In the first court decision to opine on the “service provider” and “substantial assistance” provisions of the Dodd-Frank Act, a federal district court in Georgia denied a motion to dismiss brought by payments processors that had been sued by the Consumer Financial Protection Bureau for their role in an alleged phantom debt collection scheme. The decision addresses two novel areas of the CFPB’s jurisdiction — its ability to enforce the prohibition against unfair, deceptive, and abusive acts and practices (UDAAPs) against “service providers,” and its ability to go after those individuals and entities that “knowingly or recklessly provide substantial assistance” to the commission of a UDAAP. While grounded in the specific facts pled in the CFPB’s detailed complaint, the opinion nevertheless provides insight into how the federal courts may interpret these provisions, and serves as a warning sign to companies about the importance of implementing robust compliance programs.
The case involves claims by the CFPB that certain individual and corporate defendants engaged in a phantom debt collection scheme by which they threatened and convinced consumers to make payments on debt that was not owed. The court had previously entered a preliminary injunction against the primary defendants who are alleged to have orchestrated the scheme. In addition to suing these primary defendants (the “debt collectors”), the CFPB also sued three payment processors: Global Payments Inc., Pathfinder Payment Solutions Inc. and Frontline Processing Corp.
Global Payments is a payment processor that processed payments for the defendant debt collectors. Pathfinder and Frontline are “independent sales organizations” that allegedly entered into merchant services agreements with a Global Payments subsidiary to market Global Payments’ processing services to merchants and to engage in certain underwriting activities with respect to merchants who applied for accounts to utilize Global Payments’ processing services.
In a detailed, 64-page complaint, the CFPB alleged that the payment processor defendants ignored numerous red flags both in accepting the debt collector defendants as clients and in processing their payments. The factual allegations, which are recounted in detail and were heavily relied upon by the district court, detail how the processors allegedly ignored warning signs in the merchants’ applications, such as use of home addresses for purported business locations, the fact that some of the applications were faxed from a FedEx Office location, the absence of customer service numbers for the businesses, the use of overlapping addresses for different business entities, and the fact that some of the principals of the businesses were ex-felons.
The complaint also contains detailed allegations about red flags that the processors ignored once the debt collectors began processing payments, including the fact that MasterCard had issued a MATCH (MasterCard Alert to Control High-Risk Merchants) about one of the defendants, that Visa had prohibited another defendant from using its network, chargeback rates as high as 31 percent, and detailed consumer disputes concerning fraudulent transactions.
The CFPB asserted both direct and indirect UDAAP claims against the payment processors. For the direct claims, the CFPB asserted that the payment processors were themselves subject to the Dodd-Frank Act’s UDAAP prohibition and that their conduct constituted unfair practices. For the indirect claims, the CFPB asserted that the payment processors had provided “substantial assistance” to the UDAAPs committed by the debt collectors. The payment processors moved to dismiss both sets of claims.
Service Providers, Proximate Cause and Direct Liability
The Dodd-Frank Act renders it unlawful for a “covered person” or a “service provider” to engage in any unfair, deceptive, or abusive act or practice. That is, the act’s UDAAP prohibitions only apply to individuals and entities that are “covered persons” or “service providers.” The CFPB alleged that the payment processors fit both definitions. The district court did not rule on whether the payment processors were covered persons, although it intimated that they were not, noting that the statute’s definition of payment processing (one of several activities that can render a party a “covered person”) requires that the payment processing be provided “to a consumer” and that the CFPB only alleged that the payment processors had offered their services to the debt collectors rather than consumers. Instead, the district court focused on whether the payment processors are appropriately considered “service providers” under the act (and thus directly subject to its UDAAP prohibitions), holding that they are.
The Dodd-Frank Act defines “service provider” as:
any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that — * * *
(ii) processes transactions relating to the consumer financial product or service (other than knowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes).
The statute expressly excludes from the definition of service provider the offering or providing to a covered person of “a support service of a type provided to businesses generally or a similar ministerial service.”
