The United States District Court for the District of North Dakota recently dismissed the Consumer Financial Protection Bureau’s (CFPB) complaint against a payment processor, Intercept, in a case McGuireWoods has been monitoring. The Court held that the CFPB failed to adequately plead an unfair, deceptive, or abusive act or practice under the Consumer Financial Protection Act (CFPA). According to the Court, the CFPB failed to show that Intercept violated any industry standards, injured any consumers, interfered with consumers’ ability to understand the terms of their dealings with Intercept’s clients, or took unlawful advantage of consumers.

In CFPB v. Intercept Corp., the CFPB alleged that Intercept violated the CFPA by failing to heed warnings from banks and consumers, failing to monitor and respond to high return rates, and failing to investigate red flags when vetting its clients. The Court’s decision hinged on whether the CFPB alleged facts sufficient to meet the definition of “unfair” and “abusive” acts in the CFPA. According to the CFPA, an act is “unfair” if it substantially injures consumers, or is likely to do so, and the injury is not outweighed by countervailing benefits to consumers. An act is “abusive” if it interferes with a consumer’s ability to understand the terms of a consumer financial product or takes unreasonable advantage of a consumer’s lack of understanding.

The CFPB’s complaint failed for a lack of detail. As the Court explained: “A close review of the complaint yields a conclusion that the complaint does not contain sufficient factual allegations to back up its conclusory statements regarding Intercept’s allegedly unlawful acts or omissions.” The Court summed up the paucity of detail in the CFPB’s complaint: “The Complaint simply does not sufficiently identify particular clients whose actions provided ‘red flags’ to Intercept or how Intercept’s failure to act upon those ‘red flags’ caused harm or was likely to cause harm to any identified consumer or group of consumers.”

We previously wrote about the broader implications of the CFPB’s case against Intercept, specifically the issues raised in briefs filed by Intercept and the Third Party Payment Processors Association (“TPPPA”) in support of the motion to dismiss. We highlighted two issues in particular implicated by the Court’s order: (1) whether unfair acts and practices under the CFPA required direct interaction with consumers; and (2) whether unfair acts and practices had to be predicated on underlying rules violations. While the Court’s order dismissing the CFPB’s complaint does not tackle these issues head-on, it provides some guidance and indicates that in suits against payment processors the CFPB must do more than simply allege that a payment processor harmed consumers.

On the question of whether violations of the CFPA require direct interactions with consumers, the court’s opinion is a mixed bag. Intercept and the TPPPA both argued that payment processors are not “covered persons” within the meaning of the CFPA because they do not offer services directly to consumers. The Court tacitly rejected the argument that payment processors can never be considered “covered persons” under the CFPA, finding that the CFPB alleged sufficient facts that if proven would support a finding that Intercept was a “covered person.” But the Court’s holding demonstrates that the CFPB must do more than merely allege that a payment processor’s conduct harmed a consumer. According to the Court, the CFPB must allege harm to an “identified consumer or group of consumers.” The nature of payment processors’ business, which is inherently not consumer-facing, could render proving harm to particular consumers difficult.

The Court likewise did not definitively hold that the unfair acts or practices under the CFPA must be predicated on violations of underlying rules or regulations, but its holding does signal that the CFPB cannot merely allege the existence of industry rules and standards in order to state a claim. Rather, the CFPB must allege facts showing that a defendant’s conduct violated those rules. This requirement comports with the TPPPA’s concern that absent a requirement of a rule violation, payment processors could be liable for conduct that “was not unlawful or forbidden by the rules in place at the time of the alleged conduct.”

What’s next? The Court dismissed the CFPB’s complaint without prejudice, meaning that the CFPB can attempt to re-plead its complaint with sufficient detail. But the Court’s order teaches that sufficient detail in this case requires a showing that Intercept violated a particular rule that harmed an identifiable group of consumers. If future courts follow the district court of North Dakota’s lead and find that payment processors can be liable under the FCPA, they should impose, at a bare minimum, the same standards exacted by the North Dakota court in dismissing the CFPB’s complaint against Intercept. Otherwise, the CFPB could pull within its purview companies that have no direct contact with consumers, whose actions do not harm consumers, and whose actions did not violate any established standard or rule.