Suspicious Activity Reporting (“SAR”) forms the cornerstone of the Bank Secrecy Act (“BSA”) reporting system. Broadly speaking, federal regulations require all banks and financial institutions to file a SAR with respect to a host of financial crimes and transactions conducted or attempted through them if they know, suspect or have reason to suspect that the transaction may involve potential money laundering or other illegal activity. FinCEN regards credit card laundering and factoring as a variation of money laundering, equally subject to SAR requirements.

Credit card laundering occurs when a merchant uses a straw entity to act as a front, pass-through or aggregator for the merchant’s transactions. Other indicia include, multiple MIDs, multiple corporations and a continuity negative option model.

Almost always, such conduct violates federal civil law, such as Section 5 of the Federal Trade Commission Act and the Telemarketing Sales Rule, as well as federal criminal law, such as 18 U.S.C. § 1029 (factoring), 18 U.S.C. § 371 or § 1029(b)(2) (conspiracy), 18 U.S.C. § 1343 (wire fraud), or 18 U.S.C. § 1344 (bank fraud). Many states also have their own laws against transaction laundering.

Yet except for certain Money Services Businesses (“MSBs”), non-bank Third-Party Organizations such as ISOs/MSPs, Payment Facilitators/Payment Service Providers, data processors and network providers (collectively “TPOs”) generally are not subject to BSA requirements. Thus, it is the acquiring bank’s responsibility to (1) ensure that a TPO’s incident reporting and management program contains clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents of credit card laundering and other suspicious activity; and (2) monitor TPO compliance and processing information on an ongoing basis to ensure compliance with the acquirer’s SAR obligations.

Generally, when banks rely on TPOs for processing and sales services, they either explicitly or implicitly require the TPO to notify them whenever it becomes aware of certain types of suspicious activity. Particular notification criteria may be stipulated in the contract between the bank and the TPO.

Again, the BSA requires banks and financial institutions to file a SAR for transactions conducted or attempted by, at, or through them and aggregating $5,000 or more, if they know, suspect, or have reason to suspect that the transaction:

• Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity, or is
• Designed to evade the requirements of the BSA, whether through structuring or other means, or
  

• Serves no business or apparent lawful purpose, and the reporting business knows of no reasonable explanation for the transaction after examining all available facts.

Certain MSBs (including money transmitters; and issuers, sellers and redeemers of money orders and traveler’s checks) must file a SAR for any transaction conducted by, through, or at the MSB that is suspicious,and totals $2,000 or more.

In the context of credit card laundering, typical warning signs of suspicious activity include:

• Multiple MIDs for a single merchant, particularly where due diligence or monitoring suggests multiple shell entities with different signers associated by similar address, phone number, websites or relationships.
• Excessive chargebacks/returns across multiple MIDs even though individual MIDs may show an acceptable rate of chargebacks.
• Merchants that maintain merchant accounts with multiple processors, or that move from one processor to another within a short period.

MIDs with historical transaction activity that is substantially different from what would normally be expected for the category of merchant business.
Any other evidence of deposits for transactions involving sales of goods or services generated by another merchant.
When the bank is unable to identify and understand the nature and sources of the transactions processed through an account, the risks to the bank and the likelihood of suspicious activity can increase. Banks and financial institutions that fail to have an adequate program in place to monitor and address the risks associated with their third-party relationships are subject to regulatory intervention.

Moreover, even if the acquirer’s own risk mitigation program is lacking, it is squarely in the TPO’s own best interest to make sure it aggressively monitors, detects and reports suspected credit card laundering and other suspicious activity to the acquirer, including documenting its reporting decisions and maintaining all supporting documentation for a period of at least five years, lest it come under investigation for facilitating suspicious or illegal activity.