The district court first rejected Pathfinder’s arguments that it was not a service provider because it fit into the exceptions or exclusions noted above, relying on Pathfinder’s role in underwriting merchants, approving their applications and monitoring them for risk. As a result of this conduct, the court rejected Pathfinder’s contention that it merely “process[ed] financial data” or that it engaged only in the ministerial type of activity exempted by Section 5481(26)(B)(i). In reaching this conclusion, the court focused heavily on the statute’s use of the term “ministerial,” apparently reading that adjective into the first part of the exclusion (which speaks only of “a support service of a type provided to businesses generally”). In so doing, the court adopted a narrow view of the exclusion from the definition of “service provider,” reading it as applying only to those support services that require no exercise of discretion or judgment.
An equally plausible reading would have focused on the “provided to businesses generally” clause of the exclusion, which can be read to cover more substantive services if they are not specifically tailored to the consumer financial service being provided. Under this broader reading of the exemption, an ISO such as Pathfinder arguably would not be deemed a service provider if the claims at issue related to services it provided to “businesses generally.” The district court’s construction thus represents an expansive view of the CFPB’s authority with respect to service providers.
Having held the payment processors to be “service providers” subject to the act’s UDAAP prohibitions, the court then turned to whether the complaint sufficiently pled that they had engaged in “unfair” acts or practices. This analysis focused on the question of proximate cause, and whether the payments processors’ alleged acts on behalf of the debt collectors proximately caused the alleged injury to consumers. Relying heavily on the Ninth Circuit’s decision in Federal Trade Commission v. Neovi, the district court held that the payment processors could be held liable for practices that “facilitate, or contribute to, ill intentioned schemes if the injury was a predictable consequence of those actions.” Finding that the complaint alleged sufficient facts to support a conclusion that the harm to consumers was a “predictable consequence of ignoring consumer complaints about unauthorized charges and signs the debt-collection merchants were not legitimate businesses,” the court held that the complaint alleged that the payment processors engaged in acts that proximately caused consumer injury.
The district court’s reliance on FTC precedent in this context is not surprising, as the Dodd- Frank Act’s unfairness prohibition is based on the FTC Act. Unlike Dodd-Frank, however, the FTC Act does not contain a “substantial assistance” provision authorizing enforcement action against secondary actors whose conduct does not directly cause consumer injury. Absent such a provision, it is understandable that courts would adopt a broad reading of the applicability of the substantive legal prohibition, so as to capture secondary actors (like the defendants in Neovi) whose conduct facilitated the underlying legal violation. Dodd-Frank, by contrast, does contain a provision expressly prohibiting knowingly or recklessly providing substantial assistance to the commission of a UDAAP (discussed in greater detail below).
Relying on FTC precedent that imposes primary liability on those who “facilitate, or contribute to, ill intentioned schemes if the injury was a predictable consequence of those actions” serves to collapse the standard for direct UDAAP liability under Dodd-Frank with indirect liability for “knowingly or recklessly providing substantial assistance” to a covered person’s UDAAP conduct. Especially insofar as service providers are concerned, it is hard to see what conduct might constitute knowing or reckless substantial assistance that wouldn’t also meet the standard for primary liability articulated in Neovi and adopted by the district court.
Substantial Assistance, Recklessness and Indirect Liability
In addition to opining on the scope of service provider liability, the court also provided the first judicial gloss on Dodd-Frank’s “substantial assistance” provision applicable to UDAAPs. Section 1036 of the Dodd-Frank Act renders it unlawful for any person to “knowingly or recklessly provide substantial assistance” to a covered person or service provider committing a UDAAP. The CFPB alleged that the payment processors had done just that with respect to the debt collectors’ illegal conduct, and the payment processors moved to dismiss the substantial assistance claims.
Absent directly applicable precedent, the district court looked to cases interpreting a similar substantial assistance provision under Section 20(e) of the Exchange Act of 1934 to ascertain what constitutes “knowing or reckless” substantial assistance. Until it was amended by a separate provision of Dodd-Frank, the Exchange Act provision only prohibited “knowing” substantial assistance. Dodd-Frank added a prohibition on reckless substantial assistance under the Exchange Act and also created the prohibition on knowing or reckless substantial assistance to a UDAAP violation in Section 1036. The CFPB argued that “recklessly” providing substantial assistance must require a lower showing of intentionality than had been required under the pre-Dodd Frank “knowing” standard that then applied to the Exchange Act. The district court disagreed, finding that Congress’ amendment of the Exchange Act to add “reckless” substantial assistance to the Exchange Act was not a substantive change in the law, but merely intended to clarify that actual knowledge was not required. Thus, the court concluded, the same standard that applied to the pre-amendment Exchange Act also applies to the prohibition on “knowingly or recklessly providing substantial assistance” in commission of a UDAAP under Section 1036.
