Why You Need to Buy Insurance
February 13, 2017CNP Series: Lessons from a CNP Fraud Scheme – Part 2
February 15, 2017Late last month, the criminal case against Jeremy Johnson that started back in June 2011 finally came to a close. After more than four years of litigation and six weeks of trial, the jury found Johnson guilty of eight counts of making false statements to a bank, but acquitted him on 78 other charges, including bank fraud, wire fraud, conspiracy and money laundering.
By far the biggest legal spectacle involving card-not-present high-risk processing in more than a decade, the Johnson case poses a cautionary tale to banks and ISOs inclined to bend the rules in search of profits; and to merchants willing to “bend the truth” to get access to the payments system.
This is the first of four articles that will use the case to examine card-not-present fraud from a legal perspective. Part 1 describes the case and some of the issues the decision turned on. Subsequent articles will take a closer look at those issues and how they might apply to all sides of the card-not-present ecosystem.
The IWorks Scheme
Johnson masterminded an extremely profitable online marketing scheme known as IWorks. IWorks depended on a huge network of affiliate marketers to target vulnerable consumers with risk-free and free trial offers to receive instructional CDs showing how to win government grant programs to stop foreclosures, pay down debt, purchase real estate, launch businesses, cover medical expenses, and even pay grocery bills and Christmas presents, all in exchange for the consumer’s payment of a nominal shipping and handling fee. Instead, consumers found unauthorized charges by unknown merchants on their monthly card statements, including large onetime charges for “forced upsells,” and recurring monthly charges flowing from their involuntary enrollment in negative option continuity billing programs. These practices enabled IWorks to generate more than $275 million in sales between 2005 and 2010 alone.
The MATCH Problem
But by 2009, Johnson had a real problem: how to maintain his access to the payments system and keep the money taps flowing despite having been placed on the MATCH list by no less than four separate banks. MATCH stands for Merchant Alert To Control High-risk merchants. Of course, the card brands created MATCH to compile information on businesses and their owners when their merchant accounts have been terminated for excessive chargebacks, excessive fraud, credit card laundering, illegal activity, or other violations of card brand standards. In turn, acquiring banks use the list to help screen applicants, and generally reject out-of-hand any merchant that has been added to MATCH as an unacceptable risk.
The Straw Merchant Solution
Like hundreds of other MATCH-listed merchants, Johnson solved his dilemma by enlisting a legion of surrogates (family, friends, employees, etc.) to form more than 60 shell companies to operate in his behalf. Because those surrogates were not listed on MATCH and the newly formed entities had no negative processing history, they had little trouble opening new merchant accounts, and Johnson allegedly used these straw companies to open more than 293 merchant accounts with CardFlex and Wells Fargo in a one year period alone.
This strategy also enabled Johnson to spread transactions across the merchant accounts to avoid detection by the card brands’ excessive chargeback monitoring programs. For example, Visa sets a 1 percent chargeback limit for any merchant that processes 100 or more transactions and 100 a more chargebacks in a given month. Any merchant that exceeds that limit is placed in the merchant chargeback-monitoring program. Thus, by spreading IWorks’ transactions across hundreds of merchant accounts, Johnson was able to keep his transaction numbers below the 100 chargeback mark for each merchant account even though IWorks’ total chargeback activity dramatically exceeded the 1% threshold.
Notably, Johnson ultimately testified that he learned these strategies from CardFlex’s principals, Andrew Phillips and John Blaugrund, and that it was their idea to begin “load balancing” the accounts to avoid triggering chargeback monitoring program minimum-transaction-per-account thresholds, and “obtaining multiple signers for each corporation” rather than using the same five to six “signers” for all of its corporations to avoid detection by Wells Fargo. Nonetheless, Wells Fargo eventually got wise and put the brakes on the operation in June 2010, shutting down the IWorks’ network of merchant accounts and severing all ties with CardFlex.
The Federal Trade Commission
In December 2010, the FTC filed a civil action for unfair and deceptive business practices against Johnson, IWorks, Inc., nine other individual defendants, nine other corporate entities and, ultimately, the more than 60 shell companies they are alleged to have created to carry out the IWorks scheme. Among other things, FTC alleged that Johnson’s websites used misleading testimonials, failed to disclose that consumers would be entered into negative option plans, and failed to disclose that positive articles about the products were created by Johnson and his marketing affiliates.
FTC also alleged that Johnson (in conjunction with CardFlex) knowingly submitted fraudulent merchant applications to Wells Fargo, including concealing the affiliation between the straw merchants and IWorks, and papering the applications with dummy webpages (known as “bank pages”) for underwriting purposes that, unlike the real IWorks’ websites, conspicuously displayed the terms of IWorks’ negative option offers.
The Department of Justice
Less than a month later, in January 2011, the DOJ filed its own separate criminal action against Johnson, IWorks, and four of the other individual defendants (all ex-employees) named in the FTC suit that allegedly conspired with Johnson to carry out the IWorks scheme. DOJ alleged a total of 86 separate criminal counts against Johnson and each of his co-defendants for false statements to banks, wire fraud, bank fraud, money laundering, and conspiracy to commit those crimes.
While the jury acquitted Johnson on 78 of those counts, it found him guilty on eight felony counts of false statements to banks. This is not terribly surprising when one considers that, in order to prove the crime of false statements to a bank, the government must show only that the defendant (1) made a false statement to a bank, (2) knowing it was false, and (3) did so for the purpose of influencing in any way the action of the bank.
Unlike the crime of bank fraud, it is not necessary to prove that the bank was, in fact, influenced or misled, or that the bank was exposed to a risk of loss. Thus, while Johnson repeatedly attempted to introduce evidence that Wells Fargo suffered no damage as a result of any false statement that may have been contained in the merchant applications, the District Court refused to allow such evidence on the ground that it was not a defense to the crime, and therefore irrelevant.
The penalties for false statements to a bank are severe. Sentencing guidelines prescribe a maximum penalty of up to a $1 million dollars in fines and 30 years in prison per count. Sentencing is set for June 20, 2016 and, while it is hard to predict how much time Johnson might get, the District Court may easily sentence him to 10 years in prison, which is what the government was seeking as a pre-trial plea deal.
The CardFlex Action
In July 2014, the FTC also finally got around to suing CardFlex and its principals for their alleged role for facilitating more than $26 million in illegal transactions for the IWorks enterprise. CardFlex and its officers, Phillips and Blaugrund, finally settled FTC’s charges in May 2015 by stipulating to a lifetime ban from acting as a payment processor, ISO, or sales agent on behalf of several categories of merchants, or assisting merchants to avoid chargeback monitoring programs; plus a $3.3 million monetary judgment against CardFlex and Phillips that was partially suspended based on their current financial condition.
Interestingly, Phillips testified in the recent criminal action and denied knowing about Johnson’s scheme, even though he had accepted a personal guarantee from Johnson for each of the corporate merchant accounts.
Nevertheless, given Johnson’s testimony about the CardFlex defendants’ role in eliciting and facilitating the straw merchant applications, the reality is the CardFlex defendants got off relatively easy as such conduct could easily have landed them substantial prison time along with Johnson for aiding and abetting Johnson’s false statements to Wells Fargo.
Conclusion
Card not present processing is inherent with risks. Now the stakes are higher for those in the industry processing for high risk merchants attempting to evade the card brand rules by setting up multiple merchant accounts through multiple signers. Be careful out there.