Guest post by Ellen T. Berge and Andrew Bigart, Venable LLP
The past year was a big one for the payments industry with the introduction of new products, the growth of virtual currencies, and, of course, continued government pressure on payment processors and non-bank entities to police their merchants for potential fraud or consumer harm. This year promises more of the same, and the start of the year is the best time for companies to get their houses in order before the government comes knocking.
To help, we summarize below the U.S. government’s recent scrutiny of the payments industry and provide examples of basic compliance steps that a payment processor, independent sales organization (ISO), or other non-bank entity should consider to minimize potential risk in the event of a government investigation.
Why the Government Scrutiny of the Payments Industry?
The Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and Department of Justice (DOJ) have brought numerous enforcement actions in recent years against processors and others alleged to have aided or abetted merchants engaged in unfair, deceptive, or fraudulent marketing practices by providing the “means and instrumentalities” necessary for a merchant to extract money from consumer accounts.
The government has generally focused on “high risk” processing activities, such as card-not-present transactions conducted over the Internet, certain merchant industries that are perceived as more susceptible to fraud and consumer abuse, such as payday lending (DOJ’s Operation Choke Point) and credit repair, and certain marketing practices (continuity programs, telemarketing). In FTC v. IRN Payment Systems, for example, a payment processor agreed to pay $1.1 million to settle allegations that it had assisted and facilitated a fraudulent credit card interest rate reduction scam. Similarly, the CFPB has brought several enforcement actions against processors that allegedly assisted debt-settlement companies in unlawfully debiting consumer accounts. Even states have begun to target the payments industry, with the New York Attorney General recently announcing a settlement with a payment processor that allegedly failed to conduct sufficient due diligence on one of its merchants.
How to Prepare for Continued Scrutiny in 2015
The federal (and now apparently state) scrutiny of the payments industry is likely to continue into 2015. Although DOJ’s Operation Choke Point may seem like it has been on the back-burner since the holidays, the controversial initiative remains on the agenda for the House Committee on Financial Services – Oversight and Investigations. Moreover, federal regulators continue to view the payments industry as a natural pressure point for spotting and stemming potential fraud and consumer harm.
Although merchant fraud can never be eliminated, there are steps that a payments company can take to prepare itself for increased regulatory scrutiny in the current environment.
- Implement a Broad Compliance Management System. A good starting point for regulatory compliance is the establishment of a compliance management system (CMS) that covers the payment processor’s business operations and sets management’s expectations for compliance with applicable laws. A CMS should address how the processor will implement its compliance policies and procedures and monitor for changes in the myriad of laws that impact their services and the industries in which their merchants are operating.
- Review and Update Merchant Underwriting Policies and Procedures. Federal regulators are likely to focus on missed “red flags” in merchant underwriting as key indicators that payments companies have not conducted proper due diligence in determining whether to board a merchant, which regulators may argue ultimately caused harm to consumers. The Electronic Transactions Association (ETA) has developed voluntary guidance for its members in the payments industry that serves as a comprehensive resource for those seeking new and improved tools and strategies for enhancing policies and procedures.
- Re-evaluate and Deepen Risk Monitoring. Once a payment processor accepts a merchant, the payment processor must monitor the merchant’s activities for potential fraud and other risk. While the monitoring of processing metrics such as sales, refunds, and chargeback activity is a must, today’s regulatory environment demands that payments companies be willing to take a deeper look into each merchant’s marketing and sales practices even after the merchant is up and running. This review may involve a periodic check for web site changes, consumer complaints about the merchants, and other signals that the merchant’s business operations are different than what you might have thought.
- Develop Third-Party Oversight, Management, and Training. The federal banking and consumer protection regulators as well as the payment card brands have emphasized the need for banks and payment processors to oversee their business relationships with service providers to ensure compliance with Federal financial and consumer protection laws. If you work with sub-ISOs and sales agents, their actions (or failures to act) can come back to haunt you, as legal responsibility in the payment industry flows in all directions.
- PCI Compliance. With ever-increasing public and regulator concern for data security, it is important for processors to implement appropriate data security policies and procedures, including compliance with the Payment Card Industry Data Security Standard (PCI DSS).
As we look ahead to 2015, it’s a safe bet to assume that consumer protection regulators will continue to scrutinize the payments industry. Processors, ISOs, and other non-bank entities should take a moment to review their compliance policies and procedures. An ounce of prevention in this regard can go a long way to limiting the potential adverse impacts of a government investigation.
Ellen T. Berge is a Partner, and Andrew Bigart is a Counsel, in the Washington office of Venable LLP. Mrs. Berge and Mr. Bigart specialize in helping clients in the payments industry navigate the complex federal and state regulatory environment.
Subscribe to this blog for additional tips and webinar announcements.