October 1, 2012
Authored by: Bryan Cave Leighton Paisner
The Federal Reserve Board (FRB) announced an amendment to the fraud-prevention adjustment provisions of Regulation II’s debit card interchange fee standards. When Reg. II was initially released in July 2011, the section addressing this adjustment was issued as an interim final rule.
To be eligible for the adjustment of no more than one cent per transaction, an issuer must develop and implement policies and procedures reasonably designed to take effective steps to reduce the occurrence of, and costs to all parties from, fraudulent electronic debit transactions, including developing and implementing cost-effective fraud prevention technology.
According to the Board’s press release, the final rule simplifies the elements required to be included in the issuer’s fraud prevention policies and procedures, which now must address:
- Methods to identify and prevent fraudulent electronic debit transactions;
- Monitoring volume and value of its fraudulent electronic debit transactions;
- Appropriate responses to suspicious electronic debit transactions to limit the costs to all parties from and prevent the occurrence of future fraudulent electronic debit transactions;
- Methods to secure debit card and cardholder data; and
- Other factors as the issuer may consider appropriate.
- In addition, the issuer must review its fraud prevention policies and procedures, and their implementation, at least annually and update them as necessary in light of:
- Their effectiveness in reducing the occurrence of, and cost to all parties from, fraudulent electronic debit transactions involving the issuer;
- Their cost effectiveness; and
- Changes in the types of fraud, methods used to commit fraud and available methods for detecting and preventing fraudulent electronic debit transactions that the issuer identifies from its own experience or information; information provided to the issuer by its payment card networks, law enforcement agencies, and fraud monitoring groups in which the issuer participates; and applicable supervisory guidance.
The issuer also must notify its payment card networks annually that it complies with the policies and procedures requirements outlined above. If an issuer is substantially noncompliant with the policies and procedures requirements, as determined by the issuer or its regulator, it must notify its payment card networks within 10 days that it is no longer eligible to receive or charge a fraud prevention adjustment, and it must stop receiving and charging the adjustment within 30 days after that.
Many merchant groups are reportedly critical of the final rule, saying that it will not actually decrease fraud and that it allows banks to take the one cent fraud adjustment based solely on an ineffective self-determination that they prevent fraud.