Risk Profiling Becomes Risky: The CFPB's Choke Point Operation
The Consumer Financial Protection Bureau ("CFPB") recently filed a lawsuit against more than a dozen debt collectors, payment processors and related entities for failing to stop fraudulent collection tactics. The complaint was filed under seal on March 26th and accuses certain Georgia and New York debt collectors of harassing consumers about "phantom" debts.
Of much greater significance, the CFPB sued several payment processors, including worldwide processor Global Payments, Pathfinder Payment Solutions, Frontline Processing Corp. and Electronic Merchant Services, because they "should have known" about the alleged violations. The American Banker refers to this as the CFPB's version of "Operation Choke Point" which has been discussed in the prior Business Advocate posts (A Stripper, An Ambassador, and Gun Dealer Walk Into A Bank ... And No One Can Open An Account, Operation Choke Point -- One Man's Government Investigation Is Another's Government Persecution, Will Operation Choke Point Get A Taste of Its Own Medicine?). Per the Complaint, "The Payment Processors facilitated the Debt Collectors' large scale fraud by enabling the Debt Collectors to accept payment by consumers' bank cards when the Payment Processors knew, or should have known, that the Debt Collectors were engaged in unlawful conduct." As the American Banker properly notes:
To be sure, Operation Choke Point is different in that the Justice Department has targeted banks for not stopping third-party payment processors from making unauthorized ACH withdrawals. And the CFPB has included payment processors in enforcement actions in the past but not to the degree of the larger network named in the new case. In the case filed by the CFPB, the agency instead faults several payment processors for not stopping the fraudulent activities of a handful of debt collectors, even though the processors had monitoring systems in place that the agency claims should have unearthed such illegal activity. Because of that, the CFPB said the "debt collection scheme depended upon the participation of" the payment processors and a telemarketing company.
This Complaint is another example of the CFPB's transmogrifying limited powers into enforcement fiat. In this case, the CFPB is attempting to use internal Know Your Customer and other AML/BSA risk management policies to create obligations to investigate potential violations of the Consumer Financial Protection Act. Like Operation Choke Point and other AML/BSA enforcement actions based upon Ponzi schemes (see The Government Sanctions JPMorgan for Not Catching Madoff: Why All Banks Should Be Worried), this case tells an entire industry that if you work with someone who may be doing something illegal – and you have policies encouraging risk profiling of clients – you can face dire consequences for not ferreting out improper activity.
And, whenever the government throws a red flag, private parties often pick it up and wave it (see for example, "There Is A Reason That RICO is a Four Letter Word"). Many victims of fraud sue financial institutions based upon the CFPB's current theory: had the institution been more vigilant, it would have caught the bad guy and stopped his allegedly abusive/fraudulent practices before they began. In cases against banks, victims attempt to use the BSA/AML requirements to establish common-law duties owed to them and attempt to use these alleged duties to assert negligence, fraud, RICO and/or aiding and abetting claims against the banks. The CFPB's decision to use the same tact will likely be mimicked by creative debtor's counsel in the very near future.