Recent federal activity is sending a clear message to banks and payment companies: “debanking” decisions can no longer be driven by vague notions of “reputational risk,” and institutions should expect greater scrutiny of how they evaluate, onboard, and offboard customers.

In the past several months, federal regulators have sharpened their focus on account terminations, onboarding denials, and other access decisions that may disproportionately affect certain industries or segments of customers. Those efforts are converging around a common theme: financial institutions and payment providers must be able to articulate and defend risk-based decisions with objective criteria, not subjective impressions.

The Federal Trade Commission’s latest move underscores that point. FTC Chair Andrew N. Ferguson recently sent warning letters to the CEOs of four payment companies, including two major card networks, raising concerns about unfair or biased debanking practices in the payments ecosystem. The letters highlight the potential for enforcement where account closures or refusals to serve are not grounded in clear, consistently applied standards tied to legal and compliance risks, but instead rely on opaque “reputational” considerations.

For banks, payment facilitators, ISOs, processors, and software platforms that enable payments, this development raises the stakes on how access decisions are made and documented. Key questions now include:

  • What specific risk factors drive onboarding and termination decisions?
  • Are those factors tied to defined legal, credit, fraud, or operational risks, or framed in imprecise “reputational” terms?
  • How are those criteria applied in practice across different merchant verticals and customer types?
  • Do policies and procedures provide a clear, defensible rationale if regulators ask why a particular customer was declined or terminated?

Regulators are signaling that it is no longer enough to “know it when you see it.” Payment companies need transparent policies, consistent processes, and a risk framework that can withstand regulatory scrutiny. That includes documenting how decisions are made, training teams that implement those policies, and regularly reviewing practices to identify patterns that may appear biased or unfair.

Now is an opportune time for financial institutions and payment platforms to revisit onboarding and termination policies to remove or refine “reputational risk” concepts, tighten definitions of prohibited or higher-risk activities and align them with applicable law, card network rules, and internal risk appetite, evaluate how exceptions are handled and escalated.

If your organization is reassessing its approach to debanking, account terminations, or risk-based access decisions, our team at Taft can help evaluate existing frameworks, update policy language, and align practices with evolving federal expectations.

 

The Eighth Circuit’s recent decision to vacate the Federal Trade Commission’s (FTC) new Negative Option Rule (commonly referred to as the “Click-to-Cancel” Rule) has created significant uncertainty for businesses in the payments and subscription industries. Many companies were preparing to comply with the now-vacated rule’s broad requirements, only to see them now nullified just before they were set to take effect. And while the court’s decision halts, for now, the FTC’s efforts in implementing the new Rule, it is important for businesses to recognize that the fundamental compliance obligations for negative option programs remain firmly in place under existing federal and state laws.

What Happened?

The FTC’s (now vacated) Negative Option Rule, which was intended to take effect on July 14, 2025, was purportedly intended to simplify the process for consumers to cancel recurring subscriptions and to require clear, affirmative consent for automatic renewals. With this rule, the FTC sought to modernize its original negative option rule (promulgated in 1973), that covered only one form of negative option plan, by extending its application to modern-day forms of negative-option programs.

Challengers to the rule argued, among other things, that the FTC failed to conduct the proper economic impact analysis as required under the Regulatory Flexibility Act. However, The Eighth Circuit agreed and vacated the new rule on procedural grounds, concluding that the FTC had failed to conduct the necessary preliminary regulatory. As a result, the vacated rule will not take effect, and the prior, more limited rule remains operative.

The Core Concepts Remain

Although the FTC’s new rule is no longer in play, businesses should not interpret this as a signal to relax their compliance efforts on these issues. The core principles that underpinned the vacated rule, such as clear disclosures, affirmative consent, and easy cancellation are still enforced through a patchwork of existing laws. And, the FTC had already taken enforcement action against payment providers for such practices long before the new Click-to-Cancel Rule was even proposed.

For example, the Restore Online Shoppers’ Confidence Act (ROSCA) applies to online negative option features, including automatic renewals and free-to-pay conversions. ROSCA requires businesses to provide clear and conspicuous disclosure of all material terms before obtaining billing information, to secure express informed consent from consumers before charging them, and to offer simple mechanisms for consumers to stop recurring charges. Violations of ROSCA are treated as violations of an FTC trade regulation rule, which allows the FTC to seek civil penalties and other remedies.

Further, Unfair or Deceptive Acts or Practices (UDAP) laws also play a significant role. At the federal level, Section 5 of the FTC Act prohibits unfair or deceptive acts or practices, including those involving negative option marketing. Every state has its own UDAP statute, many of which mirror or expand upon federal requirements. These laws generally require that material terms be disclosed before the consumer agrees to buy, that affirmative and informed consent be obtained, and that cancellation methods be simple, reasonable, and easily accessible.

State specific “Click-to-Cancel” and automatic renewal laws add another layer of complexity. For instance, California mandates that businesses provide a cancellation mechanism that is as easy as the sign-up process, with clear disclosures and prompt processing of cancellation requests. Several other states have enacted or are considering similar laws, often with requirements that match or even exceed those of the vacated FTC rule.

What Should Businesses Do Now?

In light of these overlapping requirements, businesses should continue their compliance efforts with respect to negative option and subscription offerings. The absence of the FTC’s new rule does not eliminate the need for robust compliance programs. The original negative option rule, ROSCA, UDAP, and state laws still require clear, upfront disclosures of all material terms, affirmative and informed consent for automatic renewals, and easy, accessible cancellation methods (often including “click-to-cancel” for online sign-ups). Companies should actively review their enrollment and renewal processes, existing contracts, and contract templates to ensure they meet or exceed the requirements of the original negative option rule, ROSCA, the FTC Act, and the most stringent state laws.

Importantly, however, although the Eight Circuit’s decision invalidates the rule, it did not undercut the FTC’s policy objectives. The Eight Circuit’s decision was procedural, not substantive, and the FTC may reappear with a revised rule or increased enforcement under existing statutes. In addition the rule invalidation may prompt a heightened regulatory response at the state level. In this environment, proactive monitoring of regulatory developments remains essential.

