The Federal Trade Commission (FTC) recently announced a settlement with First Data Merchant Services, LLC (First Data) and Chi “Vincent” Ko, one of its executives, for a little over $40.2 million after allegations that First Data facilitated at least four fraudulent scams. First Data is one of the largest global payment processors, and it processes over $2 trillion a year.
The FTC Allegations
The FTC complaint alleges that First Data assisted and facilitated payments for companies engaged in fraudulent schemes and illegal activities. One scheme involved a debt relief telemarketing scam that took over $20 million from consumers. Another fraudulent scheme used First Data payment services to exploit consumers’ stolen credit card data, which was used to place $28 million in unauthorized charges on bills through First Data merchant accounts.
According to the complaint, a 2015 audit found that First Data had “no controls” on how it managed high-risk merchants. In addition to ignoring other red flags, the lack of controls made it possible for Ko to open accounts under false names, provide deceptive information to open the accounts, and ignore evidence that his clients were engaged in fraud. Among the warning signs, many of the merchant account applications approved by First Data omitted key information about the applicant’s business, had no merchant category code, contained no employee information, and included no information about the goods or services the merchant offered to consumers.
The $40.2 million settlement funds will be used to refund consumers harmed by the fraudulent schemes. First Data is also required to hire an independent assessor to oversee compliance with the settlement’s oversight program for three years. The FTC’s complaint against First Data Merchant Services can be found here, and the settlement press release can be found here.
Payment processors should take care to implement proper screening for account applications. Screening should include safeguards aimed at detecting potentially fraudulent applications, as well as ongoing screening for illegal transactions. Additionally, companies engaging payment processors should take care to vet the companies with which they work and to require reasonable security controls in the processing of payments.
All companies engaging third-party payment processors should be aware of this settlement, take steps to review their internal vendor vetting processes, and confirm that appropriate security measures, including the Payment Card Industry Data Security Standard, are contractually required.