On May 19, 2015, the CFPB announced that it was filing a complaint and proposed consent order in federal court against PayPal, Inc., based on allegations that PayPal Credit (fka “Bill Me Later”), had violated the prohibition against unfair, deceptive, abusive acts and practices (UDAAP).  This filing is noteworthy for two reasons. First, it was the CFPB’s first action against an online payment company. Second, it sheds some light on what regulators consider to be “abusive” under UDAAP, which continues to be a fairly ambiguous area of the law.

The CFPB Takes First Action Against an Online Payment Company
In May, 2014, the CFPB touted its supervision activities in nonbank markets as having returned more than $70 million to 775,000 consumers. A “nonbank” is any company that offers or provides consumer financial products or services but does not have a bank, thrift, or credit union charter. As previously discussed on this blog, the CFPB has the authority to oversee nonbank businesses, regardless of size, in certain markets, such as mortgage origination, mortgage brokers and servicers, and payday lenders. The CFPB also has the authority to define and regulate “larger participants” in other consumer financial markets, which to date has included regulation of:  consumer reporting (effective September 2012), international money transfers (effective December 2014), student loan servicing (effective March 2014), and consumer debt collection (effective January 2013). The CFPB’s rationale is that in order to protect consumers, the CFPB must supervise both banks and nonbanks in order to ensure that there exists a fair and transparent marketplace for consumers.

Banks are used to being examined by regulators and have built compliance systems, policies and procedures, and risk management plans in order to comply. But for many nonbanks, this infrastructure is foreign, costly, and daunting. A review of PayPal’s SEC filing is striking in the number of risk factors describing regulatory risk that the online payment company must grapple with, all of which are typically found in a bank filing. Not only did PayPal disclose that it had become “subject to CFPB supervision and examination pursuant to new regulation that allows the CFPB to supervise all companies, including PayPal, that provide more than one million international money transfers per year,” but it also listed risk factors relating to compliance with Anti-Money Laundering Rules, Electronic Fund Transfer Act, Regulation E, and other consumer laws and regulations. In addition, the CFPB found that PayPal’s business practices were deceptive and abusive and violated the prohibition against UDAAP in the marketplace.

What Counts as “Abusive” Conduct?
Of the six charges alleged against PayPal, the one that is most noteworthy is the allegation that PayPal was “abusive” in its method of applying payments. The CFPB has thus far declined to define what constitutes “abusive” conduct, so that a determination of the agency’s standards must be gleaned from the enforcement actions that it takes. In this case, it appears that “abusive” actions are those in which a company seems to be taking unreasonable advantage of a consumer.  In this case, the CFPB alleges that PayPal:

  • Enrolled consumers in credit products without their consent;
  • Forced consumers to pay for items using PayPal Credit by not making other payment options available;
  • Did not clearly explain how payments were applied to deferred-interest promotions;
  • Applied different interest rates to pending charges but did not permit consumers to direct their payments to the charges that were subject to the highest interest rates;
  • Gave consumers misinformation about how much they needed to pay to avoid interest charges;
  • Mishandled billing and payment disputes and misallocated payments; and
  • Did not make customer service representatives available to help consumers with the application of payments.

By engaging in these actions, the CFPB determined that this amounted to “abusive” conduct that harmed the consumer. The common theme in all these allegations is that because the consumer was powerless to change the outcome, the actions were therefore considered “abusive.” In addition, PayPal was found to have engaged in “deceptive” actions, including failing to honor advertised promotions and deceptive marketing. Also significant is the long “look-back” period that the CFPB used in examining the “deceptive and abusive” conduct. The CFPB is looking for PayPal to reimburse consumers who were harmed in the last four and a half years, from January 2011 through May 2015.

Payment Processors Being Sued Because They “Should Have Known”
It is also worth mentioning that the CFPB has recently taken action against several payment processors for violations of debt-collection laws that were allegedly committed by third-party debt collectors. In these cases, the third-party debt collectors apparently engaged in harassment of consumers and collected payments from them using payment processors that were not directly involved in the debt collection. Significantly notwithstanding the payment processors’ lack of knowledge of the illegal conduct, the CFPB is holding the payment processors responsible because they “should have known” that their services were being unlawfully used. In order to find out and stop this conduct going forward, this will require payment processors and payment companies to monitor the accounts for illegal conduct, which is a formidable task. Click here to review the CFPB’s filed complaint against Meracord and Remsberg.