June 27, 2023
July 1 is the compliance date for the “clarification” to Regulation II, which the Board of the Federal Reserve System approved in its final rule last October. The final rule clarifies that all debit card issuers must enable two unaffiliated debit networks for card-not-present (CNP) transactions. While this requirement has applied to card-present transactions for a decade, it now also explicitly pertains to CNP payments.
Given the significant climb in mobile and online debit card transactions, it’s not surprising that the Federal Reserve wants to clarify specificity to this category of payments. In fact, debit cards now are the most commonly cited form of online payment in the United States according to a survey of 10,000 U.S. consumers conducted by Statista in March.
According to the official Reg II update statement from the Federal Reserve, “When the Board initially issued the rule in July 2011, the market had not developed solutions to broadly support multiple networks for card-not-present debit card transactions. Since that time, technology has evolved to address these barriers.”
With the growth in mobile and online debit payments, which are typically CNP transactions, the Federal Reserve stated the time had come to crystallize the two-unaffiliated-network requirement for all debit card transactions.
This is the time to check your bank’s compliance with the new requirements as the compliance date is approaching quickly. Confirm with your processor that CNP transactions are enabled on the two debit networks enabled for your customers’ debit transactions. Because the Federal Reserve has been clear that issuers that have not yet enabled CNP transactions on their unaffiliated debit network may have to make modifications to comply.
The good news? You may already be compliant. For a decade, the industry has been utilizing two unaffiliated debit networks with card-present payments, and many community banks applied that same approach to CNP transactions. In fact, ICBA Bancard reviewed our portfolio, and we found all our debit card issuers already meet this requirement.
In short, while much has been made of this change, for community banks, it simply calls out that mobile, online, or CNP transactions need to be held to the same standard as those at a physical point of sale. And fortunately, this shift isn’t a heavy lift for many community banks.
This deadline can also prompt a check-in on your fraud prevention and risk management policies. In the final rule, the Federal Reserve indicated that issuers retain control of decisions relating to their fraud prevention or risk management policies and whether to accept or decline specific transactions. That reinforces the importance of having up-to-date policies that reflect your bank’s current risk tolerance.
While we don’t anticipate an increase in fraud due to this latest update, it’s as good a time as any to explore what more you can do to protect your institution. Couple rising fraud—the Federal Trade Commission just reported consumer losses in text message scams have doubled—with the continued pressure stemming from today’s economic and regulatory environment, and it may be time to consider fraud programs that provide more peace of mind when it comes to insuring against losses.
ICBA Bancard offers a Fraud Loss Protection Plan that helps community banks limit their exposure to losses stemming from the fraudulent use of credit and debit cards. It’s a program worth considering as today’s landscape continues to evolve.
Fortunately, community banks sit in a good position as the updates to Reg II go into effect, but by taking the time to review and tweak debit card processes, procedures, and risk mitigation, you can set yourselves up for a stronger future. And that’s a very good place to be as we kick off the third quarter.