Final Thoughts

The Eighth Circuit’s decision represents a procedural setback for the FTC, but not for consumer protection. The legal and regulatory expectations for negative option programs remain robust. Businesses should remain vigilant and proactive, recognizing that compliance is not merely a box to check, but a critical part of building consumer trust and avoiding costly enforcement actions.

If you have questions about how these developments impact your business, or need assistance auditing your compliance program, please reach out to the Taft Paytech & Payment Systems team. 

This article is for informational purposes only and does not constitute legal advice. For specific guidance, consult with your legal counsel.

 

On November 15, 2024, the Federal Trade Commission (FTC) published its final “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (the “Rule”), part of which includes what the FTC refers to as the “Click to Cancel” rule. This far-reaching rule applies to most automatically renewable contracts and thus is poised to have a significant impact on millions of businesses in almost every imaginable industry—unless the incoming Trump administration rescinds it or rolls back enforcement before it even gets underway.

The term “negative option” as used in the Rule refers to any contract term or condition whereby the consumer’s failure to cancel or take some other affirmative action is treated as an acceptance of the seller’s offer or a continuation of the contract. Examples include:

  1. Automatic renewal of the contract.
  2. A continuity plan, where the consumer has agreed to accept and pay for periodic delivery of goods or services (e.g., bottled water delivery).
  3. A free-to-pay or fee-to-pay conversion, i.e., a free or reduced-cost trial period which will convert to a paid subscription unless the consumer affirmatively cancels.
  4. A pre-notification negative option plan, which refers to programs (such as book-of-the-month clubs) wherein the seller will send periodic notices offering goods or services to participating consumers and will automatically send, and charge the consumer for, the goods or services unless the consumer affirmatively declines the offer. This type of program is currently the only negative option regulated under the old rule. The new final Rule adds the other three types above.

Importantly, even though the Rule talks about selling goods and services to “consumers,” the FTC has made clear that it intends to enforce the Rule with respect to sales to “business consumers” as well as individual consumers. Thus, the Rule will govern both B2B and B2C contracts alike. Furthermore, unlike some existing statutes and rules that are specific to online or telephone sales or other particular sales channels (e.g., the Restore Online Shoppers’ Confidence Act (ROSCA) and the Telemarketing Sales Rule (TSR)), the new Rule is media-agnostic and will apply regardless of whether an agreement is entered into online, on paper, in person, or in any other format or sales environment.

The Rule has four major components:

  • Prohibition on making any material misrepresentation, expressly or by implication, concerning any good or service with a negative option feature. Note this does not just prohibit misrepresentations about the negative option. Rather, as long as the good or service contains a negative option feature and is thus covered by the Rule, this clause establishes a violation for any misrepresentation of any material fact regarding the good or service, including relating to its cost, purpose or efficacy, health or safety, or any other material fact.
  • Disclosure requirements regarding the negative option, including a notice of the upcoming charge, the amount to be charged, the deadline by which the consumer must act to avoid being charged, and the mechanism by which the consumer may cancel.
  • Requirement to obtain the consumer’s informed consent.
  • “Click to Cancel” rule, obligating sellers to establish a simple cancelation mechanism which is at least as simple and as easy to use as the method the consumer used to consent to the negative option feature in the first place.

Under the Rule, failure to comply with the above requirements constitutes an unfair or deceptive act or practice in violation of the FTC Act, exposing the offending business to civil penalties.

The Rule becomes effective January 14, 2025. For most of the new requirements of the Rule, business will have until May 14, 2025 to comply. Compliance with respect to the prohibitions on misrepresentations is set to begin earlier, on March 14, 2025.

In a public comment submitted to the FTC last year (while this Rule was in the proposal stage), the Electronic Transactions Association (ETA) raised concerns on behalf of members of the payments industry, in light of the broad language covering anyone “charging for . . . goods or services with a negative option feature.” To ensure that this would not be interpreted to include not only the seller but also intermediaries such as payment processors, the ETA requested an express exemption for payment processors and other intermediaries. As the ETA noted, such payment intermediaries typically do not control the terms of the negative option feature and do not control the interface with the consumer buyer. Unfortunately, the FTC rejected this approach and declined to adopt a categorical exemption for payment intermediaries. However, the FTC did note that it agrees with the ETA that a proper reading of the Rule would not include intermediaries who merely effect the transfer of funds from the consumer buyer to the merchant seller. The FTC indicated that it intends to continue its practice from other contexts (namely, ROSCA) not to enforce such rules against payment intermediaries solely for their conduct in effecting funds transfers.

All that said, there is a good chance that the incoming Trump (47) administration, which takes control of the Executive Branch on January 20, 2025 (less than a week after the Rule in question goes into effect), may rescind the entire regulation. Administration officials and surrogates have expressed a skeptical view of executive rulemaking authority and the administration is expected to act aggressively when it comes to removing regulations that it considers overly broad or restrictive to business interests. This regulation in particular has been criticized as an example of agency overreach, which renders it especially vulnerable.

Firstly, last year, when this Rule was still in the Proposed Rule stage, two FTC commissioners strongly dissented from pursuing such rulemaking, in large part because of concerns that the FTC “has demonstrated a zeal and willingness to push beyond the boundaries of out authority.” The dissent further argued that the Rule’s bans on general misrepresentations unrelated to the negative option feature exceed the scope of permissible rulemaking and therefore the FTC lacks authority under the FTC Act to seek civil penalties and other consumer redress.

Public comments raised further questions as to the propriety of the new Rule. For example, in the public comment from the ETA cited above, the ETA also questioned whether the FTC has authority to address B2B transactions at all. Among other things, the ETA argued that the regulatory influence interposed by the FTC in B2B contractual arrangements is outside the scope of the agency’s statutory authority.

Vivek Ramaswamy, tapped by President-Elect Donald Trump to co-lead the newly formed Department of Government Efficiency (DOGE), which was created to rein in the administrative state,[1] tweeted on X that one of DOGE’s primary tools for deregulation will be to identify and declare void any regulations that do not pass muster under the “Major Questions” doctrine, as explained and ruled on by the Supreme Court in the landmark decision, West Virginia v. EPA (2022), which held that agencies cannot decide major questions of economic or political significance without “clear congressional authorization.” There is a strong likelihood that this new FTC Rule would fail under this test.

