Merchants, Payment Processors and Financial Institutions Face Increasing Scrutiny for Unauthorized Consumer Payment Transactions

Tuesday, April 03, 2012

By Tom Quinn and Ryan Stinneford, Hudson Cook LLP

Over the past several years, consumer payment transactions and the allegedly fraudulent acts of payment processing companies and their merchant clients who process such transactions have drawn an increasing amount of attention from federal regulatory agencies and state attorneys general.  Two recent actions by the Federal Trade Commission (“FTC”)[1] and Federal Deposit Insurance Corporation (“FDIC”)[2] reinforce the importance of the statutory and regulatory requirements applicable to these transactions.  In light of this renewed focus, payment processors, merchants and financial institutions would be wise to review their existing business practices, policies and procedures to ensure that their activities are not only permissible but are also properly documented under the statutory and regulatory requirements.

What Are Payment Processors?

At their core, payment processors handle payment transactions for purchases that consumers make over the phone or online.  When providing these services the payment processor will use its bank either to deposit or create payment instruments – often in the form of “remotely created checks”[3] or automated clearing house (“ACH”) transactions[4] – that debit funds from the deposit accounts of the consumer purchasers.  Large payment processing companies may have a significant portfolio of merchant clients, resulting in a large number of such payment transactions.

Some payment processors have increased the size of their merchant client base by enlisting independent sales organizations (“ISOs”) to develop new client relationships with merchants.  While most of the merchants using payment processors are entirely legitimate, decentralized sources of merchant business development coupled with the recent economic downturn have resulted in some payment processors aligning themselves with merchants engaged in potentially illegal or fraudulent activities.[5]

Statutory and Regulatory Requirements Governing Payment Processors

Consumer payment systems are subject to a wide variety of statutory and regulatory protections.  Although the specific requirements of these protections vary, virtually all of them have two (2) underlying themes:  (a) that consumer payment transactions must be properly authorized and (b) if they are not, that the consumer must be made whole.

Several of the consumer protections are rather directly applicable to the payment processing industry, with their requirements intertwining to some degree.  The first is the Telemarketing Sales Rule (“TSR”) issued by the FTC.[6]  Under the TSR, a telemarketer must ensure that it has the consumer’s “express verifiable authorization” before attempting to collect payment.[7]  Failure to obtain express verifiable authorization is a deceptive telemarketing practice under the TSR.  Any party that provides “substantial assistance or support” to a telemarketer is also guilty of a deceptive telemarketing practice when that party “knows or consciously avoids knowing” that the telemarketer’s practices violate the requirements of the TSR.[8]  As a result, if a payment processor has turned a blind eye to the acts of its merchants conducting telemarketing services, both the merchant and the payment processor may be in violation of the TSR.[9]  Similarly, if a financial institution turns a blind eye to the acts of its deposit customers who initiate such payments, it may also be in violation of the TSR.

In addition to these requirements, Federal Reserve Board Regulation CC (which implements the federal Expedited Funds Availability Act) imposes a presentment warranty on the bank depositing remotely created checks.  Under the terms of this warranty the bank of first deposit affirms that the remotely created check was properly authorized by the consumer on whose account it was drawn.[10]  The policy behind this warranty is that, as the financial institution maintaining the deposit relationship with the party creating the remotely created check, the bank where such items are deposited is in the best position to “know its customer” and implement appropriate due diligence and transaction monitoring.  Well-advised financial institutions often contractually shift the economic risk of such warranty provisions to their merchant or payment processor depositors who are creating remotely created checks.

If the payments initiated from the consumer’s account are electronic (such as an ACH payment) additional consumer protections exist to limit the consumer’s liability for unauthorized transfers.  Under Regulation E (which implements the Electronic Fund Transfer Act) consumers have limited liability for “unauthorized electronic fund transfers.”[11]  Such transfers are those “made by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.”[12]  If a consumer claims that a transaction was unauthorized, the burden rests with his/her financial institution to prove that the transaction was properly authorized.[13]  If it cannot meet this burden of proof, the financial institution holding the consumer’s deposit account must credit the consumer’s deposit account.  As a result, if a merchant transaction to debit a consumer’s account is not properly authorized, the consumer will generally be held harmless for the transaction.

