On July 21, the Federal Reserve Board of Governors announced the members of the Faster Payments and Secure Payments Task Force as described in the Strategies for Improving the U.S. Payment System white paper released earlier this year. The committees will advise the Federal Reserve task force chair on meeting agendas, and help prioritize various task force activities, among other payments initiatives. The members include various interest groups representing industry, tech, and government, among others. More information about the task forces and the Fed’s payments improvement initiatives can be found at fedpaymentsimprovement.org.
CFPB Settles with Payment Processor and Mortgage Servicer over Deceptive Mortgage Advertisement Allegations
On July 28, the CFPB announced that a Colorado-based payment processor, along with a Virginia-based mortgage servicer, agreed to pay a total of $38.5 million to resolve allegations that both entities used misleading advertisements related to a mortgage payment program. The CFPB alleged that both entities advertised the “Equity Accelerator Program” as a program that would help consumers save on interest payments by making mortgage payments biweekly rather than monthly. However, according to the CFPB, the program failed to make the biweekly payments, and no more than a “tiny” percentage of consumers enrolled in the program benefitted from the promised savings. Under the terms of the consent orders, the payment processor agreed to provide $33.4 million in restitution to affected consumers and pay a $5 million civil money penalty. The mortgage servicer will pay a $100,000 civil money penalty. Both entities also agreed to ensure that any advertisements concerning the mortgage program’s benefits complied with federal law.
Today, the DOJ unsealed an eighteen-count indictment in Brooklyn, New York charging a Turkish citizen (Defendant) with organizing worldwide cyberattacks against at least three U.S. payment processors’ computer networks. The Defendant’s organization allegedly used “sophisticated intrusion techniques” to hack the computer systems, stealing prepaid debit card data and subsequently using the stolen data to make ATM withdrawals in which standard withdrawal limits were manipulated to allow for greater withdrawals. According to the indictment, the Defendant managed a group of co-conspirators responsible for distributing the stolen card information to “cashing crews” around the world, who then used the information to conduct tens of thousands of fraudulent ATM withdrawals and fraudulent purchases. Within two days – February 27 and 28, 2011 – the DOJ alleges that the “cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.” The remaining two operations, occurring in late 2012 and early 2013, resulted in ATM withdrawals of roughly $5 million and $40 million, respectively. The Defendant, along with other high-ranking members of the conspiracy, received the funds from the fraudulent operations via wire transfer, electronic currency, and personal delivery of U.S. and foreign currency. The Defendant was arrested in Germany on December 18, 2013, and was extradited to the United States on June 23, 2015. The charges against the Defendant follow previous charges against members of the conspiracy, including the arrest of a member of the New York cashing crew.
CFPB Tackles Payment Processor for Charging Servicemembers Hidden Fees, Orders Over $3 Million in Consumer Relief
On April 20, the CFPB announced an enforcement action against a Kentucky-based third-party processor of military allotments and its subsidiary – together “Respondents” – for allegedly charging servicemembers millions of dollars in hidden fees. According to the Bureau, servicemembers set up allotment arrangements with the Respondents, and the Respondents were to pay creditors – auto lenders, installment lenders, and retail merchants – on behalf of deployed servicemembers. The Bureau alleges that from 2010 to 2014, the company violated UDAAP provisions of the Consumer Financial Protection Act by failing to (i) adequately disclose information about various fees associated with the Respondents’ services; and (ii) inform servicemembers when they were being charged residual-balance fees. The consent order requires that the Respondents pay approximately $3.1 million in relief to the affected servicemembers.
Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants
On April 17, the Tennessee Governor Bill Haslem signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.
On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
On July 28, the FDIC issued FIL-41-2014 to clarify its supervisory approach to bank relationships with third-party payment processors (TPPPs). In short, the letter removes the FDIC’s list of examples of merchant categories from its existing guidance and informational article. That list, which identified potential “high-risk” businesses, including firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others, has been scrutinized and challenged by members of Congress in recent months. The new guidance explains the “lists of examples of merchant categories have led to misunderstandings regarding the FDIC’s supervisory approach to TPPPs, creating the misperception that the listed examples of merchant categories were prohibited or discouraged.” The FDIC’s letter continues to defend the list as “illustrative of trends identified by the payments industry at the time the guidance and article were released” and reasserts that it is the FDIC’s policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law.
