Debit Card Interchange Fees and Routing, 43478-43488 [2011-16860]

Download as PDF 43478 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations FEDERAL RESERVE SYSTEM 12 CFR Part 235 [Regulation II; Docket No. R–1404] RIN 7100–AD 63 Debit Card Interchange Fees and Routing Board of Governors of the Federal Reserve System. ACTION: Interim final rule; request for public comment. AGENCY: The Board is adopting an interim final rule and requesting comment on provisions in Regulation II (Debit Card Interchange Fees and Routing) adopted in accordance with Section 920(a)(5) of the Electronic Fund Transfer Act, which governs adjustments to debit interchange transaction fees for fraud-prevention costs. The provisions allow an issuer to receive an adjustment of 1 cent to its interchange transaction fee if the issuer develops, implements, and updates policies and procedures reasonably designed to identify and prevent fraudulent electronic debit transactions; monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions; respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and secure debit card and cardholder data. If an issuer meets these standards and wishes to receive the adjustment, it must certify its eligibility to receive the fraudprevention adjustment to the payment card networks in which the issuer participates. SUMMARY: The interim final rule is effective October 1, 2011. Comment Period: Comments must be submitted by September 30, 2011. ADDRESSES: You may submit comments, identified by Docket No. R–1404 and RIN No. 7100 AD 63, by any of the following methods: Agency Web Site: http:// www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/ generalinfo/foia/ProposedRegs.cfm. Federal eRulemaking Portal: http:// www.regulations.gov. Follow the instructions for submitting comments. E-mail: regs.comments@federalreserve.gov. Include the docket number in the subject line of the message. Fax: (202) 452–3819 or (202) 452– 3102. emcdonald on DSK2BSOYB1PROD with RULES3 DATES: VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. You must use only one method when submitting comments. All public comments are available from the Board’s Web site at http:// www.federalreserve.gov/generalinfo/ foia/ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room MP– 500 of the Board’s Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays. FOR FURTHER INFORMATION CONTACT: Dena Milligan, Attorney (202/452– 3900), Legal Division, David Mills, Manager and Economist (202/530– 6265), Division of Reserve Bank Operations & Payment Systems; for users of Telecommunications Device for the Deaf (TDD) only, contact (202/263– 4869); Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551. SUPPLEMENTARY INFORMATION I. Section 920 of the Electronic Fund Transfer Act The Dodd-Frank Wall Street Reform and Consumer Protection Act (the ‘‘Dodd-Frank Act’’) (Pub. L. 111–203, 124 Stat. 1376 (2010)) was enacted on July 21, 2010. Section 1075 of the DoddFrank Act amends the Electronic Fund Transfer Act (‘‘EFTA’’) (15 U.S.C. 1693 et seq.) by adding a new Section 920 regarding interchange transaction fees and rules for payment card transactions. Section 920 of the EFTA provides that, effective July 21, 2011, the amount of any interchange transaction fee that an issuer receives or charges with respect to an electronic debit transaction must be reasonable and proportional to the cost incurred by the issuer with respect to the transaction. This section requires the Board to establish standards for assessing whether an interchange transaction fee is reasonable and proportional to the cost incurred by the issuer with respect to the transaction. The Board has separately adopted a final rule implementing standards for assessing whether interchange transaction fees meet the requirements of Section 920(a) and establishing rules regarding routing choice and network exclusivity required by Section 920(b).1 1 Regulation II (published elsewhere in the Federal Register), defines an interchange transaction fee (or ‘‘interchange fee’’) to mean any PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 Under EFTA Section 920(a)(5), the Board may allow for an adjustment to an interchange transaction fee amount received or charged by an issuer if (1) Such adjustment is reasonably necessary to make allowance for costs incurred by the issuer in preventing fraud in relation to electronic debit card transactions involving that issuer, and (2) the issuer complies with fraudprevention standards established by the Board. Those standards must be designed to ensure that any adjustment is limited to the reasonably necessary fraud-prevention allowance described in clause (1) Above; takes into account any fraud-related reimbursements received from consumers, merchants, or payment card networks (including amounts from chargebacks) in relation to electronic debit transactions involving the issuer; and requires issuers to take effective steps to reduce the occurrence of, and costs from, fraud in relation to electronic debit transactions, including through the development and implementation of cost-effective fraudprevention technology.2 In issuing the standards and prescribing regulations for the adjustment, the Board must consider (1) The nature, type, and occurrence of fraud in electronic debit transactions; (2) the extent to which the occurrence of fraud depends on whether the authentication in an electronic debit transaction is based on a signature, personal identification number (PIN), or other means; (3) the available and economical means by which fraud on electronic debit transactions may be reduced; (4) the fraud-prevention and data-security costs expended by each party involved in the electronic debit transactions (including consumers, persons who accept debit cards as a form of payment, financial institutions, retailers, and payment card networks); (5) the costs of fraudulent transactions absorbed by each party involved in such transactions (including consumers, persons who accept debit cards as a form of payment, financial institutions, retailers, and payment card networks); (6) the extent to which interchange transaction fees have in the past reduced or increased incentives for fee established, charged, or received by a payment card network and paid by a merchant or acquirer for the purpose of compensating an issuer for its involvement in an electronic debit transaction. 2 Regulation II defines electronic debit transaction (or ‘‘debit card transaction’’) to mean the use of a debit card (which includes a general-use prepaid card), by a person as a form of payment in the United States to initiate a debit to an account. This term does not include transactions initiated at an automated teller machine (ATM), including cash withdrawals and balance transfers initiated at an ATM. E:\FR\FM\20JYR3.SGM 20JYR3 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations parties involved in electronic debit transactions to reduce fraud on such transactions; and (7) such other factors as the Board considers appropriate. emcdonald on DSK2BSOYB1PROD with RULES3 II. Outreach and Information Collection Following the enactment of the DoddFrank Act, the Board gathered information about fraud-prevention programs in the debit card industry in several ways. Board staff held numerous meetings with debit card issuers, payment card networks, merchant acquirers, merchants, industry trade associations, and consumer groups to discuss these programs. Topics discussed in those meetings included technological innovation in fraud prevention, fraud loss allocation among parties to electronic debit transactions, and fraud risk associated with different types of electronic debit transactions (e.g., signature and PIN debit transactions). In September 2010, the Board surveyed 131 bank holding companies and other financial institutions that, together with affiliates, have assets of $10 billion or more, and 16 payment card networks. As part of those surveys, the Board gathered information about the nature, type, and occurrence of fraud in electronic debit transactions; the losses due to fraudulent transactions absorbed by parties involved in those transactions; and the fraud-prevention and data-security activities and costs and related research and development costs (herein, collectively, referred to as fraud-prevention activities and costs) incurred by issuers in 2009.3 From these surveys, the Board was able to estimate industry-wide fraud losses to all parties of a debit card transaction and to perform a more detailed analysis of fraud losses by type of authentication method (e.g., PIN or signature). The survey data also provided an estimate of the loss allocation among parties to the transaction.4 3 The surveys also requested information regarding the number of cards and accounts, the number and value of debit card transactions processed, interchange revenue received from networks, various costs associated with processing debit card transactions and operating a card program, and exclusivity arrangements and routing procedures. 4 The Board reported preliminary survey results in the proposed rule (See 75 FR 81740–41, Dec. 28, 2010). Since that time, Board staff has further analyzed the data and addressed a number of minor problems, changing the number of usable responses. Fur example, some issuers provided fraud loss for certain types of fraud but did not report total fraud losses. In those instances, the sum of the reported fraud losses was used as that respondent’s total fraud loss. In other instances, issuers misreported total fraud losses in a different field. Those totals were included in subsequent analysis of the data. In addition, prepaid fraud loss and fraudprevention cost data have been included where VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 III. Proposal In December 2010, the Board requested comment on proposed Regulation II, Debit Card Interchange Fees and Routing.5 As part of that proposal, the Board requested comment on two approaches to designing a framework for the fraud-prevention adjustment to the interchange transaction fee: A technology-specific approach and a non-prescriptive approach.6 The technology-specific approach would allow an issuer to recover some or all of its costs incurred for implementing major innovations that would likely result in substantial reductions in fraud losses. Under this approach, the Board would identify paradigm-shifting technologies that would reduce debit card fraud in a costeffective manner. The alternative approach would establish a more general standard that an issuer must meet to be eligible to receive an adjustment for fraud-prevention costs. The Board requested comment on various aspects of these approaches. For example, the Board requested information about the benefits and drawbacks of each approach, possible frameworks to implement the approaches, and the technologies or types of fraud-prevention activities whose costs should be considered under each approach. The Board also asked whether there were additional approaches that should be considered. Given survey data showing a substantially lower incidence of fraud for PIN debit transactions in comparison to signature-debit transactions, the Board also asked whether an adjustment should only be for PIN-based transactions.7 The Board noted that comments received would be considered in the development of a specific proposal for further public comment. IV. Overview of Comments and Interim Final Rule The Board received numerous comments on the fraud-prevention adjustment from issuers, depository institution trade associations, payment appropriate. Therefore, in certain instances, some data reported in the initial proposal have changed. These data are reported separately (see ‘‘2009 Interchange Revenue, Covered Issuer Cost, and Covered Issuer and Merchant Fraud Loss Related to Debit Card Transactions’’ published on the Board’s Web site at http://www.federalreserve.gov), and some data are discussed later in this notice. 5 A final rule addressing other provisions in Regulation II is published elsewhere in the Federal Register. 6 See 75 FR 81742–81743 (Dec. 28, 2010). 7 Survey data shows that signature-debit fraud losses are approximately four times PIN-debit fraud losses. PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 43479 card networks, merchants, merchant trade associations, individuals, consumer groups, technology companies, consultants, other government agencies, and members of Congress. The comments were generally focused on four main topics: (1) Whether the overall framework for the adjustment should be technology-specific or nonprescriptive; (2) what form the fraudprevention adjustment should take, i.e., should the adjustment be tied to an eligible issuers’ costs, perhaps up to a specific cap, or be uniform across eligible issuers; (3) whether the adjustment should apply only to particular authentication methods, such as for PIN-based authentication; and (4) the time frame for the effective date for the fraud-prevention adjustment. These comments are summarized below and are described in more detail in the Section Analysis. Although there was not agreement on whether to pursue a technology-specific or non-prescriptive approach, commenters generally agreed that the Board should not mandate use of specific technologies. Merchant commenters generally favored the paradigm-shifting approach.8 These commenters stated that the fraudprevention adjustment should not cover costs associated with securing technologies that were known to be less effective at preventing fraud than other available technologies.9 In contrast, issuer commenters of all sizes and payment card networks preferred the non-prescriptive approach that would allow issuers to have the flexibility to tailor their fraudprevention activities to address most effectively the risks they faced associated with changing fraud patterns. Issuer commenters also opposed a fraud-prevention adjustment only for particular authentication methods, noting that an adjustment favoring a particular authentication method may not provide sufficient incentives to invest in other potentially more effective authentication methods. In addition, among all types of commenters, there was a general consensus that the fraud-prevention adjustment should be effective at the same time as the interchange fee 8 Merchants proposed a framework where an issuer receives an adjustment only if both the merchant and issuer use an eligible low-fraud technology. 9 For example, merchant commenters argued that the fraud-prevention adjustment should not include activities aimed at securing signature debit transactions when PIN transactions are known to have lower incidence of fraud and lower average fraud loss per incident. E:\FR\FM\20JYR3.SGM 20JYR3 emcdonald on DSK2BSOYB1PROD with RULES3 43480 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations standard—either on July 21, 2011, or at a later date as suggested by some commenters. Many merchant commenters believed that the Board demonstrated that it had sufficient information to establish a fraudprevention adjustment by the statutory effective date. Some commenters, particularly issuers and networks, argued that it was important to have the fraud-prevention adjustment in place alongside the rest of the interchange fee standards in order to avoid any gaps in the ability to fund certain fraudprevention activities. Under the interim final rule, if an issuer meets standards set forth by the Board, it may receive or charge a fraudprevention adjustment of no more than 1 cent per transaction to any interchange transaction fee it receives or charges in accordance with § 235.3. To be eligible to receive the fraudprevention adjustment, an issuer must develop and implement policies and procedures reasonably designed to (1) Identify and prevent fraudulent electronic debit transactions; (2) monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions; (3) respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and (4) secure debit card and cardholder data. An issuer must review its fraudprevention policies and procedures at least annually, and update them as necessary to address changes in the prevalence and nature of fraudulent electronic debit transactions and the available methods of detecting, preventing, and mitigating fraud. Finally, the issuer must certify, on an annual basis, its compliance with the Board’s standards to the payment card networks in which the issuer participates.10 The interim final rule will be effective concurrent with the interchange fee standard on October 1, 2011. Issuers must comply with the Board’s fraudprevention standards by that date in order to receive or charge the fraudprevention adjustment to the interchange transaction fee on that date. The Board requests comment on all aspects of the interim final rule and will consider these comments in developing the final rule. 10 The interim final rule applies to issuers and cards that are covered under the interchange fee standards. See discussion of the exemptions to the interchange fee standards in § 235.5 of Regulation II, Debit Card Interchange Fee and Routing—Final Rule, published elsewhere in the Federal Register. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 V. Section Analysis Section 235.4 sets forth the circumstances under which an issuer may receive or charge a fraudprevention adjustment as an amount in addition to the amount permitted as an interchange transaction fee under § 235.3. Section 235.4 also prescribes the maximum amount of such adjustment. A. Statutory Considerations EFTA Section 920(a)(5) requires the Board to consider several different factors in prescribing regulations related to the fraud-prevention adjustment. This section discusses each of those factors. Nature, type, and occurrence of fraud. The Board’s survey of debit card issuers and payment card networks provided information about the nature, type, and occurrence of fraud in electronic debit transactions. From the card issuer and network surveys, the Board estimates that industry-wide fraud losses to all parties of debit (including prepaid) card transactions were approximately $1.34 billion in 2009.11 Based on data provided by covered issuers, about 0.04 percent of purchase transactions were fraudulent, with an average loss per purchase transaction of about 4 cents, or about 9 basis points of transaction value.12 The most commonly-reported and highest cost fraud types were counterfeit card fraud, lost and stolen card fraud, and mail, telephone, and Internet order (i.e., card-not-present) fraud.13 For signature and PIN debit card (including prepaid card) transactions combined, counterfeit card fraud represented 0.01 percent of all purchases transactions with an average loss of 2 cents per transaction and 4 basis points of transaction value. Lost and stolen card fraud was less than 0.01 percent of all purchase transactions with an average loss of 1 cent per transaction and 1 basis 11 Industry-wide fraud losses were extrapolated from data reported in the issuer and network surveys conducted by the Board. Of the 89 issuers that responded to the issuer survey, 52 issuers provided data on fraud losses related to their debit (including prepaid) card transactions. These issuers reported $726 million in fraud losses to all parties of card transactions and represented 54 percent of the total transactions reported by networks. 12 The percent of purchase transactions that are fraudulent is the number of fraudulent transactions divided by the number of purchase transactions. The average loss per purchase transaction is the dollar amount of fraud losses divided by the number of purchase transactions. The average loss per purchase transaction in basis points is the dollar amount of fraud losses divided by the dollar amount of purchase transactions. 