On November 12, NACHA, which manages the development, administration, and governance of the ACH network, released two proposed rules that it describes as complementary approaches to improving ACH Network quality by reducing the incidence of exceptions. The first proposal would improve NACHA’s ability to identify and enforce rules against “outlier” originators by: (i) reducing the existing return rate threshold for unauthorized debits from 1% to 0.5%; (ii) establishing a 3% return rate threshold for account data quality returns, and an overall debit return rate threshold of 15%; (iii) clarifying permissible and impermissible practices for the collection of ACH debits returned for insufficient funds and other reasons; and (iv) explicitly applying certain risk management rules to third-party senders. In addition, the proposed rule would expand NACHA’s authority to initiate enforcement proceedings for a potential violation of the NACHA Rules related to unauthorized transactions. The second proposal would establish economic incentives for originating institutions and their originators to improve origination quality, and provide partial cost-recovery to receiving institutions for handling exceptions. Specifically, the proposed economic incentives are fees that would be applied to instances when a receiving institution: (i) returns an ACH transaction due to incorrect account data within the transaction; (ii) corrects information within an ACH transaction and sends the correction back; or (iii) returns an ACH transaction due to a problem with the receiver's authorization. NACHA is accepting comments on the proposals until Monday, January 13, 2014.
On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standards for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 10, the Federal Reserve Banks issued a public consultation paper that identifies “key gaps and opportunities” in the U.S. payment system. They include: (i) payment recipients prefer forms of payment other than checks but exercise little control over the sender to request a preferred form of payment, (ii) the system lacks a “near-real-time” payment capability, (iii) innovations have not gained significant market penetration while legacy systems tend to be more ubiquitous, (iv) legacy systems lack certain desired features, including, for example, assurance that a payment will not be returned or reversed, (v) cross-border payments are slow and costly, and lack fee and timing transparency, (vi) some digital wallet applications reduce the visibility and choice of payment instrument at the point of sale, (vii) businesses’ legacy payment and accounting systems make straight-through processing difficult, but are costly to change, and (viii) data security fears inhibit adoption of electronic payments. The paper outlines certain desired outcomes and seeks input on strategies and tactics to address the perceived gaps and shape the future of the domestic payment system. Interested stakeholders can submit comments until December 13, 2013.
On August 6, the New York Department of Financial Services (DFS) sent letters to 35 online lenders, including lenders affiliated with Native American Tribes, demanding that they cease and desist offering allegedly illegal payday loans to New York borrowers. The letters demand that within 14 days the companies confirm that they are no longer soliciting or making payday loans in excess of the state usury caps. Under New York law, it is civil usury for a company to make a loan or forbearance under $250,000 with an interest rate exceeding 16% per year, and a criminal violation to make a loan with an interest rate exceeding 25% per year. The letters also remind recipients that it is illegal to collect on loans that exceed the usury cap; a separate letter to third-party debt collectors included the same notice. The DFS previously warned third-party debt collectors about collecting on illegal payday loans in March. In addition, the Department of Financial Services sent letters to 117 banks and NACHA requesting that they work with the DFS to create a set of model safeguard procedures to deny ACH access to the targeted lenders and provide the DFS with information about steps the institutions are taking to halt the allegedly illegal activity.
The role of banks in processing payday loan payments was identified as an enforcement priority earlier this year by the DOJ’s Financial Fraud Enforcement Task Force. The DOJ, the CFPB, and other federal agencies reportedly have issued subpoenas to banks and other entities as part of a broad investigation of online payday lending.
On July 12, the FTC extended the comment deadline on proposed changes to its Telemarketing Sales Rule (TSR). In May, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers,” and sought comments by July 29, 2013. Because a slightly modified version of the original proposal was published in the Federal Register on July 9, 2013, the FTC now will accept comments through August 8, 2013.
