ICBA Policy Resolutions for 2013
Track I: Legislation and Regulation
DATA SECURITY AND FRAUD
- A national standard should be enacted for securing customer data to protect community banks and their customers against fraud and data breaches. Therefore, ICBA supports efforts to enhance payment account data security by driving development of common data security standards.
- Any federal legislation in the area of customer data security must recognize the existing mandates set forth in the Gramm-Leach-Bliley Act that require community banks to protect customer data, and maintain a consumer notification plan in the event of a data breach.
- Entities that use, maintain, or process sensitive customer information, such as data brokers, third-party processors and retailers, should be subject to increased federal oversight.
- Policymakers should recognize that community banks must maintain an appropriate balance between securing customer information and sharing appropriate information for the purpose of providing products and services.
- The entity that used, maintained, or processed the data or consumer information that was breached or compromised should be financially liable for losses and costs incurred by financial institutions. The reimbursement amount should include the cost of re-issuing compromised credit and debit cards, as well as other costs incurred to restore customer confidence. Payments rules should incorporate merchant security provisions to further protect customer data, particularly debit and credit card information.
- ICBA opposes any legislative or regulatory efforts that would make banks liable for losses incurred by business customers as a result of the customers’ poor security practices.
- ICBA supports ongoing regulatory efforts and existing public-private partnerships to address the growing threat of corporate account takeover cybercrime.
Community banks are strong guardians of the security and confidentiality of sensitive customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and the key to long-term customer retention.
A Single National Standard is Vital. Many states have enacted laws with differing requirements for protecting customer information and giving notice in the event of a data breach. This patchwork of state laws only increases burdens and costs, fosters confusion, and ultimately is detrimental to customers. ICBA believes customer notification is appropriate to let customers take steps to lessen the likelihood of identity theft or fraud resulting from data breaches. However, it is important that notification requirements allow financial institutions and others flexibility to determine when notice is appropriate. Overly broad notification requirements defeat the purpose of calling attention to the risks associated with a particular breach. Federal banking agencies should set the standard for financial institutions, as they currently do.
Data Brokers, Retailers and Other Entities. Currently, data brokers, retailers and other entities processing sensitive customer information are not subject to the same standards and oversight for protecting customer information as banks. ICBA supports subjecting these entities to Gramm-Leach-Bliley Act-like standards with similar enforcement. It is equally important that these entities provide uniform and timely notification to banks concerning the nature and scope of a breach when bank customer information such as account numbers may have been compromised. The party that suffered the breach should bear responsibility for the costs of mitigation and losses when bank account information is compromised and should be responsible for restitution for those losses, and related expenses.
Online Business Banking. Community banks offer robust, secure online banking products to their business banking customers. However, community banks should not be liable for breaches that occur as a result of negligence by the business customer. ICBA strongly opposes any legislative or regulatory effort that seeks to extend the consumer protection provisions under Regulation E to business customers.
PCI Security Standards Council. ICBA is a member of the Payments Card Industry (PCI) Security Standards Council, which was founded by the major credit card networks, to enhance payment account data security by driving development of common data security standards, the PCI Security Standards. Additionally, the council works to educate the banking and merchant industry regarding the importance of widespread adoption of the Standards.
Corporate Account Takeover. Increasingly sophisticated cyber criminals continue to target small and medium-sized businesses for cyber fraud, most often in the form of a Corporate Account Takeover. This crime usually begins with a successful “phishing” scam and leads to money being siphoned out of a business’s account. Business accounts are not regulated at the federal level in the same way as consumer accounts. For this reason, the Federal Financial Institutions Examination Council (FFIEC) has published supplemental guidance designed to address the issue at the bank level, and entities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) have formed to deal with this growing problem. ICBA supports these efforts and will continue to work to educate community bankers on the issue and ensure that appropriate regulatory measures are in place to help prevent this crime.
Staff contacts: Lilly Thomas, Viveca Ware, Cary Whaley