Federal Register, Volume 77 Issue 150 (Friday, August 3, 2012)

[Federal Register Volume 77, Number 150 (Friday, August 3, 2012)]
[Rules and Regulations]
[Pages 46258-46282]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-18726]

=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 235

[Regulation II; Docket No. R-1404]
RIN 7100-AD 63

Debit Card Interchange Fees and Routing

AGENCY: Board of Governors of the Federal Reserve System

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Board has amended the provisions in Regulation II (Debit
Card Interchange Fees and Routing) that govern adjustments to debit
card interchange transaction fees to make an allowance for fraud-
prevention costs incurred by issuers. The amendments permit an issuer
to receive or charge an amount of no more than 1 cent per transaction
(the same amount currently permitted) in addition to its interchange
transaction fee if the issuer develops and implements policies and
procedures that are reasonably designed to take effective steps to
reduce the occurrence of, and costs to all parties from, fraudulent
electronic debit transactions. The amendments set forth fraud-
prevention aspects that an issuer's policies and procedures must
address and require an issuer to review its policies and procedures at
least annually, and update them as necessary in light of their
effectiveness, cost-effectiveness, and changes in the types of fraud,
methods used to commit fraud, and available fraud-prevention methods.
An issuer must notify its payment card networks annually that it
complies with the Board's fraud-prevention standards. Finally, the
amendments provide that an issuer that is substantially noncompliant
with the Board's fraud-prevention standards is ineligible to receive or
charge a fraud-prevention adjustment and set forth a timeframe within
which an issuer must stop receiving or charging a fraud-prevention
adjustment.

DATES: This rule is effective October 1, 2012.

FOR FURTHER INFORMATION CONTACT: Dena L. Milligan, Attorney (202/452-
3900), Legal Division, or David Mills, Manager and Economist (202/530-
6265), Division of Reserve Bank Operations and Payment Systems; for
users of Telecommunications Device for the Deaf (TDD) only, contact
(202/263-4869); Board of Governors of the Federal Reserve System, 20th
and C Streets NW., Washington, DC 20551.

SUPPLEMENTARY INFORMATION:

I. Section 920 of the Electronic Fund Transfer Act

The Dodd-Frank Wall Street Reform and Consumer Protection Act (the
``Dodd-Frank Act'') (Pub. L. 111-203, 124 Stat. 1376 (2010)), was
enacted on July 21, 2010. Section 1075 of the Dodd-Frank Act amends the
Electronic Fund Transfer Act (``EFTA'') (15 U.S.C. 1693 et seq.) by
adding a new section 920 regarding debit card interchange transaction
fees and rules for payment card transactions.
Section 920 of the EFTA provides that, effective July 21, 2011, the
amount of any interchange transaction fee that an issuer receives or
charges with respect to an electronic debit transaction must be
reasonable and proportional to the cost incurred by the issuer with
respect to the transaction.\1\ This section requires the Board to
establish standards for assessing whether an interchange transaction
fee is reasonable and proportional to the cost incurred by the issuer
with respect to the transaction and requires the Board to establish
rules prohibiting network exclusivity on debit cards and issuer and
network inhibitions on merchant transaction routing choice. The Board's
final rule (Regulation II, Debit Card Interchange Fees and Routing)
implementing standards for assessing whether interchange transaction
fees meet the requirements of Section 920(a) and establishing rules
regarding network exclusivity and routing choice required by Section
920(b) became effective October 1, 2011, although issuers had until
April 1, 2012, or later to comply

[[Page 46259]]

with the network exclusivity provisions.\2\
---------------------------------------------------------------------------

\1\ An ``electronic debit transaction'' means the use of a debit
card (including a general-use prepaid card) as a form of payment.
EFTA Section 920(c)(5); 12 CFR 235.2(h). For purposes of Regulation
II, the term does not include transactions initiated at automated
teller machines (ATM).
\2\ 76 FR 43394, 43394 (Jul. 20, 2011). Regulation II is set
forth in 12 CFR part 235. Regulation II defines an interchange
transaction fee (or ``interchange fee'') to mean any fee
established, charged, or received by a payment card network and paid
by a merchant or acquirer for the purpose of compensating an issuer
for its involvement in an electronic debit transaction. 12 CFR
235.2(j).
---------------------------------------------------------------------------

