Viewpoint: Does the CFPB Expect Payment Processors to Enforce State Regulatory Requirements?

By David Beam, Ori Lev and Jeremy McLaughlin, Mayer Brown LLP

Are payment processors for consumer financial service providers required to understand the complex regulatory regimes to which their clients are subject, and verify that clients are complying with those requirements? A lawsuit recently filed by the Consumer Financial Protection Bureau (CFPB) against Intercept Corporation and two of its owners suggests the agency’s answer to that question might be “yes.”

The CFPB faulted Intercept for failing to review its clients’ loan product terms to ensure they complied with state regulatory requirements, and for failing to ensure its clients held required lending licenses in every state. Check out the recorded Mayer Brown Webcast on the enforcement actions.

The FTC and other agencies previously have brought enforcement actions against payment processors for ignoring red flags that clients were initiating unauthorized payments or engaged in fraud. But the CFPB goes further by suggesting that payment processors must ensure clients’ compliance with the vast array of regulatory requirements applicable to their clients—even in the absence of any indications of unauthorized payments or fraud directly connected to individual payments.

The CFPB’s allegations are disconcerting for payment processors. It would be a huge burden on payment processors to conduct thorough regulatory reviews of all their clients providing consumer financial services.

Overview of the Complaint

On June 6, 2016, the CFPB filed a complaint against Intercept Corporation and two of its owners and officers in North Dakota federal district court, which is where Intercept is based. The complaint alleges that “Intercept is a third-party payment processor that has systematically enabled its clients to withdraw millions of dollars’ worth of unauthorized or otherwise illegal charges from consumers’ bank accounts.” The complaint says the defendants “processed transactions for many clients when they knew or consciously avoided knowing that many of the transactions initiated by those companies were fraudulent or illegal.” Red flags identified in the complaint include:

• Repeated consumer complaints;
• Warnings about potential fraud or illegality raised by banks involved in the transactions;
• Unusually high return rates; and
• State and federal law enforcement actions against clients.

The complaint also alleges the defendants “performed only perfunctory due diligence regarding the legitimacy and legality of their clients’ underlying transactions and have ignored indicia of fraud or illegality revealed through even their minimal due diligence.”

These sweeping introductory allegations may suggest the CFPB’s action is only about fraudulent and illegal transactions. And, to be sure, the CFPB does allege that some of the transactions processed by Intercept fell into this category. However, not all of the CFPB’s specific allegations involve what one would normally think of as a fraudulent or illegal transaction. In some instances, the “illegal” transaction was processing a payment for a lender that, the CFPB alleges, was not operating in full compliance with regulatory requirements for consumer loans.

The CFPB implies that Intercept should have conducted a regulatory review of each potential client’s products in order to ensure compliance with state and federal laws. Specifically, the CFPB alleges:

Intercept did not require copies of a merchant’s policies and procedures to ensure compliance with federal and state laws and regulations. Intercept would not ask for a description of loan terms, fees charged to consumers, a list of the Web addresses used by the lender or lead generator, or whether a consumer lender possessed the requisite state lending licenses. This type of information would have alerted Intercept to possible fraudulent or illegal activity by its clients.

The CFPB elaborates on this allegation by alleging that, “prior to 2012, Intercept did not ask about the states in which its consumer lender clients did business, whether lending on the offered terms was allowed in those states, or whether they possessed the requisite state lending licenses in those states, even when the client provided loan agreements that included triple or quadruple digit” annual percentage rates. The CFPB also says that Intercept “ignored indicia of illegality” in the materials that it did receive from clients. It specifically says that if “Intercept’s due diligence revealed that a lender was unlicensed, that should have been a red flag that prompted further inquiry.”

The CFPB also alleges that Intercept should have taken action in response to enforcement actions by state financial regulators, which the CFPB refers to as “law enforcement actions.” These actions appeared to involve allegations by state regulators that the clients were not complying with regulatory requirements. For example, the CFPB alleges that, in 2012, Intercept learned that one of its clients was the subject of a cease and desist order from the State of Georgia related to the client’s consumer lending activities.

