Today, the DOJ unsealed an eighteen-count indictment in Brooklyn, New York charging a Turkish citizen (Defendant) with organizing worldwide cyberattacks against at least three U.S. payment processors’ computer networks. The Defendant’s organization allegedly used “sophisticated intrusion techniques” to hack the computer systems, stealing prepaid debit card data and subsequently using the stolen data to make ATM withdrawals in which standard withdrawal limits were manipulated to allow for greater withdrawals. According to the indictment, the Defendant managed a group of co-conspirators responsible for distributing the stolen card information to “cashing crews” around the world, who then used the information to conduct tens of thousands of fraudulent ATM withdrawals and fraudulent purchases. Within two days – February 27 and 28, 2011 – the DOJ alleges that the “cashing crews withdrew approximately $10 million through approximately 15,000 fraudulent ATM withdrawals in at least 18 countries.” The remaining two operations, occurring in late 2012 and early 2013, resulted in ATM withdrawals of roughly $5 million and $40 million, respectively. The Defendant, along with other high-ranking members of the conspiracy, received the funds from the fraudulent operations via wire transfer, electronic currency, and personal delivery of U.S. and foreign currency. The Defendant was arrested in Germany on December 18, 2013, and was extradited to the United States on June 23, 2015. The charges against the Defendant follow previous charges against members of the conspiracy, including the arrest of a member of the New York cashing crew.
On November 30, the Fed announced the release of its annual report on debit card transactions in 2015. The report is the fourth in a series to be published every two years pursuant to Section 920 of the Electronic Fund Transfer Act (EFTA). As in prior years, the 2015 report reflected that issuers’ costs of authorizing, clearing, and settling debit card transactions (excluding issuer fraud losses) varied greatly across respondents. Data compiled in the report estimates that debit-card fraud losses to all parties (merchants, cardholders, and issuers) increased by 44 percent from 2013 to an estimated total of $2.41 billion in 2015. The median covered issuer had average fraud prevention and data security costs of 1.9 cents per transaction.
On May 27, the Governor of New York State announced that the state Department of Labor published new proposed rules intended to better regulate employers who pay their employees using debit cards. The proposed regulations detail the responsibilities of employers that use debit cards to pay employees, and prohibit employers from profiting from or passing along costs to employees. In addition, the proposed rules prohibit employers from imposing fees (such as those for customer service, account maintenance, overdraft, and inactivity), and require employers to (i) obtain advance consent, which must be documented and kept on record for six years; (ii) make known to employees the local locations where their wages can be accessed for free; and (iii) provide unlimited free ATM withdrawals within a local network, including a method to withdraw the full amount of wages each pay period without penalty. The regulations will take effect following a 45-day notice and comment period.
The Department of Education is set to propose new regulations which could change how financial institutions provide services on college campuses, according to a NPRM to be published in the Federal Register on May 18. The new rules, part of a nearly 300-page “Program Integrity and Improvement” package, are intended to among other things (i) ensure that students have convenient access on their Title IV funds, (ii) do not incur unreasonable and uncommon financial account fees, and (iii) are not led to believe they must open a particular account from a financial institution to receive Federal student aid. The proposed regulations also update other provisions in the cash management regulations, clarify how previously passed coursework is treated with respect to Title IV funds eligibility, and streamline the requirements for converting clock hours to credit hours. Public comments on the proposed rulemaking will be due 45 days after date of publication in the Federal Register.
Tennessee Enacts Legislation Requiring Payment Service Providers to Provide Adequate Disclosures to Merchants
On April 17, the Tennessee Governor Bill Haslem signed H.B. 547, which requires the disclosure of fees and other details in contracts entered into by payment service providers with merchants located within the state. The legislation requires the payment service providers to provide merchants with information detailing where the merchant can obtain access to operating rules, regulations, and bylaws under the agreement. In addition, the law requires payment service providers to disclose (i) the effective date of the agreement; (ii) terms of the agreement; (iii) any provisions relating to early termination or cancellation of the agreement; and (iv) a full schedule of all payment services fees with respect to the credit card, debit card, or other payment services under the agreement. The law also requires payment service providers to supply merchants with a monthly statement of fees, total value of transactions, and in some cases the aggregate fee percentage.