First Data Merchant Services LLC (“First Data”) and its former executive, Chi “Vincent” Ko (“Ko”), will pay more than $40.2 million to settle Federal Trade Commission (“FTC”) charges they knowingly processed payments and laundered, or assisted laundering of, credit card transactions for scams that targeted hundreds of thousands of consumers.

First Data is a global merchant services acquirer and payment processor that processes over $2 trillion dollars in annual payment volume in the United States through a variety of distribution channels and partnerships. According to the FTC’s complaint, First Data sponsored Ko’s former company, First Pay Solutions LLC (“FPS”), as an ISO. But in doing so, First Data ignored repeated warnings that FPS was laundering payments for fraudulent merchants. And, by its own due diligence and monitoring failures, First Data assisted and facilitated that conduct.

The Schemes

The FTC alleges that, for years, First Data processed payments through hundreds of straw merchant accounts for at least four deceptive schemes that have been the subject of FTC or U.S. Department of Justice law enforcement actions (the “Schemes”). We have written about these Schemes in the past. They include a debt relief scam that used deceptive telemarketing, business opportunity scams that used deceptive websites, and a criminal enterprise that used stolen credit card data to bill consumers without their consent. The $40.2 million to be paid by First Data and Ko in the settlements will be used to provide refunds to consumers harmed by these Schemes.

Red Flags and Repeated Warnings

According to the FTC, First Data ignored repeated warnings and direct evidence that merchants solicited by FPS and Ko were engaged in fraud. First Data violated its own anti-fraud policies, and the rules of its acquiring bank (Wells Fargo) and the card brands, by failing to adequately: (1) underwrite, screen, monitor, and/or oversee FPS or its sales agents; (2) review FPS’s merchant boarding, underwriting, and risk management processes; and (3) monitor or timely terminate the Schemes’ merchant accounts.

Based on this and the following facts, FTC alleges that First Data and Ko knew, or consciously avoided knowing, they were boarding fraudulent merchants.

Starting in 2012, Ko and FPS approved hundreds of merchant applications for the Schemes that were facially false or deceptive, that depicted shell companies as bona fide businesses, or that described business activity that was prohibited by bank and card brand rules. In early 2012, FPS staff told Ko that FPS was opening merchant accounts based on fraudulent applications; and, by April 2012, First Data had already questioned whether to continue a relationship with FPS based on its failure to adequately underwrite merchant accounts.

Nonetheless, for the next two and a half years, First Data and FPS continued to process payments for the Schemes while communicating about deceptive conduct and exorbitant chargeback rates associated with FPS’s portfolio. According to the complaint, FPS’s merchants at one point accrued over 300,000 chargebacks in less than one year, representing approximately 40% of First Data’s excessive chargeback violations for its entire wholesale merchant business.

Fraudulent Boarding Practices

FTC alleges that, during this time, First Data and FPS established hundreds of merchant accounts for the Schemes in the names of “straw men” or “mules” who had not given consent to their personal and financial information being used to apply for merchant accounts and often did not even know that merchant applications had been submitted in their names. These accounts were used, sometimes interchangeably, to process consumer payments for the Schemes. First Data and FPS established these accounts after FPS approved merchant applications that were facially false or deceptive, contained obvious factual discrepancies or internal inconsistencies, omitted key information about the merchant applicant’s business, or contained other “red flags,” or obvious indicators of fraud.

In some instances, FPS approved merchant applications for the Schemes that had no business description, no marketing materials, no merchant category code, no employee information, and no other information identifying the goods or services the merchant offered to consumers. In other instances, First Data and FPS opened accounts after FPS approved merchant applications that were demonstrably false, contained business descriptions that were prohibited by Wells Fargo (the acquirer), violated bank or card brand rules, or demonstrated histories of telemarketing law violations.

