Recently, ERA spoke with Manatt’s Richard Lawson, a partner in the firm’s Consumer Protection practice, who, until recently, was Director of the Consumer Protection Division for the Florida Attorney General, about a fundamental part of the direct response ecosystem—payment processing services. Lawson shared his perspective on why enforcement efforts are picking up in the sector and the best ways processors and independent sales organizations (ISOs) can protect themselves in light of heightened regulatory scrutiny.
Can you set the stage for us?
RL: In the last 10 years, the FTC and state attorneys general have increased the number of actions against payment processors and ISOs. While third-party marketers have typically been the initial target of an investigation for their allegedly deceptive conduct, government agencies have aggressively expanded their net of liability for entities—such as payment processors—that provide ancillary services. For example, over the past few years, Vermont brought several actions against a payment processor that worked with lenders not licensed in Vermont. New York brought an action against a processor that worked with an entity accused of failing to deliver identity theft protection, and the New York Attorney General has reportedly corresponded with the payment processors that subsequently ceased working with fantasy sports clients. Further, just this past January, Florida and the FTC added an ISO as a defendant to a case filed in 2015 against a debt relief operation, alleging that the ISO aided the debt relief entity by procuring ‘straw men’ to set up merchant accounts. All these efforts center around the idea of what the processor knew and when did it know it.
Why are government agencies focusing their efforts on these businesses?
RL: One of the issues I always confronted in my time with the Florida Attorney General was the proper use of resources. From the outside, it can seem as if the government has an unlimited amount of time and staff, but in Florida where I had a staff of 115, we had to process, on average, over 60,000 consumer complaints a year. As a result, we—as with the FTC and other state attorney general offices—had to prioritize our resources to ensure that that we could have the largest effect for the most consumers in the quickest fashion. Accordingly, if we were investigating an entity that was central to a deceptive practice case, we had to decide whether it was merely a source of documents or a potential focus of the investigation. As the central conduit for cash flow, payment processors and ISOs can expect they will be at least tangentially involved as a source of records for the investigation. Often, these documents will lead to further, less amenable, conversations.
What issues are likely to spur government interest in a payment processor or ISO, and what steps can companies take to make sure they avoid any liability?
RL: First and foremost, high chargeback volume is a telltale signal that something is amiss. Payment processors will not welcome a conversation with a government lawyer about why they continued to do business with a client whose chargeback rate was in excess of industry standards.
Processors should carefully vet the businesses with which they interact. Many actions have been brought when the processor failed to ensure that the companies they worked with were properly licensed, or utilized scripts as submitted (or even worse, worked with companies whose scripts were provided but contained unlawful language), and the like. On this note, a processor should use common sense when working with a company that is engaged in frequent government actions and take particular care to research the client company. For example, a recent FTC settlement called on the processor to immediately terminate merchant clients whose chargeback rates exceed certain thresholds and the merchant clients were often targeted entities such as outbound telemarketing, credit card or identity theft protection services, buying clubs, medical discount membership plans, money-making opportunities, or timeshare resale services.
Processors would be wise to check if the merchant client is on the payment card MATCH list. Created for banks, which work with merchants, it allows them to quickly see if a particular business is a high risk. The list references merchants that have had problems with chargebacks, compromised data, high fraud volumes, fraudulent collusion, and the like.
Lastly, government agencies are becoming more aggressive about looking for ‘straw men’ who are being used as conduits to diffuse high chargeback rates among multiple bogus companies. Florida and the FTC recently brought an action where they alleged the defendant procured these ‘straw men’ to act as surrogates for the main deceptive business and thereby diffuse high chargeback rates among different entities. Policing for these straw men will take extra effort on the processor’s part, but it is an important part of any compliance program.
It sounds like internal monitoring is essential?
RL: Absolutely. A company that can demonstrate that it took reasonable precautions—that its staff was (and continues to be) fully trained and refreshed on procedures and that can provide examples of where these policies and procedures resulted in remedial action—is going to have a great case to make. Few things are more embarrassing than when the government’s key evidence stems from a company’s failure to live up to its own standards. In a classic case of being penny-wise and pound-foolish, the cost of failing to effectively monitor up front can be quickly dwarfed not only by the expense of a government investigation and any related fines or restitution, but by an even more expensive and invasive process where the processor is not only ordered to monitor its clients more carefully, but the processor has the expense of being monitored by the FTC or a state attorney general.