Washington, D.C. (May 25, 2021) -  On March 3, 2021, the Consumer Financial Protection Bureau (CFPB or Bureau) filed a lawsuit that has significant implications for the payment processing industry. The complaint alleges that BrightSpeed Solutions, Inc. and its founder and former chief executive officer, Kevin Howard, (collectively BrightSpeed) knowingly processed payments for companies that purported to offer technical-support services and products over the internet, but actually tricked consumers into purchasing expensive and unnecessary software or services. The Bureau's action is based on the CFPB's broad authority over unfair, deceptive, or abusive acts or practices (UDAAP) in violation of the Consumer Financial Protection Act of 2010, and deceptive telemarketing practices in violation of the Telemarketing Sales Rule. The case suggests a new CFPB aggressiveness in enforcement actions against payment processors that should be a signal for heightened awareness in the marketplace.

Specifically, the Bureau charges BrightSpeed with UDAAP violations for providing substantial assistance to its customers, whose actions violated telemarketing regulations. Additionally, the Bureau alleges that Brightspeed's actions or practices violated provisions of the Dodd-Frank Act in unfairly processing hundreds of payments from consumers who were defrauded into purchasing unnecessary anti-virus software and services.

What makes the case significant for processors is that the Bureau's allegations are not the standard charge of fraudulent acts committed directly against consumers, but instead that BrightSpeed processed payments for merchants that committed the fraud. The complaint alleges that the return rate on transactions processed by BrightSpeed averaged between 22% and 24%; the Bureau compared this to the return rates for typical clearing house transactions. The National Automated Clearing House Association (NACHA), which sets the rules for clearing house transactions, has set a limit of 15% as the maximum return rate for legitimate business transactions. Anything above this level of returns would require an investigation, according to NACHA rules. The Bureau used the NACHA analogy to raise a red flag that BrightSpeed should have been more diligent in its operations.

BrightSpeed's willingness to turn a blind eye to this and several other indicia of fraudulent activity engaged in by its customers forms the basis of the Bureau's complaint. The CFPB alleges that BrightSpeed failed to monitor and promptly suspend bad actors among its clients after learning that they were likely defrauding consumers or engaging in other illegal activity. Further, the complaint alleges, BrightSpeed failed to put reasonable controls in place to meaningfully vet its clients and rarely investigated disputed transactions.

Implications for Payment Processors

BrightSpeed has not yet answered the complaint, and the litigation is far from over. But the complaint shows that the payment processing industry is on the Bureau's radar and that the CFPB is prepared to prosecute companies based on a failure to exercise oversight of customer practices.

The complaint also indicates that the Bureau is once again bringing enforcement actions not because a specific regulation was violated, but based on acts or practices that it considers unfair or abusive to consumers. These developments raise questions as to how much diligence and oversight a payments processor must implement in dealing with its customers. Is its function to process payments in an orderly fashion, or is it responsible for policing the actions of its customers? These are serious questions for payment processors to consider, particularly in light of the CFPB's newly reinvigorated enforcement aggressiveness under its broad and controversial UDAAP authority.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.