The Regulation Two Layer Cake:
The Feds and the States
by Jim Romeo
Nowadays credit card issuing has a black cloud over it. There is an unspoken fear that predatory lending practices could flow over into other credit instruments. What does this mean to the card industry at large?
The first thing it means is more vigilance and possibly more regulation in favor of cardholders. More mandates, reporting and oversight for merchants, equipment suppliers and others who are part of the transaction pie. This oversight will continue to come from both the federal and local governments.
Recently, Chairwoman Carolyn B. Maloney (D-NY) of the House Financial Institutions and Consumer Credit Subcommittee introduced the “Credit Cardholders’ Bill of Rights Act of 2008″ (H.R. 5244). In a statement released by Maloney she stated, “A credit card agreement is supposed to be a contract, but in recent years cardholders have lost the ability to say no to unfair interest rate hikes and fees.Ê This balanced, moderate bill simply levels the playing field between card companies and cardholders while fostering fair competition and free market values. It sets no rate caps, fees or price controls, nor does it dictate any business models to card companies.”
This seems to be a page from the book of today’s new era of credit caution; however, she is definitive on her last caveat: “nor does it dictate any business models to card companies.”
Maloney goes on to say that “there is no doubt that credit card companies provide a valuable service and deserve to earn a fair profit, but consumers also deserve the right to be able to understand their accounts and be empowered to control them. Regrettably, regulators and prior Congresses have dropped the ball on protecting consumers in recent years. My bill would give cardholders the information and rights they deserve to make decisions about their own credit.”
Maloney’s proposed Bill of Rights includes the following:
Protects cardholders against arbitrary interest rate increases.
Prevents cardholders who pay on time from being unfairly penalized.
Protects cardholders from due date gimmicks.
Shields cardholders from misleading terms.
Empowers cardholders to set limits on their credit.
Requires card companies to fairly credit and allocate payments.
Prohibits card companies from imposing excessive fees on cardholders.
Prevents card companies from giving subprime credit cards to people who can’t afford them.
Requires Congress to provide better oversight of the credit card industry.
Contains NO rate caps, fee setting or price controls.
The new aura of caution is not just a federal thing nowadays. Many states entered into their legislative sessions at the turn of 2008. Accordingly, legislators at the state level are also taking action to deal with the looming concern of safe card transactions. This is against an already long list of state laws—all with different requirements, penalties and interpretations of data risk.
“I expect government regulation to attempt to reign in the unique state laws regarding data security breaches,” says Christopher Justice of Merchant Link. “Currently, there are 39 state laws that define the loss of consumer data differently, establish different reporting requirements and offer a vast array of penalties. Having no set standards creates confusion and establishes criteria which are nearly impossible to comply.”
However, the confusion may be justified. Christopher Justice reminds us that the card business is very complex and often legislators lose sight of that. “State regulators often fail to understand the complexity of issues and propose laws that become unmanageable and ineffective at solving the problem,” he adds. “For example, a California law states that the loss of a consumer’s name and zip code represents the loss of personal identification. Yet, when the name, address and city are published in the telephone book, nobody thinks twice.”
Todd Burger of Chameleon Networks thinks that state intervention is long overdue on predatory lending issues. “It is long overdue for states to step in and regulate the usurious charges for a late payment,” he says. “The high interest rates, do not reflect credit risk, cost of capital or anything other than the fact that credit card companies have found it possible to print so many rules and conditions that few people find time to study the fine print before its too late.”
This intervention may have some influence on disclosure practices and usage rules. In fact, states have already stepped in to regulate whether or not sales tax is subject to interchange fees.
“Several states such as Kansas, Florida and Nebraska passed legislation in 2007 prohibiting subjecting sales tax to interchange fees,” says Tony Shap, President of PaymentMax Processing. “Kansas and Kentucky passed Transparency Disclosure legislation in 2007, requiring banks to disclose interchange fees to their customers.”
Shap also points out that data security is a great concern, and California is a leader in keeping tight screws on data protection.
