In a development that underscores the Federal Trade Commission’s (FTC) growing scrutiny of the “merchant of record” model, the commission announced a $5 million settlement with UK-based Paddle.com Market Limited (Paddle), which processed payments for multiple businesses that allegedly sold deceptive tech support software subscriptions to U.S. consumers. The Paddle settlement, which follows a series of earlier actions involving merchants of record, suggests that the FTC has expanded its focus from the traditional payments industry to more novel models that support merchant aggregation and related services. The settlement also presents another novel use of the FTC’s authority under the Restore Online Shoppers’ Confidence Act (ROSCA), which has become a favored tool of the FTC in policing sales and recurring billing practices that the commission deems unfair or deceptive.
FTC Allegations and Merchant of Record Concerns
Over the past decade, global e-commerce has grown dramatically, with merchants selling goods and services to consumers around the world. Given the complexity of cross-border sales, many e-commerce merchants have partnered with payments companies that process sales for the merchant as the “merchant of record,” and which may provide other ecommerce services, such as sales fulfillment and tax remittance. Although the merchant of record model has grown in popularity, the concept is not expressly recognized by the card network rules, which generally require merchant aggregators to register as payment facilitators.
According to the FTC’s complaint, instead of registering as a payment facilitator authorized to provide payment processing services to sub-merchants, Paddle operated as a merchant of record that provided an “end-to-end payment processing solution” for software sellers. As the merchant of record, Paddle processed sales transactions for the tech support merchants under Paddle’s own name and merchant account instead of under the names of the tech support companies. Contrary to payment network rules, said the FTC, Paddle never registered as a payment facilitator and engaged in unlawful payments aggregation without complying with merchant underwriting and monitoring requirements that govern payment facilitators.
The FTC complaint outlines a litany of alleged problems with the merchant of record model used by Paddle. Among the allegations:
- Concealing the identities and practices of its tech support clients by processing payments under Paddle’s own name
- Failing to effectively screen its tech support clients to ensure they were legitimate businesses not engaged in unlawful conduct or deceptive sales practices, including by failing to conduct “know your customer” (KYC) and other verification checks on the account that payment processors routinely do
- Obscuring the tech support merchants’ high chargebacks—often an indicator of deceptive or misleading sales practices—by aggregating the sales of thousands of separate merchants selling different products and services and engaging third-party chargeback prevention services “to artificially reduce chargebacks without investigating and addressing the root cause of the chargebacks”
- Facilitating confusing and deceptive consumer interactions by failing to provide customer service and tech support to consumers who sought such help from Paddle, given that Paddle was the purported merchant and the entity that billed them
Furthermore, the FTC alleged that Paddle had direct knowledge of its tech support clients’ deceptive and unlawful practices, including numerous risk warnings from its processing partners and acquirers, and found ways to continue processing for the tech support companies instead of terminating them. Because some of the sales occurred over the phone, the FTC alleged violations of the Telemarketing Sales Rule (TSR), which prohibits a payment processor or other intermediary from providing substantial assistance or support to those who violate the TSR when the intermediary knows or consciously avoids knowing of the law violations.
The $5 million settlement includes both monetary relief and injunctive provisions aimed at ensuring Paddle conducts appropriate oversight of its clients and their subscription marketing practices going forward. While the company did not admit to wrongdoing, the settlement imposes significant compliance obligations that will likely reshape how Paddle structures its merchant relationships and client onboarding in the future. In addition to the additional compliance obligations, Paddle is permanently banned from processing payments for tech-support merchants that engage in telemarketing or pop-up messages about computer security or performance.
Novel Application of ROSCA Applied to the Merchant of Record
The case against Paddle also includes a novel use by the FTC of its authority to enforce ROSCA in the merchant of record model. In an online transaction involving a recurring billing program, ROSCA requires that merchants make clear and conspicuous disclosure of all material terms before obtaining a consumer’s billing information and obtain the consumer’s express informed consent to the offer before charging the consumer. The FTC’s position was that Paddle, as the merchant of record, was primarily and directly responsible for the ROSCA violations of the tech support scammers. Specifically, the FTC alleged that Paddle’s status as merchant of record meant it was not just a neutral conduit—it was a central player in the transaction. The FTC’s theory was that Paddle, by assuming this central role, effectively stepped into the shoes of its clients and bore independent legal obligations under ROSCA.
Key Takeaways
The Paddle case continues a trend of aggressive FTC enforcement targeting payment intermediaries, including increased scrutiny of the merchant of record model. It’s a reminder that payment intermediaries and platforms may be held liable for consumer protection violations if they exercise meaningful control over billing practices or consumer disclosures—especially when they act as the merchant of record.
The decision also reflects the FTC’s expanded focus on international companies and potential harm to U.S. consumers. The commission unanimously authorized the filing of the complaint in a 3-0 vote. Chairman Andrew N. Ferguson issued a statement in support of the action, joined by commissioners Melissa Holyoak and Mark R. Meador, highlighting the use of FTC law enforcement authority against a foreign company to protect U.S. consumers.
Any business that operates as a merchant of record—whether domestically or internationally—should review its operations to ensure that its activities comply with the network rules, KYC best practices, and consumer protection laws. The Paddle decision demonstrates that the FTC will hold the merchant of record responsible for disclosures, sales and refund policies, customer service, and other compliance under consumer protection laws. In fact, the FTC’s complaint alleged that an outside consultant warned Paddle that if it operated as a merchant of record it would bear the ultimate responsibility of compliance.
To mitigate risk, merchants of record should perform robust underwriting of customers, ensure that products are marketed and sold in compliance with applicable consumer protection laws, and monitor sales transactions for signs of fraud or deceptive sales practices. As explained by the FTC in a prior action against a payment processor, “Knowing the identity of the merchant and its principals, where it is located, the products or services it sells, how it sells (e.g., telemarketing, online, retail store), its marketing practices, and the transaction volume allows the networks, acquirers, and intermediaries (such as payment processors and facilitators) to assess whether the merchant is engaged in legitimate business.” The Paddle decision underscores that merchants of record cannot avoid liability for the merchants they support or the transactions that they process.
