Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 7, the U.S. Court of Appeals for the 6th Circuit affirmed a lower court’s ruling that an agreement between a Texas-based merchant and a payment processor did not require the merchant to pay millions of dollars in damage-control costs related to two card system data breaches. After the data breaches, the payment processor withheld routine payment card transaction proceeds from the merchant, asserting that the merchant was responsible for reimbursing the amount that the issuing banks paid to cardholders affected by the breaches. However, the merchant refused to pay the payment processor, relying on a “consequential damages waiver” contained in the agreement.
The payment processor argued that, under the agreement’s indemnification clause and provision covering third-party fees and charges, the merchant retained liability for assessments passed down from the card brands’ acquiring bank. The district court, however, granted summary judgment to the merchant, finding that the merchant was not liable for the card brands’ assessments. The court further ruled that the payment processor materially breached the agreement when it diverted funds to reimburse itself.
On review, the 6th Circuit agreed with the lower court that the assessments “constituted consequential damages” and that the agreement exempted consequential damages from liability under a “conspicuous limitation” to the indemnification clause. According to the 6th Circuit, the “data breaches, resulting reimbursement to cardholders, and levying of assessments, though natural results” of the merchant’s failure to comply with the Payment Card Industry's Data Security Standards, “did not necessarily follow from it.” In addition, the appellate court agreed with the district court’s holding that third-party fees and charges in the contract refer to routine charges associated with card processing services rather than liability for a data breach. The appellate court also concurred that the payment processor’s decision to withhold routine payment card transactions, constituted a material breach of the agreement.
On June 6, the New York Attorney General announced a $65,000 settlement with an online retailer resolving allegations that the company failed to provide notice of an online data breach to over 39,000 customers, including nearly 3,000 New Yorkers, for over three years. According to the announcement, unauthorized parties placed malicious code designed to steal credit card information in the company’s software in September 2014. The company discovered the code in November 2014, but did not remediate it until January 2015 (or February 2015, after the code was mistakenly reintroduced and permanently deleted). The Attorney General alleges that the company did not notify its affected customers until May 2018, and that, because the company did not notify New York authorities or its affected customers “in an expedient time-period, and without unreasonable delay,” it violated New York’s General Business Law § 899-aa.
The company offered potentially affected customers two years of free credit monitoring, fraud consultation, and identity theft restoration services, which is not required by law. In addition to the penalty, the settlement requires the company to conduct trainings for appropriate employees and conduct thorough investigations of any future data security breaches involving private information to ensure compliance with state law.
On June 3, a consumer filed a class action complaint against a national bank alleging that the bank charges interest on credit card accounts even when consumers’ balances are paid in full by the billing cycle due date, in breach of the bank’s cardholder agreement. The complaint alleges that the cardholder agreement and monthly billing statements disclose to consumers that interest will not be charged on new purchases if those new purchases are paid off by the billing cycle’s due date, but that in practice the grace period is eliminated for new purchases “[i]f a consumer leaves even $1 on her account balance after a billing period due date.” The complaint alleges that the bank’s practice of only providing a grace period on new purchases for consumers “who have paid off their balances in full for two prior months” directly contradicts the cardholder agreement and consumer disclosures. In addition to breach of contract, the consumer alleges a violation of Delaware’s Consumer Fraud Act and breach of the covenant of good faith and fair dealing. The consumer is seeking certification of a class of similarly situated consumers; damages and restitution; and injunctive relief.
On April 30, the Oklahoma governor signed HB 1425, which, among other things, bans surcharges on credit or debit card transactions. The ban prohibits sellers from increasing the price of any sales transaction for buyers who pay with a credit or debit card instead of a check, cash, or similar means. HB 1425 takes effect November 1.
On April 12, the Appellate Court of Illinois published an opinion affirming the dismissal of a consumer’s counterclaims against a lender in a lawsuit seeking to collect the consumer’s alleged debt from a store credit card. According to the opinion, in January 2017, the lender filed a small claims action seeking to collect credit card debt on which the consumer allegedly defaulted in July 2012. The consumer filed a putative class action counterclaim against the lender alleging, among other things, that the lender’s collection action violated the FDCPA and various Illinois laws because it was time-barred under the four-year statute of limitations period provided to enforce a sale of goods under Section 2-725 of the UCC. The lender moved to dismiss the counterclaims, alleging that its complaint was timely filed within the five-year statute of limitations period applicable to credit card agreements under Section 13-205 of the Illinois Code of Civil Procedure. The lower court granted the lender’s motion to dismiss, holding that the credit card agreement was governed by the five-year statute of limitations applicable to credit card agreements under Section 13-205 of the Illinois Code of Civil Procedure, rather than the four-year statute of limitations under the UCC’s sale of goods provisions. On appeal, the appellate court affirmed the lower court’s decision, rejecting the consumer’s argument that the UCC should apply to the agreement because the consumer could only use the credit card to purchase goods at a single retailer. Specifically, the appellate court held that the type of credit card was immaterial to the analysis and that Section 13-205 of the Illinois Code of Civil Procedure clearly controlled in this case because a tripartite relationship existed among the bank, the cardholder, and the merchant, and the payments made by the bank to the merchant pursuant to the cardholder agreement constituted a loan to the cardholder. As a result, the lender’s complaint was timely filed.
