Processing for Debt Collectors Means Big Risk to Payment Processors and ISOs

In November 2015, the Federal Trade Commission (“FTC”) reported its spearheading of a nationwide crackdown (known as Operation Collection Protection) along with more than 70 federal and state law enforcement partners against businesses engaged in deceptive and abusive debt collection practices, which resulted in more than 115 actions being filed against debt collectors in 2015 alone.

According to the FTC, many of these actions have targeted phantom debt schemes, and the failure of some collectors to give consumers legally required disclosures and notices, or to follow state and local licensing requirements.

This should be a wakeup call to those who process payments for debt collectors, particularly in light of the government’s increasing tendency in recent years to sue payment processors alongside bad merchants for enabling consumer fraud by extending them access to the payments system – especially where authorities identify deficient merchant underwriting or monitoring practices.

But what is a “debt collector” and what practices does the law prohibit?

FDCPA Covers Third-Party Debt Collectors Who Collect Consumer Debt

The Fair Debt Collection Practices Act (“FDCPA”) (15 U.S.C. §1692 et seq.) is the primary federal law that regulates the collection activities of debt collectors. The FDCPA broadly defines a “debt collector” as any person who regularly collects “consumer debt” owed to others, or collects its own consumer debts under a different name. Thus, the FDCPA generally covers hired or “third party” collectors, but not “first party” collectors (including company officers and employees) working internally to collect a consumer debt on behalf of an “original creditor.”

“Consumer debt” means personal, family, and household debts, such as money owed by a consumer on a personal credit card account, a car loan, a medical bill, or a mortgage, but does not include debts owned by businesses or by individuals for business purposes.

“Debt collectors” covered by the FDCPA include collection agencies, lawyers who collect third party debts on a regular basis, any company that regularly collects consumer debts for an unrelated company, and companies that buy delinquent debts and then try to collect them.

On the other hand, the FDCPA does not cover banks, credit card issuers, doctors, healthcare service providers, and other parties that collect: their own debts in their own name; debts which they originated and sold but continue to service (such as mortgage and student loan debts); or debts that were not in default when obtained by the purchaser.

FDCPA Prohibits Covered Parties from Using Abusive, Deceptive, and Unfair Practices to Collect Consumer Debt

The FDCPA prohibits debt collectors from engaging in conduct that harasses, oppresses, or abuses the debtor or any third party they contact.

Prohibited activities include threatening arrest, or threatening any other legal action against a debtor (e.g. wage garnishment or property attachment) unless they are permitted by law to take the action and intend to do so; and/or using deceptive means to collect a debt, including but not limited to publishing false credit information about a debtor, using “official-looking” documents to mislead the debtor, or using a false company name.

The FDCPA also prohibits covered parties from collecting “any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.” (§1692(f)(1).) Most courts read this section to flatly prohibit debt collectors from charging transaction or convenience fees to consumers for accepting debit or credit cards to pay their debt unless expressly permitted under the contract that created the debt, or applicable state law. A number of other states have also enacted their own laws prohibiting debt collectors from charging such transaction fees, including Colorado, Washington and Wyoming among others.

“Original Creditors” Are Now Subject To Many Of The Same Standards Pursuant To The Consumer Financial Protection Act (“CFPA”) And Various State Statutes

The Consumer Financial Protection Bureau (“CFPB”) has also endeavored in recent years to extend many of these same standards to “first-party” debt collectors pursuant to its authority under the CFPA (Title X of the Dodd-Frank Act) to prevent “unlawful, deceptive, and abusive acts and practices” (“UDAAPs”). CFPB has repeatedly taken the position that many of the same types of activities proscribed by the FDCPA often constitute UDAAPs. Moreover, CFPB has plainly stated: “Original creditors and other covered persons and service providers under the Dodd-Frank Act involved in collecting debt related to any consumer financial product or services are subject to the prohibition against UDAAPs in the Dodd-Frank Act.” (CFPB Bulleting 2013-07.) Thus, while the FDCPA does not cover “first-party” collectors, CFPB has interpreted the CFPA’s prohibition against UDAAPs to embrace the same essential standards.

Furthermore, a federal district court in Georgia has recently agreed with CFPB and held that payment processors may be directly liable as service providers under the CFPA for proximately causing consumer injury if they process payments for merchants engaged in fraudulent activity that should have been detected by appropriate underwriting or monitoring practices.

State Law Varies Widely In Its Treatment Of Debt Collection Activities

Of course, the FDCPA’s protection extends to consumers in every state. Yet many states, including California, have also enacted their own consumer protection statutes (e.g. the California Fair Debt Collection Practices Act) extending many of the same prohibitions contained in the FDCPA to “original creditors.” Moreover, each state and U.S. territory has different licensing requirements for collection agencies, attorneys, and debt buyers, further complicating the legal backdrop against which such businesses operate.

Card Brand Rules Are Less Than Clear

MasterCard Rules prohibit a “Merchant from submitting to its Acquirer, or a Customer from submitting to the Interchange System, any Transaction that: 1. Represents the refinancing or transfer of an existing MasterCard Cardholder obligation that is deemed to be uncollectible; or 2. Arises from the dishonor of a MasterCard Cardholder’s personal check.” However, MasterCard Rules permit a Merchant to “submit a transaction with MCC 6051 (Quasi-Cash-Merchant) for the payment of an existing Cardholder obligation owed to the Merchant.” (MasterCard Rules (11 Dec. 2014), Rule 5.9.5 at p.85.)

