The U.S. Senate was holding credit card issuers responsible this past holiday season whey they raised interest rates just in time for the big shopping season. However, the card issuers were quick to defend themselves. The Merchants Payments Coalition, a group of nearly 30 associations representing almost 2.7 million stores, lauded the hearing.
Michigan’s Senator Carl Levin spoke out about holding an interest rate to the time it was issued to the consumer.
This occurred against a backdrop of news where every other word seems to be ‘debt’ peppered with other financial terms such as ‘subprime lending’ and ‘mortgages foreclosures’.
Is this going to trump any hard interest in furthering more legislation on identity theft when there have been some measures already taken in this area?
What's the sentiment out there when one strolls around the Senate and House office buildings?
“I can tell you that in one word and that word is of course security,” says Mitchell Drimmer, Relationship Manager of South Florida for Heartland Payment Systems. “I'm not just talking about the normal items like identify theft and credit cards, but security with other types of electronic transactions such as Remote Deposit Capture, EBT and ACH transactions. There are a lot of ways that money is moved around in cyberspace and it's easier to grab it from a computer terminal than a bank teller window at your local bank.”
Duncan Douglass is an attorney with Alston & Bird, LLP, and specializes in gift cards and the state laws that apply.
Douglas concurs with Drimmer. “Our nation's legislators are very focused on privacy/data security and credit card interest rate practice. In part it's reassuring to know that elected officials are taking seriously the importance of financial information privacy/ security and consumer protection. As the national and global economies transition to a marketplace increasingly dominated by electronic payment transactions, this is key. However, I worry somewhat that recent bad facts -- including the TJX mega data security breach and the looming consumer credit crunch -- will cause legislators to make bad laws in their election-year zeal to take voter-friendly action against the great evils of the electronic payments industry.”
Douglass hopes that any new legislation or actions being taken will be active rather than reactive. “Certainly there is room for measured legislation to protect consumers' private financial information and shield consumers from unscrupulous credit card lending practices but hopefully all of the attention currently being paid in Washington to the electronic payments industry will not result in unfortunate knee-jerk legislation,” he adds.
Matt Ornce, Chief Security Officer at Electronic Payment Exchange sees the tide turning, not necessarily to how to prevent data breaches, but to how to mop up once the data breach has occurred.
“The biggest issue on the minds of legislators regarding all type of payment transactions is unfortunately not how to avoid the impact of data breaches, but how to clean them up after they occur,” says Ornce. “Currently, about two-thirds of the U.S. states have unique statutes regarding data breach notification. Just as it made sense for the card associations to come together to form a unified security standards organization from competing programs with the PCI DSS, it makes sense to have a unified set of guidelines for breach notifications.
What should be everyone’s highest priority is how to minimize or even eliminate the liability of a data breach. This would make the breach notification issue moot because if you don’t have the data to begin with, you’re in no danger of exposing it if you are breached.”
Judie Rinearson, an expert in banking and electronic payments with the law firm of Bryan Cave, LLP, has notable expertise in a hot new
segment of the card market: prepaid cards. She sees this coming
under the microscope of regulatory bodies.
“It’s always hard to read the mind of legislators,” says Rinearson.
“Obviously there's been a lot of focus on subprime loans and
consumers being overburdened with debt. With respect to prepaid
cards that means concerns about high fees, or about some cards that have "overdraft" provisions which not only permit cardholders to spend more than they have on the card but could also result in a fee being charged.”
But because there has been notable abuse of cards in attaining money by skimming and scamming, Rinearson also has concerns about prepaid cards being used as a means of money laundering. In fact, there are numerous cases in which embezzlers use stolen cards to buy prepaid cards so there's not a clear trail of what merchandise was actually purchased. It's a way for them to transfer the payments to a card where it's hard to tell what they bought with the merchandise.
“Another issue for regulators/legislators is money laundering risks,”
she adds. “ There is growing concern that criminals are using payment cards to hide and move funds derived from criminal activities, or for other illegal purposes.”
Because prepaid cards are gaining every year in popularity and
merchants find them to be viable and profitable, Rinearson feels
their popularity has some legislators asking whether federal consumer protections such as those provided in Reg E (regarding
‘debit’) or (Reg Z regarding ‘credit’) should apply to prepaid cards.
In the coming year, many feel that identity theft will be the focus of scrutiny. Cases of embezzlement and data compromises just seem to be getting worse.
“Identity theft cannot receive enough scrutiny and I can only hope that our legislators devote more of their energy to this issue,” says Dimmer of Heartland. “Perhaps with the elections coming and the economy in such a mess the fine people in Washington will step up to the plate. In a way its kind of tied into the mortgage crisis. Our government was asleep at the wheel when the average citizen was run amok by the predatory lending practices of some institutions. It hurt the average family and it most certainly hurt our nation’s economy. Now, the lawmakers need to be proactive in protecting the American family from this financial crisis that has the potential of being as devastating as a natural disaster.”
As Duncan Douglass points out, we are heading into an election year rife with “thorny political issues that have voters divided,” he says. “Financial data privacy and security and attendant identity theft, are high profile issues that are easy for legislators to battle. Who, at least in principle, doesn’t favor legislation that protects consumers from identity theft and harmful disclosures of sensitive information?” Douglass asks. “The challenge, faced by the electronic payments industry on these issues is one of education—both of legislators and consumers.”
This is where the ability of self-regulation must be publicized and the perception of the industry's ability to self-regulate must be broadcast to instill public confidence. “Historically the electronic payments industry has done a fine job of self-regulation -- including in the areas of data privacy and security -- but the industry must convince consumers and legislators that it is capable of continuing to self-regulate even in the midst of increasing threats to consumers
that choose to pay electronically,” says Douglass. “The electronic
payments industry, which is emerging from its own Enron-like crisis (albeit on a much smaller scale), needs to take efforts quickly to avoid a Sarbanes-Oxley-like response from Congress.”
Matt Ornce of the Electronic Payment Exchange warns of the tendency of lawmakers to wield knee-jerk legislation. Everything is reactionary. When the bad guys can’t use one tactic because of a
tough new law, they just move somewhere else. Ornce isn’t confident
that industry self-regulation is a much better solution.
“In Washington, it’s hard to predict regulators' future focus given their often knee-jerk reactions to headlines, but as data breaches continue to dominate those headlines, legislators will undoubtedly feel pressure to react,” says Ornce. “The credit card industry has taken significant steps towards building better defenses around sensitive cardholder data. Even though critics of the PCI DSS have complained that it isn't a one-size-fits-all solution, non-industry regulation would almost certainly unfairly penalize some sectors while possibly leaving others poorly regulated. And it is a given that such legislation would not address the root cause of breaches:
unnecessarily storing sensitive card data when alternative solutions do exist today.”
On the flip side, Judy Rinearson doesn't necessarily think that identify theft will dominate as an issue that legislators will be focused on. There's been so much in predatory lending that it may well trump any interest in identity theft for a while.
“I could be wrong of course, but a lot has been done in this area this year,” says Rinearson. “The new Fact Act Rules published for comment in October will require ID Theft prevention programs and the implementation of “red flags” that will indicate a potential ID Theft risk. I think these new rules could be very effective. These rules (which will need to be finalized and implemented in 2008), should be given time to work before taking this issue to the next level.”
Concludes Rinearson, “In the meantime, I think Washington will be focusing more on debt relief and mortgage foreclosure relief.”
|