The CFPB’s complaint does not describe the content of the order. In particular, the complaint does not say that Georgia regulators alleged that the client was initiating unauthorized transactions or using fraud to procure authorizations. The CFPB also alleges that the State of Maine issued cease-and-desist orders to two other Intercept clients in 2011 and 2012.

According to the CFPB, these orders required the clients to stop offering payday loans in Maine until the clients were properly licensed. The complaint then notes that, notwithstanding these orders, Intercept did not investigate the companies or stop processing transactions with Maine consumers for the companies. The CFPB’s description of the Maine orders describes only allegations that the clients were operating without required licenses.

As with the Georgia order, the CFPB does not allege that the regulators claimed that the clients were initiating unauthorized transactions or procuring authorization through fraud. Also, the CFPB does not allege that Intercept had actual knowledge of the Maine orders; the complaint merely states that the orders were “publicly-issued.”

What to Infer from the CFPB’s Allegations

The CFPB implies that a payment processor has an obligation to obtain information about the products of the processors’ clients, including loan terms, and which licenses the client holds. The CFPB then implies that the processor should be evaluating this information and making judgments about whether these loan terms comply with applicable law and whether the client holds the required licenses. It also says outright that a payment processor “should” investigate if its client doesn’t hold any licenses.

The allegations related to the enforcement actions by state regulators further imply that a payment processor has an obligation to cut a client off if a state regulator determines that the client is not operating in compliance with state regulatory requirements—even if the regulator does not allege that the specific payments being processed are initiated fraudulently or without authorization.

Also, as noted above, the CFPB does not allege that Intercept had actual knowledge of the Maine orders. The CFPB merely asserts that the orders were publicly available. This suggests the CFPB believes a payment processor has some sort of ongoing obligation to scour the Web sites of its clients’ regulators to be on the lookout for enforcement proceedings relating to compliance with licensing requirements or other regulatory rules.

So What’s Wrong with All That?

To be clear, none of the authors of this article intends to be dismissive of regulatory violations. Our practice involves helping clients—including both payments companies and consumer lenders—comply with the complex array of state and federal regulatory rules that apply to their operations.

The question, though, is whether and to what extent payment processors should be required to police compliance by their clients with these regulatory requirements. To date, actions by the FTC, CFPB, and state attorneys general against payment processors for processing payments on behalf of wrongdoers have typically involved allegations of fraud or illegality in connection with the actual payments—e.g., that payments were unauthorized, or the authorizations were procured through deception, etc.

When the CFPB alleges that the payment was “illegal” because the payment processor’s client had not complied with all regulatory requirements in connection with the underlying loan transaction, the relationship between the alleged violation and the payment being processed is more attenuated. And, as a practical matter, the processor has to dig deeper and further to evaluate whether a client is complying with these regulatory requirements than the processor does to ensure that there is no fraud directly in connection with the payment.

That’s an extraordinary level of diligence to expect of a payment processor. Consumer financial service providers are subject to a vast and complex array of federal and state regulations. For some providers, like mortgage lenders and servicers, these laws regulate the minutiae of the providers’ operations. Evaluating whether the companies are properly licensed and operating in compliance with laws in all 50 states would be a daunting and resource-consuming process for a payment processor even if the proper interpretation and application of these laws was always clear cut. And, as discussed above, it often isn’t.

The CFPB might object that a client is engaged in fraud and illegality if the client attempts to put through payments in connection with a loan with respect to which there was a regulatory violation because the regulatory violation might have rendered the payment obligation unenforceable. The CFPB might contend that this is therefore no different than a client obtaining authorization through deception, such as by telling the consumer that he or she owed money in connection with a phantom debt.

However, there are two principal differences between attempting to collect a debt in connection with which there was a regulatory violation and attempting to, e.g., collect a phantom debt.