Furthermore, the Congressional Review Act grants Congress the ability, by simple-majority vote, to void any rules that have been promulgated by executive agencies within the past 60 legislative days. Congress employed the CRA sixteen times during the first Trump administration to nullify existing regulations, and a GOP-led Congress is likely to use it again to remove Biden-era rules that fall within the allowable window. As this Rule does fall within such time period, it is a prime candidate to be the subject of a congressional resolution of disapproval pursuant to the CRA.

We will continue to monitor any developments and are available to assist in analyzing the impact of such developments on your business operations and contractual relationships. Please contact us if you have any questions or if you need any assistance in this matter.

 

[1] Note that notwithstanding its designation as a “Department,” DOGE is expected to remain an unofficial committee not part of the federal government.

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-awaited rule on Personal Financial Data Rights (referred to herein as the “Open Banking Rule”).

The Open Banking Rule requires banks, credit unions, and other financial service providers to make available consumers’ data upon request to those consumers or other third parties designated by such consumers. The rule is issued to implement the personal financial data rights established by the Consumer Financial Protection Act of 2010 (“CFPA”).  In particular, Section 1033 of the CFPA, provides consumers with a right to access their account information and authorize certain third parties to access such information on the consumer’s behalf.  Subject to the newly finalized Open Banking Rule, Section 1033 requires covered banks, credit unions, financial institutions, and certain payment providers to make available consumers financial data to that consumer or third party authorized to receive such information on the consumer’s behalf.

The Open Banking Rule casts a wide-net and has substantial implications not only on the data providers (defined below), but also on the third parties receiving such information on behalf of the requesting consumer.  The same day the Open Banking Rule was released, a Kentucky-based bank and two trade associations filed a lawsuit in federal district court in Kentucky challenging the rule, and we expect more lawsuits to follow.  These legal challenges could delay or impact implementation of the rule, and Taft will continue to monitor their status.

We’ve boiled down the basics here in an FAQ format to demystify the implications this proposed rule would have on the payments industry.

Q: Who does the Open Banking Rule Apply to?

A: The Open Banking Rule applies to “data providers,” which are financial institutions (as defined in Regulation E), card issuers (as defined in Regulation Z), or any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.

Q: Which entities are considered “data providers”?

A: Data providers include depository institutions such as banks or credit unions, and nondepository institutions that issue credit cards, hold transaction accounts, issue devices to access an account, or provide other types of payment facilitation products or services.

Q: Which entities are not covered under the Open Banking Rule?

A: Data providers are exempt if they are depository institutions that hold $850 million or less in total assets, which is based on U.S. Small Business Administration (“SBA”) size standards.

Q: Who is an “authorized third party” under the Open Banking Rule?

A:   An “authorized third party” is a third party that is authorized to receive “covered data” about “covered financial products and services” available in electronic form to consumers.  An “authorized third party” is defined as a third party that has complied with the authorization procedures set forth in subpart D of the Open Banking Rule. For a third party to comply with subpart D and obtain authorization from a consumer to become an “authorized third party,” it must obtain authorization from the consumer on an annual basis. Continued use of a third party’s services does not constitute authorization. Authorization must include the following “near in time” type disclosures to the consumer as a precursor to obtaining authorization:

  • Name of the third party that will be authorized to access the covered data.
  • Name of the data provider that will be in control or possession of the covered data that will be processed by the third party.
  • The categories of covered data that will be accessed.
  • The purpose of accessing the covered data.
  • The time frame that the authorization will cover (up to one year)
  • A description of the revocation mechanism for granting consent.

 Q: What is “covered data”?

A: “Covered data” is financial information that a financial institution (or “data provider”) must make accessible to consumers and authorized third parties upon request. Financial information includes, among other things, account balances, account terms and conditions, information necessary to initiate payments (including, account and routing numbers), transaction amounts, transaction dates, payment types, rewards credits, fees and finance charges, and verification information necessary to confirm account ownership (e.g., name, address, email address and phone number).

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Gramm-Leach-Bliley Act and Regulation P?

A: Data providers are required to maintain a “developer interface”, which is a functionality through which it receives requests for covered data and makes the data available to authorized third parties.  Data providers are required to have an information security program for their developer interface that meets the requirements of the Safeguards Framework under the Gramm-Leach-Bliley Act (“GLBA”).  If the data provider is not subject to the GLBA’s Safeguards Framework, they must have an information security program that meets the standards under the FTC’s Standards for Safeguarding Customer Information.  Third parties must also have an information security program for their own systems for the collection, use, and retention of covered data that meets these requirements.

Q: How does the Open Banking Rule impact a person’s obligations or duties under the Fair Credit Reporting Act?

A: The obligations of the Open Banking Rule creates overlap with the Fair Credit Reporting Act. A third-party data aggregator or other financial service provider may be classified as a credit reporting agency if it handles covered data that could be used for credit decisions, i.e., in a manner that the Fair Credit Reporting Act deems to be “credit report” like information. This regulatory overlap will impose obligations on fintech and data aggregation companies to comply with the requirements of the Fair Credit Reporting Act for data accuracy, privacy, limitations on use of data, and data security.

Q: When are the mandatory compliance dates? 

A: Compliance dates are staggered, based on the calculation of a data provider’s total assets or total receipts.  Larger entities have a shorter timeframe for compliance.  April 1, 2026 is the compliance deadline for depository institutions with at least $250 billion in total assets, and non-depository institutions that generated at least $10 billion in total receipts in either of the years 2023 or 2024, while April 1, 2030 is the compliance deadline for depository institutions that hold less than $1.5 billion but more than $850 million in total assets.

Taft continues evaluating the Final Rule and is available to assist in analyzing the impact it may have on your new or existing operations and contractual agreements.

Fraud in the payments space is nothing new. In fact, it is fairly pervasive across the (now numerous) available payment systems. And despite the clear benefits of faster payments, the advent of faster, more easily accessible methods of payment has given rise to new opportunities for fraudsters.

