Nearly $5 Million Penalty Against Bank for Lax Third-Party Processor, Raises Compliance Concerns

The Justice Department’s nearly $5 million penalty against a California bank tied to its oversight of a third-party payment processor highlights an increasingly risky and challenging area of financial crime compliance: the actions of a customer’s customer.

Federal prosecutors Tuesday handed down the $4.9 million penalty against Irvine-based CommerceWest Bank, a hybrid civil and criminal action in which the institution had to admit to a criminal count of “willfully failing to file” a suspicious activity report (SAR), the bedrock intelligence form required by federal anti-money laundering (AML) legislation.

The hefty action has several compliance takeaways for financial crime professionals: when presented with vociferous red flags from customers and other banks, take them seriously; keep tighter compliance reins on entities considered inherently high-risk; and clamp that oversight even tighter when a client can be a conduit for sub-entities that the bank lacks the visibility to risk-rate or to monitor, manually or automatically.

More broadly, the action also weaves into the trend of large banks de-risking by dropping risky entities. Several compliance officers in recent years have noticed that as large institutions drop third-party processors, those processors are increasingly testing the waters and compliance countermeasures at smaller and medium-sized institutions, in some cases lying about the customers they will serve to gain the account.

The action is also a continuation of the momentum from “Operation Chokepoint,” an effort initiated by the Justice Department in early 2013 to penalize banks allowing online scammers ready access to the payments system to defraud consumers, in many cases by illegally accessing credit and debit cards through dirty payment processors and equally crafty merchants.

The bank, established in 2001 and with assets of $422 million, ignored “a series of glaring red flags” from V Internet Corp. LLC for more than a year, including return rates of more than 50 percent, thousands of complaints from customers and “even multiple complaints from other banks whose customers had been victims of these fraud schemes,” according to court documents.

CommerceWest “ignored warning signs and numerous complaints stemming from unauthorized withdrawals, and now it must pay the price for allowing innocent consumers to be ripped-off by fraudsters,” said Acting U.S. Attorney Stephanie Yonekura of the Central District of California, in a prepared statement.

Even with such a panoply of warning signs, the bank failed to do further investigations, close the account or even file one SAR, according to investigators, adding that by the time they contacted CommerceWest, the bank had “permitted thousands of unauthorized charges from consumer bank accounts,” racking up millions of dollars in fee income while defrauding customers out of tens of millions of dollars.

In the scheme, the bank “knowingly facilitated consumer fraud” by allowing Las Vegas-based V Internet to make millions of dollars in unauthorized withdrawals from customer bank accounts on behalf of fraudulent merchants, say investigators.

The sham merchants included a fraudulent telemarketing company and a company that charged hundreds of thousands of victims for a payday loan referral fee they had never agreed to authorize.

Taking the activities further, in early 2013, V Internet actively took over the payday loan referral scam, operating as both the payment processor and merchant until July 2013, say prosecutors.

Rather than stopping the scheme, the bank “developed a practice of blocking transactions against accounts at those banks that complained, but allowing the transactions to continue against accounts at all other banks,” court documents said.

Moreover, investigators uncovered that as of May 2013, at least one CommerceWest official had “determined that all of V Internet’s transactions appeared to be fraudulent and unauthorized.”

But the bank did not make a decision to terminate the account until early July and, even then, gave the company an additional 30 days to wind down its processing activity. The bank finally blocked the company from accessing victims’ checking accounts when contacted by the Justice Department.

Critical to banks ensuring they don’t run afoul of government anti-fraud and AML requirements is, at account opening, asking the third-party processor what kinds of businesses it will be engaging in and, more specifically, what are the names and contact details of the merchants it will be transacting with, say compliance professionals.

Even those questions could weed out several fly-by-night operations as shifty processors will likely not be willing to divulge this information, raising the risk of the entity and, potentially, nudging the bank not to open the account in the first place.

Beyond that, banks should ask the processor how long it has been in operation, what regions it will be transacting with, what products, and what other banks, if any, it has accounts with or has had accounts with, say analysts. If the processor has not had accounts at other banks, or if the relationships were short-lived, that is a critical red flag evincing the operation has potentially illicit practices.

If the bank does open the account for the processor, it could follow the path set out by some institutions, which have started requiring the processor itself to adopt AML-type practices, including customer due diligence, transaction monitoring and sending reports on suspicious behavior to the parent bank.

Again, if the processor shows an unwillingness to adopt such practices, it could be because it is planning on engaging in dubious practices or working with criminal entities, such as illegal foreign online gambling portals that are banned from having direct connections with US banks.