On the Heels of Increased Enforcement: Regulatory Risks Facing the Payments Sector

While the CFPB has both enforcement and regulatory jurisdiction in the payments space, the payments market has not been a traditional CFPB priority. This is no longer true. Following the confirmation of CFPB Director Rohit Chopra in late 2021, the CFPB has made clear that it intends to closely examine all consumer payments products, whether offered by traditional financial service providers, Big Tech, or fintechs. How can providers of consumer financial products prepare for this massive shift?

Transcription:

Daniel Wolfe: (00:07)
Are we ready? Day two, Payments Forum. Everybody get their coffee. I have had my coffee. So I sound like I have had my coffee. I have had a little, maybe a little too much. So welcome back to day two, here in Phoenix, to Payments Forum from American Banker. I'm Daniel Wolfe, one of the many editors from American Banker you'll see here. And I think I'm already taking up too much time from our first panelists. So I will just hand it off to them. As people filter in, I would like you all to give a warm welcome to Sujit Raman and Thomas Ward for our first session.

Thomas Ward: (00:48)
Good morning everybody. My name's Tom Ward. I am a partner at Sidley Austin in Washington, DC. I joined Sidley in May 2021. And with me is Sujit Raman, who was, until Sunday, also my partner at Sidley. But he'll tell you why it's only till Sunday in a moment. My practice is focused on consumer financial enforcement, particularly in matters involving the CFPB and state consumer financial protection agencies. Before joining Sidley, I was the CFPB's enforcement director and a deputy assistant attorney general at the Department of Justice. The most recent CFPB enforcement director and only one of two in private practice. It's a small club, and I am potentially the last career enforcement director the CFPB will ever have. As the enforcement director, I oversaw the setting of the enforcement priorities in each of the bureau's strategic markets.

Thomas Ward: (01:49)
I oversaw the legal and factual strategy in hundreds of cases and investigations. Immediately before serving at the CFPB, I was in leadership at DOJ as a deputy assistant attorney general leading towards consumer protection and commercial branch matters. Consumer protection, most people don't know, is a criminal branch within the civil division. That is the CFPB's primary criminal referral partner. I'm the only one serving in leadership in both a criminal and civil capacity in consumer financial protection cases. Before that I was a trial lawyer at Williams & Connolly in Washington for 20 years, serving as lead counsel on both the plaintiffs and defense side in financial cases, usually in cases involving allegations of complex financial fraud. So I will turn it over to my former partner Sujit to introduce himself.

Sujit Raman: (02:42)
Tom, thanks so much. Everyone, good morning. As Tom mentioned, until Sunday he and I were law partners, and it's always a privilege to be on a stage with Tom. I am now the general counsel of TRM Labs, which is a leading blockchain analytics firm. Started literally yesterday. So it's wonderful to be among all of you. I've probably seen more of you than many of my colleagues, so it's a good way to start. Before I joined TRM, I was at Sidley, where I was in our white collar and privacy groups. And before that I spent about 12 years at the US Department of Justice, where Tom and I overlapped. I was a prosecutor for many years, prosecuted fraud cases, public corruption cases. And then for about four years I was the associate deputy attorney general at headquarters, where I helped oversee all of the nation's cyber criminal and national security investigations and prosecutions. So I did a lot of work when it came to illicit actors, to white collar crime, to cryptocurrency enforcement, and was very much involved in work involving sanctions compliance and cyber security. So I know we have a lot to talk about today, and I'll turn it back over to Tom.

Thomas Ward: (03:44)
Great, thanks Sujit. So we do have a lot to cover, so we're gonna move fast. So I'll start with the CFPB. The CFPB is in the news a lot, and I'm not sure that people have a great sense of what a powerful agency this is. There are a lot of announcements, a lot of enforcement announcements, a lot of press releases. So let me give a couple minutes of background. So first off, the CFPB has the most expansive jurisdiction of any federal financial regulator. It covers virtually every financial product or service offered to the American consumer, the infrastructure and technologies underlying those products, and an astonishingly broad expanse of financial institutions. It has jurisdiction over payment processors, banks with assets of more than 10 billion, credit card companies, credit issuing, credit card issuing banks, marketplace lenders and platforms, credit reporting agencies, remittance providers, and mortgage, auto, and student loan originators and servicers.