From bill payment and payroll to the “behind the scenes” funds settlement mechanisms of various payment applications we use daily, one of the primary payment systems used by consumers and businesses alike is the ACH network. The National Automated Clearing House Association (“Nacha”) establishes the rules governing the ACH network (“Rules”). In March of 2024, Nacha voted on and approved 15 amendments to the Rules, including several revisions that are intended to strengthen the ACH network participants’ ability to detect potential fraud and to efficiently recover funds in the event that fraud does take place (collectively, the “Risk Management Topics”). Several of these Risk Management Topics go into effect on October 1, 2024, while others that may require more lead time from a technical perspective have staggered effective dates over the next few years. Understanding the requirements, and the opportunities, presented by these new Risk Management Topics is critical for financial institutions and corporations, alike. Below is a high-level summary of the new Risk Management Topics for your consideration.

1. Expanded Use Cases of the R17 and R06 Return Reason Codes. When a financial institution receives a debit or credit entry from another financial institution through the ACH network, the Rules permit the Receiving Depository Financial Institution (“RDFI”) to return that entry to the Originating Depository Financial Institution (“ODFI”). The RDFI must follow explicit parameters set forth in the Rules surrounding the return of these ACH entries, including that a Return Reason Code, identifying the reason for the return, be attached to the returned entry. The new revisions to the R06 and R17 Return Reason Codes provide both ODFIs and RDFIs with more discretion with respect to the return of entries they suspect to be fraudulent.

Prior to October 1, 2024, the R06 Return Reason Code was used by ODFIs to request that the RDFI return an entry that was either an “Erroneous Entry” (which is narrowly defined) or that was a credit entry initiated without the authorization of the Originator. The new revision allows ODFIs to use R06 to request a return from the RDFI for any reason.

The R17 Return Reason Code was previously used by RDFIs to return entries that: (a) it could not process; (b) contained an invalid account number and which the RDFI suspected was initiated under questionable circumstances; or (c) the RDFI or the account holder (“Receiver”) identified as being an improper reversal of an entry. As revised, RDFIs can use R17 to return entries they believe to be initiated under “questionable circumstances” without requiring that there also be an error with the account number. This include entries transmitted without an Originator’s authorization and entries that are originated under False Pretenses (as defined below).

Financial institutions should ensure their internal procedures reflect the new use cases of R06 and R17, and corporates should be educated in their additional avenues for requesting/ initiating returns through their financial institution.

Risk Management Topic Key Takeaways Effective Date
Expanded Use of ODFI Request for Return (R06) An ODFI may now request that an RDFI return any entry for any reason at all, including suspected fraud. The RDFI still maintains sole discretion in deciding whether to honor the requested return, but now it must give the ODFI a response within 10 banking days. Importantly, the ODFI will still need to indemnify the RDFI for such requested returns.

Phase 1 – October 1, 2024: ODFIs may begin using R06.

 

Phase 2 – April 1, 2025: RDFIs will need to have procedures in place to respond timely to an R06 request.

 
Codifying Expanded Use (R17)

An RDFI may (but is not required to) return any entry it believes, in its sole discretion, is fraudulent. RDFIs exercising this right to return must do so within the 2 banking day time frame and must include the descriptor “QUESTIONABLE” in the return addenda.

 

 October 1, 2024

2. Additional Funds Availability Exceptions. Previously, the Rules allowed an RDFI to delay funds availability of ACH credits to a Receiver if the RDFI reasonably believed it was an unauthorized credit entry (e.g. in the event of an account takeover of an Originator’s account). As revised, the Rules will now also allow an RDFI to delay funds availability if it reasonably believes that a credit was unlawful, suspicious, or otherwise sent under False Pretenses. The revised Rules define “False Pretenses” as “the inducement of a payment by a Person misrepresenting: (a) that Person’s identity, (b) that Person’s association with or authority to act on behalf of another Person, or (c) the ownership of an account to be credited.” This definition is intended to cover common fraud scenarios like business email compromise, vendor impersonation, and other payee impersonations where the Originator is induced by a third party to authorize an entry. Identifying what is, and what is not, an instance of False Pretenses is nuanced; for example, while a business email compromise or vendor impersonation that induces someone to make a payment to a fraudster would constitute False Pretenses, a corporate account takeover or a payment intentionally made to a legitimate Receiver who then uses the funds for something other than for the Originator’s intended purpose would not. RDFIs will need to review their internal policies and procedures with respect to monitoring potential unauthorized credits and credits initiated under False Pretenses.

Risk Management Topic Key Takeaways Effective Date
Additional Funds Availability Exceptions

An RDFI may, but is not required to, delay funds availability (subject to applicable law, including Regulation CC) if it suspects it was originated under False Pretenses, not only if it was unauthorized.

 

 October 1, 2024

3. Timing of Written Statements of Unauthorized Debit (“WSUDs”) and Prompt Return of Unauthorized Debits. The existing Rules require that an RDFI receive a WSUD from consumers on or after the Settlement Date (as defined in the Rules) of an unauthorized debit in order to return it as unauthorized. However, technological developments have created an environment where a Receiver may become aware of a pending unauthorized debit before its actual Settlement Date. The new revisions to the Rules allow for more flexibility in the timing of a consumer completing a WSUD. The existing Rules were also silent as to exactly how quickly an RDFI was required to take action based on a WSUD it received from a consumer Receiver; it merely required that entries returned as unauthorized be transmitted to the ODFI within a certain timeframe. Now, there is a requirement that RDFIs return such unauthorized entries no later than the opening of business on the sixth (6th) banking day following the completion of their review of the Receiver’s signed WSUD. The revisions related to consumer WSUDs and unauthorized debits are designed to allow Receivers and RDFIs to more quickly respond to potential unauthorized debits, thus mitigating risk of additional fraudulent transactions and helping make the affected parties whole more quickly. RDFIs will need to review their internal policies and procedures associated with the handling of WSUDs and returning entries as unauthorized.

Risk Management Topic Key Takeaways Effective Date
Timing of WSUDs

WSUDs may be completed by a consumer Receiver on or after the date on which the entry is presented to the Receiver, even if that is prior to the debit posting to their account.

 

 October 1, 2024
Prompt Return of Unauthorized Debits

An RDFI must return a consumer Receiver’s unauthorized debit for which it has received a WSUD no later than the 6th banking day following the completion of the RDFI’s review of the completed WSUD, but in no case later than the 60th calendar day following the settlement date of the original debit.