On June 23, the DOJ released a transcript of a message delivered by Attorney General Eric Holder in which he pledged to continue investigations of financial institutions “that knowingly facilitate consumer scams, or that willfully look the other way in processing such fraudulent transactions.” These investigations are part of the DOJ’s “Operation Choke Point,” which has faced criticism from financial institutions and their advocates on Capitol Hill, and which payday lenders recently filed suit to halt. Opponents of the operation assert that the DOJ investigations, combined with guidance from prudential regulators, are targeting lawful businesses and cutting off their access to the financial system. In his remarks, the AG promised that the DOJ will not target “businesses operating within the bounds of the law,” but vowed to continue to pursue “a range of investigations into banks that illegally enable businesses to siphon billions of dollars from consumers’ bank accounts in exchange for significant fees.” Mr. Holder stated that he expects the DOJ to resolve some of these investigations in the coming months.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third-party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures. The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account fall on the customer and not the bank.
On June 9, Darrell Issa (R-CA), Chairman of the House Oversight Committee, and Jim Jordan (R-OH), an Oversight subcommittee chairman, sent a letter to FDIC Chairman Martin Gruenberg that seeks information regarding the FDIC’s role in Operation Choke Point and calls into question prior FDIC staff statements about the agency’s role. The letter asserts that documents obtained from the DOJ and recently released by the committee demonstrate that, contrary to testimony provided by a senior FDIC staff member, the FDIC “has been intimately involved in Operation Choke Point since its inception.” The letter also criticizes FDIC guidance that institutions monitor and address risks associated with certain “high-risk merchants,” which, according to the FDIC, includes firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others. The letter seeks information to help the committee better understand the FDIC’s role in Operation Choke Point and its justification for labeling certain businesses as “high-risk.” For example, the letter seeks (i) all documents and communications between the FDIC and the DOJ since January 1, 2011; (ii) all FDIC documents since that time that refer to the FDIC’s 2012 guidance regarding payment processor relationships; and (iii) all documents referring to risks created by financial institutions’ relationships with firearms or ammunition businesses, short-term lenders, and money services businesses.
On May 29, the House Oversight Committee released a staff report on Operation Choke Point, DOJ’s investigation of banks and payment processors purportedly designed to address perceived consumer fraud by blocking fraudsters’ access to the payment systems. The report provides the following “key findings”: (i) the operation was created by DOJ to “choke out” companies it considers to be “high risk” or otherwise objectionable, despite the fact that those companies are legal businesses; (ii) the operation has forced banks to terminate relationships with a wide variety of lawful and legitimate merchants; (iii) DOJ is aware of these impacts and has dismissed them; (iv) DOJ lacks adequate legal authority for the initiative; and (v) contrary to DOJ’s public statements, Operation Choke Point is primarily focused on the payday lending industry, particularly online lenders. The findings are based on documents provided to the committee by DOJ, including internal memoranda and other documents that, among other things, “acknowledge the program’s impact on legitimate merchants” and show that DOJ “has radically and unjustifiably expanded its [FIRREA] Section 951 authority.” The committee released the nearly 1,000 pages of supporting documents, which are available in two parts, here and here.
On May 22, House Financial Services Committee Chairman Jeb Hensarling (R-TX) sent letters to the Federal Reserve Board, the OCC, the FDIC, and the NCUA asking the regulators to explain their use of “reputational risk,” and citing Operation Choke Point as an example of the potential for “reputation risk” to become “a pretext for the advancement of political objectives, which can potentially subvert both safety and soundness and the rule of law.” Congressman Hensarling asked each regulator to explain (i) whether it consider reputation risk in its supervision of depositories, and, if so, to explain the legal basis for such consideration and why it is appropriate; (ii) what data are used to analyze reputational risk and why such data are not already accounted for under CAMELS; and (iii) whether a poor reputation risk rating could be sufficient to warrant recommending a change in a depository’s business practices notwithstanding strong ratings under CAMELS.
On April 8 the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.
On February 26, Senators Jeff Merkley (D-OR), Elizabeth Warren (D-MA), and other Democratic Senators, together with Representatives Elijah Cummings (D-MD), Maxine Waters (D-CA), and other Democratic House members, sent a letter to Attorney General Eric Holder encouraging the DOJ to “continue a vigorous review of potential payment fraud, anti-money-laundering violations, and other illegal conduct involving payments by banks and third-party payment processors.” The lawmakers highlighted a number of specific issues on which the DOJ should focus: (i) know-your-customer obligations, which they believe should include a review of whether a lender holds all required state licenses and follows state lending laws; (ii) use of lead generators, including those that auction consumer data; (iii) high rates of returned, contested, or otherwise failed debits or the regular use of remotely created checks, which they state may indicate payment fraud; and (iv) lenders’ failure to incorporate or maintain a business presence in the U.S., which they assert can be indicative of fraud and other payment system violations, including money-laundering.