While MasterCard does not define the phrase, a debt typically is “deemed to be uncollectible” when it has virtually no chance of being paid, and has been written off and/or farmed out to a collections agency by the original creditor. Thus, MasterCard Rules appear to prohibit a Merchant from accepting MasterCard in connection with “third-party” collection activities, but permit a Merchant to accept MasterCard in connection with “first-party” collection activities.

So, for example, it appears fairly clear that a dentist may charge a patient’s card for the past due balance on a root canal, or a lawyer may charge a client’s card for a past due services invoice, without violating MasterCard Rules, provided they use MCC 6051 for the transaction.

The result is murkier under Visa Rules.

Visa Core Rules prohibit a Merchant from accepting its cards to “collect or refinance an existing debt unless either: the Transaction results from the conversion of a Merchant’s existing card program to the Visa Program;” or “the Merchant is a government agency and the Transaction represents a loan payment.” (Visa Rules (Apr. 15, 2015), Rule 1.5.5.4 at p. CR-59.) Yet a standalone paragraph in the same Rule further states that:

At the option of Visa, a Merchant may accept a Visa Card … as payment for an existing debt. A Merchant must not accept a Visa Card … as payment for a debt that is considered uncollectible (for example: payments to a collection agency). This does not apply to a US Merchant.

(Rule 1.5.5.4 at p. CR-59.)

Okay, so what does that mean?

The ambiguous drafting of the latter clause means that Visa may subjectively interpret the Rule to permit or prohibit such transactions at its whim. As drafted, it is unclear whether or not the dentist or lawyer in our foregoing example can accept Visa as payment for an existing patient/client debt, and/or whether or not lawful debt collection agencies or other “third-party” debt collectors that comply with US law are acceptable Visa merchants, or may be under certain circumstances.

American Express identifies “debt collection agencies” as a prohibited merchant category (MCC 7322). But what exactly is the scope of that classification? Again, the lack of an accompanying definition means that American Express may subjectively interpret the term “debt collection agencies” to prohibit a far broader range of merchants than the name of the classification might otherwise imply.

Of course, MasterCard, Visa and American Express all plainly prohibit their acquirers from submitting any illegal or brand-damaging transactions to the payments system. Thus, given the complexity of the legal landscape surrounding collections activities, processing for debt collectors always carries a heightened risk of running afoul of both the law and the card brands, even in the case of “first-party” collections.

Consequences of Deficient Underwriting and Monitoring

In March 2015, the CFPB filed suit in US District Court for the Northern District of Georgia against several individuals and companies (the “Debt Collectors”) for running a fraudulent debt collection scheme using deceptive, abusive and unfair practices to trick consumers into making debit and credit card payments on “phantom debt” (i.e. debt that was not owed) in violation of both the FDCPA and CFPA, in an action styled CFPB v. Universal Debt & Payment Solutions, LLC, et al., Civil Case No.1:15-cv-00859-RWS.

CFPB also sued the payment processor and two of its ISOs (the “Payment Processors”) for boarding Debt Collectors, and allegedly failing to discharge their respective merchant underwriting and monitoring obligations. Notably, CFPB contends Payment Processors are both (1) directly liable for their own unfair practices as “service providers” under the CFPA, and (2) secondarily liable for “substantially assisting” Debt Collectors’ scheme, based on their role in facilitating the Debt Collectors’ access to the payments system by approving and continuing to process for Debt Collectors in plain violation of their own merchant underwriting and monitoring policies.

Among other things, CFPB alleges that Payment Processors approved Debt Collectors as merchants despite the fact they listed home addresses as purported business locations on their merchant applications, faxed their applications from a FedEx Office, listed the same business addresses for different businesses, and had an ex-felon for a CEO, who shared the same home address with another of Debt Collector’s principals who had low income and bad credit; and despite the fact the processor specifically identified “collection agencies” as “prohibited merchants” under its own credit policy.

CFPB further alleges that Payment Processors continued to process payments for Debt Collectors, despite high chargeback rates, detailed chargeback complaints of UDAAP violations and other fraudulent activity, and evidence of factoring, and even after MasterCard issued a MATCH alert for one defendant, Visa prohibited another defendant from using its network, and Discover demanded the termination of another of defendant’s merchant accounts.

Significantly, in September 2015, the district court denied Payment Processors’ motion to dismiss the action, holding that CFPB’s allegations plausibly supported its claims against them. As the district court stated: “[Payment Processors] knew the risks debt collectors pose, had a duty to investigate suspicious activity, and in the face of numerous warning signs of a debt-collection scheme permitted the Debt Collectors to continue to process payments anyway. In this way [Payment Processors] facilitated the Debt Collectors’ unlawful acts by giving them the tools they needed to use bankcard information to draw on consumers’ accounts-predictable consequences of ignoring consumer complaints about unauthorized charges and signs the debt-collection merchants were not legitimate businesses.”

The action is still pending

Yet given the government’s intense focus on the debt collection industry, and avowed eagerness to extend liability to processors who knowingly or recklessly facilitate bad merchants’ access to the payments system, we should certainly expect to see more payment processor and ISO defendants in further actions by the CFPB, FTC and other federal and state regulatory authorities as they continue to move forward with Operation Collection Protection in 2016.