Notwithstanding the DOJ’s abandonment of Operation Chokepoint in 2017, the Federal Trade Commission (“FTC”) has continued to treat ISOs as gatekeepers to the payments system, threatening them with liability where they fail to adequately police their merchants—while denying this policy publicly. Yet earlier this month, one ISO took the offensive and, in a groundbreaking move, initiated a preemptive strike against the FTC rather than simply allowing itself to fall victim to these tactics.
On December 5, 2019, Complete Merchant Solutions LLC (“CMS”) filed suit against FTC in the federal district court of Utah—Case No. 2:19-cv-00963-CMR. The Complaint seeks a declaration and injunction to stop the FTC from engaging in conduct that CMS alleges “is not only unfair and harassing but also far beyond the express limitations of its jurisdiction and enforcement powers.”
One Of The Good Guys
CMS is an ISO for acquirers Commercial Bank of California, Chesapeake Bank, Deutsche Bank, Merrick Bank, and Wells Fargo. From soon after its founding in 2008, CMS focused on serving e-commerce businesses and other start-up technology companies. Over the past decade, CMS has grown from a tiny start-up to a highly successful company. CMS has won several awards, been recognized nationally and regionally, has attracted investment from blue-chip equity funds, and provides work for nearly 300 employees and independent contractors, while serving more than 5,500 merchant accounts that together produce over $3 billion in payments annually.
According to its Complaint, since 2013, CMS has maintained a chargeback rate well below the 1% mark. In 2018, CMS’ chargeback rates were just .58% by dollar and .23% by count. CMS employs rigorous underwriting practices, which have led it to decline approximately 16% of merchant applications since 2013. CMS also subscribes to costly merchant-monitoring tools, including G2 and TSYS Fraud, to identify suspicious payment activity, fraud, and other red flags; and also monitors the Mastercard Merchant Online Status Tracking (MOST) system.
A “Barrage” Of CIDs
Nonetheless, CMS alleges that, for the past two years, FTC has directed numerous Civil Investigative Demands (CIDs) to CMS “seeking vast amounts of information relating almost entirely to a handful of business which CMS and its sponsoring banks ceased working with years ago.” In response, CMS has produced over 45,000 documents—totaling over 475,000 pages—responded to numerous interrogatories, and produced multiple employees for depositions.
CMS contends that the evidence produced to FTC shows that: CMS declined applications for 21 merchants responsive to the CID (“responsive merchants”); responsive merchants were 3% of CMS’ total merchants in 2011, declining to only 0.5% in 2016 and 0.08% in 2017; by 2016 and 2017, less than 0.1% of CMS’ processing volume was for responsive merchants; the overwhelming majority of responsive merchants were terminated by CMS before any regulator filed a complaint or subpoenaed CMS; and, of the 37 responsive merchants later involved in FTC enforcement actions, CMS had terminated 34 prior to the time of suit.
Nonetheless, FTC was not satisfied.
FTC Threatens Suit
CMS alleges that, on February 4, 2019, FTC staff informed CMS that they planned to recommend enforcement action and sent CMS’ lawyers a proposed complaint and consent order. The proposed complaint’s theory is that CMS “failed to adequately screen and monitor its merchant-clients,” and thereby misled its sponsoring banks.
According to CMS, the FTC’s proposed consent order directed CMS to:
- Terminate all businesses that use telephones to induce the purchase of goods or services;
- Terminate all businesses that represented that their goods or services would help consumers earn income from home, obtain training or education on how to establish a business or make money from a business, obtain employment for an upfront fee, or obtain government grants or government income, benefits, or scholarships;
- Terminate all businesses that involve a subscription model where consumers have to tell the business to cancel their subscription (that is, every subscription product); and
- Engage in heightened screening of “High Risk Client[s],” a category defined as covering any merchant with more than 15% card-not-present transactions, more than $200,000 in card-not-present transactions a year, or any merchant that sells:
  - Discount buying clubs;
  - Foreclosure protection or guarantees;
  - Lottery sales or sweepstakes;
  - Medical discount benefits packages;
  - Multi-level marketing distribution;
  - Nutraceuticals (a category that includes vitamins);
  - Payment aggregators;
  - Third party payment processors;
  - Penny auctions;
  - Real estate seminars and training programs; and
  - Computer technical support services.
