Tucked away in a seeming innocuous paragraph in a complaint, the Consumer Financial Protection Bureau (CFPB) has asserted an extraordinary and potentially far-reaching expansion of its authority.

On June 6, 2016, the CFPB filed an action in a U.S. district court asserting that Intercept Corporation (Intercept) (and each of its owners) engaged in unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA). Intercept initiates ACH transactions to consumer accounts on behalf of its merchant-customers. In doing so, Intercept acts as an agent of the merchant-customer, but not as an agent to the consumer whose account is being debited. Nevertheless, the CFPB complaint states that Intercept is a “covered person” under the CFPA because it provides “payments or other financial data processing products or services to consumers[.]” The complaint also states that Intercept processes transactions resulting in the transfer of funds, via the ACH system, from the deposit accounts of consumers to pay for loans and other transactions.

This is not the first complaint/enforcement order in which the CFPB has asserted that a payment processor has engaged in an unfair or deceptive practice, but this is the first action in which the CFPB has asserted that a payment processor is subject to the CFPB’s authority under this novel reading of the definition of a “covered person” under the CFPA.

A bit of background is needed to fully appreciate the significance of the CFPB’s coverage claim. The CFPB only has supervisory and/or enforcement authority over an entity that is a “covered person” or a “service provider” to a covered person. A covered person is a person that offers or provides a consumer financial product or service, such as a loan. This includes banks and credit unions with assets more than $10 billion, and other institutions such as finance companies or mortgage brokers, if those entities offer consumer financial products or services. A consumer financial product or service includes the provision of a payment or other financial data processing product or service to a consumer. Thus, a payment processor is a “covered person” if it provides payment services to a consumer. That is, if a payment processor engages in payment services for a consumer, it is a covered person because it is offering a consumer financial product or service to the consumer

In addition, a payment processor is subject to the CFPB’s authority if it is a “service provider” and offers payment services to covered persons. Specifically, a “service provider” is a person that provides a material service to a covered person or that processes transactions relating to the provision of a consumer financial service or product by the covered person. Thus, Intercept is a service provider to the extent it processes payments for a lender who makes loans to consumers; but not if it processes payments, for example, for a health club, since a health club isn’t a “covered person” because it does not offer consumer financial products or services to consumers.

Simply stated, an entity is subject to CFPB enforcement/supervisory authority only if: (1) the entity provides payment processing services to a person that offers consumer financial products or services, or (2) the entity itself provides payment services to a consumer. Conversely, if an entity offers payment processing services to a health club, a dry-cleaning business, a bakery, or any other person that does not offer consumer financial products or services, the CFPB does not have supervisory or enforcement authority over that payment processor. Yet, in its action against Intercept, the CFPB asserts that an entity is a covered person even if it does not provide payment or other financial data processing service to consumers as long as the payment processor engages in an activity that results, for example, in a debit to a consumer’s deposit or other account. In other words, the CFPB treats an entity as a “covered person” merely because the entity processes a transaction to a consumer’s account even when the entity is processing the transaction on behalf of a merchant and not on behalf of a consumer. In the abstract, this treatment might appear to make sense, but, in the context of payments law, it is contrary to the fundamental principles on which the ACH system and other debit payment systems are based.

So what does all this mean? If the CFPB prevails in its assertion that an entity is a “covered person” if that entity provides payment processing or “other financial data processing” services to businesses that do not offer consumer financial products or services, the CFPB can assert that the entity has violated the Dodd-Frank Act provisions that prohibit unfair, deceptive or abusive acts or practices. Practically speaking, it means that any entity that processes payments (or offers other financial data processing services) is responsible for monitoring the business practices for every person it processes payments for.

Companies that engage in fraudulent transactions, such as illegally withdrawing funds from a consumer account, should be held accountable. But, Congress determined in the Dodd-Frank Act which institutions the CFPB had jurisdiction over – that is, which entities the CFPB could bring enforcement actions against. Agencies, such as the CFPB, should not be able to expand their authority beyond that established in their enabling statutes. The CFPB should heed this principle, no matter what the conduct is.