FTC Hammers Offshore Processor for “Unfairly” Enabling Deceptive Free Trials

We think of the Federal Trade Commission as an anti-deception agency, and it is just that.  The vast majority of its cases are brought against deceptive business practices.  By statute, however, the FTC is also empowered to prevent practices that are “unfair.” This authority comes in handy when the FTC may not be able to make a deception charge stick.  It is a particularly convenient tool to use against third parties who allegedly facilitate deception but are not involved in the deceptive conduct itself and may be able to defeat a deception count on that ground.       

As interpreted by the FTC, a business act or practice is unfair if it: (a) causes substantial consumer injury; (b) the injury is not “reasonably avoidable;” and (c) the injury is not outweighed by any benefit to consumers or competition.  This standard has been upheld against third party facilitators of consumer deception, including payment processors.  In the 2009 case of FTC v. Interbill, Ltd. et al, a federal district court found that a processor engaged in unfair conduct by processing sales that resulted in substantial and unavoidable consumer injury with knowledge that the merchant was billing consumers without authorization.  The court ordered redress of $1.7 million and prohibited Interbill from processing unless it first conducted a “reasonable investigation” of a prospective client and instituted a compliance monitoring system.   

Since Interbill, the FTC, using its unfairness authority, has obtained more settlements against payment processors for facilitating consumer fraud or deception by their merchant clients.  Last month, extending its global reach over the payments industry, it announced a settlement of charges it had brought against a Latvian-based processor, SIA Transact Pro, and its owner, for processing allegedly deceptive and unauthorized free trial negative option offers for dietary supplements and personal care products sold by a U.S. company, Apex Capital Group, which had previously settled with the FTC. In an amended complaint adding the Transact Pro defendants to the case, the FTC alleged that they committed unfair acts by engaging in “credit card laundering” by providing processing for dozens of shell companies fronting for Apex, and by helping Apex evade excessive chargeback monitoring, resulting in substantial and unavoidable consumer injury.   

After failing to knock out the complaint on jurisdictional grounds (the court having found sufficient contacts between defendants and the U.S. even though the company is in Latvia and the owner is a Latvian citizen), Transact Pro, to settle, agreed to pay $3.5 million.  Equally if not even more significantly, it also agreed to a truly startling set of restrictions on its business – more sweeping and intrusive than in any previous FTC payment processor settlement.  They include categorical bans on payment processing for: negative option and free trial offers; several specifically named verticals; and merchants on the MATCH list for excessive chargebacks or fraud.  Also imposed are a ban on credit card laundering and numerous merchant account practice prohibitions, including on misrepresentations, use of shells and nominees to obtain processing, and “load balancing,” transaction splitting and “microtransactions” to evade fraud and risk monitoring.  Most striking of all, however, are a set of incredibly detailed and prescriptive requirements for screening and monitoring of “high-risk” and other “covered” merchant clients. A “high-risk” client is one who processes 15% or more “Card Not Present” transactions generating $500,000 or more in revenue.  A “covered client” is anyone doing business in one or more of 15 named verticals or who sells through outbound telemarketing.

The screening requirements include obtaining: (1) exact information on clients’ owners and controlling persons; (2) a list of all business and trade names and websites used in marketing; (3) the name of every acquiring bank and payment processor used in the preceding two years, and all merchant identification numbers used; (4) past chargeback rate and total return rate (for ACH or RCPO transactions) for the preceding 3 months and estimates of future rates; (5) trade and bank references; and (6) whether the client has ever been placed in a chargeback monitoring program in the preceding 2 years or been the subject of an FTC or other law enforcement agency complaint.  Defendants must also take reasonable steps to assess the accuracy of the information, including reviewing: the client’s websites; recent monthly processing statements; and marketing materials. They must reject any client who appears to be engaged in deceptive marketing or billing practices.

The monitoring requirements include: (i) seeing if current clients are “high-risk” and, if so, promptly screening them as required; (ii) regularly reviewing all such clients’ websites, chargeback rates and total return rates; (iii) regularly calculating and updating their chargeback and total return rates; (iv) immediately stopping processing and closing all accounts for any “covered client” whose total return rate exceeds 2.5% and whose total number of returned ACH Debit or RCPO transactions exceeds 50; or whose monthly chargeback rate exceeds 1% and whose total chargebacks exceed 50 in 2 of the past 6 months; (v) immediately conducting an exhaustive investigation of any “high-risk” client, excluding a covered client, whose total return rate exceeds 2.5% and whose total number of returned ACH Debit or RCPO transactions in any month exceeds 50; or whose monthly chargeback rate exceeds 1% and whose total chargebacks exceed 50 in 2 of the past 6 months; (vi) stopping processing and closing all accounts for any such investigated high-risk client within 60 days, unless defendants establish, by clear and convincing evidence, the absence of an FTC violation; and (vii) immediately stopping processing and closing all accounts where defendants know or should know the client is engaged in fraud and risk monitoring evasion.