Thomas Ward: (04:42)
Basically it covers every consumer financial product except insurance and trading. It's also the primary federal regulator for fintechs, their affiliated banks, and neobanks or challenger banks. And now it's been tasked by President Biden with evaluating digital currencies through the lens of both consumer protection and fair competition. Even with such a pure broad jurisdiction, though, the CFPB rarely turns down an opportunity to expand its reach. The bureau is aware that if it does not police a certain market, another regulator will. Financial regulators, like nature, abhor a vacuum, and they rarely cede turf to one another. It enforces more than 20 enforcement statutes, or consumer financial protection enforcement statutes and regulations, as well as the CFPB's UDAAP, which is unfair, deceptive or abusive acts or practices. And that basically allows the bureau to investigate any product or conduct it finds objectionable, whether or not it also violates one of the enumerated statutes.

Thomas Ward: (05:47)
If the bureau finds a violation, it has access to the broadest set of remedies of any financial regulator, including getting civil monetary penalties, which it uses to collect in one case to pay out consumers in another case where a defendant may be judgment proof, which is basically, in the federal system, unique to the bureau. Finally, and this gets less attention than it should, the bureau coordinates very closely with DOJ, with the consumer protection branch, with civil rights, and with the commercial litigation branch. So, going to payments, which is why we're here. Payments has always been a sleepy space at the bureau. If you look on the bureau's website, where the enforcement matters are all public, there is less than a handful of payments cases in the bureau's history. So the news flash for today is sleepy payments is no longer sleepy. Director Chopra has in fact made payments the top priority, or a top priority.

Thomas Ward: (06:48)
So it's gonna get a lot of attention in the next few years. The highest profile payments action by the bureau of this administration so far came in October, a few weeks after Director Chopra was confirmed. That's when the CFPB sent orders to six major technology companies seeking information about their payment systems and products. The payment orders were Director Chopra's first major policy action, but they didn't come out of nowhere. Rather, it appears to be a continuation of his work at the FTC, where he pushed for the FTC to more vigorously regulate major tech companies. In fact, when the bureau announced the payment orders, it gave a hat tip to the FTC, saying it was building on the FTC's efforts to shed light on the business practices of major tech companies. Interestingly, the bureau issued the payments orders pursuant to its markets authority under section 1022 of the CFPA.

Thomas Ward: (07:44)
It is not enforcement. It is not supervision. It is information gathering at this point, and to the bureau's credit, they've been clear about what they hope to learn from the start. They wanna learn about data harvesting and monetization, whether it exists, and if so, how it's being done; access restrictions and user choice. This is the one that's most interesting to me, I think, because the bureau is really pursuing a competition agenda in a way that it has never done before. And then they want to know about consumer protections. And so it's basically the bureau is concerned that there is a payments market operating and growing up outside its purview, and they wanna make sure that consumer protection, such as fraud and payments made in error, data and privacy being protected, responsive consumer service, customer service for consumers, and to be treated equally under relevant law, is all applying to these payment products.

Thomas Ward: (08:44)
The same as they are to the payment products that the bureau does supervise regularly and knows about. And in addition to sending inquiries to the American companies, the bureau also said it'd be studying the Chinese payment companies Alipay and WeChat Pay because they operate in a market where, quote, we can already see the long term implications of the ill effects that unchecked growth of payments can have consumers markets. And so I think one can extrapolate from the bureau's characterization of Alipay and WeChat that Director Chopra is concerned something similar could happen in the United States. So the takeaways from the payments orders are many, but I'll just run them down quick. Payments is no longer a sleepy space. The payments orders make clear that the bureau wants to have a big say in how the Biden administration regulates big tech.

Thomas Ward: (09:37)
And then third, the CFPB wants to know about payments from both a consumer and a competition angle. And so I think the competition angle, as I said, is the most interesting, because even Director Rich Cordray at the CFPB, as aggressive a federal regulator who ever served, did not pursue competition cases, at least pure competition cases, during his time at the bureau. But the Biden administration has taken a very different approach. So I think it'd be hard to dispute that the CFPB's competition bona fides are not as clear as the FTC's or the antitrust division's, and Director Chopra even said it's not a core focus of the CFPB. He does view competition and consumer protection as intertwined; therefore, to do his job, the CFPB has to be a competition regulator. He made that clear at his confirmation hearing.

