On April 15, the CFPB issued a final rule temporarily suspending credit card issuers’ obligation to submit their card agreements to the CFPB, as required by the Credit Card Accontability, Responsibility, and Disclosure Act (CARD Act). The CARD Act, as implemented by TILA and Reg. Z (12 C.F.R. 1026.58), requires credit card issuers to submit credit card agreements to the Bureau on a quarterly basis. The first submission was set to be the first business day on or after April 30, 2015, but under the one-year reprieve, credit card issuers will not be required to begin submitting credit card agreements to the Bureau until April 30, 2016. According to the CFPB, during the temporary suspension, the regulator will “work to develop a more streamlined and automated electronic submission system.” The CFPB contends that the new system will allow for easier submission of credit card agreements than the manual submission system currently in place. Other requirements in Section 1026.58, including the requirement that credit card issuers post their credit card agreements on their own public website, remain unaffected by the temporary suspension.
Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants
On April 17, the Tennessee Governor Bill Haslem signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.
On April 15, retail company Target agreed to set aside up to $19 million to settle claims brought by MasterCard and its credit card issuers to cover operational costs and fraud-related losses resulting from a data breach incident in 2013. According to a press release issued by Target, the agreement is dependent upon, among other things, 90 percent of eligible Mastercard accounts accepting their alternative recovery offers, either directly or through their sponsoring issuers by May 20, 2015. Eligible issuers, mostly comprising of banks and credit unions, who accept the offer will be required to release any current or future claims towards Target with respect to the data breach. All eligible issuers will receive full details of the Settlement Agreement at a later time.
On February 24, the CFPB announced a proposed rule that would reduce the burden of credit card issuers by suspending – for one year – their obligation to submit credit card agreements to the CFPB on a quarterly basis. The proposed rule would be in effect while the CFPB works to establish a “more streamlined and automated electronic submission system” that would make it easier for issuers to submit the agreements. The proposal amends the 2009 CARD Act, which established the requirement that issuers submit consumer credit card agreements to the CFPB. During the proposed one-year suspension, other requirements of the CARD Act would remain in place, such as the issuers’ “obligations to post currently-offered agreements on their own websites.” Comments on the proposed rule are due by March 13. Credit card issuers would resume submitting credit card agreements on a quarterly basis to the CFPB starting on April 30, 2016.
On February 4, the CFPB announced a consent order with a Delaware-based credit card company, ordering the company to refund an estimated $2.7 million to approximately 98,000 consumers and pay a civil penalty of $250,000 for allegedly charging consumers illegal credit card fees. According to the consent order, the CFPB alleged the company charged customers fees during the first year after customers opened the account that exceeded the 25% credit limit imposed by the CARD Act. The CFPB further alleged that the company, offering the credit cards through a state-chartered credit union, misled customers about paper statement fees associated with their credit cards and falsely claimed that certain security deposits were “FDIC insured” when they were not. In addition to the refund to customers and civil penalty, the consent order requires the company (i) to refrain from charging fees that exceed 25% of a customer’s credit limit in the first year of the account and (ii) subjects itself to CFPB supervisory authority for the first time.
On February 3, the CFPB asked a federal district court to enter a consent order against a Texas-based company for allegedly misleading thousands of consumers into signing up for a “sham” credit card. Under the terms of the consent order, the company would be prohibited from offering any future credit products and services and a $70,000 civil money penalty. For more, please refer to our InfoBytes as this development was previously covered on December 19.
On December 17, the CFPB announced it filed suit against a Texas-based company for allegedly deceiving consumers into paying fees to sign up for a “sham” credit card. According to the complaint filed in the Northern District of Texas, the CFPB alleges that the company falsely advertised a general-use credit card that, in actuality, could only be used to buy products from the company. The CFPB further alleges that the company deceptively implied an affiliation with unions by, among other things, using pictures of nurses, firefighters, and other public servants in its advertising. The complaint seeks compensation for consumers, a civil penalty, and an injunction against the company.
On September 3, the CFPB published Bulletin 2014-02 warning credit card issuers of the risk of engaging in deceptive or abusive acts and practices in connection with solicitations offering a promotional annual percentage rate (APR). In particular, the bulletin discusses the risk associated with balance transfer solicitations that fail to clearly disclose all material costs of the promotional APR offer, including the failure to disclose that consumers will lose their interest-free grace periods on new purchases if the entire statement balance—including the transferred balance—is not paid in full. The bulletin warns that, depending on the facts and circumstances, card issuers’ solicitations may be considered deceptive and/or abusive if they do not disclose that transferring an outstanding balance may result in additional interest charges for new purchases until a consumer’s grace period is restored by paying in in full. Furthermore, the bulletin notes that while Regulation Z does not require marketing materials to include additional disclosures alerting consumers to the potential effect of accepting a promotional APR offer, some offers may risk being deceptive or abusive even if Regulation Z is not violated. In a press release regarding the bulletin, Director Cordray stated, “[W]e are putting credit card companies on notice that we expect them to clearly disclose how these promotional offers apply to consumers so that they can make informed choices about their credit card use.” Finally, the bulletin states that the CFPB expects card issuers to incorporate adequate measures into their compliance management systems in order to prevent violation of Federal consumer financial laws, including the prohibition on deceptive, unfair, or abusive practices. These measures should include steps to ensure that all marketing materials clearly, prominently, and accurately describe the effect of promotional APR offers on the grace period for new purchases.
