CFPB Pursues Third Party Payment Processors with More Zeal
The Consumer Financial Protection Bureau’s (CFPB’s) definition of “covered person” has taken on new meaning with the repercussions of the CFPB’s civil action against Intercept EFT.
CFPB Demonstrates Authority to Prosecute TPPPs
In the Intercept complaint, the CFPB first establishes jurisdiction to prosecute Intercept in no uncertain terms. It does so with two statements (emphasis added):
- In paragraph 9, the CFPB states, “Intercept is a covered person under the CFPA because it provides payments or other financial data processing products or services to consumers by technological means, including through a payments system or network used for processing payments data.”
- In paragraph 10, the CFPB asserts, “Intercept is also a service provider to covered persons, such as payday lenders, debt collectors, and auto title lenders, because it processes transactions relating to consumer financial products or services.”
This is more of a clarification then a new pronouncement. As paragraph 10 expands onU.S.C. §5481(6), which define CFPB’s covered persons as “(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.” The intention of the CFPB to oversee new classes of entities over time has been indicated several times. In CFPB Bulletin 2012–03 from April 2012, the CFPB stated there is plenty of blame to go around when it perceives consumers are wronged.
“Depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with the supervised service provider,” wrote the CFPB.
TPPPs, TPSs and similar processors are now confirmed in the crosshairs of the CFPB.
Far Reaching Impact on Due Diligence Practices for TPPPs — If Upheld
Calling the pronouncement “an extraordinary and potentially far-reaching expansion of its authority,” Morrison & Foerster lawyer and former CFPB assistant director of regulation Leonard Chanin told American Banker, “The implications are pretty dramatic in terms of what a payment processor potentially has to worry about. They seem to be asserting wider jurisdiction over the payments system.”
Chanin indicated to American Banker that payment processors may now be obligated to conduct due diligence on all businesses — such as health clubs, dry cleaners or bakeries — not just those provided financial services, which was the understanding prior to this case. If this holds true, “any entity that processes payments is responsible for monitoring the business practices of every person it processes payments for,” Chanin said.
Further, the CFPB reminds banks and nonbanks in the Intercept complaint they are expected to fully understand their customers’ products and regularly review consumer complaints, negative news, and other KYC risk indicators. These are all markers that businesses may be engaging in UDAAP, or “unfair, deceptive, and abusive acts and practices,” that the CFPB frowns upon.
The Third Party Payment Processors Association (TPPPA) filed an amicus brief in support of Intercept. The brief contends unlike banks, which have clearly identified regulators, no federal regulator directly has supervised non-bank payment processors to this point. The conduct of non-bank payment processors is governed by NACHA Operating Rules. The CFPB’s complaint failed to provide substantive proof that Intercept violated the NACHA Rules that were in place at the time the alleged violations occurred
“We cannot stand idly by and allow payment processors and banks to be held accountable for laws, rules and regulations that did not exist when the alleged actions occurred,” said Marsha Jones, President of the TPPPA.
The Best Defense is Not Offense, It’s Superior Defense
It us unclear what defendants and their corresponding classes of “covered persons” can do to counter expanding CFPB authority.
According to Gibson Dunn, a Los Angeles law firm, the CFPB is required to consider the potential costs and benefits to consumers and covered persons, including any potential reduction of consumer access to financial products or services. This is backstopped by the Court of Appeals for the D.C. Circuit, which has vacated rules by federal agencies when they don’t run proper cost-benefit analyses.
Yet there is little evidence of hand-wringing by CFPB operatives concerned about overstepping bounds.Intercept filed a lawsuit in advance of the CFPB complaint, to which the CFPB replied its own enforcement action provided the means for resolving any disputes. Without much recourse to carry on a strong offense — most defendants settle rather than fight — banks, TPPPs and TPSs need to better understand their underlying customers through KYC and KYCC.