Thomas Ward: (10:34)
In July of last year, the president issued an executive order telling the bureau to use its UDAAP authority to look at competition cases, which was pretty groundbreaking, for the White House to suggest to an independent agency how it interpret its legal authority. And as most people would do when the White House suggests something to you, the bureau has taken it and run with it. And so in the payments order, a number of the questions are competition related. Things like small businesses feel coerced into participating in the payment platform out of fear of being suppressed or hidden in search or product listings; will the payment platforms be truly neutral, or will they use scale to extract rents from market participants? So the bureau's doing this, I think, taking it at its word, because there's a significant consumer payments market developing outside its supervisory oversight.

Thomas Ward: (11:33)
And in order to fulfill its duty to the American consumer, it needs to get up to speed on it. And the markets mechanism is one way to do that. It's novel, but not without precedent. Director Cordray used it in a big way to collect information on American credit card data. And it was challenged, but I think it actually went through. So, but it is pretty novel. And so where is it heading? I think that at the end of the day, the bureau is gonna issue some kind of report saying whether its concerns were valid. And so who knows when that will be or what form it will take, but that is a big priority for the bureau in this administration. And then moving on quickly. The bureau is also, and I think the federal government generally, is looking at money sharing platforms and apps.

Thomas Ward: (12:23)
And so in December, for example, 33 state attorneys general sent a letter to Director Chopra calling for stronger consumer safeguards for money sharing platforms and apps. As a class, the AGs said that they saw a rise in consumer complaints, including from consumers having difficulty reaching customer service representatives, not being able to retrieve funds, and being subject to fraudulent money transfers by third party scammers. They also noted that payment platforms are sometimes marketed as a solution for consumers without access to traditional banks, even though they're not banks. And so in that space, PayPal has disclosed that Venmo has received a civil investigative demand from the CFPB. Block, the parent of Square, disclosed in March of this year that the CFPB and multiple state AGs are looking at its Cash App wallet. And on April 25th, last, or two weeks ago, Senators Warren and Menendez wrote a letter to early warning systems about what they said was a disturbing rise of reports of fraud and scams on Zelle, along with failure to address the scams or provide redress to defrauded consumers.

Thomas Ward: (13:35)
And they, with that letter, they have a very fulsome list of questions they want early warning systems to answer, including things like what are Zelle's policies for determining which consumers receive refunds for fraudulent claims. And so those in the money transfer space, the payment space, should be looking at Senator Warren and Senator Menendez's letter and seeing how they would answer similar questions. Because when Senator Warren focuses on an area, as the acknowledged architect of the CFPB, it's usually the case the CFPB is, or will become, also interested in that area. And so with that, I will pass the mic over to Sujit.

Sujit Raman: (14:20)
Tom, thanks very much. Tom has laid out a very comprehensive scenario for what the CFPB is up to these days. Obviously the title of our panel here is regulatory risk facing the payment sector. So let me talk about some of the other regulatory risks that the sector faces. And when I talk about these risks, I like to divide them into two kind of overarching sets of buckets. The first are cybersecurity risks, access to data issues, hackers, sort of that category of how do you protect the information that you have in your possession and what are some of the regulatory developments in that area? And the second is illicit actors' use of payment processes to do bad things, right? So two kind of distinct sets of risks, but interestingly, we're starting to see areas where the two are coming together.

Sujit Raman: (15:10)
And that area, honestly, is crypto. That is one area where you've got cybersecurity risks, concerns about hacks, people stealing large amounts of crypto. You also have concerns about illicit actors using crypto to do illicit things like drugs or child pornography or terrorist financing, or other types of illicit activity. Let me take a minute to talk about some of the cybersecurity risks. I think everyone in this room is familiar with the fact that people's personal information, including financial information, is constantly under attack. What we've seen in the last few years, and this is actually really interesting, is that ransomware attacks are on the rise. Again, something that is not news to people in this room, but what is interesting is how the government has responded. When I served at the Justice Department, I helped oversee the work we were doing to confront cyber crime, including ransomware activity.

Sujit Raman: (16:02)
And traditionally speaking, what we saw were organized criminal enterprises, typically based in Eastern Europe, that were using Bitcoin or other means of anonymous or pseudo-anonymous payment to receive money in return for stealing data, right, or holding data hostage. Typically a criminal issue. What has really become apparent over the last few years is that national security sponsored or nation state sponsored actors are also very much in the ransomware game. The Colonial Pipeline incident that everyone is familiar with, about a year ago, is something that sort of brought to the idea that nation state actors can actually be behind some of this malign cyber activity, and that there's a national security component to defending ourselves. It's not just a question of criminal law. It's not just a question of criminals in Eastern Europe or other parts of the world transacting on the dark web.

