Following on the heels of significant regulatory actions by the Consumer Financial Protection Bureau, Federal Reserve, and the FDIC against regulated companies and their third-party service providers, the Federal Trade Commission recently announced a settlement order against a payment processor, as well as its principals (including one “John P. Lawless,” no joke). The defendant, Automated Electronic Checking, Inc. (“AEC”), had allegedly engaged in processing fraudulent and unauthorized charges for its merchant-clients and partnered with dubious banks that had been the subject of prior regulatory scrutiny. The settlement order requires the disgorgement of nearly $1 million in fees collected from processing tens of millions of dollars on behalf of merchants (including nearly $50 million for two merchants that had already been the subject of an earlier FTC order), and bans AEC’s principals from engaging in payment processing services “by any means in the future.”
The FTC’s action against AEC highlights the risks involved when partnering with a service provider, especially a payments processor that has direct access to customer payment data. The problem is multiplied when other entities involved in the transaction flow – merchants, banks, technology providers, data brokers – contribute to the fraud.
The FTC’s order against AEC should remind parties involved in the payments flow to keep in mind the guidance issued by various regulators on dealing with third-party service providers, including:
- The FFIEC’s Bank Secrecy Act/Anti-Money Laundering Exam Manual on third-party payment processors and technology service providers;
- The CFPB’s bulletin on service providers;
- The FDIC’s letters on managing third-party risk and payment processor relationships; and
- The Treasury Department’s Financial Crimes Enforcement Network advisory on third-party payment processing risks.