The Federal Reserve Bank of Philadelphia recently published a discussion paper on credit card fair lending risks. The paper reviews qualitative fair lending risk assessment methods and potential quantitative analysis that may be performed to assess fair lending risk exposure in each of the following areas: (i) marketing; (ii) underwriting; (iii) credit line assignment; (iv) pricing; (v) servicing and collection; (vi) secured cards; and (vii) affinity partners. The authors note that the methods discussed are also applicable to other consumer credit products that utilize credit scoring models. The paper states that although statistical testing can be an important component of fair lending compliance management for credit card lending, “statistical analysis approaches in this area—and particularly disparate impact testing approaches—are not well established, and there are no formal regulatory guidelines for conducting such analysis.” With regard to quantitative risk assessments, the authors discuss the utility of proxy testing and explain the likelihood of false positives and false negatives as well as unassigned consumers. The authors state that “these limitations suggest that results derived from a proxy-based analysis should be treated with an appropriate degree of caution.”
Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach
On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.
On July 17, the New York Department of Financial Services (NYDFS) proposed a rule intended to govern the virtual currency marketplace. The proposed rule is extremely broad and as currently drafted would appear to capture products provided by traditional brick and mortar banks and other regulated financial institutions. For example, as proposed, the rule could regulate:
- Reward programs, “thank you” offers, or digital coupons that offer cash back or statement credits;
- Generated numbers that access cash;
- Prepaid access and other cards that will allow customers to receive cash, including those customarily exempt such as government funded transfers;
- P2P transfers; and
- Wallet providers where the customer can access cash.
If left unaddressed, these apparent unintended consequences could create a confusing regulatory environment for certain bank and card products. It is also noteworthy that the rule does not provide any customary exclusions for chartered entities, raising substantial preemption questions.
On August 1, the U.S. Court of Appeals for the Ninth Circuit held that neither the federal question statute nor the Class Action Fairness Act provides a federal district court with subject matter jurisdiction over the Hawaii Attorney General’s (AG) suit against credit card issuers over allegedly deceptive marketing of add-on products. Hawaii v. HSBC Bank Nev., N.A., No. 12-263, 2014 WL 3765697 (9th Cir. Aug. 1, 2014). The Hawaii AG filed suits in state court against several credit card issuers asserting three state law causes of action based on allegations that the issuers deceptively marketed and enrolled Hawaii cardholders in various debt protection products. After the issuers removed the cases to federal court, the district court refused to remand, holding that at least one claim in each case was preempted by the National Bank Act. The court reasoned that the AG implicitly challenged the “rate of interest” on outstanding credit card balances by alleging the issuers charged “significant fees” for “minimal benefits” and had “increased profits by substantial sums,” and explained that the National Bank Act completely preempts state laws regulating the interest rates charged by nationally chartered banks. The appeals court disagreed, concluding—as the Fifth Circuit did last year in a similar case—that regardless of how state law labels the claims, the AG’s complaints did not challenge the “rate of interest” that issuers charged and are not preempted. Further, the court held that CAFA does not provide an alternative basis for federal jurisdiction because the AG’s suits are common law parens patriae suits that specifically disclaimed class status, and, as such, they are not class actions.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On May 29, the CFPB published a notice and request for comment on an updated plan to conduct a credit card arbitration survey. The following day, the OMB made available the documents submitted by the CFPB in support of the survey.
The amended survey notice follows an initial notice last year that the CFPB planned to conduct a telephone survey of 1,000 credit cardholders to assess (i) the extent of their awareness of dispute resolution provisions in their credit card agreements and (ii) the cardholders’ “assessments of such provisions.” At the time, the CFPB released draft survey questions as part of its information collection request supporting statements. The initial public comment period closed August 6, 2013. During the comment period, banking trade groups objected to the survey and suggested the CFPB instead pursue peer-reviewed research that compares consumer dispute resolution methods.
In its latest notice, the CFPB states that the survey “will explore (a) the role of dispute resolution provisions in consumer card acquisition decisions and (b) consumers’ default assumptions (meaning consumers’ awareness, understanding, or knowledge without supplementation from external sources) regarding their dispute resolution rights vis-a-vis their credit card issuers, including their awareness of their ability, where applicable, to opt-out of mandatory pre-dispute arbitration agreements.”
The supporting statements and attachments thereto detail the CFPB’s rationale for conducting the survey. Appendix A provides the final survey questions, and Appendix B provides the justification for the questions.
The public comment period on the notice and supporting materials closes June 30, 2014.