13 Some issuers reported ATM fraud, which was excluded from fraud loss totals because ATM transactions are not defined in the statute or final rule as electronic debit transactions. PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 point of transaction value. Mail, telephone, and Internet order fraud was 0.01 percent of all purchase transactions with an average loss of 1 cent per transactions and 2 basis points of transaction value. Extent to which the occurrence of fraud depends on authentication mechanism. The issuer survey data also provided information about the extent to which the occurrence of fraud depends on whether the transaction is authenticated with a signature or a PIN. Of the approximately $1.34 billion estimated industry-wide fraud losses, about $1.11 billion of these losses arose from signature debit card transactions and about $181 million arose from PIN debit card transactions.14 The higher losses for signature debit card transactions are attributable to both a higher rate of fraud and higher transaction volume for signature debit card transactions. The data showed that about 0.06 percent of signature debit and 0.01 percent of PIN debit purchase transactions were reported as fraudulent. For signature debit, the average loss was 5 cents per transaction, and represented about 13 basis points of transaction value. For PIN debit, the average loss was 1 cent per transaction, and was almost 3 basis points of transaction value. Thus, on a per-dollar basis, signature debit fraud losses are approximately 4 times PIN debit fraud losses.15 The different fraud loss rates for signature and PIN transactions reflect, in part, differences in the ease of fraud associated with the two authentication methods. A signature debit card transaction requires information that is typically contained on the card itself in order for card and cardholder authentication to take place. Therefore, a thief only needs to steal information on the card in order to commit fraud.16 In contrast, a PIN debit card transaction requires not only information contained on the card itself, but also something only the cardholder should know, namely the PIN. In this case, a thief generally needs both the information on the card and the cardholder’s PIN to commit fraud. Virtually all Internet debit card transactions are routed over signature 14 The sum of card program fraud losses will not equal the industry-wide fraud losses due to different sample sizes and rounding. 15 The survey data did not break out prepaid card PIN transactions from prepaid card signature transactions. For all prepaid debit transactions, about 0.03 percent of purchase transactions were fraudulent, the average loss was 1 cent per transaction, and 4 basis points of transaction value. 16 Among other things, information on the card includes the card number, the cardholder’s name, and the cardholder’s signature. E:\FR\FM\20JYR3.SGM 20JYR3 emcdonald on DSK2BSOYB1PROD with RULES3 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations debit networks. Card issuers responding to the Board’s survey reported that, in signature debit systems, fraud losses for all parties to card-not-present transactions were higher than fraud losses for card-present transactions. On a transactions-weighted average, cardnot-present fraud losses represented 17 basis points of the value of card-notpresent signature debit transactions. Card-present fraud losses represented 11 basis points of the value of card-present signature debit transactions and were over 3 times greater than the fraud loss value, in basis points, associated with PIN debit card-present transactions. Available and economical means by which fraud may be reduced. The Board requested information about issuers’ fraud-prevention activities and costs in its survey. Issuers identified several categories of activities used to detect, prevent, and mitigate fraudulent electronic debit transactions, including transaction monitoring; merchant blocking; card activation and authentication systems; PIN customization; system and application security measures, such as firewalls and virus protection software; and ongoing research and development focused on making an issuer’s fraud-prevention practices more effective. The median amount spent by issuers on all reported fraud-prevention activities was approximately 1.8 cents per transaction. The most commonly reported fraud-prevention activity was transaction monitoring, which generally includes activities related to the authorization of a particular electronic debit transaction, such as the use of neural networks and automated fraud risk scoring systems that may lead to the denial of a suspicious transaction. At the median, issuers reported spending approximately 0.7 cents per transaction on transactions monitoring activity.17 Fraud-prevention costs expended by different parties. All parties to debit card transactions incur fraud-prevention costs. For example, some consumers routinely monitor their accounts for unauthorized debit card purchases; however, consumer costs are difficult to quantify. Some issuers, merchants, and acquirers pay networks, processors, or third-party vendors for fraud-prevention tools such as neural networks and access to databases about compromised cards and accounts. In addition to services they may purchase from others, merchants may develop their own fraud-prevention tools. For example, 17 Transaction monitoring costs were included in the costs used as the basis for the interchange fee standard rather than the fraud-prevention adjustment. See discussion of § 235.4(a) below. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 many large online merchants implement extra security measures to verify the legitimacy of a purchase. Typically these checks occur between the time a card is authorized by the issuer and the product is shipped to the purchaser. In their comments, several online merchants noted that they have developed sophisticated fraud risk management systems that include both manual review and automated processes, which have reduced fraud rates to levels at or below card-present rates at other merchants. In addition to these investments, merchants also take steps to secure data and comply with Payment Card Industry Data Security Standards (PCI–DSS).18 In their comments, several merchants noted that these compliance costs can be substantial. As discussed more fully elsewhere in this notice, issuers incur costs for a variety of fraud-prevention activities. Costs of fraudulent transactions absorbed by the different parties. Using the issuer survey data, the Board estimated the cost of fraudulent transactions absorbed by different parties to a debit card transaction. Based on the issuer survey responses, almost all of the reported fraud losses associated with debit card transactions fall on the issuers and merchants.19 In particular, across all types of transactions, 62 percent of reported fraud losses were borne by issuers and 38 percent were borne by merchants. The distribution of fraud losses between issuers and merchants depends, in part, on the authentication method used in a debit card transaction. Issuers and payment card networks reported that nearly all the fraud losses associated with PIN debit card transactions (96 percent) were borne by issuers. In contrast, reported fraud losses were distributed much more evenly between issuers and merchants for signature debit card transactions. Specifically, issuers and merchants bore 18 The Payment Card Industry (PCI) Security Standards Council was founded in 2006 by five card networks—Visa, Inc., MasterCard Worldwide, Discover Financial Services, American Express, and JCB International. These card brands share equally in the governance of the organization, which is responsible for development and management of PCI Data Security Standards (PCI–DSS). PCI–DSS is a set of security standards that all payment system participants, including merchants and processors, are required to meet in order to participate in payment card systems. 19 Most issuers reported that they offer zero or very limited liability to cardholders, in addition to the EFTA limits on consumer liability for unauthorized electronic fund transfers afforded to consumers, such that the fraud loss borne by cardholders is negligible. See 15 U.S.C. 1693g and 12 CFR 205.6. Payment card networks and merchant acquirers also reported very limited fraud losses for themselves. PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 43481 59 percent and 41 percent of signature debit fraud losses, respectively.20 In general, merchants are subject to greater liability for fraud in card-notpresent transactions than in cardpresent transactions. According to the survey data, merchants assume approximately 74 percent of signature debit card fraud for card-not-present transactions, compared to 23 percent for card-present signature debit card fraud.21 Extent to which interchange transaction fees have in the past affected fraud-prevention incentives. Issuers have a strong incentive to protect cardholders and reduce fraud independent of interchange fees received. Competition for cardholders suggests that protecting their cardholders from fraud is good business practice for issuers. Higher interchange revenues may have allowed issuers to offset both their fraud losses and fraudprevention costs and fund innovation on fraud-prevention tools and activities. Merchant commenters argued that, historically, the higher interchange revenue for signature debit relative to PIN debit has encouraged issuers to promote the use of signature debit over PIN debit, even though signature debit has substantially higher rates of fraud. B. Section 235.4(a) Adjustment Amount Section 235.4(a) permits an issuer to increase the amount of the interchange transaction fee it may receive or charge under § 235.3 by no more than 1 cent if the issuer complies with the standards in § 235.4(b). Section 235.4(a) does not differentiate the adjustment by authentication method or by type of transaction.22 1. Request for Comment and Comments Received To inform its rulemaking, the Board’s December 2010 proposal requested comment on whether the fraudprevention adjustment should use the same implementation approach as the interchange fee standard; that is, either (1) An issuer-specific adjustment, with a safe harbor and a cap, or (2) a cap regardless of an issuer’s costs. In a 20 For prepaid card transactions, issuers bore twothirds and merchants bore one-third of fraud losses. 21 These percentages may differ from those noted in the Board’s proposal (See 75 FR 81741, Dec. 28, 2010) because the number of usable survey responses has changed. 22 For example, an issuer that complies with the fraud-prevention standards would be eligible to receive an interchange fee equal to the sum of the 21 cent base component, the 5 basis point ad valorem component, and the 1 cent fraudprevention adjustment, equaling a total of 22 cents plus 5 basis points of the transaction’s value for each electronic debit transaction. E:\FR\FM\20JYR3.SGM 20JYR3 emcdonald on DSK2BSOYB1PROD with RULES3 43482 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations related question, the Board also asked whether the adjustment should apply only to PIN-based transactions, in light of the fact that, as reported above in the statutory considerations section, signature debit fraud losses are approximately four times PIN debit fraud losses on a per-dollar basis. In considering the implementation approach, many commenters referred to the statutory language that an adjustment should be ‘‘reasonably necessary to make allowance for costs incurred by the issuer in preventing fraud in relation to electronic debit card transactions involving that issuer.’’ They pointed to the term ‘‘reasonably necessary’’ as their basis for making arguments both for and against a cap on the amount of the adjustment. For example, most merchant commenters argued that it would be reasonably necessary for individual issuers to recover their initial capital costs for certain technologies, up to a cap equal to the cost associated with PIN debit card fraud-prevention activities.23 They supported a process where issuers offered technologies with fraud loss rates lower than that for PIN debit transactions and merchants could choose whether or not to adopt these technologies. One merchant commenter opposed both a fixed amount and a cap as being counter to fair market price negotiation between the issuers offering technologies and merchants choosing to adopt these technologies. This commenter also argued that allowing recovery up to a cap ignored the statutory language to make allowance for costs ‘‘incurred by the issuer’’ and that the relevant cost measure should be an individual issuer’s costs. On the other hand, several issuer, network, and depository institution trade association commenters opposed a cap on the basis that it limited the recovery of costs that could be determined to be reasonably necessary to prevent fraud. Some of these commenters noted that any cap might reduce incentives to invest in innovative fraud-prevention techniques. A few of them supported a safe harbor to reduce compliance and supervisory burden and to encourage effective fraud prevention. In response to the Board’s question regarding whether a fraud-prevention adjustment should be only for PIN debit transactions, merchant commenters highlighted the survey data indicating that signature-debit transactions experience higher average fraud losses than PIN-debit transactions. They 23 See comment from Merchants Payments Coalition. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 expressed a concern that, in the past, interchange fees supported incentives for issuers to promote a less secure form of authentication. Both issuer and merchant commenters acknowledged that some types of sales environments preclude use of PIN authentication. However, merchant commenters asserted that, when signature and PIN methods are available both on the card and at the sales terminal, issuers often encourage cardholders to route the transaction using their signature rather than their PIN so that issuers could receive higher interchange revenue. A few issuers and networks commented that an adjustment only for PIN-based transactions would limit incentives to invest in potentially more effective authentication methods, such as dynamic data, that might not require a PIN. Some issuers commented that a fraud-prevention adjustment only for PIN debit transactions may limit fraudprevention investments for non-PIN transactions, making these transactions less secure. According to these commenters, issuers may manage this risk by assessing cardholder fees on non-PIN transactions or by limiting the value allowed per transaction. These practices, asserted some issuers, may reduce sales or increase payment costs, especially for merchants that do not accept PIN debit cards. Merchant commenters, on the other hand, urged the Board to consider an adjustment only for technologies or methods with fraud loss rates lower than the rate for PIN debit card programs. These commenters argued that debit card transactions authorized with a PIN have a much lower fraud loss rate than those authorized with a signature. In particular, merchants did not want issuers to be reimbursed for efforts to better secure an inherently less secure authentication method. 2. Interim Final Rule Section 920(a)(5) permits the Board to allow an adjustment to the amount of an interchange fee that an issuer may receive if ‘‘such adjustment is reasonably necessary to make allowance for costs incurred by the issuer in preventing fraud in relation to electronic debit transactions involving that issuer.’’ Section 920(a)(5) of the EFTA does not specify what amount, or range of amounts, is considered ‘‘reasonably necessary to make allowance for’’ an issuer’s fraudprevention costs. The phrasing ‘‘reasonably necessary to make allowance for’’ fraud-prevention costs does not require a direct connection between the fraud-prevention adjustment and actual issuer costs; the PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 statute requires only that the adjustment be ‘‘reasonably necessary’’ and ‘‘make an allowance for’’ fraud-prevention costs. Moreover, the statute does not require the Board to set the adjustment so that each (or any) issuer fully recovers its fraud-prevention costs. Instead, the statute provides for an ‘‘allowance for’’ fraud-prevention costs. The Board believes that an amount that makes allowance for an issuer’s fraudprevention costs is one that gives consideration to those costs, and allows a reasonable recovery of those costs based on the considerations in Section 920(a)(5)(B)(ii) described above.24 The statute also allows the Board, in setting a fraud-prevention adjustment, to consider such other factors as the Board considers appropriate.25 As explained below, the Board has considered the fraud-prevention costs of parties to electronic debit transactions, the incentives created by the adjustment, and other factors in setting the adjustment. The Board considered the fraudprevention costs incurred by all parties to an electronic debit transaction: Consumers, merchants, payment card networks, processors, and issuers. The Board narrowed its focus to costs expended by merchants and issuers because most fraud-prevention costs are ultimately borne by these parties, and the fraud-prevention adjustment to the interchange transaction fee is effectively paid by merchants to issuers. The Board recognizes that both merchants and issuers incur costs associated with fraud prevention including, for example, costs to comply with PCI–DSS and network rules related to fraud prevention. In addition, several merchant commenters stated that they, like issuers, have natural incentives to protect customer information and to safeguard their reputations as careful trustees of this information. To maintain these reputations and to reduce their exposure to fraud losses, these commenters noted that they have made substantial investments in fraudprevention measures, including, as one online merchant noted, analysis of Internet Protocol address, Internet service provider, and device ID information. For these reasons, the Board has adopted an interim final rule with a fraud-prevention adjustment set at issuer survey respondents’ median fraud-prevention costs, minus those 24 ‘‘Allow for’’ may be defined as ‘‘to give consideration to circumstances or contingencies.’’ Merriam-Webster Dictionary (‘‘allow’’ used with ‘‘for’’) (online edition). 