Sujit Raman: (16:56)
It's a question also of nation states using cyber space to advance their geopolitical interests at their own benefit and to the detriment of American companies and Western companies. So what has the government been doing? We've seen the Biden administration issue a pretty aggressive cyber security executive order. And if you essentially have any kind of a contract with the federal government, you need to meet certain heightened cybersecurity standards. In my view, that's actually a positive thing. For so long, cybersecurity in our country has been pretty decentralized. It's been pretty voluntary. If you have certain obligations, typically it's because you've signed a contract with the federal government, but it's been much harder to have rules for private sector entities dealing purely on private transactions. So what the cybersecurity executive order does is, if you have any nexus with the federal government, and if you're essentially contracting in any way with the federal government, you have to certify that you meet certain cyber security standards.

Sujit Raman: (17:51)
So that is one significant way in which the private sector's standards are being heightened just a bit. We've also seen regulations or guidance coming out of agencies like OFAC, the Office of Foreign Assets Control. It's a division in the Treasury Department, and OFAC has become much more vigilant about ransomware payments. The law hasn't changed; it's still illegal to interact with a sanctioned party. For example, let's say your data's been held hostage and there's a demand and you essentially pay ransomware to a sanctioned entity, somebody that's on the SDN list. That is a violation of the OFAC regs, even if you had no intent, even if you didn't know that the person on the other end of the transaction is a sanctioned party, because OFAC regs are a strict liability regime. That exposes parties to tremendous potential liability, also potential criminal liability.

Sujit Raman: (18:46)
If you willfully do it, then the Justice Department, my old colleagues, might get involved. So OFAC clarified in guidance that was issued last fall that, in the context of making a ransomware payment, it doesn't matter who's on the other side, and you actually have certain diligence requirements to make sure that the person on the other side isn't a bad actor. That's a segue, actually, to my current role. One of the reasons why I moved into my current role at TRM Labs is what digital analytics companies do is help the payment industry figure out who was on the other end of those transactions, right? There's a lot going on the blockchain. There are a lot of pseudo-anonymous people on the blockchain. Bitcoin wallets, typically just strings of letters and numbers. How do you know that you're not interacting with a bad actor?

Sujit Raman: (19:30)
On the other side. The field of blockchain analytics helps figure that out in a privacy protecting way. It builds intelligence and helps players in the payments industry figure out whether or not there are bad actors or fraudsters or criminals on the other end of those transactions. So we've seen that OFAC, we've seen FinCEN, we've seen other regulatory bodies heightening awareness and heightening penalties for parties that are on the other end of ransomware payments. So that's one area where cybersecurity, and the fact that bad actors are penetrating into networks, stealing information, holding it hostage, sometimes with nation state backing, has had an immediate impact on the regulatory environment. We've also seen the SEC, the Securities and Exchange Commission, turning on the screws. Some of you might be familiar with the fact that the SEC currently has a proposal out that would essentially require companies to make disclosures to the government.

Sujit Raman: (20:23)
If they've been breached, in a very tight window, I think it's 48 hours. That is untenable. And as part of the notice and comment process, that timing will be adjusted a little bit, but that's an area, again, if you're a public company and you're suffering any kind of significant cyber incident, that term is undefined. So it's still a question of where the regulator's gonna end up, and that's where industry needs to actively engage with the SEC, file a comment letter, make sure they understand what your concerns are. But we're moving in a direction, I think there is no turning back, where if you have a cyber incident, you're gonna have to report it. You're gonna have to make sure the authorities know about it and be very prompt in your remediation.

Sujit Raman: (21:03)
So that's, I think, one key takeaway point from the cybersecurity issue. Turning to the second half, which is illicit actors using payment processes to do bad things. There have been a number of developments really in just the last few months. I think everybody obviously is familiar with what's going on in Russia and Ukraine right now. Sanctions enforcement is now much more of a priority for the government than typically. It's always been something that the government's been focused on, but now the Justice Department has issued two separate task forces to focus on enforcing the sanctions laws. We're seeing that a lot of energy is going into sanctions enforcement, making sure that companies that are in the payment system are aware of how their architectures, how their processes are being used. And as I said before, ensuring that there's awareness of who is transacting, who's doing what, complying with the regulations. And we're not seeing it just on the federal government side.

