Q: Some unknown person obtained my independent contractor's personal login for a major resort chain's agent website. The unknown person then made about $50,000 in bookings using an unauthorized or stolen credit card. Now, after the cardholder disputed all the charges, the chain is claiming that my agency is responsible for the chargebacks because our ARC number was used. Does use of my ARC number really make us liable for chargebacks, no matter who is at fault? Doesn't the resort have a duty to flag suspicious patterns of bookings? Don't they have a duty to cancel fraudulently made bookings to avoid charging us back?
A: Just because a perpetrator used your agency's ARC number or your IC's login does not mean you are liable for anything. Your liability depends on the terms of your contract, if any, with the resort operator.
As is probably the case much of the time, you may have no agreement with the resort operator and simply rely on industry practice for a standard commission of 10%. In that case, the resort operator has no clear legal basis on which to hold your agency liable. Although it could argue that you must have been negligent in allowing your IC to expose his or her login to fraudsters, the resort operator would have a hard time providing evidence of such negligence.
As is probably the case much of the rest of the time, the resort's terms and conditions for agencies may be on its booking website, and they may state you are liable for chargebacks on all bookings made with your ARC number, regardless of who made the bookings. In that case, the resort operator would have to prove that your agency agreed to the terms and conditions, and it would have a hard time doing so if only your IC used the website.
Finally, as is the case with at least some resort operators, wholesalers and tour operators, you may have signed an agency agreement that expressly states that you are liable for chargebacks on bookings using your ARC number. In that case, you don't really have any legal defense to the resort operator's claim against you.
Such a clause is obviously unfair, so if you see one in the future, try to get it deleted or limit it to cases where it can be proven that your agency's employees or ICs participated in fraud or that they failed to follow the supplier rules for credit card charges.
The resort does not have any legal duty to your agency to flag suspicious bookings as they are being made, unless your agreement with the operator so provides. Although the operator may have such programs in place, their existence does not give you any legal right to deny liability for fraudulent bookings not caught.
On the other hand, all parties to a contract have an implied duty to mitigate their damages, so the resort operator needs to try to lessen its loss by canceling any booked trips and then holding your agency responsible only for its out-of-pocket losses, excluding its profits.