Your employees may be using your business’s credit cards to make charges you haven’t authorized. And if you don’t discover it soon after the fact, you may be liable for those charges.
“A court’s rationale is pragmatic and straightforward. If the credit card bank sends you a monthly statement and you send payment in full for all charges, then the bank is entitled to rely on the fact that all of the charges on that statement are authorized and have been approved,” says Joe Hickey, a member at Dykema Gossett PLLC.
Smart Business spoke with Hickey about how to keep from becoming a victim of employee credit card fraud.
How is fraud perpetrated against individuals and businesses?
Unauthorized use is a use that is not authorized by express, apparent or implied authority. If someone uses your card with your express consent you are obviously liable for the charges. But cardholders can be liable for a fraudulent use of their card — one they likely view as unauthorized — when the cardholder’s conduct cloaks the perpetrator with the apparent authority to use the card.
Typically, fraud with a personal card involves a wealthy individual who hires an assistant and gives that person access to all of the security verification information needed to apply for and/or use a card. That person will also review and pay the monthly card statements received from the credit card bank. It’s this combination of complete and unfettered autonomy and access, coupled with the cardholder never reviewing the statements, that creates apparent authority.
Businesses that frequently issue business cards to individual employees in their own names and with their own credit card numbers may have someone in their accounting department who both reviews and pays all business card statements. If that person is dishonest, he or she might fraudulently apply for their own card, with no one the wiser because that same person pays the bills.
How can business owners try to avoid being defrauded?
That is up to the business owner. To ensure the card is not being used fraudulently, a good start is to separate the payment and review functions. The person monitoring incoming statements should be independent of the payment process, and the person making payments should probably not have the ability to incur charges on the card (unless, of course, someone else is auditing).
Courts are likely to hold you liable if you do not separate those functions. While this is undoubtedly a fraudulent use of the card, it will be considered an authorized use because the bank receiving the payments rightfully concludes (based on the actual cardholder’s conduct) that the charges were authorized. Otherwise, why would payments be made?
Why do businesses often overlook fraudulent charges?
Individuals and businesses erroneously believe it is their bank’s duty to monitor their accounts for fraud. That is not true. While credit card banks employ fraud detection technologies, those technologies are designed merely to try to detect fraudulent use of your card before you receive your statement. Banks in no way hold themselves as monitoring your account and being responsible for finding fraud. Frankly, this is an impossible task. The best fraud detection system is personally reviewing the monthly statements.
Businesses might also mistakenly believe that they have procedures in place that would expose fraud, but because the perpetrator employees are also given unfettered access to make payments and withdrawals from bank accounts, as well as having broad access to accounting books and records, they are perfectly situated to manipulate information to hide their fraud. For example, while the ledger may indicate that a check was issued to pay a vendor, it’s possible for a perpetrator to issue a check to pay off the credit card. If you or someone independent does not audit the credit card statements and bank records with the books, it’s likely no one will know for sure if a payment was actually made to the credit card bank rather than the vendor.
In addition, business owners might have an employee create summaries of charges from the credit card statements. The owner reviews this summary prepared by the same person committing the fraud, but never reviews the actual statement. This, too, is not the bank’s fault.
How can a company avoid finding itself in this situation?
Be diligent and employ reasonable audit and cross reference procedures. It’s important to regularly review the statements so you notice charges you didn’t approve. Alternatively, keep the review and payment functions separate. Either way, the quicker you take action to advise the credit card bank the charges are fraudulent, the less likely this use will be viewed as authorized. If, on the other hand, you do not look at statements for months — or even years — it’s possible the courts will show little sympathy if you seek to recoup the money from the credit card bank. While you could always go after the renegade employee, they likely lack the funds to pay you back.
Under the Fair Credit Billing Act, you generally have 60 days to contact the bank and say, ‘This charge isn’t mine.’ If 60 days is the appropriate time for reporting billing errors, it’s also appropriate for reporting fraudulent use of a credit card. After that, the bank has a better argument.
If, despite its best efforts, a company is the victim of credit card fraud, what is the next step?
Contact your credit card bank, report the fraud and ask it to investigate. If the bank concludes that this was your employee and this employee was authorized to use the card via apparent authority, it will likely say you are liable. True, the person forged your signature and the act is fraud; but if you’re not timely in uncovering the fraud, the courts will determine that you let it happen.
Joe Hickey is a member at Dykema Gossett PLLC. Reach him at (248) 203-0555 or email@example.com.