Nebraska Federal Court Refuses To Dismiss Suit Claiming Breach Of Contract, Violation of State Law for Unauthorized Credit Card Transactions Following Bank Data Breach
On August 20, the U.S. District Court for the District of Nebraska denied motions to dismiss filed by a Nebraska bank and two credit card processing companies in response to a purported class action filed by a merchant alleging that it suffered damages following a data breach at the defendants’ premises. Wines, Vines & Corks, LLC v. First Nat’l of Neb., Inc., No. 8:14CV82 (D. Neb. Aug. 20, 2014). According to the merchant’s complaint, the merchant maintained a credit card processing account with the defendants and, following the breach, had unauthorized credit card transactions processed and fees withdrawn from its account. The merchant alleged breach of contract, negligence, and violations of the Nebraska Consumer Protection Act and the Nebraska Uniform Deceptive Trade Practices Act based on the defendants’ failure to adequately secure and protect account information and refusal to refund the fees. In denying the motions to dismiss, the court determined that the merchant sufficiently pled the existence of a contract and resulting damages in support of its breach of contract claim, as well as a breach of the duty of due care in support of its negligence claim. Also, the court found that the merchant’s state law claims were adequately supported and determined that the defendants’ argument that the economic loss doctrine barred these claims was misplaced.
The Federal Reserve Bank of Philadelphia recently published a discussion paper on credit card fair lending risks. The paper reviews qualitative fair lending risk assessment methods and potential quantitative analysis that may be performed to assess fair lending risk exposure in each of the following areas: (i) marketing; (ii) underwriting; (iii) credit line assignment; (iv) pricing; (v) servicing and collection; (vi) secured cards; and (vii) affinity partners. The authors note that the methods discussed are also applicable to other consumer credit products that utilize credit scoring models. The paper states that although statistical testing can be an important component of fair lending compliance management for credit card lending, “statistical analysis approaches in this area—and particularly disparate impact testing approaches—are not well established, and there are no formal regulatory guidelines for conducting such analysis.” With regard to quantitative risk assessments, the authors discuss the utility of proxy testing and explain the likelihood of false positives and false negatives as well as unassigned consumers. The authors state that “these limitations suggest that results derived from a proxy-based analysis should be treated with an appropriate degree of caution.”
On July 17, the New York Department of Financial Services (NYDFS) proposed a rule intended to govern the virtual currency marketplace. The proposed rule is extremely broad and as currently drafted would appear to capture products provided by traditional brick and mortar banks and other regulated financial institutions. For example, as proposed, the rule could regulate:
- Reward programs, “thank you” offers, or digital coupons that offer cash back or statement credits;
- Generated numbers that access cash;
- Prepaid access and other cards that will allow customers to receive cash, including those customarily exempt such as government funded transfers;
- P2P transfers; and
- Wallet providers where the customer can access cash.
If left unaddressed, these apparent unintended consequences could create a confusing regulatory environment for certain bank and card products. It is also noteworthy that the rule does not provide any customary exclusions for chartered entities, raising substantial preemption questions. Read more…
On August 1, the U.S. Court of Appeals for the Ninth Circuit held that neither the federal question statute nor the Class Action Fairness Act provide a federal district court with subject matter jurisdiction over the Hawaii Attorney General’s (AG) suit against credit card issuers over allegedly deceptive marketing of add-on products. Hawaii v. HSBC Bank Nev., N.A., No. 12-263, 2014 WL 3765697 (9th Cir. Aug. 1, 2014). The Hawaii AG filed suits in state court against several credit card issuers asserting three state law causes of action based on allegations that the issuers deceptively marketed and enrolled Hawaii cardholders in various debt protection products. After the issuers removed the cases to federal court, the district court refused to remand, holding that at least one claim in each case was preempted by the National Bank Act. The court reasoned that the AG implicitly challenged the “rate of interest” on outstanding credit card balances by alleging the issuers charged “significant fees” for “minimal benefits” and had “increased profits by substantial sums,” and explained that the National Bank Act completely preempts state laws regulating the interest rates charged by nationally chartered banks. The appeals court disagreed, concluding—as the Fifth Circuit did last year in a similar case—that regardless of how state law labels the claims, the AG’s complaints did not challenge the “rate of interest” that issuers charged and are not preempted. Further, the court held that CAFA does not provide an alternative basis for federal jurisdiction because the AG’s suits are common law parens patriae suits that specifically disclaimed class status, and, as such, they are not class actions.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.