Recently, the criminal case against online merchant Jeremy Johnson in Utah that started back in June 2011 finally came to a close. After more than four years of litigation and six weeks of trial, the jury found Johnson guilty of eight counts of making false statements to a bank, but acquitted him on 78 other charges, including bank fraud, wire fraud, conspiracy and money laundering.
By far the biggest legal spectacle involving card-not-present high-risk processing in more than a decade, the Johnson case is a cautionary tale for banks and ISOs inclined to bend the rules in search of profits, and for merchants willing to “bend the truth” to get access to the payments system.
This is the second of four articles that will use the case to examine card-not-present fraud from a legal perspective. Part 1 described the case and some of the issues the decision turned on. Part 2 looks at the involvement of CardFlex, one of the ISOs charged by the FTC with aiding Johnson in his alleged fraud.
CNP Series: Lessons from a CNP Fraud Scheme – Part 2: The CardFlex Side of the Story
We recently reported to you regarding the DOJ’s federal criminal conviction of Jeremy Johnson for making false statements to Wells Fargo for the purpose of opening a myriad of straw merchant accounts. Fallout from the case landed on the processors, ISOs and sales agents that worked with him, including CardFlex, Inc., which found itself squarely in the FTC’s crosshairs because of the matter.
CardFlex’s CEO, Andrew Phillips, contacted us shortly after Part 1 of this series ran to give us his side of the story. We found it riveting and wanted to share it.
To recap, the FTC alleged that CardFlex and its principals provided critical assistance to Johnson by conspiring with him to use shell corporations and third-party signers to board those accounts, providing him with load-balancing software and instructing him along the way.
In turn, CardFlex did what the overwhelming majority of defendants in FTC cases do—it settled those charges by entering a stipulated order for permanent injunction and paying some funds. As Phillips put it, his attorneys made it clear that if he wanted to fight the case, it would take at least $5 million and five years (an estimate that we agree with). According to Phillips, he did not regret the decision but, based upon what came out at Jeremy Johnson’s trial, he now feels he was railroaded by the FTC.
Phillips said Johnson approached him in mid-2009 with a plan to offer a “soup-to-nuts” third-party payment solution for entrepreneurs looking to break into e-commerce. Johnson had already been placed on MATCH (Member Alert to Control High Risk, a black list managed by the card networks containing merchants whose card processing privileges have been revoked). He was having serious chargeback problems and said he wanted to diversify by moving away from the merchant side of the coin to help others launch their own online businesses using iWorks’ proven relationships, systems and technologies, and Johnson’s credit. Johnson said he would personally guarantee the merchant accounts—he was liquid, with more than $30 million cash on hand in the bank—and sold CardFlex on the idea that he was looking to bring legitimate merchants to the game.
Phillips maintains that CardFlex performed substantial due diligence on iWorks and each of the hundreds of merchant accounts it opened, but, in hindsight, Phillips himself acknowledges that CardFlex could have done more to uncover and shut down the scheme earlier than it did had it employed more vigorous merchant monitoring practices.
Phillips contends that the federal government overreached its authority, based on evidence that came out in Johnson’s criminal trial that Johnson developed his multiple MID scheme more than one and a half years before ever approaching CardFlex.
In his defense at trial, Johnson attempted to rely on the FTC’s allegations that CardFlex came up with the idea of using straw entities and third-party signers to create multiple MIDs. That would enable Johnson to claim he could not be guilty of defrauding Wells Fargo because he merely followed the instructions provided to him by CardFlex as Wells Fargo’s agent. An unrelated defense was that the representation was made to CardFlex and not Wells Fargo.
However, by finding Johnson guilty on eight counts of making false statements to a bank, the jury appears to have rejected those arguments, persuaded in no small part by Johnson’s internal emails showing that he had already developed the straw-merchant-multiple-MIDs scheme long before meeting with CardFlex, and even had another ISO on deck for when the CardFlex accounts got shut down. Thus, Phillips maintains, that same evidence should have exonerated CardFlex in the FTC action and proven his own innocence in these matters, at least as far as the allegations surrounding the development, the idea and the technology to support the scheme.
To us, that is probably an overstatement because such evidence does not conclusively prove that CardFlex had no role in aiding Johnson’s scheme. The FTC could reasonably argue that by failing to shut down the merchants’ processing in a timely manner, CardFlex violated the FTC Act. Nonetheless, Phillips believes that the FTC made an example of CardFlex as part of its bigger agenda to turn processors and ISOs into payments cops by holding them strictly liable for their merchants’ bad acts.
Other payment companies and processors would do well to heed this cautionary tale and choose their merchant partners very carefully. Dot all the i’s and cross all the t’s from start to finish by employing ETA best practices in regard to both underwriting and monitoring to keep the FTC and other regulators at bay.
The information contained in this article is for informational purposes only. Please consult an attorney before relying upon it for your specific legal needs. Theodore F. Monroe is an Attorney whose practice focuses on the electronic payment and direct marketing industries. For more information about this article or any other matter, please e-mail Monroe at firstname.lastname@example.org.