Shap also explains that California passed the Consumer Data Protection Act of 2007, which put mandates on companies storing personal financial info. “There are some exceptions if the entity has a Payment and Data Retention Policy,” adds Shap. “Even with this policy there is a limit on the time and purpose for storing personal info. California is leading the way on passing legislation requiring companies to notify consumers when personal information has been compromised.”
Wisconsin introduced legislation in their 2008 session that addresses the risks from card transactions. The Wisconsin Credit Union League promulgated the legislation. The trade association represents 260 not-for-profit, member-owned financial institutions. State Rep. Brett Davis and State Sen. Bob Wirch introduced the draft legislation. This legislation is designed to protect the integrity of data stored on credit and debit cards.
“Due to recent breaches of consumers’ personal information involving payment cards, legislators and consumers have a heightened awareness of the extremely important matter of data security. We hope this common sense proposal will win broad bi-partisan support and be signed into law this session,” said Brett Thompson, President & CEO of The Wisconsin Credit Union League in a released statement. “Sen. Wirch and Rep. Davis deserve much credit for their leadership in addressing this issue which, if not addressed immediately, could sharply erode consumer confidence in plastic payment cards.”
The proposed bill would prohibit merchants from retaining PINs or security codes after processing a credit or debit card transaction. If a merchant were to ignore the law, collect and keep that information, and if the information were lost, the party responsible for losing the information would be required to pay for the costs to close consumers’ accounts and re-issue cards. The party responsible for the loss would also be required to pay for steps that intend to prevent any ensuing fraudulent use of a consumer’s personal information and cover certain costs enabling continued financial services to the cardholder, such as notifying affected customers or crediting accounts for fraudulent transactions.
According to Thompson, approximately 75% of Wisconsin consumers who responded to a survey that the credit union league conducted, supported measures that require the party responsible for a data breach to bear such restorative costs. He says consumers may spend up to 60 hours to fix damage caused by a breach and attempts at fraud.
“This bill follows some of the payment card industry’s existing, basic rules that merchants sometimes ignore since they don’t carry the force of law or have any real consequence for those who ignore the rules,” Thompson adds.
“The payment card system itself acknowledges the imprudence of storing sensitive personal information when it’s unnecessary to do so.”
Such proposed legislation is representative of the efforts being put forth by states to shift accountability to those in the transaction pipeline. For the card industry, it is not exactly music to their ears. It further burdens the card transaction supply chain to bear the risk of a privacy breach, which usually translates into more cost somewhere.
The breach of personal information and the risk thereof spills the risk onto merchants and that can be burdensome.
“When consumers user their cards at restaurants, hotels and retailers, card data is stored within the cash register to allow the merchant to be paid,” adds Christopher Justice of Merchant Link. “If that information is not protected or removed completely, the consumer’s card data is vulnerable to theft. While consumers are typically not liable for losses in this regard, merchants spend millions as a result of the loss.”
This risk continues to be addressed by an overshadowing of Federal and State oversight; however, there are still industry members that implement their own equipment standards to lower the risk of skimming and other data breaches.
“Private industry, public institutions and trade organizations, again in various geographies, have made significant progress in identifying and mitigating the risks associated with identity theft, particularly as it relates to credit card breaches,” says Chris Speer of the consulting firm of Deloitte and Touche, USA who recently released research about consumer privacy. “At the same time, the perpetrators of identity theft continue to develop techniques and schemes to circumvent the controls established by these organizations.”
While the threat of privacy invasion and identity theft continues, so does the fragile outlook of consumer credit and the processing that goes with it. While the industry marches forward to prove its own ability to regulate itself and protect data and privacy of card users, there continues to be a layer cake that is baking — a layer cake of Federal and State oversight that will be the subject of the watchful eye of the card industry and those affected by such legislation.
Jim Romeo is a regular contributor to Transaction World Magazine and is a freelance writer based in Chesapeake, Virginia who specializes in business and technology. Visit his website at www.JimRomeo.net.
