Archive by Author

The Surcharge Muddle: NY Ban Law Survives Lawsuit

18 Jan


The legality of surcharging keeps getting more confusing.  Recent reports seem to indicate that New York’s law prohibiting surcharging was overturned.  Unfortunately that overstatement confuses the actual status of the statute.

As you may recall, the card brand rules allow merchants to add a fee on top of the regular price for goods and services, also known as a surcharge, if a consumer pays by credit card.  The rules require merchants to follow certain conditions and requirements if they surcharge credit card transactions. 

But ten states have laws on the books that prohibit surcharges.  Those laws have been contested in court.  Merchants argue that the statutes violate the constitutional First Amendment right to free speech.

In 2013, a court agreed with the merchants and declared the New York surcharge ban law unconstitutional.  The court interpreted the statute to prohibit merchants from calling the price difference a surcharge, while allowing merchants to call it a discount.  Similarly, in 2015 a California court approved an injunction preventing enforcement of California’s surcharge ban.  Other courts have upheld state laws prohibiting surcharges.

This threw the validity of those state surcharge ban laws into disarray.

Ultimately the New York case ended up in the U.S. Supreme Court, which ruled that the New York statute may be unconstitutional as a violation of the First Amendment right to free speech.

The case was remanded back to the Court of Appeals, which then asked a lower court to determine a very specific question:  Does a merchant comply with the New York law if it posts the total dollars and cents price to credit card users?  The lower court ruled in 2018 that yes, a merchant complies with the New York statute so long as the merchant posts the total dollars and cents price charged to credit card users.

Most critically, the court also opined that merchants may describe the difference in price any way they like.  Therefore there is no basis for the merchants’ argument that the statute violates the First Amendment right to free speech.

The merchants saw the writing on the wall.  On January 8, 2019 the merchants and the New York Attorney General asked the court to vacate the lower court decision that found the law unconstitutional, and to dismiss the case.  The merchants are backing away from challenging the New York statute that prohibits surcharges. This means that the New York law prohibiting surcharging stands. 

Here are the takeaways:  1) the recent action clarifies that New York merchants can charge two different prices, one for credit cards and one for cash; 2) the higher price charged to credit card users must be posted in total dollars and cents form; and 3) merchants can call the price differential anything they wish.

As of this writing the case is not quite over, because the court still has to approve the request to vacate the lower court decision (which found New York’s law unconstitutional).

It remains to be seen how this will affect other states’ laws that prohibit surcharging.  There are no clear answers quite yet.  Keep an eye out for further developments.

In the meanwhile, know that most jurisdictions permit surcharging, ten states have statutes on the books that ban it, and the New York law prohibiting surcharging is still enforceable.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

GDPR Applicability to U.S. Merchants, Processors and Acquirers

2 Jan

The EU General Data Privacy Regulation (GDPR) was adopted in 2016 and went into effect on May 25, 2018. The GDPR is a framework regulation that is designed to provide a uniform regime to protect the privacy of an individual of the European Union (“data subject”) whose personal data is collected, stored, or processed.   

At first glance, there would seem to be no need for a merchant, processor, or acquirer operating in the United States to worry about the GDPR.  But the GDPR provides for extra-territorial jurisdiction beyond the EU. There can be significant obligations and penalties imposed on U.S. entities which fail to fully comply with the GDPR if they collect, store, or process personal data of a data subject.  

The GDPR is extremely broad in scope.  Accepting or processing payments may be classified as the collection and processing of personal data under the GDPR. As such, any company involved in processing payments from consumers should take steps to determine whether they or any of their business partners are collecting, storing, or processing personal information of a data subject. 

The good news is that in order for the GDPR to apply to a U.S. entity, there must be an intent to market to an EU resident.

In-person transactions occurring in the U.S. that involve EU residents visiting the U.S. are unlikely to involve the GDPR. However, the application of the GDPR to online activity can be much more treacherous. For example, if a merchant sells goods or services online and markets to residents of the EU (as opposed to merely allowing purchases from residents of the EU), then the GDPR is likely to apply. Similarly, if a merchant maintains a website in the language of an EU country, it is more likely that the GDPR could apply to those online commerce activities. And, since the merchant could be collecting personal data of a data subject, all of the participants in the chain that process or assist with processing a payment transaction could be unintentionally subject to the GDPR.