Transact Pro is the latest but surely not the last reminder that payment processors continue to have a big FTC bullseye on their chests and that those located offshore are not beyond the FTC’s reach.  It is also a warning that if they don’t redouble their risk underwriting and monitoring efforts voluntarily, the FTC is more than ready to impose its own set of onerous and laborious due diligence measures, of the type that Transact Pro is now under a federal court order to conduct.

Is the FTC’s Most Fearsome Power Now in Peril Before the Supreme Court?

The thunderbolt that struck the Federal Trade Commission last August still reverberates, with the full impact of its force still to be determined.

As I wrote then (“In Historic Ruling, 7th Circuit Bars FTC Money Claims”), the thunderbolt was a decision by the Seventh Circuit Court of Appeals, in FTC v. Credit Bureau Center et al., that rejected decades of FTC jurisprudence to hold that the FTC lacks the authority to obtain a monetary judgment against alleged violators in federal court.  Reversing the district court, the Seventh Circuit held that Section 13(b) of the FTC Act, the relevant statutory provision, expressly authorizes only injunctions and does not implicitly authorize equitable monetary relief, such as disgorgement or restitution.  The individual defendant in the case, who had been ordered to pay $5.2 million after being found liable for deceptively promoting a credit monitoring service, now owes nothing.

The decision was a thunderbolt for two reasons.  One, for nearly 40 years, dating to the decision by the Ninth Circuit Court of Appeals in FTC v. H.N. Singer in 1982, the unanimous judicial consensus has been that the FTC has implied “ancillary” equitable authority to obtain disgorgement and restitution – and by extension provisional monetary relief such as asset freezes – under Section 13(b). That consensus has now been shattered by the Seventh Circuit in Credit Bureau Center. Two, in reliance on that seemingly bedrock authority, the FTC has made the pursuit of monetary relief in court — and unconditional monetary settlement demands – the centerpiece of its consumer protection enforcement and deterrence strategies.  What inspires fear in FTC targets and brings them to the bargaining table is not a tough injunction or even a ban on involvement with a particular product category or marketing technique, though they certainly aren’t “pleasant” and can cramp a company’s competitiveness and bottom line.  What brings them to their knees is MONEY – the power to force someone to disgorge all their “unjust gains” from an allegedly unfair or deceptive business practice.  The FTC has been cold-bloodedly ruthless and enormously effective in the application of this power, having extracted hundreds of millions of dollars from defendants in just the last few years.

Since the legal justification for that power was repudiated by the Seventh Circuit five months ago, FTC watchers and industry participants have been anxiously waiting to see how the FTC would respond to this potentially existential blow to its enforcement clout.  Would it treat the decision as a “one off” and hope that other circuits would regard it as an outlier and not be persuaded by it?  Or would it seek review by the Supreme Court and, if so, would the Court grant it and reverse the Seventh Circuit? 

After months of speculation, we now know the answer.  Last month, the FTC filed a petition with the Supreme Court asking that it take the case.  This could be a risky gamble by the agency given that the Court is dominated by conservative “textualists” who could be sympathetic to the Seventh Circuit’s faithful adherence to the text of Section 13(b), which provides only for an “injunction” and says nothing about “disgorgement.”  (One is Justice Neil Gorsuch, who at oral argument in a case in which the question of the Securities and Exchange Commission’s authority to obtain disgorgement came up, answered: “Well, here we don’t know, because there’s no statute governing it. We’re just making it up.”) The FTC had a tough strategic call to make and now, having made it, we have to wait and see if the Court accepts the case and, if so, if the call was a smart one.

Credit Bureau Center isn’t the only case pending before the Supreme Court that could have perilous ramifications for the FTC’s monetary authority. The Court is also set to hear oral argument in March in Liu v. SEC, which will resolve whether the SEC can obtain disgorgement under federal securities statutes (the same question Justice Gorsuch was pondering in an earlier SEC case that set up this one). Because the securities statutes at issue in Liu are arguably similar to Section 13(b), the Court’s decision and reasoning in that case could carry persuasive weight on the Section 13(b) issue.  It also, conceivably, could affect its decision whether to grant review in Credit Bureau Center and, if it does, foreshadow its ruling in that case. 

