Don’t Sing the Credit Card Blues

If businesses don’t impose controls, policies and procedures over credit card processing and they don’t perform daily and monthly reconciliations, employees with access to the credit card systems could process fictitious or fraudulent refund or credit transactions to their personal credit cards. Learn how to avoid this fraud.

A small medical practice with two physicians and a staff of five found out the importance of regularly reviewing its refund activity when it lost more than $10,000 in unauthorized refunds processed over five years through the practice’s credit card system.

The medical practice hadn’t always accepted credit card payments, so it had to constantly send statements to patients to collect fees. At some point, the physician owners realized that if they offered the ability to pay by credit card, their collections would increase, and the outstanding balance from private-paying patients would decrease – especially if payment was collected up front before treatments were provided.

The practice manager (we’ll call her Meg) implemented a merchant system with swipe terminals and posted signs informing patients that the practice now accepted credit card payments. (A practice manager is similar to an office manager of a non-medical entity.) Many patients began paying their copayments and balances with their credit cards, and collections increased for the owners.

Initially, the practice received a monthly automated merchant bank statement, available for downloading, which identified the activity processed during the month. The practice had no procedures in place to independently review the daily credit card activity or reconcile the monthly activity to the merchant statement, so the practice grew more dependent on the individuals who processed the charges, recorded the payments within the medical billing system and generated the daily close-out reports. The practice stopped generating the merchant statement image and simply relied on the deposits that posted into the practice’s bank account.

One day Meg found a close-out report inadvertently left on a computer printer. She reviewed the day’s activity and saw an odd refund processed for $125. Meg couldn’t independently trace the $125 credit transaction because the office had no process in place to support refunds or credits.

Early the next morning, Meg asked the employee who typically handled the charges to explain the refund. At first, the employee (we’ll call her Liz) explained that a patient had been in earlier in the week and paid by credit card. The patient had returned to pay by check instead, and a refund needed to be made to the patient’s card so the patient wouldn’t pay twice, Liz explained. Meg asked Liz to retrieve the underlying credit card slips for both transactions and to deliver them to her office with any other information about the patient and the charges.

Liz later went to Meg’s office but had no slips to support either transaction. Liz closed the door and explained that the slips were gone and that she had processed the refund to her own credit card to avoid being late on her credit card payment, which would caused the interest rate to skyrocket because of the default terms on the card. Liz explained that it was only $125 and that she fully intended to put the funds back into the practice to cover the refund. She didn’t realize that the processed refund wouldn’t constitute a payment on the account and the account would fall into the default terms.

Crushed by Liz’s admission, Meg left Liz in the office and sought one of the physician owners. After a brief private meeting with the physician, Meg returned and placed Liz on immediate administrative leave. Meg walked Liz to her desk, where she retrieved her coat and belongings and escorted her to the front door. Thankfully, the other office staff members hadn’t yet arrived at work.

Meg then generated merchant statements as far back as she could on the system and retrieved the paper statements from the files. She identified and highlighted all refund transactions on copies of the statements and compiled a listing of every refund transaction and sent it to the merchant bank to identify the credit cards associated with each refund.

More than 70 suspicious transactions were identified in the previous few years, most of which were associated with the same credit card number. The merchant bank identified the cardholders as Liz and her spouse. More than $10,000 had been systematically processed over the entire period in amounts below $150 – mostly on heavier-volume credit card sale days when the refund could be easily absorbed into the resulting deposit amount with little risk of detection.

Could this scheme have been prevented? Probably not – most systems are built to process refunds without the ability to disable the capability. There are times legitimate refunds need to be processed, and the system has to be able to process them. However, should the scheme have been detected within the first month or two? Absolutely. Here’s why:

1. The practice should have had a process to require a form or some documentation for all refunds.

2. Someone independent should have been looking at the daily close-outs. If a refund was processed on any given day, the individual should have traced the refund to the supporting documents.

3. Someone should have been reviewing the monthly merchant statement and noticed the refund activity and traced it to the supporting documentation.

Most companies now accept credit cards from customers as a method of payment. Although it might be dependent on the nature of the business, even service-based businesses and professionals, such as attorneys, accountants, dentists and physicians, have implemented the means to accept credit cards to better ensure that customers, clients and patients pay their amounts due. In many cases, especially in the current economic conditions, credit cards might be the only available means individuals have to pay their obligations.

Processing Sales 

Credit-card processing methods still range from manual handwritten charge slips to point-of-sale software for accepting and processing credit card information. The most common method is the swipe terminal, in which the card is physically swiped, and either a code is entered on the key pad or the signature of the cardholder is captured on a small attached screen. A cardholder’s card information can usually be entered manually at the same terminal if the physical card isn’t present, for instance, when bill payers mail in payments on outstanding balances but never physically appear at the business or phone to make their payments.

Most frequently, a customer signs a business copy of a charge slip, and the merchant provides a copy. For manually processed charges, a copy of the slip can be mailed to a cardholder, which shows the charge to the card. Now customers often don’t have to sign for purchases when the prices are below a set threshold; the receipt is simply printed for the customer. This saves the business and the cardholder a step, but it also creates a greater opportunity for fraudulent transactions on credit cards.

Regardless of how each credit card is charged, the underlying goal, of course, is to accept a payment from a customer, client or patient, which results in a deposit into a business bank account. Credit cards are processed through a merchant bank, which charges a monthly fee along with a percentage of each sale transacted. The percentage varies depending on the card processed and the size of the transaction. The corresponding deposit into the business account can be gross (for the full amount of the sales transactions processed) or net (the sales less deducted applicable fees associated with the sales). Gross sale deposits are desirable for reconciling activity because the fees and discounts are taken as separate transactions periodically.

