The Department of Justice introduced Operation Choke Point in early 2013 as an enforcement initiative to choke off swindlers’ access to the payments system by targeting the banks and ISOs that board them as merchants.
Since that time, federal regulatory agencies have made a standard play of aggressively investigating acquiring banks and third party processors for potential “aider and abettor” liability any time their merchants are suspected of engaging in consumer fraud. Where such investigations perceive shoddy underwriting or deficient monitoring practices, acquirers and ISOs alike face liability for facilitating their merchants’ “bad acts” by extending access to the payments system.
Two recent lawsuits exemplify the government’s approach in such situations: (1) the Federal Trade Commission’s (“FTC”) lawsuit against the ISO and sales agents allegedly responsible for processing more than $26 million in illegal transactions for Jeremy Johnson and the IWorks enterprise, hereinafter the “CardFlex Action”; and (2) the Consumer Financial Protection Board’s (“CFPB”) lawsuit against the merchant processors and ISOs allegedly responsible for processing millions of dollars in “phantom-debt” payments for a group of merchants engaged in a fraudulent debt-collection scheme, hereinafter the “Global Payments Action.”
The CardFlex Action
In December 2010, FTC sued the now infamous Jeremy Johnson and his company, IWorks, Inc. (“IWorks”), along with nine other individuals and companies, and the dozens of shell companies they used to carry out the fraud. More than three and a half years later, in July 2014, FTC also finally got around to suing the ISO – CardFlex, Inc. – and sales agents allegedly responsible for facilitating more than $26 million in illegal transactions for the IWorks enterprise.
FTC alleges that Johnson first met with CardFlex’s principals, Andrew Phillips and John Blaugrund, in June 2009. Despite the fact that four separate banks had already placed Johnson on MasterCard’s Merchant Alert To Control High-risk merchants (MATCH) list since 2006, and Harris Bank alone had terminated 13 merchant accounts associated with Johnson just the preceding month, CardFlex not only decided to do business with IWorks but even chose to loosen the underwriting requirements for Johnson’s accounts.
Shortly after their meeting, Phillips allegedly emailed Johnson a “personal guarantee” form to keep on hand and use for each merchant account application to be submitted by IWorks. Johnson explained his understanding of the arrangement to IWorks employees by stating that, as long as he signed a personal guaranty, CardFlex would open “any account in any name or corp we want” without requiring much “financial info.” As another IWorks employee described the deal, “CardFlex will set up merchant accounts with basically ‘no questions asked’ (that is why we went with CardFlex).”
FTC also alleges the CardFlex defendants knowingly submitted fraudulent merchant applications to the acquirer, including (i) routinely concealing the affiliation between the shell corporation and IWorks when they completed merchant applications on IWorks’ behalf, (ii) falsely certifying they had conducted onsite inspections of merchant offices that did not exist, and (iii) papering the applications with dummy webpages (known as “bank pages”) for underwriting purposes that, unlike the real IWorks’ websites, conspicuously displayed the terms of IWorks’ negative option offers. By such practices, the CardFlex defendants allegedly boarded 293 merchant accounts in the names of 30 separate straw corporations on IWorks’ behalf in less than a one-year period.
CardFlex did this even though Phillips knew the IWorks accounts had serious chargeback issues no later than the first month of processing. For example, in a September 2009 email, Phillips not only thanked Johnson for a Pebble Beach golf trip, but also cautioned him that “everyone of your accounts is at 3% and above and this is month one.” Nonetheless, CardFlex proceeded to open more than 200 additional merchant accounts for IWorks over the next three months. By early December 2009, Wells Fargo had already shut down at least 14 of those merchant accounts for excessive chargebacks, with many of those accounts posting chargeback rates of 5% to 6%.
Phillips responded by instructing IWorks to begin “load balancing” (i.e. spreading transaction volume among numerous accounts) to avoid triggering chargeback monitoring program minimum-transaction-per-account thresholds, and even suggested that IWorks (i) staff a single person to perform “load balancing full time” and (ii) obtain “multiple signers” for each corporation rather than using the same five-to-six “signers” for all of its corporations. CardFlex also provided IWorks with the efficient means to “load balance” their accounts online by simply checking a box titled “Enable Load Balancing for Credit Cards,” and then entering the relevant account information.
By the time Wells Fargo finally put the brakes on the operation and terminated its relationship with CardFlex in June 2010, a look-back review of CardFlex’s total merchant processing portfolio revealed that CardFlex had processed more than $387 million in credit card volume with an overall chargeback ratio of 3.34% through March 2010 alone.
