What Recent Regulatory Actions Can Tell Payment Processors and ISOs About The Anticipated Wave of COVID-19 Related Enforcement And How To Protect Your Business

Fennemore Craig Client Alert

The Department of Justice claims that “Operation Choke Point” ended nearly two years ago. Regardless, the Federal Trade Commission (“FTC”) has continued to aggressively pursue legal cases against payment processors and Independent Sales Organizations (“ISOs”) for facilitating consumer payments to merchants allegedly engaged in unfair or deceptive trade practices. Even during the last few months, while many have been sheltering at home during the COVID-19 pandemic, the FTC and other regulatory agencies have been busy pursuing numerous judgments against processors, often with steep monetary and other penalties.

Payment processors and ISOs should pay close attention to these recent enforcement actions. They likely foreshadow what many expect to be a wave of anticipated regulatory action by the FTC and other agencies to pursue companies that use deceptive marketing or other unfair practices that take advantage of consumer fears relating to COVID-19. Payment processors and ISOs should heed the warnings and lessons learned from recent enforcement actions to get their compliance houses in order, particularly regarding merchants involved in any healthcare or COVID-related sales and marketing.

Enforcement Orders in 2020:

  • FTC and State of Ohio ex rel. Attorney General v. Madera Merchant Services, LLC, et al. (June 4, 2020 Stipulated Order for Permanent Injunction and Monetary Judgment, W.D.Tex.)
    • Madera Merchant Services, LLC, B&P Enterprises, LLC, their owners, and a company officer all agreed to be permanently banned from payment processing to settle claims by the FTC and Ohio Attorney General that they helped perpetrate numerous scams by facilitating payments for unscrupulous merchants in violation of the Telemarketing Sales Rule (“TSR”) and Ohio Consumer Sales Practices Act.
      • The TSR generally protects consumers against abusive and deceptive practices in telemarketing. A person who provides “substantial assistance or support” to any seller or telemarketer when that person “knows or consciously avoids knowing” that the seller or telemarketer is engaged in any act or practice in violation of the TSR also violates the TSR. This is how the FTC targets payment processors and ISOs – by asserting that the facilitating of payments provides the requisite “substantial assistance or support” to bad merchants.
    • Madera and its principals allegedly used remotely created checks and payment orders (“RCPOs”) to allow the fraudulent merchants to draw money from consumer victims’ bank accounts related to student debt reduction and credit card interest reduction telemarketing schemes. The TSR prohibits the use of RCPOs in connection with telemarketing sales.
    • Madera purportedly ignored many red flags that highlighted the merchants’ misconduct, including high return rates and other concerns that caused financial institutions to close many of the merchants’ accounts.
    • In addition to a permanent ban on payment processing, the defendants were ordered to pay a judgment of more than $8.6 million, which is mostly suspended due to an inability to pay, upon the surrender of the contents of a number of bank accounts along with defendants’ personal property.
       
  • FTC v. First Data Merchant Services, LLC and Ko (May 20, 2020 Stipulated Order for Permanent Injunction and Monetary Judgment, S.D.N.Y)
    • First Data, and its former executive, Chi Ko, agreed to pay $40 million to settle claims by the FTC that they knowingly processed payments and laundered, or assisted laundering of, credit card transactions for scams targeting hundreds of thousands of consumers – all in violation of the FTC Act and TSR.
      • Section 5(a) of the FTC Act, commonly referred to as “UDAP,” prohibits “unfair and deceptive trade practices in or affecting commerce.” What is considered to be an “unfair and deceptive trade practice” is broadly defined, so this law is a powerful tool for the FTC.
    • Ko, through his prior company, First Pay Solutions, LLC, which served as an ISO for First Data, opened hundreds of merchant accounts with First Data for at least four scam merchants – 3 of which had been the subject of prior FTC action and 1 that was criminally prosecuted by the Department of Justice.
    • The FTC claims that First Data ignored repeated red flags and warnings from employees, banks, and others about Ko and his company’s conduct. For example, a Wells Fargo executive emailed First Data expressly asking why it was signing ISOs like First Pay, which the executive claimed “are going to get First Data and Wells Fargo in trouble with the FTC and CFPB due to consumer deceptive practices.” This warning, and many other red flags, were ignored.
    • Under its settlement, First Data is also prohibited from assisting or facilitating FTC Act violations related to payment processing and evading fraud and risk oversight programs. The company will also be required to screen and monitor certain high-risk merchant clients, establish and implement an oversight program to monitor its wholesale ISOs, and hire an independent assessor to oversee its compliance with the settlement’s oversight program for the next 3 years.
       

The above actions taken within the past months are just the most recent examples of enforcement actions against payment processors and ISOs that have been ongoing during 2019 and before.