So, what are some important questions to pose regarding your operations?

If you are a merchant:

  • Do you market to countries in the EU?
  • Do you maintain your website in alternate languages?
  • Do you accept currencies such as the Euro for purchases?
  • Do you allow EU residents to participate in your loyalty and awards programs?

If you are a processor or acquirer:

  • Do you monitor the online activities of your merchants?  If so, do any of your merchants answer “yes” to the above questions?
  • Have you updated your merchant agreements to address GDPR concerns?

Merchants answering “yes” to any of the questions above should seek legal guidance to determine if and to what extent the GDPR may apply to them.

Processors or acquirers that do not monitor the online activities of merchants or that have not updated merchant agreements would be well advised to consult with knowledgeable counsel to ensure that they are not unintentionally subject to the GDPR through the activities of their merchant portfolios.

–Holli Targan, Nicole Meisner, and Daniel Unger,
Attorneys, Jaffe, Raitt, Heuer & Weiss, P.C.

The above is intended as general information only and should not be construed as legal advice or as creating or soliciting an attorney-client relationship. You should consult your attorney for guidance with respect to any particular issue or legal inquiry.

The Third Stark Lesson: ISO Liable Under TSR For All Merchant Fraud Damages

23 Jan

On December 13, 2017, the United States Court of Appeals for the Eleventh Circuit held that an independent sales organization can be held liable for all damages suffered by consumers as a result of a merchant’s violation of the Telemarketing Sales Rule (“TSR”).  The court rejected the ISO’s argument that its liability should be limited to the fees it received from the merchants as a result of the merchants’ processing activities.

We previously reported on this case when the action was first filed by the FTC, back in 2013.  The complaint alleged that Newtek Merchant Solutions, the ISO, and its President, violated the TSR.  The TSR provides that it is a deceptive telemarketing act, and a violation, for a person to provide substantial assistance or support to any telemarketer when that person knows or consciously avoids knowing that the telemarketer is engaged in a deceptive telemarketing act, as defined in the regulation.

Lesson One:  An officer of an ISO may be held personally liable for violations of the TSR.

The FTC maintained that Newtek’s payment processing services enabled the charges on consumers’ card accounts to clear through the card networks, and that without the ISO’s assistance, it would have been impossible for the merchant to charge consumers fees for its deceptive interest rate reduction services.  Further, Newtek allegedly knew that many of the merchants’ accounts were connected to operations that were likely engaged in fraud. The underlying scheme involved the merchants’ promises that they would reduce the interest rates on consumers’ credit cards if they paid between $600 – $1,000 to the merchants.  The scheme generated more than $2.5 million in credit card payments.

According to the Court, “despite several glaring red flags” including an unusually high number of chargebacks, the ISO opened one and then a second merchant account.  In a previous action, the FTC prevailed against the ISO and its President in holding them liable for the fraud perpetrated by the merchants.

Lesson Two:  An ISO may be liable under the TSR for the fraud perpetrated by one of its merchants.  Be careful who you agree to process for.

The issue in the December action was the amount of the damages to be awarded against the ISO.

The Court of Appeals held that “a violation of the TSR’s substantial assistance rule can support joint and several liability to the extent of the unjust gains.”  It rejected the ISO’s argument that damages should be apportioned between the defendants or that the ISO should only be obligated to disgorge the amount of the fees the ISO retained from processing credit card transactions.

Lesson Three:  An ISO may be liable for all damages incurred as a result of its fraudulent merchant.

This opinion appears to be the first of its kind interpreting the liability provisions of the TSR as applied to ISOs.  It is a wake-up call that ISOs must listen to in order to avoid potential exposure far exceeding the amount of processing revenues.


–Holli Targan and Eric Linden, Attorneys and Partners, Jaffe, Raitt, Heuer & Weiss, P.C.