25 See EFTA Section 920(a)(5)(B)(ii)(VII). E:\FR\FM\20JYR3.SGM 20JYR3 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES3 fraud-prevention costs that are already part of the interchange fee standards.26 The median issuer’s per-transaction fraud-prevention cost as reported in response to the Board’s survey is 1.8 cents. In its final rule for the interchange fee standards, the Board has included costs of transaction-monitoring systems that are integral to the authorization of a transaction in its setting of the interchange transaction fee standards. Transaction monitoring systems assist in the authorization process by providing information to the issuer before the issuer decides to approve or decline the transaction. Because these costs are already included for all covered issuers as a basis for establishing the interchange fee standards, they are excluded from the costs used to determine the fraudprevention adjustment.27 Issuers were instructed to separately report the costs of each type of fraud-prevention activity to the extent possible, and the median issuer’s transactions-monitoring cost is 0.7 cents per transaction. The fraudprevention adjustment of 1 cent represents the difference between the median fraud-prevention cost of 1.8 cents less the median transactionsmonitoring cost of 0.7 cents, rounded to the nearest cent. The median of the remaining fraudprevention costs provides some issuers with recovery of all of these costs and other issuers with recovery of some of these costs. The Board believes that the median allowance helps to offset the costs of implementing activities that are effective at reducing fraud losses while placing cost discipline on issuers to ensure that those fraud-prevention activities are also cost effective and recognizing that fraud-prevention costs are incurred by both merchants and issuers. An issuer that meets the Board standards (discussed below) may receive the adjustment, even if its fraudprevention costs are below the median, and no issuer may receive more than the median, regardless of its fraudprevention costs. The Board is concerned that limiting an adjustment to authentication methods available today, or a subset of those methods, may not allow flexibility for issuers to develop other methods of authentication that may be more 26 The fraud-prevention adjustment does not include an allowance for fraud losses. EFTA Section 920(a)(5)(A)(i) limits the adjustment to ‘‘costs incurred by the issuer in preventing fraud.’’ Fraud losses are not costs incurred to prevent fraud. The Board includes issuer fraud losses as a basis for the establishment of the interchange fee standards in § 235.3 of the final rule. See notice elsewhere in the Federal Register. 27 The median cost of fraud-prevention activities tied to authorization is about 0.7 cents. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 effective than today’s alternatives and may not require a PIN. It may also reduce the incentives for issuers to improve fraud-prevention techniques for systems that, for a variety of reasons, experience higher fraud rates. Further, the interchange fee standards set a maximum permissible interchange fee that an issuer may receive for electronic debit transactions, irrespective of authentication method. Because issuers are less likely to receive a higher interchange fee for signature-based transactions, issuer processing costs for PIN debit transactions are generally less than those for signature debit transactions, and fraud losses are significantly lower for PIN debit transactions than for signature debit transactions, the Board believes that issuers’ incentives to encourage cardholders to use their signature rather than their PIN to authenticate transactions at the point of sale will diminish. For these reasons, the Board has adopted a fraud-prevention adjustment that is the same for each type authentication method. C. Section 235.4(b)—Adoption of NonPrescriptive Standards 1. Request for Comment and Comments Received As discussed above, the Board’s proposed rule did not contain a specific proposal for the fraud-prevention adjustment. Instead, the Board requested comment on two general approaches to the adjustment: A technology-specific approach and a nonprescriptive approach. The technologyspecific approach was described as allowing issuers to recover some or all of its costs, perhaps up to a cap, incurred for implementing major innovations that would likely result in substantial reductions in fraud losses. As described in the proposed rule, the Board would identify paradigm-shifting technologies that would reduce debit card fraud in a cost-effective manner. The Board noted this approach might help spur adoption of technologies eligible for a fraud-prevention adjustment. At the same time, it might also reduce issuer incentives to invest in more effective and less costly technologies not identified by the Board. Although neither merchant nor issuer commenters supported the Board mandating specific technologies, merchants and their trade associations preferred the technology-specific approach. Many merchants proposed that issuers be required to make specific technologies available to merchants that PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 43483 reduce fraud losses to a level lower than that associated with PIN debit transactions. They asserted that their proposal allowed the market, and not the Board, to determine technologies that are eligible for a fraud-prevention adjustment.28 A merchant commenter suggested that this test could be further conditioned based on the riskiness of particular merchants. For example, the calculation of the fraud-prevention adjustment could consider the rate of fraud-related chargebacks to merchants, and those merchants with higher rates would pay a higher fraud-prevention adjustment than would those with lower rates, still up to a cap. One commenter noted that a metrics-based approach could be applied at the issuer level rather than at the technology level. For example, only issuers with a rate of fraud losses lower than the industry average may be eligible to receive or charge a fraud-prevention adjustment. Alternatively, the non-prescriptive approach would entail a more general set of standards that an issuer must meet to be eligible to receive an adjustment for fraud-prevention costs. Such standards could require issuers to take steps reasonably necessary to maintain an effective fraud-prevention program but not prescribe specific technologies that must be employed as part of the program. This approach maintains issuer flexibility in responding to emerging and changing fraud risks.29 In their comments, issuers of all sizes, depository institution trade associations, payment card networks, and a federal regulatory agency preferred the non-prescriptive approach for a variety of reasons. Many of these commenters argued that debit card fraud is dynamic and requires issuers and networks to innovate on an ongoing basis in order to develop new responses to existing and emerging fraud risks. The flexibility to develop creative and timely responses, they noted, is important for detecting and preventing debit card fraud. Moreover, several of these commenters noted that the industry is better positioned than the Board to adapt fraud-prevention programs in a timely manner to respond effectively to changing fraud patterns.30 28 See letter from Merchants Payments Coalition. Although the Merchants Payments Coalition did not propose that the Board identify technologies in its standards, it did propose that any technologies issuers want to offer to merchants undergo an application and approval process, including a public comment period, managed by the Board. 29 For a more detailed description of the two approaches proposed by the Board, see 75 FR 81742–81743 (Dec. 28, 2010). 30 A few commenters, primarily technology vendors, consultants, and technology associations, E:\FR\FM\20JYR3.SGM Continued 20JYR3 43484 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES3 Many of these commenters expressed concerns with the identification, in any context, of particular technologies eligible for a fraud-prevention adjustment under a possible technologyspecific approach. For example, several commenters suggested that this approach assumes that a single or limited set of technologies is more effective at reducing fraud losses than implementing a variety of technologies, practices, and methods in combination. To the extent that a set of technologies is identified, these commenters believed issuers would most likely invest in the set of technologies for which they can recover their costs. As a result, they asserted, competition among issuers (and networks) in fraud prevention will most likely be reduced. These commenters also echoed a concern noted by the Board in its December 2010 proposal—a risk that issuers would underinvest in new, non-eligible technologies, which may be more effective and less costly than those identified in the standard. Finally, a few of these commenters suggested that defining a list of eligible technologies would provide valuable information to fraudsters in their efforts to weaken mechanisms designed to strengthen security in the payment system. According to these commenters, such a list would also provide fraudsters with a good sense of the technologies most likely to be adopted, if they were not already, by the industry. Ultimately, these commenters argued that this information could make technologies that have been identified less effective over the long term. 2. Non-Prescriptive Approach EFTA Section 920(a)(5) states that the Board’s standards must require an issuer to take effective steps to reduce the occurrence of, and costs from, fraudulent electronic debit transactions and must ensure that an issuer implement ‘‘cost-effective’’ fraudprevention technologies. As explained below, the Board is adopting standards for assessing whether the fraudprevention program for an issuer is designed to reduce fraudulent debit card activity effectively. In assessing whether a program is effective, the Board does not believe that Section 920(a)(5) requires that the program prevent all fraud in order for an issuer to qualify for the fraud-prevention adjustment. The dynamic nature of the debit card fraud environment requires standards that permit issuers to determine themselves the best methods to detect, supported the Board mandating particular technologies, such as chip and PIN or biometrics. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 prevent, and mitigate fraud losses for the size and scope of their debit card program and to respond to frequent changes in fraud patterns. Standards that incorporate a technology-specific approach do not provide sufficient flexibility to issuers to design and adapt policies and procedures that best meet a particular issuer’s needs and that would most effectively reduce fraud losses for all parties to a transaction. A variety of factors may affect the incidence of fraudulent electronic debit transactions and losses from those transactions, not all of which can be addressed solely by actions taken by issuers. For example, an acquirer or merchant processor used by merchants frequented by an issuer’s cardholders may experience a data breach that increases the number of fraudulent transactions and losses for an issuer. An issuer’s policies and procedures, however, may be able to mitigate the occurrence of, and costs from, fraudulent electronic debit transactions resulting from such a data breach. In this circumstance, an issuer’s fraudprevention policies and procedures may be effective, notwithstanding the fact that the issuer may have incurred a higher incidence of fraudulent electronic debit transactions than in more typical years. Another factor affecting fraud trends is the nature of the fraud environment as a ‘‘cat and mouse’’ game. For example, as new and more effective fraud-prevention practices are employed by issuers, these practices will become targets for fraudsters wanting to compromise card and cardholder data. As technologies become less effective because of these efforts by fraudsters, issuers will be expected to find new ways to strengthen their fraudprevention measures. To encourage improvement in fraud-prevention efforts, the interim final rule requires an issuer to review its policies and procedures, at least annually, and update them to address changes in the prevalence and nature of fraudulent electronic debit transactions and available fraud-prevention methods. Specifying, and limiting the set of, technologies for which issuers recover their costs may weaken the long-term effectiveness of these technologies. For example, the risk that fraudsters may use this list as a way to focus their efforts to compromise card and cardholder data is material. For these reasons, the Board is adopting as an interim final rule, and requesting comment on, a non-prescriptive approach for the fraud-prevention adjustment. The Board invites public comment on all aspects of the interim PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 final rule, including the questions specifically raised throughout the notice, and will adjust the rule as appropriate after consideration of comments received. 3. Develop and Implement Policies and Procedures Section 235.4(b)(1) requires that in order to be eligible to receive a fraudprevention adjustment, an issuer must develop and implement policies and procedures reasonably designed to (1) Identify and prevent fraudulent electronic debit transactions; (2) monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions; (3) respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and (4) secure debit card and cardholder data. Procedures may include practices, activities, methods, or technologies that are used to implement and make effective an institution’s fraudprevention policies. Together, these policies and procedures shall be reasonably designed to detect, prevent, and mitigate fraudulent electronic debit transactions and as provided for in § 235.4(b)(1)(i–iv). Comment 4(b)–1 clarifies that an issuer must both develop and implement effective policies and procedures. Comment 4(b)–2 discusses the types of fraud that an issuer’s policies and procedures should address. In its proposal, the Board did not include regulatory language to define ‘‘fraudulent electronic debit transaction’’ but suggested in the preamble that fraud in the debit card context should be defined as ‘‘the use of a debit card (or information associated with a debit card) by a person, other than the cardholder, to obtain goods, services, or cash without authority for such use.31 This definition is derived from the EFTA’s definition of ‘‘unauthorized electronic fund transfer.’’ (15 U.S.C. 1693a(11)). One commenter stated that the definition of ‘‘fraud’’ should be expanded to include so-called ‘‘friendly fraud’’ where the cardholder authorizes the transaction and later claims the transaction cardholder did not engage in the transaction. In contrast to elsewhere in the EFTA, Section 920 uses the term ‘‘fraud’’ rather than ‘‘unauthorized’’ transaction. Accordingly, for purposes of Section 920(a)(5), fraud in relation to electronic debit transaction may encompass more 31 See E:\FR\FM\20JYR3.SGM 75 FR 81722, 81740 (Dec. 28, 2010). 20JYR3 emcdonald on DSK2BSOYB1PROD with RULES3 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations than ‘‘unauthorized’’ use of the card. For example, a cardholder may authorize payment to a fraudulent or ‘‘phony’’ merchant that does not deliver the expected goods or services to the cardholder. Another transaction that could be considered fraudulent, as suggested by commenters, is one in which the cardholder authorized the transaction and received the goods or services, but subsequently alleges fraudulently that the cardholder never received the goods or services. The Board has considered the comments and believes that fraud in electronic debit transactions is broader than unauthorized use and that whether a transaction is in fact fraudulent will depend on the facts and circumstances of the transaction. All types of fraud impose costs on system participants, and the issuer’s costs associated with preventing all types of fraud may be considered when determining the fraud-prevention adjustment. Under the interim final rule, the policies and procedures that an issuer must implement in order to qualify for the fraud-prevention adjustment need not necessarily address types of fraud, such as authorized transactions with a fraudulent merchant, that issuers generally have very limited ability to control. The issuer may choose, however, to include policies and procedures to minimize such fraudulent transactions if it learns of a specific fraudulent merchant or scam that its cardholders have experienced or are likely to experience. In such cases, the issuer could, for example, alert its cardholders as to the existence of the particular fraud. The Board requests comment on whether the rule should include a definition of ‘‘fraud’’ or ‘‘fraudulent electronic debit transaction,’’ and if so, what would be an appropriate definition. Comment 4(b)(1)(i)–1 provides examples of practices that may be part of an issuer’s policies and procedures to identify and prevent fraudulent electronic debit transactions. Comment 4(b)(1)(i)–2 clarifies that an issuer should assess the effectiveness of different authentication methods used by its cardholders, including the rate of fraudulent transactions for each method and consider practices to encourage the use of more effective authentication methods. This comment also clarifies that issuers should monitor industry developments and consider adopting, where practical, new methods of authentication that are materially more effective than the methods currently used by its cardholders. The Board requests comment on whether an issuer’s policies and procedures should VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 require an issuer to assess whether its customer rewards or similar programs provide inappropriate incentives to use an authentication method that is demonstrably less effective in preventing fraud. Comment 4(b)(1)(ii)–1 provides that an issuer must have policies and procedures designed to monitor the types, number, and value of its fraudulent electronic debit transactions. The issuer must also track its and its cardholders’ losses from fraudulent electronic debit transactions, its fraudrelated chargebacks to merchant acquirers, and reimbursements from other parties to the transaction. Comment 4(b)(1)(iii)–1 provides that an issuer must implement appropriate responses to suspicious transactions or transactions likely to be fraudulent. The comment clarifies that the response may be different depending on the nature of the transaction and may require the issuer to coordinate with industry organizations, law enforcement agencies, and other parties to the transaction. Comment 4(b)(1)(iii)–2 clarifies that it is not an appropriate response for the issuer to merely shift the loss to another party, other than the party that committed the fraud. Comment 4(b)(1)(iv)–1 provides that an issuer’s policies and procedures should be designed to secure debit card and cardholder data that are transmitted to or from an issuer (or its service provider) during transaction processing, stored by the issuer (or its service provider), and carried on media by employees or agents of the issuer. The comment also notes that this standard may be incorporated into an issuer’s information security program as required by Section 501(b) of the Gramm-Leach-Bliley Act. 4. Review and Update Policies and Procedures Section 235.4(b)(2) requires that an issuer review and update its fraudprevention policies and procedures as least annually. In certain circumstances, more frequent updates may be necessary if there are significant changes in fraud types, fraud patterns, or fraudprevention techniques or technologies. Comment 4(b)(2)–1 provides that an issuer should review and update its policies and procedures if a significant change occurs even if the issuer reviewed and updated its policies and procedures within the preceding year. 5. Section 235.4(c) Certification Section 235.4(c) requires an issuer to certify to its payment card networks that its fraud-prevention standards comply with the Board’s standards as provided PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 43485 for in § 235.4(b). Issuers that are eligible for the adjustment should certify their compliance annually to each payment card network in which the issuer participates that allows issuers to receive or charge a fraud-prevention adjustment to their interchange transaction fee as permitted under §§ 235.3 and 235.4. The Board expects that these payment card networks will develop their own processes for identifying issuers eligible for this adjustment. (See comment 4(c)–1.) The Board requests comment on whether the rule should establish a consistent certification process and reporting period for an issuer to certify to a payment card network that the issuer meets the Board’s fraudprevention standards and is eligible to receive or charge the fraud-prevention adjustment. Form of Comment Letters Comment letters should refer to Docket No. R–1404 and RIN No. 7100 AD 63 and when possible, should use a standard typeface with a font size of 10 or 12, to enable the Board to convert text submitted in paper form to machinereadable form through electronic scanning that will facilitate automated retrieval of comments for review. Comments may be mailed electronically to regs.comments@federalreserve.gov. Solicitation of Comments Regarding Use of ‘‘Plain Language’’ Section 772 of the Gramm-LeachBliley Act of 1999 (12 U.S.C. 4809) requires the Board to use ‘‘plain language’’ in all proposed and final rules published after January 1, 2000. The Board invites comment on whether the interim final rule is clearly stated and effectively organized, and how the Board might make the text of the rule easier to understand. Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501–3521; 5 CFR 1320 Appendix A.1), the Board reviewed the interim final rule under the authority delegated to the Board by the Office of Management and Budget (OMB). The Board may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid OMB control number. The OMB control number will be assigned. The interim final rule contains requirements subject to the PRA. The collection of information required by this interim final rule is found in § 235.4 of Regulation II (12 CFR part 235). Under the interim final rule, if an issuer E:\FR\FM\20JYR3.SGM 20JYR3 43486 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES3 meets standards set forth by the Board, it may receive or charge an adjustment of no more than 1 cent per transaction to any interchange transaction fee it receives or charges in accordance with § 235.3. To be eligible to receive the fraudprevention adjustment under § 235.4(a)(1), an issuer shall develop and implement policies and procedures reasonably designed to (1) Identify and prevent fraudulent electronic debit transactions; (2) monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions; (3) respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and (4) secure debit card and cardholder data. An issuer must review its fraud prevention policies and procedures at least annually, and update them as necessary to address changes in prevalence and nature of fraudulent electronic debit transactions and available methods of detecting, preventing, and mitigating fraud. Finally, the issuer must certify, on an annual basis, its compliance with the Board’s standards to the payment card networks in which the issuer participates. The interim final rule will be effective concurrent with the interchange fee standard on October 1, 2011. The interim final rule would apply to issuers that, together with their affiliates, have consolidated assets of $10 billion. The Board estimates that there are 380 issuers 32 regulated by the Federal financial regulatory agencies required to comply with the recordkeeping and reporting provisions under § 235.4. The Board estimates that the 380 issuers would take, on average, 160 hours (one month) to develop and implement policies and train appropriate staff to comply with the recordkeeping provisions under § 235.4. This one-time annual PRA burden is estimated to be 60,800 hours. On a continuing basis, the Board estimates issuers would take, on average, 40 hours (one business week) annually to review its fraud prevention policies and 32 For purposes of the PRA, the Board is estimating the burden for entities currently regulated by the Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, and National Credit Union Administration (collectively, the ‘‘Federal financial regulatory agencies’’). Such entities may include, among others, State member banks, national banks, insured nonmember banks, savings associations, and Federally-chartered credit unions. VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 procedures, updating them as necessary, and estimates the annual PRA burden to be 15,200 hours. The Board estimates 380 issuers would take, on average, 5 minutes to comply with the reporting provision under § 235.4(c) (annual certification), and estimates the annual reporting burden to be 32 hours. The total annual PRA burden for this information collection is estimated to be 73,032 hours. Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the Board’s functions, including whether the information has practical utility; (2) the accuracy of the Board’s estimate of the burden of the proposed information collection, including the cost of compliance; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of information collection on respondents, including through the use of automated collection techniques or other forms of information technology. Comments on the collection of information should be sent to Cynthia Ayouch, Acting Federal Reserve Clearance Officer, Division of Research and Statistics, Mail Stop 95–A, Board of Governors of the Federal Reserve System, Washington, DC 20551, with copies of such comments sent to the Office of Management and Budget, Paperwork Reduction Project (7100–to be assigned), Washington, DC 20503. with respect to this rulemaking. In addition, the Board finds that there is good cause to conclude that providing notice and an opportunity to comment before issuing this interim final rule would be contrary to the public interest. As noted above, the Board received numerous comments that addressed questions posed by the Board regarding the fraud-prevention adjustment to the interchange transaction fee. Among all types of commenters, there was a general consensus that the fraudprevention adjustment should be effective at the same time as the interchange fee standard in order to prevent any gaps in the ability to fund certain fraud-prevention activities. Without adequate funding, fraudprevention activities could be reduced, thereby causing harm to consumers, merchants, and issuers. Moreover, the Board’s data gathering effort provided the Board with sufficient information to develop and make a fraud-prevention adjustment effective concurrent with the interchange fee standard. Consequently, the Board finds that use of notice and comment procedures before issuing these rules would not be in the public interest. Interested parties will still have an opportunity to submit comments in response to this interim final rule. The interim final rule may be modified accordingly. Regulatory Flexibility Act The Board incorporates by reference the final Regulatory Flexibility Act analysis published with the Board’s Regulation II, published elsewhere in the Federal Register. That analysis applies to the Regulation II as a whole, including the fraud-prevention adjustment adopted in this interim final rule. Banks, banking, Debit card routing, Electronic debit transactions, and Interchange transaction fees. Administrative Procedure Act The Administrative Procedure Act (APA), 5 U.S.C. 551 et seq., generally requires public notice before promulgation of regulations. See 5 U.S.C. 553(b). Unless notice or a hearing is specifically required by statute, however, the APA also provides an exception ‘‘when the agency for good cause finds (and incorporates the finding and a brief statement of reasons therefore in the rules issued) that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.’’ 5 U.S.C. 553(b)(B). As an initial matter, Section 920 of the EFTA, as amended by the DoddFrank Act, does not specifically require the Board to provide notice or a hearing ■ PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 List of Subjects in 12 CFR Part 235 Authority and Issuance For the reasons set forth in the preamble, the Board is amending 12 CFR part 235 as follows: PART 235—DEBIT CARD INTERCHANGE FEES AND ROUTING 1. The authority citation for part 235 continues to read as follows: Authority: 15 U.S.C. 1693o–2. ■ 2. Add § 235.4 to read as follows: § 235.4 Fraud–prevention adjustment. (a) In general. If an issuer meets the standards set forth in paragraph (b) of this section, it may receive or charge an additional amount of no more than 1 cent per transaction to any interchange transaction fee it receives or charges in accordance with § 235.3. (b) Issuer standards. To be eligible to receive the fraud-prevention adjustment, an issuer shall— (1) Develop and implement policies and procedures reasonably designed to— E:\FR\FM\20JYR3.SGM 20JYR3 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations (i) Identify and prevent fraudulent electronic debit transactions; (ii) Monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions; (iii) Respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and (iv) Secure debit card and cardholder data; and (2) Review its fraud-prevention policies and procedures at least annually, and update them as necessary to address changes in prevalence and nature of fraudulent electronic debit transactions and available methods of detecting, preventing, and mitigating fraud. (c) Certification. To be eligible to receive or charge a fraud-prevention adjustment, an issuer that meets the standards set forth in paragraph (b) of this section must certify such compliance to its payment card networks on an annual basis. ■ 3. Appendix A to part 235 is amended to add new Section 235.4 to read as follows: Appendix A to Part 235—Official Board Commentary on Regulation II * * * emcdonald on DSK2BSOYB1PROD with RULES3 Section 235.4 Adjustment * * Fraud-Prevention 4(b) Issuer Standards 1. In general. Section 235.4(b) does not specify particular policies and procedures that an issuer must implement. Rather, an issuer must determine which policies and procedures are reasonably designed to achieve the objectives set forth in the standards. An issuer’s policies and procedures must include fraud-prevention technologies and other methods or practices reasonably designed to detect, prevent, and mitigate fraudulent electronic debit transactions. An issuer does not satisfy the standards in § 235.4(b) if it merely develops policies and procedures; the issuer also must implement those policies and procedures. Implementing an issuer’s fraud-prevention policies and procedures should include training the issuer’s employees and agents, as appropriate. 2. An issuer’s policies and procedures should address, among other things, fraud related to debit card use by unauthorized persons, which is a type of fraud that can be effectively addressed by the issuer, as the entity with the direct relationship with the cardholder and that authorizes the transaction. Examples of use by unauthorized persons include the following: i. A thief steals a cardholder’s wallet and uses the debit card to purchase goods, without the authority of the cardholder. ii. A cardholder makes a $100 purchase at a merchant. Subsequently, the merchant’s VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 employee uses information from the debit card to initiate a subsequent transaction for an additional $100, without the authority of the cardholder. iii. A hacker steals cardholder account information from a merchant processor and uses that information to make unauthorized purchases of goods or services. Paragraph 4(b)(1)(i). Identify and prevent fraudulent debit card transactions. 1. In general. An issuer shall develop and implement policies and procedures reasonably designed to identify and prevent fraudulent electronic debit transactions. These policies and procedures should include activities to prevent, detect, and mitigate fraud even if the costs of these activities are not recoverable as part of the fraud-prevention adjustment. The issuer’s policies and procedures may include the following: i. An automated mechanism to assess the risk that a particular electronic debit transaction is fraudulent during the authorization process (i.e., before the issuer approves or declines an authorization request). For example, an issuer may use neural networks to identify transactions that present increased risk of fraud. As a result of this analysis, the issuer may decide to decline to authorize these transactions. An issuer may not be able to determine whether a given transaction in isolation is fraudulent at the time of authorization, and therefore may have policies and procedures that monitor sets of transactions initiated with a cardholder’s debit card. For example, an issuer could compare a set of transactions initiated with the card to a customer’s typical transactions in order to determine whether a transaction is likely to be fraudulent. Similarly, an issuer could compare a set of transactions initiated with a debit card and common fraud patterns in order to determine whether a transaction or future transaction is likely to be fraudulent. ii. Practices to support reporting of lost and stolen cards or suspected incidences of fraud by cardholders or other parties to a transaction. As an example, an issuer may promote customer awareness by providing text alerts of transactions in order to detect fraudulent transactions in a timely manner. An issuer may also report debit cards suspected of being fraudulent to their networks for inclusion in a database of compromised cards. iii. Practices to help determine whether a user is authorized to use the card at the time of a transaction. For example, an issuer may specify the use of particular technologies or methods, such as dynamic data, to better authenticate a cardholder at the point of sale. 2. Review of authentication methods. The issuer’s policies and procedures should include an assessment of the effectiveness of the different authentication methods that the issuer enables its cardholders to use, including a review of the rate of fraudulent transactions for each authentication method. If one method of authentication results in significantly lower fraud losses than other method(s) of authentication enabled on the issuer’s debit cards, the issuer should consider practices to encourage its cardholders to use the more effective PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 43487 authentication method. It should also consider methods for reducing fraud related to the authentication method that experiences higher fraud rates. In addition, the issuer should monitor industry developments and consider adopting, where practical, new method(s) of authentication that are materially more effective than the methods currently available to its cardholders. Paragraph 4(b)(1)(ii). Monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions. 1. In order to inform its policies and procedures, an issuer must be able to track its fraudulent electronic debit transactions over time. Accordingly, an issuer must have policies and procedures designed to monitor the types, number, and value of fraudulent electronic debit transactions. In addition, an issuer must track its and its cardholders’ losses from fraudulent electronic debit transactions, its fraud-related chargebacks to acquirers, and any reimbursements from other parties. Other reimbursements could include payments made to issuers as a result of fines assessed to merchants for noncompliance with Payment Card Industry (PCI) Data Security Standards or other industry standards. Paragraph 4(b)(1)(iii). Respond to suspicious electronic debit transactions. 1. An issuer may identify transactions that it suspects to be fraudulent after it has authorized or settled the transaction. For example, a cardholder may inform the issuer that the cardholder did not authorize a transaction or transactions, or the issuer may learn of a fraudulent transaction or possibly compromised debit cards from the network, the acquirer, or other parties. An issuer must have policies and procedures in place designed to implement an appropriate response once an issuer has identified suspicious transactions or transactions likely to be fraudulent. The appropriate response is likely to differ depending on the circumstances and the risk of future fraudulent electronic debit transactions. For example, in some circumstances, it may be sufficient for an issuer to monitor more closely the account with the suspicious transactions. In other circumstances, it may be necessary to reissue cards or close the account. An appropriate response may also require coordination with industry organizations, law enforcement agencies, and other parties, such as payment card networks, merchants, and issuer or merchant processors. An appropriate response would be reasonably designed to mitigate fraud losses due to suspicious transactions and transactions alleged to be fraudulent across all parties to such transactions. 2. An issuer’s policies and procedures do not provide an appropriate response if they merely shift the loss to another party, other than the party that committed the fraud. Paragraph 4(b)(1)(iv). Secure debit card and cardholder data. 1. An issuer must have policies and procedures designed to secure debit card and cardholder data that are transmitted by the issuer (or its service provider) during transaction processing, that are stored by the E:\FR\FM\20JYR3.SGM 20JYR3 43488 Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / Rules and Regulations emcdonald on DSK2BSOYB1PROD with RULES3 issuer (or its service provider), and that are carried on media (e.g., laptops, transportable data storage devices) by employees or agents of the issuer. This standard may be incorporated into an issuer’s information security program, as required by Section 501(b) of the Gramm-Leach-Bliley Act. Paragraph 4(b)(2) Annual review 1. Periodic updates of policies and procedures. In general, an issuer must review its policies and procedures at least annually. In certain circumstances, however, an issuer may need to review and update its policies and procedures more frequently than once a year. For example, during a particular year, VerDate Mar<15>2010 18:38 Jul 19, 2011 Jkt 223001 there may be significant changes in fraud types, fraud patterns, or fraud-prevention methods or technologies. If a significant change occurs, an issuer must review and, if necessary, update its fraud-prevention policies and procedures to address the significant change, even if the issuer has reviewed its policies and procedures within the preceding year. 4(c) Certification. 1. To be eligible to receive the fraudprevention adjustment, each issuer must certify its compliance with the Board’s fraudprevention standards to the payment card networks in which it participates on an PO 00000 Frm 00012 Fmt 4701 Sfmt 9990 annual basis. Payment card networks that plan to allow issuers to receive or charge a fraud-prevention adjustment will develop their own processes for identifying issuers eligible for this adjustment. An issuer need not certify if it chooses not to receive any fraud-prevention adjustment available through a network. By order of the Board of Governors of the Federal Reserve System, June 30, 2011. Jennifer J. Johnson, Secretary of the Board. [FR Doc. 2011–16860 Filed 7–19–11; 8:45 am] BILLING CODE 6210–01–P E:\FR\FM\20JYR3.SGM 20JYR3