Coupled with the requirements under Regulation E discussed above are rules governing use of the ACH network.  Under the National Automated Clearing House Association (“NACHA”) rules, a financial institution that initiates ACH transactions through the ACH network (the “Originating Depository Financial Institution” or “ODFI”) is responsible for such entries.[14]  ODFIs warrant to other users of the ACH network that such entries are properly authorized under the NACHA rules, and indemnify other parties in the network including the consumer’s bank (the “Receiving Depository Financial Institution” or “RDFI”) when these warranties are breached.[15]  In the end, these warranties and indemnification serve to shift the loss for an unauthorized ACH transaction to the ODFI.  ODFIs typically shift this risk of loss by contract to the party who requested the initiation of the ACH.  To the extent that a payment processor is initiating ACH transactions through its bank, it is virtually certain that the payment processor will contractually bear the ultimate risk of loss for any unauthorized ACH transactions.  Of course, such a contractual shift of the risk of loss may not relieve an ODFI of risk, if the payment processor does not have the financial wherewithal to stand behind its contractual obligations.

The most recent regulatory pronouncements reinforce the central theme:  each party involved in the creation of these payment instruments must take steps to ensure that those directly interfacing with consumers do so in a manner that protects the consumer from losses caused by unauthorized transactions.

Recent Regulatory Actions Underscore the Need for Appropriate Due Diligence and Monitoring

In its December 28, 2011, settlement with Landmark Clearing, Inc. (a payment processor located in Texas, but transacting business on a nationwide basis), the FTC permanently enjoined Landmark Clearing from future processing of any remotely created checks or payment orders and from working with any merchant clients it knows (or should have known) were violating the TSR.

To accomplish this latter goal, the FTC settlement imposes a number of screening and monitoring obligations on Landmark Clearing, such as:

  1. Rigorous screening of prospective merchant clients to determine if their business practices violate either the TSR or the Federal Trade Commission Act;
  1. Monitoring merchant client transactions for any unusual patterns, values or volumes, and quantifying the number of transactions that might be returned and the reasons why; and
  1. Investigating merchant clients with rates of returned items exceeding 2.5% of transactions initiated, and suspending services for those clients while the investigation is pending.  Landmark is prohibited from recommencing payment processing services for such merchant clients unless and until it publishes a written report concluding that such parties are not engaged in any activities that violate either the Federal Trade Commission Act or the TSR.

Clearly the expectation of the Landmark settlement is that payment processors must ensure that the actions of their merchant clients are appropriately authorized by the consumer.

At the end of January 2012, the FDIC followed the FTC’s lead in the Landmark Clearing settlement by issuing revisions to its 2008 guidance regarding bank relationships with payment processing companies.[16]  As revised, the guidance requires FDIC-regulated institutions to (among other things):

  1. Develop an approval program for payment processor relationships that requires a background check of the payment processor, its principal owners and merchant clients.
  1. Conduct risk assessments for payment processors that:
    1. Identify the payment processor’s major business lines and customer volume;
    1. Review the payment processor’s corporate documentation, policies, procedures, and promotional materials;
    1. Determine if the payment processor resells its services to third parties and whether the processor’s due diligence procedures applied to those entities are sufficient;
    1. Include site visits to the payment processor’s operations center;
    1. Review databases to ensure that the processor and its principal owners and operators have not been the subject of any law enforcement actions; and
    1. Determine if any conflicts of interest exist between management of the payment processor and the applicable financial institution’s directors and executive officers.
  1. Have appropriate wording in its agreements with payment processors that permits the financial institution not only to gain an appropriate level of visibility into the payment processor’s operations, but also to require the payment processor to maintain adequate reserve requirements to cover anticipated charge-backs; and
  1. Monitor payment processing accounts to identify any increases in consumer complaints or an increase in the number of charge-backs (which may suggest that the merchant originating the payment transactions through the payment processor is engaged in unfair or deceptive practices).

Like the FTC settlement with Landmark, the goal of the revised FDIC guidance is to ensure that financial institutions facilitating payments from consumer accounts have sufficiently robust controls and risk mitigation techniques to ensure that “bad actor” merchants interfacing with consumers in creating unauthorized transactions, and the payment processors assisting those bad actors, are identified and weeded out of the mix.

What Happens Next?

Although these concepts (due diligence, underwriting, monitoring) are not new to the financial services industry or to the management of payment processor relationships specifically, it is likely that the recent FTC settlement and the revised FDIC guidance will prompt both financial institutions and payment processors to look at these services and merchant relationships with renewed vigor.  In the short term, this will mean increased scrutiny and documentation requirements imposed on merchants (by their payment processors), on payment processors (by their financial institutions) and on financial institutions (by the FDIC and perhaps other regulators).

