GS Logo
The Green Sheet, Inc

Please Log in

Banner Ad
View Archives

View flipbook of this issue

Care to Share?


Table of Contents

Lead Story

Card data security debate goes public as EMV deadline nears

News

Industry Update

New security bug dubbed Backoff exposed

ATM ISOs in EMV limbo

Square's 'ambiguous' EMV initiative

Features

Prepaid simplifies m-wallet ecosystem

Views

Regulatory agencies' investigations continue: Are you prepared?

James Huber and Chris Dryden
Global Legal Resources LLP

Education

Street SmartsSM:
How do you measure your success?

Tom Waters and Ben Abel
Bank Associates Merchant Services

Principled disruption

Dale S. Laszig
DSL Direct LLC

How gift cards drive revenue and customer loyalty

Michael Gavin
Merchant Warehouse

Company Profile

LoopPay Inc.

New Products

A POS with options

SELECTpay
Alpha Card Services LLC

Checkout in a flash

Netswipe for Mobile Web
Jumio Inc.

Inspiration

Silence, the low-tech solution

Departments

Readers Speak

Letter from the Editors

Resource Guide

Datebook

Skyscraper Ad

The Green Sheet Online Edition

August 25, 2014  •  Issue 14:08:02

previous next

Regulatory agencies' investigations continue: Are you prepared?

By James Huber and Chris Dryden

The past decade has seen an increase in scrutiny by federal agencies seeking to curb electronic payment processing business practices that have made money for the card companies, acquiring banks, ISOs, merchant level salespeople (MLSs) and others on the payments value chain for 30 years.

Over the past few years, the federal agencies and state attorneys general have increased investigations of electronic payment processing companies and their related partners. This coordinated effort between federal and state investigative agencies was designed to curb unethical business practices; however, it also chilled legally compliant sales practices.

Thus, a letter from an attorney general regarding an upset merchant, or even threats from merchants to call an attorney general, should not be taken lightly. And every sales organization is bound to hear from an attorney general or a federal oversight agency eventually.

State and federal investigations cost ISOs time, money and resources that are better spent on sales efforts. An investigation might be limited to a response letter with an explanation for the complained-of activity; however, failure to properly address and minimize the concerns of the respective investigating entity may lead to a Civil Investigation Demand that requires disclosure of your business's policies and procedures, along with extensive document production and written responses.

Taking draconian actions

And if the investigative agency, whether state or federal, is still unsatisfied and undeterred from continuing its investigation, it could lead to a full seizure and takeover of your business including a freeze on all business assets – and could be as far reaching as the personal assets and bank accounts of the owners and officers.

This can also include an order that the owners and officers are forbidden from making any payments from either business or personal accounts, or forbidden from transferring assets. This means that the only assets at a company's owners' disposal may be those that are liquid and untraceable, for example, the $9,800 hidden in the closet.

But there is hope. With the proper compliance procedures, checks and balances, the horrors just enumerated are avoidable. This article provides a brief history and overview of investigations by respective state and federal agencies regarding their pursuit of electronic payment companies and their affiliates; an expert forecast of what "low hanging fruit" issues investigators are looking for; and what ISOs and their MLSs can do to reduce potential liabilities.

Prosecuting electronic payment companies, affiliates

The Federal Trade Commission started its prosecution of electronic payment processing companies by going after those entities that were clearly committing theft and fraud, such as identity theft and fee cramming. Those investigations did not target the ISOs or processors. But through those investigations, the FTC learned of all the parties involved in the payments space.

Now, the FTC has termed nonbank payment processors and everyone in the payments chain as "gatekeepers" to fraudulent schemes. Wherever a fraudulent scheme takes place that harms consumers, a payment mechanism is processing those fraudulent transactions. The FTC's discovery of certain nonbank payment processors' negligent or purposeful oversight of potential fraudulent schemes has called into question the integrity of the entire payment processing business.

The FTC – and related entities such as the Consumer Financial Protection Bureau, the U.S. Department of Justice, and other members of President Obama's Financial Fraud Enforcement Task Force – have initiated enforcement actions across all levels of the payment processing industry.

Recent cases that highlight the FTC's prosecution of companies at different levels of payment processing are as follows:

AEC also told clients how to avoid detection by load balancing and ignored consumer complaints. In this case, the court laid out bright lines for payment processors to heed, including:
  1. Monitoring merchants with unusually high unauthorized return rates
  2. Reviewing complaints regarding sales scripts or websites with false statements
  3. Inquiring into merchants with numerous consumer complaints to regulatory agencies

Setting a moving target

Despite the bright-line test set forth in the AEC case, the FTC continues to set new standards for levels of initial due diligence and ongoing monitoring and compliance procedures necessary to avoid fines and prosecution.

In FTC v. Merchant Services Direct, the FTC moved the court for a temporary restraining order (TRO) and asset freeze based on a Civil Investigation Demand from the Washington State Attorney General. The FTC accused MSD of being too aggressive in its sales practices to establish merchant accounts and non-cancellable equipment leases, including hiding fees and promising discount rates that were not accurate.

The court denied the FTC's request for a TRO because the information the FTC relied on to get its TRO did not reflect MSD's new compliance procedures and because MSD had taken remedial action to improve customer satisfaction and prevent recurring violations.

Finding new hope

The ruling in MSD set the precedent that remedial measures matter. But who wants to wait to hire $900-per-hour attorneys to fight a TRO and asset seizure when reasonable, cost-effective and upfront compliance measures can avoid the stress and cost of such an investigation.

A well-instituted compliance program should consider the recently released Electronic Transactions Association Guidelines on Merchant and ISO Underwriting and Risk Monitoring in addition to the results of CFPB, FTC, state attorney general, and other investigative and regulatory agency investigations, prosecutions, and publications regarding electronic payment processing services and products.

An operational compliance program needs to track initial and ongoing policies and procedures as well as the corresponding metrics at all levels of the ISO and processor, including its hiring processes, operations, human resources, and compliance with all payments industry rules and regulations.

An effective compliance program can be monitored and facilitated internally, but investigative agencies give weight to a program backed by those with expertise in the electronic payment processing industry and the ability to constantly cull and monitor rapidly evolving state and federal regulatory rules.

Based on those rules, a compliance program should be tailored to monitor and track potential issues that are identified at the outset of the program though intensive site visits, interviews and document review. Then these established protocols should be periodically audited to ensure proper implementation and management.

For example, through a sales organization's customer relationship management (CRM) system, a compliance program should track all interactions with merchants. If a merchant makes any allegation that an MLS made any statement that could trigger an investigation by a regulatory agency, a compliance alert should be made via the CRM system or other tracking system. Appropriate parties should be flagged, including attorneys who advise the company of the potential liability and best course of action.

Investigative agencies' scope of prosecution and level of inquiry continue to expand without much definition. Remedial measures help after an investigation. Proactive measures amount to a liability force field repelling investigations.

James Huber and Chris Dryden are partners at Global Legal Resources LLP. GLR has advised electronic payment companies and their affiliates on every aspect of their business. GLR defends regulatory investigations, civil enforcement actions, and class-actions. GLRs attorneys are experts at instituting regulatory compliance procedures to avoid liability. James and Chris can be reached at jhuber@glrlegal.com and cdryden@glrlegal.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services