Agencies

[Federal Register Volume 76, Number 139 (Wednesday, July 20, 2011)]
[Rules and Regulations]
[Pages 43478-43488]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-16860]



[[Page 43477]]

Vol. 76

Wednesday,

No. 139

July 20, 2011

Part III





Federal Reserve System





-----------------------------------------------------------------------





12 CFR Part 235





 Debit Card Interchange Fees and Routing; Interim Final Rule

Federal Register / Vol. 76, No. 139 / Wednesday, July 20, 2011 / 
Rules and Regulations

[[Page 43478]]


-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 235

[Regulation II; Docket No. R-1404]
RIN 7100-AD 63


Debit Card Interchange Fees and Routing

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Interim final rule; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Board is adopting an interim final rule and requesting 
comment on provisions in Regulation II (Debit Card Interchange Fees and 
Routing) adopted in accordance with Section 920(a)(5) of the Electronic 
Fund Transfer Act, which governs adjustments to debit interchange 
transaction fees for fraud-prevention costs. The provisions allow an 
issuer to receive an adjustment of 1 cent to its interchange 
transaction fee if the issuer develops, implements, and updates 
policies and procedures reasonably designed to identify and prevent 
fraudulent electronic debit transactions; monitor the incidence of, 
reimbursements received for, and losses incurred from fraudulent 
electronic debit transactions; respond appropriately to suspicious 
electronic debit transactions so as to limit the fraud losses that may 
occur and prevent the occurrence of future fraudulent electronic debit 
transactions; and secure debit card and cardholder data. If an issuer 
meets these standards and wishes to receive the adjustment, it must 
certify its eligibility to receive the fraud-prevention adjustment to 
the payment card networks in which the issuer participates.

DATES: The interim final rule is effective October 1, 2011.
    Comment Period: Comments must be submitted by September 30, 2011.

ADDRESSES: You may submit comments, identified by Docket No. R-1404 and 
RIN No. 7100 AD 63, by any of the following methods:
    Agency Web Site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
    Federal eRulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
    E-mail: regs.comments@federalreserve.gov. Include the docket number 
in the subject line of the message.
    Fax: (202) 452-3819 or (202) 452-3102.
    Mail: Jennifer J. Johnson, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue, NW., 
Washington, DC 20551.
    You must use only one method when submitting comments. All public 
comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
unless modified for technical reasons. Accordingly, your comments will 
not be edited to remove any identifying or contact information.
    Public comments may also be viewed electronically or in paper in 
Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) 
between 9 a.m. and 5 p.m. on weekdays.

FOR FURTHER INFORMATION CONTACT: Dena Milligan, Attorney (202/452-
3900), Legal Division, David Mills, Manager and Economist (202/530-
6265), Division of Reserve Bank Operations & Payment Systems; for users 
of Telecommunications Device for the Deaf (TDD) only, contact (202/263-
4869); Board of Governors of the Federal Reserve System, 20th and C 
Streets, NW., Washington, DC 20551.

SUPPLEMENTARY INFORMATION

I. Section 920 of the Electronic Fund Transfer Act

    The Dodd-Frank Wall Street Reform and Consumer Protection Act (the 
``Dodd-Frank Act'') (Pub. L. 111-203, 124 Stat. 1376 (2010)) was 
enacted on July 21, 2010. Section 1075 of the Dodd-Frank Act amends the 
Electronic Fund Transfer Act (``EFTA'') (15 U.S.C. 1693 et seq.) by 
adding a new Section 920 regarding interchange transaction fees and 
rules for payment card transactions.
    Section 920 of the EFTA provides that, effective July 21, 2011, the 
amount of any interchange transaction fee that an issuer receives or 
charges with respect to an electronic debit transaction must be 
reasonable and proportional to the cost incurred by the issuer with 
respect to the transaction. This section requires the Board to 
establish standards for assessing whether an interchange transaction 
fee is reasonable and proportional to the cost incurred by the issuer 
with respect to the transaction. The Board has separately adopted a 
final rule implementing standards for assessing whether interchange 
transaction fees meet the requirements of Section 920(a) and 
establishing rules regarding routing choice and network exclusivity 
required by Section 920(b).\1\
---------------------------------------------------------------------------

    \1\ Regulation II (published elsewhere in the Federal Register), 
defines an interchange transaction fee (or ``interchange fee'') to 
mean any fee established, charged, or received by a payment card 
network and paid by a merchant or acquirer for the purpose of 
compensating an issuer for its involvement in an electronic debit 
transaction.
---------------------------------------------------------------------------

    Under EFTA Section 920(a)(5), the Board may allow for an adjustment 
to an interchange transaction fee amount received or charged by an 
issuer if (1) Such adjustment is reasonably necessary to make allowance 
for costs incurred by the issuer in preventing fraud in relation to 
electronic debit card transactions involving that issuer, and (2) the 
issuer complies with fraud-prevention standards established by the 
Board. Those standards must be designed to ensure that any adjustment 
is limited to the reasonably necessary fraud-prevention allowance 
described in clause (1) Above; takes into account any fraud-related 
reimbursements received from consumers, merchants, or payment card 
networks (including amounts from chargebacks) in relation to electronic 
debit transactions involving the issuer; and requires issuers to take 
effective steps to reduce the occurrence of, and costs from, fraud in 
relation to electronic debit transactions, including through the 
development and implementation of cost-effective fraud-prevention 
technology.\2\
---------------------------------------------------------------------------

    \2\ Regulation II defines electronic debit transaction (or 
``debit card transaction'') to mean the use of a debit card (which 
includes a general-use prepaid card), by a person as a form of 
payment in the United States to initiate a debit to an account. This 
term does not include transactions initiated at an automated teller 
machine (ATM), including cash withdrawals and balance transfers 
initiated at an ATM.
---------------------------------------------------------------------------

    In issuing the standards and prescribing regulations for the 
adjustment, the Board must consider (1) The nature, type, and 
occurrence of fraud in electronic debit transactions; (2) the extent to 
which the occurrence of fraud depends on whether the authentication in 
an electronic debit transaction is based on a signature, personal 
identification number (PIN), or other means; (3) the available and 
economical means by which fraud on electronic debit transactions may be 
reduced; (4) the fraud-prevention and data-security costs expended by 
each party involved in the electronic debit transactions (including 
consumers, persons who accept debit cards as a form of payment, 
financial institutions, retailers, and payment card networks); (5) the 
costs of fraudulent transactions absorbed by each party involved in 
such transactions (including consumers, persons who accept debit cards 
as a form of payment, financial institutions, retailers, and payment 
card networks); (6) the extent to which interchange transaction fees 
have in the past reduced or increased incentives for

[[Page 43479]]

parties involved in electronic debit transactions to reduce fraud on 
such transactions; and (7) such other factors as the Board considers 
appropriate.

II. Outreach and Information Collection

    Following the enactment of the Dodd-Frank Act, the Board gathered 
information about fraud-prevention programs in the debit card industry 
in several ways. Board staff held numerous meetings with debit card 
issuers, payment card networks, merchant acquirers, merchants, industry 
trade associations, and consumer groups to discuss these programs. 
Topics discussed in those meetings included technological innovation in 
fraud prevention, fraud loss allocation among parties to electronic 
debit transactions, and fraud risk associated with different types of 
electronic debit transactions (e.g., signature and PIN debit 
transactions).
    In September 2010, the Board surveyed 131 bank holding companies 
and other financial institutions that, together with affiliates, have 
assets of $10 billion or more, and 16 payment card networks. As part of 
those surveys, the Board gathered information about the nature, type, 
and occurrence of fraud in electronic debit transactions; the losses 
due to fraudulent transactions absorbed by parties involved in those 
transactions; and the fraud-prevention and data-security activities and 
costs and related research and development costs (herein, collectively, 
referred to as fraud-prevention activities and costs) incurred by 
issuers in 2009.\3\ From these surveys, the Board was able to estimate 
industry-wide fraud losses to all parties of a debit card transaction 
and to perform a more detailed analysis of fraud losses by type of 
authentication method (e.g., PIN or signature). The survey data also 
provided an estimate of the loss allocation among parties to the 
transaction.\4\
---------------------------------------------------------------------------

    \3\ The surveys also requested information regarding the number 
of cards and accounts, the number and value of debit card 
transactions processed, interchange revenue received from networks, 
various costs associated with processing debit card transactions and 
operating a card program, and exclusivity arrangements and routing 
procedures.
    \4\ The Board reported preliminary survey results in the 
proposed rule (See 75 FR 81740-41, Dec. 28, 2010). Since that time, 
Board staff has further analyzed the data and addressed a number of 
minor problems, changing the number of usable responses. Fur 
example, some issuers provided fraud loss for certain types of fraud 
but did not report total fraud losses. In those instances, the sum 
of the reported fraud losses was used as that respondent's total 
fraud loss. In other instances, issuers misreported total fraud 
losses in a different field. Those totals were included in 
subsequent analysis of the data. In addition, prepaid fraud loss and 
fraud-prevention cost data have been included where appropriate. 
Therefore, in certain instances, some data reported in the initial 
proposal have changed. These data are reported separately (see 
``2009 Interchange Revenue, Covered Issuer Cost, and Covered Issuer 
and Merchant Fraud Loss Related to Debit Card Transactions'' 
published on the Board's Web site at http://www.federalreserve.gov), 
and some data are discussed later in this notice.
---------------------------------------------------------------------------