Supreme Court review of the FTC’s monetary authority under Section 13(b) also has been sought by the defendants in the Ninth Circuit case of FTC v. AMG Capital Management, based on a concurring opinion in the decision there which expressed doubt over the existence of that authority.  The Solicitor General, however, acting on behalf of the FTC, has sought a stay of defendants’ review petition, arguing that the question it presents overlaps with the question presented in Liu.  Should the Court decide to take one of the FTC cases, the odds would therefore seem to heavily favor Credit Bureau Center.

As powerful and even invincible as the FTC has felt over the longest time since the courts granted it the authority to seek money under Section 13(b) decades ago, if it is in touch with reality at all, it can’t help but be a little nervous as the fate of that authority, and the immense enforcement power it confers, potentially hangs in the balance in these pending cases before the Supreme Court.  That fate could be known soon.  2020 promises to be an exceptionally important and consequential year for many reasons.  This could be one of them, at least for advertisers and marketers presently and in the future having to tangle with the FTC.

FTCAdLaw’s Rothbard to Speak at Affiliate Summit, Jan. 27, 2020, Las Vegas, NV

William Rothbard and FTCAdLaw are proud to announce that he will be a speaker at Affiliate Summit West at the Paris Las Vegas Hotel on January 27, 2020. The topic of his talk is “California’s Tough New Privacy Law is Here.  Are You Ready?”

Rothbard will hold free consultations with attendees to discuss how he can use his decades of experience in advertising and marketing law to assist them with their legal compliance needs, including FTC regulation, text marketing (TCPA), data privacy (GDPR and CCPA), social influencers, transactions, and more.

To schedule a meeting, contact Rothbard@FTCAdLaw.com.  

T-Minus 30 to California’s New Landmark Privacy Law

On New Year’s Day, the California Consumer Privacy Act of 2018 (“CCPA”) goes into effect.  The strictest privacy law in the country, the CCPA could become the de facto data privacy standard in the United States, which, unlike Europe, with its General Data Privacy Regulation (“GDPR”), has yet to enact a national consumer privacy law. 

Though different from the GDPR in its approach to consumer consent (opt out vs. opt-in), the CCPA is based on the same principles of a consumer’s “right to know” what companies know about them and the “right to be forgotten.” Like Europe, California is seeking to return to its residents some real measure of autonomy and control over the personal information that is collected, used and shared about them on the Internet as they go about their daily digital lives.   

The CCPA gives California consumers four basic rights over their personal information:

1. the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;

2. the right to “opt out” of allowing a business to sell their personal information;

3. the right to have a business delete their personal information; and

4. the right to receive equal service and pricing, even if they exercise their privacy rights.

Businesses must disclose consumers’ rights under the CCPA, including the right to deletion of their personal data; the categories of personal information they collect; the purposes of collection; and the categories of personal information that they sold or disclosed in the preceding 12 months.  Unless they are operating exclusively online, they need to provide at least two methods (including, at a minimum, a toll-free telephone number and website) for consumers to use to request information about their personal data.  The requested information must be provided free of charge within 45 days. 

To make it easy for consumers to prevent the sale of their personal data, the CCPA requires companies to place an opt-out link entitled “Do Not Sell My Personal Information” on their home pages.  For consumers under 16, affirmative “opt in” consent is needed to sell their personal information (for those under 13, consent must come from a parent or guardian).

Businesses cannot “discriminate” against consumers for exercising their privacy rights under the CCPA, meaning they cannot treat them differently in their product offerings and pricing from consumers who don’t exercise their privacy rights.  However, they are allowed to offer financial incentives to consumers for the collection, sale, or deletion of personal information.

The CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in California, and: (a) have annual gross revenues over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices annually; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.  Non-profits, small companies, and/or those that do not earn most of their money from the sale of Californians’ personal data, are thus exempt.

As a practical matter, because so many online companies have California customers, those meeting these jurisdictional thresholds, wherever located, and without any physical presence in California, will be subject to the law.  The CCPA is enforceable by the California Attorney General, with civil penalties of up to $7500 for each intentional violation.  Subject to notice and a cure period, consumers also have the right to enforce it, individually or as a class, and seek damages for mistreatment of their sensitive (i.e., health, financial) personal information or for a business’s failure to implement and maintain reasonable security procedures.

If the CCPA applies to you, are you ready?  Have you updated your privacy policy and practices to be compliant?  If not, you have 30 days left.  To get ready, and thereby reduce the risk of being targeted by the California AG or a class action attorney for violations, consulting appropriate counsel can be helpful.