The Supreme Court Weighs in on Merchant Surcharging

30 Mar

On March 29, 2017, the United States Supreme Court issued its long-awaited decision on the litigation surrounding the New York law that prohibits surcharges.  In Expressions Hair Design, et al. v. Schneiderman, Attorney General of New York, et al., the Supreme Court was asked to decide whether a New York law prohibiting merchants from charging credit card users a surcharge above the sticker price was constitutional.  The practical outcome of the Supreme Court decision is that it does not definitively  answer whether the 10 state laws that prohibit surcharges are unconstitutional.  The technical outcome is that the Court remanded, or sent back, the case to the lower court, requiring the lower court to determine whether the law is an unconstitutional violation of the First Amendment.

The Court first reviewed the history of efforts to pass along interchange costs to consumers.  The Court noted that merchant contracts historically barred merchants from charging credit card users higher prices than cash customers, which Congress put a stop to when it passed the Truth In Lending Act.  That law prevented surcharges and it prevented merchants from giving discounts to cash customers.  When Congress allowed the federal surcharge ban to expire, ten states, including New York, enacted their own surcharge bans.

The merchants in the Expressions Hair Design case were five New York businesses who wished to impose surcharges on customers who used credit cards.  As a result, they wanted to advertise their prices by posting a cash price and a price which included a surcharge.

The pivotal issue was whether the surcharge ban regulated conduct, i.e., was a price regulation, rather than speech.  Because the statute told merchants nothing about the amount they were allowed to charge, the Court concluded that the law regulates how sellers communicate their prices, not what they charge.  “In regulating the communication of prices rather than prices themselves, [the New York law] regulates speech.”

The Supreme Court, having determined that the law regulates speech, and not conduct, sent the case back to the lower court to analyze whether it violated the constitutional right to free speech.  The lower court had concluded that the law regulated conduct, and therefore did not analyze that issue.

As you may recall, ten states currently have laws banning surcharges.   Many of these statutes also have been challenged on First Amendment grounds.  In this case and in a parallel Texas case, the federal appellate courts upheld the state statute. In contrast, the Eleventh Circuit struck down Florida’s law governing surcharges.

The Supreme Court decision did not address whether the New York law was constitutional, but it did conclude that the statute regulated speech and had to be analyzed under First Amendment standards.  That decision is binding on other courts.  So, to the extent challenges to similar state statutes were rejected because the court did not think free speech was involved, those decisions will have to be revisited.  The ultimate effect of this decision will depend on whether the case makes its way back to the Supreme Court after the lower court rules again, and how the courts interpret the various state laws that prohibit surcharges.

For now, industry companies should act as though the ten state laws that ban surcharging are still effective.

But stay tuned.

–Eric Linden, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Money Transmitter Regulatory Developments

25 May

The controversy swirling around the application of state money transmitter laws to payments companies just won’t abate. The difficulty stems from state regulators grappling with applying old statutory language to the new world of payments. And it leaves payment companies struggling to keep up with those new interpretations.

Next week the Electronic Transactions Association (ETA) will be facilitating the conversation by hosting a Money Transmitter Policy Day in Washington, D.C. A state regulator and FinCEN representative will speak. I am looking forward to participating by presenting a talk there, on June 2nd, on where things stand in “The Changing Regulatory Landscape”. If you are concerned that the myriad of state money transmitter laws may apply to your business, I hope you will join us.

Historically, the states regulated money transmission companies to protect the “unbanked” – consumers that used non-banks for financial services such as check cashing and wire transfers. The goal was to provide oversight of companies holding consumer money. Regulated companies were required to obtain a state license. The regulated activity typically was defined as selling or issuing stored value or receiving monetary value for transmission. That wording is so broad that it arguably brings within its sweep unintended links in the payments chain, such as independent sales organizations.

Barely a week goes by without another state money transmitter development. Some state legislators are taking a fresh look at their statutes, amending the laws to apply to new technologies, such as virtual currencies. Other states are interpreting existing laws in new ways, focusing the application of the licensing requirements on payment processors. And others are recognizing that the purpose of the money transmitter laws was never to regulate the card processing business. Those regulators are publishing guidance indicating that various arguments support the interpretation that the money transmitter laws do not apply to payment processors.

