On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
On March 21, the U.S. Court of Appeals for the D.C. Circuit held that the Federal Reserve Board’s final rule imposing a 21-cent per transaction limit on debit card interchange fees (up from a 12-cent per transaction limit in its proposed rule) was based on a reasonable construction of a “poorly drafted” provision of the Dodd-Frank Act and that the Board acted reasonably in issuing a final rule requiring debit card issuers to process debit card transactions on at least two unaffiliated networks. NACS v. Bd. of Governors of the Fed. Reserve Sys., No. 13-5270, 2014 WL 1099633 (D.C. Cir. Mar. 21, 2014). The action was brought by a group of merchants challenging the increase to the interchange fee cap and implementation of an anti-exclusivity rule for processing debit transactions that was less restrictive than other options. In support of their challenge, the merchants argued that in setting the cap at 21 cents the Board ignored Dodd-Frank’s command against consideration of “other costs incurred by an issuer which are not specific to a particular electronic debit transaction.” The court held, in a decision that hinged on discerning statutory intent from the omission of a comma, that when setting the fee cap the Board could consider both the incremental costs associated with the authorization, clearance, and settlement of debit card transactions (ACS costs) and other, additional, non-ACS costs associated with a particular transaction (such as software and equipment). The court further concluded that the Board could consider all ACS costs, network processing fees, and fraud losses. The court, however, remanded the question of whether the Board could also consider transaction-monitoring costs when setting the fee cap, given that monitoring costs are already accounted for in another portion of the statute.
Finally, the court rejected the merchants’ argument that the Board’s final rule should have required the card issuers to allow their cards to be processed on at least two unaffiliated networks per method of authentication (i.e., PIN authentication or signature authentication), holding that the statute goes no further than preventing card issuers or networks from requiring the exclusive use of a particular network.
State Banking Associations Object To Senators’ Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
On February 20, the CSBS announced the formation of an Emerging Payments Task Force to study changes in payment systems—including virtual currencies and other innovations—to determine the potential impact on consumer protection, state law, and banks and nonbank entities chartered or licensed by the states. The Task Force is comprised of nine state regulators, including New York State Department of Financial Services Superintendent Lawsky, who has recently indicated New York will seek to become the first state to directly address virtual currency through new regulations. The Task Force will be chaired by David Cotney, Commissioner of the Massachusetts Division of Banks, who testified on these issues on behalf of the CSBS last fall before the Senate Banking Committee. The CSBS stated that the Task Force will “take a comprehensive approach to studying the changing payment systems” by engaging with a broad range of federal, state, and industry stakeholders to understand how new entrants and technologies affect the stability of payment systems and the broader financial marketplace and “to develop ideas for connecting the emerging payments landscape to the financial regulatory fabric.”
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limit the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S.
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
This week, New York State Department of Financial Services (NY DFS) Superintendent Benjamin Lawsky presided over a two-day hearing regarding emerging virtual currencies and the appropriate role of regulation. The hearing was the next step in an inquiry announced last August, and was held as the NY DFS considers developing a state license specific to virtual currency that would subject operators to state oversight. The panels featured the views of private investors, virtual currency firms, regulatory experts, and law enforcement officials. From our view inside the room, the most prominent theme to emerge is that regulators will need to strike a balance between protecting the public interest—both from a consumer protection standpoint and with regard to the potential for criminal activity—and allowing emerging virtual currency technologies to develop, evolve, and thrive.
Federal Reserve Board Seeks Comment On Designated Utilities’ Risk Management Standards, Payment System Risk Policy
On January 10, the Federal Reserve Board proposed revisions to the Regulation HH risk-management standards for certain financial market utilities that have been designated as systemically important by the Financial Stability Oversight Council, and for which the Federal Reserve Board is the Supervisory Agency pursuant to Title VIII of the Dodd-Frank Act. The Board also requested comment on related revisions to part I of the Federal Reserve Policy on Payment System Risk (PSR policy), which applies to financial market infrastructures more generally, including those operated by the Federal Reserve Banks. The Federal Reserve states that both sets of proposed changes are based on and generally are consistent with the April 2012 Principles for Financial Market Infrastructures developed jointly by the international standard-setting bodies, the Committee on Payment and Settlement Systems and the Technical Committee of the International Organization of Securities Commissions. Among other things, the revisions: (i) establish separate standards to address credit risk and liquidity risk, (ii) add a standard on general business risk, and (iii) heighten requirements on transparency and disclosure. Comments on both proposals must be submitted by March 31, 2014.
