This article was authored by Michael Blume and Leonard Gordon. It was previously posted on Venable.com and is re-published here with permission.
"Wait a minute," you may say, "the Department of Justice just announced that Operation Chokepoint was over. I read the letter." Yes, in an August 16 letter to Congress the Department of Justice stated that Operation Chokepoint "is no longer in effect, and it will not be undertaken again." While the announced end of Operation Chokepoint may be an important moment for the payments industry, it is equally important to recognize that there is nothing to stop the Department of Justice – or, for that matter, the Consumer Financial Protection Bureau, the Federal Trade Commission, or a state attorney general – from bringing a case that looks very much like those that arose under Operation Chokepoint. Need proof? Just look at the press releases for two matters the government brought after the August 16th announcement: an FTC lawsuit and a DOJ settlement. Put another way, if you are in the payments industry and think you can relax your compliance vigilance, you've got another thing coming.
While many criticized Operation Chokepoint as casting too wide a net, the government's intention was to hold those financial institutions that allegedly turned a blind eye to unlawful conduct carried out by their customers or clients responsible for facilitating such fraud. From law enforcement's perspective, the actual cases that arose from Operation Chokepoint (and those that may come in the future from the DOJ, CFPB, FTC, or a state Attorney General) fit squarely within a longstanding legal tradition. The most prominent Operation Chokepoint cases – involving CommerceWest Bank, Four Oaks Fincorp, and Plaza Bank – were built on allegations that there were warning signs of fraud within the financial institution. The government pointed to chargeback rates for customers that were wildly out of proportion with the usual and expected rates in the industry. It also described instances in which other banks allegedly warned the defendant bank, sometimes repeatedly, that the defendant bank's customers were engaged in fraud. There were times that the defendant banks were purported to have learned little about the customers they were bringing on, except to know that those customers were taking active steps to hide what they were doing, like setting up complex corporate ownership structures in foreign countries.
Despite these, and other warning signs, the defendant banks allegedly continued to work with the very entities that were displaying the signs. According to the government, the banks simply brushed them aside. In legal terms, the government alleged that they were deliberately ignorant of or willfully blind to the fraud that was infecting their institutions. They were, therefore, facilitating that very fraud.
That type of approach is not unique to Operation Chokepoint. The FTC and CFPB, for example, have filed numerous lawsuits over the years against payment processors alleged to have facilitated payments to bad actors. While DOJ has declared the end of Operation Chokepoint, it would be incorrect to presume that other federal regulators (or the states) will stop scrutinizing the payments industry.
And that is precisely why payments companies must maintain their compliance vigilance. Ending Operation Chokepoint will not end cases that present facts like those in the CommerceWest, Four Oaks, or Plaza cases. Such cases existed before Operation Chokepoint began, and there is nothing to suggest that they will go away after Operation Chokepoint ends.
Importantly, the payments industry has evolved significantly since Operation Chokepoint was launched, during which time it has bolstered its compliance and risk management systems. The starting point for minimizing enforcement risk is the implementation of a compliance management system (CMS) centered on merchant due diligence, underwriting, monitoring, and vendor management.
Of course a robust CMS is only effective if implemented in practice. This means that payments companies must be aware of red flags, and avoid engaging in the types of activities that law enforcement has targeted as facilitating the unlawful conduct of merchants. Examples of activities to avoid include:
- Assisting a merchant in finding ways to structure its operations to defeat chargeback requests or monitoring systems.
- Transmitting funds on behalf of merchants where a review of the merchant's activities would have shown that the funds were obtained unlawfully.
- On-boarding customers without appropriately understanding their businesses.
- Encouraging merchants to evade payment card brand scrutiny such as by opening multiple accounts and forwarding false applications.
- Failing to take action when a payment card brand places a merchant on a monitoring list.
- Encouraging merchants to use a payment mechanism that is less regulated or not subject to systemic monitoring.
- Ignoring or failing to investigate consumer complaints.
- Ignoring or failing to address high or unusual chargeback rates.
- Failure to monitor for and take action in response to state or federal investigations or enforcement actions involving merchants, including a merchant's failure to comply with a state or federal consent order.
In closing, while Operation Chokepoint itself may be over, many of the concepts that drove the law enforcement initiative are likely to remain in the DOJ, CFPB, FTC, and state attorney general toolboxes. Given this risk, payment processors must keep abreast of legal and regulatory developments so that they can revise their policies and procedures as needed.