After a busy 2018, the Federal Trade Commission (FTC) has lost no time in making known its investigation and enforcement priorities for 2019. In a recent blog post, the FTC highlighted the areas that will likely guide its enforcement priorities for the remainder of the year.
Understanding these priorities is critical for the payments industry – over the years, the FTC (and other regulators) have targeted payment processors and ISOs for the allegedly fraudulent activities of their merchant clients. Payments companies are expected to perform diligence on their merchants and monitor transactions for signs of suspicious or unlawful activity. Payments companies should heed the FTC's statement of priorities for 2019 by reviewing their compliance policies and procedures and ensuring appropriate safeguards are in place to mitigate potential risk.
FTC's Areas of Focus Relevant to Payments
The FTC has affirmed its commitment to challenging unsubstantiated health claims in connection with the sale and marketing of various products and services. This focus is important for payment processors that work with merchants that sell or market dietary supplement, food, and other products touting health benefits. When consumers are induced to purchase products based on deceptive or misleading health claims, the payments processor may be caught in the crossfire for facilitating transactions. To mitigate risk, payments companies should implement robust underwriting and diligence programs aimed at verticals that are susceptible to deceptive or misleading claims, such as dietary supplements and anti-aging remedies. Any company that seeks to process for merchants making health claims should perform thorough due diligence on the merchants and their claims and marketing practices, in addition to ongoing monitoring of transactions for red flags, such as high chargeback ratios and return rates.
For payment processors that work with negative option and continuity merchants, the FTC's blog post confirms that regulators will continue to take an aggressive approach to merchants that market "free trials" and similar programs. The Restore Online Shoppers' Confidence Act (ROSCA) prohibits any post-transaction third-party seller from charging any financial account in an internet transaction without clearly disclosing all material terms of the transaction and without the consumer's express consent to the charge. This applies to online sellers of "negative option" features that stipulate that a consumer's silence or failure to affirmatively cancel or reject the products or services constitutes acceptance.
The FTC has previously sued payment processors in connection with their processing for online sellers that violated ROSCA. And, as we noted in a recent blog post, Mastercard recently issued its own bulletin tightening the requirements for processing for merchants in the negative option and continuity space. The bottom line is that payments companies that process for these types of merchants should ensure that the merchants' sales and marketing practices comply with applicable legal and card brand requirements.
The payments industry should continue to monitor the FTC's interest in how financial technology plays a role in enabling consumer access to financial services and products. The FTC has warned that "fraudsters often try to sneak in the side door" through new financial technologies that result in consumer injury. The FTC's blog post cited a recent case against a peer-to-peer lender in which customers were allegedly charged additional amounts despite an advertisement of "no hidden fees." The amended complaint also alleges internal documentation of issues of unauthorized money transfers from consumers' bank accounts and complaints about the payoff process and payment processing in general. The FTC has also gone after a mobile payment service for failing to disclose material information pertaining to the availability of consumers' funds. These cases underscore how important it is for payments companies to evaluate the adequacy of their own consumer disclosures (if consumer facing), particularly as they pertain to material terms or limitations, and to remain vigilant about monitoring for potential red flags and complaints.
Data Security and Protection
As it has in the past, the FTC will continue to bring cases focused on privacy and data security concerns. This has become an important issue for payments companies, especially following the Consumer Financial Protection Bureau's 2016 enforcement action against Dwolla, in which the CFPB alleged that the payments company had misrepresented to the public its data security practices. So, what might an FTC investigation of a payment processor focus on? In addition to any misrepresentations of data security, a natural question would be whether the processor followed reasonable standards for the industry, including, for example, the Payment Card Industry Data Security Standard (PCI DSS). The FTC may dig even deeper into what safeguards a processor has implemented, what areas for improvement were highlighted by independent audits or assessments in years past, and what programs and plans for remediation a processor instituted in response to these third-party opinions.
What Does This All Mean for Payments Companies?
The FTC has unveiled an ambitious consumer protection mandate for 2019. Previous lawsuits that sought to hold payment processors jointly and severally liable for the harms to consumers serve as notice to the payments industry that passivity and a lack of knowledge of illegal activity are not a shield from regulatory scrutiny. Although the potential for merchant fraud and bad acts remains a reality, payment processors can take steps to mitigate risk by performing diligence on their customers' business structures and monitoring merchant transactions for indications of illegitimate activity. In addition, we cannot overstate the importance of establishing a compliance management system that sets company-wide compliance responsibilities, requires robust due diligence at underwriting, implements internal policies and monitoring, and ensures corrective action is taken when the need arises.