Regulatory scrutiny of the payments industry remains intense. Meanwhile, regulators’ expectations of payment processors, ISOs, and payment facilitators have never been higher. Recent enforcement actions have not been limited to those instances where an acquirer crafted elaborate schemes to conceal merchant identities or alarming chargeback ratios. Rather, the Federal Trade Commission (“FTC”) has seemed at times to scrutinize processors where the alleged warning signs of consumer deception were somewhat obscure and the warning flags, if hued with red at all, were at best a dark pink.
A recent concurrence from an FTC Commissioner, however, signals that that propensity to target acquirers—while strong—is not without limitation.
The case at issue involves RevenueWire, Inc. (“RevenueWire”). According to the FTC, RevenueWire entered into contracts with payment processors to collect payments for its own sales of eBooks and software. The contracts prohibited RevenueWire from submitting third-party sales through the merchant accounts, i.e., transaction laundering. Nevertheless, per the FTC, RevenueWire proceeded to use its merchant accounts to collect payments from consumers on behalf of other companies, two of which had been defendants in previous FTC enforcement actions. The FTC alleged that RevenueWire was aware of these organizations’ deceptive practices and the use of telemarketing to hawk their wares. Accordingly, the FTC alleged that RevenueWire and its CEO violated the Telemarketing Sales Rule (“TSR”) by (i) “provid[ing] substantial assistance or support” to these organizations despite knowledge of their unlawful telemarketing activity; and (ii) credit card laundering. 16 C.F.R. Part 310.3.
Accused of operating something akin to an unregistered payment aggregator for dirty sub-merchants, RevenueWire and its CEO elected to settle. And the penalty they agreed to shoulder is substantial. Indeed, in addition to requiring the careful scrutiny of “high risk” clients—under pain of judicial contempt sanctions—the defendants agreed to turn over $6.75 million to the FTC.
In that regard, at least, RevenueWire is hardly remarkable. Similar actions have been brought, and similar settlements agreed to, in actions such as CardFlex, CardReady, and Allied Wallet.
What is noteworthy about RevenueWire, however, is the concurring statement issued by Commissioner Christine S. Wilson. Commissioner Wilson approved filing the complaint, but took care to note that the filing “does not signal a shift on the part of the FTC to a strict liability standard for payment processors.” Stated otherwise, the case was not meant to suggest that the Commission will automatically hold acquirers liable for the bad acts of their merchants. Rather, quoting previous FTC testimony before the House Subcommittee on Government Operations (during a hearing in which the ETA actively participated), Commissioner Wilson explained that the FTC will “pursue appropriate law enforcement ‘when a payment processor helps a fraudulent merchant take money from consumers – either by actively helping the merchant hide its fraudulent conduct from acquiring banks and payment networks or by turning a blind eye to the merchant’s fraud.’” (emphases supplied).
In RevenueWire in particular, Commissioner Wilson found the conduct alleged to meet that threshold of active assistance or purposeful blindness. According to her, “RevenueWire was at the center of the deceptive business model[ ] and knew that the call centers and telemarketers were making deceptive statements.” (emphasis supplied).
So, does the concurring statement suggest that processors and ISOs can now relax their careful underwriting and monitoring of high-risk merchants? Of course not. The regulatory standards remain high and the costs of transgressing them remain punishingly steep. But it is refreshing to hear a Commissioner clarify that the FTC does not perceive the industry as “the enemy” or the unwilling insurer against all merchant misconduct. Acquirers must do their jobs when it comes to underwriting and risk monitoring, but those that do should avoid the crushing blow of regulatory enforcement actions.