On July 9, 2015, the Consumer Financial Protection Bureau ("CFPB") continued its focus on payment processing and joined the Federal Reserve's efforts to develop faster and more secure payment systems by releasing its "Vision of Consumer Protection in New Faster Payment Systems" ("Principles"). Although the CFPB has expressed its support for faster payments, FinTech businesses and other industry stakeholders should heed the CFPB's warning that they must consider consumer protection issues, including data privacy and security, fraud prevention, and error resolution. The warning carries the weight of enforcement actions in which the CFPB recently held payment processors responsible for harm caused by others. The CFPB's Principles, coupled with its most powerful and versatile tool - the power to take action against unfair, deceptive, and abusive acts and practices ("UDAAPs") - puts the industry on notice that they cannot wait for more detailed prescriptive guidance or regulations, and instead, must adapt to the CFPB's evolving policy and enforcement approach.
CFPB Jurisdiction Over Payment Systems and Recent Enforcement Actions
The CFPB has broad enforcement jurisdiction over businesses that violate federal consumer financial laws. Because most regulations are behind the rapidly developing innovations in the payment systems space, the CFPB will likely wield its flexible UDAAP authority to regulate FinTech businesses. That authority covers any entity that offers or provides a consumer financial product or service ("covered persons" under Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act).1 The list of consumer financial products and services in Title X includes payment processing:
[P]roviding payments or other financial data processing products or services to a consumer by any technological means . . . or through any payments systems or network used for processing payments data, including payments made through an online banking system or mobile telecommunications network . . . .2
The CFPB has increased its scrutiny of FinTech businesses during the past twelve months. During the summer of 2014, it launched an inquiry into mobile-financial services,4 and began accepting consumer complaints about mobile wallets5 and virtual currencies.6 The CFPB's jurisdiction may also extend to shareholders, joint venture partners, service providers, and individuals connected to "covered persons" even if they don't directly touch consumers.3
In November 2014, CFPB Director Richard Cordray foreshadowed enforcement actions against businesses providing electronic payment systems in his remarks at The Clearing House:
[W]e have concerns that electronic payment systems can be misused to victimize consumers unless banks and the system administrators work to police and enforce safeguards. * * * We must shine a light on the murkier corners of electronic payment systems and related practices, and we must be vigilant about preserving consumer protections no matter how these approaches may evolve in the future.7
More recently, in April 2015, the CFPB sued a group of companies that allegedly harassed consumers to collect phantom debts. The lawsuit notably named payment processors and telemarketing companies that provided services to the debt collectors. The CFPB's theory is that "by enabling the debt collectors to accept payment by credit and debit card, the payment processors helped to legitimize the collectors' business and facilitated millions of dollars in ill-gotten profits."9 One month later, the CFPB filed its first lawsuit involving FinTech payment processing, alleging that Sprint Corporation unfairly harmed consumers by recklessly processing unauthorized charges for fraudulent merchants.8
Federal Reserve Payment System Policy Initiatives
The CFPB's actions are part of a broader federal effort to improve (i.e., regulate) payment systems. As noted in our prior client advisory "US Policy Developments in FinTech and Payment Systems: Federal Reserve Establishes Task Force on Faster Payments and Secure Payments," the Federal Reserve is in the process of developing its own principles for a faster, safer payment system. The Federal Reserve established five desired outcomes for an improved payment system:
- A ubiquitous, safe, and fast electronic solution for processing commercial and personal payments;
- Robust system security and incident response protocols;
- Heightened efficiency through a larger proportion of electronic payments;
- A greater degree of international payment processing; and
- Collaboration across all payment system participants.
Part of the Federal Reserve's strategic approach is the creation of its "Faster Payments Task Force," which is tasked with identifying and evaluating alternative approaches for implementing safe, ubiquitous, faster payments capabilities in the US. The charter of the Faster Payments Task Force provides that the Chair of the Task Force will be advised by a Steering Committee consisting of approximately 15 elected Task Force members, one of which is a representative of the CFPB. This structure, together with the CFPB's growing interest in the payments industry, will likely strengthen the prevalence of consumer protection mechanisms in innovative approaches to faster payments.
