Will Durbin Rule Make Data Less Secure?

WASHINGTON — Sony Corp.'s disclosure that a massive data breach may have let thieves steal the personal information of more than 77 million PlayStation users is playing into the hands of banks attempting to change a Federal Reserve Board proposal to limit debit interchange fees.

While the two issues do not at first appear related, banks have said that once it goes into effect on July 21, the Durbin amendment could weaken data security standards.

Banks and several large technology companies, including Apple Inc. and Microsoft Corp., argue that because the Fed's proposed 12-cent interchange fee cap does not properly take into account the costs of fraud and fraud prevention, banks will inevitably have less money to protect data security, making the entire system less safe.

The PlayStation incident reminds policymakers and the public about the continued dangers of a breach, and reinforces a bank complaint that it is mostly retailers — not the banks themselves — that endanger consumers' private data.

"The latest, and maybe the largest security breach ever, may have put the personal data of 77 million American consumers, including mine, at risk," said Pace Bradshaw, vice president of congressional affairs for the Consumer Bankers Association. "While the details of that specific case continue to unravel, this is a very clear and timely reminder that security measures are not static and should constantly be evaluated and enhanced."

Bradshaw said that "when you look at data security breaches, you don't see many on the bank side."

The PlayStation breach comes at a critical time in the debate, as bankers continue to push to revamp the proposal to account for fraud losses.

Under the Dodd-Frank law, the Fed must ensure debit interchange fees are "reasonable and proportional."

In its Dec. 16 proposal, the central bank proposed a 12-cent cap, but left the door open to an adjustment for fraud prevention, while saying nothing about bearing the costs of fraud losses.

The Fed suggested two separate ways to win a potential fraud prevention adjustment if banks take certain steps.

Under one approach, banks would have to deploy specific forms of security technology, while under the other, banks would have to take "reasonably necessary" steps to prevent fraud, but not have to use specific technologies. It is unclear how much benefit banks will see from the adjustment, as the Fed left its size open-ended.

Bankers argue that the adjustment could potentially let the Fed determine appropriate security standards and may not properly account for the costs of fraud prevention. They also note that the central bank does not address the costs of fraud already incurred by a data breach and other criminal activity.

"You're really not doing us any favors if you only look at fraud prevention," said Jason Kratovil, vice president of congressional relations for the Independent Community Bankers of America. "If you are not looking at the full picture — including mitigating fraud that occurred as a result of a merchant data breach — you are not providing small issuers any comfort or relief at all."

Dan Berger, senior vice president of government affairs for the National Association of Federal Credit Unions, agreed.

"NAFCU is concerned that the real costs of developing, maintaining, innovating and protecting the debit system has not been fully recognized by the price-cap amendment or proposed rule," he said.

It's an issue that also worries members of Congress.

"Everyone is hurt when there's a data security breach," Rep. Shelley Moore Capito, R-W.Va., said in an email to American Banker. "As chairman of the subcommittee on Financial Services and Consumer Credit, I certainly think it's important to make sure consumer and merchant information and data is protected as Dodd-Frank is implemented."

Capito has introduced a bill that would delay the Durbin amendment by a year and give other regulators the power to influence the plan if they determine it doesn't properly take various costs into account, including fraud and fraud prevention.

Some regulators have already weighed in on the issue. In a March letter to the Fed, Acting Comptroller of the Currency John Walsh raised concerns with the central bank's potential fraud prevention adjustment. The agency said that under one possible approach, issuers would only receive the credit for major technological innovations.

"We are concerned that adopting the second alternative would make the board the gatekeeper for determining which innovations are significant enough to be eligible for the adjustment," Walsh wrote. "The OCC encourages national banks to develop technologies to prevent fraud across all product lines and to implement improvements whenever feasible, whether they be product-specific or cut across multiple product lines. This is simply sound banking practice. Allowing cost recovery for only certain technologies, and only when applicable in merchant debit card transactions, runs counter to that fundamental goal."

The issue was highlighted at a Visa Inc. conference on Wednesday. Nessa Feddis, vice president and senior counsel at the American Bankers Association, dismissed the Fed's suggestion of dictating data technology to win a higher interchange fee.

"The Fed dictating technology is an academic exercise rather than a real exercise," she said.

