Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On May 21, the Office of Inspector General for the U.S. Postal Service (OIG) issued a report titled, “The Road Ahead for Postal Financial Services.” The report follows a January 2014 white paper issued by the OIG, which explored how the U.S. Postal Service could expand its provision of financial products to underserved Americans. The report summarizes five potential approaches for increasing the Postal Service’s financial services offerings, including: (i) expand current product offerings, which include paper money orders, international remittances, gift cards, and limited check cashing, as well as adjacent services (e.g., bill pay, ATMs); (ii) develop one key partner to provide financial services offerings, including possible expansion to general purpose reloadable prepaid cards, small loans, and/or deposit accounts; (iii) develop different partners for each product; (iv) make the Postal Service a “marketplace” for distribution of financial products of an array of providers; and/or (v) license the Postal Service as a financial institution focused on the financially underserved (although the OIG is not recommending this approach). Factors to consider when determining which approach to take, if any, include the legal and regulatory landscape; the effectiveness of cash management systems; dedication of the internal team, and public awareness of existing and potential services offered.
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
On December 20, President Obama signed two bills impacting bank supervision and compliance. These bills were sent to the President after the Senate approved both measures on December 11. The first, H.R.4014, amends the Federal Deposit Insurance Act to protect information submitted to the CFPB as part of its supervisory process. For more information about these issues, please see our recent Special Alert. The second bill, H.R. 4367, amends the Electronic Fund Transfer Act to remove the requirement that ATMs have an attached placard disclosing fees. The amended law requires only that fees be disclosed on the ATM screen.
Federal Banking Regulators Issue Supplemental Statement Regarding Borrower and Institution Relief Following Hurricane Sandy
On November 14, the Federal Reserve Board, the OCC, the National Credit Union Administration, and the FDIC supplemented a prior statement on the impact of Hurricane Sandy on customers and the operations of financial institutions. The supplemental guidance identifies activities that could be considered “reasonable and prudent” steps to assist affected customers, including, for example (i) waiving certain fees and penalties, including ATM and overdraft fees, (ii) easing credit limits and terms for new loans, and (iii) offering payment accommodations. The regulators also provide post-storm guidance regarding loan modifications, the Community Reinvestment Act, and customer identification. The guidance largely mirrors guidance issued by the FDIC on November 9, 2012 in Financial Institution Letter FIL-47-2012.
On July 25, the U.S. District Court for the District of Minnesota granted summary judgment to a consumer alleging that the placement of an ATM fee notice on the inside of a “hooded ATM” was not “prominent and conspicuous” as required under the Electronic Funds Transfer Act (EFTA). Brown v. Wells Fargo & Co., No. 11-1362 2012 WL 3030294 (D. Minn. Jul. 25, 2012). The consumer, on behalf of a putative class, alleged that the ATM fee disclosure was placed on the inside of the hood protecting the screen, and not in a more conspicuous position. The consumer did not contest that the disclosure was provided electronically on the screen, as also required by the EFTA, and that he was aware before completing the transaction that he would be charged a fee. Because the EFTA does not define “prominent and conspicuous,” the court looked to other consumer protection statutes to determine that the disclosure must be displayed such that a reasonable person ought to have noticed. In this case, the court held that a reasonable person would not conclude that the notice was prominent and conspicuous because (i) the disclaimer was not in capital letters, (ii) the type and background of the notice were in a coordinating, not contrasting color, (iii) the notice was placed inside the hood as opposed to on top of the machine, and (iv) the notice generally did not stand out relative to other information on or near the ATM. While the court granted the consumer’s motion for summary judgment on the EFTA claims, the court disposed of his claim for unjust enrichment, and refused to certify the class, holding that the consumer failed to meet the requirements of either Rule 23(a) or (b). As we have reported in recent weeks, the U.S. Congress is considering legislation that would eliminate the physical fee disclosure requirement, and instead require that ATM operators only provide an on-screen notice.