The CFPB's Principles for Consumer Protection in New Payment Systems
The CFPB's vision for ensuring consumer protection in emerging payment systems consists of nine principles:
- Consumer Control. Payment systems must allow consumers to authorize when, how, and under what terms a payment is processed. Such authorization must be reliable and secure as to all aspects of a transaction.
- Data Security and Privacy. The risks involved with data collection, transmission, and storage must be well managed and transparent. Proper protections against unauthorized access and misuse must be implemented.
- Fraud Protection and Error Resolution. Payment systems must contain mechanisms for identifying fraud and reversing erroneous and unauthorized transactions.
- Transparency. Consumers should have access to real time information about the status of transactions, including confirmations of payment, receipt of funds, funds availability, and security measures.
- Cost. Use of payment systems must be affordable and fees must be disclosed in a manner that allows consumers to compare available payment options.
- Access. Payment systems must be widely accepted by businesses and consumers, while also maintaining security protocols and preventing unauthorized access and misuse.
- Funds Availability. Faster payment systems should provide greater access to funds, which decreases the risk of overdraft and declined transactions.
- Security and Payment Credential Value. Payment system architecture must include features that help detect and limit errors and unauthorized transactions. The use of credential value limits is one method of securing transferred and stored data.
- Accountability Mechanisms. Participants must be held accountable for the risks, harm, and cost they introduce to payment systems. Incentives should be implemented to encourage participants to prevent and correct fraudulent or erroneous transactions and other misuse.
The substance of the CFPB's Principles is in many ways similar to that which underlies the Federal Reserve's strategies for achieving its stated desired outcomes in improving US and global payment systems. Each agency advocates for a fast, dynamic, and globally accessible payment system, but emphasizes security and consumer protection, particularly with respect to data security and privacy, consumer education and access, and cost efficiency.
Enforcement Implications and Industry Best Practices
The CFPB's Principles, viewed in light of the evolving policy and enforcement context in which it was released, is instructive as to what the industry can expect looking forward and what actions it might take to best prepare.
- Heightened Enforcement Activity. The CFPB's scrutiny of FinTech businesses and recent enforcement actions demonstrate that the CFPB will not be shy in bringing enforcement actions against FinTech businesses. With the release of its Principles, the CFPB has put the industry on notice as to the areas of focus the CFPB will be concerned with and where UDAAP actions may focus.
- Flexible Compliance Options. FinTech businesses that analyze their product offerings and compliance programs holistically will likely face less scrutiny, and bear lower regulatory risk, than their industry counterparts. Rather than enumerate prescriptive standards for how policies and procedures ought to be implemented, the CFPB, in recognition of the evolving FinTech space, and likely to preserve its own enforcement and UDAAP flexibility, stated, "a variety of system components, including system architecture, operator covenants and warranties, requirements for participants and intermediaries, rules, and other mechanisms may play critical roles in providing consumer protection, utility, and value."10 Thus, each FinTech business will need to tailor its compliance to its individual circumstances in a way that maximizes business flexibility and minimizes regulatory risk.
The FinTech and payment systems industries, and their regulatory regimes, are undergoing dramatic innovation and change. As evidenced by the CFPB's recent actions, the emerging payments authorities, and the commonality of issues and concerns among the regulators, consumer protection must be a key element to any successful payments approach. Given the CFPB's track record of bringing after-the-fact UDAAP enforcement actions, FinTech businesses and other industry participants should consider consumer protection risks, especially data privacy and security, fraud prevention, error resolution, and what may be deemed unfair, deceptive or abusive practices in light of the CFPB's Principles, when developing their payment systems and their compliance programs.