On December 12, the Federal Reserve Board issued a revised proposed rule that would, among other things, encourage depositary banks to receive, and paying banks to send, returned checks electronically. The revised proposal is intended to address comments the Board received in response to a 2011 proposal to amend subparts C and D of Regulation CC. The Board is now seeking comment on two alternative frameworks for return requirements. Under the first, the expeditious-return requirement currently imposed on paying and returning banks for returned checks would be eliminated; a paying bank returning a check would be required to provide the depositary bank with a notice of nonpayment of the check—regardless of the amount of the check being returned—only if the paying bank sends the returned check in paper form. Under the second, the current expeditious-return requirement—using the current two-day test—would be retained for checks being returned to a depositary bank electronically via another bank, but the notice-of-nonpayment requirement would be eliminated. The Board is proposing to retain, without change, the current same-day settlement rule for paper checks. In addition, the Board is also requesting comment on applying Regulation CC’s existing check warranties to checks that are collected electronically and on new warranties and indemnities related to checks collected electronically and to electronically-created items. Comments are due by May 2, 2014.
On November 27, the Federal Reserve Board requested comments on proposed changes to its procedures for posting debit and credit entries to institutions’ Federal Reserve accounts for ACH debit and commercial check transactions. In a policy statement, the Board seeks comments on a proposal to change the posting time of ACH debit transactions processed by the Federal Reserve Banks’ FedACH service overnight to 8:30 a.m. ET from 11:00 a.m. ET to align with the posting of ACH credit transactions. For commercial check transactions, the Board seeks to move the posting time for receiving most credits for deposits and debits for presentments to 8:30 a.m. ET, and to set two other posting times at 1:00 p.m. ET and 5:30 p.m. ET. The Board is also proposing to establish a set of principles that would be applied to any new posting rules for the Reserve Banks’ same-day ACH service. In a related proposed rule, the Board offered for comment companion amendments to Regulation J to permit Reserve Banks to obtain settlement from paying banks by as early as 8:30 a.m. ET for checks that the Reserve Banks present, and to permit the Reserve Banks to require paying banks that receive presentment of checks from the Reserve Banks to make the proceeds of settlement for those checks available to the Reserve Banks as soon as 30 minutes after receiving the checks. Comments on both the policy statement and the proposed rule are due 60 days after the documents are published in the Federal Register.
On November 21, CFPB Director Richard Cordray delivered remarks at The Clearing House Annual Conference, including a review of the CFPB’s efforts to resolve concerns raised by the mortgage market through adoption of new mortgage rules and the objective of evenhanded oversight that is not dependent on charter choice or regulator. Mr. Cordray placed particular emphasis on the CFPB’s ability and efforts to “level the playing field” through its nonbank supervision program.
Notably, Director Cordray raised questions about recent efforts by other regulators and law enforcement authorities to investigate and take action against nonbank entities, like online payday lenders, by focusing on how these nonbanks get paid through bank payment systems. Cordray cautioned that, “[t]he focus of these . . . actions may create burdens that fall disproportionately on individual banks that are participants in the payment systems” and that the referenced approach “may not be the most efficient or effective approach.” Rather, Director Cordray suggested that further attention should be given to “how [payment] systems are designed and how they function for all of the institutions that participate in them.” The Director also expressed interest in working with the Clearing House to improve the CFPB’s understanding of using enhanced computer analytics and communications to identify patterns in payment systems, which he stated would better enable the CFPB to “identify and enforce the law against illegitimate firms that are otherwise able to reduce their own costs by hitching a free ride on the payments system,” as well as to consider necessary changes in law or practice.