III. Proposal

    In December 2010, the Board requested comment on proposed 
Regulation II, Debit Card Interchange Fees and Routing.\5\ As part of 
that proposal, the Board requested comment on two approaches to 
designing a framework for the fraud-prevention adjustment to the 
interchange transaction fee: A technology-specific approach and a non-
prescriptive approach.\6\ The technology-specific approach would allow 
an issuer to recover some or all of its costs incurred for implementing 
major innovations that would likely result in substantial reductions in 
fraud losses. Under this approach, the Board would identify paradigm-
shifting technologies that would reduce debit card fraud in a cost-
effective manner. The alternative approach would establish a more 
general standard that an issuer must meet to be eligible to receive an 
adjustment for fraud-prevention costs.
---------------------------------------------------------------------------

    \5\ A final rule addressing other provisions in Regulation II is 
published elsewhere in the Federal Register.
    \6\ See 75 FR 81742-81743 (Dec. 28, 2010).
---------------------------------------------------------------------------

    The Board requested comment on various aspects of these approaches. 
For example, the Board requested information about the benefits and 
drawbacks of each approach, possible frameworks to implement the 
approaches, and the technologies or types of fraud-prevention 
activities whose costs should be considered under each approach. The 
Board also asked whether there were additional approaches that should 
be considered. Given survey data showing a substantially lower 
incidence of fraud for PIN debit transactions in comparison to 
signature-debit transactions, the Board also asked whether an 
adjustment should only be for PIN-based transactions.\7\ The Board 
noted that comments received would be considered in the development of 
a specific proposal for further public comment.
---------------------------------------------------------------------------

    \7\ Survey data shows that signature-debit fraud losses are 
approximately four times PIN-debit fraud losses.
---------------------------------------------------------------------------

IV. Overview of Comments and Interim Final Rule

    The Board received numerous comments on the fraud-prevention 
adjustment from issuers, depository institution trade associations, 
payment card networks, merchants, merchant trade associations, 
individuals, consumer groups, technology companies, consultants, other 
government agencies, and members of Congress.
    The comments were generally focused on four main topics: (1) 
Whether the overall framework for the adjustment should be technology-
specific or non-prescriptive; (2) what form the fraud-prevention 
adjustment should take, i.e., should the adjustment be tied to an 
eligible issuers' costs, perhaps up to a specific cap, or be uniform 
across eligible issuers; (3) whether the adjustment should apply only 
to particular authentication methods, such as for PIN-based 
authentication; and (4) the time frame for the effective date for the 
fraud-prevention adjustment. These comments are summarized below and 
are described in more detail in the Section Analysis.
    Although there was not agreement on whether to pursue a technology-
specific or non-prescriptive approach, commenters generally agreed that 
the Board should not mandate use of specific technologies. Merchant 
commenters generally favored the paradigm-shifting approach.\8\ These 
commenters stated that the fraud-prevention adjustment should not cover 
costs associated with securing technologies that were known to be less 
effective at preventing fraud than other available technologies.\9\
---------------------------------------------------------------------------

    \8\ Merchants proposed a framework where an issuer receives an 
adjustment only if both the merchant and issuer use an eligible low-
fraud technology.
    \9\ For example, merchant commenters argued that the fraud-
prevention adjustment should not include activities aimed at 
securing signature debit transactions when PIN transactions are 
known to have lower incidence of fraud and lower average fraud loss 
per incident.
---------------------------------------------------------------------------

    In contrast, issuer commenters of all sizes and payment card 
networks preferred the non-prescriptive approach that would allow 
issuers to have the flexibility to tailor their fraud-prevention 
activities to address most effectively the risks they faced associated 
with changing fraud patterns. Issuer commenters also opposed a fraud-
prevention adjustment only for particular authentication methods, 
noting that an adjustment favoring a particular authentication method 
may not provide sufficient incentives to invest in other potentially 
more effective authentication methods.
    In addition, among all types of commenters, there was a general 
consensus that the fraud-prevention adjustment should be effective at 
the same time as the interchange fee

[[Page 43480]]

standard--either on July 21, 2011, or at a later date as suggested by 
some commenters. Many merchant commenters believed that the Board 
demonstrated that it had sufficient information to establish a fraud-
prevention adjustment by the statutory effective date. Some commenters, 
particularly issuers and networks, argued that it was important to have 
the fraud-prevention adjustment in place alongside the rest of the 
interchange fee standards in order to avoid any gaps in the ability to 
fund certain fraud-prevention activities.
    Under the interim final rule, if an issuer meets standards set 
forth by the Board, it may receive or charge a fraud-prevention 
adjustment of no more than 1 cent per transaction to any interchange 
transaction fee it receives or charges in accordance with Sec.  235.3. 
To be eligible to receive the fraud-prevention adjustment, an issuer 
must develop and implement policies and procedures reasonably designed 
to (1) Identify and prevent fraudulent electronic debit transactions; 
(2) monitor the incidence of, reimbursements received for, and losses 
incurred from fraudulent electronic debit transactions; (3) respond 
appropriately to suspicious electronic debit transactions so as to 
limit the fraud losses that may occur and prevent the occurrence of 
future fraudulent electronic debit transactions; and (4) secure debit 
card and cardholder data. An issuer must review its fraud-prevention 
policies and procedures at least annually, and update them as necessary 
to address changes in the prevalence and nature of fraudulent 
electronic debit transactions and the available methods of detecting, 
preventing, and mitigating fraud. Finally, the issuer must certify, on 
an annual basis, its compliance with the Board's standards to the 
payment card networks in which the issuer participates.\10\
---------------------------------------------------------------------------

    \10\ The interim final rule applies to issuers and cards that 
are covered under the interchange fee standards. See discussion of 
the exemptions to the interchange fee standards in Sec.  235.5 of 
Regulation II, Debit Card Interchange Fee and Routing--Final Rule, 
published elsewhere in the Federal Register.
---------------------------------------------------------------------------

    The interim final rule will be effective concurrent with the 
interchange fee standard on October 1, 2011. Issuers must comply with 
the Board's fraud-prevention standards by that date in order to receive 
or charge the fraud-prevention adjustment to the interchange 
transaction fee on that date. The Board requests comment on all aspects 
of the interim final rule and will consider these comments in 
developing the final rule.

V. Section Analysis

    Section 235.4 sets forth the circumstances under which an issuer 
may receive or charge a fraud-prevention adjustment as an amount in 
addition to the amount permitted as an interchange transaction fee 
under Sec.  235.3. Section 235.4 also prescribes the maximum amount of 
such adjustment.

A. Statutory Considerations

    EFTA Section 920(a)(5) requires the Board to consider several 
different factors in prescribing regulations related to the fraud-
prevention adjustment. This section discusses each of those factors.
    Nature, type, and occurrence of fraud. The Board's survey of debit 
card issuers and payment card networks provided information about the 
nature, type, and occurrence of fraud in electronic debit transactions. 
From the card issuer and network surveys, the Board estimates that 
industry-wide fraud losses to all parties of debit (including prepaid) 
card transactions were approximately $1.34 billion in 2009.\11\ Based 
on data provided by covered issuers, about 0.04 percent of purchase 
transactions were fraudulent, with an average loss per purchase 
transaction of about 4 cents, or about 9 basis points of transaction 
value.\12\
---------------------------------------------------------------------------

    \11\ Industry-wide fraud losses were extrapolated from data 
reported in the issuer and network surveys conducted by the Board. 
Of the 89 issuers that responded to the issuer survey, 52 issuers 
provided data on fraud losses related to their debit (including 
prepaid) card transactions. These issuers reported $726 million in 
fraud losses to all parties of card transactions and represented 54 
percent of the total transactions reported by networks.
    \12\ The percent of purchase transactions that are fraudulent is 
the number of fraudulent transactions divided by the number of 
purchase transactions. The average loss per purchase transaction is 
the dollar amount of fraud losses divided by the number of purchase 
transactions. The average loss per purchase transaction in basis 
points is the dollar amount of fraud losses divided by the dollar 
amount of purchase transactions.
---------------------------------------------------------------------------

    The most commonly-reported and highest cost fraud types were 
counterfeit card fraud, lost and stolen card fraud, and mail, 
telephone, and Internet order (i.e., card-not-present) fraud.\13\ For 
signature and PIN debit card (including prepaid card) transactions 
combined, counterfeit card fraud represented 0.01 percent of all 
purchases transactions with an average loss of 2 cents per transaction 
and 4 basis points of transaction value. Lost and stolen card fraud was 
less than 0.01 percent of all purchase transactions with an average 
loss of 1 cent per transaction and 1 basis point of transaction value. 
Mail, telephone, and Internet order fraud was 0.01 percent of all 
purchase transactions with an average loss of 1 cent per transactions 
and 2 basis points of transaction value.
---------------------------------------------------------------------------

    \13\ Some issuers reported ATM fraud, which was excluded from 
fraud loss totals because ATM transactions are not defined in the 
statute or final rule as electronic debit transactions.
---------------------------------------------------------------------------

    Extent to which the occurrence of fraud depends on authentication 
mechanism. The issuer survey data also provided information about the 
extent to which the occurrence of fraud depends on whether the 
transaction is authenticated with a signature or a PIN. Of the 
approximately $1.34 billion estimated industry-wide fraud losses, about 
$1.11 billion of these losses arose from signature debit card 
transactions and about $181 million arose from PIN debit card 
transactions.\14\ The higher losses for signature debit card 
transactions are attributable to both a higher rate of fraud and higher 
transaction volume for signature debit card transactions. The data 
showed that about 0.06 percent of signature debit and 0.01 percent of 
PIN debit purchase transactions were reported as fraudulent. For 
signature debit, the average loss was 5 cents per transaction, and 
represented about 13 basis points of transaction value. For PIN debit, 
the average loss was 1 cent per transaction, and was almost 3 basis 
points of transaction value. Thus, on a per-dollar basis, signature 
debit fraud losses are approximately 4 times PIN debit fraud 
losses.\15\
---------------------------------------------------------------------------

    \14\ The sum of card program fraud losses will not equal the 
industry-wide fraud losses due to different sample sizes and 
rounding.
    \15\ The survey data did not break out prepaid card PIN 
transactions from prepaid card signature transactions. For all 
prepaid debit transactions, about 0.03 percent of purchase 
transactions were fraudulent, the average loss was 1 cent per 
transaction, and 4 basis points of transaction value.
---------------------------------------------------------------------------

    The different fraud loss rates for signature and PIN transactions 
reflect, in part, differences in the ease of fraud associated with the 
two authentication methods. A signature debit card transaction requires 
information that is typically contained on the card itself in order for 
card and cardholder authentication to take place. Therefore, a thief 
only needs to steal information on the card in order to commit 
fraud.\16\ In contrast, a PIN debit card transaction requires not only 
information contained on the card itself, but also something only the 
cardholder should know, namely the PIN. In this case, a thief generally 
needs both the information on the card and the cardholder's PIN to 
commit fraud.
---------------------------------------------------------------------------

    \16\ Among other things, information on the card includes the 
card number, the cardholder's name, and the cardholder's signature.
---------------------------------------------------------------------------

    Virtually all Internet debit card transactions are routed over 
signature

[[Page 43481]]

debit networks. Card issuers responding to the Board's survey reported 
that, in signature debit systems, fraud losses for all parties to card-
not-present transactions were higher than fraud losses for card-present 
transactions. On a transactions-weighted average, card-not-present 
fraud losses represented 17 basis points of the value of card-not-
present signature debit transactions. Card-present fraud losses 
represented 11 basis points of the value of card-present signature 
debit transactions and were over 3 times greater than the fraud loss 
value, in basis points, associated with PIN debit card-present 
transactions.
    Available and economical means by which fraud may be reduced. The 
Board requested information about issuers' fraud-prevention activities 
and costs in its survey. Issuers identified several categories of 
activities used to detect, prevent, and mitigate fraudulent electronic 
debit transactions, including transaction monitoring; merchant 
blocking; card activation and authentication systems; PIN 
customization; system and application security measures, such as 
firewalls and virus protection software; and ongoing research and 
development focused on making an issuer's fraud-prevention practices 
more effective.
    The median amount spent by issuers on all reported fraud-prevention 
activities was approximately 1.8 cents per transaction. The most 
commonly reported fraud-prevention activity was transaction monitoring, 
which generally includes activities related to the authorization of a 
particular electronic debit transaction, such as the use of neural 
networks and automated fraud risk scoring systems that may lead to the 
denial of a suspicious transaction. At the median, issuers reported 
spending approximately 0.7 cents per transaction on transactions 
monitoring activity.\17\
---------------------------------------------------------------------------

    \17\ Transaction monitoring costs were included in the costs 
used as the basis for the interchange fee standard rather than the 
fraud-prevention adjustment. See discussion of Sec.  235.4(a) below.
---------------------------------------------------------------------------

    Fraud-prevention costs expended by different parties. All parties 
to debit card transactions incur fraud-prevention costs. For example, 
some consumers routinely monitor their accounts for unauthorized debit 
card purchases; however, consumer costs are difficult to quantify. Some 
issuers, merchants, and acquirers pay networks, processors, or third-
party vendors for fraud-prevention tools such as neural networks and 
access to databases about compromised cards and accounts. In addition 
to services they may purchase from others, merchants may develop their 
own fraud-prevention tools. For example, many large online merchants 
implement extra security measures to verify the legitimacy of a 
purchase. Typically these checks occur between the time a card is 
authorized by the issuer and the product is shipped to the purchaser. 
In their comments, several online merchants noted that they have 
developed sophisticated fraud risk management systems that include both 
manual review and automated processes, which have reduced fraud rates 
to levels at or below card-present rates at other merchants. In 
addition to these investments, merchants also take steps to secure data 
and comply with Payment Card Industry Data Security Standards (PCI-
DSS).\18\ In their comments, several merchants noted that these 
compliance costs can be substantial. As discussed more fully elsewhere 
in this notice, issuers incur costs for a variety of fraud-prevention 
activities.
---------------------------------------------------------------------------

    \18\ The Payment Card Industry (PCI) Security Standards Council 
was founded in 2006 by five card networks--Visa, Inc., MasterCard 
Worldwide, Discover Financial Services, American Express, and JCB 
International. These card brands share equally in the governance of 
the organization, which is responsible for development and 
management of PCI Data Security Standards (PCI-DSS). PCI-DSS is a 
set of security standards that all payment system participants, 
including merchants and processors, are required to meet in order to 
participate in payment card systems.
---------------------------------------------------------------------------