Sujit Raman: (21:58)
The state governments are also getting involved. New York DFS issued, just a few days ago, guidance saying essentially, it is a best practice now to use blockchain analytics, right? If you're in the business of processing these payments, or if you're interacting with crypto in any way, it is now expected of you to be using companies that are essentially gonna help you figure out who's on the other end of these transactions. So we're seeing, again, regulators who are finding their way in this very new and uncertain area. The regulations are not always clear. There's a fair amount of interpretation that has to be done. And yet it's also clear that the regulators aren't gonna wait, even though there's been pushes from President Biden and issued an executive order on digital assets a few weeks ago, saying basically come back to me and report in six to nine months with various legislative proposals. While that process plays out, we're not gonna see regulators just sitting on their hands.

Sujit Raman: (22:52)
They're gonna keep bringing cases, whether it's the SEC, whether it's the CFTC, whether it's state regulators. And again, it's not just New York. Texas has become much more aggressive on crypto enforcement. Alabama, we've seen other state regulators as well. It's a really interesting time. So it's very important for everyone in this room, make sure you're tied in with your legal advisors and make sure that everyone is staying on top of the latest regulatory guidance that's coming out. And that's where folks like Tom and my former colleagues at Sidley Austin can be obviously very, very helpful. We've got about five minutes left, Tom. I don't know if we want to take questions or maybe take a pause there, and we're happy to engage with all of you.

Thomas Ward: (23:34)
Sure, yeah. We'd love to take questions.

Audience Member 1: (23:49)
I think this one, I'll just be that this one's for Tom. So you mentioned an agenda. Is there any discussion about the secure, relevant on the iPhone and recent Apple? Do you see that as something that might become to the US?

Thomas Ward: (24:15)
So, the bureau or the FTC has spoken about that. And I don't know how that's going to play out, if at all, in the States. I mean, the payments orders, which are directed at six big tech companies, have a lot of competition elements in them. Director Chopra in many of his announcements is making a competition agenda central. And so I don't know where it's going to go. Ultimately, it seems that the bureau is gonna want to use its UDAAP authority to pursue a fair competition case or investigations, but it really will be novel there. They do not have the infrastructure that antitrust and FTC does to look at whether there is actually competition in a space. So maybe they would do joint actions in the space, but, as enforcement director, that was not something that, the bureau has an enormous strike zone. It has a massive remit and that was not in it. Does that help?

Audience Member 2: (25:36)
NSF, NSF OD has been a big topic with Chopra in talking about that any guidance in, as we have a lot of financial institutions and how they can balance not having to give up all their revenue, but complying with a middle position. Any thoughts around that?

Thomas Ward: (25:53)
Can you put a finer point on that? Who's that applying to?

Audience Member 2: (25:58)
So they're talking about with financial institutions with NSFOD that they feel it's targeting the financially vulnerable. So they're asking to reduce the fees or do something more significant, which could have a financial impact for financial institutions.

Thomas Ward: (26:14)
So, you know, it's an interesting thing. The director has made what he calls junk fees like a tent pole of his directorship, and I am not sure where it's going, because currently you have only a request for information out there for consumers, and it's basically asking them, what don't you like? What do you think are junk fees? And so, on that type of thing, we're a ways away from actually getting some rubber hitting the road on what the bureau is going to pursue. But then you have got to look at what's within regulatory safe harbors, which the bureau, for example, certain fees that the bureau sets, and so it has the ability to move on them. And so will it do so, and are these fees a violation?

Thomas Ward: (27:10)
If they were a violation, they could be pursued right out of the gate by enforcement, and I am not seeing public enforcement actions in that space. And I am not sure if this is a bully pulpit effort for now or whether there will actually be regulation or enforcement attached to it. It's clearly the director was very vocal in the overdraft space; a lot of depositories changed their practices. And I don't want to guess whether that was in response to him directly or whether things were in the works, but seeing that, he may think, well, there was activity in that space that I liked, changes in overdraft. Maybe I can do the same thing in other junk fee spaces. Does that help? Anybody else? We have 34 seconds, 33, 32, and then they're gonna bum rush us up here, so, well, great. Thank you everybody. Sujit and I will be milling around; if you want to grab us, we are thrilled to have the chance to speak to you. This is a great conference and this is a fantastic time to be in the consumer financial space. So many interesting, fascinating things are happening. So thank you everybody.

Sujit Raman: (28:42)
Thank you.