A recent US District Court decision dismissing a claim brought by the Consumer Financial Protection Bureau (CFPB) against a third-party processor and two of its executives deals a setback to the agency’s ability to pursue enforcement actions against third-party processors.1 The defendants, Intercept Corporation (Intercept) and two of its executives, had hoped for a broader victory protecting third-party processors from CFPB enforcement actions. However, the United States District Court for the District of North Dakota instead chose to narrowly focus its decision on only the pleading standards and requirements and specifically did not address larger questions of statutory construction or the constitutionality of the CFPB—arguments raised by Intercept.

The CFPB’s original complaint alleged that defendants violated the Consumer Financial Protection Act (CFPA) by engaging in “unfair acts and practices,” including the processing of transactions for clients (including consumer lenders) when defendants knew or should have known that those transactions were fraudulent and illegal. Specifically, the CFPB alleged:

  • “Defendants ignored warnings from [banks] and consumers that some of Intercept’s clients’ business activities were likely illegal or that debits were not authorized by consumers”;2
  • “Defendants failed to adequately monitor and respond to high return rates”;3
  • “Defendants ignored red flags, such as government law enforcement activity relating to its clients . . . and continued to process for these clients despite this knowledge”;4 and
  • “Defendants failed to investigate red flags during the client application process that should have caused [Intercept] to conduct further investigation or perform enhanced due diligence.”5

In its amicus brief, the Third Party Payment Processors Association (TPPPA) strongly criticized the CFPB for its attempt at what it called “one-off rulemaking” through enforcement actions, noting that enforcement actions such as this “[a]dd greater confusion, complexity and costs to the already complex and rapidly evolving electronic payment ecosystem.” Instead, the TPPPA argued that any enforcement action brought by the CFPB would necessarily require an allegation identifying a violation of the industry rules promulgated by the National Automated Clearing House Association (NACHA), which the CFPB itself acknowledged are the rules governing the conduct of third-party payment processors. According to the TPPPA, “any allegation that the payment processors engaged in unfair conduct must be grounded in an alleged violation of the NACHA Rules. Otherwise, payment processors . . . would be deprived of their due process rights.”6 Intercept and its executives similarly argued in their motion to dismiss that the CFPB failed to identify specific violations or acts to support its claim that “it is an unfair act or practice under the CFPA to process payments on behalf of a merchant in the face of certain red flags suggesting that the merchant was engaged in fraudulent or illegal practices.”7

The Order focuses its relatively succinct discussion on the issue of whether the Complaint sufficiently states a cause for “unfair, deceptive, or abusive acts or practices.” The court noted that “[w]hile the complaint indicates that Intercept was required to follow certain industry standards, it fails to sufficiently allege facts tending to show that those standards were violated,” nor does the Complaint plead “facts sufficient to support the legal conclusion that consumers were injured or likely to be injured.”8 The court further found that the Complaint failed to sufficiently identify “how Intercept’s failure to act upon [alleged] ‘red flags’ caused harm or was likely to cause harm to any identified consumer or group of consumers.”9 Accordingly, the court found that a proper claim had not been stated and dismissed the Complaint.

The ruling establishes that the CFPB must provide greater details of alleged misconduct and underlying violations of law, placing a heavier burden on the agency for bringing such actions. The court specifically compared the Complaint filed against Intercept with a 344-paragraph complaint filed in 2015 by the CFPB against payment processors and their marketers that survived a similar motion to dismiss. In that case, the Bureau “identified by name and address the thirteen merchants alleged to have been engaged in fraud over the course of sixty-five detailed allegations” and “explicitly described the alleged misconduct with statutory citations.”10

Notably, the court remained silent on important arguments involving statutory construction and the constitutionality of the agency. Intercept challenged the notion that payment processors are “covered persons” and/or “service providers” under the CFPA, and thus the CFPB could not bring an unfair act and practice claim against Intercept. The CFPA specifically defines a “covered person” as “any person that engages in offering or providing a consumer financial product or service,” and the CFPB argued that Intercept satisfied this definition by providing payments “or other financial data processing products or services to consumers by technical means, including through a payments system or network used for processing payments data.” Intercept argued, in turn, that payment processors “do not contract with individual consumers, and its consumers do not use its services for ‘personal, family or household purposes,’” as the law requires. Rather, payment processors provide services to “business customers in need of bulk ACH processing services.”11 However, the court concluded that Intercept is “a ‘covered person’ and a ‘service provider’ under the CFPA,” citing only the Complaint and the relevant statute, without any additional discussion.12

Intercept also argued that the Complaint should be dismissed in its entirety because the CFPB “is an unconstitutional entity and thus lacks authority to bring this enforcement action,” citing its structure and lack of oversight.13 The court did not address this argument at all, other than to say it may be addressed as appropriate if the CFPB decides to renew the action.

What comes next may shed light on how aggressively the CFPB will pursue enforcement actions against payment processors and others. The CFPB may see the court’s holding that the third-party payment processor in this case was a “covered person” as a green light to pursue third-party payment processors and other entities considered gatekeepers to the automated clearing house system. Such enforcement actions would be in line with the Department of Justice’s “Operation Choke Point” initiative meant to cut off access to banking services for companies considered high risk for fraud, money laundering or other violations of law.

Alternatively, because the case was dismissed without prejudice, the CFPB may renew the action, alleging additional facts in support of its allegations. A renewed action would also likely place the constitutional challenge to the CFPB back in front of the court. It would also provide an opportunity for defendants—and potentially other interested parties—to renew their challenges of some of the statutory interpretation in the court’s original order and to challenge the premise that a payment processor could be held liable under the CFPA as a “covered person” for unfair acts and practices engaged in by its merchant customers.