The federal government now expects processors to be payments cops, says Andy Phillips, chief executive of an ISO that found out the hard way. Following the networks’ rules is no guarantee the government will think you’ve done enough.
In the new world of payment processing, I’m now a cop. I didn’t sign on for the job. I’m not even equipped for it. And if I fail in that responsibility, I imperil my business.
I learned that lesson the hard way.
In 2009, following 2008’s financial meltdown, the payment-processing business was in turmoil. New standards were coming down from the Federal Trade Commission aimed at changing the way the industry did business. And the banks that independent sales organizations like mine worked with distributed weekly—sometimes daily—updates to underwriting standards for new merchant accounts.
Flash forward to March 30, 2015, and you might have read that my company settled a dispute with the FTC related to services CardFlex provided to iWorks, a Utah-based e-commerce company.
The case against iWorks is still ongoing, but the FTC alleged in a separate complaint against us that we didn’t do enough to stop what it says we should have stopped. In seeking the full amount of iWorks’ $26 million in processing volume from us, the FTC was really saying that processors and ISOs should be guarantors for their merchants.
CardFlex moved to dismiss the FTC’s lawsuit, challenging its authority to pursue us as a third-party service provider that didn’t directly engage in the fraudulent acts the FTC said iWorks had done. But faced with the FTC’s vast resources, we surrendered.
We denied—still deny—any wrongdoing, but we paid $1.3 million in cash and assets to settle the FTC’s claims for reasons most parties settle: to avoid the time, expense, and uncertainty of litigation. We needed to put this matter behind us.
You could be in a similar situation. If you’re in payment processing, you’re a cop now, too.
How did this come to be? The answer is somewhat complicated. You may think you’re doing all that’s required by following the rules of the card brands and the automated clearing house governing body, NACHA.
But the federal government sees every rule as subject to its interpretation. You could become the target of an investigation or lawsuit if, despite your following those rules, the government feels that your processes and systems weren’t good enough.
And when you become a target, you’re going to pay. First, you’re going to pay huge internal and legal costs to perform the work necessary to reply to government attorneys. And you’ll almost certainly pay a fine, penalty, or “disgorgement”—a repellent-sounding legal term for the government’s demand that you return what it regards as “illegally” earned income. This is not net income, but the gross amount charged to the merchant, including 100% of the interchange.
There’s also the price you’ll pay in reputational damage. Never mind the constitutional presumption of innocence; government investigators will remind you that, in the public’s mind, you’re guilty no matter what the outcome.
Even scarier is that the government can reach back in time and charge you with violating a law based on long-ago events. With benefit of hindsight, they can argue you should have known what was going on, in real-time, despite the present-day realities and challenges our businesses deal with daily.
Monitor, Monitor, Monitor
What can you do? Short of an unlikely sea change in public policy, there are steps you can take to limit your exposure to fishing expeditions.
The government is looking for any business that, in its eyes, is taking advantage of consumers. Be prepared to show that, in your initial underwriting, the merchant was providing what was represented—a viable product that offers a benefit to society, sold in clear and concise language.
With that, your work has only just begun. Next: monitor, monitor, and monitor. Run analytics and closely monitor results—and then, no kidding, do this forever.
But monitoring is a quantitative, not necessarily qualitative, tool. Data shows you the black-and-white of merchant activity—transactions, return percentages, and chargeback rates, etc. Your data, however, may not pick up obscure information about product reliability, marketing (including government-regulated claims about health, for instance), or bait-and-switch activity in which an account you’ve sold for one purpose is now, unbeknownst to you, being used for another.
Then, take action. No one likes terminating a merchant, but the risk of government action dictates that you take action quickly, sometimes without real cause. Failure to do so could be construed as turning the other cheek, or worse, being complicit.
And if that’s not enough, it seems that for every system devised to protect us as an industry there is someone trying to circumvent it. One tactic for circumventing chargeback rules, for instance, is load balancing. In itself, load balancing is not a rule or law violation. It is reasonably used when a merchant wishes to split volume for any variety of reasons.
Most commercially available gateways have this flag, as did the one used by iWorks. It’s typically used by businesses uncomfortable with having all of their processing performed by one ISO or bank. Many consider load balancing simply good business.
But load balancing can be used to circumvent the rules. If an official decides one of your customers is using load balancing incorrectly, you could find yourself in an unwanted position.
In conclusion, consider a lesson I learned as a carpenter before I began providing entrepreneurs with payment solutions. We carpenters would say, “Measure twice, cut once.” That’s good advice in payments. Be cautious as you navigate uncharted waters. Wherever possible, be more conservative than the regulators watching you.
—Andy Phillips is chief executive of CardFlex Inc., Costa Mesa, Calif. Reach him at firstname.lastname@example.org.