Reed Smith In-depth

The Bureau’s effort to build its case against ACTIVE Network LLC is the proverbial “camel’s nose under the tent” with respect to the likely approach the Bureau will take against large technology companies as well as any retailer or seller of nonfinancial goods. The complexity of the merchant exemption could distract business leaders and cause them to miss opportunities available under the “covered person” definition. A company or market actor may not be a “covered person” with respect to UDAAP. But the Bureau is interested in unfairness, deception, or abusiveness to consumers that may arise in connection with nonfinancial goods. To the extent that the same entity is also offering a payment product or credit card product, the Bureau can use the Dodd-Frank Act to pry open the door to regulate nonfinancial products on the basis of the ancillary service offerings of the company.

If the strategy used in the ACTIVE Network LLC matter gets good traction in the courts, the Bureau can also use alleged EFTA or other enumerated consumer law violations as a springboard to exert authority over nonfinancial products and services offered by companies, especially when distinct products are offered in a bundled package online or on a mobile device in a single checkout page, or even when they are not.

At its heart, the matter could be better characterized as a sales dispute, not a consumer finance dispute. Nevertheless, the Bureau is utilizing the opacity or obscurity of the two concessions to retailers in the CFPA to surge ahead in its pursuit of merchants and retailers on the basis of the business’s nexus to payment processing, no matter how attenuated the link may be. Ultimately, however, the Bureau’s recent lawsuit may be barred or at least complicated by either the retailers’ exception (from the “covered person definition”) or the merchant exemption (from the limitations of Bureau authority section), as detailed below.

Authors: Le Duong

Tech eye concept

During the same week that much ink had been spilled after the U.S. Court of Appeals for the Fifth Circuit held that the Consumer Financial Protection Bureau’s (CFPB or the Bureau) funding mechanism was unconstitutional, the Bureau commenced an enforcement action on October 18, 2022, with major ramifications for Big Tech, the financial technology (fintech) industry, and all consumer-facing businesses with a subscription-based service component.

The Bureau filed a lawsuit against ACTIVE Network, LLC (ACTIVE) in the U.S. District Court for the Eastern District of Texas, asserting that ACTIVE generated more than $300 million in membership fees via “online trickery” and “digital dark patterns.” It is the most influential case of the year with respect to the Bureau’s priority to sweep the online sales of nonfinancial consumer products within its jurisdictional reach. One of the issues involved is the Dodd-Frank Wall Street Reform and Consumer Protection Act’s obscure merchant exemption, which was and remains one of the Bureau’s most impenetrable exemptions of authority. Yet the enforcement and impact of the Bureau in 2023 depends more pragmatically on the merchant exemption, as opposed to constitutionality debates, given CFPB Director Rohit Chopra’s priorities concerning tech giants, subscription renewals, “rundles” (subscription-based services tying bundles of products together), and e-commerce/payments.

We address in the FAQs below the key issues that Big Tech, retailers, and consumer financial market participants should be aware of given the Bureau’s recent assertions. We will address in a separate article whether or not the Fifth Circuit’s decision is a “nothingburger” (and if so, how and why).

Issue #1: Does payment processing constitute a financial product or service?

As to the Bureau, generally yes, unless the payment processing activity for the consumer in question is done exclusively to carry out the consumer’s payment instruction for the purchase of a nonfinancial good sold by a retailer or merchant to the same consumer. The ACTIVE litigation triggers threshold inquiries concerning both (1) the nature of the Bureau’s authority over consumer financial services, i.e., the “covered person” authority, and (2) the specific conduct for which violations were alleged. The Bureau sued ACTIVE alleging that it engaged in deceptive and abusive acts and practices in violation of the Consumer Financial Protection Act of 2010 (CFPA) (found in title X of the Dodd-Frank Act) by enrolling consumers in ACTIVE Advantage without their knowledge, consent, or a full understanding of the material terms of the transaction. In other words, the conduct at issue was an alleged unfair, deceptive, or abusive acts and practice (UDAAP), as articulated in the CFPA.

The specific enforcement authority, however, of the Bureau to prevent or punish the commission of UDAAP is limited to “covered persons.”1 Under the CFPA, a “covered person” includes, in pertinent part, “any person that engages in offering or providing a consumer financial product or service.”2 A “financial product or service” includes, among other things,

(vii) providing payments or other financial data processing products or services to a consumer by any technological means, including processing or storing financial or banking data for any payment instrument, or through any payments systems or network used for processing payments data, including payments made through an online banking system or mobile telecommunications network, except that a person shall not be deemed to be a covered person with respect to financial data processing solely because the person

(i) is a merchant, retailer, or seller of any nonfinancial good or service who engages in financial data processing by transmitting or storing payments data about a consumer exclusively for purpose of initiating payments instructions by the consumer to pay such person for the purchase of, or to complete a commercial transaction for, such nonfinancial good or service sold directly by such person to the consumer; or

(ii) provides access to a host server to a person for purposes of enabling that person to establish and maintain a website.3

The defendant, ACTIVE, is a wholly owned subsidiary of a publicly traded global payments processor based in Atlanta. A superficial reading of paragraphs 15 to 18 in the Complaint could lead one to conflate ACTIVE’s role with that of its parent. The fact that the defendant resides in the payment processing industry (and may have marketed its payment processing capability when selling its registration software service) is not the Bureau’s ace in the hole. Likewise, the Complaint’s superficial assertion that ACTIVE is engaged in providing “payment processing services” does not, standing alone, confer authority on the Bureau to act.

