This week the Consumer Financial Protection Bureau (“CFPB”) announced the first-ever civil enforcement action alleging that payment processors substantially assisted in a fraud because they processed debit and credit payments by consumers who were tricked out of their money by phony debt collectors who targeted the victims through robo-calls. Although the CFPB does not allege that the payment processors were complicit in the phony debt collectors’ scheme, it nonetheless seeks to hold the payment processors responsible for assisting in the fraud because they “knew, or should have known, that the Debt Collectors were engaged in unlawful conduct.” In other words, the payment processors are alleged to have enabled the fraud because they failed to respond to red flags and identify those transactions as fraudulent.
The Complaint, filed under seal on March 26, 2015 and unveiled earlier this week, describes a scheme in which debt collectors, using aliases and placing automated phone calls to consumers, deceived them into believing that they had to pay debts that they in fact did not owe. According to the Complaint, the calls were threatening and harassing, and were made through a telemarketing company.
In announcing the enforcement action, CFPB Director Richard Cordray noted that in the regulators’ view, the payment processors shared culpability with those actors who are alleged to have designed and carried out the underlying fraud: “The ringleaders of the scheme, the telemarketing company that broadcast millions of robo-calls, and the companies that processed the payments should all be held accountable for taking advantage of vulnerable consumers.”
The CFPB’s Complaint charges four entities for their role in processing the fraudulent transactions: (1) Electronic Merchant Services (“EMS”); (2) Global Payments Inc. (“Global Payments”); (3) Pathfinder Payment Solutions (“Pathfinder”); and (4) Frontline Processing Corp. (“Frontline”). While EMS and Global Payments are themselves payment processors, Pathfinder and Frontline are independent sales organizations that contract with Global Payments to provide marketing services, as well as screening and monitoring processing activity to detect fraud and manage risk.
According to the Complaint, each of these entities is a “covered person” and a “service provider” under the Consumer Financial Protection Act (“CFPA”), 12 U.S.C. §§ 5481(15)(A)(vii), (26). The Complaint alleges that the payment processors violated the CFPA in two ways. First, they “knowingly or recklessly provided substantial assistance” to the unlawful conduct of the debt collectors, under 12 U.S.C. § 5536(a)(3). Second, their practices constituted “unfair acts or practices,” under 12 U.S.C. §§ 5531(a) and (c)(1), and 5536(a)(1)(B), in that they provided material services to the debt collectors and failed to conduct reasonable due diligence that would have detected the debt collectors’ unlawful conduct, and this caused, or was likely to cause, “substantial injury to consumers that was not reasonably avoidable by consumers and was not outweighed by countervailing benefits to consumers or competition.”
The Complaint alleges that the payment processors facilitated the fraud in part because, by enabling the debt collectors to accept credit and debit card payments, the payment processors gave the debt collectors an “air of legitimacy,” which helped convince consumers that the debt collectors were credible merchants. The Complaint also maintains that the payment processors are liable in part because they violated their own policies and procedures designed to minimize their own credit exposure that results from chargebacks associated with disputed or fraudulent charges. In other words, the CFPB alleges that if the payment processors were following their own policies and procedures, they should have picked up on the red flags that the debt collectors’ activities presented.
According to the payment processors’ policies, collection agencies are high-risk or prohibited merchants that warrant enhanced scrutiny, but the Complaint alleges that none was applied. The Complaint further alleges that Pathfinder and Frontline (on behalf of Global Payments) and EMS were each deficient in their underwriting and risk monitoring, and the Complaint sets forth a series of facts and circumstances that, if properly monitored and investigated by Pathfinder and Frontline, would have alerted them to the fraud. The Complaint also alleges that Global Payments, Frontline and Pathfinder failed to monitor the recurring chargeback activity that should have raised red flags and alerted them to the fraud.
In concept, the Complaint is similar to the U.S. Department of Justice’s “Operation Choke Point” initiative, which sought to hold banks responsible for failing to stop third-party payment processors from making ACH withdrawals. Both enforcement strategies target parties who may not be participating in illegal activity but are deemed responsible because they should have known the conduct was illegal and acted to prevent it rather than facilitate it. But the CFPB’s Complaint is also consistent with a larger trend in the current enforcement environment, especially in the financial services industry, where the failure to monitor suspicious activity and respond to red flags can carry more serious consequences than the underlying conduct that went unchecked.