InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB bans payment processor for alleged fraud
On January 18, the CFPB filed a proposed stipulated judgment and order to resolve a complaint filed last year against an Illinois-based third-party payment processor and its founder and former CEO (collectively, “defendants”) for allegedly engaging in unfair practices in violation of the CFPA and deceptive telemarketing practices in violation of the Telemarketing Act and its implementing rule, the Telemarketing Sales Rule. As previously covered by InfoBytes, the CFPB alleged that the defendants knowingly processed remotely created check (RCC) payments totaling millions of dollars for over 100 merchant-clients claiming to offer technical-support services and products, but that actually deceived consumers—mostly older Americans—into purchasing expensive and unnecessary antivirus software or services. The tech-support clients allegedly used telemarketing to sell their products and services and received payment through RCCs, the Bureau claimed, stating that the defendants continued to process the clients’ RCC payments despite being “aware of nearly a thousand consumer complaints” about the tech-support clients. According to the Bureau, roughly 25 percent of the complaints specifically alleged that the transactions were fraudulent or unauthorized.
If approved by the court, the defendants would be required to pay a $500,000 civil penalty, and would be permanently banned from participating in or assisting others engaging in payment processing, consumer lending, deposit-taking, debt collection, telemarketing, and financial-advisory services. The proposed order also imposes $54 million in redress (representing the total amount of payments processed by the defendants that have not yet been refunded). However, full payment of this amount is suspended due to the defendants’ inability to pay.
FTC permanently bans payment processor from debt relief processing
On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.
Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.
CFPB and debt relief company agree to permanent injunction
On October 20, the U.S. District Court for the Northern District of Georgia entered a default judgment and order against five participants in an allegedly illegal debt collection scheme involving certain payment processors and a telephone broadcast service provider (collectively, “default defendants”) for their role in the operation. As previously covered by InfoBytes, in 2017, the U.S. District Court for the Northern District of Georgia dismissed claims brought by the CFPB against the default defendants. (See additional InfoBytes coverage here.) According to a complaint filed in 2015, the defendants “knew, or should have known” that the debt collectors were contacting millions of consumers in an attempt to collect debt that consumers did not owe or that the collectors were not authorized to collect by using threats, intimidation, and deceptive techniques in violation of the CFPA and the FDCPA.
The court entered a $5.1 million judgment against the default defendants, who are jointly and severally liable with the non-default defendants. The default defendants must pay civil monetary penalties ranging from $100,000 to $500,000 to the Bureau. The judgment also, among other things, permanently bans the default defendants from attempting collections on any consumer financial product or service and from selling any debt-relief service.
DOJ charges payment processing executives involved in $150 million scheme
On August 26, the DOJ unsealed an indictment in the District of Massachusetts against four individuals, charging them with “conspiring to deceive banks and credit card companies into processing more than $150 million in credit and debit card payments on behalf of merchants involved in prohibited and high-risk businesses, including online gambling, debt collection, debt reduction, prescription drugs, and payday lending.” According to the announcement, executives of a Los Angeles-based payment processing company secured payment processing for these high-risk businesses through fraudulent misrepresentations about merchant clients. As a payment processor, the company “enabl[ed] merchant clients to accept debit and credit card payments over global electronic payment networks run by major card brands” and “served as an intermediary between its merchant clients and financial institution members of the card brand networks.” Two of the individuals were charged with conspiring to commit wire fraud, and two others were charged with conspiring to commit wire fraud and bank fraud. Among other things, the DOJ asserts that the individuals and their co-conspirators allegedly made fraudulent misrepresentations to financial institutions, card brands, and others about the type of transactions that were being processed along with the true identities of the merchant clients, created shell companies and fake websites to make it appear that they were selling low-risk goods, and “miscategorized the true nature of the transactions” by using industry-standard codes.