To the contrary, the authority of the Bureau, if it exists here, is properly assessed on the basis of ACTIVE’s business. The following facts, among others, illuminate the issue.

  • ACTIVE operates a website focused on selling registrations (i.e., tickets) for a panoply of recreational or athletic events like marathons, triathlons, and art camps and provides software to enable the online registration.
  • ACTIVE also sells a membership program called ACTIVE Advantage, a nonfinancial good or service that provides discounts on registration fees and sells additional nonfinancial products (e.g., beer tastings, flowers, travel, sports apparel, etc.).

Based on these facts, it appears that the Bureau’s enforcement action may be barred or at least complicated by the exclusion (for retailers) to the payment processing prong of the definition of covered persons, which we discuss next.

Issue #2: Is the Bureau’s enforcement action barred by the exclusion for retailers within the payment processing prong of the “covered person” definition?

Practically speaking, this depends on how the federal district court judge in Texas rules and whether the parties litigate the issue, but the answer is: probably, yes. There are two steps in our analysis.

First, under the definition of “financial product or service,” ACTIVE’s two business lines – event registrations and the ACTIVE Advantage discount club – appear to trigger the exclusion for merchants in subpart (I) of the definition (quoted above). ACTIVE sells a nonfinancial good or service – event registrations through an online portal to find local events and participate in activities – directly to consumers. ACTIVE engages in the “processing of financial data” (if at all) only to the extent ACTIVE is initiating payment instructions by the consumer to pay for said event registration. Again, ACTIVE sells those items directly to the consumer. Therefore, under the CFPA, ACTIVE may likely not qualify as a provider of a “financial product or service” based on the payment processor definition. In the foregoing analysis, you can switch the words “event registration” for “discount membership club,” and the conclusion would be the same.

Second, in order to satisfy the payment processor prong of “financial product or service,” ACTIVE also must have been acting as a payment processor to begin with. Specifically, under the CFPA, it must have been “processing or storing financial data for any payment instrument” or “providing payments or other financial data processing…services…through any payments system or network used for processing payments data.” While ACTIVE’s parent company meets this criteria, it is dubious that ACTIVE itself was –notwithstanding its marketing – directly engaged in the business of processing financial data through the credit card or ACH network or any applicable network, or directly engaged in processing or storing financial data for payment instruments such as a check, money order, or traveler’s check, or even a stored value card or digital wallet.

Under either step, ACTIVE would not likely satisfy the CFPA’s provision for providing a “financial product or service.” Unless it is a “covered person,” then, on some other basis (which the Complaint does not allege), ACTIVE would fall outside the Bureau’s authority to enforce its UDAAP prohibition.

Issue #3: If ACTIVE Network LLC’s receipt and storage of financial data does not constitute payment processing, what are the implications to industry from the Complaint’s assertions regarding Bureau authority

One could certainly read the Complaint or press release and wish to conclude that ACTIVE met the CFPA’s “financial product or service” criteria for payment processors because it collected payments data through software applications and provided “payments storage services” to event organizers and consumers, as alleged by the Bureau in the Complaint.

This is problematic. By extension, the logical conclusion to this argument would mean that 1.8 million online retailers in the United States would be subject to the CFPB’s authority, regardless of the fact that its authority is restricted to the consumer financial services industry. Leaving aside online retailers, for that matter, any business that sells things online using website software would, per this argument, constitute a “payment processor” simply because the business is “storing” a consumer’s credit card number or other payments information in the course of purchasing the goods. If this is truly the new reality, it is hard to swallow. A big-box store, a bakery, a clothing company, or other business with an online sales channel that accepts credit card payments does not suddenly become a payment processor; the mere fact that they store credit card information to effectuate the sale (of toilet paper, croissants, jeans, or other products) does not mean that they are “providing payments services.” In this regard, the Bureau’s possible position manifested in the ACTIVE matter is troubling.

Nevertheless, let’s assume for argument’s sake that somehow ACTIVE or other online sellers of retail merchandise can be held to have engaged in the processing or storing of financial data for purposes of the CFPA. Is the Bureau free and clear and able to sue such businesses anyway? Not necessarily. The next portion of the “financial product or service” provision contains an explicit exclusion for a merchant’s or retailer’s goods (see our discussion of subpart (I) in Issue #2 above).

The Bureau’s pursuit of ACTIVE (and of similarly situated companies with retail operations) could be wrought with peril given multiple clauses in the CFPA. As to the ultimate outcome, it depends on how the parties decide to litigate the issue and how the court rules, if given a meaningful opportunity to reach the issue.