On October 28, the Federal Reserve announced its final rule to amend Regulation HH, standards for financial market utilities (FMUs) that have been designated as systemically important by the FSOC. The new rule will implement a common set of risk-management standards for all designated FMUs and revise certain definitions. Further, the Fed also announced final revisions to part 1 of its Federal Reserve Policy on Payment System Risk. The final rule and revisions to the policy are based on the Principles for Financial Market Infrastructures, which were developed jointly by the Committee on Payment and Settlement Systems and the International Organization of Securities Commissions. Specifically, the amendments and revisions will establish (i) separate standards to address credit risk and liquidity risk; (ii) new plans for recovery and orderly wind-down; (iii) new standards on general business risk and on tiered participation arrangements; and (iv) increased requirements on transparency and disclosure. The final rule will be effective on December 31, 2014. FMUs have until December 31, 2015 to comply with specific additional requirements set forth in the rule.
On November 3, a large financial services company announced the rollout of its Token Service (Service) for online, mobile app, and in-store mobile purchases. The Service is designed to increase security and reduce magnetic-stripe card fraud. Based on EMVCo’s Payment Tokenization Specification and Technical Framework, the Service offers four main features: (i) a token vault to store and designate tokens; (ii) the ability to issue tokens; (iii) lifecycle management services to manage tokens; and (iv) anti-fraud and risk management services for institutions issuing the cards. The Service is currently available in the U.S. and is scheduled to launch internationally in 2015.
On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data, and the second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements related to when a merchant or entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third-parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
On August 6, in remarks at a financial technology conference, the UK’s Chancellor of the Exchequer, George Osborne, outlined the UK government’s plans for the UK to become a world leader in financial innovation and financial technology. Mr. Osborne noted the UK’s science and technology resources and its history of leading the way in financial innovation. He called for new means of banking and payments for consumers and businesses that go beyond just viewing statements online and that “bypass traditional banks altogether, and lend money directly – through peer-to-peer platforms.” Mr. Osborne believes that “with the right backing from government,” London can become “the Fin Tech capital of the world.” To that end, he detailed the government’s plans to support financial innovation, including by: (i) establishing an appropriate tax regime for the industry; (ii) committing funds for government investment programs; (iii) establishing a favorable regulatory regime; (iv) creating a new partnership between Innovate Finance and the British Business Bank to champion financial innovation and technology; and (v) launching a “major program of work exploring the potential of virtual currencies and digital money.” For example, as part of the regulatory changes, Mr. Osborne described several pieces of legislation, including those that will: (i) require the large UK banks to “pass on information on small businesses they reject for loans, so that FinTech Companies and alternative lenders can step in and offer finance instead”; and (ii) allow consumers to use their smart phones to pay in checks.
Recently, the Federal Reserve Board released two payments-related reports: (i) a report to Congress on government-administered general use prepaid cards; and (ii) a detailed report on the Federal Reserve’s 2013 payments study. The report on government-administered prepaid cards analyzes the $502 million in fee revenue collected by issuers in 2013, a majority of which was attributable to interchange fees. For consumer-related fees, the report indicates such fees derived primarily from ATM-related charges. The second report details findings from the 2013 Federal Reserve Payments Study, the fifth in a series of triennial studies conducted by the Federal Reserve System to comprehensively estimate and study aggregate trends in noncash payments in the United States. The paper expands on the 2013 summary findings originally published last December, and includes, among many other things, the following new findings: (i) credit cards are more prevalent than other general-purpose card types; (ii) among general-purpose cards with purchase activity in 2012, consumers preferred debit cards, with an average use of 23 payments per month, compared with an average of 11 payments per month for general-purpose credit cards and 10 payments per month for general-purpose prepaid cards; (iii) although the number of ATM cash withdrawals using debit cards and general-purpose prepaid cards dropped slightly, growth in the value of ATM withdrawals continued to exceed inflation; (iv) the number of online bill payments reported by major processors, which included those initiated through online banking websites and directly through billers and settled over ACH, exceeded three billion in 2012; and (v) there were more than 250 million mobile payments made using a mobile wallet application, and at least 205 million person-to-person or money transfer payments.
