E-Commerce and Emerging Payment Systems Under Regulatory Scrutiny by the CFPB

Over 90% of American adults own a mobile phone according to the Pew Research Center.¹ That figure increases to 98% for Americans between 18 - 29 years old.²  We increasingly use mobile phones and tablets to purchase a variety of goods, such as music, movies, and games, as well as to conduct transactions, such as sending money and paying bills.  Analysts estimate that U.S. retail sales through mobile devices reached $58 billion in 2014.³  That's nearly one-fifth of last year's $304 billion in total revenue from online retail sales.⁴

Many players in this fast-growing space are companies that fall outside of traditional bank-centric regulation.  The Consumer Financial Protection Bureau (CFPB or Bureau) is aggressively filling that gap.  It has broadly asserted its jurisdiction and wielded a wide array of regulatory tools to position itself as the primary regulator for e-commerce and emerging-payment systems.  After focusing on mortgages and other areas mandated by Congress in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the CFPB turned to mobile-financial services during the second half of 2014, culminating in its lawsuit against Sprint Corporation for allegedly "cramming" unauthorized third-party charges onto customer bills.⁵  We expect the CFPB to continue to scrutinize these cutting-edge products and services as they gain greater popularity.

CFPB Jurisdiction

Title X of Dodd-Frank:

• transferred to the Bureau the rulemaking and enforcement authorities of nineteen pre-existing federal-consumer-financial laws, such as the Truth in Lending Act (TILA), the Electronic Fund Transfer Act (EFTA), and the Real Estate Settlement Procedures Act (RESPA) (defined by Dodd-Frank as the "Enumerated Consumer Laws");  and
• gave the CFPB new power to take action against unfair, deceptive, and abusive acts and practices (UDAAP).⁶

This alert focuses on the CFPB's UDAAP authority because it is the vehicle the Bureau may rely on to reach companies, shareholders, joint venture partners, service providers, and individuals even if they don't touch consumers.

The CFPB can bring an enforcement action for UDAAP violations against any person or entity that offers or provides a consumer financial product or service ("Covered Person" under Dodd-Frank).  The list of consumer financial products and services in Title X of Dodd-Frank may include certain forms of online commerce, including:

1.    extending credit and servicing loans;⁷

2.    selling, providing, or issuing stored value or payment instruments (e.g., reloadable accounts and P2P payment systems);⁸ and

3.    payment processing by "any technological means . . . or through any payments systems or network used for processing payments data, including payments made through an online banking system or mobile telecommunications network . . . ."⁹

The Bureau will likely assert that Congress intended for the agency to regulate online and mobile commerce because Dodd-Frank explicitly references technological systems and networks, online banking systems, and mobile telecommunications networks.

The CFPB's jurisdiction does not end with Covered Persons, however.  The Bureau's UDAAP power appears to extend, vertically and horizontally, to (i) shareholders, consultants, joint venture partners, and others who materially participate in the affairs of Covered Persons;¹⁰ (ii) directors, officers, shareholders, and other individuals with managerial responsibility over Covered Persons;¹¹ (iii) service providers who provide a material service to Covered Persons (e.g., vendors);¹² and (iv) any other individual or entity who knowingly or recklessly provides substantial assistance to a Covered Person or service provider in committing a UDAAP.¹³

CFPB Activity Involving E-Commerce and Mobile-Financial Services

The Bureau's interest in online commerce grew throughout 2014, resulting in several actions:

1. In June 2014, the Bureau launched an inquiry into the use of mobile-financial services.¹⁴
2. In August 2014, the Bureau released a consumer advisory, warning people about the potential risks associated with bitcoin and other virtual currencies, and began accepting consumer complaints about them.¹⁵
3. In November 2014, the Bureau issued a proposed rule, amending TILA, EFTA, and their implementing regulations (Regulations Z and E), to extend protections to prepaid financial products, which potentially includes certain value-holding accounts and mobile wallets.¹⁶
4. In November 2014, Director Richard Cordray delivered remarks at The Clearing House (TCH), which provides payment-system infrastructure and helps operate the Automated Clearing House (ACH).  He said, in part:

[W]e have concerns that electronic payment systems can be misused to victimize consumers unless banks and the system administrators work to police and enforce safeguards.  * * *  We must shine a light on the murkier corners of electronic payment systems and related practices, and we must be vigilant about preserving consumer protections no matter how these approaches may evolve in the future.¹⁷

1. In December 2014, the Bureau filed a complaint against Sprint in the U.S. District Court for the Southern District of New York, alleging that the company provided credit and payment processing to consumers who bought third-party goods and charged the items on their cellphone accounts.¹⁸

The CFPB has powerful tools at its disposal.  It has only begun to use them to regulate emerging financial products and services.  Arnold & Porter LLP's Financial Services; Telecommunications, Internet, and Media; and Corporate and Securities practice groups will continue to monitor these developments.