On March 21, the U.S. District Court for the Southern District of Florida granted a debt collector’s motion for summary judgment in an action alleging that the debt collector violated the FDCPA by failing to name the creditor to whom the debt was owed. According to the opinion, the debt collector sent a consumer an initial demand letter stating it was attempting to collect a debt and named the department store associated with the credit card as the current and original creditor. The consumer initiated an action against the debt collector alleging violations of the FDCPA for failing to specifically name the creditor associated with the department store credit card. Both parties moved for summary judgment. Because the department store’s name was on the credit card, the application, and the billing statements, and consumers are directed to make payments to the department store by mail or online, the court determined that using the creditor’s name “could very well cause confusion and influence a consumer’s decision to pay or challenge the debt.” Using the department store’s name, while potentially a technical misrepresentation, is not a material misrepresentation under the FDCPA because it “would not mislead the least sophisticated consumer or influence a decision about whether to pay or challenge the debt,” as it named the entity the consumer had conducted business with in connection with the debt.
On March 22, the U.S. District Court for the Eastern District of Pennsylvania ruled that a debt collector (defendant) who purchased a consumer’s credit card account failed to establish that the sale of the account included the sale of the right to arbitrate disputes relating to the account. According to the ruling, a bank sold a consumer’s credit card account to the defendant after the plaintiff defaulted on his payments. The agreement between the consumer and the bank included a mandatory arbitration clause, as well as a class action waiver. When the defendant sent a collection letter to the plaintiff, the plaintiff filed a lawsuit alleging the letter violated the FDCPA because, among other things, it included ambiguous language regarding discount payment options. The defendant moved to compel arbitration. The court denied the defendant’s motion, stating that the sale of the accounts does not axiomatically include the right to arbitrate disputes relating to them, and that the defendant had not provided adequate documentation to support the conclusion that it did in this case. The court found that “subject to further argument and possible evidence clarifying possible ambiguity in the use of the term ‘account’ in the assignment,” the court would not presume that the sale of the accounts included the bank’s rights to compel arbitration.
On March 20, the CFPB published in the Federal Register two requests to renew information collections, one on the “Report of Terms of Credit Card Plan,” which collects data from at least 150 financial institutions on credit card pricing and availability, and the other on ECOA and Regulation B. For both information collections, the Bureau is seeking comments on (i) whether the information collections are necessary for the proper function of the Bureau; (ii) if the Bureau accurately estimates the burden of the collection and how to minimize that burden; and (iii) how the Bureau can “enhance the quality, utility, and, clarity of the information” collected. Comments on both requests must be received by May 20.
On March 8, the U.S. Court of Appeals for the 3rd Circuit issued a precedential opinion holding that, without concrete evidence of harm, a consumer lacks standing under the Fair and Accurate Credit Transactions Act (FACTA) to sue a merchant for including too many digits of his credit card account number on a receipt. According to the opinion, the plaintiff claimed that he received receipts from three different stores owned by the defendant, all of which included both the final four digits and the first six digits of his account number. The plaintiff filed a class action lawsuit alleging the defendant willfully violated FACTA, which prohibits printing more than the last five digits of credit card number on a receipt. The plaintiff alleged that this violation, which he also claimed increased the risk of identity theft, constituted an injury-in-fact sufficient to confer Article III standing as required under the U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert). The district court dismissed the suit.
On appeal, the 3rd Circuit agreed with the lower court, holding that the plaintiff failed to allege actual harm from the defendant’s practice. The appellate court held that the defendant’s technical violation of FACTA did not give the plaintiff standing to sue. Moreover, in the absence of actual harm, or a material risk of actual harm (the plaintiff did not allege that anyone—aside from the cashier—saw the receipt, that his credit card number had been misappropriated, or that his identity was stolen), the plaintiff would not have suffered the injury-in-fact that created federal court jurisdiction.
On March 6, the North Dakota governor signed HB 1204, which allows a collection agency to collect a transaction fee for processing a credit card payment. Under the amended law, a collection agency may collect, in addition to the principal amount of the claim, a transaction fee up to two and half percent for processing a credit card payment if: (i) the transaction fee is not otherwise prohibited under the law; (ii) a no-cost payment option is available to the debtor; and (iii) the no-cost payment option is disclosed to the debtor at the same time and in the same manner that the credit card information is taken. The law takes effect on August 1.
- APPROVED Webcast: Introducing Mogy — APPROVED’s licensing technology solution
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Christopher M. Witeck and Moorari K. Shah to discuss "The latest in vendor management regulations" at a Mortgage Bankers Association webinar
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference