Bank Sold Credit Card Data to Felon : Privacy: Charter Pacific gave card numbers to man who allegedly used them to run up $45 million in bogus charges. Consumer advocates say case illustrates need for tougher laws.
A San Fernando Valley bank sold a convicted felon 90% of the credit card numbers that he allegedly used to run up $45.7 million in mostly bogus charges against consumers worldwide, according to interviews and court documents filed Friday.
Charter Pacific Bank, which has made millions by processing credit card transactions for adult entertainment firms, provided Kenneth H. Taves of Malibu more than 3.7 million card numbers compiled from its merchants’ accounts, according to a report filed in U.S. District Court in Los Angeles.
Discovery of the sale appears to answer investigators’ questions about how Taves, 47, obtained the 900,000 card numbers he allegedly billed, but it also provides new ammunition to consumer advocates in the intensifying national uproar over financial privacy.
“I find it outrageous that the law allows a bank to sell credit card numbers,” said Ed Mierzwinski, consumer program director at the California Public Interest Research Group’s Washington office. “This will help expose the seamy businesses these banks are in.”
Federal and state banking regulators are examining Charter Pacific’s database sales and its handling of Taves’ merchant accounts. But it is unclear if such sales are illegal.
“We’re looking at the issue of exactly what happened here,” said George Doerr, the Federal Deposit Insurance Corp.’s assistant regional director. “It’s a problem giving customer information at all. To give out credit card numbers, that’s pretty serious.”
Charter Pacific said it sells the data files to merchants as a tool for verifying customers’ card numbers, particularly in online transactions. When a customer submits a credit card, the merchant can check it against the databases of numbers and reject any cards that appear to have histories of misuse, bank executives said.
The Agoura Hills bank said Taves apparently purchased the databases before an account for one of his firms, Netfill, was shut down due to excessive chargebacks, or refund demands. The bank has said it didn’t know Taves was associated with two other accounts that his firms allegedly used to process transactions there.
Regulators allege that Taves illegally billed Visa and MasterCard holders worldwide for a service they never ordered: access to his network of X-rated Web sites.
Charter Pacific President Michael Ward said the bank conducts a credit check of all merchants requesting the credit card databases, but doesn’t check for criminal histories. When Taves ordered at least three databases from the bank in November 1997, he was on probation for a conviction eight months earlier for aiding and abetting a check-counterfeiting scheme, court records show.
Ward said the bank has found “no single place you can go” to conduct such a check, and said the databases “shouldn’t be useful for anything other than a fraud scrub,” referring to the verification process merchants use.
Even if the bank had learned of Taves’ criminal record--which also includes a conviction for being an accessory to a 1980 murder--it would not be barred by law from selling him the customer data, experts said.
“There’s no statute I know of that says banks can’t sell information to convicted felons,” said Senior Assistant Atty. Gen. Herschel Elkins, who is examining financial privacy in California. “We’re looking at all the possibilities.”
Banking industry officials said several major banks have sold personal customer data, including credit card numbers, to marketing firms. But they said Charter Pacific’s practice of selling card numbers for merchant verification appeared to be unusual.
Earlier this year, state regulators in Minnesota sued Minneapolis-based U.S. Bancorp for selling customer information, including credit card numbers, to an outside marketing firm. Minnesota officials said the sales violate federal and state consumer protection laws. In June, the bank settled the case without admitting the allegations and agreed to pay about $3 million to the state and various charities.
Some Banks Have Tightened Policies
Other major banks, including Bank of America and Wells Fargo, have sold or shared customer information such as telephone numbers and account numbers with outside vendors or telemarketers. But the banks tightened their policies on releasing the data earlier this year amid a raft of customer complaints.
But spokesmen for Bank of America and Wells Fargo said Friday their institutions don’t sell credit card numbers to merchant account holders.
The report filed Friday, compiled by the receiver who was placed in charge of Taves’ assets by the court, also represents a potentially devastating disclosure for Charter Pacific, an institution whose shares trade over the counter. The bank reported $91.5 million in assets at the end of last year.
When Taves ordered the data files, the bank already was under an order from the FDIC to tighten controls throughout its operation as a result of bad real estate loans. If the bank is found to have violated that order, it could be fined. Moreover, it could face legal liability for card holder losses, which are estimated to exceed $45 million.
Established in 1981, the bank in recent years has depended heavily on the fees generated by processing card transactions, including those for phone-sex lines and X-rated Web sites. Most banks earn the majority of their income from lending. But Charter Pacific last year reported $6.9 million in net income from card processing operations and only $4.8 million from lending.
Charter Pacific officials have told the Federal Trade Commission that about one-third of the bank’s 250 merchant accounts belong to Internet-based adult entertainment firms. The bank’s executives noted Friday that their other merchant accounts include mail-order firms and retailers. The credit card numbers that Charter Pacific sells belong to customers of all its merchants, not just the adult-content services, according to the receiver.
Bank officials also said the case points up weaknesses in the credit card system. When a card holder makes a purchase, certain card information is supposed to be verified electronically by the bank that issued it. But some banks automatically approve transactions under $50, and some don’t require information such as the card’s expiration date to authorize purchases, Charter Pacific officials said.
Because the databases provided to Taves contained only credit card numbers--not expiration dates--the only way the charges could be approved is if banks didn’t demand that extra data, said Executive Vice President Richard Cornejo. What’s more, the amount typically billed to each card was only $19.95.
Lawyers for the FTC--which filed the civil complaint alleging that Taves deceived consumers--plan to meet with Taves’ attorneys Wednesday to discuss a settlement of the case. The U.S. attorney’s office is also investigating. Taves has been in federal custody since May on a related criminal complaint of filing a false financial statement to the FTC.
His attorney could not be reached Friday. In the past, Taves has denied wrongdoing and said unscrupulous computer users may have entered stolen card numbers into his adult Web sites, causing the inaccurate card charges.
FTC officials had speculated that Taves obtained the card numbers by using a mathematical formula to generate random digits. But FTC staff attorney Doug Wolfe said the discovery of the bank database is “a strong indicator” of the numbers’ origin.
Mierzwinski, the Washington privacy advocate, said he hoped the case would fuel the push for laws restricting what information banks can release to outsiders.
“This bank, in my opinion, is potentially risking the safety and soundness of the banking system,” he said. “This has to be stopped.”
