The Enforcement
The enforcement against Intercept, announced earlier this summer, was in response to what the CFPB claims is a violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act’s prohibition of unfair acts and practices. The CFPB particularly takes issue with Intercept’s turning of a blind eye to the numerous red flags indicating their clients were perpetuating fraud, but also that Intercept leadership took an active role in the unlawful conduct by giving their clients access to the banking systems so that they could pull money from consumer bank accounts.
The Details
Intercept is a third-party payment processor, and provides ACH payments for its clients, meaning it gets access to consumers’ bank accounts in order to facilitate transactions for its clients (payday lenders, auto title lenders and debt collectors, among others) without using paper checks.
A typical transaction for Intercept would be initiated by the client who instructs Intercept to withdraw a payment, telling them which borrower, the bank account and the amount of the payment. The borrower’s bank (the RDFI or Receiving Depository Financial Institution) then remits the payment to Intercept’s bank (the ODFI, or Originating Depository Financial Institution), where they then transfer the money to their client.
Industry rules place responsibility on third-party processors ike Intercept to monitor its clients’ return rates and any other suspicious activity in an effort to prevent fraud across the ACH network.
Ignoring the Problem
According to the CFPB’s complaint, Intercept should have caught wind of potential issues with the merchants very early on during their own due diligence process, which the CFPB deemed minimal, but adequate enough that it revealed problems that shouldn’t have been ignored.
Once they began processing for the clients though, the red flags became more and more prominent. ODFIs, or the banks Intercept was using for their own funds, sent repeated warnings to the company about their clients’ business activities, or that the debits were not authorized by consumers. The ODFIs reported discrepancies between dates, discrepancies in amounts debited vs what was authorized, and high return rates. In some cases the ODFI would terminate its relationship with Intercept altogether, but Intercept would just find a new financial institution. Between 2008 and 2014, Intercept had relationships with eight different financial institutions, sometimes using three different institutions at the same time.
The CFPB specifically cites an instance where Intercept signed up with an ODFI for a trial for a limited number of transactions, and instead ran millions of dollars in ACH debits through the ODFI, which generated huge volumes of disputes and returns. When these issues were reported to Intercept, the defendants ignored the warnings and just told the ODFI that they were working on transferring those clients to a different financial institution.
In 2012, the overall return rate for payment processors was around 1.5%; Intercept’s during that time period was as high as 21%. Some of its individual clients had monthly return rates as high as 70% or 80%.
What This Means
A legal alert from Sutherland called this enforcement “another warning shot for processors to be aware of their merchants’ activities.” They cite a 2015 enforcement against a processor for similar issues, but with credit and debit payments.
Based on the number of consumer complaints, warnings and complaints from bank partners, high rate of return transactions and legal enforcement against the merchants themselves, Intercept either should have known, or consciously avoided knowing that their clients were engaged in illegal activity.
According to CFPB director Richard Cordray, “Companies cannot turn a blind eye to wrongdoing when they process payments from consumer banking accounts on behalf of clients that are breaking the law,” and this recent enforcement certainly reinforces that ruling.
To learn more about the state of payment fraud in 2016 and how to best protect consumers, check out Rippleshot’s white paper below: