[Federal Register Volume 76, Number 139 (Wednesday, July 20, 2011)]
[Rules and Regulations]
[Pages 43478-43488]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-16860]
[[Page 43477]]
Vol. 76
Wednesday,
No. 139
July 20, 2011
Part III
Federal Reserve System
-----------------------------------------------------------------------
12 CFR Part 235
Debit Card Interchange Fees and Routing; Interim Final Rule
��Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 /
Rules and Regulations��
[[Page 43478]]
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
12 CFR Part 235
[Regulation II; Docket No. R-1404]
RIN 7100-AD 63
Debit Card Interchange Fees and Routing
AGENCY: Board of Governors of the Federal Reserve System.
ACTION: Interim final rule; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Board is adopting an interim final rule and requesting
comment on provisions in Regulation II (Debit Card Interchange Fees and
Routing) adopted in accordance with Section 920(a)(5) of the Electronic
Fund Transfer Act, which governs adjustments to debit interchange
transaction fees for fraud-prevention costs. The provisions allow an
issuer to receive an adjustment of 1 cent to its interchange
transaction fee if the issuer develops, implements, and updates
policies and procedures reasonably designed to identify and prevent
fraudulent electronic debit transactions; monitor the incidence of,
reimbursements received for, and losses incurred from fraudulent
electronic debit transactions; respond appropriately to suspicious
electronic debit transactions so as to limit the fraud losses that may
occur and prevent the occurrence of future fraudulent electronic debit
transactions; and secure debit card and cardholder data. If an issuer
meets these standards and wishes to receive the adjustment, it must
certify its eligibility to receive the fraud-prevention adjustment to
the payment card networks in which the issuer participates.
DATES: The interim final rule is effective October 1, 2011.
Comment Period: Comments must be submitted by September 30, 2011.
ADDRESSES: You may submit comments, identified by Docket No. R-1404 and
RIN No. 7100 AD 63, by any of the following methods:
Agency Web Site: http://www.federalreserve.gov. Follow the
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov. Follow the
instructions for submitting comments.
E-mail: [email protected]. Include the docket number
in the subject line of the message.
Fax: (202) 452-3819 or (202) 452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors of the
Federal Reserve System, 20th Street and Constitution Avenue, NW.,
Washington, DC 20551.
You must use only one method when submitting comments. All public
comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted,
unless modified for technical reasons. Accordingly, your comments will
not be edited to remove any identifying or contact information.
Public comments may also be viewed electronically or in paper in
Room MP-500 of the Board's Martin Building (20th and C Streets, NW.)
between 9 a.m. and 5 p.m. on weekdays.
FOR FURTHER INFORMATION CONTACT: Dena Milligan, Attorney (202/452-
3900), Legal Division, David Mills, Manager and Economist (202/530-
6265), Division of Reserve Bank Operations & Payment Systems; for users
of Telecommunications Device for the Deaf (TDD) only, contact (202/263-
4869); Board of Governors of the Federal Reserve System, 20th and C
Streets, NW., Washington, DC 20551.
SUPPLEMENTARY INFORMATION
I. Section 920 of the Electronic Fund Transfer Act
The Dodd-Frank Wall Street Reform and Consumer Protection Act (the
``Dodd-Frank Act'') (Pub. L. 111-203, 124 Stat. 1376 (2010)) was
enacted on July 21, 2010. Section 1075 of the Dodd-Frank Act amends the
Electronic Fund Transfer Act (``EFTA'') (15 U.S.C. 1693 et seq.) by
adding a new Section 920 regarding interchange transaction fees and
rules for payment card transactions.
Section 920 of the EFTA provides that, effective July 21, 2011, the
amount of any interchange transaction fee that an issuer receives or
charges with respect to an electronic debit transaction must be
reasonable and proportional to the cost incurred by the issuer with
respect to the transaction. This section requires the Board to
establish standards for assessing whether an interchange transaction
fee is reasonable and proportional to the cost incurred by the issuer
with respect to the transaction. The Board has separately adopted a
final rule implementing standards for assessing whether interchange
transaction fees meet the requirements of Section 920(a) and
establishing rules regarding routing choice and network exclusivity
required by Section 920(b).\1\
---------------------------------------------------------------------------
\1\ Regulation II (published elsewhere in the Federal Register),
defines an interchange transaction fee (or ``interchange fee'') to
mean any fee established, charged, or received by a payment card
network and paid by a merchant or acquirer for the purpose of
compensating an issuer for its involvement in an electronic debit
transaction.
---------------------------------------------------------------------------
Under EFTA Section 920(a)(5), the Board may allow for an adjustment
to an interchange transaction fee amount received or charged by an
issuer if (1) Such adjustment is reasonably necessary to make allowance
for costs incurred by the issuer in preventing fraud in relation to
electronic debit card transactions involving that issuer, and (2) the
issuer complies with fraud-prevention standards established by the
Board. Those standards must be designed to ensure that any adjustment
is limited to the reasonably necessary fraud-prevention allowance
described in clause (1) Above; takes into account any fraud-related
reimbursements received from consumers, merchants, or payment card
networks (including amounts from chargebacks) in relation to electronic
debit transactions involving the issuer; and requires issuers to take
effective steps to reduce the occurrence of, and costs from, fraud in
relation to electronic debit transactions, including through the
development and implementation of cost-effective fraud-prevention
technology.\2\
---------------------------------------------------------------------------
\2\ Regulation II defines electronic debit transaction (or
``debit card transaction'') to mean the use of a debit card (which
includes a general-use prepaid card), by a person as a form of
payment in the United States to initiate a debit to an account. This
term does not include transactions initiated at an automated teller
machine (ATM), including cash withdrawals and balance transfers
initiated at an ATM.
---------------------------------------------------------------------------
In issuing the standards and prescribing regulations for the
adjustment, the Board must consider (1) The nature, type, and
occurrence of fraud in electronic debit transactions; (2) the extent to
which the occurrence of fraud depends on whether the authentication in
an electronic debit transaction is based on a signature, personal
identification number (PIN), or other means; (3) the available and
economical means by which fraud on electronic debit transactions may be
reduced; (4) the fraud-prevention and data-security costs expended by
each party involved in the electronic debit transactions (including
consumers, persons who accept debit cards as a form of payment,
financial institutions, retailers, and payment card networks); (5) the
costs of fraudulent transactions absorbed by each party involved in
such transactions (including consumers, persons who accept debit cards
as a form of payment, financial institutions, retailers, and payment
card networks); (6) the extent to which interchange transaction fees
have in the past reduced or increased incentives for
[[Page 43479]]
parties involved in electronic debit transactions to reduce fraud on
such transactions; and (7) such other factors as the Board considers
appropriate.
II. Outreach and Information Collection
Following the enactment of the Dodd-Frank Act, the Board gathered
information about fraud-prevention programs in the debit card industry
in several ways. Board staff held numerous meetings with debit card
issuers, payment card networks, merchant acquirers, merchants, industry
trade associations, and consumer groups to discuss these programs.
Topics discussed in those meetings included technological innovation in
fraud prevention, fraud loss allocation among parties to electronic
debit transactions, and fraud risk associated with different types of
electronic debit transactions (e.g., signature and PIN debit
transactions).
In September 2010, the Board surveyed 131 bank holding companies
and other financial institutions that, together with affiliates, have
assets of $10 billion or more, and 16 payment card networks. As part of
those surveys, the Board gathered information about the nature, type,
and occurrence of fraud in electronic debit transactions; the losses
due to fraudulent transactions absorbed by parties involved in those
transactions; and the fraud-prevention and data-security activities and
costs and related research and development costs (herein, collectively,
referred to as fraud-prevention activities and costs) incurred by
issuers in 2009.\3\ From these surveys, the Board was able to estimate
industry-wide fraud losses to all parties of a debit card transaction
and to perform a more detailed analysis of fraud losses by type of
authentication method (e.g., PIN or signature). The survey data also
provided an estimate of the loss allocation among parties to the
transaction.\4\
---------------------------------------------------------------------------
\3\ The surveys also requested information regarding the number
of cards and accounts, the number and value of debit card
transactions processed, interchange revenue received from networks,
various costs associated with processing debit card transactions and
operating a card program, and exclusivity arrangements and routing
procedures.
\4\ The Board reported preliminary survey results in the
proposed rule (See 75 FR 81740-41, Dec. 28, 2010). Since that time,
Board staff has further analyzed the data and addressed a number of
minor problems, changing the number of usable responses. Fur
example, some issuers provided fraud loss for certain types of fraud
but did not report total fraud losses. In those instances, the sum
of the reported fraud losses was used as that respondent's total
fraud loss. In other instances, issuers misreported total fraud
losses in a different field. Those totals were included in
subsequent analysis of the data. In addition, prepaid fraud loss and
fraud-prevention cost data have been included where appropriate.
Therefore, in certain instances, some data reported in the initial
proposal have changed. These data are reported separately (see
``2009 Interchange Revenue, Covered Issuer Cost, and Covered Issuer
and Merchant Fraud Loss Related to Debit Card Transactions''
published on the Board's Web site at http://www.federalreserve.gov),
and some data are discussed later in this notice.
---------------------------------------------------------------------------
III. Proposal
In December 2010, the Board requested comment on proposed
Regulation II, Debit Card Interchange Fees and Routing.\5\ As part of
that proposal, the Board requested comment on two approaches to
designing a framework for the fraud-prevention adjustment to the
interchange transaction fee: A technology-specific approach and a non-
prescriptive approach.\6\ The technology-specific approach would allow
an issuer to recover some or all of its costs incurred for implementing
major innovations that would likely result in substantial reductions in
fraud losses. Under this approach, the Board would identify paradigm-
shifting technologies that would reduce debit card fraud in a cost-
effective manner. The alternative approach would establish a more
general standard that an issuer must meet to be eligible to receive an
adjustment for fraud-prevention costs.
---------------------------------------------------------------------------
\5\ A final rule addressing other provisions in Regulation II is
published elsewhere in the Federal Register.
\6\ See 75 FR 81742-81743 (Dec. 28, 2010).
---------------------------------------------------------------------------
The Board requested comment on various aspects of these approaches.
For example, the Board requested information about the benefits and
drawbacks of each approach, possible frameworks to implement the
approaches, and the technologies or types of fraud-prevention
activities whose costs should be considered under each approach. The
Board also asked whether there were additional approaches that should
be considered. Given survey data showing a substantially lower
incidence of fraud for PIN debit transactions in comparison to
signature-debit transactions, the Board also asked whether an
adjustment should only be for PIN-based transactions.\7\ The Board
noted that comments received would be considered in the development of
a specific proposal for further public comment.
---------------------------------------------------------------------------
\7\ Survey data shows that signature-debit fraud losses are
approximately four times PIN-debit fraud losses.
---------------------------------------------------------------------------
IV. Overview of Comments and Interim Final Rule
The Board received numerous comments on the fraud-prevention
adjustment from issuers, depository institution trade associations,
payment card networks, merchants, merchant trade associations,
individuals, consumer groups, technology companies, consultants, other
government agencies, and members of Congress.
The comments were generally focused on four main topics: (1)
Whether the overall framework for the adjustment should be technology-
specific or non-prescriptive; (2) what form the fraud-prevention
adjustment should take, i.e., should the adjustment be tied to an
eligible issuers' costs, perhaps up to a specific cap, or be uniform
across eligible issuers; (3) whether the adjustment should apply only
to particular authentication methods, such as for PIN-based
authentication; and (4) the time frame for the effective date for the
fraud-prevention adjustment. These comments are summarized below and
are described in more detail in the Section Analysis.
Although there was not agreement on whether to pursue a technology-
specific or non-prescriptive approach, commenters generally agreed that
the Board should not mandate use of specific technologies. Merchant
commenters generally favored the paradigm-shifting approach.\8\ These
commenters stated that the fraud-prevention adjustment should not cover
costs associated with securing technologies that were known to be less
effective at preventing fraud than other available technologies.\9\
---------------------------------------------------------------------------
\8\ Merchants proposed a framework where an issuer receives an
adjustment only if both the merchant and issuer use an eligible low-
fraud technology.
\9\ For example, merchant commenters argued that the fraud-
prevention adjustment should not include activities aimed at
securing signature debit transactions when PIN transactions are
known to have lower incidence of fraud and lower average fraud loss
per incident.
---------------------------------------------------------------------------
In contrast, issuer commenters of all sizes and payment card
networks preferred the non-prescriptive approach that would allow
issuers to have the flexibility to tailor their fraud-prevention
activities to address most effectively the risks they faced associated
with changing fraud patterns. Issuer commenters also opposed a fraud-
prevention adjustment only for particular authentication methods,
noting that an adjustment favoring a particular authentication method
may not provide sufficient incentives to invest in other potentially
more effective authentication methods.
In addition, among all types of commenters, there was a general
consensus that the fraud-prevention adjustment should be effective at
the same time as the interchange fee
[[Page 43480]]
standard--either on July 21, 2011, or at a later date as suggested by
some commenters. Many merchant commenters believed that the Board
demonstrated that it had sufficient information to establish a fraud-
prevention adjustment by the statutory effective date. Some commenters,
particularly issuers and networks, argued that it was important to have
the fraud-prevention adjustment in place alongside the rest of the
interchange fee standards in order to avoid any gaps in the ability to
fund certain fraud-prevention activities.
Under the interim final rule, if an issuer meets standards set
forth by the Board, it may receive or charge a fraud-prevention
adjustment of no more than 1 cent per transaction to any interchange
transaction fee it receives or charges in accordance with Sec. 235.3.
To be eligible to receive the fraud-prevention adjustment, an issuer
must develop and implement policies and procedures reasonably designed
to (1) Identify and prevent fraudulent electronic debit transactions;
(2) monitor the incidence of, reimbursements received for, and losses
incurred from fraudulent electronic debit transactions; (3) respond
appropriately to suspicious electronic debit transactions so as to
limit the fraud losses that may occur and prevent the occurrence of
future fraudulent electronic debit transactions; and (4) secure debit
card and cardholder data. An issuer must review its fraud-prevention
policies and procedures at least annually, and update them as necessary
to address changes in the prevalence and nature of fraudulent
electronic debit transactions and the available methods of detecting,
preventing, and mitigating fraud. Finally, the issuer must certify, on
an annual basis, its compliance with the Board's standards to the
payment card networks in which the issuer participates.\10\
---------------------------------------------------------------------------
\10\ The interim final rule applies to issuers and cards that
are covered under the interchange fee standards. See discussion of
the exemptions to the interchange fee standards in Sec. 235.5 of
Regulation II, Debit Card Interchange Fee and Routing--Final Rule,
published elsewhere in the Federal Register.
---------------------------------------------------------------------------
The interim final rule will be effective concurrent with the
interchange fee standard on October 1, 2011. Issuers must comply with
the Board's fraud-prevention standards by that date in order to receive
or charge the fraud-prevention adjustment to the interchange
transaction fee on that date. The Board requests comment on all aspects
of the interim final rule and will consider these comments in
developing the final rule.
V. Section Analysis
Section 235.4 sets forth the circumstances under which an issuer
may receive or charge a fraud-prevention adjustment as an amount in
addition to the amount permitted as an interchange transaction fee
under Sec. 235.3. Section 235.4 also prescribes the maximum amount of
such adjustment.
A. Statutory Considerations
EFTA Section 920(a)(5) requires the Board to consider several
different factors in prescribing regulations related to the fraud-
prevention adjustment. This section discusses each of those factors.
Nature, type, and occurrence of fraud. The Board's survey of debit
card issuers and payment card networks provided information about the
nature, type, and occurrence of fraud in electronic debit transactions.
From the card issuer and network surveys, the Board estimates that
industry-wide fraud losses to all parties of debit (including prepaid)
card transactions were approximately $1.34 billion in 2009.\11\ Based
on data provided by covered issuers, about 0.04 percent of purchase
transactions were fraudulent, with an average loss per purchase
transaction of about 4 cents, or about 9 basis points of transaction
value.\12\
---------------------------------------------------------------------------
\11\ Industry-wide fraud losses were extrapolated from data
reported in the issuer and network surveys conducted by the Board.
Of the 89 issuers that responded to the issuer survey, 52 issuers
provided data on fraud losses related to their debit (including
prepaid) card transactions. These issuers reported $726 million in
fraud losses to all parties of card transactions and represented 54
percent of the total transactions reported by networks.
\12\ The percent of purchase transactions that are fraudulent is
the number of fraudulent transactions divided by the number of
purchase transactions. The average loss per purchase transaction is
the dollar amount of fraud losses divided by the number of purchase
transactions. The average loss per purchase transaction in basis
points is the dollar amount of fraud losses divided by the dollar
amount of purchase transactions.
---------------------------------------------------------------------------
The most commonly-reported and highest cost fraud types were
counterfeit card fraud, lost and stolen card fraud, and mail,
telephone, and Internet order (i.e., card-not-present) fraud.\13\ For
signature and PIN debit card (including prepaid card) transactions
combined, counterfeit card fraud represented 0.01 percent of all
purchases transactions with an average loss of 2 cents per transaction
and 4 basis points of transaction value. Lost and stolen card fraud was
less than 0.01 percent of all purchase transactions with an average
loss of 1 cent per transaction and 1 basis point of transaction value.
Mail, telephone, and Internet order fraud was 0.01 percent of all
purchase transactions with an average loss of 1 cent per transactions
and 2 basis points of transaction value.
---------------------------------------------------------------------------
\13\ Some issuers reported ATM fraud, which was excluded from
fraud loss totals because ATM transactions are not defined in the
statute or final rule as electronic debit transactions.
---------------------------------------------------------------------------
Extent to which the occurrence of fraud depends on authentication
mechanism. The issuer survey data also provided information about the
extent to which the occurrence of fraud depends on whether the
transaction is authenticated with a signature or a PIN. Of the
approximately $1.34 billion estimated industry-wide fraud losses, about
$1.11 billion of these losses arose from signature debit card
transactions and about $181 million arose from PIN debit card
transactions.\14\ The higher losses for signature debit card
transactions are attributable to both a higher rate of fraud and higher
transaction volume for signature debit card transactions. The data
showed that about 0.06 percent of signature debit and 0.01 percent of
PIN debit purchase transactions were reported as fraudulent. For
signature debit, the average loss was 5 cents per transaction, and
represented about 13 basis points of transaction value. For PIN debit,
the average loss was 1 cent per transaction, and was almost 3 basis
points of transaction value. Thus, on a per-dollar basis, signature
debit fraud losses are approximately 4 times PIN debit fraud
losses.\15\
---------------------------------------------------------------------------
\14\ The sum of card program fraud losses will not equal the
industry-wide fraud losses due to different sample sizes and
rounding.
\15\ The survey data did not break out prepaid card PIN
transactions from prepaid card signature transactions. For all
prepaid debit transactions, about 0.03 percent of purchase
transactions were fraudulent, the average loss was 1 cent per
transaction, and 4 basis points of transaction value.
---------------------------------------------------------------------------
The different fraud loss rates for signature and PIN transactions
reflect, in part, differences in the ease of fraud associated with the
two authentication methods. A signature debit card transaction requires
information that is typically contained on the card itself in order for
card and cardholder authentication to take place. Therefore, a thief
only needs to steal information on the card in order to commit
fraud.\16\ In contrast, a PIN debit card transaction requires not only
information contained on the card itself, but also something only the
cardholder should know, namely the PIN. In this case, a thief generally
needs both the information on the card and the cardholder's PIN to
commit fraud.
---------------------------------------------------------------------------
\16\ Among other things, information on the card includes the
card number, the cardholder's name, and the cardholder's signature.
---------------------------------------------------------------------------
Virtually all Internet debit card transactions are routed over
signature
[[Page 43481]]
debit networks. Card issuers responding to the Board's survey reported
that, in signature debit systems, fraud losses for all parties to card-
not-present transactions were higher than fraud losses for card-present
transactions. On a transactions-weighted average, card-not-present
fraud losses represented 17 basis points of the value of card-not-
present signature debit transactions. Card-present fraud losses
represented 11 basis points of the value of card-present signature
debit transactions and were over 3 times greater than the fraud loss
value, in basis points, associated with PIN debit card-present
transactions.
Available and economical means by which fraud may be reduced. The
Board requested information about issuers' fraud-prevention activities
and costs in its survey. Issuers identified several categories of
activities used to detect, prevent, and mitigate fraudulent electronic
debit transactions, including transaction monitoring; merchant
blocking; card activation and authentication systems; PIN
customization; system and application security measures, such as
firewalls and virus protection software; and ongoing research and
development focused on making an issuer's fraud-prevention practices
more effective.
The median amount spent by issuers on all reported fraud-prevention
activities was approximately 1.8 cents per transaction. The most
commonly reported fraud-prevention activity was transaction monitoring,
which generally includes activities related to the authorization of a
particular electronic debit transaction, such as the use of neural
networks and automated fraud risk scoring systems that may lead to the
denial of a suspicious transaction. At the median, issuers reported
spending approximately 0.7 cents per transaction on transactions
monitoring activity.\17\
---------------------------------------------------------------------------
\17\ Transaction monitoring costs were included in the costs
used as the basis for the interchange fee standard rather than the
fraud-prevention adjustment. See discussion of Sec. 235.4(a) below.
---------------------------------------------------------------------------
Fraud-prevention costs expended by different parties. All parties
to debit card transactions incur fraud-prevention costs. For example,
some consumers routinely monitor their accounts for unauthorized debit
card purchases; however, consumer costs are difficult to quantify. Some
issuers, merchants, and acquirers pay networks, processors, or third-
party vendors for fraud-prevention tools such as neural networks and
access to databases about compromised cards and accounts. In addition
to services they may purchase from others, merchants may develop their
own fraud-prevention tools. For example, many large online merchants
implement extra security measures to verify the legitimacy of a
purchase. Typically these checks occur between the time a card is
authorized by the issuer and the product is shipped to the purchaser.
In their comments, several online merchants noted that they have
developed sophisticated fraud risk management systems that include both
manual review and automated processes, which have reduced fraud rates
to levels at or below card-present rates at other merchants. In
addition to these investments, merchants also take steps to secure data
and comply with Payment Card Industry Data Security Standards (PCI-
DSS).\18\ In their comments, several merchants noted that these
compliance costs can be substantial. As discussed more fully elsewhere
in this notice, issuers incur costs for a variety of fraud-prevention
activities.
---------------------------------------------------------------------------
\18\ The Payment Card Industry (PCI) Security Standards Council
was founded in 2006 by five card networks--Visa, Inc., MasterCard
Worldwide, Discover Financial Services, American Express, and JCB
International. These card brands share equally in the governance of
the organization, which is responsible for development and
management of PCI Data Security Standards (PCI-DSS). PCI-DSS is a
set of security standards that all payment system participants,
including merchants and processors, are required to meet in order to
participate in payment card systems.
---------------------------------------------------------------------------
Costs of fraudulent transactions absorbed by the different parties.
Using the issuer survey data, the Board estimated the cost of
fraudulent transactions absorbed by different parties to a debit card
transaction. Based on the issuer survey responses, almost all of the
reported fraud losses associated with debit card transactions fall on
the issuers and merchants.\19\ In particular, across all types of
transactions, 62 percent of reported fraud losses were borne by issuers
and 38 percent were borne by merchants.
---------------------------------------------------------------------------
\19\ Most issuers reported that they offer zero or very limited
liability to cardholders, in addition to the EFTA limits on consumer
liability for unauthorized electronic fund transfers afforded to
consumers, such that the fraud loss borne by cardholders is
negligible. See 15 U.S.C. 1693g and 12 CFR 205.6. Payment card
networks and merchant acquirers also reported very limited fraud
losses for themselves.
---------------------------------------------------------------------------
The distribution of fraud losses between issuers and merchants
depends, in part, on the authentication method used in a debit card
transaction. Issuers and payment card networks reported that nearly all
the fraud losses associated with PIN debit card transactions (96
percent) were borne by issuers. In contrast, reported fraud losses were
distributed much more evenly between issuers and merchants for
signature debit card transactions. Specifically, issuers and merchants
bore 59 percent and 41 percent of signature debit fraud losses,
respectively.\20\
---------------------------------------------------------------------------
\20\ For prepaid card transactions, issuers bore two-thirds and
merchants bore one-third of fraud losses.
---------------------------------------------------------------------------
In general, merchants are subject to greater liability for fraud in
card-not-present transactions than in card-present transactions.