Other high-profile regulatory actions during 2019 include:

  • FTC v. Allied Wallet, et al. (C.D. Cal.): Allied Wallet acted as a payment facilitator – meaning that it provided clients who did not have merchant accounts access to acquirer banks. The company, including its owner and two officers, allegedly knowingly processed payments for numerous merchants that were engaged in fraud, including phantom debt collection schemes, a pyramid scheme, and business coaching schemes – all in violation of the FTC Act. In that settlement, a judgment of $110 million was entered against the defendants (partly suspended) and the CEO and owner of the company was forced to turn over his residence in Los Angeles, California.
  • FTC v. InterBill, Ltd. and Thomas Wells (D.Nev.): In 2009, the FTC obtained a judgment against processor, InterBill, Ltd., and its owner, Thomas Wells, for violations of the FTC Act. In 2019, the FTC alleged that Wells and InterBill’s successor, Priority Payout Corp., repeatedly violated the terms of the 2009 Order by failing to properly review and monitor merchant accounts, which again, resulted in facilitating payment processing for numerous fraudulent merchants. Thus, in May 2019, the processor and Wells settled contempt charges and agreed to pay over $1.8 million (in addition to the original $1.7 million judgment). Wells and his company are also permanently banned from payment processing activities. This contempt order is a serious warning to any company or individual who has settled prior charges with the FTC to strictly comply with all the terms of any settlement or consent judgment.
     

What Can Be Learned?
All of the above enforcement actions, and others not discussed in this article, tell a similar story. That is, payment processors and ISOs need to be vigilant in monitoring the business activities of their merchants, both at the time of onboarding and throughout the processing term. It is those payment processors and ISOs who ignore warnings and red flags about unscrupulous merchant conduct who are more likely to become targets of the FTC or other regulatory agencies.

This is likely going to be even more true in the coming months and years during what is expected to be a torrent of regulatory and enforcement action against companies who have preyed on consumers and taken advantage of the COVID-19 pandemic. The FTC has already issued numerous warning letters to sellers of unapproved and mislabeled products claiming to treat or prevent the coronavirus and making other unsubstantiated health claims. Additional warning letters or enforcement actions are likely to follow. The FTC is also expected to target payment processors and ISOs who facilitate payments to merchants engaged in COVID-related scams.

Even if a processor does not get sued, it may still suffer negative consequences. The FTC has been uncompromising in seizing reserve accounts for fraudulent merchants, which often leaves processors on the hook for substantial chargebacks. Also, state attorneys general are likely going to be active in pursuing merchants and those who facilitate their deceptive practices under state consumer protection laws. States are financially hurting due to lost revenues and higher expenses caused by COVID-19 and are expected to try and recoup some funds through monetary penalties against bad actors.

This is the time for payment companies to double down on compliance and review all due diligence and monitoring programs to ensure they are strong and protect the business. This is particularly true for merchants involved in the healthcare space or selling any products or services related in any way to or marketed around preventing or treating COVID-19.
 
Below are some key steps to take:

  • Review your merchant onboarding process: Ensure that your screening and merchant onboarding process is comprehensive so that potentially deceptive merchants can be identified on the front end. This includes: requiring detailed information about the merchant’s business (such as written documentation and website screenshots or marketing materials as well as testing results for healthcare products); obtaining a verified physical business address and background information about the business and principals; searching for prior criminal, civil or regulatory judgments and consumer complaints; and obtaining references, including from banks or prior processors. Routinely review and update all underwriting policies and procedures and ensure that the sales team and underwriters are properly trained in what to look for during this process. Remember, policies and procedures are only as strong as their implementation.
  • Continuously and closely monitor all merchant accounts: In particular, merchants in high risk industries, healthcare, or selling any COVID-related products or services should be closely scrutinized to catch any suspicious behavior early. This includes: monitoring return rates and chargebacks; checking the merchants’ businesses and websites to ensure that they are actually selling what they claimed at the time of onboarding and that the marketing and terms of sale are truthful and clear; and swiftly addressing concerns raised by banks, card networks, or consumers.
    • Also, closely scrutinize any merchants who deal with negative options, “free trials,” or continuity plans to ensure the merchant is not violating the Restore Online Shoppers’ Confidence Act (“ROSCA”). ROSCA prohibits post-transaction third-party sellers from charging any financial account in an internet transaction without clearly disclosing all material terms of the transaction and without the customer’s express consent to the charge. ROSCA also imposes strict requirements on negative option features (where a customer’s silence or failure to affirmatively cancel or reject products or services constitutes acceptance). Many healthcare-related products, especially vitamins, nutraceuticals, and other supplements, use “risk free trials” and negative option features in their marketing and should be closely reviewed during the underwriting process and throughout the time of processing.
  • Take action if needed: The biggest thing that gets payment processors in trouble with regulators is ignoring red flags about merchant misconduct. Thus, if either initial screening or ongoing monitoring reveals concerns that the merchant is involved in fraudulent or potentially deceptive conduct, do not ignore red flags and hope the problem goes away. Take action immediately to further investigate red flags; consider suspending processing of new transactions during the investigation; if appropriate, consult with applicable card networks, legal counsel, or authorities; and, if necessary, terminate the merchant or take other action permitted under the merchant agreement.
     

Having a robust compliance program that provides clear policies and procedures for due diligence throughout the life of a merchant account is critical, perhaps now more than ever.

If you need assistance with preparing or reviewing any compliance or due diligence programs, or responding to investigatory inquiries from regulators, please contact experienced legal counsel.