Data Security and Fraud

Position

  • All participants in the payments system, including merchants, and all entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act-like data security standards.
  • ICBA supports a national data security breach and notification standard to replace the current patchwork of state laws.
  • Community banks should be notified of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
  • The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should continue to be able to access various cost recovery options after a breach.
  • Banks, card networks and financial technology companies must continue to freely innovate to effectively protect consumer data and confidence.
  • ICBA strongly supports ongoing regulatory efforts and existing voluntary public-private partnerships to address the growing threat of cyber-attacks.
  • ICBA supports stronger data security standards for regulatory agencies and staff.

Background

Data breaches at national retail chains and elsewhere have the potential to jeopardize consumers’ financial integrity and confidence in the payments system. Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and retaining customers. However, bad actors will continue to look for weaknesses in the payments and information systems in various industries and breaches will occur. ICBA supports the following legal and regulatory changes to mitigate losses in the event of a breach.

Extend Gramm-Leach-Bliley Act-Like Standards. Under current federal law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. To most effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards, such as Gramm-Leach-Bliley Act-like standards.

A National Data Security Breach and Notification Standard is Vital. Many states have enacted laws with differing requirements for providing notice in the event of a data breach. This patchwork of state notification laws and potentially overly broad notification requirements only increase burdens and costs, foster confusion, and ultimately are detrimental to customers. While notifying customers is appropriate, any national notification standard needs to be accompanied by Gramm-Leach-Bliley Act-like data security standards for all participants of the payment system – including merchants – to provide consumers a greater level of protection. Federal banking agencies should continue to set the standard for financial institutions.

Banks Need Timely and Enhanced Breach Notification. It is equally important that community banks receive timely notification concerning the nature and scope of any breach when bank customer information, such as account numbers, may have been compromised.

Cost Recovery. Regardless of where a breach occurs, banks are stewards of the customer financial relationship and take a variety of steps to protect the integrity of their customers’ accounts, including monitoring for indications of suspicious activity, reimbursing customers for confirmed fraudulent transactions, modifying customer limits to limit fraud losses, and blocking and reissuing cards of affected account holders at an estimated expense of up to $15 per card. These costs should ultimately be borne by the party that incurs the breach. Barring a liability shift, community banks should have access to various cost recovery options.

New Technologies Will Reduce Risk but There Is No Single Universal Remedy. Community banks invest in technologies, such as chip technology, tokenization and end-to-end encryption, that better secure payment card transaction processing and thwart criminals. Chip technology may not have prevented the mass retailer breaches but it would have reduced the market value of the card data as it would be far more difficult for criminals to make counterfeit cards. Using chip technology will not protect against fraud in “card-not-present” transactions, such as online purch9oases. Even with these technologies in place, criminals will continue to try to find weaknesses in data security. It is crucial that the marketplace continue to have the flexibility to innovate to create more secure technologies.

Online Business Banking. Community banks offer robust, secure online banking products to their business banking customers. However, community banks should not be liable for breaches that occur as a result of negligence by the business customer.

Regulators Should Hold Data Safely. Despite issuing rules, regulations, guidance, and examining financial institutions for the safekeeping of customer data, regulatory bodies have also been subject to data breaches. During bank examinations, regulators become privy to, and hold, sensitive bank information, including customer information. Like banks, regulatory agencies have a responsibility to safeguard this sensitive information.

Emerging Threats. ICBA supports the efforts of the Federal Financial Institutions Examination Council (FFIEC) and the Financial Services – Information Sharing Analysis Center (FS-ISAC) to develop guidance and best practices to counteract emerging threats. Sharing this type of information with federal agencies and financial sector participants helps manage emerging threats and protect critical systems.

Staff Contacts: Jeremy DalpiazLilly Thomas, and Aaron Stetter