The district court then adopted the Eleventh Circuit’s “severe recklessness” standard:
Severe recklessness is limited to those highly unreasonable omissions or misrepresentations that involve not merely simple or even inexcusable negligence, but an extreme departure from the standards of ordinary care, and that present a danger of misleading buyers or sellers which is either known to the defendant or is so obvious that the defendant must have been aware of it.
While on its face this legal holding might appear to be a victory for the payment processors, they won the proverbial battle only to lose the war. Because — after recounting the detailed allegations in the complaint concerning the payment processors — the district court held that the CFPB’s complaint adequately pled facts meeting this standard. Whether this will be a pyrrhic victory for the CFPB remains to be seen. It succeeded in part because of the detailed factual allegations in the complaint. In so doing, the CFPB set itself a potentially high bar to meet in subsequent cases involving allegations of substantial assistance.
In addition to addressing the question of the requisite intentionality necessary to meet the “knowing or reckless” requirement, the district court also discussed what constitutes “substantial assistance.” As with the question of whether the payment processors could be held directly liable for unfair conduct, this issue turned on the question of causation. Here too, the court looked to precedent in the securities law context, relying on the Second Circuit’s ruling in U.S. Securities and Exchange Commission v. Apuzzo (which interpreted aiding and abetting liability under the Exchange Act) in holding that to plead substantial assistance, the CFPB must allege that “the defendant in some sort associated himself with the venture, that the defendant participated in it as something that he wished to bring about, and that he sought by his action to make it succeed.” Applying this standard, and relying again on the numerous red flags alleged in the complaint, the court held that the payment processors’ conduct was not simply regular business activity of a third party but rather constituted actionable substantial assistance.
In many ways, the court’s analysis of substantial assistance parallels its analysis of the payment processors’ direct liability for unfair conduct as service providers. In both instances, the court was focused on the payment processors’ knowledge of the consequences of their actions and the nature of the service they provided to the debt collectors. And in both instances, the court relied heavily on the allegations of myriad warning signs to distinguish the conduct alleged from that of third parties providing a true arm's-length service to a covered person.
In the direct liability context, the questions were couched as whether the payment processors were service providers performing more than ministerial tasks and whether their conduct was the proximate cause of consumer harm. In the substantial assistance context, the questions were couched as whether the payment processors acted “knowingly or recklessly” and whether their conduct constituted “substantial assistance.” In both cases, however, the court’s analysis ultimately focused on the nature of the services provided by the payment processors and the detailed allegations of warning signs that the payment processors ignored. Those facts underpinned the court’s conclusions with respect to all of these issues, and allowed the court to conclude that application of both the “service provider” and “substantial assistance” provisions were appropriate in this case, even though they may not be in the case of other third parties providing a service (or “assistance”) to a covered person.
Because of the robustness of the CFPB’s allegations, the court was not forced to make difficult decisions about the outer edges of the CFPB’s authority. In this respect, the CFPB chose wisely, bringing a well-pled case to begin developing precedent in this area. On the other hand, the CFPB has set itself a high bar in this regard for future cases.
The practical takeaways of the case are more clear than the legal takeaways: the CFPB will seek to hold secondary actors responsible for their role in allegedly illegal conduct and entities should take steps to protect themselves from liability. Those steps should include robust compliance systems designed to detect and act upon counterparty risk, as well as a culture of compliance that recognizes the new legal regime that seeks to hold companies to a heightened standard of care.
 12 U.S.C. § 5481(26)(A).
 12 U.S.C. § 5481(26)(B)(i).
 604 F.3d 1150 (9th Cir. 2010).
 Opinion at 54 (quoting Neovi, 604 F.3d at 1156).
 Opinion at 22, quoting Woods v. Barnett Bank of Ft. Lauderdale, 765 F.2d 1004, 1010 (11th Cir. 1985) (quoting Broad v. Rockwell International Corp., 642 F.2d 929, 961-62 (5th Cir. 1981)).
 689 F.2d 204 (2d Cir. 2012).
 Opinion at 38, quoting Apuzzo, 689 F.3d at 212 (quoting United States v. Peoni, 100 F.2d 401, 402 (2d Cir, 1938)).