Page 74 - Pay Magazine s2014
Government watch
CFPB’s Enforcement Lessons for the Payments Industry
- Developing reasonable procedures to select and retain service providers
- Conducting an annual data-security audit
collect more than $11 million in illegal, upfront fees from consumers in violation of the Telemarketing Sales Rule, which prohibits debt-settlement companies from charging advanced fees before settling consumer debts. Although the debt-settlement companies initiated the illegal fees, the CFPB alleged that Meracord was complicit in processing those illegal advance fees and responsible for the debt-settlement companies’ violations of law. The processor entered into a consent order that required it to: 1) no longer process payments for debt-settlement companies; 2) be subject to CFPB monitoring and special reporting requirements; and 3) pay a civil money penalty of $1.376 million.
In another case in May 2015, the CFPB brought enforcement actions against two large wireless carriers, characterizing them as payment processors for their role in collecting and processing payments through billing systems that enabled multiple third-party merchants to place charges on wireless customers’ bills without the customers’ consent. The companies allegedly enrolled customers in such third-party billing without their consent, which facilitated the wrongdoing of merchants imposing wrongful charges on consumers’ bills since customers were unaware that third-party charges could appear on their bills. The companies also allegedly failed to require that third parties using their payment processing platform had adequate consumer authorization for charges and failed to adequately respond to “red flags,” including high levels of complaints and disputes related to the third-party charges. The consent orders required one company to pay $70 million and another company to pay $50 million in consumer refunds, and both carriers were required to clearly and conspicuously disclose third-party charges, obtain informed consent from customers before allowing third-party billing, and improve dispute procedures and customer service training.
Most recently, the CFPB filed a complaint against another payments processor, Intercept Corp., alleging that the company enabled unauthorized and illegal withdrawals from consumer accounts and ignored warning signs of fraud and illegality by payday lenders, auto-title lenders, debt collectors and sales financing companies. Going forward, payment processors and other similarly situated companies that the CFPB views as facilitating the illegal conduct of others likely will be considered effective enforcement targets.
Defendants Are Taking Their Gloves Off
Some subjects of CFPB investigations and enforcement actions are fighting back, disputing the CFPB’s claims of jurisdiction and authority. In CFPB v. Accrediting Council for Independent Colleges and Schools, a for-profit college accreditation service received a civil investigative demand (CID)
Notably, the case did not involve a data breach or complaints from customers regarding data security; the harm (or potential for harm) was that the alleged deception likely affected consumers’ decisions to use the company’s services. Nevertheless, the consent order resulted in a $100,000 civil money penalty in addition to the remedial conduct identified above. The case suggests that the CFPB may focus on covered persons’ claims regarding their data-security practices, including encryption standards, PCI compliance, and comparisons against other products or companies.
Payment Processing: ‘Chokepoints’ as Effective Enforcement Targets
The CFPB continues to view payment processors as “chokepoints” because merchants often depend on payment processors to accept payments. Regulators effectively can target multiple merchants engaging in allegedly illegal conduct at once by holding a payment processor responsible for the misconduct of a series of merchants for whom it has processed transactions.
For example, the CFPB entered an enforcement action against a payment processor, Meracord LLC, in 2013, alleging that the company helped debt-settlement companies

































































































