Archive | Payment Facilitator RSS feed for this section

The Supreme Court Weighs in on Merchant Surcharging

30 Mar

On March 29, 2017, the United States Supreme Court issued its long-awaited decision on the litigation surrounding the New York law that prohibits surcharges.  In Expressions Hair Design, et al. v. Schneiderman, Attorney General of New York, et al., the Supreme Court was asked to decide whether a New York law prohibiting merchants from charging credit card users a surcharge above the sticker price was constitutional.  The practical outcome of the Supreme Court decision is that it does not definitively  answer whether the 10 state laws that prohibit surcharges are unconstitutional.  The technical outcome is that the Court remanded, or sent back, the case to the lower court, requiring the lower court to determine whether the law is an unconstitutional violation of the First Amendment.

The Court first reviewed the history of efforts to pass along interchange costs to consumers.  The Court noted that merchant contracts historically barred merchants from charging credit card users higher prices than cash customers, which Congress put a stop to when it passed the Truth In Lending Act.  That law prevented surcharges and it prevented merchants from giving discounts to cash customers.  When Congress allowed the federal surcharge ban to expire, ten states, including New York, enacted their own surcharge bans.

The merchants in the Expressions Hair Design case were five New York businesses who wished to impose surcharges on customers who used credit cards.  As a result, they wanted to advertise their prices by posting a cash price and a price which included a surcharge.

The pivotal issue was whether the surcharge ban regulated conduct, i.e., was a price regulation, rather than speech.  Because the statute told merchants nothing about the amount they were allowed to charge, the Court concluded that the law regulates how sellers communicate their prices, not what they charge.  “In regulating the communication of prices rather than prices themselves, [the New York law] regulates speech.”

The Supreme Court, having determined that the law regulates speech, and not conduct, sent the case back to the lower court to analyze whether it violated the constitutional right to free speech.  The lower court had concluded that the law regulated conduct, and therefore did not analyze that issue.

As you may recall, ten states currently have laws banning surcharges.   Many of these statutes also have been challenged on First Amendment grounds.  In this case and in a parallel Texas case, the federal appellate courts upheld the state statute. In contrast, the Eleventh Circuit struck down Florida’s law governing surcharges.

The Supreme Court decision did not address whether the New York law was constitutional, but it did conclude that the statute regulated speech and had to be analyzed under First Amendment standards.  That decision is binding on other courts.  So, to the extent challenges to similar state statutes were rejected because the court did not think free speech was involved, those decisions will have to be revisited.  The ultimate effect of this decision will depend on whether the case makes its way back to the Supreme Court after the lower court rules again, and how the courts interpret the various state laws that prohibit surcharges.

For now, industry companies should act as though the ten state laws that ban surcharging are still effective.

But stay tuned.

–Eric Linden, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com

Cyber Insurance Shortfalls

20 Feb

If you store cardholder data, transaction information, or other personally identifiable information you may want to revisit your cyber insurance policy to verify the extent of your coverage.  A court recently found that the cyber insurance policy held by P.F. Chang’s did not cover many losses suffered in P.F. Chang’s data breach.  Based on the court’s findings in this decision and given the structure of the payments industry, many cyber insurance policies will not provide processors, ISOs, or payment facilitators with coverage against fees, fines, and assessments issued by the card brands.
 
On June 10, 2014, P.F. Chang’s learned that hackers had obtained approximately 60,000 credit card numbers belonging to its customers.  P.F. Chang’s turned to its cyber insurance policy to cover the costs of the data breach.  The policy had been advertised as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
 
Under the cyber insurance policy, P.F. Chang’s was reimbursed for approximately $1.7 million for the cost of an investigation and defending litigation.  However, the insurance company denied coverage of three assessments by MasterCard: a Fraud Recovery Assessment of $1,716,798.85; an Operational Reimbursement Assessment of $163,122.72; and a Case Management Fee of $50,000.  These assessments were technically received by Bank of America, and not by P.F. Chang’s.  P.F. Chang’s used Bank of America Merchant Services (“BAMS”) for its payment processing services.  The assessments were contractually passed through to P.F. Chang’s under its merchant agreement with Bank of America.  P.F. Chang’s filed a lawsuit seeking to recover the amount of the MasterCard assessment.
 