Under EFTA Section 920(a)(5), the Board may allow for an adjustment
to the amount of an interchange transaction fee received or charged by
an issuer if (1) such adjustment is reasonably necessary to make
allowance for costs incurred by the issuer in preventing fraud in
relation to electronic debit card transactions involving that issuer,
and (2) the issuer complies with fraud-prevention standards established
by the Board. Those standards must be designed to ensure that any
adjustment is limited to the reasonably necessary fraud-prevention
allowance described in clause (1) above; takes into account any fraud-
related reimbursements (including amounts from chargebacks) received
from consumers, merchants, or payment card networks in relation to
electronic debit transactions involving the issuer; and requires
issuers to take effective steps to reduce the occurrence of, and costs
from, fraud in relation to electronic debit transactions, including
through the development and implementation of cost-effective fraud-
prevention technology.
In issuing the standards and prescribing regulations for the
adjustment, EFTA Section 920(a)(5) requires the Board to consider (1)
the nature, type, and occurrence of fraud in electronic debit
transactions; (2) the extent to which the occurrence of fraud depends
on whether the authentication in an electronic debit transaction is
based on a signature, personal identification number (PIN), or other
means; (3) the available and economical means by which fraud on
electronic debit transactions may be reduced; (4) the fraud-prevention
and data-security costs expended by each party involved in the
electronic debit transactions (including consumers, persons who accept
debit cards as a form of payment, financial institutions, retailers,
and payment card networks); (5) the costs of fraudulent transactions
absorbed by each party involved in such transactions (including
consumers, persons who accept debit cards as a form of payment,
financial institutions, retailers, and payment card networks); (6) the
extent to which interchange transaction fees have in the past reduced
or increased incentives for parties involved in electronic debit
transactions to reduce fraud on such transactions; and (7) such other
factors as the Board considers appropriate.

II. Proposed Rule, Interim Final Rule, and Comments

A. Proposed Rule

In December 2010, the Board requested comment on two approaches to
a framework for the fraud-prevention adjustment to the interchange
transaction fee standards: a technology-specific approach and a non-
prescriptive approach. The technology-specific approach would allow an
issuer to recover some or all of its costs incurred for implementing
major innovations that would likely result in substantial reductions in
total, industry-wide fraud losses. Under this approach, the Board would
identify paradigm-shifting technologies that would reduce debit card
fraud in a cost-effective manner. The alternative approach would
establish more general standards that an issuer must meet to be
eligible to receive an adjustment for fraud-prevention costs.\3\
---------------------------------------------------------------------------

\3\ 75 FR 81722, 81740-43 (Dec. 28, 2010).
---------------------------------------------------------------------------

In general, commenters did not agree about which approach to
pursue, but commenters generally opposed the Board's mandating use of
specific technologies. Most merchants generally favored a paradigm-
shifting approach where issuers would be eligible for a fraud-
prevention adjustment only for implementing technologies that reduced
fraudulent transactions to a level materially below the level for PIN
transactions. By contrast, issuers of all sizes and payment card
networks preferred the non-prescriptive approach that would provide
issuers with flexibility to tailor their fraud-prevention activities to
address most effectively the risks they face and changing fraud
patterns. Issuer commenters also opposed a fraud-prevention adjustment
only for particular authentication methods, noting that an adjustment
favoring a particular authentication method may not provide sufficient
incentives to invest in other potentially more effective authentication
methods.\4\ The Board considered these comments in the development of
an interim final rule.
---------------------------------------------------------------------------

\4\ The comments received by the Board in response to the
proposal are described in more detail in the Federal Register notice
announcing the interim final rule. See 76 FR 43478, 43480-86 (Jul.
20, 2011).
---------------------------------------------------------------------------

B. Interim Final Rule

In June 2011, the Board adopted a non-prescriptive approach to the
fraud-prevention standards, set forth in 12 CFR 235.4, as an interim
final rule, issued in connection with its final rule implementing other
provisions of EFTA Section 920.\5\ The interim final rule allows an
issuer to receive or charge an additional amount of no more than 1 cent
per transaction to the interchange fee permitted under Sec. 235.3 if
the issuer satisfies the Board's fraud-prevention standards. Those
standards require an issuer to develop and implement policies and
procedures reasonably designed to (i) identify and prevent fraudulent
electronic debit transactions; (ii) monitor the incidence of,
reimbursements received for, and losses incurred from fraudulent
electronic debit transactions; (iii) respond appropriately to
suspicious electronic debit transactions so as to limit the fraud
losses that may occur and prevent the occurrence of future fraudulent
electronic debit transactions; and (iv) secure debit card and
cardholder data. In addition, an issuer must review its fraud-
prevention policies and procedures at least annually, and update them
as necessary to address changes in the prevalence and nature of
fraudulent electronic debit transactions and the available methods of
detecting, preventing, and mitigating fraud. The interim final rule
provides that if an issuer meets these standards and wishes to receive
the adjustment, it must annually certify its compliance with the
Board's fraud-prevention standards to the payment card networks in
which the issuer participates. The Board requested comment on all
aspects of the interim final rule.
---------------------------------------------------------------------------

\5\ The final rule implementing other provisions in Regulation
II is published in 76 FR 43394 (Jul. 20, 2011).
---------------------------------------------------------------------------

C. Summary of Comments on Interim Final Rule

The Board received 42 comments on the interim final rule from debit
card issuers, depository institution trade associations, payment card
networks, merchants, merchant trade associations, a card-payment
processor, technology companies, a member of Congress, individuals, and
public interest groups.
1. Overview of Comments Received
The comments received generally focused on the following aspects of
the interim final rule: (1) The amount of the adjustment; (2) the non-
prescriptive standards in the interim final rule; and (3) the issuer-
certification process. These comments are summarized below and are
described in more detail in the Section-By-Section Analysis.