Florida District Court of Appeals partially affirms and partially reverses ruling against national bank
On August 13, a Florida District Court of Appeals affirmed in part and reversed in part a judgment against a national bank (defendant) awarding a payment processor approximately $2 million in compensatory damages and $5 million in punitive damages. The judgment, based on a jury verdict, awarded punitive damages as a result of the conduct of the bank’s relationship manager, who negligently misrepresented to a payment processor (plaintiff) that the account of the bank’s customer, a check authorization service, was in good standing when really the bank had previously terminated the relationship. On appeal, the court found that the relationship manager was considered a mid-level employee with limited managerial authority. Therefore, the appeals court determined that the defendant could not be held directly liable for his conduct, stating that “[the employee] was not a managing agent for purposes of imposing direct liability for punitive damages,” and “the trial court erred in denying [the defendant’s] motion for judgment notwithstanding the verdict on [the plaintiff’s] punitive damage claim.”
FTC settles with payment processors in student loan debt relief scam
On July 12, the FTC announced a settlement with two Florida-based payment processing companies and their CEO (collectively, “defendants”) accused of participating in a student loan debt relief scam. As previously covered by InfoBytes, in 2018, the FTC alleged the student loan debt relief operation violated the FTC Act and the Telemarketing Sales Rule (TSR) by, among other things, falsely claiming borrowers had pre-qualified for federal loan assistance programs that would reduce their monthly debt payments or result in total loan forgiveness and accepting monthly payments that were not applied towards student loans. A settlement was reached last December (covered by InfoBytes here). According to the FTC’s most recent complaint, the defendants allegedly “applied for and obtained merchant accounts for the [scam] by knowingly and repeatedly providing false information to payment processors about the [operation’s] three companies.” The defendants’ payment processing applications, the FTC contended, concealed the fraudulent activity, denied that the operation was offering consumers prohibited debt relief services, and repeatedly ignored warnings and direct evidence that the operation was defrauding consumers.
Under the terms of the settlement order, the defendants are permanently banned from payment processing or acting as an independent sales organization or sales agency. The defendants are also prohibited from assisting and facilitating any unfair and deceptive trade practice, including to obtain payment processing services. In addition, the order imposes a $28.6 million judgment against the defendants, which is partially suspended following the payment of $20,493, due to the defendants’ inability to pay the full amount.
Defendant obligated to indemnify bank in data breach suit
On May 10, the U.S. District Court for the Southern District of Texas ordered a defendant hospitality company to reimburse a national bank and its payment processor (collectively, “plaintiffs”) for $20 million in assessments levied against the plaintiffs by two payment brands following a data breach announced by the defendant in 2015. An investigation into the data breach determined that the defendant failed to require two-factor authentication on its remote access software, which contributed to the data breach and violated the payment brands’ security guidelines. The bank paid roughly $20 million to the payment brands and asked the defendant to indemnify it for the assessments. The defendant refused, arguing that its agreement with the bank was not breached because the payment brands’ rules “distinguish between actual and potential data comprises.” Moreover, the defendant stressed that “[b]ecause no evidence indicates that the attackers used the cardholder information” it was not obligated to indemnify the bank. However, the plaintiffs claimed that under the agreement, the defendant agreed to indemnify the bank “if its failure to comply with the brands’ security guidelines, or the compromise of any payment instrument, results in assessments, fines, and penalties by the payment brands.” The plaintiffs filed suit and moved for partial summary judgment on a breach of contract claim. In granting the plaintiffs’ motion for partial summary judgment, the court determined that the hospitality company is contractually obligated to cover the costs, ruling that actual data compromise is not necessary to trigger the agreement’s indemnification guidelines and that the bank does not need to show that the attackers used the payment information.
