Recently, I heard about a new form of theft against a central Indiana nonprofit. Using the organization’s login information for its credit card processor, a perpetrator was able to issue repeated refunds to a Russian bank account. The first two – one for $9,000 and the other for $21,000 – were processed. The third attempt for $80,000, however, was caught by the business administrator when he logged into the account and noticed the pending payment.
Fortunately, insurance refunded the $30,000 that was stolen, but ultimately the organization has the responsibility for selecting a qualified service provider. With that in mind, businesses and organizations should exercise caution when using credit card processors, donation websites, and any other outside service providers that involve financial information.
In another example, executives of CenterCede, a payroll services provider, defrauded its payroll clients of more than $2 million. The president and the chief financial officer collaborated and did not pay their clients’ federal taxes in appropriate amounts by applicable deadlines. Instead, they diverted funds to pay their exorbitant salaries and to cover growing liabilities, including the tax liabilities of other CenterCede clients. Eventually, both men were sentenced and sent to prison for two to four years.
Due diligence is your best defense when considering a new financial relationship. Below are some questions and tips to assist you before signing on the dotted line with a new service provider.
An effective due diligence process should include these questions:
- How does the company protect users’ private information?
- Have there been any fraudulent claims against the company? If so, how were they resolved?
- Who is liable if illegal activity occurs?
- How accessible is its customer service department?
- How could your organization’s financial information be used by someone intending to do harm?
Investigate the prospective company:
- Conduct a background check.
- Identify the major lines of business and volume of a payment processor’s customers. Look for any red flags.
- Visit the company’s business operations center, if possible, to verify legitimacy.
- Check for any complaints with the Better Business Bureau (BBB).
- Review consumer complaints and procedures used to handle these complaints.
Payment processor activities that should raise suspicion:
- Does the processor use more than one financial institution to process payments? Spreading the activity among several institutions may allow the processor to engage in inappropriate activity that avoids detection. This strategy is also used in case one or more of the financial relationships is terminated as a result of suspicious activity.
- Is the processor using a financially troubled institution in need of capital? These troubled financial institutions may be more willing to engage in higher-risk transactions in return for increased fee income. Check with rating services, such as Bankrate or Bauer Financial, to determine how the institution is performing.
- Does the processor resell its services to “Independent Sales Organizations” (companies contracted to procure new merchant relationships)? These organizations can in turn sell services to other merchants who are unknown to the processor.
- Nonbank payment processors are not subject to certain regulations; therefore, they may be more vulnerable to money laundering, identity theft, fraud schemes and illicit transactions.
While illegal activity can never be completely eliminated, following a thorough due diligence protocol can minimize your risk when entering into a new business relationship. Investigative due diligence is an essential step for businesses and nonprofits concerned about the unknown scope of a new relationship, even when the provider is a reputable company or comes highly recommended.