CNP Series: Lessons from a CNP Fraud Scheme – Part 3

This is the third of four articles that will use the case to examine card-not-present fraud from a legal perspective. Part 1 described the case and some of the issues the decision turned on. Part 2 examined the involvement of CardFlex, one of the ISOs charged by the FTC with aiding Johnson in his alleged fraud. Part 3 looks at credit card laundering, one of the crimes Johnson was charged with.

Recently, the criminal case against online merchant Jeremy Johnson in Utah that started back in June 2011 finally came to a close. After more than four years of litigation and six weeks of trial, the jury found Johnson guilty of eight counts of making false statements to a bank, but acquitted him on 78 other charges, including bank fraud, wire fraud, conspiracy and money laundering. By far the biggest legal spectacle involving card-not-present high-risk processing in more than a decade, the Johnson case poses a cautionary tale to banks and ISOs inclined to bend the rules in search of profits; and to merchants willing to “bend the truth” to get access to the payments system.

Credit Card Laundering: Feds Are Cleaning House

The U.S. federal government has declared open season on merchant processors for their involvement in what is called credit card laundering or “factoring,” with a number of high-profile lawsuits involving the practice.

Recently, Utah merchant Jeremy Johnson wasprosecuted for such activity, which resulted in his conviction on eight felony counts of false statements to banks. Prior to the filing of the DOJ’s criminal complaint in January 2011, the FTC filed its own civil action against Johnson, IWorks and the dozens of shell companies they used to carry out the fraud. More than three and a half years later, in July 2014, the FTC sued the ISO CardFlex and the various sales agents allegedly responsible for facilitating more than $26 million in illegal transactions for the IWorks scheme.

The IWorks action provides a good illustration of how ISOs can quickly land themselves in hot water with the FTC right alongside their merchants for allegedly employing, advising or enabling them to employ deceptive tactics to open merchant accounts, and thereby facilitating their access to the payments system. The FTC alleged that IWorks and Johnson submitted fraudulent merchant applications to the acquirer, opening at least 293 accounts in the names of 30 separate “straw” corporations in less than a year. The FTC sued the ISO and agent defendants for engaging in unfair and deceptive practices in violation of Section 5 of the FTC Act by facilitating Johnson’s submission of the applications and opening of the straw merchant accounts, which is the same type of conduct now being actively targeted by the FTC in credit card laundering cases against other merchant processors and ISOs.

The takeaway here is clear: The FTC expects processors and ISOs to actively police the payments system, and will not hesitate to prosecute them for failing to appropriately vet and monitor their merchants, especially where the evidence suggests any possible collusion with a merchant to dupe an acquirer or circumvent card brand rules—credit card laundering and factoring schemes being prime examples.

What is Credit Card Laundering?

Credit card laundering generally occurs in the context of a merchant that can’t open a merchant account in its own name, whether for past sins or the questionable nature of its present business activities. In such cases, the merchant, or the ISO or sales agent seeking to sign up the merchant, may recruit another company (that already has a merchant account, or can readily open one) to act as a front, pass-through or aggregator for the merchant’s transactions. In return, the recruited company typically receives a percentage of the sales, anywhere from a few points to ten percent or more. While it may sound like a simple solution to a business-crippling problem, the simple fact is merchants and ISOs that go this route are engaged in illegal credit card laundering (also known as “factoring”), and may face big civil and criminal liability.

When transactions are being factored, defrauded consumers can’t identify the true source of the transaction (i.e., the real merchant) by the charges that appear on their credit card statements. This confusion makes it easy for unscrupulous merchants to avoid detection by consumers and law enforcement. Furthermore, even if the bank and processors terminate the offending merchant account, they may not learn the identity of the actual company behind the excessive chargebacks. The true culprit is then able to perpetuate the scheme as long as it can recruit other companies to provide access to their merchant accounts. Thus, from the FTC’s perspective, using straw signers to facilitate access to the payments system constitutes an unfair and deceptive business practice that violates Section 5 of the FTC Act and is very much on its radar.