Reconciling Sales 

Whether you charge an individual’s card as a result of an actual sale or you charge the card for payment on a balance owed (as in the case of professional services), processing a charge on a card will result in a sale in the eyes of the merchant system. The business must have controls and procedures to daily reconcile the credit card activity to ensure that all sales have been properly recorded and charged. Ideally, charges should be processed throughout the day. At the end of each business day, the credit card system should be closed out. The close-out process captures all the transactions processed from the previous close-out and produces a report summarizing the day’s activity. The report should then be used to reconcile the activity for the day.

As with reconciling cash receipts, there should be a three-way reconciliation of credit card activity completed daily and monthly. Sales per the merchant system’s close-out reports should be reconciled to the credit card activity entered into the business’ accounting system and also to the actual funds received into the business bank account. Once reconciled, the supporting information for each day’s reconciliation should be forwarded to the owner or designated individual for review and approval. The daily reconciliations should be supported with the business copies of each charge slip and should be collected on a monthly basis to be reconciled to the merchant statement.

Processing Refunds or Credits 

The same systems used to process sales are also used to process a refund or credit to an individual’s card. In some business contexts, processing refunds makes sense and is expected in retail sales and product returns. However, other businesses, such as professional services, should experience little to no refund or credit activity. A refund or credit transaction reduces: 1) the sales to the business for the day 2) the gross amount that will be deposited into the business’ bank account, and 3) the individual cardholder’s outstanding credit card balance.

Policies and procedures should be implemented to control and authorize any refunds, regardless of payment by cash or credit card. One policy should mandate that any sales or payments originally made by a credit card will only result in a refund or credit processed back to the same card. A second policy is that a form will be completed for every processed refund. The form should require the identification of the individual receiving the refund or credit, the name of the employee processing the transaction, the amount and the reason for the refund or credit. Most retailers require customers to sign a slip to record that a customer actually received the refund (versus the employee processing fictitious refunds).

A third policy requires an employee at an appropriate level to authorize each refund or credit. This practice works best at grocery and department stores at which an employee can initiate a refund or credit, but a manager must approve the transaction to complete the processing.

Herein lies the biggest risk with businesses that accept credit card payments. Inherent in every credit card system, whether manual or fully automated, is the ability to process refunds and credits. If businesses don’t impose controls, policies and procedures over credit card processing and they don’t perform daily and monthly reconciliations, employees with access to the credit card systems could process fictitious or fraudulent refund or credit transactions to their personal credit cards, which reduces the outstanding balances through the businesses’ credit card activities.    

The unauthorized refunds or credits, if processed on days with higher-than-normal sales transactions, could be blended within the details, and the resulting deposits into the business account would still remain positive amounts (only reduced by the fictitious refunds).

Reviewing and Reconciling Refunds or Credits 

The procedures over the daily activity from the close-out report should include a review for any refunds or credits processed during the day. Every refund should be supported with required documentation, and the individual performing the review should be independent of the individuals who process charges and credits. Any unsubstantiated refunds or credits should be immediately researched, and refunds or credits processed to the same card number within a set period should also be investigated.

Reviewing and Reconciling the Merchant Statement 

I recommend a back-to-basics review approach for detecting potential unauthorized or fraudulent activity processed through the credit card system. Much like with the business’ bank statements, an owner should receive the unopened monthly merchant statement directly and immediately review it. An owner should print and review the monthly statement if it’s available online or electronically. The owner should then initial the statement and forward it to a designated individual for reconciling who will then send it back to the owner who’ll ensure that it actually was reconciled.

The owner and designated reconciler’s review should include refunds and credits processed during the month. The review should be fairly easy for those businesses that don’t process many or any refunds. Unfortunately, merchant statements no longer identify the actual credit card numbers processed because of privacy rules designed to minimize disclosure of personal information and possible identity theft. Under the old system, it was fairly easy to determine if the same card number was being processed continuously. The latest statements only display transaction numbers, so the business will be at the mercy of the merchant bank if it has to research the identification of the card number and holder for any suspicious transactions.

That’s why it’s critical for a business to implement internal procedures and documentation requirements for any refund or credit transactions. The individual charge slips will contain card numbers and customer names, which allow easy discovery if the refunds or credits were processed to an employee. The business will find a problem the first time a refund or credit is processed on a daily close-out and the underlying forms and support aren’t located to substantiate that refund or credit. If an employee has failed to comply with the policies and procedures, it will be considered an unauthorized transaction. Either way, it should be identified the first time it occurs, and appropriate action should be taken with the responsible individual.

No Credit Card Blues 

Customers in most businesses – from retail to professional services – are accustomed to paying with credit cards out of convenience or necessity. Keep employees honest by implementing controls, policies, and procedures over credit card processing, and performing daily and monthly reconciliations. If you don’t, you could soon be singing the credit card blues.

Stephen Pedneault, CFE, CPA/CFF, is the founder and principal of Forensic Accounting Services, LLC. He is the author of three fraud-related books.  

SIDE BAR 

Credit Card Sales, Transactions, and Merchant Statements Checklist 

This article is excerpted and adapted with permission from the publisher, John Wiley & Sons, from “Preventing and Detecting Employee Theft and Embezzlement: A Practical Guide,” by Stephen Pedneault, CFE, CPA/CFF © 2010 John Wiley & Sons. See the online ACFE Bookstore.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.