    Costs of fraudulent transactions absorbed by the different parties. 
Using the issuer survey data, the Board estimated the cost of 
fraudulent transactions absorbed by different parties to a debit card 
transaction. Based on the issuer survey responses, almost all of the 
reported fraud losses associated with debit card transactions fall on 
the issuers and merchants.\19\ In particular, across all types of 
transactions, 62 percent of reported fraud losses were borne by issuers 
and 38 percent were borne by merchants.
---------------------------------------------------------------------------

    \19\ Most issuers reported that they offer zero or very limited 
liability to cardholders, in addition to the EFTA limits on consumer 
liability for unauthorized electronic fund transfers afforded to 
consumers, such that the fraud loss borne by cardholders is 
negligible. See 15 U.S.C. 1693g and 12 CFR 205.6. Payment card 
networks and merchant acquirers also reported very limited fraud 
losses for themselves.
---------------------------------------------------------------------------

    The distribution of fraud losses between issuers and merchants 
depends, in part, on the authentication method used in a debit card 
transaction. Issuers and payment card networks reported that nearly all 
the fraud losses associated with PIN debit card transactions (96 
percent) were borne by issuers. In contrast, reported fraud losses were 
distributed much more evenly between issuers and merchants for 
signature debit card transactions. Specifically, issuers and merchants 
bore 59 percent and 41 percent of signature debit fraud losses, 
respectively.\20\
---------------------------------------------------------------------------

    \20\ For prepaid card transactions, issuers bore two-thirds and 
merchants bore one-third of fraud losses.
---------------------------------------------------------------------------

    In general, merchants are subject to greater liability for fraud in 
card-not-present transactions than in card-present transactions. 
According to the survey data, merchants assume approximately 74 percent 
of signature debit card fraud for card-not-present transactions, 
compared to 23 percent for card-present signature debit card fraud.\21\
---------------------------------------------------------------------------

    \21\ These percentages may differ from those noted in the 
Board's proposal (See 75 FR 81741, Dec. 28, 2010) because the number 
of usable survey responses has changed.
---------------------------------------------------------------------------

    Extent to which interchange transaction fees have in the past 
affected fraud-prevention incentives. Issuers have a strong incentive 
to protect cardholders and reduce fraud independent of interchange fees 
received. Competition for cardholders suggests that protecting their 
cardholders from fraud is good business practice for issuers. Higher 
interchange revenues may have allowed issuers to offset both their 
fraud losses and fraud-prevention costs and fund innovation on fraud-
prevention tools and activities. Merchant commenters argued that, 
historically, the higher interchange revenue for signature debit 
relative to PIN debit has encouraged issuers to promote the use of 
signature debit over PIN debit, even though signature debit has 
substantially higher rates of fraud.

B. Section 235.4(a) Adjustment Amount

    Section 235.4(a) permits an issuer to increase the amount of the 
interchange transaction fee it may receive or charge under Sec.  235.3 
by no more than 1 cent if the issuer complies with the standards in 
Sec.  235.4(b). Section 235.4(a) does not differentiate the adjustment 
by authentication method or by type of transaction.\22\
---------------------------------------------------------------------------

    \22\ For example, an issuer that complies with the fraud-
prevention standards would be eligible to receive an interchange fee 
equal to the sum of the 21 cent base component, the 5 basis point ad 
valorem component, and the 1 cent fraud-prevention adjustment, 
equaling a total of 22 cents plus 5 basis points of the 
transaction's value for each electronic debit transaction.
---------------------------------------------------------------------------

1. Request for Comment and Comments Received
    To inform its rulemaking, the Board's December 2010 proposal 
requested comment on whether the fraud-prevention adjustment should use 
the same implementation approach as the interchange fee standard; that 
is, either (1) An issuer-specific adjustment, with a safe harbor and a 
cap, or (2) a cap regardless of an issuer's costs. In a

[[Page 43482]]

related question, the Board also asked whether the adjustment should 
apply only to PIN-based transactions, in light of the fact that, as 
reported above in the statutory considerations section, signature debit 
fraud losses are approximately four times PIN debit fraud losses on a 
per-dollar basis.
    In considering the implementation approach, many commenters 
referred to the statutory language that an adjustment should be 
``reasonably necessary to make allowance for costs incurred by the 
issuer in preventing fraud in relation to electronic debit card 
transactions involving that issuer.'' They pointed to the term 
``reasonably necessary'' as their basis for making arguments both for 
and against a cap on the amount of the adjustment. For example, most 
merchant commenters argued that it would be reasonably necessary for 
individual issuers to recover their initial capital costs for certain 
technologies, up to a cap equal to the cost associated with PIN debit 
card fraud-prevention activities.\23\ They supported a process where 
issuers offered technologies with fraud loss rates lower than that for 
PIN debit transactions and merchants could choose whether or not to 
adopt these technologies. One merchant commenter opposed both a fixed 
amount and a cap as being counter to fair market price negotiation 
between the issuers offering technologies and merchants choosing to 
adopt these technologies. This commenter also argued that allowing 
recovery up to a cap ignored the statutory language to make allowance 
for costs ``incurred by the issuer'' and that the relevant cost measure 
should be an individual issuer's costs.
---------------------------------------------------------------------------

    \23\ See comment from Merchants Payments Coalition.
---------------------------------------------------------------------------

    On the other hand, several issuer, network, and depository 
institution trade association commenters opposed a cap on the basis 
that it limited the recovery of costs that could be determined to be 
reasonably necessary to prevent fraud. Some of these commenters noted 
that any cap might reduce incentives to invest in innovative fraud-
prevention techniques. A few of them supported a safe harbor to reduce 
compliance and supervisory burden and to encourage effective fraud 
prevention.
    In response to the Board's question regarding whether a fraud-
prevention adjustment should be only for PIN debit transactions, 
merchant commenters highlighted the survey data indicating that 
signature-debit transactions experience higher average fraud losses 
than PIN-debit transactions. They expressed a concern that, in the 
past, interchange fees supported incentives for issuers to promote a 
less secure form of authentication. Both issuer and merchant commenters 
acknowledged that some types of sales environments preclude use of PIN 
authentication. However, merchant commenters asserted that, when 
signature and PIN methods are available both on the card and at the 
sales terminal, issuers often encourage cardholders to route the 
transaction using their signature rather than their PIN so that issuers 
could receive higher interchange revenue.
    A few issuers and networks commented that an adjustment only for 
PIN-based transactions would limit incentives to invest in potentially 
more effective authentication methods, such as dynamic data, that might 
not require a PIN. Some issuers commented that a fraud-prevention 
adjustment only for PIN debit transactions may limit fraud-prevention 
investments for non-PIN transactions, making these transactions less 
secure. According to these commenters, issuers may manage this risk by 
assessing cardholder fees on non-PIN transactions or by limiting the 
value allowed per transaction. These practices, asserted some issuers, 
may reduce sales or increase payment costs, especially for merchants 
that do not accept PIN debit cards. Merchant commenters, on the other 
hand, urged the Board to consider an adjustment only for technologies 
or methods with fraud loss rates lower than the rate for PIN debit card 
programs. These commenters argued that debit card transactions 
authorized with a PIN have a much lower fraud loss rate than those 
authorized with a signature. In particular, merchants did not want 
issuers to be reimbursed for efforts to better secure an inherently 
less secure authentication method.
2. Interim Final Rule
    Section 920(a)(5) permits the Board to allow an adjustment to the 
amount of an interchange fee that an issuer may receive if ``such 
adjustment is reasonably necessary to make allowance for costs incurred 
by the issuer in preventing fraud in relation to electronic debit 
transactions involving that issuer.'' Section 920(a)(5) of the EFTA 
does not specify what amount, or range of amounts, is considered 
``reasonably necessary to make allowance for'' an issuer's fraud-
prevention costs. The phrasing ``reasonably necessary to make allowance 
for'' fraud-prevention costs does not require a direct connection 
between the fraud-prevention adjustment and actual issuer costs; the 
statute requires only that the adjustment be ``reasonably necessary'' 
and ``make an allowance for'' fraud-prevention costs. Moreover, the 
statute does not require the Board to set the adjustment so that each 
(or any) issuer fully recovers its fraud-prevention costs. Instead, the 
statute provides for an ``allowance for'' fraud-prevention costs. The 
Board believes that an amount that makes allowance for an issuer's 
fraud-prevention costs is one that gives consideration to those costs, 
and allows a reasonable recovery of those costs based on the 
considerations in Section 920(a)(5)(B)(ii) described above.\24\
---------------------------------------------------------------------------

    \24\ ``Allow for'' may be defined as ``to give consideration to 
circumstances or contingencies.'' Merriam-Webster Dictionary 
(``allow'' used with ``for'') (online edition).
---------------------------------------------------------------------------

    The statute also allows the Board, in setting a fraud-prevention 
adjustment, to consider such other factors as the Board considers 
appropriate.\25\ As explained below, the Board has considered the 
fraud-prevention costs of parties to electronic debit transactions, the 
incentives created by the adjustment, and other factors in setting the 
adjustment.
---------------------------------------------------------------------------

    \25\ See EFTA Section 920(a)(5)(B)(ii)(VII).
---------------------------------------------------------------------------

    The Board considered the fraud-prevention costs incurred by all 
parties to an electronic debit transaction: Consumers, merchants, 
payment card networks, processors, and issuers. The Board narrowed its 
focus to costs expended by merchants and issuers because most fraud-
prevention costs are ultimately borne by these parties, and the fraud-
prevention adjustment to the interchange transaction fee is effectively 
paid by merchants to issuers.
    The Board recognizes that both merchants and issuers incur costs 
associated with fraud prevention including, for example, costs to 
comply with PCI-DSS and network rules related to fraud prevention. In 
addition, several merchant commenters stated that they, like issuers, 
have natural incentives to protect customer information and to 
safeguard their reputations as careful trustees of this information. To 
maintain these reputations and to reduce their exposure to fraud 
losses, these commenters noted that they have made substantial 
investments in fraud-prevention measures, including, as one online 
merchant noted, analysis of Internet Protocol address, Internet service 
provider, and device ID information.
    For these reasons, the Board has adopted an interim final rule with 
a fraud-prevention adjustment set at issuer survey respondents' median 
fraud-prevention costs, minus those

[[Page 43483]]

fraud-prevention costs that are already part of the interchange fee 
standards.\26\ The median issuer's per-transaction fraud-prevention 
cost as reported in response to the Board's survey is 1.8 cents. In its 
final rule for the interchange fee standards, the Board has included 
costs of transaction-monitoring systems that are integral to the 
authorization of a transaction in its setting of the interchange 
transaction fee standards. Transaction monitoring systems assist in the 
authorization process by providing information to the issuer before the 
issuer decides to approve or decline the transaction. Because these 
costs are already included for all covered issuers as a basis for 
establishing the interchange fee standards, they are excluded from the 
costs used to determine the fraud-prevention adjustment.\27\ Issuers 
were instructed to separately report the costs of each type of fraud-
prevention activity to the extent possible, and the median issuer's 
transactions-monitoring cost is 0.7 cents per transaction. The fraud-
prevention adjustment of 1 cent represents the difference between the 
median fraud-prevention cost of 1.8 cents less the median transactions-
monitoring cost of 0.7 cents, rounded to the nearest cent.
---------------------------------------------------------------------------

    \26\ The fraud-prevention adjustment does not include an 
allowance for fraud losses. EFTA Section 920(a)(5)(A)(i) limits the 
adjustment to ``costs incurred by the issuer in preventing fraud.'' 
Fraud losses are not costs incurred to prevent fraud. The Board 
includes issuer fraud losses as a basis for the establishment of the 
interchange fee standards in Sec.  235.3 of the final rule. See 
notice elsewhere in the Federal Register.
    \27\ The median cost of fraud-prevention activities tied to 
authorization is about 0.7 cents.
---------------------------------------------------------------------------

    The median of the remaining fraud-prevention costs provides some 
issuers with recovery of all of these costs and other issuers with 
recovery of some of these costs. The Board believes that the median 
allowance helps to offset the costs of implementing activities that are 
effective at reducing fraud losses while placing cost discipline on 
issuers to ensure that those fraud-prevention activities are also cost 
effective and recognizing that fraud-prevention costs are incurred by 
both merchants and issuers. An issuer that meets the Board standards 
(discussed below) may receive the adjustment, even if its fraud-
prevention costs are below the median, and no issuer may receive more 
than the median, regardless of its fraud-prevention costs.
    The Board is concerned that limiting an adjustment to 
authentication methods available today, or a subset of those methods, 
may not allow flexibility for issuers to develop other methods of 
authentication that may be more effective than today's alternatives and 
may not require a PIN. It may also reduce the incentives for issuers to 
improve fraud-prevention techniques for systems that, for a variety of 
reasons, experience higher fraud rates. Further, the interchange fee 
standards set a maximum permissible interchange fee that an issuer may 
receive for electronic debit transactions, irrespective of 
authentication method. Because issuers are less likely to receive a 
higher interchange fee for signature-based transactions, issuer 
processing costs for PIN debit transactions are generally less than 
those for signature debit transactions, and fraud losses are 
significantly lower for PIN debit transactions than for signature debit 
transactions, the Board believes that issuers' incentives to encourage 
cardholders to use their signature rather than their PIN to 
authenticate transactions at the point of sale will diminish.
    For these reasons, the Board has adopted a fraud-prevention 
adjustment that is the same for each type authentication method.

