Third Party Payment Processors as ‘Covered Persons’: A Return to CFPB Regulation by Enforcement?

Alston & Bird

A&B ABstract: The CFPB has recently asserted extraordinary authority to make any payment processor monitor the activities of any merchant for which it processes payments, even if that merchant does not provide consumer financial products or services. Does its argument hold up?

The CFPB’s Complaint Against BrightSpeed

On March 3, 2021, the Bureau of Consumer Financial Protection (Bureau or CFPB) announced that it had filed a complaint in federal court against BrightSpeed Solutions Inc. and its founder and former CEO (collectively, BrightSpeed). The Bureau’s complaint alleges that before ceasing operations in 2019, BrightSpeed was a privately owned third-party payment processor that processed remotely created check payments for its merchant-clients. According to the Bureau, these merchant-clients purported to provide antivirus software and technical-support services to consumers, but actually scammed consumers into purchasing unnecessary and expensive computer software.

The Bureau alleges that despite numerous indicators of fraudulent activity by their tech-support merchant-clients, BrightSpeed continued to do business with and earn processing fees from them. These actions, the Bureau alleges, were “unfair” practices in violation of the Consumer Financial Protection Act of 2010 (the CFPA, also known as Title X of the Dodd-Frank Act) and deceptive telemarketing practices in violation of the Telemarketing Sales Rule.


Importantly, under Sections 1031 and 1036 of the CFPA the Bureau can only bring unfairness claims against (1) a “covered person”; (2) a “service provider”; or (3) a person who knowingly or recklessly provides substantial assistance to a covered person or service provider. Section 1002 of the CFPA defines a “covered person” as a person that offers or provides a “consumer financial product or service,” which is in turn defined to include “providing payments or other financial data processing products or services to a consumer by any technological means,” provided that such products or services are “offered or provided for use by consumers primarily for personal, family, or household purposes.”

Section 1002 of the CFPA also defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” In plain English, this means that a payment processor is only subject to CFPB “unfairness” authority if it provides payment processing services to a person that offers consumer financial products and services (and is therefore a service provider) or itself provides payment services to a consumer (and is therefore a covered person).

BrightSpeed’s merchant-clients were providing antivirus software and technical-support services, which are not consumer financial products and services. Accordingly, BrightSpeed does not appear to be (and the Bureau did not allege in its complaint that it is) a service provider. However, the Bureau claims that BrightSpeed is a covered person even though it provided its payment processing services only to its merchant-clients, not to consumers.

Current Status of the BrightSpeed Case

 BrightSpeed, citing ongoing settlement discussions with the Bureau since at least November 2020, sought and was granted multiple extensions of time to file its answer to the Bureau’s complaint. Acting with uncharacteristic leniency, given the length of time involved, the Bureau did not oppose BrightSpeed’s motions. On June 30, the parties reported they had reached an “agreement in principle” to resolve the Bureau’s claims, including injunctive relief, consumer redress, and the payment of a civil penalty, but that BrightSpeed was trying to obtain accelerated repayment of a loan in order to facilitate settlement.

BrightSpeed filed its answer on July 12, denying most of the Bureau’s allegations and argued in defense that: (1) the Bureau’s claims exceeded its statutory authority and (2) are barred by the statute of limitations; (3) the Bureau is aware that BrightSpeed is not subject to the Telemarketing Sales Rule but brought its action in bad faith in an effort to coerce monetary relief out of Defendants against the backdrop of the expense of a federal lawsuit; and (4) the Bureau was aware of BrightSpeed’s conduct since the inception of its business but waited until the business had closed and was in financial distress to bring its action in an effort to gain strategic leverage against the company’s position. On July 13, the court ordered the parties to submit a joint status report on the status of settlement negotiations by August 27.

Prior Cases

Because the BrightSpeed case has yet to advance past the pleading stage, the Bureau has not articulated why it believes BrightSpeed is a covered person. However, two prior cases that advanced to the motions stage shed some light on the arguments the Bureau would likely make in response to BrightSpeed’s defense that it is not a covered person for purposes of the CFPA.


For instance, in 2016 the CFPB filed a complaint against Intercept Corporation and two of its executives (collectively, Intercept) for allegedly enabling unauthorized and other illegal withdrawals from consumer accounts by their clients. Intercept filed a motion to dismiss the Bureau’s complaint, arguing among other things that:

  • it is not a covered person, service provider, or related person;
  • the Bureau’s claims were time-barred under the CFPA’s three-year statute of limitations;
  • the Bureau failed to allege the necessary unfairness elements; and
  • the Bureau lacked authority to bring its enforcement action because it was unconstitutionally structured.

Intercept and the Third Party Payment Processors Association (as amicus) both filed briefs arguing that the language of the CFPA plainly excludes business-to-business companies such as Intercept from its reach and that a payment processor must offer its payment processing services directly to consumers to be considered a “covered person,” and those services must be used “primarily for personal, family, or household purposes.”