[[Page 46260]]

Fraud-prevention adjustment amount. Most issuers and their trade
associations, payment card networks, a public interest group, and a
technology company supported permitting a fraud-prevention adjustment
to the amount of an interchange transaction fee an issuer may receive
or charge but believed the fraud-prevention adjustment amount in the
interim final rule to be too low. Commenters that supported a higher
adjustment amount did so for several reasons, including encouraging
innovation and investment in fraud-prevention activities; maintaining
consumer and merchant confidence in the security of electronic debit
transactions; and reducing potential adverse effects on exempt issuers
that have higher per-transaction fraud-prevention costs than nonexempt
issuers. These commenters suggested that the Board could increase the
adjustment amount by expanding the costs used in determining the
adjustment amount; setting the adjustment amount to the fraud-
prevention amount at the cost of the issuer at the 80th percentile (as
with the interchange fee standard in Sec. 235.3) rather than at the
median issuer's cost; including an additional ad valorem component to
the adjustment; and not capping the adjustment amount. Commenters
suggested including costs such as fraud-prevention research and
development costs, data-security costs, fraud-related customer inquiry
costs, and exempt issuer costs.
By contrast, merchants and their trade associations asserted that
the fraud-prevention adjustment amount in the interim final rule is too
high. In general, these commenters argued that the fraud-prevention
amount in the interim final rule does not take into consideration the
fraud-prevention costs of merchants and other parties to electronic
debit transactions, for example, by deducting merchants' costs from
issuers' costs. Several of these commenters recommended that, in
setting the adjustment amount, the Board include only activities that
are demonstrably effective and cost-effective, and one commenter
recommended that the Board exclude costs of activities to detect and
mitigate fraudulent electronic debit transactions.
Approach to fraud-prevention standards. Debit card issuers, their
trade associations, and payment card networks overwhelmingly supported
the non-prescriptive framework for the fraud-prevention standards
largely as set forth in the interim final rule for several reasons.\6\
These reasons included providing better incentives to invest in fraud
prevention, retaining flexibility for each issuer to respond
effectively to the dynamic fraud environment, diversifying fraud-
prevention technologies employed throughout the industry, and limiting
public information about issuers' fraud-prevention activities, which,
commenters argued, could benefit fraudsters. In addition, several
commenters opposed a technology-specific adjustment, arguing that the
Board does not have the expertise to identify the most effective and
commercially feasible fraud-prevention technologies and that such an
approach could result in underinvestment in new, and potentially more
effective, fraud-prevention technologies that are not identified in the
standards.
---------------------------------------------------------------------------

\6\ The Board received some comments suggesting more targeted
clarifications to the rule text and commentary. These comments are
discussed below in connection with the relevant rule or commentary
section.
---------------------------------------------------------------------------

By contrast, most merchants and merchant trade associations, a
public interest group, and a member of Congress opposed the fraud-
prevention standards as set forth in the interim final rule because the
standards do not include specific metrics to measure the effectiveness
and cost-effectiveness of an issuer's fraud-prevention activities.
Several of these commenters argued that fraud-prevention standards that
lack such a metric are inconsistent with EFTA 920(a)(5). A number of
these commenters supported a proposal made by a coalition of merchants.
This proposal suggested metrics for measuring the effectiveness and
cost-effectiveness of fraud-prevention activities that would assess
whether the fraud-prevention technology results in a fraud rate
materially lower than that associated with PIN transactions and whether
the cost of implementing a technology is less than the amount of fraud
losses eliminated by its use.
In contrast to the other commenters, several technology companies
supported the specification of particular fraud-prevention technologies
in the Board's standards.
Issuer certification. The Board received several comments about the
certification process in Sec. 235.4(c). Many commenters opposed the
``certification'' requirement in the interim final rule because they
believed it improperly delegates assessment of an issuer's compliance
from an issuer's primary supervisor to an issuer or payment card
network. Other commenters supported the certification requirement as
described in the interim final rule or requested clarification about
the role of payment card networks in the certification process.
Commenters also disagreed as to whether the Board should specify a
uniform certification process and reporting period. In addition, one
payment card network supported a so-called ``cure period'' for issuers
to come into compliance with the Board's fraud-prevention standards
after a deficiency finding and a 30-day time period for networks to
change the status of an issuer once a network is notified of an
issuer's noncompliance with the Board's standards.
2. Consultation With Other Agencies
EFTA Section 920(a)(4)(C) directs the Board to consult, as
appropriate, with the Comptroller of the Currency, the Board of
Directors of the Federal Deposit Insurance Corporation, the National
Credit Union Administration Board, the Administrator of the Small
Business Administration, and the Director of the Bureau of Consumer
Financial Protection in the development of the interchange fee
standards. Board staff consulted with staff from these agencies in
development of a final rule on standards for receiving or charging a
fraud-prevention adjustment.

