webinar
- Jon David D. Langlois to discuss "LIBOR transition: Preparations for legal professionals" at a Mortgage Bankers Association webinar
- Garylene D. Javier to discuss "Navigating workplace culture in 2020" at the DC Bar Conference