The Consumer Financial Protection Bureau’s (“CFPB”) lawsuit against payment processor Intercept Corporation remains pending, and recent briefing sheds light on issues that could have broad implications for the payment processing industry and CFPB enforcement at large.
We previously reported on the CFPB’s suit against Intercept, pending in district court in North Dakota. The CFPB alleges that Intercept violated the Consumer Financial Protection Act (“CFPA”) by engaging in unfair acts and practices. Intercept moved to dismiss the CFPB’s complaint, and that motion is now fully briefed. The Third Party Payment Processors Association (“TPPPA”) filed an amicus curiae brief in support of Intercept’s motion to dismiss. The pleadings highlight concerns regarding both the scope of the CFPA and the ability of the CFPB to reach businesses that do not interact directly with consumers.
First, Intercept and the TPPPA raised the threshold issue of whether a payment processor is subject to the CFPA even though it is not consumer-facing. To be governed by the CFPA as a “covered person,” one must engage in “offering or providing a consumer financial product or service.” Intercept argues this requires that services be provided directly to consumers; however, Intercept provides its ACH processing services to businesses, not consumers.
This holds true for all payment processors, as pointed out in the TPPPA’s amicus brief. Payment processors do not interface with consumers and only have scant information about the consumer. As summed up by the TPPPA in arguing that payment processors are not “covered persons” within the meaning of the CFPA: “Payment processors like Intercept never interact with consumers, nor do they provide payments or other financial data processing products to consumers. Third party payment processors only provide these services for merchants and merchants are not consumers.”
Not surprisingly, the CFPB disagrees with Intercept’s and the TPPPA’s position that a person must interface directly with a consumer to be a covered person under the CFPA. The CFPB acknowledges that the statutory language contemplates “use by consumers,” but posits that the statutory language does not differentiate between direct and indirect contact. To reach its conclusion that covered persons can include people that interact only indirectly with consumers, the CFPB relies on rules of statutory interpretation, such as the use of the term “directly” in nearby provisions and an exemption for web-hosting companies from the definition of financial products or services for consumers.
Intercept warns that the CFPB’s interpretation of covered persons under the CFPA could have far-reaching effects if the CFPB is allowed to police companies that provide services to other businesses. For instance, Intercept argues, the CFPB’s interpretation would extend the CFPB’s authority to consumer-facing businesses unrelated to consumer finance, such as grocery stores, hotels, veterinarians, churches, and hospitals. This, Intercept continues, will lead to the anomalous result that payment processors would have to learn the laws relevant to each of their customers’ businesses and then monitor their customers’ interactions with consumers to ensure compliance with those laws.
Second, the TPPPA points out what it believes is a “glaring omission” in the CFPB’s claim that Intercept engaged in unfair acts and practices – the failure of the CFPB to allege that Intercept violated a National Automated Clearing House Association (“NACHA”) rule. NACHA is the industry association that provides industry rules and guidance for ACH transactions. The NACHA rules incorporate relevant federal rules and regulations. The TPPPA argues that the CFPB’s omission raises due process concerns because any allegation of unfair practices must be predicated on a violation of the NACHA rules. Otherwise, a payment processor, or any business that finds itself in the CFPB’s crosshairs, could be liable for conduct that “was not unlawful or forbidden by the rules in place at the time of the alleged conduct.”
The CFPB counters that a person need not violate industry practices or guidance in order to engage in unfair acts or practices, describing the TPPPA’s position as an “everyone else is doing it” defense that “would have the perverse effect of immunizing exactly the harmful conduct that is most widespread.” But the TPPPA’s concern remains: if a payment processor is acting within the confines of established rules and regulations, what stops the CFPB from effectively legislating around conduct ex post?
Finally, Intercept argues that the CFPB discovered the conduct at issue in the 2016 complaint through an FTC investigation from 2012. Intercept provided documents to the FTC in 2012 pursuant to a subpoena, and the FTC did not pursue any action at that time. Intercept argues that, because the CFPB is the FTC’s successor and the two agencies share regulatory priorities, the FTC’s knowledge is imputed to the CFPB. Intercept also contends that if the rule were otherwise, the FTC and CFPB would be able to “stack” their statutes of limitations – doubling the time period in which to bring a claim – to bring claims alleging unfair acts or practices. The CFPB denies that it has imputed knowledge of facts learned by the FTC in its earlier investigation.
If the court reaches any of the issues above, its ruling could have far-reaching implications beyond payment processors: (1) do unfair acts and practices under the CFPA require direct interaction with consumers; (2) must unfair acts and practices claims be predicated on underlying rules violations; and (3) can other agencies’ knowledge be imputed to the CFPB to cut off the statute of limitations for bringing claims?