A single paragraph in a lawsuit filed by the Consumer Financial Protection Bureau is sparking fears by third-party payment processors that the agency is quietly and significantly expanding its authority over the industry.

In a June suit against Intercept, a Fargo, N.D., payment processor that processed electronic funds transfers on behalf of payday lenders, the CFPB for the first time asserted that a payment processor is a "covered person" under the Consumer Financial Protection Act.

That seemingly technical definition has big implications for the industry as whole, giving the CFPB far more leeway to investigate and pursue payment processors.

It's "an extraordinary and potentially far-reaching expansion of its authority," said Leonard Chanin, of counsel at Morrison & Foerster and a former CFPB assistant director of regulation.

At issue is just how far the CFPB can go when pursuing payment processors. Before the Intercept case, payment processors were defined by the agency as "service providers." Such a designation limits the CFPB to only investigating payment processors when it concerns transactions by lenders and other firms that offer consumer financial products.

But by defining Intercept as a "covered person," that theoretically means all payment processor transactions — including those with firms that have nothing to do with financial services — can be investigated by the CFPB. Chanin questioned whether a processor might now be required to conduct due diligence on all its merchant clients that do not offer financial products, such as health clubs, dry cleaners or bakeries.

"The implications are pretty dramatic in terms of what a payment processor potentially has to worry about," Chanin said. "They seem to be asserting wider jurisdiction over the payments system."

In the lawsuit, the CFPB argues that Intercept is a covered person because "it provides payments or other financial data processing products or services to consumers by technological means, including through a payments system or network used for processing payments data."

That could mean that "any entity that processes payments is responsible for monitoring the business practices of every person it processes payments for," Chanin said.

Some see the CFPB's move as similar to Operation Choke Point, the 2013 Justice Department initiative that targeted banks and payment processors that the agency thought were willfully doing business with fraudulent companies or actively ignoring fraud perpetrated by clients.

This is "a Choke Point-esque type of initiative that amounts to a crackdown on access to the electronic payments systems," said Joe Rodriguez, a partner at Davis Wright Tremaine. "They are not going after each individual bad actor, but rather are going after the gatekeepers, the payment processors and banks, that provide access to [automated clearing house] systems."

Payment processors are struggling to figure out how deep an analysis they have to conduct on their clients' businesses, including whether to monitor state laws or take other steps to investigate allegations of fraud.

In the lawsuit, the CFPB suggested that mere allegations of wrongdoing against a payment processor's clients would be enough to warrant investigating.

For example, the CFPB cited disputes from consumers in Georgia, which has strict regulations that effectively ban payday lending. The agency said Intercept should have investigated its payday lender client after receiving so many consumer complaints. The CFPB also cited a cease and desist order against a payday lender that Intercept "failed to take any action to investigate."

"The complaint doesn't say Intercept had an obligation to know the law in Georgia, but it implies it," said Ori Lev, a partner at Mayer Brown and a former deputy enforcement director at the CFPB. "It's a bit of a stretch to say that payment processors need to know all state laws applicable to their clients' business and to know their clients' business enough to know if the activities are potentially illegal."

The case also has attracted attention because Intercept filed a pre-emptive lawsuit in May against the CFPB in an attempt to halt a $12 million administrative proceeding against it.

The company said in its lawsuit that the CFPB's structure "permits the director to wield unconstitutionally outsized authority at every stage of the investigative and adjudicative process without sufficient accountability."

The CFPB declined to comment because of pending litigation.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.