According to the survey data, merchants assume approximately 74 percent
of signature debit card fraud for card-not-present transactions,
compared to 23 percent for card-present signature debit card fraud.\21\
---------------------------------------------------------------------------
\21\ These percentages may differ from those noted in the
Board's proposal (See 75 FR 81741, Dec. 28, 2010) because the number
of usable survey responses has changed.
---------------------------------------------------------------------------
Extent to which interchange transaction fees have in the past
affected fraud-prevention incentives. Issuers have a strong incentive
to protect cardholders and reduce fraud independent of interchange fees
received. Competition for cardholders suggests that protecting their
cardholders from fraud is good business practice for issuers. Higher
interchange revenues may have allowed issuers to offset both their
fraud losses and fraud-prevention costs and fund innovation on fraud-
prevention tools and activities. Merchant commenters argued that,
historically, the higher interchange revenue for signature debit
relative to PIN debit has encouraged issuers to promote the use of
signature debit over PIN debit, even though signature debit has
substantially higher rates of fraud.
B. Section 235.4(a) Adjustment Amount
Section 235.4(a) permits an issuer to increase the amount of the
interchange transaction fee it may receive or charge under Sec. 235.3
by no more than 1 cent if the issuer complies with the standards in
Sec. 235.4(b). Section 235.4(a) does not differentiate the adjustment
by authentication method or by type of transaction.\22\
---------------------------------------------------------------------------
\22\ For example, an issuer that complies with the fraud-
prevention standards would be eligible to receive an interchange fee
equal to the sum of the 21 cent base component, the 5 basis point ad
valorem component, and the 1 cent fraud-prevention adjustment,
equaling a total of 22 cents plus 5 basis points of the
transaction's value for each electronic debit transaction.
---------------------------------------------------------------------------
1. Request for Comment and Comments Received
To inform its rulemaking, the Board's December 2010 proposal
requested comment on whether the fraud-prevention adjustment should use
the same implementation approach as the interchange fee standard; that
is, either (1) An issuer-specific adjustment, with a safe harbor and a
cap, or (2) a cap regardless of an issuer's costs. In a
[[Page 43482]]
related question, the Board also asked whether the adjustment should
apply only to PIN-based transactions, in light of the fact that, as
reported above in the statutory considerations section, signature debit
fraud losses are approximately four times PIN debit fraud losses on a
per-dollar basis.
In considering the implementation approach, many commenters
referred to the statutory language that an adjustment should be
``reasonably necessary to make allowance for costs incurred by the
issuer in preventing fraud in relation to electronic debit card
transactions involving that issuer.'' They pointed to the term
``reasonably necessary'' as their basis for making arguments both for
and against a cap on the amount of the adjustment. For example, most
merchant commenters argued that it would be reasonably necessary for
individual issuers to recover their initial capital costs for certain
technologies, up to a cap equal to the cost associated with PIN debit
card fraud-prevention activities.\23\ They supported a process where
issuers offered technologies with fraud loss rates lower than that for
PIN debit transactions and merchants could choose whether or not to
adopt these technologies. One merchant commenter opposed both a fixed
amount and a cap as being counter to fair market price negotiation
between the issuers offering technologies and merchants choosing to
adopt these technologies. This commenter also argued that allowing
recovery up to a cap ignored the statutory language to make allowance
for costs ``incurred by the issuer'' and that the relevant cost measure
should be an individual issuer's costs.
---------------------------------------------------------------------------
\23\ See comment from Merchants Payments Coalition.
---------------------------------------------------------------------------
On the other hand, several issuer, network, and depository
institution trade association commenters opposed a cap on the basis
that it limited the recovery of costs that could be determined to be
reasonably necessary to prevent fraud. Some of these commenters noted
that any cap might reduce incentives to invest in innovative fraud-
prevention techniques. A few of them supported a safe harbor to reduce
compliance and supervisory burden and to encourage effective fraud
prevention.
In response to the Board's question regarding whether a fraud-
prevention adjustment should be only for PIN debit transactions,
merchant commenters highlighted the survey data indicating that
signature-debit transactions experience higher average fraud losses
than PIN-debit transactions. They expressed a concern that, in the
past, interchange fees supported incentives for issuers to promote a
less secure form of authentication. Both issuer and merchant commenters
acknowledged that some types of sales environments preclude use of PIN
authentication. However, merchant commenters asserted that, when
signature and PIN methods are available both on the card and at the
sales terminal, issuers often encourage cardholders to route the
transaction using their signature rather than their PIN so that issuers
could receive higher interchange revenue.
A few issuers and networks commented that an adjustment only for
PIN-based transactions would limit incentives to invest in potentially
more effective authentication methods, such as dynamic data, that might
not require a PIN. Some issuers commented that a fraud-prevention
adjustment only for PIN debit transactions may limit fraud-prevention
investments for non-PIN transactions, making these transactions less
secure. According to these commenters, issuers may manage this risk by
assessing cardholder fees on non-PIN transactions or by limiting the
value allowed per transaction. These practices, asserted some issuers,
may reduce sales or increase payment costs, especially for merchants
that do not accept PIN debit cards. Merchant commenters, on the other
hand, urged the Board to consider an adjustment only for technologies
or methods with fraud loss rates lower than the rate for PIN debit card
programs. These commenters argued that debit card transactions
authorized with a PIN have a much lower fraud loss rate than those
authorized with a signature. In particular, merchants did not want
issuers to be reimbursed for efforts to better secure an inherently
less secure authentication method.
2. Interim Final Rule
Section 920(a)(5) permits the Board to allow an adjustment to the
amount of an interchange fee that an issuer may receive if ``such
adjustment is reasonably necessary to make allowance for costs incurred
by the issuer in preventing fraud in relation to electronic debit
transactions involving that issuer.'' Section 920(a)(5) of the EFTA
does not specify what amount, or range of amounts, is considered
``reasonably necessary to make allowance for'' an issuer's fraud-
prevention costs. The phrasing ``reasonably necessary to make allowance
for'' fraud-prevention costs does not require a direct connection
between the fraud-prevention adjustment and actual issuer costs; the
statute requires only that the adjustment be ``reasonably necessary''
and ``make an allowance for'' fraud-prevention costs. Moreover, the
statute does not require the Board to set the adjustment so that each
(or any) issuer fully recovers its fraud-prevention costs. Instead, the
statute provides for an ``allowance for'' fraud-prevention costs. The
Board believes that an amount that makes allowance for an issuer's
fraud-prevention costs is one that gives consideration to those costs,
and allows a reasonable recovery of those costs based on the
considerations in Section 920(a)(5)(B)(ii) described above.\24\
---------------------------------------------------------------------------
\24\ ``Allow for'' may be defined as ``to give consideration to
circumstances or contingencies.'' Merriam-Webster Dictionary
(``allow'' used with ``for'') (online edition).
---------------------------------------------------------------------------
The statute also allows the Board, in setting a fraud-prevention
adjustment, to consider such other factors as the Board considers
appropriate.\25\ As explained below, the Board has considered the
fraud-prevention costs of parties to electronic debit transactions, the
incentives created by the adjustment, and other factors in setting the
adjustment.
---------------------------------------------------------------------------
\25\ See EFTA Section 920(a)(5)(B)(ii)(VII).
---------------------------------------------------------------------------
The Board considered the fraud-prevention costs incurred by all
parties to an electronic debit transaction: Consumers, merchants,
payment card networks, processors, and issuers. The Board narrowed its
focus to costs expended by merchants and issuers because most fraud-
prevention costs are ultimately borne by these parties, and the fraud-
prevention adjustment to the interchange transaction fee is effectively
paid by merchants to issuers.
The Board recognizes that both merchants and issuers incur costs
associated with fraud prevention including, for example, costs to
comply with PCI-DSS and network rules related to fraud prevention. In
addition, several merchant commenters stated that they, like issuers,
have natural incentives to protect customer information and to
safeguard their reputations as careful trustees of this information. To
maintain these reputations and to reduce their exposure to fraud
losses, these commenters noted that they have made substantial
investments in fraud-prevention measures, including, as one online
merchant noted, analysis of Internet Protocol address, Internet service
provider, and device ID information.
For these reasons, the Board has adopted an interim final rule with
a fraud-prevention adjustment set at issuer survey respondents' median
fraud-prevention costs, minus those
[[Page 43483]]
fraud-prevention costs that are already part of the interchange fee
standards.\26\ The median issuer's per-transaction fraud-prevention
cost as reported in response to the Board's survey is 1.8 cents. In its
final rule for the interchange fee standards, the Board has included
costs of transaction-monitoring systems that are integral to the
authorization of a transaction in its setting of the interchange
transaction fee standards. Transaction monitoring systems assist in the
authorization process by providing information to the issuer before the
issuer decides to approve or decline the transaction. Because these
costs are already included for all covered issuers as a basis for
establishing the interchange fee standards, they are excluded from the
costs used to determine the fraud-prevention adjustment.\27\ Issuers
were instructed to separately report the costs of each type of fraud-
prevention activity to the extent possible, and the median issuer's
transactions-monitoring cost is 0.7 cents per transaction. The fraud-
prevention adjustment of 1 cent represents the difference between the
median fraud-prevention cost of 1.8 cents less the median transactions-
monitoring cost of 0.7 cents, rounded to the nearest cent.
---------------------------------------------------------------------------
\26\ The fraud-prevention adjustment does not include an
allowance for fraud losses. EFTA Section 920(a)(5)(A)(i) limits the
adjustment to ``costs incurred by the issuer in preventing fraud.''
Fraud losses are not costs incurred to prevent fraud. The Board
includes issuer fraud losses as a basis for the establishment of the
interchange fee standards in Sec. 235.3 of the final rule. See
notice elsewhere in the Federal Register.
\27\ The median cost of fraud-prevention activities tied to
authorization is about 0.7 cents.
---------------------------------------------------------------------------
The median of the remaining fraud-prevention costs provides some
issuers with recovery of all of these costs and other issuers with
recovery of some of these costs. The Board believes that the median
allowance helps to offset the costs of implementing activities that are
effective at reducing fraud losses while placing cost discipline on
issuers to ensure that those fraud-prevention activities are also cost
effective and recognizing that fraud-prevention costs are incurred by
both merchants and issuers. An issuer that meets the Board standards
(discussed below) may receive the adjustment, even if its fraud-
prevention costs are below the median, and no issuer may receive more
than the median, regardless of its fraud-prevention costs.
The Board is concerned that limiting an adjustment to
authentication methods available today, or a subset of those methods,
may not allow flexibility for issuers to develop other methods of
authentication that may be more effective than today's alternatives and
may not require a PIN. It may also reduce the incentives for issuers to
improve fraud-prevention techniques for systems that, for a variety of
reasons, experience higher fraud rates. Further, the interchange fee
standards set a maximum permissible interchange fee that an issuer may
receive for electronic debit transactions, irrespective of
authentication method. Because issuers are less likely to receive a
higher interchange fee for signature-based transactions, issuer
processing costs for PIN debit transactions are generally less than
those for signature debit transactions, and fraud losses are
significantly lower for PIN debit transactions than for signature debit
transactions, the Board believes that issuers' incentives to encourage
cardholders to use their signature rather than their PIN to
authenticate transactions at the point of sale will diminish.
For these reasons, the Board has adopted a fraud-prevention
adjustment that is the same for each type authentication method.
C. Section 235.4(b)--Adoption of Non-Prescriptive Standards
1. Request for Comment and Comments Received
As discussed above, the Board's proposed rule did not contain a
specific proposal for the fraud-prevention adjustment. Instead, the
Board requested comment on two general approaches to the adjustment: A
technology-specific approach and a non-prescriptive approach. The
technology-specific approach was described as allowing issuers to
recover some or all of its costs, perhaps up to a cap, incurred for
implementing major innovations that would likely result in substantial
reductions in fraud losses. As described in the proposed rule, the
Board would identify paradigm-shifting technologies that would reduce
debit card fraud in a cost-effective manner. The Board noted this
approach might help spur adoption of technologies eligible for a fraud-
prevention adjustment. At the same time, it might also reduce issuer
incentives to invest in more effective and less costly technologies not
identified by the Board.
Although neither merchant nor issuer commenters supported the Board
mandating specific technologies, merchants and their trade associations
preferred the technology-specific approach. Many merchants proposed
that issuers be required to make specific technologies available to
merchants that reduce fraud losses to a level lower than that
associated with PIN debit transactions. They asserted that their
proposal allowed the market, and not the Board, to determine
technologies that are eligible for a fraud-prevention adjustment.\28\ A
merchant commenter suggested that this test could be further
conditioned based on the riskiness of particular merchants. For
example, the calculation of the fraud-prevention adjustment could
consider the rate of fraud-related chargebacks to merchants, and those
merchants with higher rates would pay a higher fraud-prevention
adjustment than would those with lower rates, still up to a cap. One
commenter noted that a metrics-based approach could be applied at the
issuer level rather than at the technology level. For example, only
issuers with a rate of fraud losses lower than the industry average may
be eligible to receive or charge a fraud-prevention adjustment.
---------------------------------------------------------------------------
\28\ See letter from Merchants Payments Coalition. Although the
Merchants Payments Coalition did not propose that the Board identify
technologies in its standards, it did propose that any technologies
issuers want to offer to merchants undergo an application and
approval process, including a public comment period, managed by the
Board.
---------------------------------------------------------------------------
Alternatively, the non-prescriptive approach would entail a more
general set of standards that an issuer must meet to be eligible to
receive an adjustment for fraud-prevention costs. Such standards could
require issuers to take steps reasonably necessary to maintain an
effective fraud-prevention program but not prescribe specific
technologies that must be employed as part of the program. This
approach maintains issuer flexibility in responding to emerging and
changing fraud risks.\29\
---------------------------------------------------------------------------
\29\ For a more detailed description of the two approaches
proposed by the Board, see 75 FR 81742-81743 (Dec. 28, 2010).
---------------------------------------------------------------------------
In their comments, issuers of all sizes, depository institution
trade associations, payment card networks, and a federal regulatory
agency preferred the non-prescriptive approach for a variety of
reasons. Many of these commenters argued that debit card fraud is
dynamic and requires issuers and networks to innovate on an ongoing
basis in order to develop new responses to existing and emerging fraud
risks. The flexibility to develop creative and timely responses, they
noted, is important for detecting and preventing debit card fraud.
Moreover, several of these commenters noted that the industry is better
positioned than the Board to adapt fraud-prevention programs in a
timely manner to respond effectively to changing fraud patterns.\30\
---------------------------------------------------------------------------
\30\ A few commenters, primarily technology vendors,
consultants, and technology associations, supported the Board
mandating particular technologies, such as chip and PIN or
biometrics.
---------------------------------------------------------------------------
[[Page 43484]]
Many of these commenters expressed concerns with the
identification, in any context, of particular technologies eligible for
a fraud-prevention adjustment under a possible technology-specific
approach. For example, several commenters suggested that this approach
assumes that a single or limited set of technologies is more effective
at reducing fraud losses than implementing a variety of technologies,
practices, and methods in combination. To the extent that a set of
technologies is identified, these commenters believed issuers would
most likely invest in the set of technologies for which they can
recover their costs. As a result, they asserted, competition among
issuers (and networks) in fraud prevention will most likely be reduced.
These commenters also echoed a concern noted by the Board in its
December 2010 proposal--a risk that issuers would underinvest in new,
non-eligible technologies, which may be more effective and less costly
than those identified in the standard. Finally, a few of these
commenters suggested that defining a list of eligible technologies
would provide valuable information to fraudsters in their efforts to
weaken mechanisms designed to strengthen security in the payment
system. According to these commenters, such a list would also provide
fraudsters with a good sense of the technologies most likely to be
adopted, if they were not already, by the industry. Ultimately, these
commenters argued that this information could make technologies that
have been identified less effective over the long term.
2. Non-Prescriptive Approach
EFTA Section 920(a)(5) states that the Board's standards must
require an issuer to take effective steps to reduce the occurrence of,
and costs from, fraudulent electronic debit transactions and must
ensure that an issuer implement ``cost-effective'' fraud-prevention
technologies. As explained below, the Board is adopting standards for
assessing whether the fraud-prevention program for an issuer is
designed to reduce fraudulent debit card activity effectively. In
assessing whether a program is effective, the Board does not believe
that Section 920(a)(5) requires that the program prevent all fraud in
order for an issuer to qualify for the fraud-prevention adjustment.
The dynamic nature of the debit card fraud environment requires
standards that permit issuers to determine themselves the best methods
to detect, prevent, and mitigate fraud losses for the size and scope of
their debit card program and to respond to frequent changes in fraud
patterns. Standards that incorporate a technology-specific approach do
not provide sufficient flexibility to issuers to design and adapt
policies and procedures that best meet a particular issuer's needs and
that would most effectively reduce fraud losses for all parties to a
transaction.
A variety of factors may affect the incidence of fraudulent
electronic debit transactions and losses from those transactions, not
all of which can be addressed solely by actions taken by issuers. For
example, an acquirer or merchant processor used by merchants frequented
by an issuer's cardholders may experience a data breach that increases
the number of fraudulent transactions and losses for an issuer. An
issuer's policies and procedures, however, may be able to mitigate the
occurrence of, and costs from, fraudulent electronic debit transactions
resulting from such a data breach. In this circumstance, an issuer's
fraud-prevention policies and procedures may be effective,
notwithstanding the fact that the issuer may have incurred a higher
incidence of fraudulent electronic debit transactions than in more
typical years.
Another factor affecting fraud trends is the nature of the fraud
environment as a ``cat and mouse'' game. For example, as new and more
effective fraud-prevention practices are employed by issuers, these
practices will become targets for fraudsters wanting to compromise card
and cardholder data. As technologies become less effective because of
these efforts by fraudsters, issuers will be expected to find new ways
to strengthen their fraud-prevention measures. To encourage improvement
in fraud-prevention efforts, the interim final rule requires an issuer
to review its policies and procedures, at least annually, and update
them to address changes in the prevalence and nature of fraudulent
electronic debit transactions and available fraud-prevention methods.
Specifying, and limiting the set of, technologies for which issuers
recover their costs may weaken the long-term effectiveness of these
technologies. For example, the risk that fraudsters may use this list
as a way to focus their efforts to compromise card and cardholder data
is material. For these reasons, the Board is adopting as an interim
final rule, and requesting comment on, a non-prescriptive approach for
the fraud-prevention adjustment. The Board invites public comment on
all aspects of the interim final rule, including the questions
specifically raised throughout the notice, and will adjust the rule as
appropriate after consideration of comments received.
3. Develop and Implement Policies and Procedures
Section 235.4(b)(1) requires that in order to be eligible to
receive a fraud-prevention adjustment, an issuer must develop and
implement policies and procedures reasonably designed to (1) Identify
and prevent fraudulent electronic debit transactions; (2) monitor the
incidence of, reimbursements received for, and losses incurred from
fraudulent electronic debit transactions; (3) respond appropriately to
suspicious electronic debit transactions so as to limit the fraud
losses that may occur and prevent the occurrence of future fraudulent
electronic debit transactions; and (4) secure debit card and cardholder
data.
Procedures may include practices, activities, methods, or
technologies that are used to implement and make effective an
institution's fraud-prevention policies. Together, these policies and
procedures shall be reasonably designed to detect, prevent, and
mitigate fraudulent electronic debit transactions and as provided for
in Sec. 235.4(b)(1)(i-iv). Comment 4(b)-1 clarifies that an issuer
must both develop and implement effective policies and procedures.
Comment 4(b)-2 discusses the types of fraud that an issuer's
policies and procedures should address. In its proposal, the Board did
not include regulatory language to define ``fraudulent electronic debit
transaction'' but suggested in the preamble that fraud in the debit
card context should be defined as ``the use of a debit card (or
information associated with a debit card) by a person, other than the
cardholder, to obtain goods, services, or cash without authority for
such use.\31\ This definition is derived from the EFTA's definition of
``unauthorized electronic fund transfer.'' (15 U.S.C. 1693a(11)). One
commenter stated that the definition of ``fraud'' should be expanded to
include so-called ``friendly fraud'' where the cardholder authorizes
the transaction and later claims the transaction cardholder did not
engage in the transaction.
---------------------------------------------------------------------------
\31\ See 75 FR 81722, 81740 (Dec. 28, 2010).
---------------------------------------------------------------------------
In contrast to elsewhere in the EFTA, Section 920 uses the term
``fraud'' rather than ``unauthorized'' transaction. Accordingly, for
purposes of Section 920(a)(5), fraud in relation to electronic debit
transaction may encompass more
[[Page 43485]]
than ``unauthorized'' use of the card. For example, a cardholder may
authorize payment to a fraudulent or ``phony'' merchant that does not
deliver the expected goods or services to the cardholder. Another
transaction that could be considered fraudulent, as suggested by
commenters, is one in which the cardholder authorized the transaction
and received the goods or services, but subsequently alleges
fraudulently that the cardholder never received the goods or services.
The Board has considered the comments and believes that fraud in
electronic debit transactions is broader than unauthorized use and that
whether a transaction is in fact fraudulent will depend on the facts
and circumstances of the transaction.
All types of fraud impose costs on system participants, and the
issuer's costs associated with preventing all types of fraud may be
considered when determining the fraud-prevention adjustment. Under the
interim final rule, the policies and procedures that an issuer must
implement in order to qualify for the fraud-prevention adjustment need
not necessarily address types of fraud, such as authorized transactions
with a fraudulent merchant, that issuers generally have very limited
ability to control. The issuer may choose, however, to include policies
and procedures to minimize such fraudulent transactions if it learns of
a specific fraudulent merchant or scam that its cardholders have
experienced or are likely to experience. In such cases, the issuer
could, for example, alert its cardholders as to the existence of the
particular fraud. The Board requests comment on whether the rule should
include a definition of ``fraud'' or ``fraudulent electronic debit
transaction,'' and if so, what would be an appropriate definition.
Comment 4(b)(1)(i)-1 provides examples of practices that may be
part of an issuer's policies and procedures to identify and prevent
fraudulent electronic debit transactions. Comment 4(b)(1)(i)-2
clarifies that an issuer should assess the effectiveness of different
authentication methods used by its cardholders, including the rate of
fraudulent transactions for each method and consider practices to
encourage the use of more effective authentication methods. This
comment also clarifies that issuers should monitor industry
developments and consider adopting, where practical, new methods of
authentication that are materially more effective than the methods
currently used by its cardholders. The Board requests comment on
whether an issuer's policies and procedures should require an issuer to
assess whether its customer rewards or similar programs provide
inappropriate incentives to use an authentication method that is
demonstrably less effective in preventing fraud.
Comment 4(b)(1)(ii)-1 provides that an issuer must have policies
and procedures designed to monitor the types, number, and value of its
fraudulent electronic debit transactions. The issuer must also track
its and its cardholders' losses from fraudulent electronic debit
transactions, its fraud-related chargebacks to merchant acquirers, and
reimbursements from other parties to the transaction.
Comment 4(b)(1)(iii)-1 provides that an issuer must implement
appropriate responses to suspicious transactions or transactions likely
to be fraudulent. The comment clarifies that the response may be
different depending on the nature of the transaction and may require
the issuer to coordinate with industry organizations, law enforcement
agencies, and other parties to the transaction. Comment 4(b)(1)(iii)-2
clarifies that it is not an appropriate response for the issuer to
merely shift the loss to another party, other than the party that
committed the fraud.
Comment 4(b)(1)(iv)-1 provides that an issuer's policies and
procedures should be designed to secure debit card and cardholder data
that are transmitted to or from an issuer (or its service provider)
during transaction processing, stored by the issuer (or its service
provider), and carried on media by employees or agents of the issuer.
The comment also notes that this standard may be incorporated into an
issuer's information security program as required by Section 501(b) of
the Gramm-Leach-Bliley Act.
4. Review and Update Policies and Procedures
Section 235.4(b)(2) requires that an issuer review and update its
fraud-prevention policies and procedures as least annually. In certain
circumstances, more frequent updates may be necessary if there are
significant changes in fraud types, fraud patterns, or fraud-prevention
techniques or technologies.
Comment 4(b)(2)-1 provides that an issuer should review and update
its policies and procedures if a significant change occurs even if the
issuer reviewed and updated its policies and procedures within the
preceding year.
