As the fintech industry has evolved over the past decade, the Federal Trade Commission has proved to be among the industry’s most active regulators. Acting through a multi-member, bipartisan structure, the agency enforces not only the broad prohibition on unfair and deceptive acts and practices, but also a range of proscriptive laws, including ECOA, TILA, and the FCRA, among many others. As a result, the FTC has broad experience in the fintech space, dealing with issues related to lead generation, B2B payments, digital assets and payment processors (again, among many others). Companies should expect increased scrutiny with Lina Khan now leading the FTC as its Chair, given her ambitious rulemaking and enforcement agenda.  Some of her appeared to have stalled for several months due to a democratic vacancy on the FTC, leaving the FTC with a 2-2 democrat-republican split. But with the confirmation of the third democratic commissioner, Alvaro Bedoya, Chair Khan now should have a voting majority to pursue her agenda. In this article, Christopher Leach, a partner with Mayer Brown and a former attorney with the Federal Trade Commission, explains the FTC’s enforcement trends for in the fintech space and where Chair Khan may take the agency during her term.

By Christopher B. Leach[1]

 

When fintech lawyers think through the list of relevant regulators, what comes to mind? Within the alphabet soup of federal regulators — SEC, CFPB, FinCEN, and so on — companies sometimes have overlooked the Federal Trade Commission (“FTC”), to their peril. With more than 100 years of experience enforcing antitrust and consumer protection laws, the FTC has been an active player in the fintech space on a range of issues, using the agency’s entire toolkit.

The FTC’s importance shifted up a notch with the appointment of Lina Khan as Chair of the agency. After making a name for herself with high-profile criticisms of tech platforms, Chair Khan has big plans for the FTC, including on issues related to fair lending, data privacy, information security, and focusing enforcement on the largest players in the market. Her progress had stalled in recent months while she awaited the confirmation of a third Democratic vote on the FTC. But with the third Commissioner now confirmed, companies should brace themselves for aggressive enforcement and new regulations.

 

I. REMIND ME, WHAT IS THE FTC?

For readers unfamiliar, the FTC is run collectively by 5 commissioners — traditionally two Democrats, two Republicans, and a chair appointed by the President. The Commission has two core mandates — consumer protection and competition — which are separated into distinct bureaus. Although under Chair Khan the agency has said the agency would take a more “interdisciplinary” approach and work across bureaus, investigations remain fairly siloed.

The FTC’s primarily statutory tool is Section 5 of the FTC Act, which prohibits unfair and deceptive acts and practices in commerce (“UDAP” in compliance speak). To prove deception, the FTC must show that the company made a statement that was likely to mislead a reasonable person about a material fact. And to prove that a practice is unfair, the FTC must show that the practice did or was likely to cause substantial injury to consumers, that was not reasonably avoidable, and where the harm is not outweighed by countervailing benefits. Notably, the FTC Act doesn’t require proof that any customers actually were deceived, or that any practice actually caused injury.

The FTC Act isn’t the only statute that the FTC enforces relevant to fintechs. Among others, the agency enforces fair lending rules under the Equal Credit Opportunity Act, the disclosure requirements under the Truth in Lending Act, credit reporting issues under the Fair Credit Reporting Act, privacy and security under the Gramm Leach Bliley Act, and subscription rules under the Restore Online Shoppers’ Confidence Act.

The FTC’s authorizing statute provides some jurisdictional quirks relevant to a fintech firm. The FTC Act exempts banks from the FTC’s jurisdiction; while the FTC can subpoena a bank for records, a bank cannot be the subject of an FTC enforcement action. But be careful, because that limitation does not apply to any non-bank entity that may work with a bank, for example non-bank fintechs that may offer Banking as a Service, or lead generators that may connect banks with prospective customers. The FTC also takes the view that “consumers” it can protect include small businesses (absent statutory definitions to the contrary), such that companies offering B2B solutions regularly are the subjects of FTC actions.

 

II. HOW DOES THE FTC USE THESE POWERS IN THE FINTECH SPACE?

Over the past decade, the agency has built up experience in a number of areas relevant to fintechs. Below are just a few:

