Back Office Outsourcing Operations: IBM accused of connection with laundering scheme

At first, it looked like a nothing story: but the ramifications of a civil claim against IBM and others are potentially enormous.

A US Federal Judge has ruled that IBM (or to be more precise its division "IBM Net Trade" based in Denmark) "must defend claims that it wrongly received, retained and refused to return" substantial sums of money that were "derived from the sale of pornographic content over the internet," according to the plaintiff.

Paycom Billing Services, Inc claims that IBM, Payment Resources International and its principles Andrew Phillips and John Blaugrund together with others "partipated in a pattern of racketeering activities involving several different schemes in connection with the processing of credit card transactions related to the purchase of adult-oriented content over the internet."

The allegations, which IBM and other defendants deny, are that PRI and others defrauded Paycom and that IBM received and held onto the money.

In January 2002, says Paycom, a US District Judge told PRI and others including a processor called Global Payment Systems Limited, must answer to charges based on US anti-racketeering laws, including "numerous acts of wire fraud and laundering of monetary instruments to defraud Paycom."

Paycom's press release says that Global Payment Systems is "British" but the filed court documents describe it at "a British Virgin Islands corporation."

Paycom is claiming tens of millions of dollars in actual cash losses as a result of the alleged fraud.

IBM is alleged to have contracted with Global Payment Systems to process the transactions that Paycom says were fraudulently obtained from Paycom. IBM then, according to Paycom, "wrongfully retained the lion's share of those proceeds to pay for other, unrelated debts of Global Payment Systems and certain merchants other than Paycom" ON 20th December 2002, Paycom obtained judgment for more than USD40 million against Global Payment Systems in Los Angeles.

IBM had sought to remove itself from the action claiming fraud claiming that its conduct was not related to the conduct of the other parties. However, on 12 December the Court ruled that there was sufficient connected conduct to require IBM to answer to the claims in the same suit.

Global Payment Services Limited do not appear to have an internet presence, at least not one that Google finds.

Payment Resources International shows on its website a picture of a grand building described as its headquarters: but its address is a "suite" number, which in US addressing may mean anything from a permanent presence to a room in a business centre to a "virtual office" with nothing more than a postbox and an answering service. Its website gives no clear indication of its corporate structure and, if it is an unincorporated venture, no details of its partners. The latest press release on its site is from November 2001.

Paycom claims to be "the most experienced credit card and check (sic) processing company on the net." According to the papers filed at Court, Paycom provides a range of services including that of, in effect, processing and collection agent for traders who do not hold their own merchant account with, for example, Visa or Mastercard. The transactions are processed through Paycom's own account with the card companies so they regard, as between themselves, Paycom as the trader. Paycom processes the transaction and collects the money from the credit card company, which in turn collects it from the customer. Paycom then makes the funds available, less its transaction charges, to the trader.

No single transaction identification number follows the transactions from beginning to end, says Paycom and so it is difficult, if not impossible, to cross refer chargebacks to a particular transaction. If it proves impossible, then Paycom cannot back charge that to any specific merchant and so presume that the card company has not made a mistake and must absorb the loss.

Paycom declares that a large part of its internet business is related to the delivery of internet content for the "adult internet industry," a pseudonym for pornography.

Visa and Mastercard, which make up more than 85% of Paycom's business, say that pornography sites pose particularly high levels of risk for fraud and lead them to higher than normal risk of chargebacks. According to Paycom, this has meant that a discrete market has developed in processing these transactions for which a higher than normal processing fee can be charged.

Ventures, in this litigation called independent sales organisations or ISOs, have been set up to find banks willing to take on this sort of business, and Payment Resources International is one such venture and, despite representations that it was a processor, so is Global Payment Systems, says Paycom. Credit card companies usually only deal with banks - although some finance companies have been allowed to issue cards. So no matter how large its business became, Paycom is unlikely to have been able to develop a direct relationship with the card company.

PRI is an ISO and it found banks willing to take Paycom's business. At one point in the court documents, Paycom implies that it did not have its own merchant account.

Basically (and this is a very simplified version of the claim which runs to several hundred paragraphs) Paycom found that some defendants were using the chargeback mechanism to facilitate fraud. When chargebacks reach specified percentages, the card companies "fine" the acquiring bank. The acquiring bank passes these fines onto the merchant. The allegations are, in summary, that some defendants were raising fictitious "fines" and debiting them from funds that were due to be paid to Paycom.

The Court's findings in relation to the money laundering issues are that the allegations against several defendants (not including IBM) are that each allegation made amounts to conduct which is indictable under laws relating to money laundering and, in particular, under RICO.

Whether or not the allegations are eventually proved, the Paycom court documents demonstrate with considerable clarity the way that such business relationships are created and how they are alleged to have gone wrong. The case file suggests that Paycom failed to do adequate due diligence and failed to monitor those with whom they were doing business. Their systems appeared to permit too great a reliance on business critical information which they did not verify. Paycom appears to have become overly dependent on one supplier - a situation which has led to problems in many companies.

The ramifications arising from the inclusion of IBM's Danish business is the question of hypothecation of funds - that is whether they are allocated to a specific customer of IBM's own customer. IBM had no contract with Paycom. Indeed, Paycom did not even know IBM was handling any of its business, says Paycom. So far as it was concerned, all processing was being done by Global Processing Systems.

PRI is alleged to have claimed that it was able to electronically send data to Global Payment Solutions but it turned out that they actually saved the data to floppy diskettes and despatched it by courier. Global Payment Services then tried to reformat the data into a form that IBM found acceptable. Then Global Payment Services sent the data by courier.

The transactions were then reprocessed by IBM who obtained authorisation for them, even though they had been previously authorised. This led to more transaction rejections, says Paycom.

"NatWest then settled the transactions through the Visa interchange and forwarded the proceed from the transactions back up the chain to IBM, who was supposed to pass the proceeds to Global Payment Services, who was supposed to pass them onto PRI, who should have passed them on to Paycom. However, Paycom never received the money," Paycom's claim says. Paycom says that up to 14 merchants were being run through what seems to be a merchant account set up by PRI in its own name, instead of Paycom having a merchant account of its own. The IBM documents are not yet available to us. But the main issue that this case raises for companies in the same position as IBM is to define who they hold a duty of care to: if it is to someone other than the contracting party, then all financial processing outsourcing functions are suddenly hazardous. How does the company identify those to whom it owes a duty of care? How many stages away from the contracting party does it have to investigate. Here, Paycom was three steps away from IBM.

Ignoring for a moment any allegations of fraud on the part of IBM (which if not spurious do not appear strong on the face of the papers disclosed by Paycom) the real issues of concern is that of contractual obligations and the duties in tort; there is also a lateral thinking issue relating to money laundering - if the court finds that IBM should have drilled down through the relationship with its customer to identify and protect the merchant, then this places a burden no dissimilar to the USA PATRIOT Act correspondent banking provisions.

And it has to be remembered that if the Court finds a duty of care to Paycom, then by extension it means that there is a duty of care to all of Paycom's customers. This is, it is here submitted, an intolerable burden. Interestingly, though, it would also create ethical dilemmas in a wide range of services businesses: if you do know the individual merchant, at what point to you refuse to handle his account - are you going to willingly undertake transactions relating to pornography, sale of counterfeit goods?

The progress of this case needs to be closely monitored.