In response to Intercept’s motion, the CFPB argued that nothing in the statutory text even implies that a covered person must contract directly with the consumer, and when payment processors transmit credit and debit requests that were authorized by consumers, those processors provide the payment processing both “to” and “for use by” consumers regardless of whether they do so directly or via third-party arrangements. The CFPB then cited instances in which the Congress used the word “directly” in the Dodd-Frank Act to support a negative inference that the legislation did intend to capture as covered persons other companies that engage in financial data processing activities—even if those companies do not contract directly with consumers.

The district court dismissed the CFPB’s complaint in March 2017 for failure to state a claim on which relief can be granted but the court’s opinion did not examine whether Intercept was a covered person, noting only that under the applicable standard of review of Intercept’s motion to dismiss, the court considered and accepted the facts alleged in the CFPB’s complaint – including the allegation that Intercept was a covered person – as true.

Universal Debt Solutions

In 2015, the CFPB also filed a complaint against a number of individuals, their debt collection companies, and several payment processors (collectively Universal Debt Solutions). The Bureau alleged that the alleging unlawful conduct related to a phantom debt collection operation. The Bureau alleged that the debt collectors, acting through a network of corporate entities, used threats and harassment to collect phantom debt from consumers. The Bureau alleged that the payment processors should be held liable because, among other things, they should have recognized that chargebacks connected with the alleged phantom debt scheme were suspicious and likely connected to fraud. The Bureau alleged that the payment processors were covered persons and service providers that provided substantial assistance to the debt collectors in violation of the CFPA’s UDAAP prohibitions.

The payment processors filed motions to dismiss the CFPB’s complaint, arguing among other things that they were not covered persons because they did not offer their services to consumers but to merchants. In its response to the motions, the CFPB argued that while the payment processors may not interact directly with consumers, they “play a key role in the consumer payment processing network,” and while they may not have directly contacted the debt collectors’ victims, “their work enabled consumers to pay the [d]ebt [c]ollectors with bank and credit cards and they thus fit squarely within the statutory definition of a ‘covered person.’”

The court denied the payment processors’ motions to dismiss, finding that “even if the [p]ayment [p]rocessors are not covered persons, they could still be subject to liability for unfair acts or practices if they are service providers” and that they were service providers to the debt collectors. However, in August 2017, the court sanctioned the CFPB by striking the counts in the complaint against the payment processors and dismissing them from the lawsuit, citing the CFPB’s repeated willful violations of the court’s discovery orders, including its instructions to identify the factual bases for its claims, its refusal to present a knowledgeable 30(b)(6) witness in depositions, and its continued use of privilege objections in response to questions that the court expressly identified as permissible.

Implications for Merchants and Third Party Payment Processors

Because the Intercept and Universal Debt Solutions cases were resolved on other grounds, trial courts have not reviewed on the merits the Bureau’s contention that third party service providers are covered persons for purposes of the CFPA. And, of course, the ultimate disposition of the BrightSpeed case remains unknown. However, the implications of the Bureau’s assertion of authority in these cases is significant.

If the Bureau succeeds in asserting jurisdiction over payment processors that provide services only to merchants and not consumers (and especially over those merchants that do not even offer consumer financial products and services), it can make any payment processor monitor the activities of any company or person for which it processes payments. This would constitute a choke-point-style deputization of payment processors to regulate merchant activity, which would appear at odds with the express exclusion from the Bureau’s rulemaking, supervisory, enforcement or other authorities granted to merchants and retailers in Section 1027(a) of the Dodd-Frank Act. This would also appear to intrude upon the jurisdiction and enforcement priorities of the Federal Trade Commission (FTC), which in recent years has engaged in a concerted effort to combat merchant fraud enabled by payment processors. And this also echoes the Bureau’s prior efforts – which Congress soundly rejected – to coerce indirect auto lenders into regulating compensation paid to automobile dealers, another category of merchant similarly excluded from Bureau jurisdiction.


Companies  and individuals engaged in fraud should be held accountable. However, Congress has carefully established the limits of the Bureau’s jurisdiction and has left states and other federal agencies like the FTC with ample authority to combat fraud that falls outside of that authority. The efficient functioning of financial markets, including the payments system, depends on the CFPB honoring the rule of law.

Agencies would normally be expected to clearly announce their legal position in advance of taking enforcement action, such as by issuing an interpretive rule to explain how providing payment processing services “to a merchant” rather than “to a consumer” renders a third party payment provider a “covered person” for purposes of the CFPA. Such a rule could at least be challenged under the Administrative Procedures Act as contrary to law. However, the Bureau appears poised to establish a potentially far-reaching new precedent by entering into a consent order with a company that has already gone out of business. If the proposed BrightSpeed settlement is approved by the district court judge, such an outcome could be characterized as a muscular return of the Bureau’s dormant “regulation by enforcement” doctrine.


All third-party payment providers may soon have to monitor the payment activities of all of their merchant-clients for compliance with CFPB UDAAP prohibitions, whether or not those merchant-clients offer consumer financial products and services. This development would be an extraordinary expansion of the CFPB’s authority and potentially reach merchant activity previously thought to fall outside of its jurisdiction.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.