In its opinion, the court sided with the insurance company.  The court found that the Fraud Recovery Assessment was not covered because: P.F. Chang’s received the assessment from BAMS pursuant to its merchant agreement; BAMS did not suffer any privacy injury (as it was the issuing bank’s records that were breached rather than the acquiring bank’s records); and the policy only covered claims brought by those persons whose records were accessed without authorization.
 
In addition, the court found that all three MasterCard assessments were excluded from P.F. Chang’s coverage.  The policy excluded any liability contractually assumed, an exclusion commonly found in insurance contracts.  This exclusion means that any loss incurred by P.F. Chang’s as the result of a contractual relationship (in this case as a result of its merchant agreement with BAMS) would not be covered.
 
Processors, ISOs, and payment facilitators are typically liable for card brand assessments incurred by their sponsor financial institution under their sponsorship agreement.  If you suffer a breach, you may incur card brand assessments.  If one of your merchants suffers a breach, and the merchant isn’t able to pay the related assessments from the card brands, you will likely be liable for the assessment.  Would your cyber insurance policy cover such expenses?  It would be worth your time to check on your insurance coverage and, if appropriate, work with your broker to adjust your insurance policy accordingly.
 
– James Kramer, Attorney, Jaffe Raitt Heuer & Weiss, P.C.

James Kramer

James Kramer

James is a member of the firm's Electronic Payment Group, Corporate Group and Business Transactions Group. James counsels clients on contractual, regulatory, and compliance matters as well as on purchases, sales, mergers, and acquisitions. He routinely advises and negotiates on behalf of financial institutions and entities in the electronic payments industry.

jkramer@jaffelaw.com

Money Transmitter Regulatory Developments

25 May

The controversy swirling around the application of state money transmitter laws to payments companies just won’t abate. The difficulty stems from state regulators grappling with applying old statutory language to the new world of payments. And it leaves payment companies struggling to keep up with those new interpretations.

Next week the Electronic Transactions Association (ETA) will be facilitating the conversation by hosting a Money Transmitter Policy Day in Washington, D.C. A state regulator and FinCEN representative will speak. I am looking forward to participating by presenting a talk there, on June 2nd, on where things stand in “The Changing Regulatory Landscape”. If you are concerned that the myriad of state money transmitter laws may apply to your business, I hope you will join us.

Historically, the states regulated money transmission companies to protect the “unbanked” – consumers that used non-banks for financial services such as check cashing and wire transfers. The goal was to provide oversight of companies holding consumer money. Regulated companies were required to obtain a state license. The regulated activity typically was defined as selling or issuing stored value or receiving monetary value for transmission. That wording is so broad that it arguably brings within its sweep unintended links in the payments chain, such as independent sales organizations.

Barely a week goes by without another state money transmitter development. Some state legislators are taking a fresh look at their statutes, amending the laws to apply to new technologies, such as virtual currencies. Other states are interpreting existing laws in new ways, focusing the application of the licensing requirements on payment processors. And others are recognizing that the purpose of the money transmitter laws was never to regulate the card processing business. Those regulators are publishing guidance indicating that various arguments support the interpretation that the money transmitter laws do not apply to payment processors.

It will be some time before the issue of the extent to which state money transmitter laws apply to payment processors is settled. A vigilant eye on developments is critical to the payments industry. The policy day organized by the ETA, and panel discussions at other industry conferences, is exactly what is needed to keep the conversation flowing and the industry informed.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com

Upcoming Events

11 Apr

 

With so much going on in the electronic payments arena, the gathering next week (April 19 – 21) at TRANSACT16 in Las Vegas at Mandalay Bay is a perfect opportunity to keep up with the latest developments. In the 20 years we have been attending the Electronic Transactions Association’s (ETA) annual meeting, we have found it to be the place where serious business gets done. And Jaffe is honored to be sponsoring three signature events taking place that week.

The first is Payment Facilitator Day on Tuesday, April 19.  The PayFac event will contain a full day of content-rich programming focused solely on the payment facilitator model.  I will be participating on the “What You Should Ask Your Payments Attorney” panel at the meeting.  For more information, click here.