III. Statutory Considerations

EFTA Section 920(a)(5) requires the Board to consider several
different factors in prescribing regulations related to the fraud-
prevention adjustment. This section discusses each of those factors.
Nature, type, and occurrence of fraud. The Board's survey of debit
card issuers and payment card networks provided information about the
nature, type, and occurrence of fraud in electronic debit
transactions.\7\ From the card issuer and network surveys of 2009 data,
the Board estimates that industry-wide fraud losses to all parties to
debit card transactions were approximately $1.34 billion in 2009.\8\
Based on data provided by covered issuers, about 0.04 percent of
purchase transactions were fraudulent, with an average loss per
purchase

[[Page 46261]]

transaction of about 4 cents, or about 9 basis points of transaction
value.\9\
---------------------------------------------------------------------------

\7\ The Board's ``2009 Interchange Revenue, Covered Issuer Cost,
and Covered Issuer and Merchant Fraud Loss Related to Debit Card
Transactions'' is available at http://www.federalreserve.gov/paymentsystems/regii-data-collections.htm.
\8\ Unless otherwise noted, debit card transactions include
transactions initiated using general-use prepaid cards. Industry-
wide fraud losses were extrapolated from data reported in the issuer
and network surveys conducted by the Board. Of the 89 issuers that
responded to the issuer survey, 52 issuers provided data on fraud
losses related to their debit card transactions. These issuers
reported $726 million in fraud losses to all parties of card
transactions and represented 54 percent of the total transactions
reported by networks.
\9\ Covered issuers are those issuers that, together with
affiliates, have assets of $10 billion or more. See 12 CFR 235.5(a).
The percent of purchase transactions that are fraudulent is the
number of fraudulent transactions divided by the number of purchase
transactions. The average loss per purchase transaction is the
dollar amount of fraud losses divided by the number of purchase
transactions. The average loss per purchase transaction in basis
points is the dollar amount of fraud losses divided by the dollar
amount of purchase transactions.
---------------------------------------------------------------------------

The most commonly-reported and highest-value fraud types were
counterfeit card fraud; mail, telephone, and Internet order (or ``card-
not-present'') fraud; and lost and stolen card fraud.\10\ Counterfeit
card fraud represented 0.01 percent of all purchase transactions, with
an average loss of 2 cents per transaction and 4 basis points of
transaction value. Mail, telephone, and Internet order fraud also
represented 0.01 percent of all purchase transactions with an average
loss of 1 cent per transaction and 2 basis points of transaction value.
Lost and stolen card fraud represented less than 0.01 percent of all
purchase transactions with an average loss of 1 cent per transaction
and 1 basis point of transaction value.
---------------------------------------------------------------------------

\10\ Some issuers reported ATM fraud, which was excluded from
fraud loss totals because an ATM transaction does not come under the
definition of an ``electronic debit transaction.'' See 12 CFR
235.2(h).
---------------------------------------------------------------------------

Extent to which the occurrence of fraud depends on authentication
mechanism. The issuer survey data for 2009 also provided information
about the extent to which the occurrence of fraud depends on whether
the transaction was processed by a signature or a PIN network.\11\ Of
the approximately $1.34 billion estimated industry-wide fraud losses,
about $1.11 billion of these losses arose from signature debit card
transactions and about $181 million arose from PIN debit card
transactions.\12\ The higher losses for signature debit card
transactions are attributable to both a higher rate of fraud and higher
transaction volume for signature debit card transactions.\13\ The data
showed that about 0.06 percent of signature debit and 0.01 percent of
PIN debit purchase transactions were reported as fraudulent. For
signature debit, the average loss was 5 cents per transaction, and
represented about 13 basis points of transaction value. For PIN debit,
the average loss was 1 cent per transaction, and was about 3 basis
points of transaction value. Thus, on a per-dollar basis, signature
debit fraud losses were approximately 4 times PIN debit fraud
losses.\14\
---------------------------------------------------------------------------

\11\ Transactions processed over a signature debit network are
referred to sometimes as ``signature debit card transactions'' or
``signature debit transactions.'' Transactions processed over a PIN
debit network are referred to sometimes as ``PIN debit card
transactions'' or ``PIN debit transactions.''
\12\ The sum of card program fraud losses does not equal the
industry-wide fraud losses due to different sample sizes and
rounding.
\13\ In 2009, signature transactions accounted for 60 percent of
electronic debit transaction volume and 59 percent of transaction
value. PIN transactions accounted for 37 percent of electronic debit
transaction volume and 39 percent of transaction value. The
remainder of the transaction volume and value was attributable to
prepaid card transactions, which could be either signature or PIN
transactions. See 2009 Interchange Revenue, Covered Issuer Cost, and
Covered Issuer and Merchant Fraud Loss Related to Debit Card
transactions.
\14\ The survey data did not break out prepaid card PIN
transactions from prepaid card signature transactions. For all
prepaid debit transactions, about 0.03 percent of purchase
transactions were fraudulent; the average loss was 1 cent per
transaction, and 4 basis points of transaction value.
---------------------------------------------------------------------------