Industry representatives, meanwhile, have said the exclusion of fraud costs is a reason to delay the Durbin amendment.

"There are a number of items that go into the cost of processing a debit transaction … and the Durbin amendment didn't consider many of these, including fraud loss," Bradshaw said. "This is also a reason we need to delay this."

But the merchants and Sen. Dick Durbin, the author of the interchange measure, claim that banks push consumers toward riskier products, including signature debit cards rather than PIN-based transactions, and should bear more of the fraud costs.

"The Durbin amendment will improve data security and the card issuers ought to be honest about that," said Doug Kantor, counsel for the Merchants Payments Coalition.

"Right now they get paid to push products and to push people toward products that create more fraud and have worse data security. That is a profound problem. They get higher profit on signature debit transactions than PIN transactions. … The banks push their customers to act that way because they make more money, and then they push the product on merchants."

Durbin echoed that point in an April 12 open letter to JPMorgan Chase & Co.'s chief executive and president, Jamie Dimon.

"Chase's practice of steering American cardholders toward fraud-prone signature debit stands in stark contrast to Chase's practices in Canada," Durbin wrote.

"The Chase Canada website indicates that 'chip and PIN technology will become available for all Chase Canada MasterCard and Visa cards in 2011.' … It is frankly inexcusable that your bank would urge your American customers to 'always select' a fraud-prone technology while you provide your Canadian customers with technology that enhances security and reduces fraud.

"In contrast to the current U.S. interchange system which rewards banks for promoting fraud-prone signature debit, my amendment will allow interchange fee increases only to those banks that successfully prevent fraud. The Federal Reserve can implement this in its final rulemaking by setting target fraud prevention metrics and allowing increased interchange for banks that meet those targets."

Oliver Ireland, a partner at Morrison & Foerster LLP, dismissed those arguments.

"The vast majority of the merchants can't take PIN, so you are hearing from a minority that can take PIN," Ireland said.

"Secondly, if you talk to the banks that issue cards, what you find is PIN transaction fraud doesn't show up at merchants, because anybody that has managed to get the card number and PIN number uses it at an ATM, so the merchants don't see it. The banks see it."

To be sure, the industry said it would continue to try to protect customers' data, but the revenue to do so would need to be found somewhere.

"When you take some of the resources to prevent fraud, you run the risk to the system because the system won't be as strong as it otherwise could be," said Ken Clayton, senior vice president and chief counsel for the ABA. "We are going to continue to make sure the system is safe and secure. We don't want people to walk away thinking that the system isn't safe and secure, but it's wrong for the merchants to not bear some of the cost of that."

The industry argues that unless the final rule specifically accounts for fraud losses, the customer will end up paying more.

"Right now interchange revenue will in part fund all of the investment and infrastructure to support the network and things like fraud and when there is a data breach that's how the credit unions and banks get reimbursed from a breach," said Trish Wexler, a spokeswoman for the Electronic Payments Coalition.

"The problem with the Fed rule is the way it is written right now is it only allows for in that 7 to 12 cents for the clearing of the transaction and fraud cost is not considered now. At what point if a bank is not compensated for that coverage does the bank start to suffer or that cost gets shifted to the customer?"

Cliff Rossi, a professor at the University of Maryland, agreed data security will suffer.

"If debit interchange fees are significantly lowered, there will be greater sensitivity to low-cost provider networks over best-in-class data security technology," he said. "My expectation is that investment in payment system security technology will moderate somewhat in response to lower interchange fees.

"We've gotten a glimpse of what some firms are likely to do in terms of reduced service, redirection of customers to other payment alternatives such as credit cards and the like."

Kratovil said the community banks won't be able to keep up with the data security concerns under the Durbin amendment.

"It creates both an immediate problem" and a longer-term problem, he said. "Since fraud liability rests largely on issuers, what are individual banks going to do to respond internally?" he said. "And looking to the future, the criminals are getting more sophisticated, and if the money for investments and upgrades is not in the system to respond, how do you keep the technologies on par or ahead of the criminals? … You can't completely ignore it. If you are a community banker, your first priority is protecting your customers. You're not going to stop doing that. But if you have ancillary programs like fraud insurance, third-party neutral networks … maybe you start to scale that back a little."