During the same time period, from February to September 2014, FPS approved 40 pairs of identical merchant applications. Each pair had the same purported principal and merchant name and was opened the same day. These pairs of identical merchant applications also used suspicious billing descriptors that hid or omitted the merchant’s name. For example, FPS approved merchant applications for purported nutraceutical and web hosting companies with billing descriptors that contained no text except for the phone number to an offshore telemarketing call center – e.g. 888-441-2916.COM.

Rogue’s Gallery of Sales Agents

So how did First Data and FPS board so many bad accounts? Well, FPS’ sales agents included CardReady LLC , Brandon Becker, James Berland, First Pay Systems LLC f/k/a Electronic Payment Services, Inc., KMA Merchant Services LLC, Jay Wigdore, Michael Abdelmesseh, and Richard Kuhlmann.

Wigdore had federal criminal convictions in 1995, 2000, and 2003 for mail fraud, bank fraud, and conspiracy to commit fraud. Wigdore’s illegal conduct was also highlighted in the FBI’s publicly available 2004 “Financial Institution Fraud and Failure Report.” At the time Wigdore contracted with FPS, his convictions were public and the FBI report was available on the Internet.

KMA maintained an “F” ranking with the Better Business Bureau for at least two years prior to contracting with FPS. KMA’s ranking was publicly available on the BBB’s website at the time it began referring merchants to FPS and First Data.

Kuhlmann was subject to numerous publicly available civil judgments and tax liens during the five-year period before becoming an FPS sales agent.

When CardReady contracted with FPS in February 2012, CardReady and its CEO faced an unpaid civil judgment of approximately $700,000 for breach of contract that was public record. CardReady was also named as a defendant in a fraudulent conveyance action that was public record during the time period it referred merchants to FPS and First Data.

Wells Fargo Terminates FPS

Wells Fargo finally brought these practices to an end in late 2014 when it terminated FPS’s sponsorship. In December 2014, Visa required First Data to pay $18.7 million restitution in connection with FPS’s merchants and banned First Data from boarding high-risk merchants pending a forensic audit. And the April 2015 audit found significant failures in First Data’s risk management practices, including “no controls” over high-risk merchant boarding in its wholesale merchant business, deficient merchant transaction monitoring, and failures in due diligence of its agents, like FPS and Ko.

Did First Data respond by severing ties with FPS? On the contrary, in May 2015, First Data acquired FPS’s merchant accounts, took over its office space, and hired most of its employees. A few months later, First Data asked Wells Fargo to allow former FPS employees to solicit high-risk merchants. Wells Fargo said yes, but on two conditions: that the employees were not “associated with or related to Vincent Ko” and that First Data could confirm that “Vincent Ko has no influence.”

Shockingly, after all this, in January 2017, First Data hired Ko as its vice-president of strategic partnerships.

Consequences

Based on the foregoing, FTC alleges that First Data violated the FTC Act and the Telemarketing Sales Rule. FTC reports that, in addition to paying more than $40 million, under the terms of its proposed settlement, First Data, which was acquired by Fiserv, Inc. in 2019, will be prohibited from assisting or facilitating FTC Act violations related to payment processing and evading fraud and risk oversight programs. First Data will also be required to screen and monitor certain high-risk merchant-clients, as well as establish and implement an oversight program to monitor its wholesale ISOs. In addition, the settlement requires First Data to hire an independent assessor to oversee the company’s compliance with the settlement’s oversight program for the next three years.

For his part, Ko will be required to pay $270,373.70. He will be banned from payment processing for certain types of high-risk merchants, credit card laundering activities, making or assisting others in making false or misleading statements, and assisting or facilitating violations of the FTC Act.

The FTC filed the complaint in the U.S. District Court for the Southern District of New York yesterday (May 19). The stipulated final orders for First Data and Ko should be filed shortly.

Why It Matters

This case is a reminder that acquirers, processors, and ISOs that fail to appropriately police the security of the payments system face liability for the bad acts of their sales agents and merchants. Access to the credit card system is a privilege, and banks and their third party agents must employ appropriate controls to keep scammers out, and take quick remedial action to promptly identify and expel those that sneak in.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments and Digital Marketing Law.