Second, Jaffe is also sponsoring the W.net SuperLINC, also on Tuesday, April 19, from 1:00 to 4:00.  The topic of the meeting is Diversity in the Workplace.  The discussion, on how diversity has reached the attention of the boardrooms of America, will feature Phyllis James, Chief Diversity Officer of MGM Resorts and Sharon Brogdon, Director of Global Diversity at Intel, and will be moderated by my W.net co-Founder Linda Perry of Linda S. Perry Consulting.  This event is free to TRANSACT16 attendees.  To register, click here.

And finally, I’m proud that Jaffe is also a Bronze sponsor of TRANSACT16 itself.  The Firm has been committed to the ETA for years in multiple ways, and our sponsorship reaffirms our dedication to the goals of the organization.

We look forward to seeing you at one or all of these events next week.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com

New Nebraska ATM Interchange Law

1 Apr

Beginning April 1, 2016, a new Nebraska law goes into effect that makes it easier for Nebraska financial institutions to vary ATM fees based on the interchange rates charged by their switches. This ends the moratorium that has been in place since May 2015, when amendments to Nebraska’s ATM law went into effect.

Under the Nebraska Banking Act, ATMs in the state must be available on a “nondiscriminating basis,” meaning that ATM usage fees must be the same for cardholders of all Nebraska-based accounts. In September 2014, four Nebraska banks filed a lawsuit against Metro Health Services FCU, an Omaha-based credit union, alleging discrimination in ATM usage fees in violation of state law. Metro FCU defended the lawsuit by arguing that the different rates charged to customers were not for its own fees but instead were “switch fees” set by the switches that route ATM transactions between financial institutions. In May 2015, the Nebraska legislature amended the law to clarify when financial institutions are permitted to vary ATM fees charged to other Nebraska financial institutions. An important piece of that law that allows financial institutions to implement the new changes takes effect April 1, 2016.

The new law provides that each switch must have a uniform interchange rate that it charges for all Nebraska-based financial institutions for essentially the same service, but each switch may decide its own rate. The financial institution that establishes or sponsors an ATM may contract with multiple switches for routing ATM transactions, and a new provision provides that it is not considered a discriminatory practice for the financial institution to charge different ATM usage fees based on which switch handles the transaction, if the switches’ fees differ from one another.

In addition, the law now excludes surcharge-free networks among affiliate institutions from the anti-discrimination requirements, so a financial institution may charge one rate for surcharge transactions and a different rate for surcharge-free transactions (even if routed over the same switch). If an ATM offers different transaction services from other ATMs, then differences in usages fees would also not constitute unlawful discrimination.

The law set a moratorium on changes to ATM usage fees and new agreements until April 1, 2016, with existing contracts still subject to the old law. Beginning on April 1, 2016, ATM-sponsoring financial institutions and switches can once again sign new customers and modify existing contracts. All new (or newly amended) contracts made after this date must be in compliance with the new law. While existing contracts are temporarily grandfathered in under the old law, beginning November 1, 2016, all ATM usage must comply with the new provisions, so even existing contracts will need to be modified if they do not currently comply.

This law does not affect fees charged to customers of financial institutions outside of Nebraska, or fees charged by financial institutions outside of Nebraska.

The new law makes it easier for Nebraska financial institutions to vary ATM fees based on the interchange rates charged by their switches. Now that financial institutions and switches can resume contracting for ATM services, it is important to ensure that new contracts comply with the law’s new provisions.

—Daniel Ungar, Attorney, Jaffe Raitt Heuer & Weiss, P.C.

Daniel Ungar

Daniel Ungar

Daniel M. Ungar is a member of the Firm's Electronic Payments and Corporate Practice Groups. His practice is in corporate, commercial, and intellectual property matters, including business contracts, technology licensing, M&A, and startup/emerging companies matters such as entity formation and venture financing. Daniel is a former patent examiner and holds an advance computer science degree from Johns Hopkins University and a J.D. from Harvard Law School.

dungar@jaffelaw.com

CFPB Strikes New Ground

16 Mar

A few weeks ago the Consumer Financial Protection Bureau (CFPB) struck new ground when it entered into a consent order with online payment platform Dwolla. The CFPB found that Dwolla misrepresented its data security practices and the safety of its system. The CFPB ordered Dwolla to pay a $100,000 penalty and revise its internal practices.