5. Section 235.4(c) Certification
Section 235.4(c) requires an issuer to certify to its payment card
networks that its fraud-prevention standards comply with the Board's
standards as provided for in Sec. 235.4(b). Issuers that are eligible
for the adjustment should certify their compliance annually to each
payment card network in which the issuer participates that allows
issuers to receive or charge a fraud-prevention adjustment to their
interchange transaction fee as permitted under Sec. Sec. 235.3 and
235.4. The Board expects that these payment card networks will develop
their own processes for identifying issuers eligible for this
adjustment. (See comment 4(c)-1.)
The Board requests comment on whether the rule should establish a
consistent certification process and reporting period for an issuer to
certify to a payment card network that the issuer meets the Board's
fraud-prevention standards and is eligible to receive or charge the
fraud-prevention adjustment.
Form of Comment Letters
Comment letters should refer to Docket No. R-1404 and RIN No. 7100
AD 63 and when possible, should use a standard typeface with a font
size of 10 or 12, to enable the Board to convert text submitted in
paper form to machine-readable form through electronic scanning that
will facilitate automated retrieval of comments for review. Comments
may be mailed electronically to [email protected].
Solicitation of Comments Regarding Use of ``Plain Language''
Section 772 of the Gramm-Leach-Bliley Act of 1999 (12 U.S.C. 4809)
requires the Board to use ``plain language'' in all proposed and final
rules published after January 1, 2000. The Board invites comment on
whether the interim final rule is clearly stated and effectively
organized, and how the Board might make the text of the rule easier to
understand.
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (PRA) (44
U.S.C. 3501-3521; 5 CFR 1320 Appendix A.1), the Board reviewed the
interim final rule under the authority delegated to the Board by the
Office of Management and Budget (OMB). The Board may not conduct or
sponsor, and a respondent is not required to respond to, an information
collection unless it displays a currently valid OMB control number. The
OMB control number will be assigned.
The interim final rule contains requirements subject to the PRA.
The collection of information required by this interim final rule is
found in Sec. 235.4 of Regulation II (12 CFR part 235). Under the
interim final rule, if an issuer
[[Page 43486]]
meets standards set forth by the Board, it may receive or charge an
adjustment of no more than 1 cent per transaction to any interchange
transaction fee it receives or charges in accordance with Sec. 235.3.
To be eligible to receive the fraud-prevention adjustment under
Sec. 235.4(a)(1), an issuer shall develop and implement policies and
procedures reasonably designed to (1) Identify and prevent fraudulent
electronic debit transactions; (2) monitor the incidence of,
reimbursements received for, and losses incurred from fraudulent
electronic debit transactions; (3) respond appropriately to suspicious
electronic debit transactions so as to limit the fraud losses that may
occur and prevent the occurrence of future fraudulent electronic debit
transactions; and (4) secure debit card and cardholder data. An issuer
must review its fraud prevention policies and procedures at least
annually, and update them as necessary to address changes in prevalence
and nature of fraudulent electronic debit transactions and available
methods of detecting, preventing, and mitigating fraud. Finally, the
issuer must certify, on an annual basis, its compliance with the
Board's standards to the payment card networks in which the issuer
participates. The interim final rule will be effective concurrent with
the interchange fee standard on October 1, 2011.
The interim final rule would apply to issuers that, together with
their affiliates, have consolidated assets of $10 billion. The Board
estimates that there are 380 issuers \32\ regulated by the Federal
financial regulatory agencies required to comply with the recordkeeping
and reporting provisions under Sec. 235.4.
---------------------------------------------------------------------------
\32\ For purposes of the PRA, the Board is estimating the burden
for entities currently regulated by the Board, Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation,
Office of Thrift Supervision, and National Credit Union
Administration (collectively, the ``Federal financial regulatory
agencies''). Such entities may include, among others, State member
banks, national banks, insured nonmember banks, savings
associations, and Federally-chartered credit unions.
---------------------------------------------------------------------------
The Board estimates that the 380 issuers would take, on average,
160 hours (one month) to develop and implement policies and train
appropriate staff to comply with the recordkeeping provisions under
Sec. 235.4. This one-time annual PRA burden is estimated to be 60,800
hours. On a continuing basis, the Board estimates issuers would take,
on average, 40 hours (one business week) annually to review its fraud
prevention policies and procedures, updating them as necessary, and
estimates the annual PRA burden to be 15,200 hours. The Board estimates
380 issuers would take, on average, 5 minutes to comply with the
reporting provision under Sec. 235.4(c) (annual certification), and
estimates the annual reporting burden to be 32 hours. The total annual
PRA burden for this information collection is estimated to be 73,032
hours.
Comments are invited on: (1) Whether the proposed collection of
information is necessary for the proper performance of the Board's
functions, including whether the information has practical utility; (2)
the accuracy of the Board's estimate of the burden of the proposed
information collection, including the cost of compliance; (3) ways to
enhance the quality, utility, and clarity of the information to be
collected; and (4) ways to minimize the burden of information
collection on respondents, including through the use of automated
collection techniques or other forms of information technology.
Comments on the collection of information should be sent to Cynthia
Ayouch, Acting Federal Reserve Clearance Officer, Division of Research
and Statistics, Mail Stop 95-A, Board of Governors of the Federal
Reserve System, Washington, DC 20551, with copies of such comments sent
to the Office of Management and Budget, Paperwork Reduction Project
(7100-to be assigned), Washington, DC 20503.
Regulatory Flexibility Act
The Board incorporates by reference the final Regulatory
Flexibility Act analysis published with the Board's Regulation II,
published elsewhere in the Federal Register. That analysis applies to
the Regulation II as a whole, including the fraud-prevention adjustment
adopted in this interim final rule.
Administrative Procedure Act
The Administrative Procedure Act (APA), 5 U.S.C. 551 et seq.,
generally requires public notice before promulgation of regulations.
See 5 U.S.C. 553(b). Unless notice or a hearing is specifically
required by statute, however, the APA also provides an exception ``when
the agency for good cause finds (and incorporates the finding and a
brief statement of reasons therefore in the rules issued) that notice
and public procedure thereon are impracticable, unnecessary, or
contrary to the public interest.'' 5 U.S.C. 553(b)(B).
As an initial matter, Section 920 of the EFTA, as amended by the
Dodd-Frank Act, does not specifically require the Board to provide
notice or a hearing with respect to this rulemaking. In addition, the
Board finds that there is good cause to conclude that providing notice
and an opportunity to comment before issuing this interim final rule
would be contrary to the public interest. As noted above, the Board
received numerous comments that addressed questions posed by the Board
regarding the fraud-prevention adjustment to the interchange
transaction fee. Among all types of commenters, there was a general
consensus that the fraud-prevention adjustment should be effective at
the same time as the interchange fee standard in order to prevent any
gaps in the ability to fund certain fraud-prevention activities.
Without adequate funding, fraud-prevention activities could be reduced,
thereby causing harm to consumers, merchants, and issuers. Moreover,
the Board's data gathering effort provided the Board with sufficient
information to develop and make a fraud-prevention adjustment effective
concurrent with the interchange fee standard. Consequently, the Board
finds that use of notice and comment procedures before issuing these
rules would not be in the public interest. Interested parties will
still have an opportunity to submit comments in response to this
interim final rule. The interim final rule may be modified accordingly.
List of Subjects in 12 CFR Part 235
Banks, banking, Debit card routing, Electronic debit transactions,
and Interchange transaction fees.
Authority and Issuance
For the reasons set forth in the preamble, the Board is amending 12
CFR part 235 as follows:
PART 235--DEBIT CARD INTERCHANGE FEES AND ROUTING
0
1. The authority citation for part 235 continues to read as follows:
Authority: 15 U.S.C. 1693o-2.
0
2. Add Sec. 235.4 to read as follows:
Sec. 235.4 Fraud-prevention adjustment.
(a) In general. If an issuer meets the standards set forth in
paragraph (b) of this section, it may receive or charge an additional
amount of no more than 1 cent per transaction to any interchange
transaction fee it receives or charges in accordance with Sec. 235.3.
