Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.
The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.
On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions, constituted a material breach of the agreement.
On May 21, the FTC announced a payment processor, its CEO and owner, and two other officers (collectively, “defendants”) agreed to settle charges that they knowingly processed fraudulent transactions to consumers’ accounts in violation of the FTC Act. According to the FTC’s complaint, the defendants allegedly assisted merchants, who were engaged in fraud, in hiding their activities from banks and credit card networks. The defendants allegedly (i) created fake foreign shell companies to open accounts in their names; (ii) submitted dummy websites and other false information to merchant banks; and (iii) worked to evade card network rules and monitoring designed to prevent fraud. The settlement order against the processing company and its CEO imposes a judgment of over $110 million, which is partially suspended due to the inability to pay. The settlement order against one officer imposes a judgment of over $300,000, which is suspended due to the inability to pay. The settlement order against the second officer, the company’s Chief Operating Officer, imposes a $1 million judgment. Each order imposes a permanent ban on the defendants from, among other things, engaging in payment processing and credit card laundering, whether directly or through an intermediary.
On April 16, the U.S. District Court for the Northern District of California granted final approval to a $7.5 million class action settlement resolving allegations that a payment processor and its sales representative violated the TCPA by using an autodialer for telemarketing purposes without first obtaining consumers’ prior express consent. The settlement terms also require the defendants to pay roughly $1.8 million in attorneys’ fees. According to the second amended complaint, the sales representative placed pre-recorded calls to potential clients on behalf of the payment processor through the use of an autodialer, including consumers who had not consented to receiving the calls. The plaintiff further alleged that the payment processor also violated the TCPA by sending facsimile advertisements that did not contain a “Compliant Opt Out Notice” to recipients. The parties reached a preliminary settlement last August following discovery and mediation.
On April 11, the FTC announced that a payment processing company and its owner agreed to a $1.8 million settlement resolving allegations that the company repeatedly violated a 2009 court order. That order found that the payment processer knowingly or consciously avoided knowing that debit card transactions it processed, on behalf of an allegedly fraudulent enterprise, were not authorized by the consumers. The FTC alleged that the company violated the 2009 order by, among other things, (i) failing to engage in a reasonable investigation of prospective clients before processing payments on their behalf; (ii) failing to monitor clients’ transactions to ensure that clients were not engaged in illegal behavior; and (iii) failing to adhere to administrative requirements of the order, including submitting a written compliance report to the agency. In addition to the monetary penalty, the new settlement permanently bans the company from working as a payment processor and subjects the company to reporting and recordkeeping requirements.
On March 25, the West Virginia governor signed SB 603, which adds exemptions from the currency exchange licensing requirements. Among other things, the bill exempts from the state’s currency exchange licensing requirements a person or persons operating a payment system that provides processing, clearing, or settlement services in connection with wire transfers, debit/credit card transactions, ACH transfers, or similar fund transfers. Additionally, the bill also exempts from licensing requirements a person or persons that facilitate payment for goods or services (not including currency or money transmission) pursuant to a contract and the payment obligation is satisfied or extinguished. The bill is effective June 7.
On December 11, the FTC entered into a proposed settlement with an Arizona-based company and its officer (defendants) relating to an allegedly deceptive credit card telemarketing operation. As previously covered by InfoBytes, the FTC alleged that the defendants—as part of a larger group of 12 defendants comprised of an independent sales organization, sales agents, payment processors, and identified principals—violated the FTC Act and the Telemarketing Sales Rule by assisting a telemarketing company in masking its identity by processing the company’s credit card payments and laundering credit card transactions on behalf of multiple fictitious companies. The proposed settlement, among other things, prohibits the defendants from engaging in credit card laundering and bans them from telemarketing, processing payments, or acting as an independent sales organization or sales agent. The order also stipulates a judgment of $5.7 million, which will be suspended unless it is determined that the financial statements submitted by the defendants contain any inaccuracies.
In March 2018, the FTC reached settlements with two of the other defendants (see InfoBytes coverage here). Litigation continues against the remaining defendants.