It will be some time before the issue of the extent to which state money transmitter laws apply to payment processors is settled. A vigilant eye on developments is critical to the payments industry. The policy day organized by the ETA, and panel discussions at other industry conferences, are exactly what is needed to keep the conversation flowing and the industry informed.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

State Operation Choke Point Efforts

15 Apr

Regulatory Alert: State governments are now getting into the Operation Choke Point mode. Over the last few years the Federal Trade Commission and other federal agencies have tried to enforce their laws and regulations by cutting off fraudsters’ access to electronic payments networks. By choking off the flow of funds, the federal government puts the fraudsters out of business. This has come to be known as “Operation Choke Point.” Now state governments are getting into the act.

The most recent example comes from Arizona. The Arizona Attorney General has decided to target processors and acquirers in its attempt to enforce its ban on tobacco sales without state licensure. Relying on an Arizona law which prohibits any person from knowingly providing “substantial assistance” to a person who violates a tobacco product sales ban, the Arizona Attorney General seeks to have processors and acquirers prohibit the completion of any tobacco sales into Arizona by unlicensed merchants. In other words, the Arizona Attorney General, like the FTC before it, wants to turn processors into policemen.

And Arizona’s efforts are paying off. On April 14, 2016, Visa released an announcement advising acquirers that they must take immediate action to ensure that their merchants comply with all applicable laws related to the sale and shipping of cigarettes. Visa advised that acquirers must identify and terminate merchants that engage in illegal online cigarette sales. The Visa bulletin further noted that it is the acquirers’ responsibility to confirm that all transactions introduced into the Visa system by their merchants are legal in both the buyers’ and sellers’ jurisdictions.

To protect the integrity of the payments system, acquirers and ISOs are required to review their merchant portfolios to identify any merchants that sell cigarettes online and then take the following concrete actions:

  • Underwrite the principal owners to validate their eligibility to hold a merchant account;
  • Carefully examine the merchant’s website to make sure they are not engaged in illegal activities, have appropriate shipping restrictions in place, and are not circumventing cigarette tax laws;
  • Use a mystery shopper to confirm compliance;
  • Confirm the merchant is not on the list created under the Prevent All Cigarette Trafficking Act;
  • Recheck the MATCH list; and
  • Terminate merchants that are identified as violating applicable laws.

Visa warns that violations of Visa Rules will result in substantial non-compliance assessments.

We expect that other states and agencies will jump on the bandwagon in the near future and use the payment networks as leverage to put an end to conduct that they may not have a capacity to regulate on their own. Higher scrutiny of merchants engaged in regulated activities prior to on-boarding is well-advised.

–Eric Linden and Holli Targan, Attorneys and Partners, Jaffe, Raitt, Heuer & Weiss, P.C.


Upcoming Events

11 Apr


With so much going on in the electronic payments arena, the gathering next week (April 19 – 21) at TRANSACT16 in Las Vegas at Mandalay Bay is a perfect opportunity to keep up with the latest developments. In the 20 years we have been attending the Electronic Transactions Association’s (ETA) annual meeting, we have found it to be the place where serious business gets done. And Jaffe is honored to be sponsoring three signature events taking place that week.

The first is Payment Facilitator Day on Tuesday, April 19.  The PayFac event will contain a full day of content-rich programming focused solely on the payment facilitator model.  I will be participating on the “What You Should Ask Your Payments Attorney” panel at the meeting.

Second, Jaffe is also sponsoring the SuperLINC, also on Tuesday, April 19, from 1:00 to 4:00.  The topic of the meeting is Diversity in the Workplace.  The discussion, on how diversity has reached the attention of the boardrooms of America, will feature Phyllis James, Chief Diversity Officer of MGM Resorts and Sharon Brogdon, Director of Global Diversity at Intel, and will be moderated by my co-Founder Linda Perry of Linda S. Perry Consulting.  This event is free to TRANSACT16 attendees.

