Gov't Relations Newsletter: Regulatory Quick Hits to Prepare You for Level Up 23

Posted By: Brian Reddoch APP Dispatch, Government Relations,

By: MAC Government Relations Strategic Information Group


As we head to MAC Level Up 23, recent developments in Washington have left no shortage of new cases, regulatory updates, or legislative proposals that impact merchant processing and related services.   Here are a few issues that have been among our most-discussed topics in recent months and make great conversation starters among your friends at MAC.

Transaction Routing.  On October 3, 2022, the Federal Reserve finalized a rule expanding Regulation II (Debit Card Interchange Fees and Routing), the implementing regulation for the Durbin Amendment.  The final rule (effective July 1, 2023, requires online (card not present) debit card transactions to be enabled for processing on at least two unaffiliated payment card networks.  In order to comply with the rule, issuers must enable at least two unaffiliated payment card networks to process an electronic debit transaction for each geographical area, specific merchant, particular type of merchant, and particular type of transaction, and does not restrict merchants’ ability to route such transactions over any such network. The requirement of at least two enabled and unaffiliated payment card networks does not require the condition to be satisfied for each method of cardholder authentication (e.g., signature, PIN, biometrics, any other method of cardholder authentication).

Dark Patterns.  “Dark Patterns” are manipulative tactics that induce consumers to complete an action that they would not have otherwise completed if they understood what they were acting on at the time.  In an increasing number of law enforcement actions, the FTC and the CFPB have invoked dark patterns allegations against merchants who enrolled consumers in subscription programs without their knowledge or consent or sneaked items into to the consumer’s shopping cart.  In November 2022, for example, the FTC entered into a $100 million settlement with Vonage after alleging that Vonage used dark patterns to intentionally hide disclosures about an early termination fee that would apply to consumers who cancelled their subscription.  A few months earlier, the CFPB filed an action against TransUnion and alleged that TransUnion used “an array of dark patterns to trick people into recurring payments,” including by integrating “deceptive buttons” into an online interface that gave consumers the impression that by entering their card information, they could get a free credit score, when in actuality the button signed consumers up for recurring monthly charges.  There are dozens of other examples that may be worthy of review by risk management and underwriting teams.

Extending Consumer Protections to Small Business Merchants.  Law enforcement efforts to protect small- and medium-sized businesses from unfair and deceptive business practices under traditional consumer protection principles continues to be noteworthy.  In 2022, the FTC announced a $4.9 million settlement with a payment processor alleged to have deceived merchant customers about how much they would pay for merchant processing services and failed to adequately disclose that an early termination fee would apply to merchants who wanted to cancel their services agreement early.  This case was particularly noteworthy because, in addition to claims that the processor allegedly engaged in unfair or deceptive conduct, the FTC also charged the processor with violations of the Restore Online Shoppers Confidence Act (referred to as ROSCA).  Congress enacted ROSCA to protect online shoppers on the Internet by requiring certain disclosures, consent, and cancellation requirements for online subscription sales.  In the merchant services context, the FTC alleged a merchant services agreement was subject to ROSCA because it had an automatic renewal clause and could be executed electronically online.  Because the case settled, there were no findings or conclusions of law that the processor violated any laws.

CFPB Registry of Terms and Conditions.  Consistent with its proposals to monitor nonbanks (including banking-as-a-service or BaaS providers), in January of this year, the Consumer Financial Protection Bureau (CFPB) proposed a rule that would establish a public registry of supervised nonbanks’ terms and conditions in non-negotiable form agreement that claim to waive or limit consumer rights and protections, like bankruptcy rights, liability amounts, or complaint rights. Under the proposed rule, entities offering BaaS subject to the CFPB’s supervisory jurisdiction would need to register with the CFPB.  The CFPB proposes that this rule would allow it to identify and collect information of “form agreements” that waive or limit customer rights and increase market transparency as well as improve risk-based oversight. submit information on terms and conditions in form contracts they use that seek to waive or limit individuals’ rights and other legal protections. That information would be posted in a registry that will be open to the public, including to other consumer financial protection enforcers. The comment period on the proposed rule is set to expire by mid-March 2023.  With the CFPB’s increasing interest in payments companies and potential scope-creep of its “consumer” protection mission, it remains to be seen whether and how this may impact agreements for payments services.

Safeguards Rule.   In 2021, The FTC issued final regulations to amend the standards for the protection of Customer Information (as defined under the Gramm Leach Bliley Act). These regulations require financial institutions under FTC jurisdiction (many of which institutions “pass through” such obligations to their service providers) to develop, implement and maintain an information security program to protect the security of customer information (including of course, account information).  The amendment requires certain specific parameters with respect to an information security program.  Whether the Safeguards Rule could apply to a payments company depends on a various facts and circumstances, but this issue is one that may generate questions within your own company.

Junk Fees and Surprise Charges.  The CFPB maintains an ongoing initiative to reduce “exploitative junk fees” charged by banks, non-bank financial companies, debt collectors, and others on deposit accounts, student loans, credit card agreements, and other products.  In October 2022, FTC announced that it was considering a rule to crack down on what it described as “unnecessary, unavoidable, or surprise charges that inflate costs while adding little to no value.”  One category of fees in the FTC’s sights include “surprise charges that secretly push up the purchase price.”  The FTC’s advance notice of proposed rulemaking reflects on hotel surcharges, airport surcharges, and other mandatory fees that are often obscured until the customer is paying and too far into the purchase to exert the effort to understand the components of a final price.  It may only be a matter of time until these initiatives to combat “junk fees” are targeting surcharges added by merchants that may not be properly disclosed or reported.

We look forward to seeing you at MAC Level Up 23.  Be sure to join members of our Government Relations Strategic Interest Group at 8:10am PT on Day 2 of Level Up 23 for discussion on some of these and various other issues impacting payments regulation and law enforcement.