On April 3, Martin Wheatley, Chief Executive of the UK Financial Conduct Authority (FCA), which took over responsibility for overseeing consumer credit markets in the UK on April 1, 2014, identified the FCA’s most “immediate priority” as ensuring “providers of credit, as well as satellite services like credit broking, debt management and debt advice, have sustainable and well-controlled business models, supported by a culture that is based on ‘doing the right thing’ for customers.” He explained that the FCA wants to expand financial service providers’ focus on compliance with specific rules to include “wider FCA expectations of good conduct.” Referencing a paper the FCA published on April 1, the day it began overseeing consumer credit markets, Mr. Wheatley stated that consumer credit providers need to consider how they engage with consumers in vulnerable circumstances. On this issue, the FCA also announced a “competition review” of the UK credit card market to determine, among other things, “how the industry worked with those people who were in difficult financial situations already.”
On March 19, the U.S. Court of Appeals for the Seventh Circuit held that a retailer’s credit card upgrade program that replaced existing customers’ limited use store charge cards with unsolicited general use credit cards did not violate TILA, and affirmed the district court’s dismissal of a putative class action. Acosta v. Target Corp., No. 13-2706, 2014 WL 1045202 (7th Cir. Mar. 19, 2014). Under the upgrade program, the retailer automatically issued new general purpose cards to existing store card customers and closed the old account upon either the activation of the new account or rejection by the consumer of the new card. The class representatives claimed that the program constituted an offer to change the underlying account relationship and violated TILA’s prohibition on the mailing of unsolicited credit cards. The court held that the program fell within TILA’s exemption for substitute cards based on the common understanding of “substitution” and the Federal Reserve Board staff’s Regulation Z commentary. The court also rejected the cardholders’ argument that they were fraudulently induced to accept the new card. The court determined that the retailer disclosed the reasons for a change in the APR and did not raise the rate unless payments were missed, and sufficiently disclosed the potential for a change in credit limit. The court also held that the retailer’s omission of the fact that cardholders could take steps to retain their store card account was not fraudulent, and added that to hold otherwise would require the retailer “to disclose any condition that could theoretically be negotiated with the card issuer.” The court also affirmed the dismissal of the cardholders’ breach of contract and tortious interference claims.
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
On March 3, South Dakota enacted HB 1131, which amends state banking laws to make clear that banks can offer revolving lines of credit not tied to the issuance of a credit card.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. 
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On January 21, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s dismissal of a constitutional challenge to certain credit card fees. In re Late Fee and Over-Limit Fee Litig., No. 08-15218, 2014 WL 211729 (9th Cir. Jan. 21, 2014). A group of credit card holders filed a class action suit claiming that credit card overlimit fees and late fees are analogous to punitive damages imposed in the tort context, and therefore such fees are subject to substantive due process limits. The card holders asserted that because banks are compensated through high penalty interest rates for the lost time value and collection costs associated with any breach of the credit contract, the other charges are duplicative and therefore punitive. The court explained that its decision hinged on the similarities and differences between liquidated damages and punitive damages, and determined that the penalty clauses at issue originate from the parties’ private credit card contracts, and are distinct from the jury-determined punitive damages awards. The court held, therefore, that the “jurisprudence developed to limit punitive damages in the tort context does not apply to contractual penalties, such as the credit card fees at issue in this case.”
On December 23, the CFPB announced a coordinated enforcement action taken by federal regulators against a major credit card company and certain subsidiaries alleged to have violated multiple consumer protection laws with respect to credit card add-on products. The action, which is the fourth action taken by the CFPB relating to credit card add-on products, and the fifth add-on product action overall, extends the CFPB’s intense supervisory and enforcement focus on ancillary products and oversight of third-party service providers.
In coordination with the FDIC and the OCC, the CFPB ordered the companies to refund an estimated $59.5 million to more than 335,000 customers for certain credit card practices, including allegedly unfair billing tactics and deceptive marketing. The company must also pay an additional $9.6 million in civil penalties, submit to an independent review of other credit card add-on products, and continue to implement enhanced third-party oversight.
The consent orders allege that the company misled consumers about the benefits, fees, length of coverage, and terms and conditions of certain payment protection products, and that the company billed consumers for services they did not receive, unfairly charged consumers for interest and fees, and failed to comply with federal requirements to inform consumers about their right to a free credit report.
The coordinated action follows another taken by federal regulators last year, in which the same companies were ordered to refund approximately $85 million in connection with alleged UDAAP violations related to the offering of a rewards card and certain debt collection practices.