First Data Merchant Services, LLC (First Data), and its former executive, Chi “Vincent” Ko, will pay $40.2 million to settle Federal Trade Commission (FTC) charges that they ignored obvious warning signs of fraud and processed transactions for an array of scams that caused tens of millions of dollars in harm to consumers.

This action serves as a powerful reminder that the FTC seeks to hold processors and their independent sales organizations (ISOs) financially responsible for facilitating the unlawful conduct of merchants by enabling merchants to access the payments system to allegedly defraud consumers and launder card transactions. Just as noteworthy, the settlement agreed to by First Data may propel new industry standards for processors to formally oversee the merchant onboarding activities of ISOs given responsibility for underwriting merchant accounts.

The FTC’s complaint, which seeks injunctive and equitable monetary relief for violations of the FTC Act and the Telemarketing Sales Rule, alleges that Ko, through his former company, First Pay Solutions LLC (FPS), opened hundreds of merchant accounts for at least four deceptive schemes that were the subject of FTC or U.S. Department of Justice law enforcement actions. The schemes included a debt relief scam that utilized deceptive telemarketing, business opportunity scams that used deceptive websites, and a criminal enterprise that used stolen credit card data to bill consumers without their consent. First Data contracted with FPS as an ISO, and after First Data and its bank terminated the ISO relationship with FPS in 2014, First Data acquired FPS’s merchant portfolio and hired Ko in 2017 as an executive, allegedly to bolster First Data’s roster of high-risk but lucrative merchant accounts.

According to the FTC, First Data and FPS approved numerous merchant accounts under shell companies with straw owners and allowed processing to occur for years notwithstanding numerous red flags in the merchant applications and the processing activity under the accounts. Among other things, those red flags included applications that were substantially blank or duplicative of other applications, which the FTC deemed to be a strong indicator of “load balancing” used to defray chargeback scrutiny by the card networks. The complaint also referenced underwriting files for approved merchants that showed websites with identical terms and conditions and refund language, “right down to the same misspellings.” The underwriting file for one merchant included evidence that the merchant had been the prior target of state attorney general action for deceptive sales practices. Many accounts had consistently high chargeback ratios (27%-36%, in one instance).

When any concerns about the accounts were raised by underwriters or other staff at the companies, Ko and First Data allegedly ignored the warnings. The complaint also described warnings that First Data allegedly received and ignored from its sponsor bank, including that working with ISOs like FPS would get First Data in trouble with the FTC. The complaint also alleged that Ko used sales agents (or sub-ISOs) to help acquire the problematic accounts, and Ko and First Data failed to follow written procedures for vetting the sales agents that would have turned up previous convictions for mail fraud, bank fraud, conspiracy to commit fraud, and other concerns about them.

Under the terms of First Data’s proposed settlement, in addition to paying more than $40 million, the company will be prohibited from assisting or facilitating FTC Act violations related to payment processing and evading fraud and risk oversight programs. Ko will be required to pay $270,373.70, and he will be banned from payment processing for certain types of high-risk merchants, credit card laundering activities, making or assisting others in making false or misleading statements, and assisting or facilitating violations of the FTC Act. The $40.2 million to be paid under the settlements will be used to provide refunds to consumers harmed by these scams.

First Data’s proposed settlement order also requires that First Data implement stringent underwriting and monitoring programs and launch a “Wholesale ISO Oversight Program” to be completed within a year after the order becomes effective.  This program must include standards for First Data to underwrite wholesale ISOs in compliance with bank requirements and card brand operating rules and be designed to prevent fraud or unfair or deceptive practices. The program must establish a methodology and ratings system for assessing the risk of each wholesale ISO’s merchant portfolio and instill policies and procedures for ISO oversight. First Data would need to hire an independent third-party professional with specific qualifications in payments risk to serve as the “assessor” of the program and provide annual certification of compliance with the Wholesale ISO Oversight Program for three years.

Clearly, processors, banks, ISOs, sales agents, and others in the payments chain have a lot to unpack with this latest settlement. Adapting the injunctive relief — which is far more extensive than what we could possibly cover here — as appropriate for your business may be helpful for preventing fraudulent merchants from entering the payments system. On that note, the conduct at issue in this case primarily occurred during 2012-2014, indicating again that it is never too early to plan ahead.