C. Section 235.4(b)--Adoption of Non-Prescriptive Standards

1. Request for Comment and Comments Received
    As discussed above, the Board's proposed rule did not contain a 
specific proposal for the fraud-prevention adjustment. Instead, the 
Board requested comment on two general approaches to the adjustment: A 
technology-specific approach and a non-prescriptive approach. The 
technology-specific approach was described as allowing issuers to 
recover some or all of its costs, perhaps up to a cap, incurred for 
implementing major innovations that would likely result in substantial 
reductions in fraud losses. As described in the proposed rule, the 
Board would identify paradigm-shifting technologies that would reduce 
debit card fraud in a cost-effective manner. The Board noted this 
approach might help spur adoption of technologies eligible for a fraud-
prevention adjustment. At the same time, it might also reduce issuer 
incentives to invest in more effective and less costly technologies not 
identified by the Board.
    Although neither merchant nor issuer commenters supported the Board 
mandating specific technologies, merchants and their trade associations 
preferred the technology-specific approach. Many merchants proposed 
that issuers be required to make specific technologies available to 
merchants that reduce fraud losses to a level lower than that 
associated with PIN debit transactions. They asserted that their 
proposal allowed the market, and not the Board, to determine 
technologies that are eligible for a fraud-prevention adjustment.\28\ A 
merchant commenter suggested that this test could be further 
conditioned based on the riskiness of particular merchants. For 
example, the calculation of the fraud-prevention adjustment could 
consider the rate of fraud-related chargebacks to merchants, and those 
merchants with higher rates would pay a higher fraud-prevention 
adjustment than would those with lower rates, still up to a cap. One 
commenter noted that a metrics-based approach could be applied at the 
issuer level rather than at the technology level. For example, only 
issuers with a rate of fraud losses lower than the industry average may 
be eligible to receive or charge a fraud-prevention adjustment.
---------------------------------------------------------------------------

    \28\ See letter from Merchants Payments Coalition. Although the 
Merchants Payments Coalition did not propose that the Board identify 
technologies in its standards, it did propose that any technologies 
issuers want to offer to merchants undergo an application and 
approval process, including a public comment period, managed by the 
Board.
---------------------------------------------------------------------------

    Alternatively, the non-prescriptive approach would entail a more 
general set of standards that an issuer must meet to be eligible to 
receive an adjustment for fraud-prevention costs. Such standards could 
require issuers to take steps reasonably necessary to maintain an 
effective fraud-prevention program but not prescribe specific 
technologies that must be employed as part of the program. This 
approach maintains issuer flexibility in responding to emerging and 
changing fraud risks.\29\
---------------------------------------------------------------------------

    \29\ For a more detailed description of the two approaches 
proposed by the Board, see 75 FR 81742-81743 (Dec. 28, 2010).
---------------------------------------------------------------------------

    In their comments, issuers of all sizes, depository institution 
trade associations, payment card networks, and a federal regulatory 
agency preferred the non-prescriptive approach for a variety of 
reasons. Many of these commenters argued that debit card fraud is 
dynamic and requires issuers and networks to innovate on an ongoing 
basis in order to develop new responses to existing and emerging fraud 
risks. The flexibility to develop creative and timely responses, they 
noted, is important for detecting and preventing debit card fraud. 
Moreover, several of these commenters noted that the industry is better 
positioned than the Board to adapt fraud-prevention programs in a 
timely manner to respond effectively to changing fraud patterns.\30\
---------------------------------------------------------------------------

    \30\ A few commenters, primarily technology vendors, 
consultants, and technology associations, supported the Board 
mandating particular technologies, such as chip and PIN or 
biometrics.

---------------------------------------------------------------------------

[[Page 43484]]

    Many of these commenters expressed concerns with the 
identification, in any context, of particular technologies eligible for 
a fraud-prevention adjustment under a possible technology-specific 
approach. For example, several commenters suggested that this approach 
assumes that a single or limited set of technologies is more effective 
at reducing fraud losses than implementing a variety of technologies, 
practices, and methods in combination. To the extent that a set of 
technologies is identified, these commenters believed issuers would 
most likely invest in the set of technologies for which they can 
recover their costs. As a result, they asserted, competition among 
issuers (and networks) in fraud prevention will most likely be reduced. 
These commenters also echoed a concern noted by the Board in its 
December 2010 proposal--a risk that issuers would underinvest in new, 
non-eligible technologies, which may be more effective and less costly 
than those identified in the standard. Finally, a few of these 
commenters suggested that defining a list of eligible technologies 
would provide valuable information to fraudsters in their efforts to 
weaken mechanisms designed to strengthen security in the payment 
system. According to these commenters, such a list would also provide 
fraudsters with a good sense of the technologies most likely to be 
adopted, if they were not already, by the industry. Ultimately, these 
commenters argued that this information could make technologies that 
have been identified less effective over the long term.
2. Non-Prescriptive Approach
    EFTA Section 920(a)(5) states that the Board's standards must 
require an issuer to take effective steps to reduce the occurrence of, 
and costs from, fraudulent electronic debit transactions and must 
ensure that an issuer implement ``cost-effective'' fraud-prevention 
technologies. As explained below, the Board is adopting standards for 
assessing whether the fraud-prevention program for an issuer is 
designed to reduce fraudulent debit card activity effectively. In 
assessing whether a program is effective, the Board does not believe 
that Section 920(a)(5) requires that the program prevent all fraud in 
order for an issuer to qualify for the fraud-prevention adjustment.
    The dynamic nature of the debit card fraud environment requires 
standards that permit issuers to determine themselves the best methods 
to detect, prevent, and mitigate fraud losses for the size and scope of 
their debit card program and to respond to frequent changes in fraud 
patterns. Standards that incorporate a technology-specific approach do 
not provide sufficient flexibility to issuers to design and adapt 
policies and procedures that best meet a particular issuer's needs and 
that would most effectively reduce fraud losses for all parties to a 
transaction.
    A variety of factors may affect the incidence of fraudulent 
electronic debit transactions and losses from those transactions, not 
all of which can be addressed solely by actions taken by issuers. For 
example, an acquirer or merchant processor used by merchants frequented 
by an issuer's cardholders may experience a data breach that increases 
the number of fraudulent transactions and losses for an issuer. An 
issuer's policies and procedures, however, may be able to mitigate the 
occurrence of, and costs from, fraudulent electronic debit transactions 
resulting from such a data breach. In this circumstance, an issuer's 
fraud-prevention policies and procedures may be effective, 
notwithstanding the fact that the issuer may have incurred a higher 
incidence of fraudulent electronic debit transactions than in more 
typical years.
    Another factor affecting fraud trends is the nature of the fraud 
environment as a ``cat and mouse'' game. For example, as new and more 
effective fraud-prevention practices are employed by issuers, these 
practices will become targets for fraudsters wanting to compromise card 
and cardholder data. As technologies become less effective because of 
these efforts by fraudsters, issuers will be expected to find new ways 
to strengthen their fraud-prevention measures. To encourage improvement 
in fraud-prevention efforts, the interim final rule requires an issuer 
to review its policies and procedures, at least annually, and update 
them to address changes in the prevalence and nature of fraudulent 
electronic debit transactions and available fraud-prevention methods.
    Specifying, and limiting the set of, technologies for which issuers 
recover their costs may weaken the long-term effectiveness of these 
technologies. For example, the risk that fraudsters may use this list 
as a way to focus their efforts to compromise card and cardholder data 
is material. For these reasons, the Board is adopting as an interim 
final rule, and requesting comment on, a non-prescriptive approach for 
the fraud-prevention adjustment. The Board invites public comment on 
all aspects of the interim final rule, including the questions 
specifically raised throughout the notice, and will adjust the rule as 
appropriate after consideration of comments received.
3. Develop and Implement Policies and Procedures
    Section 235.4(b)(1) requires that in order to be eligible to 
receive a fraud-prevention adjustment, an issuer must develop and 
implement policies and procedures reasonably designed to (1) Identify 
and prevent fraudulent electronic debit transactions; (2) monitor the 
incidence of, reimbursements received for, and losses incurred from 
fraudulent electronic debit transactions; (3) respond appropriately to 
suspicious electronic debit transactions so as to limit the fraud 
losses that may occur and prevent the occurrence of future fraudulent 
electronic debit transactions; and (4) secure debit card and cardholder 
data.
    Procedures may include practices, activities, methods, or 
technologies that are used to implement and make effective an 
institution's fraud-prevention policies. Together, these policies and 
procedures shall be reasonably designed to detect, prevent, and 
mitigate fraudulent electronic debit transactions and as provided for 
in Sec.  235.4(b)(1)(i-iv). Comment 4(b)-1 clarifies that an issuer 
must both develop and implement effective policies and procedures.
    Comment 4(b)-2 discusses the types of fraud that an issuer's 
policies and procedures should address. In its proposal, the Board did 
not include regulatory language to define ``fraudulent electronic debit 
transaction'' but suggested in the preamble that fraud in the debit 
card context should be defined as ``the use of a debit card (or 
information associated with a debit card) by a person, other than the 
cardholder, to obtain goods, services, or cash without authority for 
such use.\31\ This definition is derived from the EFTA's definition of 
``unauthorized electronic fund transfer.'' (15 U.S.C. 1693a(11)). One 
commenter stated that the definition of ``fraud'' should be expanded to 
include so-called ``friendly fraud'' where the cardholder authorizes 
the transaction and later claims the transaction cardholder did not 
engage in the transaction.
---------------------------------------------------------------------------

    \31\ See 75 FR 81722, 81740 (Dec. 28, 2010).
---------------------------------------------------------------------------

    In contrast to elsewhere in the EFTA, Section 920 uses the term 
``fraud'' rather than ``unauthorized'' transaction. Accordingly, for 
purposes of Section 920(a)(5), fraud in relation to electronic debit 
transaction may encompass more

[[Page 43485]]

than ``unauthorized'' use of the card. For example, a cardholder may 
authorize payment to a fraudulent or ``phony'' merchant that does not 
deliver the expected goods or services to the cardholder. Another 
transaction that could be considered fraudulent, as suggested by 
commenters, is one in which the cardholder authorized the transaction 
and received the goods or services, but subsequently alleges 
fraudulently that the cardholder never received the goods or services. 
The Board has considered the comments and believes that fraud in 
electronic debit transactions is broader than unauthorized use and that 
whether a transaction is in fact fraudulent will depend on the facts 
and circumstances of the transaction.
    All types of fraud impose costs on system participants, and the 
issuer's costs associated with preventing all types of fraud may be 
considered when determining the fraud-prevention adjustment. Under the 
interim final rule, the policies and procedures that an issuer must 
implement in order to qualify for the fraud-prevention adjustment need 
not necessarily address types of fraud, such as authorized transactions 
with a fraudulent merchant, that issuers generally have very limited 
ability to control. The issuer may choose, however, to include policies 
and procedures to minimize such fraudulent transactions if it learns of 
a specific fraudulent merchant or scam that its cardholders have 
experienced or are likely to experience. In such cases, the issuer 
could, for example, alert its cardholders as to the existence of the 
particular fraud. The Board requests comment on whether the rule should 
include a definition of ``fraud'' or ``fraudulent electronic debit 
transaction,'' and if so, what would be an appropriate definition.
    Comment 4(b)(1)(i)-1 provides examples of practices that may be 
part of an issuer's policies and procedures to identify and prevent 
fraudulent electronic debit transactions. Comment 4(b)(1)(i)-2 
clarifies that an issuer should assess the effectiveness of different 
authentication methods used by its cardholders, including the rate of 
fraudulent transactions for each method and consider practices to 
encourage the use of more effective authentication methods. This 
comment also clarifies that issuers should monitor industry 
developments and consider adopting, where practical, new methods of 
authentication that are materially more effective than the methods 
currently used by its cardholders. The Board requests comment on 
whether an issuer's policies and procedures should require an issuer to 
assess whether its customer rewards or similar programs provide 
inappropriate incentives to use an authentication method that is 
demonstrably less effective in preventing fraud.
    Comment 4(b)(1)(ii)-1 provides that an issuer must have policies 
and procedures designed to monitor the types, number, and value of its 
fraudulent electronic debit transactions. The issuer must also track 
its and its cardholders' losses from fraudulent electronic debit 
transactions, its fraud-related chargebacks to merchant acquirers, and 
reimbursements from other parties to the transaction.
    Comment 4(b)(1)(iii)-1 provides that an issuer must implement 
appropriate responses to suspicious transactions or transactions likely 
to be fraudulent. The comment clarifies that the response may be 
different depending on the nature of the transaction and may require 
the issuer to coordinate with industry organizations, law enforcement 
agencies, and other parties to the transaction. Comment 4(b)(1)(iii)-2 
clarifies that it is not an appropriate response for the issuer to 
merely shift the loss to another party, other than the party that 
committed the fraud.
    Comment 4(b)(1)(iv)-1 provides that an issuer's policies and 
procedures should be designed to secure debit card and cardholder data 
that are transmitted to or from an issuer (or its service provider) 
during transaction processing, stored by the issuer (or its service 
provider), and carried on media by employees or agents of the issuer. 
The comment also notes that this standard may be incorporated into an 
issuer's information security program as required by Section 501(b) of 
the Gramm-Leach-Bliley Act.
4. Review and Update Policies and Procedures
    Section 235.4(b)(2) requires that an issuer review and update its 
fraud-prevention policies and procedures as least annually. In certain 
circumstances, more frequent updates may be necessary if there are 
significant changes in fraud types, fraud patterns, or fraud-prevention 
techniques or technologies.
    Comment 4(b)(2)-1 provides that an issuer should review and update 
its policies and procedures if a significant change occurs even if the 
issuer reviewed and updated its policies and procedures within the 
preceding year.
5. Section 235.4(c) Certification
    Section 235.4(c) requires an issuer to certify to its payment card 
networks that its fraud-prevention standards comply with the Board's 
standards as provided for in Sec.  235.4(b). Issuers that are eligible 
for the adjustment should certify their compliance annually to each 
payment card network in which the issuer participates that allows 
issuers to receive or charge a fraud-prevention adjustment to their 
interchange transaction fee as permitted under Sec. Sec.  235.3 and 
235.4. The Board expects that these payment card networks will develop 
their own processes for identifying issuers eligible for this 
adjustment. (See comment 4(c)-1.)
    The Board requests co