DATA SECURITY AND FRAUD
- ICBA continues to advocate its core data security principles to Congress and other policymakers as well as the payment card networks and other private-sector standards organizations. These core principles include:
  - The costs of data breaches should ultimately be borne by the party that incurs the breach;
  - All participants in the payments system – including merchants – should be subject to Gramm-Leach-Bliley Act-like data security standards;
  - A national data security breach and notification standard should be implemented to replace the current patchwork of state laws;
  - Unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed; and
  - While community banks and other financial institutions continue to move to chip technology, tokenization and end-to-end encryption for debit and credit cards, these technologies alone would not prevent future data breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.
- Policymakers should recognize that community banks must maintain an appropriate balance between securing customer information and sharing appropriate information for the purpose of providing products and services.
- As policymakers pursue legislation to improve cyber security, they must recognize that establishing notification standards without Gramm-Leach-Bliley Act-like data security standards for all participants of the payment system – including merchants – will not provide consumers the level of protection they need from data breaches.
- ICBA opposes any legislative or regulatory efforts that would make banks liable for losses incurred by business customers as a result of a business’s poor security practices.
- ICBA supports ongoing regulatory efforts and existing public-private partnerships to address the growing threat of losses due to corporate account takeover.
Community bankers and their customers are deeply alarmed by the wide-scale data breaches at national retail chains and others. These far-reaching and costly breaches have the potential to jeopardize consumers’ financial integrity and confidence in the payments system. Community banks remain strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and the key to long-term customer retention.
The Party that Incurs a Breach Should be Liable for Associated Costs. It is critical that the party that incurs a data breach, whether it be a retailer, financial institution, data processor or other entity, bear responsibility for the related fraud losses and costs of mitigation. Allocating financial responsibility to the party that is best positioned to secure consumer data will provide a strong incentive for it to do so effectively. Additionally, aligning incentives to maximize data security by all parties that process and/or store consumer data will make the payments system stronger over time. Payments rules should mandate merchant security provisions to further protect customer data, particularly debit and credit card information.
Regardless of where a breach actually occurs, banks are stewards of the customer financial relationship and take a variety of steps to protect the integrity of their customers’ accounts, including monitoring for indications of suspicious activity, reimbursing customers for confirmed fraudulent transactions, adjusting customer transaction limits to contain fraud losses, and blocking and reissuing cards for affected accountholders at an estimated expense of up to $15 per card.
Extend Gramm-Leach-Bliley Act-Like Standards. Under current law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. ICBA supports subjecting these entities to Gramm-Leach-Bliley Act-like standards with similar enforcement. It is equally important that these entities provide uniform and timely notification to banks concerning the nature and scope of any breach when bank customer information such as account numbers may have been compromised.
A National Data Security Breach and Notification Standard is Vital. Most states have enacted laws with differing requirements for protecting customer information and giving notice in the event of a data breach. This patchwork of state laws only increases burdens and costs, fosters confusion, and ultimately is detrimental to customers. ICBA believes customer notification is appropriate to let customers take steps to protect themselves from identity theft or fraud resulting from data breaches. However, any notification standard needs to be accompanied by Gramm-Leach-Bliley Act-like data security standards for all participants of the payment system – including merchants – to provide consumers a greater level of protection. Additionally, it is important that notification requirements allow financial institutions and others flexibility to determine when notice is appropriate. Overly broad notification requirements defeat the purpose of calling attention to the risks associated with a particular breach. Federal banking agencies should continue to set the standard for financial institutions.
New Technologies Will Reduce Risk But There Is No Single Universal Remedy. Community banks are already investing in technologies that will better secure transaction processing and thwart criminals. In particular, community banks are joining other financial institutions in the orderly migration to chip technology for debit and credit cards. Chip technology may not have prevented the mass retailer breaches, but it would have reduced the market value of the card data, as it would be far more difficult for criminals to make counterfeit cards. Using chip technology will not protect against fraud in “card-not-present” transactions, such as online purchases. Other technologies, such as tokenization and end-to-end encryption, will create a layered approach. Even with these technologies in place, criminals will continue to try to find weaknesses in data security, so it is crucial that the marketplace continue to have the flexibility to innovate.
Online Business Banking. Community banks offer robust, secure online banking products to their business banking customers. However, community banks should not be liable for breaches that occur as a result of negligence by the business customer. ICBA strongly opposes any legislative or regulatory effort that seeks to extend the consumer protection provisions under Regulation E to business customers.
ICBA supports the efforts of the Federal Financial Institutions Examination Council (FFIEC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) to develop guidance and best practices to deal with corporate account takeover, the siphoning of funds from a corporate account using breached login credentials. ICBA will continue to work to educate community bankers on the issue and to ensure that appropriate regulatory measures are in place to help prevent this crime.
Staff Contacts: Lilly Thomas, Aaron Stetter, and Cary Whaley