On September 3, the CFPB published Bulletin 2014-02 warning credit card issuers of the risk of engaging in deceptive or abusive acts and practices in connection with solicitations offering a promotional annual percentage rate (APR). In particular, the bulletin discusses the risk associated with balance transfer solicitations that fail to clearly disclose all material costs of the promotional APR offer, including the failure to disclose that consumers will lose their interest-free grace periods on new purchases if the entire statement balance—including the transferred balance—is not paid in full. The bulletin warns that, depending on the facts and circumstances, card issuers’ solicitations may be considered deceptive and/or abusive if they do not disclose that transferring an outstanding balance may result in additional interest charges for new purchases until a consumer’s grace period is restored by paying in full. Furthermore, the bulletin notes that while Regulation Z does not require marketing materials to include additional disclosures alerting consumers to the potential effect of accepting a promotional APR offer, some offers may risk being deceptive or abusive even if Regulation Z is not violated. In a press release regarding the bulletin, Director Cordray stated, “[W]e are putting credit card companies on notice that we expect them to clearly disclose how these promotional offers apply to consumers so that they can make informed choices about their credit card use.” Finally, the bulletin states that the CFPB expects card issuers to incorporate adequate measures into their compliance management systems in order to prevent violation of Federal consumer financial laws, including the prohibition on deceptive, unfair, or abusive practices. These measures should include steps to ensure that all marketing materials clearly, prominently, and accurately describe the effect of promotional APR offers on the grace period for new purchases.
On December 17, the CFPB announced it filed suit against a Texas-based company for allegedly deceiving consumers into paying fees to sign up for a “sham” credit card. According to the complaint filed in the Northern District of Texas, the CFPB alleges that the company falsely advertised a general-use credit card that, in actuality, could only be used to buy products from the company. The CFPB further alleges that the company deceptively implied an affiliation with unions by, among other things, using pictures of nurses, firefighters, and other public servants in its advertising. The complaint seeks compensation for consumers, a civil penalty, and an injunction against the company.
Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach
On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.
The Federal Reserve Bank of Philadelphia recently published a discussion paper on credit card fair lending risks. The paper reviews qualitative fair lending risk assessment methods and potential quantitative analysis that may be performed to assess fair lending risk exposure in each of the following areas: (i) marketing; (ii) underwriting; (iii) credit line assignment; (iv) pricing; (v) servicing and collection; (vi) secured cards; and (vii) affinity partners. The authors note that the methods discussed are also applicable to other consumer credit products that utilize credit scoring models. The paper states that although statistical testing can be an important component of fair lending compliance management for credit card lending, “statistical analysis approaches in this area—and particularly disparate impact testing approaches—are not well established, and there are no formal regulatory guidelines for conducting such analysis.” With regard to quantitative risk assessments, the authors discuss the utility of proxy testing and explain the likelihood of false positives and false negatives as well as unassigned consumers. The authors state that “these limitations suggest that results derived from a proxy-based analysis should be treated with an appropriate degree of caution.”
On July 17, the New York Department of Financial Services (NYDFS) proposed a rule intended to govern the virtual currency marketplace. The proposed rule is extremely broad and as currently drafted would appear to capture products provided by traditional brick and mortar banks and other regulated financial institutions. For example, as proposed, the rule could regulate:
- Reward programs, “thank you” offers, or digital coupons that offer cash back or statement credits;
- Generated numbers that access cash;
- Prepaid access and other cards that will allow customers to receive cash, including those customarily exempt such as government funded transfers;
- P2P transfers; and
- Wallet providers where the customer can access cash.
If left unaddressed, these apparent unintended consequences could create a confusing regulatory environment for certain bank and card products. It is also noteworthy that the rule does not provide any customary exclusions for chartered entities, raising substantial preemption questions.