  • Lead generation. The FTC has long been interested in lead generators — the companies that acquire consumer information to provide leads on possible sales to other companies, including fintech lenders and other providers. Cases involving these entities often involve misrepresentations related to sharing data in ways that are at odds with representations to consumers when obtaining their consent. For example, the FTC has brought actions in which the lead generator told consumers that it would use the data only to connect consumers with lenders, but then used the data for other activities, including marketing. Similarly, the FTC looks skeptically at lead generators who represent that they connect consumers with “the best” lenders (think the “top 10” rankings) but that really connect with lenders who generate the most revenue for the lead generator. And liability has not ended with the client-facing lead generators themselves: the FTC also has brought cases against the companies and lenders that have purchased the leads, on the theory that the lead generators were acting as their agents.
  • Unauthorized fees. One of the FTC’s bread-and-butter actions involve unauthorized fees. These cases can run the gamut, from boiler-room frauds stealing from consumers, to cases where the agency alleges that companies hid fees or failed to disclose fees adequately. Cases against fintechs have generally fallen into the latter category, with the primary takeaway being that the FTC has looked with great skepticism on fees disclosed only in terms and conditions, even if those practice would be sufficient to obligate customers under state-law contract principles.
  • Access to funds. In cases as diverse as payments and neobanks, the FTC has brought cases where companies did not provide consumers with access to funds in a timely manner. These cases often are difficult for the FTC. While consumers frequently complain of transfer or withdrawal delays, there are not general rules regarding how long companies have to effect those transfers. For that reason, the FTC often has built these cases on deception theories — that the company promised transfers in a certain timeline, but did not deliver. For example, one payments company was sued because its promise of overnight access did not account for the company’s KYC and other processes that might slow down transfers from in-app funds to a regular bank account.
  • Gig economy. Like many regulators, the FTC is interested in companies in the gig economy. Because these companies operate in a two-sided market, issues can arise both from consumers who purchase goods or services, and also from the individuals who work using those platforms. Focusing on the platform users here, the FTC has brought a number of actions alleging that companies made deceptive earnings claims in advertising designed to recruit new users. Although these actions often are brought under Section 5 of the FTC Act directly, the FTC recently initiated a rulemaking on deceptive earnings claims, targeting the gig economy specifically. While in its early stages, the rulemaking appears poised to codify the FTC’s existing practice, and possibly to provide specific guardrails regarding certain claims such as when companies use the word “up to” to qualify representations.
  • As part of the Restore Online Shoppers’ Confidence Act, the FTC has authority to sue companies that take customer money through “negative option” products sold over the internet. In English, a “negative option” is nothing more than a recurring subscription, in which the consumer’s inaction is taken as consent to continue charging the consumer until the consumer affirmatively cancels the subscription. The rules are straightforward: companies must disclose all material information prior to obtaining customers’ billing information and provide an easy means of cancellation. But the FTC has focused on this statute — releasing an enforcement statement related to negative option marketing—in part because it authorizes the agency to collect civil penalties for first-time violators.
  • B2B lending & payments. As indicated above, the FTC places pride in protecting small businesses, and has brought a number of actions against companies that provide credit to small businesses. For example, in 2020, the agency brought a pair of actions against companies that offer Merchant Cash Advances — a small business lending product structured as a purchase of future receivables, and thus often not subject to state laws governing credit, such as licensing and usury restrictions.
  • Digital assets. The agency also has an important role in the digital asset space, most recently identified in President Biden’s executive order on digital assets as a key agency related to consumer protection. Although the FTC does not take a side in the big regulatory disputes — g.“is it a security” — the agency has taken action publicly against companies involved in cryptocurrency. For example, the FTC sued a company operating a pyramid scheme that was offering the “potential” to make substantial sums in bitcoin, but the company’s structure ensured that few ever made those amounts. Outside of the scam space, the agency has brought cases against companies that offer services adjacent to digital asset transactions, including a case against a company that sold bitcoin mining equipment for delays in sending equipment.
  • Payment processors. While many of the same lessons above apply to companies that process payments, companies in this area also have been the subject of liability where they facilitate scams by processing payments between victims and perpetrators. These cases often are charged either as “unfair” practices under Section 5 of the FTC Act or, if the scams involved telemarketing, providing substantial assistance to violators under the Telemarketing Sales Rule. These cases are not based on strict liability. Rather, they generally require knowledge or conscious avoidance of knowledge by, for example, ignoring red flags.

 

III. SO, WHAT CAN THE FTC DO WHEN A COMPANY BREAKS THE LAW?

As a civil law enforcement entity, nobody will go to jail (although the agency regularly refers fraud cases to the Department of Justice for prosecution). The agency’s primary tool for first-time offenders is conduct relief, either via a cease-and-desist order issued by the Commission through its administrative process, or via an injunction issued by a federal court. The provisions can range from the banal — a “sin no more” order prohibiting the company from violating the law in the same way again — to industry bans and material limitations on business practices. In recent years, the agency has been more creative in crafting injunctive relief, for example by requiring companies that have unlawfully collected user information to delete all the information and any algorithms that relied on that data, or by requiring multi-year cybersecurity audits if the violation involved inadequate or deceptive data security.

Notably, the FTC can sue not only the company, but also individuals who knew of the violation and had authority to control the conduct. This sort of liability is more obviously appropriate in smaller companies and boiler room operations where the owner also was actively engaged in a fraud. But the FTC also has brought cases against officers of large corporations, with Republican Commissioners often dissenting on that point.

Monetary sanctions are the agency’s other tool, but this part is in flux. For the past four decades, the FTC relied on favorable court interpretations holding that Section 13(b) of the FTC Act — which allows the FTC to seek “injunctions” against UDAPs under Section 5 of the FTC Act — also allows courts to order companies to pay restitution. The Supreme Court rejected this practice unanimously in AMG Capital Management v. FTC, issued in April 2021. That decision left the FTC scrambling to find other ways to force companies to pay money in connection with enforcement actions. The agency retains a number of traditional ways to obtain monetary relief, including by enforcing laws that expressly authorize civil penalties or other monetary relief, or by enforcing rules that the FTC itself writes.

