Guest Analysis: Recent FTC Complaint Highlights Questionable Underwriting, Monitoring, and Load Balancing Practices

Edward A. Marshall
September 23, 2014 –  In recent years, the Federal Trade Commission has taken a microscope and a mallet to the payments industry—identifying conduct it deems conducive to consumer fraud and bringing enforcement actions against perceived “bad actors.” The FTC’s approach has been the subject of considerable criticism. But it has also shone a light on certain practices within the industry that warrant reexamination or elimination. And its enforcement actions, both against merchants and entities within the payments space, can provide valuable learning opportunities to identify and correct those practices and rid the payments ecosystem of merchants bent on defrauding consumers. A recent complaint against an ISO and two sales agents, along with their principals, is a prime example.  

In FTC v. CardFlex, Inc., Civil Action No. 3:14-cv-00397 (D. Nev. filed 2014), the FTC accused CardFlex, Inc. (“CardFlex”), Blaze Processing, LLC (“Blaze”), and Mach 1 Merchanting, LLC (“Mach 1”), among others, of facilitating over $26 million in unauthorized charges to consumers’ payment cards. Certain defendants, including Blaze and Mach 1, have already settled with the FTC. The suit against CardFlex and other individuals, however, remains pending. As to these defendants, the FTC’s accusations—at this point—are simply that: accusations. The FTC has not introduced proof in support of its claims, and the defendants have not yet had the opportunity to present their case. But, regardless of how the litigation ultimately shakes out, there is much to learn from the FTC’s filing.

As background, the FTC alleges that a consortium of merchants, known as “iWorks,” bilked consumers out of millions of dollars between 2006 and 2011 through websites purporting to offer risk-free information about government grants and Internet-based moneymaking opportunities. On their face, these programs involved a minimal investment of a few dollars to cover shipping and handling. But, in practice (and with disclosures, if at all, existing only in the fine print), consumers signed up for negative option plans that would bill their cards for sizable one-time fees and recurring charges of up to $100 a month for core products and related (but, likely, unwanted) services.

In its court filings, the FTC alleges that CardFlex, Blaze, and Mach 1 opened up nearly 300 merchant accounts in thirty corporate names to give iWorks “unfettered access” to the payments network. And it contends that the defendants engaged in at least four questionable practices that facilitated consumer fraud on a massive scale.

First, the FTC contends that the defendants relied upon a personal guaranty from an iWorks’ principal (who at least by appearances, seemed quite wealthy) to relax underwriting standards. Apparently on the assumption that the guaranty provided a safety net against financial fallout, the FTC alleges that defendants ignored multiple “red flags,” including the fact that several iWorks merchants, along with its principal, appeared on MasterCard’s MATCH list, and that their accounts had previously been terminated by other processors and acquiring banks. Furthermore, the FTC accuses Blaze of going a step further, knowingly submitting false applications that misrepresented the number of employees associated with various iWorks merchants and disclaiming any affiliation with other players in the iWorks network.

Second, the FTC alleges that the defendants ignored elevated chargebacks and potential causes that included consumer deception. Indeed, upon learning that all of the iWorks merchant accounts had chargeback ratios above 3%, the FTC says that a CardFlex principal examined the iWorks’ websites and discovered that they did not conspicuously disclose the potential for recurring charges and effectively “hid” the relevant terms of the negative option plans. Despite articulated concerns and an initial insistence that iWorks correct the problem, the FTC alleges that the defendants continued facilitating iWorks’ transactions without prudent oversight even as the chargeback ratios remained elevated.

Third, and potentially more problematic for the defendants, the FTC accuses CardFlex and Blaze of helping iWorks to avoid detection by the card associations, their acquiring bank, and their processor. Specifically, it suggests that the defendants encouraged iWorks to vary business names to keep their interrelatedness undetected by the card brands (albeit similar enough not to prompt a negative reaction from consumers who saw the charges listed on their statements). And it alleges that the defendants instructed iWorks to expand and vary the names of principals listed on the applications to further obscure the relationship among various entities operating under the iWorks umbrella.

And, finally, the FTC accuses the defendants of actively assisting iWorks with the implementation of a “load balancing” program, whereby sales volume would be allocated across an array of merchant accounts to, in this case, avoid unwanted monitoring. Among other things, the FTC charges that the defendants opened up hundreds of new iWorks merchant accounts, even as older accounts were shut down by processors and acquiring banks for suspicious activity. These accounts were then used, per the FTC, to process transactions up to a certain volume—one low enough to avoid detection by the card brands’ monitoring programs—and then rotate to a different account, where the process would repeat itself. In time, it alleges, the load balancing scheme became so complex that it took a twenty-two page flowchart to describe how transactions would be processed “under the radar,” including transactions associated with older, “legacy” accounts that had been terminated.

Again, at this point, the FTC’s allegations against CardFlex and the remaining individual defendants are merely that. Its ability to prove those allegations and obtain the legal relief it is seeking remains to be seen. But, regardless of the outcome, the FTC’s complaint imparts several valuable lessons:

  • A guaranty is no substitute for prudent underwriting. Guaranties from merchant principals make good sense. But they don’t take the place of prudent underwriting. At the outset, it is exceedingly unlikely that any guarantor can shoulder the full financial fallout associated with chargebacks and enforcement actions that stem from deceptive practices. And, monetary relief aside, the FTC has the ability to seek injunctive relief against an ISO and its principals, excluding them from the payments ecosystem indefinitely, when their lax underwriting allows a bad merchant to infect the payments ecosystem. Simply put, guaranties should augment, not replace, solid underwriting standards.
  • Chargebacks need to be monitored and remediation programs enforced. Chargebacks are inevitable. And many are innocuous. Even elevated chargeback ratios, such as the 3% to 6% alleged in the FTC’s complaint, do not suggest that a merchant is necessarily a “bad actor” whose access to the payments system should be immediately terminated. Rash action can be detrimental in its own right. And a robust compliance program can prove effective at bringing chargebacks within an acceptable range. But especially where elevated chargeback rates appear to be the product of potentially deceptive practices, they should be reduced through a program that demands accountability and results. Red flags cannot be ignored for years while a potentially untoward merchant keeps doing business and, potentially, harming consumers.
  • Transparency is key. Unscrupulous merchants may try to hide their interrelatedness and otherwise avoid monitoring by the card brands. Some, such as those involved in the Tax Club litigation, see FTC v. The Tax Club, Inc., Case No. 13-cv-210 (S.D.N.Y. filed 2013), have appeared to achieved that result (at least for a time) without any assistance from ISOs and sales agents. But actors within the payments space should never attempt to conceal the relationship among merchants by submitting misleading applications or varying merchant or principal names to obscure their association. And, while “load balancing” can be perfectly legitimate (as the FTC concedes in its complaint), it should not be used to keep a merchant’s chargeback activity under the monitoring radars maintained by the card associations. ISOs and sales agents owe it to the industry to ensure that the programs are as effective as possible, not thwarted by artificial mechanisms designed to keep transactions below the thresholds in which those programs operate.

In sum, while the FTC’s enforcement actions may be open to criticism, they can also provide valuable learning opportunities for the industry. Irrespective of whether its allegations in CardFlex ultimately prove to have merit, they highlight practices that actors in the payments space would be well advised to avoid.

Edward A. Marshall is a partner at Arnall Golden Gregory LLP, in Atlanta, Georgia, where he co-chairs the firm’s payment systems team. He also co-chairs the payment systems litigation subcommittee of the ABA Section of Litigation and serves as a member of the ETA’s Risk, Fraud & Security Committee. 

[spacer height=3] [divide] [spacer height=3]

The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.