The CFPB sued payment processor Intercept Corporation, its owner, and its CEO on June 6, 2016, for allegedly enabling unauthorized withdrawals and other illegal activities of Intercept’s clients.  The complaint, filed in district court in North Dakota, accuses Intercept of processing transactions for its clients that it knew or “consciously avoided knowing” initiated fraudulent or illegal transactions.  Based on Intercept’s conduct, the CFPB alleges Intercept violated the Consumer Financial Protection Act (“CFPA”).

Intercept is a third-party payment processor that processes electronic fund transfers through the ACH network.  Intercept counts among its clients payday lenders, debt collectors, and auto title lenders.  The complaint described Intercept’s typical transaction:  Intercept’s client instructs Intercept to withdraw loan repayments from a borrower’s bank account; Intercept instructs its bank to contact the borrower’s bank to withdraw the money; the borrower’s bank debits the account, remits the money to Intercept’s bank, and Intercept remits the money to its client.

The CFPB alleges that Intercept violated the CFPA by engaging in unfair acts and practices by failing to heed warnings from banks and consumers; failing to adequately monitor and respond to high return rates; and failing to investigate red flags when vetting its clients.  The CFPB further contends that Intercept’s owner and CEO violated the CFPA by providing substantial assistance to Intercept.  According to the CFPB, Intercept falls under the CFPA for two reasons: (1) it provides payments or other financial data processing products or services to consumers by technological means; and (2) it provides services to cover persons.

Intercept’s banks notified it on multiple occasions that it was concerned with Intercept’s clients’ high return rates of disputed transactions, which the CFPB contends can be indicative of illegal or fraudulent activity.  But Intercept allegedly ignored its own banks’ warnings.  When one of Intercept’s banks would end its relationship with Intercept, Intercept would move on to another bank, never stopping to investigate the banks’ concerns or take a look at its relationships with its trouble clients.  Intercept’s clients’ rates of return for unauthorized transactions exceed industry standards.

The CFPB cited to industry rules and guidelines requiring participants in ACH transactions to monitor return rates and other suspicious activity.  The implication in the complaint is that Intercept should have investigated or terminated its relationships with clients with high return rates.

Intercept also allegedly failed to act in the face of significant numbers of consumer complaints to its banks about unauthorized withdrawals by Intercept’s clients and legal action taken against its clients.  Consumer complaints and legal action should have also triggered an investigation by Intercept of its clients, according to the CFPB.

Notwithstanding Intercept’s alleged failure to investigate high return rates or consumer complaints and legal action against its clients, the CFPB alleges that Intercept should have been more thorough in its due diligence of potential clients.  Intercept disregarded government investigations and negative Better Business Bureau rankings during the client intake process.

While CFPB v. Intercept Corp., et al. involves extreme facts, its implications for payment processors may be more broadly applicable.  It is evident that the CFPB expects payment processors to be proactive in monitoring their clients’ transactions.  It is not evident where the CFPB will draw that line.