The Federal Trade Commission (FTC) announced a settled action on April 22 with Canadian company RevenueWire (the Company) and its CEO to resolve allegations that the Company assisted and facilitated two tech-support scams that the FTC had previously targeted. Under the alleged scheme, consumers were marketed tech support services to “fix” nonexistent computer problems, leading to hundreds of millions of dollars of consumer injury. The FTC’s complaint and consent judgment maintain that, in addition to serving as a lead generator for the alleged fraudsters, the Company processed consumer credit card charges on their behalf.
For traditional payment processors and fintech companies, the complaint’s most significant allegations are that the Company did not do enough to prevent fraud and failed to exercise due diligence to monitor the propriety of its customers’ activities. Admittedly, this was an extreme case where, in the FTC’s view, the Company existed largely to further the tech-support frauds. However, of note are the legal theories in the case that the FTC asserts regarding its authority to impose secondary liability for allegedly deceptive practices through the “unfairness” doctrine under Section 5 of the FTC Act along with the explicit “substantial assistance” provisions of the Telemarketing Sales Rule (TSR).
The FTC’s renewed use of its unfairness authority to pursue payment processors should be of particular interest; the agency began aggressively using this secondary liability theory in 2008, and the US Court of Appeals for the Ninth Circuit has endorsed its use. This theory has also played a key role in past FTC settlements made in conjunction with other federal agencies and state attorneys general and consumer protection agencies. At the same time, the FTC has employed it more sparingly in recent years. Should the agency—or the myriad other state and federal enforcement authorities that have “unfairness” authority under consumer protection laws prohibiting unfair and deceptive acts and practices (UDAP)—seek to use this theory more broadly going forward, startups, including smaller fintech companies, and those partnering with them should take careful note.
There is an important lesson here for companies in the rapidly evolving fintech space. These developing companies sometimes lack the compliance infrastructure that banks and large nonbank payment processors have, which likely would be necessary to avoid compliance missteps under the FTC’s broad legal theories used in this case. For example, the consent judgment against the Company and its CEO, in addition to imposing a civil money penalty of $6.75 million alongside compliance reporting and recordkeeping obligations, mandates enhanced screening of the Company’s current and prospective customers. These screening requirements are extraordinarily detailed and include ongoing monitoring of the Company’s clients’ chargeback and return rates, thorough investigations of clients with high levels of either, and an obligation that the Company cease processing sales transactions for any suspect customers unless it can prove that the customer is not violating the UDAP laws or the TSR.
Although onerous, to a certain extent, the requirements imposed upon the Company in this settlement offer a playbook for third-party payment processors regarding the FTC’s apparent views on the minimum required due diligence and ongoing monitoring activity. Smaller payment processors and fintech companies may consider adopting at least some of these in their own compliance programs and clearly document why others were not undertaken.