On November 12, NACHA, which manages the development, administration, and governance of the ACH network, released two proposed rules that it describes as complementary approaches to improving ACH Network quality by reducing the incidence of exceptions. The first proposal would improve NACHA’s ability to identify and enforce rules against “outlier” originators by: (i) reducing the existing return rate threshold for unauthorized debits from 1% to 0.5%; (ii) establishing a 3% return rate threshold for account data quality returns, and an overall debit return rate threshold of 15%; (iii) clarifying permissible and impermissible practices for the collection of ACH debits returned for insufficient funds and other reasons; and (iv) explicitly applying certain risk management rules to third-party senders. In addition, the proposed rule would expand NACHA’s authority to initiate enforcement proceedings for a potential violation of the NACHA Rules related to unauthorized transactions. The second proposal would establish economic incentives for originating institutions and their originators to improve origination quality, and provide partial cost-recovery to receiving institutions for handling exceptions. Specifically, the proposed economic incentives are fees that would be applied to instances when a receiving institution: (i) returns an ACH transaction due to incorrect account data within the transaction; (ii) corrects information within an ACH transaction and sends the correction back; or (iii) returns an ACH transaction due to a problem with the receiver’s authorization. NACHA is accepting comments on the proposals until Monday, January 13, 2014.
On November 7, the PCI Security Standards Council (PCI SSC), an organization that develops standards for payment card security, released updated data security standards. One standard applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The other standard applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. PCI SSC updates the standards every three years. This most recent update includes, among other things, requirements that payment card processors: (i) evaluate evolving malware threats for any systems not considered to be commonly affected; (ii) control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination; (iii) protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution; (iv) implement a methodology for penetration testing; (v) implement a process to respond to any alerts generated by the change-detection mechanism; and (vi) maintain information about which security requirements are managed by each service provider, and which are managed by the entity.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 10, the Federal Reserve Banks issued a public consultation paper that identifies “key gaps and opportunities” in the U.S. payment system. They include: (i) payment recipients prefer forms of payment other than checks but exercise little control over the sender to request a preferred form of payment, (ii) the system lacks a “near-real-time” payment capability, (iii) innovations have not gained significant market penetration while legacy systems tend to be more ubiquitous, (iv) legacy systems lack certain desired features, including, for example, assurance that a payment will not be returned or reversed, (v) cross-border payments are slow and costly, and lack fee and timing transparency, (vi) some digital wallet applications reduce the visibility and choice of payment instrument at the point of sale, (vii) businesses’ legacy payment and accounting systems make straight-through processing difficult, but are costly to change, and (viii) data security fears inhibit adoption of electronic payments. The paper outlines certain desired outcomes and seeks input on strategies and tactics to address the perceived gaps and shape the future of the domestic payment system. Interested stakeholders can submit comments until December 13, 2013.
On August 6, the New York Department of Financial Services (DFS) sent letters to 35 online lenders, including lenders affiliated with Native American Tribes, demanding that they cease and desist offering allegedly illegal payday loans to New York borrowers. The letters demand that within 14 days the companies confirm that they are no longer soliciting or making payday loans in excess of the state usury caps. Under New York law, it is civil usury for a company to make a loan or forbearance under $250,000 with an interest rate exceeding 16% per year, and a criminal violation to make a loan with an interest rate exceeding 25% per year. The letters also remind recipients that it is illegal to collect on loans that exceed the usury cap; a separate letter to third-party debt collectors included the same notice. The DFS previously warned third-party debt collectors about collecting on illegal payday loans in March. In addition, the Department of Financial Services sent letters to 117 banks and NACHA requesting that they work with the DFS to create a set of model safeguard procedures to deny ACH access to the targeted lenders and provide the DFS with information about steps the institutions are taking to halt the allegedly illegal activity.
The role of banks in processing payday loan payments was identified as an enforcement priority earlier this year by the DOJ’s Financial Fraud Enforcement Task Force. The DOJ, the CFPB, and other federal agencies reportedly have issued subpoenas to banks and other entities as part of a broad investigation of online payday lending.