Whether this approach of “trickle down regulation” will have the desired result of minimizing the number of bad actors (whether merchant or payment processor) in the payment processing system remains to be seen.  Regardless of the success of this approach, it will undoubtedly cause the systemic administrative and operating costs associated with these relationships to rise.  Given other economic constraints imposed on financial institutions, payment processors and merchants, it is probable (if not certain) that this burden will ultimately be imposed on the person that all of these regulatory requirements are designed to protect:  the consumer.

[1] On December 28, 2011, the FTC announced a settlement with Landmark Clearing, Inc. (published on the FTC website on January 5, 2012).

[2] On January 31, 2012, the FDIC issued revisions to its 2008 guidance regarding relationships with payment processors.  See:  FDIC FIL 03-2012 (revising guidance issued at FIL 127-2008).  The FDIC was not alone in issuing such guidance in 2008.  See:  OCC Bulletin 2008-12.

[3] A “remotely created check” is a check that is not created by the paying bank and that does not bear a signature of the party on whose account it is drawn.  See:  12 C.F.R. § 229.2(fff).  Also referred to as “demand drafts,” these payment instruments are authorized by a party electronically or over the telephone and usually bear a legend on the signature line (such as “Authorized by Drawer” or “Signature on File”).

[4] An ACH transaction is an electronic fund transfer (to either debit or credit funds to a deposit account) that is sent using the ACH Network.  The ACH Network is a batch processing system that accumulates ACH transactions for electronic data transmission between financial institutions.  See:  12 C.F.R. § 1005.3(b)(1) and Official Staff Comment 1005.3(b)(1)-1(ii); NACHA Operating Rules § 8.7; NACHA Operating Guidelines Section I, Chapter 1, p. OG 1.

[5] FDIC FIL 03-2012 identifies the following types of merchants that have higher incidence of consumer fraud:  credit repair services, debt consolidation and forgiveness programs, online gambling related operations, government grants or will-writing kits, payday and other forms of subprime credit, pornography, online tobacco or firearms sales, pharmaceutical sales, sweepstakes and magazine subscriptions, among others.

[6] 16 C.F.R. Part 310.

[7] To qualify as an “express verifiable authorization,” the consent must either be:  (a) in a writing signed by the consumer, (b) in an audio recording that includes (i) the number of debits to the account (if more than one), (ii) the date that each such debit will be submitted, (iii) the amount of each such debit, (iv) the consumer’s name and telephone number, (v) information that clearly identifies the account that will be debited and (vi) the date of the authorization; or (c) in a written confirmation that is sent via first class mail to the consumer before his/her account will be debited and which includes all of the data points required of an audio recording as well as a clear and conspicuous statement of how the consumer can request a refund in the event the confirmation is inaccurate.  See:  16 C.F.R. § 310.3(a)(3).

[8] 16 C.F.R. § 310.3(b).

[9] Both private and state attorneys general actions are expressly authorized for violations of the TSR.  See:  16 C.F.R. § 310.7.

[10] 12 C.F.R. § 229.34.

[11] 12 C.F.R. § 1005.6.  The amount of responsibility that a consumer may bear for an unauthorized electronic fund transfer depends, in part, on how quickly the consumer notifies the financial institution of an allegedly fraudulent transfer or the loss or theft of an access device (such as ATM or debit card) that can be used to create electronic fund transfers.  Regulation E previously was under the administration of the Federal Reserve Board.  However, rulemaking authority for this (and a number of other consumer protection regulations) was transferred to the Consumer Financial Protection Bureau (“CFPB”) pursuant to Title X of the Dodd-Frank Act.  The CFPB issued an interim final rule to effectuate this transfer on December 27, 2011.  See:  76 Fed. Reg. 81020 (Dec. 27, 2011).  The Commonwealth of Massachusetts also has a state statute governing electronic fund transfers, Chapter 167B of the General Laws.  It generally limits consumer liability for unauthorized electronic fund transfers to no more than $50.  See:  167B M.G.L.A. § 18(a).

[12] 12 C.F.R. § 1005.2(m); 167B M.G.L.A. § 1.

[13] 15 U.S.C. § 1693g(b); 167B M.G.L.A. § 18(b).

[14] NACHA Operating Rules §§ 2.1 and 2.3.1.

[15] NACHA Operating Rules §§ and

[16] This FDIC guidance also builds off guidance previously issued, at FIL 127-2008.