 

 October 1, 2024

4. Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs. The current Rules require non-consumer Originators to, among other things, use commercially reasonable fraudulent transaction detection systems when originating WEB debits and also when originating Micro-Entries. However, there was no corresponding requirement with respect to other SEC codes or to credits other than Micro-Entries. The revised Rules will require non-consumer Originators and ODFIs, as well as Third-Party Senders and Third-Party Service Providers (as each are defined in the Rules), to develop risk-based policies and procedures to identify fraudulent transactions more broadly. Importantly, a risk-based analysis cannot be used to conclude that no monitoring is needed on a going-forward basis. All non-consumer Originators, Third-Party Senders, Third-Party Service Providers and ODFIs should, at a minimum, conduct risk assessments to identify, qualify, and quantify the risks they face. All impacted parties should also evaluate their current policies and procedures, update them accordingly, and continue to review them on an annual basis and update as needed.

Risk Management Topic Key Takeaways Effective Date
Fraud Monitoring by Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs.

Non-Consumer Originators, Third-Party Senders, Third-Party Service Providers, and ODFIs must implement fraud detection systems to detect and prevent fraud for both debits and credits in general, including:

 

(a) establishing/ implementing risk-based processes and procedures relevant to the role it plays in the authorization or transmission of entries that are reasonably intended to identify entries that are suspected of being unauthorized or authorized under False Pretenses; and

 

(b) reviewing such processes and procedures at least annually and making appropriate updates to address evolving risks.

 

Phase 1 – March 20, 2026: All ODFIs and certain Third-Party Senders, Third-Party Service Providers, and non-consumer Originators with annual origination volume in 2023 that exceeded 6 million entries will need to have these processes in place.

 

Phase 2 – June 19, 2026: All other Third-Party Senders, Third-Party Service Providers, and non-Consumer Originators will need to be compliant with the new Rule.

5. Credit Monitoring by RDFIs. Historically, the onus has been on Originators and ODFIs to safeguard against fraudulent credit entries entering the ACH network, with the RDFIs having been largely omitted from that responsibility. However, RDFIs are in the unique position of being able to recognize when a Receiver’s account is receiving atypical credit entries (for example, based on their typical account balance, or the age of the account). Thus, under the revised Rules, RDFIs will now be required to establish and implement processes and procedures to help identify and mitigate fraudulent credit entries. RDFIs should update their internal policies and procedures to include this new monitoring obligation, and should ensure staff is appropriately trained to perform whatever monitoring the RDFI decides to implement.

Risk Management Topic Key Takeaways Effective Date
RDFI ACH Credit Monitoring

RDFIs will need to implement processes and procedures to identify unauthorized credit entries as well as credit entries initiated under False Pretenses, and to annually review their processes and procedures and make any indicated updates. The addition of this monitoring responsibility does not modify or supersede the ODFI’s warranty that the entries it introduces to the network are authorized, nor does it reallocate liability between ODFIs and RDFIs.

 

Phase 1 – March 20, 2026: RDFIs with receipt volume exceeded 10 million entries in 2023 will need to be compliant with the new Rule.

 

Phase 2 – June 19, 2026: All other RDFIs will need to be compliant with the new Rule.

 

6. Standard Company Entry Descriptions: PAYROLL and PURCHASE. The Company Entry Description field of ACH files already exists under the Rules; it is a 10-character field and is used to identify batches containing certain types of entries, including for reversals (“REVERSAL”) and for reinitiated entries (“RETRY PYMT”). The new updates to the Rules will require that non-consumer Originators, ODFIs, Third-Party Senders and Third-Party Service Providers to also use two new Company Entry Descriptions: (a) PPD credits for the payment of wages or other similar compensation must include the Company Enty Description of “PAYROLL”; and (b) e-commerce purchases, which are debits authorized by a consumer online for the online purchase of goods, must include the Company Entry Description of “PURCHASE.” The goal in adding these qualifiers is to help all of the network participants more readily identify, and monitor, transaction types that are frequently associated with fraudulent transactions. Non-consumer Originators, ODFIs, Third-Party Senders and Third-Party Service Providers (as applicable) will need to ensure they are categorizing their payments and using these new Company Entry Descriptions in creating their files.

Risk Management Topic Key Takeaways Effective Date
Standard Company Entry Descriptions Certain transactions will require the use of PAYROLL and PURCHASE Company Entry Description field of the ACH file. March 20, 2026, but Originators may begin using these codes prior to the Effective Date.

While the above Risk Management Topics may require substantial changes to the policies and procedures of the affected participants, the overarching result is expected to be a more secure network that is more readily able to stave off, combat, and ultimately remedy fraud.

Please contact us if you have any questions or concerns about how the Risk Management Topics will affect your institution.

For years, “FBO” has been one the payments industry’s favorite buzz words. The FBO account structure has been a common “best practice” by payments providers seeking to remove themselves from the flow of funds to reduce their risk of being regulated as a money transmitter. As a foundational matter, FBO accounts are merely custodial depository accounts maintained at financial institutions and established “for the benefit of” (FBO) intended beneficiaries of funds in the accounts. The structures of such accounts can vary. Typically, in the payments space, these accounts are structured to be bank-owned and held for the benefit of the payments provider’s customer (often a merchant or sub-merchant), rather than for the payments provider itself, to maximize the protections afforded by removing the payments provider from the flow of funds. Under this model, the payments provider can instruct the bank to move funds in and out of the FBO account as authorized by the payments provider’s customer, without ever taking actual possession or control over the funds.

While this structure remains foundational to countless arrangements between banks and their fintech partners, the risks created by the misuse of this structure has led the Federal Deposit Insurance Corporation (FDIC) to issue a proposed rule which would impose extensive requirements on FDIC insured depository institutions (IDI) with respect to “custodial deposit accounts with transactional features” – FBO accounts included. This proposed rule comes amid heighted scrutiny of bank and fintech arrangements by the federal banking regulators. The requirements set forth in this proposed rule would not only impact the IDIs but would also have a substantial impact on payments providers whose business models and operations rely upon the availability of these types of account structures.

The proposed rule is complex and technical. So, we’ve boiled down the basics here in an FAQ format to demystify the implications this proposed rule would have on the payments industry.

Q:  What prompted the proposed rule?