The different fraud loss rates for signature and PIN transactions
reflect, in part, differences in the ease of committing fraud
associated with the two card- and cardholder-authentication methods. A
signature debit card transaction requires information that is typically
contained on the card itself in order for card and cardholder
authentication to take place. Therefore, a thief need only steal the
card or information on the card in order to commit fraud.\15\ By
contrast, card- and cardholder-authentication of a PIN debit card
transaction requires not only the card or information contained on the
card, but also something only the cardholder should know, namely, the
PIN. In the case of PIN transactions, a thief generally needs both the
card, or information on the card, and the cardholder's PIN to commit
fraud. Virtually all PIN debit transactions currently occur in a card-
present environment, and virtually all transactions in card-not-present
environments (i.e., Internet) are routed over signature debit networks.
For Internet transactions, the cardholder typically does not
authenticate the transaction with a signature, although an issuer or
merchant may have other means of authenticating the cardholder or card,
such as the use of a Card Verification Value (CVV) number or the input
of cardholder information at the time of purchase.
---------------------------------------------------------------------------

\15\ Among other things, information on the card includes the
card number, the cardholder's name, and the cardholder's signature.
---------------------------------------------------------------------------

Card issuers responding to the Board's survey reported that card-
present fraud losses for signature debit transactions were over 3 times
greater than the fraud loss value, in basis points, associated with PIN
debit card-present transactions. Issuers also reported that fraud
losses across all parties on transactions over signature debit networks
were higher for card-not-present transactions than for card-present
transactions.\16\ On a transactions-weighted average basis, card-not-
present fraud losses represented 17 basis points of the value of card-
not-present signature debit transactions. Card-present fraud losses
represented 11 basis points of the value of card-present signature
debit transactions.
---------------------------------------------------------------------------

\16\ In 2009, almost all card-not-present transactions were
processed over signature networks.
---------------------------------------------------------------------------

Available and economical means by which fraud may be reduced. The
Board requested information about issuers' fraud-prevention activities
and costs in its survey. Issuers identified several categories of
activities used to detect, prevent, and mitigate fraudulent electronic
debit transactions, including transaction monitoring; merchant
blocking; card activation and authentication systems; PIN
customization; system and application security measures, such as
firewalls and virus protection software; and ongoing research and
development focused on making an issuer's fraud-prevention practices
more effective.
Based on reported information, the median issuer spent 1.8 cents
per transaction on all fraud-prevention activities. The most commonly
reported activity in the fraud-prevention section of the survey was
transaction monitoring, which generally includes activities related to
the authorization of a particular electronic debit transaction, such as
the use of neural networks and automated fraud risk scoring systems
that may lead to the denial of a suspicious transaction. At the median,
issuers reported spending approximately 0.7 cents per transaction on
transaction monitoring activity.\17\ The costs associated with research
and development, card-activation systems, PIN customization, merchant
blocking, and card-authentication systems were all small when measured
on a per-transaction basis, typically less than one-tenth of a cent
each. For all data-security costs reported by issuers in the issuer
card survey, the median was 0.1 cents.
---------------------------------------------------------------------------

\17\ Transaction monitoring costs were included in the costs
used as the basis for the interchange fee standard rather than the
fraud-prevention adjustment. See 76 FR 43478, 43482-83 (Jul. 20,
2011).
---------------------------------------------------------------------------

Fraud-prevention costs expended by parties involved in electronic
debit transactions. As discussed above, issuers incur costs for a
variety of fraud-prevention activities. In addition, other

[[Page 46262]]

parties involved in debit card transactions incur fraud-prevention
costs. For example, some consumers routinely monitor their accounts for
unauthorized debit card purchases, which could be measured as an
opportunity cost of the consumers' time; however, the opportunity cost
of consumers' time to monitor their account is difficult to put into
monetary terms. Merchants and acquirers incur costs for fraud-
prevention tools such as terminals that enable merchants to use various
card- and cardholder-authentication mechanisms, address verification,
geolocation services, and data-encryption technologies. In addition to
services they may purchase from others, merchants may develop their own
fraud-prevention tools. For example, many large Internet merchants
implement extra security measures to verify the legitimacy of a
purchase. Typically these checks occur between the time a transaction
is authorized by the issuer and the product is shipped to the
purchaser. In their comments on the proposed rule, several online
merchants noted that they have developed sophisticated fraud-risk
management systems that include both manual review and automated
processes, which have reduced fraud rates to levels at or below card-
present rates at other merchants. In addition to these investments,
merchants also take steps to secure data and comply with Payment Card
Industry Data Security Standards (PCI-DSS).\18\ In their comments on
the proposed rule and interim final rule, several merchants noted that
merchants incur substantial costs for PCI-DSS compliance as well as
other fraud-prevention activities.
---------------------------------------------------------------------------

