WASHINGTON – For several months, financial institutions have been taking to Capitol Hill and the op-ed pages to decry the “adverse impacts” of data breaches on their customers – and their own bottom line. According to a memo issued yesterday by a group of merchants including NACS, the National Grocers’ Association, National Retail Federation and the Retail Industry Leaders Association, a recent report from the Credit Union National Association (CUNA) belies those statements and instead identifies a curious threat to financial institutions’ revenue: the improved financial well-being of their customers.
The merchant groups’ memo cites several portions from the credit union report, such as: “Credit quality will improve in 2014 and 2015. The overall loan delinquency rate will fall below 0.70% in 2015, below the long-run average of 0.75%, as job growth continues. Fast loan growth also will put downward pressure on both delinquencies and losses.”
Since when is credit quality improvement a bad thing?, ask the merchants. The answer: When banks and credit unions make less money from their customers’ delinquencies. They appear to be especially concerned about losing out on overdraft fees: “The CFPB’s expected focus on checking/ODP [Overdraft Privilege] in 2015 puts a big income stream at risk, and continuing issues with overdraft revenue could prove challenging.”
It is disturbing to find that financial institutions’ own internal documents suggest that they care more about making a few extra dollars than about their customers’ overall economic health. For most hardworking Americans, overdrafts are something to be avoided. For financial institutions in improving times, they are apparently a threatened “big income stream.”
Not mentioned as a source of financial losses in the report? Data breaches. The report doesn’t focus on losses from data breaches, perhaps because the authors know that merchants pay most of those costs.
Here are the real facts on data breach fraud:
• Merchants and financial institutions split the cost of fraud. A 2013 study by the Federal Reserve looked at fraud instances associated with the use of debit cards and found that retailers do share the costs incurred as a result of card fraud. In fact, costs were shown to be borne almost equally among retailers and card-issuing institutions.
• Merchants cover fraud costs under agreements with card networks. Merchants are required to compensate card issuers for any fraud that occurs as a result of a breach based upon an agreed upon formula that the card issuer has negotiated with MasterCard and Visa.
• Merchants pay for replacement of compromised cards. By contract, card issuers are reimbursed for fraud losses and card reissuance costs based upon a formula agreed to by the card issuer and card networks even if no fraudulent activity has actually occurred on the card. For example, according to the MasterCard Account Data Compromise User Guide, under a formula that card issuers and MasterCard have agreed to, a small financial institution is reimbursed by the merchant at a cost of $2.69 per magnetic stripe card.
• More secure payment technologies like chip-and-PIN reduce fraud dramatically. Unfortunately, credit unions and their brethren don’t want PIN numbers with new chip cards even though that is the formula that has proved successful in other countries around the world.
• PINs make transactions 700% more secure. A study by the Federal Reserve found that using PINs in debit card transactions reduced fraud by 700%.
• Chip-and-PIN could reduce U.S. fraud losses by 40%. “If the use of [chip-and-PIN] payment cards in the United States leads to a fraud loss pattern similar to the patterns seen in France, the Netherlands, and the U.K., then U.S. fraud losses could fall by as much as 40%.
• Credit unions are lagging behind on the chip-and-PIN transition. “More than half of credit unions will miss a key October 2015 deadline that requires credit cards to be equipped with EMV chips, according to executives with major payment processing organizations.”