A:   The proposed rule was ultimately prompted by consumer confusion about whether funds placed with IDIs through arrangements with non-bank payments providers qualify for FDIC protection and concern for their ability to access and recover such funds. In particular, the FDIC cites the bankruptcy of Synapse Financial Technologies, Inc. (Synapse), a technology company that worked with several IDIs and numerous fintechs. The Synapse bankruptcy affected consumers’ ability to access funds placed at IDIs in FBO and custodial accounts for a number of months. In some instances, it was advertised that the funds were FDIC insured. Following the bankruptcy, the IDIs that were holding customer funds had difficulty obtaining, reviewing, and reconciling Synapse’s records to determine the ownership of those funds. This caused detrimental harm to many customers who were unable to receive funds needed to cover daily expenses.

The Synapse bankruptcy was just one prime example provided by the FDIC. It highlighted that the use of “custodial accounts with transactional features” presents significant hurdles and corresponding delays in the FDIC’s ability to make deposit insurance determinations. In recent months, the FDIC has taken action against a number of IDIs seeking to address concerns related to bank/fintech partnerships and now seeks to address the issues it has identified consistently among all IDIs through the proposed rule.

Q: What are the FDIC’s objectives and intentions for the proposed rule?

A:   The FDIC seeks to:

  • Strengthen IDI recordkeeping requirements for “custodial deposit accounts with transactional features” (which includes FBO accounts);
  • Preserve beneficial owners’ and depositors’ entitlement to the protections afforded by federal deposit insurance;
  • Promote the FDIC’s ability to promptly make deposit insurance determinations;
  • Enable the FDIC to pay deposit insurance claims “as soon as possible” in the event of a failure of an IDI holding custodial accounts with transactional features; and
  • Promote timely access to funds (even in the absence of an IDI failure).

Q: Who does the proposed rule apply to?

A: The proposed rule directly applies to all IDIs, regardless of size, who offer custodial accounts with transactional features (subject to exemptions for specific types of custodial accounts). The proposed rule would apply regardless of how many custodial accounts with transactional features are held at the IDI and regardless of how many beneficial owners funds’ are held within such accounts. The FDIC seeks comment on whether there should be a minimum threshold for applying the requirements of the proposed rule.

If made final, fintechs and other-non bank payments providers will be impacted through operational and contractual changes in their relationships with IDI partners that will be required as a result of the proposed rule. 

Q: What is a “custodial deposit account” under the proposed rule?

A: A “custodial deposit account” for purposes of the proposed rule is a relationship where one party is responsible for opening a deposit account at an IDI on behalf of others who may own the funds but do not have a direct relationship with the bank. 

Q: What are “custodial accounts with transactional features” under the proposed rule?

A: A deposit account that:

  • Is established for the benefit of beneficial owner(s);
  • Holds commingled deposits of multiple beneficial owners; and
  • The beneficial owner(s) may authorize or direct a transfer from to a party other than the account holder or the beneficial owner(s) (e.g. to make a purchase or pay a bill).

If funds in the custodial account are only returned to either the beneficial owner or the account holder, and would not be transferred to third parties, the account would fall outside the scope of the types of accounts covered by the proposed rule. However, the FDIC questions whether it should apply the proposed rule’s recordkeeping requirements to all custodial deposit accounts, and not just those with “transactional features.”

Q: How does the proposed rule differentiate between a “beneficial owner” and an “account holder”?

A: A “beneficial owner” would be defined as “a person or entity that owns, under applicable law, the funds in a custodial account.” An “account holder” would be “the person or entity who opens or establishes a custodial account with transactional features with an insured depository institution.” So, in the case of a fintech or other non-bank payments provider that establishes an account at an IDI for the benefit of its customers, even if the account is titled in the name of the IDI itself for the benefit of the fintech’s customers, the fintech would be the “account holder” under the proposed rule because it contracted with the IDI to establish the account.

Q: What types of custodial deposit accounts are exempt from the rule?

A:   The proposed rule exempts certain custodial deposit accounts that already have stringent recordkeeping requirements under applicable law, including custodial deposit accounts which are:

  • Only used to hold trust deposits;
  • Established by government depositors, such as accounts maintained for the payment of government benefits;
  • Established by brokers or dealers under the Securities and Exchange Act of 1934, and investment advisers under the Investment Advisers Act of 1940;
  • Established by attorneys or law firms on behalf of clients, commonly known as interest on lawyers trust accounts (IOLTA accounts);
  • Used in connection with employee benefit plans and retirement plans;
  • Maintained by real estate brokers, real estate agents, title companies, and qualified intermediaries under the Internal Revenue Code;
  • Maintained by mortgage servicers in a custodial or other fiduciary capacity;
  • Protected by applicable federal or state law prohibiting the disclosure of the identities of the beneficial owners of the deposits;
  • Maintained by virtue of agreements to allocate/distribute deposits among participating IDIs in a network for purposes other than payment transactions of customers of the IDI or participating IDIs; or
  • Used to hold security deposits tied to property owners for a homeownership, condominium, or other similar housing association governed by state law, and accounts holding security deposits tied to residential or commercial leasehold interests.

The FDIC invites comments on whether there are other categories of custodial deposit accounts that should be exempt from the proposed rule.

Q: Can IDIs still contract with third parties to maintain the beneficial ownership records relating to the custodial account?

A: Yes, an IDI would still be able to contract with a third party (such as, for example, a vendor, processor, software or service provider or similar entity), provided that enhanced requirements are satisfied. These include:

  • The IDI having direct, continuous and unrestricted access to the beneficial owner records maintained by the third party, including in the event of the business interruption, insolvency or bankruptcy of the third party;
  • The IDI having a business continuity plan in place, including backup recordkeeping for the required beneficial ownership records and technical capabilities to ensure compliance with the proposal’s requirements;
  • The IDI implementing appropriate internal controls to:

(a) accurately determine the respective beneficial ownership interests associated with the custodial deposit account with transactional features; and

(b) conduct reconciliations against the beneficial ownership records no less frequently than the close of business daily;

  • Annually validating the third party’s records, where such validation is performed by persons or entities independent of the third party, in order to assess and verify that the third party is maintaining accurate and complete records consistent with the proposal’s provisions;
  • The third party maintaining the records in a specific electronic file format (as must the IDI if it maintains the records itself); and
  • The IDI having a direct contractual relationship with the third party that includes risk mitigation measures.