On June 23, the ICBA and The Clearing House published a white paper on virtual currency that (i) defines virtual currency and describes the current regulatory environment; (ii) describes key players in the Bitcoin system; (iii) discusses the application of certain functional and prudential payment system regulations that may be applied to the Bitcoin system and other convertible decentralized virtual currencies; and (iv) evaluates potential regulation of virtual currency, virtual currency investment programs, and exchanges. The paper concludes, among other things, that: (i) credentials used to transact in Bitcoin are functionally similar to prepaid cards and arguably fall within the definition of such cards provided in Regulations E and II; and (ii) the CFPB may determine that cross-border transactions in Bitcoin fall within the scope of the CFPB’s Remittance Transfer Rule, which would require entities facilitating such transfers to comply with the rule’s disclosure, reversibility, and error-resolution requirements. The paper discusses potential safety and soundness oversight for entities in the Bitcoin system. It also suggests that existing regulations intended to protect consumers and market participants in the event of the failure of a securities or commodities exchange may be inapplicable to Bitcoin exchanges, and that alternative means of protecting investors and accountholders—such as disclosure requirements and coordinated state-level registration of exchanges—should be explored.
On June 5, the FDIC and a Delaware bank entered a consent order that prohibits the bank from entering into any new relationships with third-party prepaid card processors or prepaid card program managers until the FDIC approves a written report from the bank that details the steps taken by the bank to (i) implement new BSA compliance policies and procedures; (ii) improve staff training; (iii) implement controls sufficient to mitigate BSA and safety and soundness risk associated with prepaid card, credit card merchant acquiring, and ACH activities; and (iv) perform a BSA risk assessment. The order similarly restricts the bank’s activities related to credit card merchant acquiring and ACH merchant payment processing. The order does not prohibit the bank from issuing prepaid cards through existing distribution channels under existing contracts with third-parties, but does restrict certain activities related to existing credit card and ACH processing activities. In addition, the bank must (i) retain and designate BSA and OFAC officers; (ii) conduct a suspicious activity reporting look-back review; and (iii) submit periodic progress reports. Finally, the order requires increased board supervision of the bank’s BSA compliance program and mandates the creation of a board-level BSA committee.
On May 29, the House Oversight Committee released a staff report on Operation Choke Point, DOJ’s investigation of banks and payment processors purportedly designed to address perceived consumer fraud by blocking fraudsters’ access to the payment systems. The report provides the following “key findings”: (i) the operation was created by DOJ to “choke out” companies it considers to be “high risk” or otherwise objectionable, despite the fact that those companies are legal businesses; (ii) the operation has forced banks to terminate relationships with a wide variety of lawful and legitimate merchants; (iii) DOJ is aware of these impacts and has dismissed them; (iv) DOJ lacks adequate legal authority for the initiative; and (v) contrary to DOJ’s public statements, Operation Choke Point is primarily focused on the payday lending industry, particularly online lenders. The findings are based on documents provided to the committee by DOJ, including internal memoranda and other documents that, among other things, “acknowledge the program’s impact on legitimate merchants” and show that DOJ “has radically and unjustifiably expanded its [FIRREA] Section 951 authority.” The committee released the nearly 1,000 pages of supporting documents, which are available in two parts.
On May 16, the Conference of State Bank Supervisors Emerging Payments Task Force held a public hearing to examine the changing payments landscape and opportunities and risks presented by current and emerging technologies. The Legacy Payment Systems panel focused on continued efforts to improve efficiency and speed while simultaneously “preserving consumer confidence and system stability.” The Retail Payments Innovations panelists described innovative electronic and mobile payment systems and suggested that further innovation would be best supported by the existing regulatory framework, which offers sufficient consumer protections. Finally, the Virtual Currencies panel urged state and federal regulators to “provide clear and consistent regulatory expectations and guidance without restricting innovation.” The event was the most recent of a number held by federal and state policymakers to address the proliferation of emerging financial technologies used to move money and transfer funds, which range from enhancements of traditional ACH or credit and debit methods of payment to virtual currencies that disrupt the traditional model. The CSBS is expected to use public hearings like this one to develop a proposed regulatory framework for state agencies.
