The Green Sheet Online Edition
August 25, 2014 • Issue 14:08:02
Regulatory agencies' investigations continue: Are you prepared?
The past decade has seen an increase in scrutiny by federal agencies seeking to curb electronic payment processing business practices that have made money for the card companies, acquiring banks, ISOs, merchant level salespeople (MLSs) and others on the payments value chain for 30 years.
Over the past few years, the federal agencies and state attorneys general have increased investigations of electronic payment processing companies and their related partners. This coordinated effort between federal and state investigative agencies was designed to curb unethical business practices; however, it also chilled legally compliant sales practices.
Thus, a letter from an attorney general regarding an upset merchant, or even threats from merchants to call an attorney general, should not be taken lightly. And every sales organization is bound to hear from an attorney general or a federal oversight agency eventually.
State and federal investigations cost ISOs time, money and resources that are better spent on sales efforts. An investigation might be limited to a response letter with an explanation for the complained-of activity; however, failure to properly address and minimize the concerns of the respective investigating entity may lead to a Civil Investigation Demand that requires disclosure of your business's policies and procedures, along with extensive document production and written responses.
Taking draconian actions
And if the investigative agency, whether state or federal, is still unsatisfied and undeterred from continuing its investigation, it could lead to a full seizure and takeover of your business including a freeze on all business assets – and could be as far reaching as the personal assets and bank accounts of the owners and officers.
This can also include an order that the owners and officers are forbidden from making any payments from either business or personal accounts, or forbidden from transferring assets. This means that the only assets at a company's owners' disposal may be those that are liquid and untraceable, for example, the $9,800 hidden in the closet.
But there is hope. With the proper compliance procedures, checks and balances, the horrors just enumerated are avoidable. This article provides a brief history and overview of investigations by respective state and federal agencies regarding their pursuit of electronic payment companies and their affiliates; an expert forecast of what "low hanging fruit" issues investigators are looking for; and what ISOs and their MLSs can do to reduce potential liabilities.
Prosecuting electronic payment companies, affiliates
The Federal Trade Commission started its prosecution of electronic payment processing companies by going after those entities that were clearly committing theft and fraud, such as identity theft and fee cramming. Those investigations did not target the ISOs or processors. But through those investigations, the FTC learned of all the parties involved in the payments space.
Now, the FTC has termed nonbank payment processors and everyone in the payments chain as "gatekeepers" to fraudulent schemes. Wherever a fraudulent scheme takes place that harms consumers, a payment mechanism is processing those fraudulent transactions. The FTC's discovery of certain nonbank payment processors' negligent or purposeful oversight of potential fraudulent schemes has called into question the integrity of the entire payment processing business.
The FTC – and related entities such as the Consumer Financial Protection Bureau, the U.S. Department of Justice, and other members of President Obama's Financial Fraud Enforcement Task Force – have initiated enforcement actions across all levels of the payment processing industry.
Recent cases that highlight the FTC's prosecution of companies at different levels of payment processing are as follows:
- FTC v. Direct Benefits Group LLC – DBG processed fraudulent payments through multiple processors, including Landmark Clearing Inc., under many merchant accounts that went upstream to First Bank of Delaware, which turned a blind eye to the abuse of remotely created payment orders. Some of Landmark's merchants had return rates as high as 80 percent, with an average of around 40 percent.
- FTC v. Google Money Tree – GMT was prosecuted for a work-at-home scheme facilitated by Process America. Process America failed to:
  - Follow up on plainly deceptive statements on a merchant's website
  - Take action on notices that entities should be placed in Visa/MC chargeback monitoring programs
  - Address excessive chargeback rates. Process America actively participated in the submission of fraudulent merchant applications and load balancing to skew the chargeback percentages.
- FTC v. Automated Electronic Checking Inc. – The FTC found that AEC encouraged merchants with high return rates to switch from ACH payments to remotely created checks and remotely created payment orders because the oversight was not highly scrutinized. AEC knew, or should have known, because it actively debited accounts that:
  - Belonged to consumers who had never heard of AEC's clients
  - Belonged to consumers who had never knowingly purchased anything from those clients
  - Experienced a high amount of returns for unauthorized account transactions
AEC also told clients how to avoid detection by load balancing and ignored consumer complaints. In this case, the court laid out bright lines for payment processors to heed, including:
- Monitoring merchants with unusually high unauthorized return rates
- Reviewing complaints regarding sales scripts or websites with false statements
- Inquiring into merchants with numerous consumer complaints to regulatory agencies
Setting a moving target
Despite the bright-line test set forth in the AEC case, the FTC continues to set new standards for levels of initial due diligence and ongoing monitoring and compliance procedures necessary to avoid fines and prosecution.
In FTC v. Merchant Services Direct, the FTC moved the court for a temporary restraining order (TRO) and asset freeze based on a Civil Investigation Demand from the Washington State Attorney General. The FTC accused MSD of being too aggressive in its sales practices to establish merchant accounts and non-cancellable equipment leases, including hiding fees and promising discount rates that were not accurate.
The court denied the FTC's request for a TRO because the information the FTC relied on to get its TRO did not reflect MSD's new compliance procedures and because MSD had taken remedial action to improve customer satisfaction and prevent recurring violations.
Finding new hope
The ruling in MSD set the precedent that remedial measures matter. But who wants to wait to hire $900-per-hour attorneys to fight a TRO and asset seizure when reasonable, cost-effective and upfront compliance measures can avoid the stress and cost of such an investigation?
A well-instituted compliance program should consider the recently released Electronic Transactions Association Guidelines on Merchant and ISO Underwriting and Risk Monitoring in addition to the results of CFPB, FTC, state attorney general, and other investigative and regulatory agency investigations, prosecutions, and publications regarding electronic payment processing services and products.
An operational compliance program needs to track initial and ongoing policies and procedures as well as the corresponding metrics at all levels of the ISO and processor, including its hiring processes, operations, human resources, and compliance with all payments industry rules and regulations.
An effective compliance program can be monitored and facilitated internally, but investigative agencies give weight to a program backed by those with expertise in the electronic payment processing industry and the ability to constantly cull and monitor rapidly evolving state and federal regulatory rules.
Based on those rules, a compliance program should be tailored to monitor and track potential issues that are identified at the outset of the program through intensive site visits, interviews and document review. Then these established protocols should be periodically audited to ensure proper implementation and management.
For example, through a sales organization's customer relationship management (CRM) system, a compliance program should track all interactions with merchants. If a merchant makes any allegation that an MLS made any statement that could trigger an investigation by a regulatory agency, a compliance alert should be made via the CRM system or other tracking system. Appropriate parties should be flagged, including attorneys who advise the company of the potential liability and best course of action.
Investigative agencies' scope of prosecution and level of inquiry continue to expand without much definition. Remedial measures help after an investigation. Proactive measures amount to a liability force field repelling investigations.
James Huber and Chris Dryden are partners at Global Legal Resources LLP. GLR has advised electronic payment companies and their affiliates on every aspect of their business. GLR defends regulatory investigations, civil enforcement actions, and class actions. GLR's attorneys are experts at instituting regulatory compliance procedures to avoid liability. James and Chris can be reached at email@example.com and firstname.lastname@example.org.