First, the premise upon which this argument is based (a regulatory violation renders the debt invalid, and the collection of a payment in connection with it therefore illegal) will not always be true. Not all regulatory violations will render a loan obligation void or unenforceable. In fact, voiding of an obligation is an extreme and relatively uncommon remedy in regulatory schemes, even for licensing requirements. Moreover, the CFPB does not articulate a distinction in its complaint between regulatory violations that void the debt and regulatory violations that do not. The CFPB seems to suggest that collecting payments on a loan is an “illegal transaction” if there were any regulatory violations in connection with the loan.

Second, even if the CFPB drew a distinction based on whether a regulatory violation voids a loan—and, again, it isn’t clear that the CFPB does—processors still would need to dive deeply into the morass of laws that regulate their clients just to separate the rules that void a loan from the rules that don’t. This would be a big undertaking, and one which payment processors are not really equipped to perform.

Another objection the CFPB might raise is that the CFPB doesn’t expect payment processors to do a thorough regulatory diligence of all consumer lenders—just lenders the CFPB doesn’t like, such as payday lenders. In fact, we suspect that this is an important (but unstated) factor that affects which actions the CFPB decides to bring. But the CFPB’s legal theory of liability doesn’t—and probably can’t—make this distinction. If payment processors have an obligation to conduct a regulatory analysis of payday lenders, then there is no logical reason that they don’t have a similar obligation for mortgage servicers, auto lenders, broker-dealers and almost any other regulated company that receives payments from consumers.

What’s Next?

One question that remains is whether the CFPB would bring an action against a payment processor based solely on allegations that the processor facilitated payments for a company that was not properly licensed or that had product terms that did not comply with state regulatory requirements. As noted above, the CFPB’s allegations against Intercept were not limited to claims that Intercept failed to verify its clients’ compliance with regulatory requirements. The CFPB does allege that Intercept failed to take action in response to indicia that some of its clients were engaged in fraudulent practices. It is possible that the allegations that Intercept failed to verify its clients’ compliance with regulatory requirements were included by the CFPB to be thorough, but that the CFPB would not have pursued an action against Intercept based on these allegations alone.

Hopefully this will be the case. But for now, the CFPB’s allegations against Intercept raise troubling questions for processors about the extent of their obligations to verify their clients’ compliance with regulatory requirements.

Related stories:

• CFPB Enforcements: Processors Face High Standards, Uncertainty
• Suit Wars: Processor Challenges CFPB’s Constitutionality; CFPB Sues for Ignoring Fraud Red Flags
• Viewpoint: No-Action Letters from the CFPB: What to Consider Before You Ask for One

David L. Beam is a partner in Mayer Brown’s Washington, DC, office. His practice encompasses a broad range of matters related to payments and credit regulation. He provides clients with regulatory compliance and related business planning advice; conducts regulatory due diligences of investment and acquisition targets; structures joint ventures and other business arrangements; obtains approvals, licenses and regulatory guidance from US federal and state financial regulators; and prepares terms and conditions for financial products and services. David may be reached at [email protected].

Ori Lev is a partner in Mayer Brown’s Washington, DC, office. He has more than 20 years of public service experience at a variety of government agencies, and his practice includes litigation, government enforcement and regulatory compliance affecting banks and other consumer financial services companies. He has served as deputy enforcement director for litigation at the CFPB. He also served as the chief of enforcement for the Department of the Treasury’s Office of Foreign Assets Control and as litigator for the DOJ and the FTC. Ori may be reached at [email protected].

Jeremy M. McLaughlin is an associate in Mayer Brown’s Palo Alto office. His practice focuses principally on regulatory compliance and government enforcement for consumer financial products and services, with particular attention on payment and emerging payment issues. He represents and advises financial technology companies, internet marketplaces, and commercial and consumer lenders. Jeremy may be reached at [email protected].

In Viewpoints, payments professionals share their perspectives on the industry. Paybefore’s goal is to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore. This article is intended for general information purposes only and should not be construed as legal advice. Readers are urged not to act upon the information without first consulting an attorney.