On March 21, the U.S. Court of Appeals for the D.C. Circuit held that the Federal Reserve Board’s final rule imposing a 21-cent per transaction limit on debit card interchange fees (up from a 12-cent per transaction limit in its proposed rule) was based on a reasonable construction of a “poorly drafted” provision of the Dodd-Frank Act and that the Board acted reasonably in issuing a final rule requiring debit card issuers to process debit card transactions on at least two unaffiliated networks. NACS v. Bd. of Governors of the Fed. Reserve Sys., No. 13-5270, 2014 WL 1099633 (D.C. Cir. Mar. 21, 2014). The action was brought by a group of merchants challenging the increase to the interchange fee cap and implementation of an anti-exclusivity rule for processing debit transactions that was less restrictive than other options. In support of their challenge, the merchants argued that in setting the cap at 21 cents the Board ignored Dodd-Frank’s command against consideration of “other costs incurred by an issuer which are not specific to a particular electronic debit transaction.” The court held, in a decision that hinged on discerning statutory intent from the omission of a comma, that when setting the fee cap the Board could consider both the incremental costs associated with the authorization, clearance, and settlement of debit card transactions (ACS costs) and other, additional, non-ACS costs associated with a particular transaction (such as software and equipment). The court further concluded that the Board could consider all ACS costs, network processing fees, and fraud losses. The court, however, remanded the question of whether the Board could also consider transaction-monitoring costs when setting the fee cap, given that monitoring costs are already accounted for in another portion of the statute.
Finally, the court rejected the merchants’ argument that the Board’s final rule should have required the card issuers to allow their cards to be processed on at least two unaffiliated networks per method of authentication (i.e., PIN authentication or signature authentication) holding that the statute goes no further than preventing card issuers or networks from requiring the exclusive use of a particular network.
On March 7, Visa and Mastercard announced the formation of a cross-industry payment security working group, which the payment system providers state will be focused on “enhancing payment system security to keep pace with the expectations of consumers, retailers and financial institutions.” The group’s initial focus will be on supporting the adoption of EMV chip technology in the United States. In addition, the group will promote tokenization and point-to-point encryption, and will develop “an actionable roadmap for securing the future across all segments of the payments industry.” The group will include representatives from banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups.
State Banking Associations Object To Senators’ Request For Increased Bank Payment System Security Oversight
On March 5, 53 state bankers associations sent a letter to Federal Reserve Board Chair Janet Yellen defending banks’ efforts to secure consumer financial data and highlighting the responsibilities of other parties, in particular merchants, to do the same. The banking associations, representing bankers in every state and Puerto Rico, took issue with a letter Democratic Senators Dick Durbin (D-IL) and Al Franken (D-MN) sent last month to the Federal Reserve Board Chair seeking information about the Board’s oversight of card issuers’ fraud prevention policies and recommending that the Board do more to verify the effectiveness of such policies. The banking associations contend that the Senators’ letter is a “thinly veiled effort to once again advance the regulation of interchange under the guise of current concerns over data security,” and criticize the Senators for converting a discussion about security responsibilities into one about interchange fees.
On February 20, the CSBS announced the formation of an Emerging Payments Task Force to study changes in payment systems—including virtual currencies and other innovations—to determine the potential impact on consumer protection, state law, and banks and nonbank entities chartered or licensed by the states. The Task Force is comprised of nine state regulators, including New York State Department of Financial Services Superintendent Lawsky, who has recently indicated New York will seek to become the first state to directly address virtual currency through new regulations. The Task Force will be chaired by David Cotney, Commissioner of the Massachusetts Division of Banks, who testified on these issues on behalf of the CSBS last fall before the Senate Banking Committee. The CSBS stated that the Task Force will “take a comprehensive approach to studying the changing payment systems” by engaging with a broad range of federal, state, and industry stakeholders to understand how new entrants and technologies affect the stability of payment systems and the broader financial marketplace and “to develop ideas for connecting the emerging payments landscape to the financial regulatory fabric.”
This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limit the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S.
Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
This week, New York State Department of Financial Services (NY DFS) Superintendent Benjamin Lawsky presided over a two-day hearing regarding emerging virtual currencies and the appropriate role of regulation. The hearing was the next step in an inquiry announced last August, and was held as the NY DFS considers developing a state license specific to virtual currency that would subject operators to state oversight. The panels featured the views of private investors, virtual currency firms, regulatory experts, and law enforcement officials. From our view inside the room, the most prominent theme to emerge is that regulators will need to strike a balance between protecting the public interest—both from a consumer protection standpoint and with regard to the potential for criminal activity—while allowing emerging virtual currency technologies to develop, evolve, and thrive.