When the merchant at issue is a telemarketer, such conduct also constitutes illegal credit card laundering under the Telemarketing Sales Rule (TSR). Specifically, the TSR prohibits any merchant from presenting (or causing another to present) a telemarketing credit card transaction into the payments system that is not the result of a transaction between the cardholder and the merchant submitting the transaction. The TSR also makes it illegal for any person to employ, solicit or otherwise cause another to submit such a prohibited transaction, or to obtain access to the payments system through the use of a business relationship or an affiliation with a merchant, when such access is not authorized by the merchant agreement or the applicable credit card system. Moreover, the FTC has demonstrated its eagerness to look past the merchant and go after everyone in the payment chain where they play a role in facilitating such schemes.

CardReady and PayBasics Actions

This past December, the FTC filed two separate lawsuits (against CardReady and PayBasics) for alleged credit card laundering and factoring in violation of the TSR. In its complaint against CardReady, FTC alleges that the ISO and its principals solicited at least 26 straw merchants to act as signatories on shell businesses and dummy merchant accounts for a group of merchants running a fraudulent debt relief scam in order to launder their transactions and fraudulently facilitate their access to the payments system. The FTC alleges that CardReady submitted falsified merchant applications to its processor that depicted the shell companies as bona fide businesses by using the signers’ driver’s licenses and bank statements, and the previously signed forms. The FTC made similar claims against PayBasics and its principals, alleging they knowingly helped a group of merchants behind a fraudulent work-at-home scheme to open and maintain merchant accounts used to process credit card payments for sales made by a number of different third-party scammers. The agency alleges that, in some cases, PayBasics’ principals personally vouched for the shell companies behind the bogus merchant accounts so they would be approved, in violation of the TSR.

These cases should prove a cautionary tale to those that would knowingly set up multiple MIDs and straw or funnel accounts to load-balance or launder their credit card transactions and those processors and ISOs that assist them.

Consequences: Lifetime Bans and Money Judgments

And what are the potential consequences to those that fail to heed this warning? Johnson (already incarcerated pursuant to the criminal action) is expected to go to trial in the FTC action later this year. Based on the result in the criminal action, Johnson will likely face a catastrophic monetary judgment and draconian injunctive relief.

In January of this year—less than a month after FTC filed suit against them—PayBasics and its principals agreed to settle FTC’s claims by stipulating to a permanent injunction order prohibiting them from acting as a payment processor, contracting with a payment processor to provide payment processing services, or acting as sales agents for high-risk merchants, and imposing a (partially suspended) monetary judgment of $1.02 million.

The CardReady action remains pending in federal district court in Florida.

Criminal Liability: Prison Time and More Money

Credit card laundering also violates various federal and state criminal laws. Where the practice affects interstate or foreign commerce, the federal courts have jurisdiction. The Department of Justice Financial Crimes Enforcement Network (“FinCEN”) regards such factoring activities as a variation on money laundering, and may pursue merchants and processors alike in appropriate cases. Depending on the particular facts of the credit card laundering scheme, such conduct may variously violate 18 U.S.C. § 1029 (factoring), 18 U.S.C. § 371 or § 1029(b)(2) (conspiracy), 18 U.S.C. § 1343 (wire fraud), or 18 U.S.C. § 1344 (bank fraud). Maximum penalties range from 10 to 30 years in prison, plus up to $1 million per offense.

Many states also have their own laws against factoring. For example, under Washington law, a person is guilty of unlawful factoring of a credit or payment card transaction if the person:

• Presents to or deposits with, or causes another to present to or deposit with, a financial institution for payment a credit or payment card transaction record that is not the result of a credit or payment card transaction between the cardholder and the person
• Employs, solicits, or otherwise causes a merchant or an employee, representative, or agent of a merchant to present to or deposit with a financial institution for payment a credit or payment card transaction record that is not the result of a credit or payment card transaction between the cardholder and the merchant; or
• Employs, solicits, or otherwise causes another to become a merchant for purposes of engaging in such unlawful conduct.

A first offense is a class C felony, which carries a maximum penalty of 5 years in prison and a $10,000 fine, and a second offense is a class B felony, which carries a maximum penalty of 10 years and $20,000. Many other states have similar laws.