On July 26, the Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, testified before subcommittees of the U.S. House Committee on Oversight and Government Reform regarding the FTC’s program to combat consumer fraud. The prepared testimony discusses the FTC’s anti-fraud program and highlights the agency’s enforcement actions against illicit companies that pose as government agents, such as the IRS, to convince consumers and small businesses to send them money. The FTC touts the steps taken to spur development of technological solutions to unlawful robocalls, including call-blocking and call-filtering products. The testimony also focuses on the FTC’s efforts to curb payment processors from assisting fraudulent actors in violation of the FTC Act. The FTC notes that the Commission has brought 25 actions against payment processors that failed to comply with requirements to ensure their systems were not being used to process fraudulent merchant transactions. The FTC emphasized that while the “overwhelming majority” of payment processors abide by the law, when certain processors do not, they cause “significant economic harm to consumers and legitimate businesses.”
On March 12, the U.S. District Court for the Northern District of California denied a company’s post-trial motions to set aside September 2017 judgments in a lawsuit brought by the CFPB for alleged violations of the Consumer Financial Protection Act (CFPA). Specifically, the bi-weekly payments company requested that the court set aside its injunction and reconsider a $7.93 million penalty in light of “new evidence” that demonstrated the company’s inability to pay the penalty. As previously covered by Infobytes, the CFPB filed the lawsuit in 2015, alleging, among other things, that the company made misrepresentations to consumers about its bi-weekly payment program by overstating the savings provided by the program and creating the impression the company was affiliated with the consumers’ lender. In denying the company’s motion, the court held that the company failed to present new evidence that would justify the relief. Additionally, the court rejected the argument that the permanent injunction placed on the company was overly burdensome, stating “in light of the evidence of defendants[’] prior practices…the limitations of the injunction reflect appropriate safeguards ‘to avoid deception of the consumer.’”
On March 9, the FTC entered into a settlement with a credit card merchant and its individual officer (collectively, “defendants”) relating to an allegedly deceptive credit card telemarketing operation. According to the FTC’s amended complaint, the defendants violated the FTC Act and the Telemarketing Sales rule by assisting a telemarketing company in masking its identity by processing the company’s credit card payments through multiple fictitious companies. The FTC previously had banned the telemarketing company from selling fraudulent “work-at-home” opportunities in 2015. The settlement, among other things, prohibits the defendants from processing payments or acting as an independent sales organization. The order also stipulates a judgment of approximately $1.3 million, which will be suspended unless it is determined that the financial statements defendants submitted to the FTC contain any inaccuracies.
On September 8, a federal judge in the U.S. District Court for the Northern District of California issued an opinion and order against a company after a seven-day bench trial, finding that the company misrepresented its bi-weekly payment program in violation of the Consumer Financial Protection Act (CFPA). As previously covered in InfoBytes, the CFPB filed a complaint in 2015 against the company, its wholly owned subsidiary, and the company’s founder, alleging that the company’s false and misleading marketing practices were abusive and deceptive when it minimized the existence or amount of the program’s setup fee, misled borrowers on the amount of actual savings, and created the impression that the company was affiliated with the lender. The payment program allowed the defendants to contract with borrowers to make their mortgage, credit card, or other loan payments for them. The program automatically debited their accounts every two weeks in an amount equal to one-half of the monthly payment on the loan. This resulted in 26 payments per year, with the extra payments going towards paying down the principal on the loan. The judge granted the $7.9 million civil penalty proposed by the CFPB but denied the restitution of almost $74 million that the CFPB had sought—a full refund of all setup fees—because it found that “the CFPB has not proved that defendants engaged in the type of fraud commonly connoted by the well-worn phrase ‘snake oil salesmen,’” and specifically had “not shown, and could not show, that the [payment] program never provid[ed] a benefit to consumers, or that no fully-informed consumer would ever elect to pay to participate in the program.” The court found that further injunctive relief is warranted but directed the parties to meet and confer to determine the specific terms of the relief. The court noted that the CFPB had only sought civil penalties under the “basic tier” of the CFPA’s civil penalties provision and speculated that the CFPB did not propose higher penalties because it also expected to obtain a large amount of restitution. Nevertheless, the court found that higher penalties for reckless or knowing violations were not warranted because the defendants had taken “affirmative steps such as training, quality control, and seeking legal counsel, in an effort to stay on the right side of the line.”
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference