Business Blog
$40.2 million reminder about the importance of due diligence and monitoring
Companies that deceive consumers often don’t act alone. Pull back the curtain and you may find behind-the-scenes businesses that lend a hand. The FTC alleges that Atlanta-based First Data Merchant Services and its former vice president, Chi “Vincent” Ko, engaged in conduct that helped scammers rake in megabucks at consumers’ expense. The $40.2 million total proposed settlement should warn other companies of the hazards of looking the other way when fraud stares you in the face.
Access to the credit card system is the lifeblood of many businesses. But banks that are members of credit card networks won’t open merchant accounts for just anyone. Various entities – including payment processors and independent sales organizations (ISOs) – serve as intermediaries between banks and merchants. Credit card networks impose anti-fraud policies on banks and other third parties. They, in turn, enter into contracts with payment processors and ISOs that mandate compliance with those rules, including due diligence and monitoring. The purpose of those multi-layered requirements is evident: to keep scammers out of the credit card ecosystem and to ensure that payment processors and others take quick action if there’s evidence they’ve wormed their way in.
You’ll want to read the complaint for an in-depth look, but according to the FTC’s lawsuit, the defendants opened merchant accounts and processed payments for at least four scam operations. Three of them – Thrive Learning, Coaching Department, and E.M. Systems – were subjects of FTC law enforcement. A fourth operation that used stolen credit card data to bill consumers without their consent resulted in criminal prosecutions by the Department of Justice.
The FTC says that as early as 2012, defendant Ko, through his company First Pay Solutions, started approving hundreds of facially false merchant applications for the four scam operations. For example, the applications often used straw men and shell companies. In addition, they often described business activities prohibited by credit card rules. (Examples of banned categories include “debt consolidation services,” “get rich quick opportunities,” and “any merchant engaged in any form of deceptive marketing practices.”) Given that some of Ko’s sales agents had multiple criminal convictions, F ratings with the Better Business Bureau, or civil judgments for deceptive conduct, he shouldn’t have been surprised by what was going on. Indeed, other members of Ko’s staff warned him early on that some sales agents were opening merchant accounts based on phony applications. But according to the FTC, Ko violated his obligation to monitor what was going on and to take action in light of evidence that fraud was afoot.
What role did First Data – one of the largest payments processors in the country – play? First Data employed Ko and First Pay Solutions as an ISO to sell its services and processed payments for the four operations mentioned in the complaint. Throughout its relationship with First Pay Solutions, First Data had what the industry calls “shadow underwriting,” which gave First Data access to information regarding First Pay Solutions merchants’ processing activities.
According to the FTC, by April 2012, First Data had already started to question the kind of accounts First Pay Solutions was opening. For the next several years, First Data and First Pay Solutions communicated about deceptive conduct and high chargeback rates, but never seemed to do much about them. How bad was the problem? Very. At one point, First Pay Solutions’ merchants accrued over 300,000 chargebacks in less than a year, totaling approximately 40% of First Data’s excessive chargeback violations for its entire wholesale merchant business.
The FTC says First Data continued to receive warnings and direct evidence that First Pay Solutions’ portfolio was permeated by fraud, and yet continued to allow Ko and his company to open merchant accounts with minimal oversight. Then in 2014, a Wells Fargo’s executive vice-president emailed the General Counsel of First Data’s parent corporation, asking this prescient question: “Why is First Data signing ISOs like [First Pay]? They are going to get First Data and Wells Fargo in trouble with the FTC and CFPB due to consumer deceptive practices . . . .” Toward the end of that year, Wells Fargo terminated its processing contract First Pay Solutions.
In addition, in December 2014, Visa banned First Pay Solutions from bringing high-risk merchants on board until a full audit could be performed. Visa also required First Data to pay $18.7 million restitution in connection with First Pay Solutions’ merchants. In April 2015, a forensic accounting firm found major failures in risk management practices, including deficient monitoring of merchant transactions and failures in due diligence by Ko and his company.
Based on those developments, you might expect that First Data cut First Pay Solutions loose for highly questionable conduct, right? On the contrary, in May 2015, First Data acquired the company’s merchant accounts, took over its office space, and hired most of its employees. A few months later, First Data asked Wells Fargo to allow former First Pay Solutions’ employees to solicit high-risk merchants. Wells Fargo said yes, but on two conditions: that the employees weren’t “associated with or related to Vincent Ko” and that First Data could confirm that “Vincent Ko has no influence.”
Those caveats make a subsequent personnel decision by First Data seem particularly ironic – because in January 2017, who did First Data hire as its Vice-President of Strategic Partnerships? Vincent Ko.
The complaint offers much more detail about the FTC’s allegations. Count 1 charges that First Data and Ko violated the FTC Act by engaging in unfair payment processing practices, including opening or maintaining accounts for shell companies or others engaged in fraud, processing transactions for merchants who were defrauding consumers, failing to terminate merchants, and ignoring evidence of fraudulent activity on merchant accounts. According to Count 2, defendant Ko engaged in credit card laundering, in violation of the Telemarketing Sales Rule. Count 3 alleges that First Data violated the TSR by assisting and facilitating credit card laundering. And Count 4 charges First Data and Ko with violating the TSR by assisting and facilitating companies who (among other things) used false or misleading statements to market debt relief services or investment opportunities.
In addition to the $40 million judgment against First Data and the $270,373 judgment against Ko, the terms of the proposed settlement require First Data to submit to annual audits for the next three years by an FTC-approved independent assessor. The order also bans Ko for life from processing payments for high-risk merchants.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.