\18\ The Payment Card Industry (PCI) Security Standards Council
was founded in 2006 by five card networks--Visa, Inc., MasterCard
Worldwide, Discover Financial Services, American Express, and JCB
International. These card brands share equally in the governance of
the organization, which is responsible for development and
management of PCI Data Security Standards (PCI-DSS). PCI-DSS is a
set of security standards that all payment system participants,
including merchants and processors, are required to meet in order to
participate in payment card systems.
---------------------------------------------------------------------------

Costs of fraudulent transactions absorbed by different parties
involved in fraudulent transactions. Various laws and regulations
allocate the costs of fraudulent electronic debit transactions among
different parties to the transactions. For example, the Consumer
Financial Protection Bureau's Regulation E limits a consumer's
liability for unauthorized electronic fund transfers to $50 in certain
circumstances.\19\ In addition, payment card network rules implement a
chargeback process to allocate loss between issuers and acquirers,
either of which may, if permitted by network rules, pass on some or all
of the loss to the cardholder or merchant. Typically, the allocation of
fraud losses under network rules varies by the type of transaction,
cardholder authentication method, and procedures followed at the point
of sale, among other factors.
---------------------------------------------------------------------------

\19\ See 12 CFR 1005.6.
---------------------------------------------------------------------------

Using the issuer survey data for 2009, the Board estimated the cost
of fraudulent transactions absorbed by different parties to debit card
transactions. Based on the issuer survey responses, almost all of the
reported fraud losses associated with debit card transactions fall on
the issuers and merchants. In particular, across all types of
transactions, 62 percent of reported fraud losses were borne by issuers
and 38 percent were borne by merchants. The fraud loss borne by
cardholders is low in dollar terms, but may also include costs
associated with the time spent rectifying fraudulent transactions. Most
issuers reported that they impose zero or very limited liability on
cardholders, even where they would be permitted to impose some
liability under the EFTA and Regulation E. Payment card networks and
merchant acquirers also reported that they bore very limited fraud
losses, indicating that merchant acquirers pass through fraud losses to
merchants.
The distribution of fraud losses between issuers and merchants
varies based on the authentication method used in a debit card
transaction. Issuers and payment card networks reported that nearly all
the fraud losses associated with PIN debit card transactions (96
percent) were borne by issuers. By contrast, reported fraud losses were
distributed much more evenly between issuers and merchants for
signature debit card transactions. Specifically, issuers and merchants
bore 59 percent and 41 percent of signature debit fraud losses,
respectively.\20\
---------------------------------------------------------------------------

\20\ For prepaid card transactions, issuers bore two-thirds and
merchants bore one-third of fraud losses.
---------------------------------------------------------------------------

The distribution of fraud losses also varies based on whether or
not the card was present at the point of sale. According to the survey
data, merchants assume approximately 74 percent of signature debit card
fraud for card-not-present transactions, compared to 23 percent for
card-present signature debit card fraud.
Extent to which interchange transaction fees have in the past
affected fraud-prevention incentives. Issuers have a strong incentive
to protect cardholders and reduce fraud independent of interchange fees
received. Competition among issuers for cardholders suggests that
protecting their cardholders from fraud is good business practice for
issuers. Higher interchange revenues may have allowed issuers to offset
both their fraud losses and fraud-prevention costs and fund innovation
on fraud-prevention tools and activities. Merchant commenters stated
that, historically, the higher interchange revenue for signature debit
relative to PIN debit has encouraged issuers to promote the use of
signature debit over PIN debit, even though signature debit has
substantially higher rates of fraud.

IV. Summary of Final Rule

The Board has considered all comments received and has adopted a
final rule for the fraud-prevention adjustment to the amount of an
interchange transaction fee that an issuer may receive or charge. The
final rule permits an issuer that satisfies the Board's fraud-
prevention standards to receive or charge an amount of no more than 1
cent per transaction in addition to any interchange transaction fee it
receives or charges in accordance with Sec. 235.3, the same amount as
permitted in the interim final rule. The final rule emphasizes the
statutory requirements by establishing fraud-prevention standards that
require an issuer to develop and implement policies and procedures
reasonably designed to take effective steps to reduce the occurrence
of, and costs to all parties from, fraudulent electronic debit
transactions, including through the development and implementation of
cost-effective fraud-prevention technology. An issuer's policies and
procedures must address (1) methods to identify and prevent fraudulent
electronic debit transactions; (2) monitoring of the volume and value
of its fraudulent electronic debit transactions; (3) appropriate
responses to suspicious electronic debit transactions in a manner
designed to limit the costs to all parties from and prevent the
occurrence of future fraudulent electronic debit transactions; (4)
methods to secure debit card and cardholder data; and (5) such other
factors as the issuer considers appropriate.
The final rule requires an issuer to review its fraud-prevention
policies and procedures, and their implementation, at least annually,
and update them as necessary in light of (i) their effectiveness in
reducing the occurrence of, and cost to all parties from, fraudulent
electronic debit transactions involving the issuer; (ii) their cost-
effectiveness; and (iii) changes in the types of fraud, methods used to
commit