And finally, I’m proud that Jaffe is also a Bronze sponsor of TRANSACT16 itself.  The Firm has been committed to the ETA for years in multiple ways, and our sponsorship reaffirms our dedication to the goals of the organization.

We look forward to seeing you at one or all of these events next week.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

CFPB Strikes New Ground

16 Mar

A few weeks ago the Consumer Financial Protection Bureau (CFPB) struck new ground when it entered into a consent order with online payment platform Dwolla. The CFPB found that Dwolla misrepresented its data security practices and the safety of its system. The CFPB ordered Dwolla to pay a $100,000 penalty and revise its internal practices.

This represents the first time that the CFPB has used its authority to prevent unfair, deceptive or abusive acts against a company’s data security practices. It is remarkable because the action was taken by the CFPB in the absence of any data breach. In other words, the fact that Dwolla’s representations about its security practices were inaccurate was enough to warrant the CFPB action.

The CFPB found that Dwolla falsely represented to its customers that its network was safe and secure, that Dwolla transactions were safer than credit cards, that Dwolla’s data security practices exceed industry standards, and that all information on the Dwolla platform is securely encrypted and stored.

In particular, the CFPB alleged that Dwolla:

  • Failed to adopt appropriate data security policies for the collection and storage of consumer personal information,
  • Failed to conduct adequate, regular risk assessments,
  • Failed to train employees on responsibilities for handling and protecting consumer personal information, and
  • Failed to encrypt consumer personal info, and required consumer information submission in clear text.

Further, Dwolla’s software development of apps was not tested for data security.

Dwolla was ordered to establish data security plans and policies, conduct data security risk assessments twice annually, conduct mandatory employee training on data security policies, develop security patches to fix vulnerabilities, develop customer identity authentication at the registration phase and before effecting a funds transfer, develop procedures to select service providers capable of maintaining security practices, and obtain an annual data security audit.

Two lessons come through loud and clear. First, companies should be very careful about statements made concerning the safety of their systems and their security practices. All representations about such issues need to be validated by management to ensure accuracy. Second, the actions mandated by the CFPB, set forth in the paragraph immediately above, point to a new standard. This indicates the types of actions the CFPB will be looking for. Consider this guidance from the CFPB on security practices that should be adopted.

We recommend that all companies heed the lessons gleaned from the CFPB Dwolla action by: 1) reviewing representations to the public to be sure those representations are entirely accurate, and 2) auditing current practices to confirm compliance with the actions ordered by the CFPB.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Five Critical Issues in a Payments Company Sale

24 Feb

If you are contemplating selling your payments business, there are a few key questions to keep in mind. The sale of merchant acquiring and payments company assets presents concerns that are significantly different than the sale of other businesses.   Below are five important issues to consider.

1.  What do you want to sell?

Selling the company is a very different deal than selling a merchant portfolio. If you sell all or part of a portfolio, you may continue to work under your existing processing agreement. That means minimum deal count or revenue obligations will continue to apply. And a right of first refusal by the processor and non-solicitation clauses may kick in. Further, the buyer may want to convert the merchants to its processing platform. Check to see if your processing agreement permits this.

Selling the entire company will attract a greater multiple, because goodwill and sales rep relationships are also being sold. The buyer may be more interested in the sponsorship relationship itself than in the merchant contracts. If you were savvy enough to obtain a dedicated BIN or have a desirable processor relationship, don’t underestimate the value of that “asset”. A purchase/merger transaction tends to be more involved than a portfolio sale, because there are more assets and contractual relationships to take into consideration.

2.  What will you get in exchange?

The most lucrative deal will give you all the money up front. But more typical is that you will get some cash up front and then the remaining amount of cash at some point in the future. During this lag, the buyer has the right to offset against that future cash payment anything you may owe to the buyer, such as trailing chargeback amounts. Or the future payment may be used to satisfy attrition guarantees. Cash/stock deals are also being struck. Here the seller gets some cash at closing, and also stock in the buyer. You are banking on the fact that the purchaser will increase in value, or you will get the benefit of the buyer’s eventual sale. When receiving stock you become an investor in that company, so insist on obtaining representations and warranties from the buyer to back up the stock you will receive.

