Operation Choke Point has produced a spike in activity, with last week yielding two major settlements totaling over $6 million after a year of relative calm. As a result, G2 is reprising our 10 Steps guide for avoiding the unlawful activity that got the two defendant banks in trouble.
Recent headlines from CommerceWest Bank and Plaza Bank continue to underscore the need for a strong due diligence process when managing relationships with merchants and TPPPs. Although both cases involve complicity in fraud, they do highlight the consequences of being involved with such acts as well as how to avoid suspicions of impropriety. In the case of CommerceWest Bank, the pleading outlines several steps to ensure the bank is not abetting consumer fraud by taking precautions when working with payment processor customers, including:
- Reviewing main lines of business and return volumes for the third-party payment processor’s merchants; and
- Requiring that the third-party payment processor provide the bank with information about its merchants to enable the bank to assure that the merchants are operating lawful businesses.
Even high-risk merchants and originators need not cause a problem, as long as they are carefully monitored to avoid fraudulent or illegal activity, according to a recent FDIC bulletin, which states:
“Facilitating payment processing for merchant customers engaged in higher-risk activities can pose risks to financial institutions; however, those that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law.”
So, what constitutes “proper management” of high-risk merchants and third-party payment processors? The FDIC, OCC, Department of Justice and a number of other government entities and industry organizations have plenty of recommendations.
Essentially, these recommendations boil down to:
- Conduct thorough due diligence on your:
  - Direct merchants & ACH originators
  - Third-party processors
  - TPPPs’ merchants
- Monitor your merchants, your third-party processors and their merchants on an ongoing basis
But, as they say, the devil is in the details. What type of monitoring should you conduct? Which fraud databases should you check during due diligence?
G2 Web Services has compiled the following best practices to help you conduct better due diligence and monitoring of your merchants and ACH originators.
1. Check the merchant for a history of fraudulent activity.
Has the merchant/ACH originator participated in criminal fraud rings in the past? Does it have a history of bust-out fraud? Has it been terminated by previous banks? FraudFile from G2 Web Services is a neutral, secure fraud database that should be consulted before boarding any new merchant. Also, MasterCard’s MATCH, Visa’s VMAS and NACHA’s Terminated Originator Database and Originator Watch List contain information on merchants suspected of fraud.
2. Identify and document what the merchant is selling, beyond its MCC or SIC code.
Relying solely on the merchant’s MCC or SIC code can be risky, as a plethora of high-risk services fall under MCC 8999 “Professional Services”, for example. Visit the merchant’s website and document what type of merchant it is at a granular level to set a benchmark for future monitoring.
3. Supplement standard compliance checks with an analysis of the merchant’s online history of risk.
Most banks and payment service providers exercise basic due diligence, including verifying the merchant’s identity and conducting a credit check and background check. However, with commerce rapidly shifting online, there are few resources that dig into a merchant’s online history of risk. The G2 Merchant Map® is the most extensive database of online and offline merchant risk history and relationships, comprising millions of merchants globally. Check the G2 Merchant Map to determine whether your merchant has sold illegal goods online, broken card network compliance rules, or been terminated by a financial institution in the past for bad behavior.
4. Identify the merchant’s website and analyze it for suspicious activity or illicit goods.
If your merchant doesn’t provide a website on its merchant application, do some research and see if you can find one that the merchant may be hiding from you. Examine the website to determine whether the merchant is selling illegal, high-risk or undesirable goods and services. Remember that high-risk merchants, even those high-risk merchant categories outlined by the FDIC, are acceptable to board if they fit within your risk tolerance and are compliant with the law and card network rules, but they should be carefully monitored. Pay careful attention to the alerts put out by the FTC, changes in card network rules, and OCC and FDIC regulations to ensure your merchant isn’t violating any of them.
5. Check the merchant’s reputation and any publicly available consumer complaints.
Has the merchant been accused of scamming consumers? Is there a large volume of complaints about the merchant? It’s a good idea to do a thorough online search to get an idea of your merchant’s reputation. Be sure to check their Better Business Bureau rating as well. While not all consumer complaints indicate a disreputable business, some can be clear indicators.
6. Require all of your third-party payment processors (TPPPs) to follow the same due diligence standards you do, and regularly review the merchants they have boarded.
Set up a system that allows you clear and regular insight into the types of merchants and ACH originators your third-party payment processors (TPPPs, ISOs, etc.) are boarding, and ensure that they are following the same standards you follow for your direct merchants. It is helpful to include this requirement as a clause in your contract with new third-party processors and set up a process from the beginning. While managing multiple TPPPs with large volumes of merchants/originators can be difficult, there are tools to help you manage third-party payment processor due diligence and merchant/originator monitoring, such as KYC Governor from G2 Web Services.
7. After boarding, persistently monitor the merchant for changes in goods/services offered.
Even with the best due diligence, there is nothing stopping a seemingly legitimate florist from switching to selling illegal drugs. In addition to monitoring transactions for chargebacks, revenue spikes, and abnormal return rates, monitor your merchants’ websites for the sale of high-risk goods and services, illegal and brand-damaging content, and content that violates card network rules.
8. Monitor the merchant for fraudulent activity.
Is your merchant colluding with other merchants to mask fraudulent activity from you? Has your merchant set up a false storefront or online store, only to rack up transactions for goods that will never be delivered, leaving consumers empty-handed? In addition to monitoring your transactions for consumer fraud, be sure to monitor for merchant fraud as well. Bust-out merchant fraud in particular can be difficult to detect, but very costly if unseen or ignored.
9. Regularly check the merchant’s reputation for changes and new consumer complaints.
Fraudulent or illegal activity can pick up quickly, which means it is important to continue to monitor merchants’ reputation on a regular basis, and monitor consumer complaints. Often, these can be one of the first indicators of a problem.
10. Require third-party payment processors to monitor all their merchants using the same standards you do, and request regular reports.
Ensure that your TPPPs are carefully monitoring their merchants, and set up a system that provides you access to view reports of all monitoring activity.
G2 Web Services recently introduced KYC Governor to help banks manage high-risk merchants and third-party payment processor relationships. Find out how KYC Governor can help you take a proactive approach to managing merchant, ACH originator and TPPP risk.