[[Page 46263]]

fraud, and available methods for detecting and preventing fraudulent
electronic debit transactions that the issuer identifies from (A) its
own experience or information; (B) information provided to the issuer
by its payment card networks, law enforcement agencies, and fraud-
monitoring groups in which the issuer participates; and (C) applicable
supervisory guidance.
To be eligible to receive or charge a fraud-prevention adjustment,
an issuer must annually notify its payment card networks that it
complies with the Board's fraud-prevention standards. Finally, if an
issuer is substantially noncompliant with the Board's fraud-prevention
standards, as determined by the issuer or the agency with
responsibility for enforcing the issuer's compliance with Regulation
II, the issuer must notify its payment card networks that it is no
longer eligible to receive or charge a fraud-prevention adjustment no
later than 10 days after the date of the issuer's determination or
notification from the agency and must stop receiving or charging the
fraud-prevention adjustment no later than 30 days after notifying its
networks.
The Board made various changes throughout Sec. 235.4, and
accompanying commentary, in response to comments and additional
information available to it. The final rule is explained more fully
below.

V. Section-By-Section Analysis

Section 235.4(a) Adjustment Amount

A. Summary of Interim Final Rule
Section 235.4(a) of interim final rule permits an issuer to
increase the amount of the interchange fee it may receive or charge
under Sec. 235.3 by no more than 1 cent if the issuer complies with
the Board's fraud-prevention standards in Sec. 235.4(b) of the interim
final rule. The adjustment amount is the same irrespective of
authentication method, transaction type, or issuer.
The Board surveyed issuers regarding their total cost incurred in
2009 for fraud-prevention and data-security activities, as well as for
research and development activities related to an issuer's fraud-
prevention program. The Board also asked issuers to report the costs
associated with the following: card-activation systems, PIN
customization, merchant blocking, transaction monitoring, specialized
authorization services, cardholder-authentication systems, card-
authentication systems, data-access controls, and data encryption. The
Board also invited issuers to report other fraud-prevention and data-
security activities, and the costs incurred from those activities.
The interim final rule included costs related to activities used by
issuers to ``detect, prevent, and mitigate'' fraudulent electronic
debit transactions, as reported by issuers in the Board survey.\21\ For
example, the interim final rule included issuer costs related to
authenticating the card and cardholder (such as PIN management and
card-authentication technologies embedded in the card), providing
alerts to cardholders about suspicious electronic debit transactions,
receiving and processing reports of lost and stolen debit cards,
reissuing debit cards used or suspected to have been used to make
fraudulent electronic debit transactions, tracking and sharing
information with payment card networks about compromised debit cards,
monitoring compromised card databases, processing fraud claims and
disputes of cardholders, activating cards, securing data systems,
encrypting data, and ongoing research and development activities. Costs
that were not included as part of the fraud-prevention adjustment
included the cost of due diligence at account opening, the cost of
routine mailings of newly issued or reissued cards, and the cost of
fraud losses and any other costs allowed under the base interchange fee
standard.
---------------------------------------------------------------------------

\21\ 76 FR 43478, 43481 (Jul. 20, 2011).
---------------------------------------------------------------------------

The adjustment amount in the interim final rule corresponds to the
reported fraud-prevention costs, excluding those fraud-prevention costs
included in the interchange fee standards in Sec. 253.3, of the issuer
at the median of the survey respondents. The median issuer's 2009 per-
transaction fraud-prevention cost reported to the Board was 1.8 cents.
The costs associated with research and development, card-activation
systems, PIN customization, merchant blocking, and card-authentication
systems were all small when measured on a per-transaction basis,
typically less than one-tenth of a cent each. For all data-security
costs reported by issuers in the card issuer survey, the median was 0.1
cents.
In setting the interchange fee standard in Sec. 235.3, the Board
included costs of transaction-monitoring systems that are integral to
the authorization of a transaction. Transaction monitoring systems
assist in the authorization process by providing information to the
issuer before the issuer decides to approve or decline the transaction.
Because these costs are already included for all covered issuers as a
basis for establishing the interchange fee standards, the Board
excluded them in determining the fraud-prevention adjustment amount.
The median issuer's transactions-monitoring cost is 0.7 cents per
transaction. The fraud-prevention adjustment of 1 cent represents the
difference between the median issuer's fraud-prevention cost of 1.8
cents per transaction less the median issuer's transaction-monitoring
cost of 0.7 cents, rounded to the nearest cent.
B. Fraud-Prevention Costs Included in the Adjustment
1. Comments Received
In general, issuers and networks encouraged the Board to include
costs of a broad set of fraud-prevention activities. In particular,
these commenters recommended that the Board include in the calculation
of the adjustment costs related to routine account monitoring, customer
notifications, routine and non-routine card issuance and reissuance,
name and address verification, chargeback costs, research and
development of new fraud-prevention technologies, data security, card-
activation systems, neural networks, transaction scoring, PIN
customization, merchant blocking, other software systems, and lost
revenue due to customers not having access to their debit card while
awaiting reissuance. Some commenters encouraged the Board to include,
in particular, the costs of activities undertaken in response to
merchant data breaches.
Issuers also suggested that the Board include the costs of
cardholder inquiries related to fraud, including providing payment
transaction clarity so that customers are able to identify merchants
listed on their statements. These commenters asserted that fraudulent
transactions almost always involve a cardholder inquiry and that
responding to cardholder inquiries is a fundamental and an economical
means of preventing fraud as it permits issuers to gather information
about lost and stolen cards, which is necessary to make decisions
regarding appropriate responses to prevent fraud in connection with
such cards. These commenters also noted that time and expense
associated with cardholder inquiries is quantifiable and that the Board
should try to determine the portion of cardholder inquiry costs related
to fraud prevention.
A number of issuer commenters also encouraged the Board to base the
fraud-prevention adjustment amount on the fraud-prevention costs of
issuers that are exempt from the interchange fee standards in Sec.
253.3 and the fraud-