The agency also has attempted to stretch its existing authorities in questionable ways to obtain money from companies. For example, it recently succeeded in its first use of a broader application of Section 521(a) of the Gramm-Leach-Bliley Act, which authorizes the FTC to obtain money penalties. Originally understood to prohibit scammers from obtaining financial information under a false pretext, the FTC used the statute to allege a violation simply by dint of a misrepresentation in the course of a transaction where a consumer presents payment information. And then there are settlements where the FTC seems not to have any theory for money penalties, but nonetheless has convinced the target to pay as part of the resolution, even if a court could not order the relief.

 

IV. WHAT SHOULD FINTECHS EXPECT FROM THE FTC?

For the past few months, the agency largely has not been executing on Chair Khan’s agenda.  From October 2021 until just this month (May 2021), the agency was operating only with 2 Democrats and 2 Republicans — Rohit Chopra’s seat has been vacant since he left the FTC to lead the Consumer Financial Protection Bureau. For the months of the 2-2 commission, Chair Khan has not been able to push through her aggressive agenda. But that is set to change soon. Alvaro Bedoya, President Biden’s pick to fill the third Democrat seat — whose nomination had stalled in the Senate Commerce Committee — was confirmed by the Senate on May 11, 2022 on a 51-50 vote (with Vice President Harris breaking the tie).

Now that Chair Khan has her voting majority, the fintech world should expect a number of changes that might affect their businesses. Based on her priorities and actions to date, here are three of the most prominent spaces to watch.

  • Fair lending enforcement. Chair Khan has said that one of the FTC’s priorities is to increase enforcement against practices that harm “marginalized communities,” which of course includes fair lending issues. For companies that offer credit to consumers, that obviously means that the Equal Credit Opportunity Act may be in play in every investigation. But she also suggested expanding further. She and the other Democratic Commissioner issued a separate statement in an auto-lending settlement explaining that they also would have supported a count alleging that discriminatory conduct also should be pleaded as an “unfair” practice in violation of Section 5 of the FTC Act.

The effect of adopting such a theory of liability could be to expand dramatically the FTC’s role in enforcing anti-discrimination laws or even potentially creating an “ability to repay” requirement. Whereas the Equal Credit Opportunity Act applies only to credit transactions, Section 5 of the FTC Act applies broadly to “commerce.” The views from this joint statement come days after the Consumer Financial Protection Bureau similarly announced that it would interpret its own “unfairness” authority under the Dodd-Frank Act to prohibit discrimination outside of the credit context, unmoored from specific anti-discrimination statutes. Whether that theory holds up in court remains to be seen. But expect that there will soon be three democratic votes to transform the FTC into a main anti-discrimination enforcer.

  • Privacy rulemaking. In December 2021 the agency announced that it might initiate a rulemaking starting in February 2022 on cybersecurity, data privacy, and algorithmic bias. But with only two Democratic commissioners to support the rule, that deadline has come and gone with no action. The rule’s provision are not yet clear. If the agency follows the precedent from its other recent proposed rulemakings, this privacy rule likely will aim to codify the legal theories FTC has employed in prior enforcement actions. These certainly would include prohibitions on misrepresentations regarding cybersecurity protections or data collection/sharing practices, among many others. And in speeches, both Chair Khan and Sam Levine, the FTC’s Director of the Bureau of Consumer Protection, have flagged their concern with the standard notice-and-consent process widely used in the market.

The rule itself likely will not be final for some time. FTC rulemaking is more involved than the notice-and-comment process under the Administrative Procedure Act. In addition to a proposed and final rule, the FTC must issue an advanced notice of proposed rulemaking, prove that the practices at issue are “prevalent,” and hold a hearing where concerned individuals can present their own evidence and, if necessary, cross-examine the FTC’s evidence. And that is all before court challenges.

  • Enforcement against dominant platforms and intermediaries. Another consistent theme in Chair Khan’s speeches is a desire to re-focus enforcement into “dominant platforms” and key market intermediaries. Her reasons seem largely one of resource allocation — moving away from one-off whack-a-mole fraud cases to more complex matters where conduct relief can have a much larger effect on consumers across the market. While this shifting enforcement may not involve new legal theories, larger companies in this space should be aware that they are under increased scrutiny.

 

V. CONCLUSION

The FTC has a long history of enforcing its laws in the fintech space. This focus is likely to increase now that Chair Khan has her third Democratic vote to proceed on a more aggressive enforcement and regulatory agenda. How this ends will depend on how far the agency is willing to push, and whether companies are willing to test novel theories in court. I would stay tuned.


[1] Partner, Mayer Brown LLP; former attorney at Federal Trade Commission, Division of Financial Practices.