The additional requirements are intended to promote the integrity of the records and ensure that the IDI has continued access.

Q: What actions would IDIs need to take if the proposed rule is adopted?

A:   The proposed rule would require that IDIs holding custodial accounts with transactional features implement the following:

  • Recordkeeping. Maintain records relating to the account using a specific file format. The records would need to identify:
    • The beneficial owners of the custodial account;
    • The balance attributable to each beneficial owner; and
    • The ownership category in which the beneficial owner holds the deposited funds.

Records would also need to be maintained in a specific electronic file format with required fields for records of beneficial owners and their interests in the deposited funds. The specific format is described in Appendix A of the proposed rule.

  • Internal Controls. Implement and maintain internal controls to ensure that account balances are accurate. Such internal controls should be tailored to the individual IDI based on its unique circumstances, including its size and the scope of its risk appetite, but must include:
    • Maintaining accurate account balances, including the respective individual beneficial ownership interests associated with the custodial deposit account; and
    • Reconciling account balances against beneficial ownership records no less frequently than as of the close of business daily.
  • Written Policies and Procedures. Establish written policies and procedures to achieve compliance with the proposed rule’s requirements.
  • Annual Certification and Report. Annually complete and submit to the FDIC and to the IDI’s primary regulator:
    • A certification confirming the institution’s compliance with, and testing of, the proposed requirements
    • A report that:
      • Describes material changes to information technology systems relevant to compliance with the rule;
      • Lists account holders that maintain custodial deposit accounts with transactional features, total balance of the custodial deposit accounts and the total number of beneficial owners;
      • Sets forth the results of the institution testing of its recordkeeping requirements; and
      • Provides results of independent validation of any records maintained by third parties.

As a result of actions required by the proposed rule, the IDI would also need to review and update its contracts with its existing fintech partners.

Q: What happens if an IDI does not comply with the proposed rule, if adopted?

A: IDIs would be subject to examination by their primary federal regulator and enforcement actions for failures to comply that could result in cease-and-desist orders and civil money penalties. 

Q: What does the proposed rule mean for the IDIs’ non-bank partners?

A: Fintechs and other non-bank partners that contract with IDIs and assume the recordkeeping responsibilities of the IDI will need to provide the IDI with additional and continuous access to records and submit to review and verification by an outside, independent entity on an annual basis. IDIs will increase scrutiny on fintechs and other non-bank partners and make these types of accounts available to a fewer number of well-established fintech and non-bank partners. The costs associated with these account types will also likely increase.

Q: Would the rule apply retroactively to FBO accounts that were established before the proposed rule became effective?

A: Yes. The proposed rule would apply to custodial deposit accounts with transactional features regardless of when the account was established (before or after the proposed rule’s effective date). Thus, current agreements between IDIs and their fintech partners with respect to these types of accounts would need to be updated accordingly.

Q: What should IDIs do now in anticipation of the proposed rule becoming final?

A: IDIs can prepare by:

  • Reviewing the nature of their relationships with non-bank companies to determine whether such non-bank companies have custodial deposit accounts at the IDIs that fall under the scope of the proposed rule;
  • Analyzing the anticipated costs and benefits of accepting and maintaining custodial deposit account relationships with non-bank companies if the proposed rule is adopted;
  • Investigating the technical requirements of having data transmitted from account holders in the format required by the proposed rule;
  • Developing a recordkeeping system for maintaining required data;
  • Assessing capabilities of existing platforms or core processing systems to satisfy the requirements of the proposed rule;
  • Developing or procuring data interface systems, where necessary;
  • Submitting comments to the proposed rule, if desired, before the deadline;
  • Collecting agreements with third parties in anticipation of updating obligations and responsibilities if the proposed rule is adopted; and
  • Identifying which existing policies and procedures may be impacted.

Q: What should IDI partners do now in anticipation of the proposed rule becoming final?

A: IDI partners relying on FBO accounts at IDIs should:

  • Consider whether to submit a response to the proposed rule;
  • Identify any gaps between current operations, processes, and technical capabilities against the requirements of the proposed rule;
  • Evaluate existing internal systems, policies or procedures; and
  • Review business arrangements with other partners and fintechs.

Q: What is the future of FBO Accounts?

A: Regardless of whether this proposed rule becomes final, we can anticipate that there will be changes to FBO and custodial account models given recent events that put a magnifying glass on risks that can arise. While there will certainly be more hoops to jump through for many of the FBO account structures in use today, if the rule becomes final, the use of FBO and custodial accounts in IDI and fintech relationships will still be viable. However, we can reasonably anticipate that as the regulators increase scrutiny of these account structures (and bank-fintech arrangements, generally), IDIs will follow suit and further limit the availability of these products and increase costs to fintech partners as part of their own risk mitigation.

Q: What does this proposed rule mean for you?

A: Whether you are an IDI, fintech, or non-bank payments provider that leverages an FBO or custodial account as part of your operations, this proposed rule will have significant impact on you if made final. If you would like to understand the impact to your specific operations or if you are looking for guidance on the comment letter process, please reach out to a member of Taft’s Paytech and Payment Systems Team directly.

This week, New York’s new surcharging law went into effect, replacing the prior surcharge ban which had been attacked at the U.S. Supreme Court (as discussed here). The old law was simply a wholesale ban on credit card surcharges, although since being reinterpreted by the New York Court of Appeals in 2018, it has not been enforced categorically. The new statutory language appears to be an attempt to codify the Court of Appeals’ interpretation under which surcharge programs are permitted so long as certain disclosures are made. Even the law’s title has been changed from the harsh “Credit Card Surcharge Prohibited” to the more reasonable sounding “Credit Card Surcharge Notice Requirement.” But do not be deceived by the seemingly innocuous updates. Merchants have begun to worry about the amendments and their concerns appear to be justified, particularly in light of regulatory guidance published this week by the New York Department of State (NYDOS), Consumer Protection division. The NYDOS’s Credit Card Surcharge Guidance goes far beyond current industry standards, prohibiting surcharge practices that the card brands and other regulators sanction and deem compliant.

