Financial Services Law

PayPal to Pay $25M to Resolve CFPB Allegations of “Abusive” Conduct in First Action Against Online Payments Company

Why it matters

In a not-unexpected announcement, the Consumer Financial Protection Bureau (CFPB) revealed a $25 million settlement with PayPal resolving allegations that the company illegally signed consumers up for its online credit product. The CFPB alleged that PayPal deceptively marketed and illegally registered consumers in PayPal Credit (formerly known as Bill Me Later), a line of credit that could be used when making an online payment. But the CFPB went further and charged that PayPal’s conduct was not just deceptive but abusive, asserting that the terms of PayPal Credit relating to deferred-interest promotions were unclear or that consumers were given misinformation, so that consumers “could not protect their interests” in using the product, which Dodd-Frank establishes as one form of abusive conduct. The CFPB has not defined abusive conduct by regulation; instead, the parameters of what the CFPB may view as abusive are developing slowly through actions like this one against PayPal. Because allegations of abusive conduct turn on numerous facts, this approach continues to leave financial services providers uncertain as to which practices the CFPB may claim are abusive. Industry should also take note that this was the Bureau’s first public action against an online payments company. “Online shopping has become a way of life for many Americans and it’s important that they are treated fairly,” CFPB Director Richard Cordray said in a statement. “The CFPB’s action should send a signal that consumers are protected whether they are opening their wallets or clicking online to make a purchase.”

Detailed discussion

The recently announced $25 million settlement between the Consumer Financial Protection Bureau (CFPB) and PayPal, Inc., began years ago.

In 2013, eBay—which acquired PayPal for $1.5 billion in 2002 and Bill Me Later, Inc. (later renamed PayPal Credit) for $945 million in 2008—revealed in a filing with the Securities and Exchange Commission (SEC) that the CFPB had launched an investigation into the Bill Me Later feature.

While the Bureau declined to take public action at that point, the company disclosed in SEC filings in August 2014 and again in January 2015 that the CFPB made additional Civil Investigative Demands requesting testimony and documents from PayPal about Bill Me Later.

Ending all the speculation, the CFPB filed a complaint and proposed consent order in federal court, alleging that PayPal deceptively advertised promotional benefits that the company did not honor, signed users up for credit without their permission, forced them to use PayPal Credit in lieu of other options, and mishandled billing disputes.

Consumers can use PayPal Credit to pay for online and other purchases as it operates as a line of credit, incurring interest, late fees, and other charges. Enrollment in PayPal Credit typically occurs when consumers are purchasing a good or service online or when creating a PayPal account, the CFPB explained.

The Bureau alleged that since 2008, “many consumers” were signed up for PayPal Credit without realizing it, sometimes during the process of enrollment or while making a purchase. Some consumers only found out after a credit report inquiry or receiving a debt collection call for amounts past due.

According to the complaint, the company automatically set or preselected PayPal Credit as the default payment method for all purchases made through PayPal so that consumers were unable to select another payment method. Late fees and interest were charged to some consumers who were unaware they had made a purchase with PayPal Credit, the CFPB said.

The CFPB further alleged that PayPal failed to honor advertised promotions—such as a promised $5 or $10 credit toward consumer purchases—and abusively charged consumers deferred interest. In some instances, the Bureau said, PayPal offered consumers limited-time, deferred-interest promotions and told users they would be able to choose how payments were applied to the promotional balances. But consumers who attempted to follow up with the company or ask how to apply their payments were unable to make contact or were given inaccurate information, leading to deferred-interest charges. The CFPB asserted that consumers were therefore unable to protect their interests in selecting and using PayPal Credit, which Dodd-Frank identifies as an example of “abusive” conduct.

Other problems with the product: The company failed to properly post payments (sometimes taking more than a week to process a check), lost payment checks, neglected to remove late fees and interest charges due to website failures, and mishandled billing disputes, the CFPB said.

To settle the allegations, the parties agreed to a consent order. PayPal will reimburse affected consumers to the tune of $15 million as well as improve its consumer disclosures for PayPal Credit enrollment and use of the product. The company will also pay $10 million to the CFPB’s Civil Penalty Fund.

To read the complaint in CFPB v. PayPal, Inc., click here.

To read the proposed consent order, click here.

Comptroller Supports More CRA Credit for Small Business Lending while CRA Protests Continue to Stall M&A Deals

Why it matters

In recent remarks at the State Small Business Credit Initiative Conference, Comptroller of the Currency Thomas J. Curry discussed the state of small business credit programs, emphasizing the “crucial role that small businesses play in creating jobs and stimulating the health of our economy.” Comptroller Curry gave a shout out to community banks, which “play a very significant role” in providing small business credit. Smaller community banks with less than $1 billion in assets made one-third of outstanding bank loans to small businesses, he said, citing figures from the Independent Community Bankers of America, and midsize community banks with less than $10 billion in assets made another 18 percent of outstanding bank loans to small businesses.

The Comptroller addressed pending changes to the federal bank agencies’ guidance under the Community Reinvestment Act (CRA) proposed last September, including the addition of loans to or investments in Community Development Financial Institutions (CDFIs) that finance small businesses or small farms as activities presumed to support economic development. The agencies have also proposed that the guidance provide more detail and additional examples of activities that “promote economic development” when certain small business loans and investments are assessed. “It is our goal that, once finalized, this CRA guidance will encourage banks to engage in more economic development activities that strengthen small businesses,” Curry told attendees.

Unfortunately, the generally broad support by the banking agencies for community banks’ CRA compliance has not deterred some community activist groups from demanding increased donations and public disclosure of future competitive plans for CRA compliance as quid pro quo for receiving their nonobjection to even modest community bank mergers.

Detailed discussion

Comptroller of the Currency Thomas J. Curry recently celebrated the importance of small businesses to the U.S. economy and provided his perspective on small business lending. Working collaboratively with the Department of the Treasury, the Office of the Comptroller of the Currency (OCC) is seeking to broaden banks’ awareness of the State Small Business Credit Initiative (SSBCI), he told attendees of the annual conference. As part of those efforts, the OCC has developed a publication to help banks identify opportunities for small business lending and, together with the Federal Deposit Insurance Corporation (FDIC), released a Frequently Asked Questions document.

Enacted as part of the Small Business Jobs Act, the program encourages banks to make loans to small businesses. “The SSBCI program has been particularly effective because it focuses on results,” Curry said. “SSBCI has supported over 12,000 transactions and for every $1 in federal funding, $7.40 has been generated in private lending or investment.”

Despite these statements, Curry recognized that banks are concerned about how regulators will view loans made under such programs that might not otherwise meet the bank’s standard underwriting guidelines. “The OCC has emphasized in our guidance that as long as a bank’s actions reflected a prudent, comprehensive review of a borrower’s financial condition, generally, the bank would not be subject to supervisory criticism for participating in an SSBCI program,” he explained. The agency “also expects banks to ensure that their participation in the SSBCI or other federal small business programs is consistent with, and supports, their institution’s overall strategic goals and objectives.”

To encourage participation in the SSBCI program, the OCC intends to step up its outreach and training, Curry said. In addition to having examiners speak to their banks about small business lending opportunities, the agency proposed some tweaks to its guidance under the Community Reinvestment Act (CRA).

The CRA, enacted in 1977, encourages banks to meet the credit needs of all community members, including residents of low- and moderate-income neighborhoods. Financial institutions periodically receive ratings from federal regulators on their CRA compliance, which “is important both as a matter of public reputation and for a variety of business reasons,” Curry said. The banks’ ratings, which the agencies are required by the CRA to consider when approving bank merger applications, take into account donations, the investment and service tests, and how well a bank is meeting the lending needs of its communities. While the banking agencies must remain neutral in processing merger application protests by community groups, they have rarely found that protesting groups identified CRA compliance shortcomings that should prohibit a proposed merger. Instead, acquiring banks generally enter into enhanced cooperation agreements with the protesting community groups, which sometimes include increased commitments of funds to remedy assertions the community groups made in public correspondence. The experience of Banc of California, covered in the banking press in 2014, is an example of such encounters.

Bankers have expressed to the OCC that the existing CRA guidance was deterring some types of economic development activity, in particular providing financing to Community Development Financial Institutions (CDFIs) and other financial intermediaries that assist start-up businesses. Last September, the OCC and other federal agencies proposed changes to the CRA guidance that the regulators hope will spur greater funding for CDFIs and small businesses. Curry told attendees the proposed changes would add more detail and additional examples of activities that “promote economic development,” and add loans to or investments in CDFIs that finance small businesses or small farms to the list of activities that are presumed to support economic development. “It is our goal that, once finalized, this CRA guidance will encourage banks to engage in more economic development activities that strengthen small businesses,” Curry said.

The Comptroller also highlighted the Service Test for providing small businesses with technical assistance on financial matters as another route for banks to receive CRA consideration. A bank may not be able to approve a loan for a small business applicant, Curry said. But the bank can still receive CRA consideration for providing technical assistance directly to a small business owner or for providing financial support to a partner that will help the small business owner improve business operations to become more bankable.

“Instead of simply saying ‘No,’ a bank can help a small business owner improve the chances of getting to ‘Yes,’ ” Curry said. After receiving technical assistance, the small business owner can then be referred back to the bank, a financial intermediary (such as a CDFI), or another bank participating in SSBCI programs, he added.

To read Comptroller Curry’s prepared remarks, click here.

The 2014 supplemental guidance proposed by the federal banking agencies is linked here.

FFIEC: Beware Cyber Attacks, Destructive Malware

Why it matters

In a pair of joint statements, the Federal Financial Institutions Examination Council (FFIEC) cautioned financial institutions about cyber attacks compromising credentials and destructive malware. The member agencies reiterated the importance of risk mitigation techniques such as ongoing information security risk assessments, security monitoring, the implementation and testing of controls around critical systems on a regular basis, and conducting awareness and training programs for employees. The FFIEC noted that the days of IT specialists exclusively handling cybersecurity concerns are over, with expectations that management take the necessary steps “to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber attack.” The regulators also encouraged participation in industry information sharing forums, which “can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks involving destructive malware on its systems.” While the joint statements did not establish new regulatory obligations, financial institutions should review the FFIEC’s alerts and ensure that their data security is in line with the best practices presented in the documents.

Detailed discussion

Financial institutions, take note: Cyber attacks compromising credentials and destructive malware are presenting serious risks, the Federal Financial Institutions Examination Council (FFIEC) warned in a pair of joint statements.

Alerting banks to cyber attacks compromising credentials, the member groups—the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee—noted “an ongoing and increasing trend” by cyber criminals to obtain large volumes of credentials.

Criminals steal passwords, user names, and e-mail addresses and use them to authenticate themselves to systems or to steal further system credentials. The theft of each type of credential presents different risks, the FFIEC said: a customer’s account information enables fraud and identity theft, while employee credentials give access to internal systems, with possibilities such as system disruption or modification and the destruction or corruption of data.

How to mitigate risk?

While the statements did not purport to contain any new regulatory expectations (referring financial institutions to the FFIEC Information Technology Examination Handbook, the Interagency Guidelines Establishing Information Security Standards, and the Guidance and Supplement on Authentication in an Internet Banking Environment for specific guidance), the FFIEC did offer some best practices.

“Financial institutions should design multiple layers of security controls to establish several lines of defense,” the regulators wrote, with consideration of additional steps such as:

  • Information security risk assessments. Assessments should be conducted on an ongoing basis to consider new and evolving threats, the FFIEC advised. “Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures.” Third-party service providers should also be subject to regular testing of their security controls and contractually obligated to provide security incident reports when issues arise.
  • Security monitoring, prevention, and risk mitigation. Financial institutions should first establish a baseline environment to enable the ability to detect anomalous behavior, with monitoring of protection and detection systems and firewalls to follow. Penetration testing and vulnerability scans should be conducted as necessary and vulnerabilities managed promptly.
  • Unauthorized access. To mitigate risk, the number of credentials—particularly those with elevated privileges—should be limited, with periodic reviews to ensure approvals are appropriate to job function. Stringent expiration periods for unused credentials should be established, as well as authentication rules with multifactor protocols for web-based control panels. Secure connections for remote access of systems and regular changes to the default password and settings for credentials will also help, the FFIEC said.
  • Controls for critical systems. Appropriate controls for critical systems (such as access control, segregation of duties, and fraud detection systems) should be reviewed and tested regularly, with results reported to senior management and the board of directors if necessary. Data in transit—and where appropriate, at rest—should be encrypted and the number of sign-on attempts for critical systems limited and locked after thresholds are exceeded.
  • Security awareness and training. “Conduct regular, mandatory information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts,” according to the FFIEC. “Ensure training reflects the functions performed by employees.”
  • Information sharing forums. Because threats and tactics can change rapidly, participation in forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) “can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks,” according to the statement.
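The FFIEC states these controls as policy rather than as procedures. As an added example (not code from the FFIEC, from the agencies, or from this newsletter), the Python script below applies three of the items in the list above to constructed data: it flags credentials unused beyond an expiration period and the subset with elevated privileges (unauthorized access), lists control-panel users who lack multifactor authentication (unauthorized access), and finds host/user pairs whose failed sign-ons exceed a lockout threshold on a critical system (controls for critical systems). The thresholds, account names, hosts, and log lines are all assumptions made for the example; the FFIEC statements set no specific numbers.

```python
"""Added example, not code from the FFIEC or the original article: a small
review script for three of the controls listed above, run over constructed
sample data. Thresholds, account names, hosts and log lines are all invented
for illustration; the FFIEC statements set no specific numbers."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds (assumed for the example, not FFIEC-mandated values).
DORMANT_DAYS = 90                       # unused credentials older than this are flagged
LOCKOUT_FAILURES = 5                    # failed sign-ons on a critical system before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)  # failures must fall within this window to count
NOW = datetime(2015, 3, 2, 12, 0, 0)    # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class Account:
    user: str
    privileged: bool        # elevated privileges (FFIEC: keep these to a minimum)
    last_login: datetime
    mfa_enrolled: bool
    control_panel: bool     # can sign in to a web-based administrative control panel


# Constructed sample directory export (hypothetical users).
ACCOUNTS = [
    Account("alice", True,  datetime(2015, 2, 28),  True,  True),
    Account("bob",   False, datetime(2014, 11, 1),  False, False),
    Account("carol", True,  datetime(2014, 10, 15), False, True),
    Account("dave",  False, datetime(2015, 1, 15),  False, True),
]

# Constructed sample authentication log for a critical system and a VPN.
AUTH_LOG = """\
2015-03-01T09:00:01 host=core-banking user=jdoe result=FAIL src=10.1.1.5
2015-03-01T09:00:45 host=core-banking user=jdoe result=FAIL src=10.1.1.5
2015-03-01T09:01:30 host=core-banking user=jdoe result=FAIL src=10.1.1.5
2015-03-01T09:02:10 host=core-banking user=jdoe result=FAIL src=10.1.1.5
2015-03-01T09:02:30 host=core-banking user=asmith result=FAIL src=10.1.2.9
2015-03-01T09:02:40 host=core-banking user=asmith result=FAIL src=10.1.2.9
2015-03-01T09:02:55 host=core-banking user=asmith result=OK src=10.1.2.9
2015-03-01T09:03:05 host=core-banking user=jdoe result=FAIL src=10.1.1.5
2015-03-01T09:00:00 host=vpn user=svc-backup result=FAIL src=203.0.113.7
2015-03-01T09:30:00 host=vpn user=svc-backup result=FAIL src=203.0.113.7
2015-03-01T10:00:00 host=vpn user=svc-backup result=FAIL src=203.0.113.7
2015-03-01T10:30:00 host=vpn user=svc-backup result=FAIL src=203.0.113.7
2015-03-01T11:00:00 host=vpn user=svc-backup result=FAIL src=203.0.113.7
""".splitlines()


def dormant_accounts(accounts=ACCOUNTS, now=NOW, dormant_days=DORMANT_DAYS):
    """Credentials unused for more than dormant_days: candidates for expiry."""
    return sorted(a.user for a in accounts if (now - a.last_login).days > dormant_days)


def dormant_privileged(accounts=ACCOUNTS, now=NOW, dormant_days=DORMANT_DAYS):
    """The subset of dormant credentials that also carry elevated privileges."""
    dormant = set(dormant_accounts(accounts, now, dormant_days))
    return sorted(a.user for a in accounts if a.privileged and a.user in dormant)


def control_panel_without_mfa(accounts=ACCOUNTS):
    """Control-panel users who are not enrolled in multifactor authentication."""
    return sorted(a.user for a in accounts if a.control_panel and not a.mfa_enrolled)


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict; the timestamp is under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def lockout_candidates(lines=AUTH_LOG, threshold=LOCKOUT_FAILURES, window=LOCKOUT_WINDOW):
    """(host, user) pairs that reach `threshold` failed sign-ons within `window`.

    Failures are counted per host/user in a sliding window, so five failures
    spread over two hours do not trigger a lockout while five in three minutes do.
    A successful sign-on resets the counter, mirroring common lockout semantics.
    """
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    recent = defaultdict(list)
    locked = set()
    for rec in records:
        key = (rec["host"], rec["user"])
        if rec["result"] != "FAIL":
            recent[key].clear()
            continue
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.pop(0)                      # drop failures that fell out of the window
        if len(q) >= threshold:
            locked.add(key)
    return sorted(locked)


if __name__ == "__main__":
    print("dormant credentials:", dormant_accounts())
    print("dormant privileged credentials:", dormant_privileged())
    print("control-panel users without MFA:", control_panel_without_mfa())
    print("lockout candidates:", lockout_candidates())
```

Run as a script, the example reports `bob` and `carol` as dormant (with `carol` also privileged), `carol` and `dave` as control-panel users without MFA, and `("core-banking", "jdoe")` as the only lockout candidate: `asmith` succeeds after two failures and `svc-backup` spreads its failures too widely to fall inside the window. In a real review the account list would come from a directory export and the log lines from the institution's authentication sources, and the results would feed the periodic access review and the reporting to senior management that the FFIEC describes.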

A second joint statement warned institutions specifically about the dangers of destructive malware, which can be introduced into systems from employees downloading attachments, connecting external drives, or visiting compromised websites.

“An institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber attack involving destructive malware,” the FFIEC said. “A financial institution should develop appropriate processes that enable recovery of data and business operations and that address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber attack. This should include the ability to protect offline data backups from destructive malware.”

Much of the advice presented in the cyber attack statement was reiterated by the FFIEC, including securely configuring systems and services; reviewing, updating, and testing incident response and business continuity plans; conducting ongoing information security risk assessments; performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access; the implementation and regular testing of controls around critical systems; enhanced information security awareness and training programs; and participation in industry information-sharing forums.

To read the statement on Cyber Attacks Compromising Credentials, click here.

To read the FFIEC statement on Destructive Malware, click here.

FinCEN Enforcement and Regulatory Focus—Transparency in Real Estate Transactions, Virtual Currency and More

Why it matters

Transparency in the financial system was underscored as a key focus for the Financial Crimes Enforcement Network (FinCEN) by Director Jennifer Shasky Calvery in a speech before the West Coast AML Forum in May. Emphasizing the value of the partnership between the government and the industry in keeping illicit actors out of the financial system, she outlined her agency’s recent efforts to create more transparency in the virtual currency space with the agency’s first enforcement action against a virtual currency company, her concerns about the lack of transparency in real estate transactions because of the use of shell companies, and the threat from third-party money launderers (3PMLs) who help criminal organizations gain access to the financial system. She also provided an update on FinCEN’s proposed beneficial ownership rule.

Detailed discussion

With a goal to ensure “an appropriate level of transparency in our financial system,” the director of the Financial Crimes Enforcement Network (FinCEN), Jennifer Shasky Calvery, outlined at the West Coast Anti-Money Laundering Forum several areas in which the regulator “has been harnessing its authorities.”

First up: efforts in the virtual currency space. Calvery highlighted FinCEN’s first civil enforcement action against a virtual currency business, Ripple Labs. FinCEN, which coordinated the action with the Department of Justice, ordered the company and a subsidiary to pay a $700,000 civil money penalty (CMP) for failing to register as a money services business, comply with certain reporting requirements, and implement an effective anti-money laundering (AML) compliance program, and to undertake certain remedial actions. The CMP was partially offset by a $450,000 asset forfeiture to the DOJ.

“Virtual currency exchangers—like all members of regulated industry—must bring products to market that comply with our anti-money laundering laws,” Calvery said. “Innovation is laudable but only as long as it does not unreasonably expose our financial system to tech-smart criminals eager to abuse the latest and most complex products.”

FinCEN “regularly” engages with the virtual currency industry through administrative rulings and outreach efforts, Calvery explained, and recently launched a series of supervisory examinations of businesses in the industry “working closely” with “our delegated” Bank Secrecy Act (BSA) examiners at the Internal Revenue Service. “[T]hese exams will help FinCEN determine whether virtual currency exchangers and administrators are meeting their compliance obligations under the applicable rules.”

Key elements of the Ripple order that she cited were (1) compliance with the Funds Transfer and Funds Travel Rule for transactions of $3000 or more, and (2) a three-year “look-back” of records to identify and report “overdue” suspicious activity.

Another area Calvery identified as in need of transparency: The use of real estate—particularly shell companies used to purchase high-value properties—“has been a recurring theme throughout my professional career,” she noted, from transnational criminal organizations purchasing personal residences in large cities throughout the United States in the 1990s to the “endemic” use of narcotics proceeds to fund the purchase of luxury real estate in Miami.

The laundering of funds through real estate is a mainstay, Calvery told attendees. “Through our analysis of BSA reporting and other information, FinCEN continues to see the use of shell companies by international corrupt politicians, drug traffickers, and other criminals to purchase luxury residential real estate in cash,” she said. Wire transfers originating from banks in offshore havens provide the funds for the real estate purchase, which is made in the name of a shell company to obfuscate the identity of the owner.

Calvery noted that the BSA established AML obligations for financial institutions involved in real estate transactions. “By including these businesses in the BSA’s definition of financial institution, Congress acknowledged the potential money laundering and financial crime risks in the real estate industry,” Calvery said.

In light of Congress’s mandate, FinCEN has established AML requirements for nonbank residential mortgage lenders and originators and has seriously considered issuing rules for the broader category of “persons involved in real estate closings and settlements.” In 2003, the regulator published an advance notice of proposed rulemaking to solicit comment on the issue and on the scope of coverage for settlement and closing attorneys and agents, appraisers, title search and insurance companies, escrow companies, and possibly mortgage servicers and corporate service providers. But based on the comments received, FinCEN elected not to move forward “until we better identified the money laundering risks and activities involved.”

“So, even today, FinCEN’s task remains: to define the money laundering risks associated with certain persons involved in real estate closings and settlements, and consider appropriate initiatives to address these risks,” Calvery said. “Outreach and engagement with our regulatory, law enforcement, and real estate industry partners will be an important component of our efforts as we determine if additional AML requirements are needed.”

In the meantime, “an area of particular focus” remains greater transparency of beneficial ownership information to make it harder for criminals to hide their purchases of real estate through the use of shell companies. That focus brought Calvery to two other priorities for FinCEN: third-party money launderers and the issue of beneficial ownership.

3PMLs—including professional gatekeepers like attorneys and accountants—are used by criminals to gain access to financial institutions. A wide variety of schemes and methods are used, including shell companies and shelf corporations, layering financial transactions, and exerting improper influence on employees in financial institutions.

“FinCEN will pursue financial institutions that we believe facilitate third-party money laundering activity,” Calvery promised, citing an action earlier this year against Banca Privada d’Andorra charging that the bank facilitated transactions for 3PMLs involved in organized crime, corruption, smuggling, and fraud. “We cannot permit institutions and their associated 3PMLs to act as gateways to the U.S. financial system for criminal and other bad actors.”

Calvery also provided an update on FinCEN’s rulemaking on beneficial ownership “to help prevent the use of shell and shelf companies to engage in or launder the proceeds of illegal activity in the U.S. financial sector.”

“As proposed, the rule would clarify and strengthen customer due diligence obligations of banks and other financial institutions, including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities,” Calvery detailed. “The proposed amendments would add a new requirement that these entities know and verify the identities of the real people who own, control, and profit from the companies they service.”

Since the public comment period on the proposed regulation closed last October, FinCEN has been reviewing the 126 comments received and is considering the next step in the process. “We want to get this right,” Calvery emphasized.

To read the prepared remarks, click here.

Industry Weighs In on Data Security, Cybersecurity Legislation

Why it matters

Members of the financial industry were able to share their positions and voice concerns at a recent hearing held by the House Committee on Financial Services. Discussing “Protecting Consumers: Financial Data Security in the Age of Computer Hackers,” representatives from the Financial Services Roundtable, the Electronic Transactions Association, and the PCI Security Standards Council (as well as a voice from the retail industry and the tech sector) talked about the elements of the multiple data security and privacy bills currently pending before Congress. While the speakers agreed that federal legislation would prove beneficial to counter the current patchwork of state laws, disagreement arose about the scope of federal preemption. Testimony also covered ways to mitigate the risk of data breaches, ranging from the use of tokenization to industry-specific cyber threat information sharing. The hearing gave industry the chance to present its perspectives; what lawmakers do with the information remains to be seen.

Detailed discussion

Continuing the legislative focus on data security and privacy, the House Committee on Financial Services held a hearing on “Protecting Consumers: Financial Data Security in the Age of Computer Hackers.”

With two bills having passed in the House already this term, lawmakers offered industry a platform to voice concerns and provide insight and analysis on its increasingly scrutinized practices. Former Governor Tim Pawlenty (now head of the Financial Services Roundtable) joined Laura Moy of the Open Technology Institute, Retail Industry Leaders Association (RILA) representative Brian Dodge, Jason Oxman of the Electronic Transactions Association (ETA), and PCI Security Standards Council representative Stephen Orfei in testifying at the hearing.

For the most part, Pawlenty and Moy were in agreement that federal legislation is necessary to help regulate the protection of consumer data; Moy also took the position that state laws with higher standards should not be preempted by a federal bill, with states allowed to adopt higher standards (similar to the healthcare industry and the Health Insurance Portability and Accountability Act).

While the ETA acknowledged that federal “legislation that creates uniform, national data breach and data protection standards that are industry neutral” was necessary, Oxman countered that any bill should completely preempt state law. RILA representative Dodge agreed. “RILA supports federal data breach notification legislation that is practical, proportional, and sets a single national standard that replaces the often incongruous and confusing patchwork of state laws in place today [to] reduce the state-level burden on interstate commerce,” he told the legislators.

ETA used forensic data to support the position that some straightforward technology solutions could prevent many data breach incidents—point-to-point encryption, EMV chip cards, and tokenization—along with public-private information sharing to help secure consumer data. Oxman’s endorsement of encryption sits at odds with recent statements by law enforcement agencies arguing against corporate end-to-end encryption. He attributed many information compromises to weak third-party security, a lack of network segmentation, misconfiguration, and poor password protection.

The Federal Trade Commission (FTC)—the agency tasked with oversight and enforcement of many privacy and data security standards and statutes in the United States—was highlighted by RILA as the preferred authority on mandating data breach response and penalty enforcement over Congress or state statutes. Dodge cited the FTC’s consent decrees as meaningful proxies for law enforcement on data security.

RILA also pointed to self-regulatory initiatives in the data security ecosystem, such as the formation of the Retail Cyber Intelligence Sharing Center (R-CISC), and identified the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a platform for sharing cyber threat information. “Key to this effort is the ability to design systems to meet actual threats rather than potentially outdated cybersecurity standards that may be enshrined in law,” Dodge testified, adding that “development of any technical cybersecurity standards beyond a mandate for reasonable security must be voluntary and industry-led.”

Orfei of the PCI Security Standards Council echoed the support for industry-developed standards that are responsive to the community (its membership of payment card companies and consumers alike), but cautioned that “there is no silver bullet to securing payment card data.” Public-private information sharing was another cornerstone of Orfei’s position.

Pawlenty suggested that improved technology solutions such as global adoption of EMV and tokenization could certainly mitigate breach risk. He also took a strong position on data security. “Congress should pass legislation creating a strong, meaningful data security requirement for all companies that handle sensitive customer information but currently have no federal requirement to protect it,” Pawlenty advocated. With respect to the enactment of a data security law, any legislation should “create a framework of complementary federal requirements and self-regulatory standards, such as those put forth by the PCI Security Standards Council,” he added.

ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved