Stage Set for Payment Services Providers Challenge to FTC Authority

CMS is an independent sales organization (“ISO”) for banks that offer merchant payment accounts and bankcard processing services, known as “acquiring banks.” As an ISO, CMS sells the acquiring banks’ services to merchants (e.g., retailers) who want to set up business bank accounts and be able to accept credit and debit card payments from customers. Beyond simply referring the merchants to the acquiring bank, ISOs also often help the banks manage their relationships with the merchants.

Since 2017, the FTC has been investigating CMS for its role in soliciting and helping set up accounts for a number of merchants who later became the subject of FTC enforcement actions for engaging in unfair and deceptive practices. According to the FTC, the purpose of its investigation of CMS – the ISO – is to determine if CMS itself has “engaged in deceptive or unfair acts or practices by providing payment processing services to merchants engaged in fraud.” Petition to Enforce Civil Investigative Demand and Memorandum of Law at ¶ 13, F.T.C. v. Complete Merchant Solutions, LLC, No. 2:19-cv-00996-HCN-EJF (D. Utah Dec. 23, 2019) (“FTC Petition”).

But CMS’s complaint contends that CMS works diligently to detect and prevent fraudulent activity by merchants – activity that only hurts ISOs and the acquiring banks, because fraudulent charges have to be refunded to the consumers. As a result of its fraud prevention efforts, CMS asserts its merchant portfolio has a chargeback rate “well below the 1% mark that is generally viewed as the industry standard.” Complaint at ¶ 41, Complete Merchant Solutions, LLC v. F.T.C., No. 2:19-cv-00963-HCN-EJF (D. Utah Dec. 5, 2019) (“Complaint”). CMS also contends that the bad merchants who were targets of the FTC’s investigations have made up less than 1% of CMS’s merchant portfolio since 2016, and that before any suit was filed CMS had already identified and terminated the vast majority of the merchants the FTC was investigating. Id. at ¶ 64. In short, CMS contends there is no support for the FTC’s investigation of CMS, and no facts “showing that CMS has violated, is violating, or is about to violate any law.” Id. at ¶ 22.

More to the point, however, CMS argues the FTC does not have authority to make ISOs like CMS “vicariously liable for failing to prevent merchants from committing fraud.” Complaint ¶ 6. While the FTC contends it has the right to investigate whether CMS engaged in unfair practices “by providing payment processing services when [it] knew or should have known that charges to consumers’ account were unauthorized” (Petition at 17), CMS claims there is no evidence it was knowingly complicit in any merchant’s misconduct and, in all events, “the FTC is expressly prohibited from regulating banks, whose relationships with ISOs are regulated by the FDIC and other banking regulators.” Complaint ¶ 6.

On February 3, 2020, the FTC moved to dismiss CMS’s complaint, arguing (i) neither the FTC Act nor the Declaratory Judgment Act (“DJA”) grants the court jurisdiction over CMS’s claims; (ii) CMS has not satisfied the Administrative Procedure Act’s (“APA”) prerequisites for filing suit; (iii) CMS has other adequate remedies via its ability to challenge the FTC’s investigation in the pending CID enforcement proceeding and to defend itself on the merits in any resulting enforcement action; and (iv) CMS’s claims are, in any event, not ripe for adjudication.

CMS responded on March 2, 2020, arguing the DJA provides a mechanism to have its rights determined in federal court, given the FTC has repeatedly threatened federal litigation against CMS. CMS also argues the APA is inapplicable and does not restrict the court’s jurisdiction since federal jurisdiction exists under the DJA. Last, CMS claims the case is ripe under the Tenth Circuit’s test in Abbott Laboratories v. Gardner, 387 U.S. 136 (1967). Specifically, CMS argues that (i) delaying judicial review would cause CMS immense hardship because the FTC is demanding that CMS either agree to the FTC’s proposed consent order or face an enforcement action; (ii) judicial intervention will not inappropriately interfere with further administrative action because the requested relief (preventing the FTC from continuing its actions aimed at CMS’s ISO services) will not prevent the FTC from investigating the merchants suspected of defrauding consumers; and (iii) further factual development is unnecessary because CMS’s complaint raises purely legal issues regarding the scope of the FTC’s authority and the FTC has already threatened litigation against CMS (indicating the FTC believes it has sufficient facts from its investigation to date to establish CMS’s liability).

This case presents an issue of immense importance to ISOs and the payments industry. While ISOs and acquiring banks have every incentive to prevent dishonest conduct by their merchants, some such activity will undoubtedly go undetected despite reasonable efforts to weed it out. Whether and to what extent an ISO should be held responsible for such merchant conduct (whether for allegedly abetting it, failing to prevent it, or otherwise) will have far-reaching and potentially costly implications for the numerous ISOs operating throughout the nation.