On August 1, the U.S. Court of Appeals for the Ninth Circuit held that neither the federal question statute nor the Class Action Fairness Act (CAFA) provides a federal district court with subject matter jurisdiction over the Hawaii Attorney General’s (AG) suit against credit card issuers over allegedly deceptive marketing of add-on products. Hawaii v. HSBC Bank Nev., N.A., No. 12-263, 2014 WL 3765697 (9th Cir. Aug. 1, 2014). The Hawaii AG filed suits in state court against several credit card issuers asserting three state law causes of action based on allegations that the issuers deceptively marketed and enrolled Hawaii cardholders in various debt protection products. After the issuers removed the cases to federal court, the district court refused to remand, holding that at least one claim in each case was preempted by the National Bank Act. The court reasoned that the AG implicitly challenged the “rate of interest” on outstanding credit card balances by alleging the issuers charged “significant fees” for “minimal benefits” and had “increased profits by substantial sums,” and explained that the National Bank Act completely preempts state laws regulating the interest rates charged by nationally chartered banks. The appeals court disagreed, concluding—as the Fifth Circuit did last year in a similar case—that regardless of how state law labels the claims, the AG’s complaints did not challenge the “rate of interest” that issuers charged and are not preempted. Further, the court held that CAFA does not provide an alternative basis for federal jurisdiction because the AG’s suits are common law parens patriae suits that specifically disclaimed class status, and, as such, they are not class actions.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements that apply when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On May 29, the CFPB published a notice and request for comment on an updated plan to conduct a credit card arbitration survey. The following day, the OMB made available the documents submitted by the CFPB in support of the survey.
The amended survey notice follows an initial notice last year that the CFPB planned to conduct a telephone survey of 1,000 credit cardholders to assess (i) the extent of their awareness of dispute resolution provisions in their credit card agreements and (ii) the cardholders’ “assessments of such provisions.” At the time, the CFPB released draft survey questions as part of its information collection request supporting statements. The initial public comment period closed August 6, 2013. During the comment period, banking trade groups objected to the survey and suggested the CFPB instead pursue peer-reviewed research that compares consumer dispute resolution methods.
In its latest notice, the CFPB states that the survey “will explore (a) the role of dispute resolution provisions in consumer card acquisition decisions and (b) consumers’ default assumptions (meaning consumers’ awareness, understanding, or knowledge without supplementation from external sources) regarding their dispute resolution rights vis-a-vis their credit card issuers, including their awareness of their ability, where applicable, to opt-out of mandatory pre-dispute arbitration agreements.”
The supporting statements and attachments thereto detail the CFPB’s rationale for conducting the survey. Appendix A provides the final survey questions, and Appendix B provides the justification for the questions.
The public comment period on the notice and supporting materials closes June 30, 2014.
On April 3, Martin Wheatley, Chief Executive of the UK Financial Conduct Authority (FCA), which took over responsibility for overseeing consumer credit markets in the UK on April 1, 2014, identified the FCA’s most “immediate priority” as ensuring “providers of credit, as well as satellite services like credit broking, debt management and debt advice, have sustainable and well-controlled business models, supported by a culture that is based on ‘doing the right thing’ for customers.” He explained that the FCA wants to expand financial service providers’ focus on compliance with specific rules to include “wider FCA expectations of good conduct.” Referencing a paper the FCA published on April 1, the day it began overseeing consumer credit markets, Mr. Wheatley stated that consumer credit providers need to consider how they engage with consumers in vulnerable circumstances. On this issue, the FCA also announced a “competition review” of the UK credit card market to determine, among other things, “how the industry worked with those people who were in difficult financial situations already.”
On March 19, the U.S. Court of Appeals for the Seventh Circuit held that a retailer’s credit card upgrade program that replaced existing customers’ limited use store charge cards with unsolicited general use credit cards did not violate TILA, and affirmed the district court’s dismissal of a putative class action. Acosta v. Target Corp., No. 13-2706, 2014 WL 1045202 (7th Cir. Mar. 19, 2014). Under the upgrade program, the retailer automatically issued new general purpose cards to existing store card customers and closed the old account upon either the activation of the new account or rejection by the consumer of the new card. The class representatives claimed that the program constituted an offer to change the underlying account relationship and violated TILA’s prohibition on the mailing of unsolicited credit cards. The court held that the program fell within TILA’s exemption for substitute cards based on the common understanding of “substitution” and the Federal Reserve Board staff’s Regulation Z commentary. The court also rejected the cardholders’ argument that they were fraudulently induced to accept the new card. The court determined that the retailer disclosed the reasons for a change in the APR and did not raise the rate unless payments were missed, and sufficiently disclosed the potential for a change in credit limit. The court also held that the retailer’s omission of the fact that cardholders could take steps to retain their store card account was not fraudulent, and added that to hold otherwise would require the retailer “to disclose any condition that could theoretically be negotiated with the card issuer.” The court also affirmed the dismissal of the cardholders’ breach of contract and tortious interference claims.
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
On March 3, South Dakota enacted HB 1131, which amends state banking laws to make clear that banks can offer revolving lines of credit not tied to the issuance of a credit card.
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limit the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S.
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.