Under the new law effective as of February 11, 2024, any seller in any sales transaction imposing a surcharge on a customer who elects to use a credit card in lieu of payment by cash, check, or similar means shall clearly and conspicuously post the total price for using a credit card in such transaction, inclusive of surcharge. Furthermore, any such surcharge may “not exceed the amount of the surcharge charged to the business by the credit card company for such credit card use.”  That provision itself is vague as merchants are not charged “surcharges” by credit card companies for credit card use.  In any event, the law continues by stating: “The final sales price of any such sales transaction, inclusive of such surcharge, shall not amount to a price greater than the posted price for such sales transaction.”

The statute expressly states that merchants are not prohibited from offering a “two-tier pricing system,” described as “the tagging or posting of two different prices in which the credit card price, inclusive of any surcharge, is posted alongside the cash price.” The problem with this formulation—and with the NYDOS’s guidance on implementation—is that it treats dual pricing as a permitted way to do surcharging rather than how dual pricing is generally understood (including by the card brands), in the context of cash discounting.

In short, the statute conflates surcharges with the generally understood cash discount model. To be clear: although the law purports to permit surcharges in certain circumstances with the proper disclosures, New York’s surcharge law does not permit the charging of surcharges as that term is commonly understood in the payments industry. And what it does allow as a permissible “surcharge” (i.e., posting the highest credit card price and offering a discount or utilizing a dual pricing model) is not really a surcharge at all, but is what is generally recognized as permitted under the cash discount rubric, independent of any surcharge regulation.

Under Visa and Mastercard rules, if a merchant wishes to implement a traditional surcharge, among other requirements, the merchant must clearly and prominently disclose the fee with signage at the point of entry and point of sale, and list the surcharge as a separate line item on the receipt. However, these actions are now explicitly labeled as “ILLEGAL” in the flyers included with the NYDOS guidance (available here and here). Similarly, posting a sign identifying a surcharge percentage amount to be added to the cost of the good/service (a practice generally recognized as compliant by the card brands) is touted as “ILLEGAL” by NYDOS. The guidance is clear that the only way to comply with the new NY surcharge law is to list or post the HIGHER credit card price inclusive of the surcharge in dollar and cents alongside a posted discount for cash purchase. This throws into question the ability for Merchants operating in New York to comply with both the card brands rules on surcharging and NY’s new surcharging law and certainly creates operational challenges for merchants that have built technology and systems around traditional surcharging practices.

Another consequence of conflating surcharges and cash discounts in New York is that it potentially opens up true (and otherwise compliant) cash discount programs and dual price models (which have historically not been subject to the rules and laws governing surcharges) to being regulated as a surcharge. Contrast New York’s guidance with Visa’s position that a discounted cash or debit price that is clearly displayed next to the higher credit price does not constitute an additional fee or surcharge that is removed when the customer pays with cash or a debit card. Yet, the New York law describes the difference between two prices presented on equal footing as “inclusive of any surcharge.” An aggressive reading of the surcharge law may allow regulators to subject these two-tier pricing systems to the limitations now applicable to surcharges in New York.

The penalty for violating New York’s surcharging law can be steep and includes liability for a civil penalty up to $500 dollars for each violation. Significantly, the enforcement mechanisms have also changed, as the law can now be enforced concurrently by the director or commissioner of a municipal consumer affairs office, or by the town attorney, city corporation counsel, or other lawful designee of a municipality or local government. What’s more, all monies collected from such enforcement will be retained by the municipality or local government, which incentivizes local governments to police surcharge compliance (including in borderline cases or where there are questions regarding interpretation). For many merchants, business as usual could quickly lead to unwanted attention by state regulators or local and municipal governments.

Several years ago the Supreme Court’s favorable opinion regarding the merchant challenge to New York’s anti-surcharge law kicked off a series of lawsuits nationwide in which lower federal courts stepped in to invalidate similar surcharge bans in other states. This, in turn, led the attorneys general and consumer protection agencies of other states to preemptively cease enforcement of their own state surcharge bans even if the law remained on the books. Based on these events, Visa removed the majority of states (New York included) from their list of states where surcharging is prohibited.  However, in light of the new surcharging law and the guidance issued this week, it seems that the “surcharging,” as that practice is understood and generally implemented across the payments industry, is once again prohibited in New York. Merchants implementing surcharge and cash discount programs in New York should reevaluate their programs in light of the new law and guidance.

During our road trip on highway 66 we stopped at a local shop and I spotted in a dark corner this old map with pins and currencies left by visitors from all over the planet.
Christine Roy, Unsplash

As a corporation that handles ACH transactions on behalf of others, you may have heard your financial institution refer to you as a “Third-Party Sender.” Common examples of Third-Party Senders include payroll processing companies, rent payment companies, and other bill pay providers. If an entity is designated as a Third-Party Sender, it is subject to certain duties under the Nacha Operating Rules (“ACH Rules”), such as the requirements to have an annual ACH Audit conducted and to enter into specific agreements with its clients (the “Originators”). Continue Reading Third-Party Senders: Are you a Money Transmitter?

Chicago Federal Reserve Bank Building
Joshua Woroniecki, Unsplash

On January 19, 2021, several federal banking regulators including FinCEN, the Federal Reserve, the FDIC, NCUA, and the OCC jointly issued answers to several frequently asked questions (FAQs) regarding suspicious activity reports (SARs) and other anti-money laundering (AML) considerations for financial institutions covered by SAR rules.  As used below, the term “financial institution” includes money services businesses.

Importantly, the FAQs do not alter existing BSA/AML legal or regulatory requirements, nor do they establish new supervisory expectations.  Instead, they are intended to clarify the regulatory requirements related to SARs to assist financial institutions with their compliance obligations. Continue Reading New Joint Regulatory FAQs Regarding Suspicious Activity Reporting and other AML Considerations

1669133609-1973-3117-lxb_photoHNPrWOH2Z8Ulxb_photo-
Towfiqu barbhuiya, Unsplash

The commercial slowdown wrought by the global pandemic COVID-19 has left many in the payments industry wondering how the virus will affect their existing processing agreements. Depending on which side of an agreement you are on, you may be worried about breaching your contractual obligations or about the other party not being able to perform its end of the agreement. Likewise, you may be looking for a way to get out of the contract without being in breach, or, alternatively, nervous that COVID-19 will present an opportunity for the other side to legally terminate. Continue Reading Payment Processing Contracts and COVID-19