FTC settled with the last three remaining processing defendants in the CardFlex Action – CardFlex, Phillips and Blaugrund – in March of this year by entering a stipulated Permanent Injunction banning each of them for life from acting as a payment processor, ISO, or sales agent for certain types of high-risk merchants; and entering a $3.3 million monetary judgment against CardFlex and Phillips that will be partially suspended based on their current financial condition, but which will come immediately due in full in the event FTC determines they misrepresented their financial condition in any way. The CardFlex defendants are also subject to compliance monitoring requiring them to furnish FTC with annual reports concerning their business activities for the next 10 years.
The Global Payments Action
No sooner had FTC finished putting the CardFlex Action to bed than CFPB filed suit under the Consumer Finance Protection Act (“CFPA”) and the Fair Debt Collection Practices Act (“FDCPA”) against a group of merchants allegedly engaged in a fraudulent debt collection scheme (“debt collectors”) and the third party payment processors responsible for facilitating their access to the payments system, specifically including Global Payments, Inc., Electronic Merchant Services, and their respective ISOs (the “Processors”).
CFPB bases its action against the Processors on deficient underwriting and merchant monitoring practices in violation of both card association rules and Processors’ own risk management policies. Generally, CFPB alleges that, even though (i) card association rules prohibit merchants from accepting a Card to collect or refinance an existing debt, (ii) Global’s own credit policy specifically identified both collection agencies and “Aggregators” as “prohibited merchants,” and (iii) debt collectors were Card Not Present (“CNP”) merchants subject to mandatory enhanced scrutiny under Global’s own policies, the Global defendants approved debt collectors’ numerous applications for payment processing accounts and failed to reasonably monitor those accounts for signs of unlawful conduct.
Merchant Underwriting Problems
In March 2011, despite the fact that Global’s underwriting purported to include a review for criminal activity, associates, and verification of addresses, business filings or corporate affiliations, Global approved co-defendant Mohan Bagga’s merchant application for “Credit Power, LLC” even though its “chief executive officer” had recently finished a sentence for drug trafficking and shared Bagga’s address listed on the application. In November 2011, Global approved a second merchant application for Bagga in the name of Universal Debt and Payments Solutions (“UDPS”), even though (i) Global’s own policies identified a merchant’s use of the word “Payments” in its legal name or DBA as a red flag for factoring; (ii) Bagga listed his residence address as the business address (a recognized red flag that a business may not be legitimate); and (iii) Bagga’s poor credit history and status violated Global’s own underwriting standards.
Global also approved additional merchant accounts for Credit Power and UDPS through other ISOs based on similarly deficient underwriting practices. UDPS’ March 2013 application identified a physical and legal address it never occupied; the fax imprint shows the application was faxed from a FedEx Office location; and the address on the voided check UDPS provided with its application belongs to another collection agency. While the application clearly stated that UDPS was in the business of “debt collections,” the underwriting summary used the MCC for “Family Clothing Stores.” Credit Power’s April 2013 application identified an address for a UPS Store, and was faxed from the same FedEx Office as the UDPS application. The underwriting summary included a BBB review giving Credit Power an “F” rating and identifying its principal as an ex-felon.
Processors Ignored Many Other Red Flags
CFPB further alleges that, once Credit Power and UDPS began processing, Processors continued to ignore other red flags.
For example, in January 2012, one of the ISOs recognized that UDPS was processing payments for RSB Equity Group, LLC (“RSB”). Although Global’s policy prohibited processing payments for another merchant, or “factoring,” Processors allowed UDPS and Credit Power to continue processing payments. In November 2012, one of the ISOs received a MATCH alert for UDPS and RSB. The MATCH alert stated that another processor terminated affiliates of UDPS and RSB because the processor, after investigation, found factoring and excessive chargeback volume. Although the ISO had identified this same factoring conduct by RSB and UDPS in January 2012, it did not conduct any further investigation.
In March 2013, Global notified the ISO that Visa had prohibited Credit Power from processing payments using the Visa network. However, Processors continued to allow Credit Power and UDPS to process payments with other card brands. On July 8, 2013, Discover Card shut down UDPS’s account due to “prohibited business practices.” Yet the Processors still allowed UDPS and Credit Power to continue processing MasterCard transactions for almost another year, despite chargeback rates of up to 28.5% in July 2013 and 31% in August 2013.
In addition to DOJ’s recent criminal actions against CommerceWest Bank (for knowingly facilitating wire fraud by certain telemarketing and payday loan merchants) and Plaza Bank (for knowingly facilitating wire fraud by merchants selling identity theft protection insurance), and CFPB’s civil action against PayPal for deceptive or unfair practices in connection with PayPal Credit, the CardFlex and Global Payments Actions suggest that Operation Choke Point is very much alive, and that third party processors remain very much under scrutiny.
How does your TPP/ISO Agreement allocate responsibility for merchant underwriting and monitoring? Are your company’s underwriting criteria and risk management practices up to snuff? How complete are your underwriting files? How do your advertising materials look from a regulator’s perspective? Wherever you are situated in the payments hierarchy, these are all questions you should look at before the federal government does.