On April 14, Iowa Attorney General (AG) Brenna Bird, leading a coalition of 13 state AGs, sent a pointed letter to Visa, Mastercard, American Express, and Discover. Their message was clear: payment networks are expected to help shut down the U.S. market for unauthorized e‑cigarette products.

For financial services institutions that support e-cigarette merchants — card networks, sponsor banks, acquirers, independent sales organizations (ISOs), payment service providers (PSPs), and platforms — this letter is the latest signal of increased regulatory and enforcement risk tied to providing services to sellers of unauthorized e-cigarette products.

Under the Federal Food, Drug, and Cosmetic Act (FDCA), the only e-cigarette products that may be lawfully marketed in the U.S. are the 41 e-cigarette products that have received U.S. Food and Drug Administration (FDA) marketing authorization in the form of a marketing granted order (MGO). Any e-cigarette product that lacks FDA premarket authorization is considered adulterated and cannot be legally sold.

Yet, most of the U.S. e-cigarette market is comprised of products that lack premarket authorization. Indeed, the AGs’ letter claims that “[i]llicit e-cigarette products now account for almost all of the U.S. e-cigarette market, generating over $11 billion in annual retail sales and making up more than 80% of all e-cigarette sales nationwide.”

Some manufacturers assert they are continuing to sell their products pursuant to FDA’s exercise of enforcement discretion. When FDA extended its tobacco product authorities to cover e-cigarettes with tobacco-derived nicotine, the agency indicated that it generally intended not to enforce the premarket review requirement against e-cigarette products that were on the U.S. market as of August 8, 2016, and that had a timely submitted premarket tobacco product application (PMTA) by September 9, 2020, that was still undergoing review.

Nevertheless, FDA has since made clear that it no longer has any such enforcement discretion policy, asserting that its enforcement discretion policy for tobacco-derived nicotine product PMTAs contained a one-year sunset. For example, the agency’s website, last updated March 12, 2026, states that “FDA has not adopted a broad policy of enforcement discretion regarding tobacco products without marketing authorization,” and “[t]he pendency of an application does not create a legal safe harbor to sell that product.”

There are some exceptions. FDA says it is exercising its discretion to not enforce premarket review requirements for “a few tobacco products that have received a marketing denial order (MDO) that are under further agency review” and instances where “courts have granted stays of MDOs pending judicial review” or “FDA has administratively stayed MDOs.” Simply having a pending PMTA, however, does not fall into any formal enforcement discretion policy.

FDA has ramped up its enforcement efforts against unauthorized e-cigarettes over the past year (the April 14 letter lists 16 actions since January 2025), but the agency’s actions have not been enough to clear market shelves of illicit electronic nicotine delivery systems (ENDS).

As a result, states are increasingly trying to fill the gap. For example, state AGs have attempted to use their consumer protection authorities to target sellers of unauthorized e-cigarettes, and state legislatures have adopted e-cigarette directory laws that require manufacturers to certify the FDA premarket review status of their products.

Financial services providers appear to be state AGs’ next target. In November of last year, a bipartisan coalition of 25 state AGs sent a letter to Shopify, urging the company to take stronger action against merchants that use its e-commerce services to sell illegal e-cigarettes.

Now, the April 14 letter requests “immediate assistance” from Visa, Mastercard, American Express, among others, to “deny access to their services and take affirmative steps to identify, investigate, and remove merchants engaged in the unlawful sale of illicit e-cigarettes from their networks.” The AGs allege that companies using the payments services are violating not only the FDCA, but also the Prevent All Cigarette Trafficking (PACT) Act, the Federal Trade Commission (FTC) Act, and other federal criminal and civil statutes related to fraud, false statements, and money laundering, as well as state restrictions, such as flavor bans, product registries, and laws intended to prevent marketing to youth.

Financial services companies that have notice that they are engaged in, or are servicing companies that are engaged in, unlawful activities face considerable risks, particularly under federal and state anti-money laundering statutes. We recommend such companies carefully consider whether their current monitoring controls account for unauthorized e-cigarette sales and the scope of their exposure in providing services to unauthorized e-cigarette sellers. We anticipate that regulators will continue to look for new ways to try to clear market shelves of unauthorized e-cigarettes, which could mean enforcement actions against companies that provide such sellers financial services.

If you would like to discuss how this AG initiative may affect your institution’s payments, merchant acquiring, or fintech partnerships — or how to calibrate risk controls around e‑cigarette merchants — our Troutman Pepper Locke team is available to assist.