Processors and ISOs are increasingly coming under attack for failure to monitor their merchants' activities and are being held liable for their merchants' actions. The Federal Trade Commission ('FTC') has recently taken a hard stance against the merchant acquiring business, making it a good idea to take a closer look at your own merchants' activities.
On December 5, 2007 the FTC and Attorneys General from seven states sued several payment processors, including Your Money Access, LLC, YMA Company, LLC and two officers of Your Money Access, LLC, individually (the 'Processors') for violations of state and federal laws alleging that the Processors improperly debited funds from consumers' bank accounts on behalf of fraudulent telemarketers and internet-based merchants. What is surprising about this action is that the FTC is pursuing the processor instead of the fraudulent telemarketers and merchants. Lydia Parnes, the FTC's Director of the Bureau of Consumer Protection explained, "Payment processors play a key role in many commercial transactions and they are positioned to monitor return rates on these transactions. The Processors purportedly saw extremely high return rates and looked the other way. We allege that consumers lost millions of dollars as a result and that the company's conduct violated federal and state laws." Similarly, in a class action lawsuit against Wachovia Bank, the plaintiffs alleged that the bank was aware of their telemarketing merchants' fraudulent activity but turned a blind eye to the action because the bank reaped tremendous fees from returned funds.
These cases send a clear message to processors and ISOs alike: If your merchants' business practices indicate they are involved in fraudulent advertising activities, and especially if the merchants are telemarketers or internet sellers, you will be held liable as if you performed the fraudulent
activity yourself. Processors and ISOs are in a position, and are obligated by card association rules, to research potential merchants and to monitor return rates on merchants' transactions. If you fail to monitor such return rates, or choose to ignore other signs of fraudulent activity, expect to face
the consequences. Here are the lessons learned from these cases which can be easily applied to your own business practices.
Investigate New Merchants and New Portfolios
Consistently high levels of return rates likely indicate fraudulent activity. Ignoring the signs of fraudulent activity could leave you on the hook for the merchants' bad acts. One way to investigate new merchant accounts is to require all prospective merchants to disclose their past and projected return rates to you and to perform comprehensive due diligence on portfolio acquisition targets.
In June 2004 the Processors acquired three payment processors (the 'Newtown Companies') which operated under common ownership. The FTC claims that prior to the acquisition, many of the Newtown CompaniesÕ merchants had extremely high return rates, often in excess of 40 percent and sometimes as high as 70 percent. After acquiring the Newtown Companies' merchant accounts and then continuing to process for such accounts long after the Processors learned, or should have learned, of fraudulent activity by the merchants is the basis of the claim against the Processors.
You should also research your new merchants' accounts for other indications of fraudulent activity and request information regarding the product or service of each prospective merchant you wish to process for, and then compare the information to actual sales scripts from each merchant. In the FTC suit, even if the extremely high level of return rates were overlooked by the Processors, they allegedly also ignored additional signs of trouble set forth in the merchant files they acquired. The FTC alleges the acquired files contained obvious signs of deceptive activity, such as sales scripts containing misrepresentations about merchants' products and services or statements that were highly likely to be false. Watch out for merchants' sales scripts that make dubious promises to consumers or provide misleading information.
Have Risk Management Procedures in Place
As part of best practices you should have a risk management policy in place which contemplates the possibility of fraudulent merchants. The policy should clearly lay out the procedure employees should follow if they have reason to believe a merchant is operating fraudulently. Processors and ISOs are already required to have some risk management procedures in place due to card
association rules which require screening of new merchants before entering into merchant agreements. Acquirers must perform on site inspections, review previous merchant agreements, and verify each merchant operates a valid business by performing credit, background and reference checks.
Case in point: If the Processors had done a background check on the Newtown Companies, they might have discovered the founder of the Newtown Companies was previously accused by the FTC of engaging in fraudulent activities, including the deceptive promotion of credit cards and other products. Moreover, at least three of the Newtown Companies' merchants had been under investigation for consumer fraud and had been sued by the FTC. If a background investigation raises questions about particular merchants those accounts should be investigated and terminated.
Continue To Monitor Newly Acquired Account Activity
Although having a Risk Management policy in place is a good first step, it is necessary to actually enforce the policy if fraudulent activity is suspected. After accepting merchants you should regularly monitor such merchants' actual return rates and product descriptions, even if you requested such information on applications. Merchants that generate high return rates, especially those which are consistently returned for codes indicating lack of consumer authorization (including, 'account closed', 'no account', or 'invalid account number') should be investigated immediately.
The Processors are under attack because despite the allegedly obvious signs of wrongdoing prior to the acquisition, (i.e. the signs of deceptive and/or unauthorized debiting activity shown in the merchant files and the high return rates), the Processors continued to process transactions for many of the deceptive merchants who sustained the pattern of deceptive practices.
After acquiring the Newtown Companies' processing portfolios the Processors continued to process transactions for many of the transferred merchants, including merchants which displayed the signs of deceptive or unauthorized debiting activity and high return rates as described above. Moreover the Processors began processing for new merchants, which were not acquired from the Newtown Companies' platforms, and which processed with similar and suspiciously high return rate levels. In total the Processors processed in excess of $200,000,000 in debits and attempted debits in the 21 months between June 2004 and March 2006. During that time it is alleged that more than 34.5% ($69,000,000) of the attempted debits were returned or rejected by consumers or the consumers' banks.
These cases send a clear message to processors and ISOs in the industry. Although you may not be directly involved in prohibited, fraudulent or deceptive sales practices, by assisting merchants that do perform such actions and reaping the benefits, you may be held liable as if you had performed the actions yourself. The FTC is taking the position that processors and ISOs are able to regulate their clients' actions through thorough reviews of business practices. It is in your best interests to heed the lessons learned by the Processors, before it is too late. 
These recommendations are general suggestions. They are not a substitute for specific legal advice. For specific information consult experienced legal counsel.
|