(b) Issuer standards. To be eligible to receive the fraud-
prevention adjustment, an issuer shall--
(1) Develop and implement policies and procedures reasonably
designed to--
[[Page 43487]]
(i) Identify and prevent fraudulent electronic debit transactions;
(ii) Monitor the incidence of, reimbursements received for, and
losses incurred from fraudulent electronic debit transactions;
(iii) Respond appropriately to suspicious electronic debit
transactions so as to limit the fraud losses that may occur and prevent
the occurrence of future fraudulent electronic debit transactions; and
(iv) Secure debit card and cardholder data; and
(2) Review its fraud-prevention policies and procedures at least
annually, and update them as necessary to address changes in prevalence
and nature of fraudulent electronic debit transactions and available
methods of detecting, preventing, and mitigating fraud.
(c) Certification. To be eligible to receive or charge a fraud-
prevention adjustment, an issuer that meets the standards set forth in
paragraph (b) of this section must certify such compliance to its
payment card networks on an annual basis.
0
3. Appendix A to part 235 is amended to add new Section 235.4 to read
as follows:
Appendix A to Part 235--Official Board Commentary on Regulation II
* * * * *
Section 235.4 Fraud-Prevention Adjustment
4(b) Issuer Standards
1. In general. Section 235.4(b) does not specify particular
policies and procedures that an issuer must implement. Rather, an
issuer must determine which policies and procedures are reasonably
designed to achieve the objectives set forth in the standards. An
issuer's policies and procedures must include fraud-prevention
technologies and other methods or practices reasonably designed to
detect, prevent, and mitigate fraudulent electronic debit
transactions. An issuer does not satisfy the standards in Sec.
235.4(b) if it merely develops policies and procedures; the issuer
also must implement those policies and procedures. Implementing an
issuer's fraud-prevention policies and procedures should include
training the issuer's employees and agents, as appropriate.
2. An issuer's policies and procedures should address, among
other things, fraud related to debit card use by unauthorized
persons, which is a type of fraud that can be effectively addressed
by the issuer, as the entity with the direct relationship with the
cardholder and that authorizes the transaction. Examples of use by
unauthorized persons include the following:
i. A thief steals a cardholder's wallet and uses the debit card
to purchase goods, without the authority of the cardholder.
ii. A cardholder makes a $100 purchase at a merchant.
Subsequently, the merchant's employee uses information from the
debit card to initiate a subsequent transaction for an additional
$100, without the authority of the cardholder.
iii. A hacker steals cardholder account information from a
merchant processor and uses that information to make unauthorized
purchases of goods or services.
Paragraph 4(b)(1)(i). Identify and prevent fraudulent debit card
transactions.
1. In general. An issuer shall develop and implement policies
and procedures reasonably designed to identify and prevent
fraudulent electronic debit transactions. These policies and
procedures should include activities to prevent, detect, and
mitigate fraud even if the costs of these activities are not
recoverable as part of the fraud-prevention adjustment. The issuer's
policies and procedures may include the following:
i. An automated mechanism to assess the risk that a particular
electronic debit transaction is fraudulent during the authorization
process (i.e., before the issuer approves or declines an
authorization request). For example, an issuer may use neural
networks to identify transactions that present increased risk of
fraud. As a result of this analysis, the issuer may decide to
decline to authorize these transactions. An issuer may not be able
to determine whether a given transaction in isolation is fraudulent
at the time of authorization, and therefore may have policies and
procedures that monitor sets of transactions initiated with a
cardholder's debit card. For example, an issuer could compare a set
of transactions initiated with the card to a customer's typical
transactions in order to determine whether a transaction is likely
to be fraudulent. Similarly, an issuer could compare a set of
transactions initiated with a debit card and common fraud patterns
in order to determine whether a transaction or future transaction is
likely to be fraudulent.
ii. Practices to support reporting of lost and stolen cards or
suspected incidences of fraud by cardholders or other parties to a
transaction. As an example, an issuer may promote customer awareness
by providing text alerts of transactions in order to detect
fraudulent transactions in a timely manner. An issuer may also
report debit cards suspected of being fraudulent to their networks
for inclusion in a database of compromised cards.
iii. Practices to help determine whether a user is authorized to
use the card at the time of a transaction. For example, an issuer
may specify the use of particular technologies or methods, such as
dynamic data, to better authenticate a cardholder at the point of
sale.
2. Review of authentication methods. The issuer's policies and
procedures should include an assessment of the effectiveness of the
different authentication methods that the issuer enables its
cardholders to use, including a review of the rate of fraudulent
transactions for each authentication method. If one method of
authentication results in significantly lower fraud losses than
other method(s) of authentication enabled on the issuer's debit
cards, the issuer should consider practices to encourage its
cardholders to use the more effective authentication method. It
should also consider methods for reducing fraud related to the
authentication method that experiences higher fraud rates. In
addition, the issuer should monitor industry developments and
consider adopting, where practical, new method(s) of authentication
that are materially more effective than the methods currently
available to its cardholders.
Paragraph 4(b)(1)(ii). Monitor the incidence of, reimbursements
received for, and losses incurred from fraudulent electronic debit
transactions.
1. In order to inform its policies and procedures, an issuer
must be able to track its fraudulent electronic debit transactions
over time. Accordingly, an issuer must have policies and procedures
designed to monitor the types, number, and value of fraudulent
electronic debit transactions. In addition, an issuer must track its
and its cardholders' losses from fraudulent electronic debit
transactions, its fraud-related chargebacks to acquirers, and any
reimbursements from other parties. Other reimbursements could
include payments made to issuers as a result of fines assessed to
merchants for noncompliance with Payment Card Industry (PCI) Data
Security Standards or other industry standards.
Paragraph 4(b)(1)(iii). Respond to suspicious electronic debit
transactions.
1. An issuer may identify transactions that it suspects to be
fraudulent after it has authorized or settled the transaction. For
example, a cardholder may inform the issuer that the cardholder did
not authorize a transaction or transactions, or the issuer may learn
of a fraudulent transaction or possibly compromised debit cards from
the network, the acquirer, or other parties. An issuer must have
policies and procedures in place designed to implement an
appropriate response once an issuer has identified suspicious
transactions or transactions likely to be fraudulent. The
appropriate response is likely to differ depending on the
circumstances and the risk of future fraudulent electronic debit
transactions. For example, in some circumstances, it may be
sufficient for an issuer to monitor more closely the account with
the suspicious transactions. In other circumstances, it may be
necessary to reissue cards or close the account. An appropriate
response may also require coordination with industry organizations,
law enforcement agencies, and other parties, such as payment card
networks, merchants, and issuer or merchant processors. An
appropriate response would be reasonably designed to mitigate fraud
losses due to suspicious transactions and transactions alleged to be
fraudulent across all parties to such transactions.
2. An issuer's policies and procedures do not provide an
appropriate response if they merely shift the loss to another party,
other than the party that committed the fraud.
Paragraph 4(b)(1)(iv). Secure debit card and cardholder data.
1. An issuer must have policies and procedures designed to
secure debit card and cardholder data that are transmitted by the
issuer (or its service provider) during transaction processing, that
are stored by the
[[Page 43488]]
issuer (or its service provider), and that are carried on media
(e.g., laptops, transportable data storage devices) by employees or
agents of the issuer. This standard may be incorporated into an
issuer's information security program, as required by Section 501(b)
of the Gramm-Leach-Bliley Act.
Paragraph 4(b)(2) Annual review
1. Periodic updates of policies and procedures. In general, an
issuer must review its policies and procedures at least annually. In
certain circumstances, however, an issuer may need to review and
update its policies and procedures more frequently than once a year.
For example, during a particular year, there may be significant
changes in fraud types, fraud patterns, or fraud-prevention methods
or technologies. If a significant change occurs, an issuer must
review and, if necessary, update its fraud-prevention policies and
procedures to address the significant change, even if the issuer has
reviewed its policies and procedures within the preceding year.
4(c) Certification.
1. To be eligible to receive the fraud-prevention adjustment,
each issuer must certify its compliance with the Board's fraud-
prevention standards to the payment card networks in which it
participates on an annual basis. Payment card networks that plan to
allow issuers to receive or charge a fraud-prevention adjustment
will develop their own processes for identifying issuers eligible
for this adjustment. An issuer need not certify if it chooses not to
receive any fraud-prevention adjustment available through a network.
By order of the Board of Governors of the Federal Reserve
System, June 30, 2011.
Jennifer J. Johnson,
Secretary of the Board.
[FR Doc. 2011-16860 Filed 7-19-11; 8:45 am]
BILLING CODE 6210-01-P