CFPB sues payment processor for fraudulent practices
On March 3, the CFPB filed a complaint against an Illinois-based third-party payment processor and its founder and former CEO (collectively, “defendants”) for allegedly engaging in unfair practices in violation of the CFPA and deceptive telemarketing practices in violation of the Telemarketing Sales Rule. According to the complaint, the defendants knowingly processed remotely created check (RCC) payments totaling millions of dollars for over 100 merchant-clients claiming to offer technical-support services and products, but that actually deceived consumers—mostly older Americans—into purchasing expensive and unnecessary antivirus software or services. The tech-support clients allegedly used telemarketing to sell their products and services and received payment through RCCs, the Bureau stated, noting that the defendants continued to process the clients’ RCC payments despite being “aware of nearly a thousand consumer complaints” about the tech-support clients. According to the Bureau, roughly 25 percent of the complaints specifically alleged that the transactions were fraudulent or unauthorized. The Bureau noted that the defendants also responded to inquiries from police departments across the country concerning consumer complaints about being defrauded by the defendants. Further, the Bureau cited high return rates experienced by the tech-support clients, including an average unauthorized return rate of 14 percent—a “subset of the overall return rate where the reason for the return provided by the consumer is that the transaction was unauthorized.” The Bureau is seeking an injunction, as well as damages, redress, disgorgement, and civil money penalties.
Court says Kansas credit card surcharge ban is unconstitutional
On February 25, the U.S. District Court for the District of Kansas granted in part and denied in part a plaintiff’s motion for summary judgment in an action concerning whether a state statute that bans credit card surcharges violates the First Amendment. Kansas law prohibits merchants from imposing a surcharge on customers who pay with credit cards instead of cash, and allows merchants to offer discounts to consumers who pay with cash. The plaintiff, a payment processing technology company, provides “software that allows merchants to display prices, including cost surcharges on purchases made by credit card,” which “allows consumers to comparison shop among payment types.” The plaintiff challenged the constitutionality of the law, claiming it is an unconstitutional restriction on commercial speech since it “effectively limits” what the plaintiff and merchants “can treat as the ‘regular price’ of an item and the corresponding information about prices and credit card fees that can be conveyed to consumers.” The Kansas attorney general—who has the authority to enforce the state’s no-surcharge statute—countered, among other things, that the statute furthers substantial state interests by (i) encouraging merchants to charge lower prices to customers who pay with cash; (ii) lowering the amount of consumer credit card debt through the use of cash discounts; and (iii) providing benefits to merchants by encouraging cash purchases, thereby allowing them to receive immediate payments, avoid credit card fees, and incur lower costs.
The court disagreed, ruling that none of the AG’s arguments advanced a substantial state interest—a requirement in order to not be considered a violation of the First Amendment. “Plaintiff's desire to display a single price while informing customers that credit card purchasers will be charged an additional fee would logically tend to support whatever interest the state may have in encouraging lower prices for cash customers,” the court wrote. “The statute nevertheless effectively prohibits this type of disclosure. Clearly, this restriction on speech is more extensive than necessary to further the asserted state interest.” Moreover, the court noted that “‘surcharges and discounts are nothing more than two sides of the same coin; a surcharge is simply a ‘negative’ discount, and a discount is a ‘negative’ surcharge.”
FTC settles with credit card laundering defendants
On February 10, the FTC announced settlements with several defendants that allegedly violated the FTC Act and the Telemarketing sales Rule by assisting an operation responsible for laundering millions of dollars in credit card charges through fraudulent merchant accounts. As previously covered by InfoBytes, the defendants engaged in a credit card laundering scheme with the operation to process credit card charges through merchant accounts set up by the operation under fictitious company names instead of processing charges through a single merchant account under the operation’s name. According to the FTC’s complaint, the defendants purportedly (i) underwrote and approved the operation’s fictitious companies; (ii) set up merchant accounts with its acquirer for the fictitious companies; (iii) used sales agents to market processing services to merchants; (iv) processed nearly $6 million through credit card networks; and (v) transferred sales revenue from the transactions to companies controlled by the defendants.
The settlements (see here, here, and here) permanently ban three of the defendants from payment processing and telemarketing or acting as independent sales organizations or sales agents in the payment processing industry. A previously issued settlement against a fourth defendant banned him from payment processing or acting as an independent sales organization or sales agent in the payment processing industry. Monetary judgments totaling more than $10.7 million collectively have been suspended due to the defendants’ inability to pay.