3.  What will your role be after the transaction?

The role of the former owners after the sale is often the most negotiated aspect of the deal. Usually the buyer will want key players to stay on for a year or two to transition the relationship with merchants and agents. Your expertise may be an attractive asset. Try to determine early in the process what you are willing to do after the deal has closed.

4.  What kind of guarantees can you live with?

It’s hard to argue that you should not be liable for certain events that occurred prior to the closing date. More difficult is to figure out whether you are willing to owe some of the purchase price back to the buyer if the portfolio experiences attrition or excessive chargebacks. This may depend on the nature of your portfolio: if the portfolio has a low loss rate, you may be okay with this guarantee. If you won’t be able to sleep at night knowing that one large merchant termination or loss will do you in, you should sell the portfolio “as is”, spelling out that you are not guaranteeing the attrition rate or revenue that will be generated from the portfolio.  

5.  Whose consent do you need?

This issue gets glossed over, but it takes the most time to sort out and has the greatest potential to gum up the deal. Look at all of the contracts involved in the business to determine whether you are free to assign a particular agreement to the buyer. ISO or sales representative contracts may require you to buy out the contract or obtain consent. Look at each contract to determine what is required.   Even if you don’t need the contracting party’s consent, you will still need to legally assign some contracts to the purchaser.

These are just a few of the big-picture issues to consider when selling a merchant portfolio or payments business. Every deal has its own peculiarities and stress points. You’ve worked hard to be able to cash in: now take the time to negotiate the deal that maximizes the value of your company.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

State Law Mandates New Merchant Contract Requirements

3 Feb

The payments world is in a constant state of change, and the requirements surrounding clauses that must be included in card processing agreements with merchants are no exception.  Typically, language that must appear in merchant contracts is handed down from the card brands.  To remain compliant with those constantly-evolving requirements, a close eye on card brand rule revisions has been essential.  But now states are getting into the act as well.

Tennessee provides the latest example.  Effective March 1, 2016, Tennessee requires that all merchant agreements disclose certain terms, such as the effective date and term of the contract,  the circumstances surrounding early termination or cancellation, and a complete schedule of all fees applicable to card processing services.  These requirements are benign enough, as the vast majority of commercial contracts already contain those provisions. 

But here comes the sticky part.  In addition to the above, the Tennessee statute requires the payment acquirer to provide monthly statements.  So far so good – everyone provides monthly statements.  However, the law mandates that certain data points be included in each monthly statement, including an itemized list of all fees assessed since the previous statement, the total value of the transactions processed, and, if the acquirer is not a bank, an indication of the “aggregate fee percentage”.  The aggregate fee percentage is calculated by dividing the fees by the total value of processed transactions during the statement period.

The troubling requirement is the last one:  that any non-bank payment acquirer include in monthly statements the fees imposed, calculated as a percentage of the total value of the transactions processed during the statement period.  Currently such a calculation is not determined, so systems will need to be revamped to include that information in statements. 

And a determination will need to be made as to who, exactly, this requirement applies to.  The law says it is imposed on non-bank payment acquirers.  Certainly that includes payment facilitators.  But if both an ISO and a bank are a party to a merchant agreement and provide the statement, does the aggregate fee percentage need to be included in the monthly statement?  It’s not clear.  A conservative interpretation would suggest that if any non-bank is a party to a merchant agreement, the aggregate fee percentage should be disclosed each month.

Interestingly, the remedy for non-compliance with the Tennessee law is limited to an option by the merchant to terminate the contract.  Before the merchant may cancel the agreement, it must give the acquirer 30 days’ notice.  If the non-compliance is cured, then the merchant is not permitted to terminate the agreement.

ISOs, banks, and processors should review the new Tennessee statute to ensure compliance with its provisions.  And now that the payments industry is on the radar of state legislators, card processors will need to monitor state law developments to keep up with shifting obligations. 

–Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss, P.C.