Thus, CMS argues that, under the FTC’s first proposal, CMS would not be able to solicit Amazon as a merchant, because it sells books by Princeton Review about how to get scholarships for college. CMS would not be able to solicit Brigham Young University as a merchant because it has a business school that represents that its services can assist students in starting or running a business. CMS would have to subject CVS or Walmart to heightened scrutiny, because they sell multivitamins. And, CMS would have to subject Best Buy or Apple to heightened scrutiny, because the Geek Squad and the Genius Bar provide computer technical support services.
CMS further alleges that, while the FTC narrowed some of the categories in response to comments from CMS’ attorneys, the FTC indicated that it would insist on a ban on serving businesses that fall into certain categories, including any company (like Amazon) who sells nutraceuticals with an option to purchase via subscription (like Amazon’s “Subscribe and Save” program). The FTC also kept the list of suspect categories requiring heightened scrutiny and monitoring virtually identical apart from moving subscriptions (for all products other than nutraceuticals, which would still be subject to the outright ban), the business-related education and grants categories, and businesses that use telephones to induce sales from the categories subject to an outright ban to one requiring heightened scrutiny. The FTC rejected any further proposal to narrow these categories.
And the FTC sought to set the threshold for chargebacks (which would trigger a duty to “immediately” investigate) at just 55 chargebacks per month, a level well below even the “early warning” thresholds set by the card brand guidelines. What’s more, the FTC’s various draft orders all sought to impose a “strict liability” standard—meaning that CMS could be in violation of the terms of the order without any knowledge of the facts giving rise to that liability.
FTC Overstepping Its Authority
CMS argues that this is not what the law intends and is far beyond any reasonable bounds of the FTC’s authority.
The FTC Act empowers the FTC to police unfair business practices. According to CMS, however, the vague term “unfair” does not confer upon the FTC the power to make banks’ ISOs vicariously liable for failing to prevent merchants from committing fraud. And, the FTC has no authority to eject thousands of law-abiding merchants—which themselves are not the subject of any legal action—from the payment systems on which they depend based on nothing more than the FTC staff’s biases against particular industries.
CMS also points out that the FTC is expressly prohibited from regulating banks, whose relationships with ISOs are regulated by the FDIC and other banking regulators. Thus, CMS argues that FTC is seeking an end-run around this limitation of its authority by going after the ISOs—who act as a sales arm for the acquiring banks, and are there to simply facilitate the connections between merchants and banks, the entities responsible for the processing of merchant transactions.
Accordingly, the Complaint asks the Court to put an end to the FTC’s overreach and threatened legal claims by granting CMS’ request for declaratory relief, and issuing an injunction prohibiting the FTC from bringing (or threatening to bring) any action against CMS in connection with the provision of its ISO services as described herein, premised on a violation of 15 U.S.C. § 45(a) or § 53(b), as such statutes give the FTC no authority to bring such actions.
Why It Matters
This is a bold move by CMS. By filing suit against the FTC rather than waiting for FTC to commence an enforcement action, CMS has taken the initiative and framed the argument on its own terms as a champion of ISOs throughout the payments industry. This challenge is also set against the backdrop of a split among the federal circuit courts as to whether 15 U.S.C. § 53(b)—which codifies section 13(b) of the FTC Act—empowers the FTC to seek monetary relief, including restitution—an issue that has recently put the FTC on its heels in enforcement actions. This lawsuit may represent a blow to FTC’s ability to police ISOs and hold them liable for their merchants’ actions absent strong evidence of complicity.
The industry should also take note that—as evidenced by FTC’s proposed consent order to CMS—all nutraceutical, tech support, and negative continuity merchants, along with the ISOs that extend services to them, remain very much within the FTC’s crosshairs.
Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.