On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA’s operating rules regarding the “reinitiation” of returned ACH debit entries and the collection of return fees. With respect to the “reinitiation” of returned ACH debit entries, the bulletin outlines the limited circumstances under which the rules permit originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for reasons of insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate an entry returned for reason of stop payment, but only if the receiver of the entry reauthorized the reinitiation after the return of the original entry. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return. In instances where authorization has been revoked, an originator or ODFI may not reinitiate the entry. Additionally, in order for a reinitiation of a returned entry to take place within the ACH Network, it must take place within 180 days of the settlement date of the original entry. With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for reasons of insufficient or uncollected funds; (ii) originators and ODFIs must provide specific notice prior to charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no “fees on fees”).
On June 5, the FTC announced that it has added a payment processor as a defendant in an existing suit against a debt relief firm that the FTC alleges operated a credit card interest rate reduction scam. The FTC claims that the debt relief firm cold-called consumers and charged them up-front fees for promises of credit card interest rate reductions that the firm never obtained. The FTC charges that the payment processor knew, or consciously avoided knowing, the supposedly illegal nature of the operation and facilitated allegedly deceptive and abusive telemarketing acts or practices in violation of the Telemarketing Sales Rule. The FTC also alleges that the processor ignored the “alarmingly high” chargeback rates.
District Court Holds Gift Cardholders Suffer No Damages from Inability to Apply Unexhausted Balances
On August 17, the U.S. District Court for the Southern District of New York dismissed a putative class action alleging deceptive sales practices under New York law against gift card distributors. Preira v. Bancorp Bank, No. 11-1547, 2012 WL 3541702 (S.D.N.Y. Aug. 17, 2012). The plaintiff alleged that the defendants advertised that the gift cards could be used like debit cards, but that in fact merchants would not allow cardholders to conduct split transactions where the card was used to pay for a portion of a transaction and other means were used to pay the remaining balance. This restriction, the plaintiff claimed, prevented cardholders from completely depleting the value of the gift cards. The court rejected the plaintiff’s claim, holding that she failed to allege a cognizable injury because (i) some merchants do accept split transactions, (ii) the cardholder agreement provides that cards can be returned to the issuer in exchange for the unused balance, which never expires, and (iii) even if the damages are not based on the loss of the remaining value of the cards but on misleading statements that lead cardholders to believe the cards function like debit cards, the plaintiff failed to allege that debit cardholders can make split purchases at any retailer and, in any event, deception itself, without further injury, is not a cognizable harm under state law.
Recent developments at the FTC and CFPB provide some guidance on how regulators may approach disclosures on smartphones and other mobile devices.
The recent CFPB Remittance Rule on international remittance transfers indicates some flexibility in the provision of disclosures in the remittances context via a mobile device. Additionally, the FTC’s recent report on best practices in consumer data privacy notes the difficulty in providing privacy notices on the smaller screens of mobile devices and encourages shorter, more effective privacy policies as a result.
These developments raise a series of questions for corporate counsel to consider when advising on the drafting and delivery of mobile disclosures. Specifically, questions include:
- Is the length of the mobile disclosure document as brief and succinct as it can be? Does it use concrete, everyday words and the active voice? Do the disclosures avoid multiple negatives, technical jargon and ambiguous language?
- Are the mobile disclosures presented in a logical sequence? Are they laid out in clear, concise sentences, paragraphs and sections? Are they placed in equal prominence to each other, absent any other specific regulatory format or placement requirements? Is the content placed on a particular page appropriate for the sizing of the page on the mobile screen? If not, are textual or visual cues used to encourage scrolling?
- Does the mobile disclosure "call attention to itself?" Is it on a screen the mobile user must access or will likely access frequently? If not, is it behind a hyperlink on an introductory screen that is clearly labeled so as to convey the importance of the linked disclosure? Is it presented with a clear, visible heading and an easy-to-read typeface and typesize?
- Have various technical and other applicable industry standards been consulted in the process of designing, developing and displaying mobile disclosures?