This represents the first time that the CFPB has used its authority to prevent unfair, deceptive or abusive acts against a company’s data security practices. It is remarkable because the action was taken by the CFPB in the absence of any data breach. In other words, the fact that Dwolla’s representations about its security practices were inaccurate was enough to warrant the CFPB action.

The CFPB found that Dwolla falsely represented to its customers that its network was safe and secure, that Dwolla transactions were safer than credit cards, that Dwolla’s data security practices exceed industry standards, and that all information on the Dwolla platform is securely encrypted and stored.

In particular, the CFPB alleged that Dwolla:

  • Failed to adopt appropriate data security policies for the collection and storage of consumer personal information,
  • Failed to conduct adequate, regular risk assessments,
  • Failed to train employees on responsibilities for handling and protecting consumer personal information, and
  • Failed to encrypt consumer personal info, and required consumer information submission in clear text.

Further, Dwolla’s software development of apps was not tested for data security.

Dwolla was ordered to establish data security plans and policies, conduct data security risk assessments twice annually, conduct mandatory employee training on data security policies, develop security patches to fix vulnerabilities, develop customer identity authentication at the registration phase and before effecting a funds transfer, develop procedures to select service providers capable of maintaining security practices, and obtain an annual data security audit.

Two lessons come through loud and clear. First, companies should be very careful about statements made concerning the safety of its system and its security practices. All representations about such issues need to be validated by management to ensure accuracy. Second, the actions mandated by the CFPB, set forth in the paragraph immediately above, point to a new standard. This indicates the types of actions the CFPB will be looking for. Consider this guidance from the CFPB on security practices that should be adopted.

We recommend that all companies heed the lessons gleaned from the CFPB Dwolla action by: 1) reviewing representations to the public to be sure those representations are entirely accurate, and 2) auditing current practices to confirm compliance with the actions ordered by the CFPB.

–Holli Targan, Attorney and Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com

State Law Mandates New Merchant Contract Requirements

3 Feb

The payments world is in a constant state of change, and the requirements surrounding clauses that must be included in card processing agreements with merchants are no exception.  Typically, language that must appear in merchant contracts is handed down from the card brands.  To remain compliant with those constantly-evolving requirements a close eye on card brand rule revisions has been essential.  But now states are getting into the act as well.     

Tennessee provides the latest example.  Effective March 1, 2016, Tennessee requires that all merchant agreements disclose certain terms, such as the effective date and term of the contract,  the circumstances surrounding early termination or cancellation, and a complete schedule of all fees applicable to card processing services.  These requirements are benign enough, as the vast majority of commercial contracts already contain those provisions. 

But here comes the sticky part.  In addition to the above, the Tennessee statute requires the payment acquirer to provide monthly statements.  So far so good – everyone provides monthly statements.  However, the law mandates that certain data points be included in each monthly statement, including an itemized list of all fees assessed since the previous statement, the total value of the transactions processed, and, if the acquirer is not a bank, an indication of the “aggregate fee percentage”.  The aggregate fee percentage is calculated by dividing the fees by the total value of processed transactions during the statement period.

The troubling requirement is the last one:  that any non-bank payment acquirer include in monthly statements the fees imposed, calculated as a percentage of the total value of the transactions processed during the statement period.  Currently such a calculation is not determined, so systems will need to be revamped to include that information in statements. 

And a determination will need to be made as to who, exactly, this requirement applies to.  The law says it is imposed on non-bank payment acquirers.  Certainly that includes payment facilitators.  But if both an ISO and a bank are a party to a merchant agreement and provide the statement, does the aggregate fee percentage need to be included in the monthly statement?  It’s not clear.  A conservative interpretation would suggest that if any non-bank is a party to a merchant agreement, the aggregate fee percentage should be disclosed each month.

Interestingly, the remedy for non-compliance with the Tennessee law is limited to an option by the merchant to terminate the contract.  Before the merchant may cancel the agreement, it must give the acquirer 30 days’ notice.  If the non-compliance is cured, then the merchant is not permitted to terminate the agreement.

ISOs, banks, and processors should review the new Tennessee statute to ensure compliance with its provisions.  And now that the payments industry is on the radar of state legislators, card processors will need to monitor state law developments to keep up with shifting obligations. 

–Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

Holli Targan

Attorney & Partner

htargan@jaffelaw.com