DATA SECURITY AND FRAUD
- ICBA continues to advocate its core data security principles to Congress and other policy makers as well as the payment card networks and other private-sector standards organizations. These core principles include:
  - Costs: The costs of data breaches should ultimately be borne by the party that incurs the breach.
  - Data Security Standards: All participants in the payments system, including merchants, should be subject to Gramm-Leach-Bliley Act-like data security standards.
  - Notification Standards: A national data security breach and notification standard should be implemented to replace the current patchwork of state laws.
  - Innovation: Banks and card networks must continue to freely innovate in order to effectively protect consumer data and confidence.
- Policymakers should recognize that community banks must maintain an appropriate balance between securing customer information and sharing appropriate information for the purpose of providing products and services.
- ICBA strongly supports ongoing regulatory efforts and existing voluntary public-private partnerships to address the growing threat of cyber-attacks.
Data breaches at national retail chains and elsewhere have the potential to jeopardize consumers’ financial integrity and confidence in the payments system. Community banks remain strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and the key to long-term customer retention.
The Party that Incurs a Breach Should Be Liable for Associated Costs. Allocating financial responsibility for the fraud losses and costs of mitigation to the party that experiences the breach, whether it be a retailer, financial institution, data processor or other entity, will provide a strong incentive for all parties that process and/or store consumer data to protect the data adequately. Additionally, payments rules should mandate merchant security provisions to further protect customer data, particularly debit and credit card information.
Regardless of where a breach actually occurs, banks are stewards of the customer financial relationship and take a variety of steps to protect the integrity of their customers’ accounts, including monitoring for indications of suspicious activity, reimbursing customers for confirmed fraudulent transactions, adjusting customer transaction limits to contain fraud losses, and blocking and reissuing cards for affected accountholders at an estimated expense of up to $15 per card.
Extend Gramm-Leach-Bliley Act-Like Standards. Under current law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. It is equally important that these entities provide uniform and timely notification to banks concerning the nature and scope of any breach when bank customer information such as account numbers may have been compromised.
A National Data Security Breach and Notification Standard is Vital. Most states have enacted laws with differing requirements for protecting customer information and giving notice in the event of a data breach. This patchwork of state laws only increases burdens and costs, fosters confusion, and ultimately is detrimental to customers. Customer notification is appropriate to let customers take steps to protect themselves from identity theft or fraud resulting from data breaches. However, any notification standard needs to be accompanied by Gramm-Leach-Bliley Act-like data security standards for all participants in the payment system – including merchants – to provide consumers a greater level of protection. Additionally, it is important that notification requirements allow financial institutions and others flexibility to determine when notice is appropriate. Overly broad notification requirements defeat the purpose of calling attention to the risks associated with a particular breach. Federal banking agencies should continue to set the standard for financial institutions.
New Technologies Will Reduce Risk But There Is No Single Universal Remedy. Community banks are already investing in technologies, such as chip technology, tokenization and end-to-end encryption, that will better secure transaction processing and thwart criminals. Chip technology may not have prevented the mass retailer breaches, but it would have reduced the market value of the stolen card data, as it would be far more difficult for criminals to make counterfeit cards. Using chip technology will not protect against fraud in “card-not-present” transactions, such as online purchases. Even with these technologies in place, criminals will continue to try to find weaknesses in data security, so it is crucial that the marketplace continue to have the flexibility to innovate.
Online Business Banking. Community banks offer robust, secure online banking products to their business banking customers. However, community banks should not be liable for breaches that occur as a result of negligence by the business customer. ICBA strongly opposes any legislative or regulatory effort that seeks to extend the consumer protection provisions under Regulation E to business customers.
ICBA supports the efforts of the Federal Financial Institutions Examination Council (FFIEC) and the Financial Services – Information Sharing Analysis Center (FS-ISAC) to develop guidance and best practices to deal with corporate account takeover, the siphoning of funds from a corporate account using breached login credentials. ICBA will continue to work to educate community bankers on the issue and ensure that appropriate regulatory measures are in place to help prevent this crime.