[[Page 46264]]

prevention adjustment in Sec. 235.4.\22\ Trade groups representing
small issuers were concerned that the interchange fee standards,
including the fraud-prevention adjustment, will become the de facto
interchange fee level across the industry and that small issuers will
suffer disproportionately because they tend to have higher per-
transaction fraud-prevention costs.
---------------------------------------------------------------------------

\22\ Institutions that have, together with their affiliates,
assets of less than $10 billion are exempt from the interchange fee
standards. 12 CFR 235.5(a).
---------------------------------------------------------------------------

Merchants, on the other hand, argued that the Board included too
many fraud-prevention costs. One commenter asserted that including
costs to detect and mitigate fraud goes beyond ``preventing fraud.''
Additionally, merchants argued that the Board included costs of
activities that have not been proven to prevent fraud, such as PIN
customization (which one commenter argued makes PINs easier to guess)
and research and development. Another commenter suggested that the
Board more precisely delineate between activities that prevent fraud
and those that do not.
Most merchant and merchant group commenters also asserted that the
Board failed to take into account merchant's fraud-prevention costs, as
required by EFTA Section 920(a)(5)(B). Several of these merchant
commenters encouraged the Board to offset the adjustment amount by
merchants' fraud-prevention costs or by the amount issuers recoup from
other parties to the fraudulent electronic debit transaction through
chargebacks or other means. One commenter argued that the desire to
avoid or minimize the administrative burden associated with surveying
merchants is not a sufficient reason for not measuring merchant costs.
Another commenter argued that, by not considering specific merchants'
fraud-prevention costs, merchants that have mostly card-not-present
transactions essentially subsidize fraud prevention for the rest of the
network, because those merchants tend to invest more in fraud
prevention (to deal with higher rates of fraud in the card-not-present
environment) than merchants that have mostly card-present transactions.
One merchant commenter suggested that the Board take merchant costs
into account by prohibiting issuers from imposing any fraud loss costs
or PCI-DSS (or similar costs) on merchants if the fraud relates to
transactions that qualify for the fraud-prevention adjustment.
2. Final Rule
Section 920(a)(5)(A)(i) of the EFTA permits the Board to allow an
adjustment to the amount of an interchange fee that an issuer may
receive or charge if ``such adjustment is reasonably necessary to make
allowance for costs incurred by the issuer in preventing fraud in
relation to electronic debit transactions involving that issuer.''
Fraud prevention involves a broad range of activities in which an
issuer may engage before, during, or after an electronic debit
transaction. Fraud-prevention activities include activities to detect
fraudulent transactions. Detecting possible fraud during the
authorization process, for example, can lead to actions such as denying
a transaction or contacting the cardholder to verify the legitimacy of
a previously authorized transaction. In this way, detecting possible
fraudulent electronic debit transactions can prevent the fraud from
happening. Similarly, issuers can take steps once fraud is discovered
to mitigate the loss associated with the fraudulent activity. For
example, an issuer may place an alert on a debit card indicating that
the card or account information may have been compromised or cancel a
compromised card and issue a new card to the cardholder in order to
prevent future fraudulent transactions using the card. Thus, although
the initial fraudulent transaction(s) may not have been prevented, an
issuer can prevent additional fraud loss by taking such steps.
Therefore, the Board has determined that activities that detect and
mitigate fraudulent electronic debit transactions contribute to
preventing fraud and that the costs of such activities are appropriate
to include for purposes of the fraud-prevention adjustment.
Costs associated with research and development of new fraud-
prevention technologies, card reissuance due to fraudulent activity,
data security, card activation, and merchant blocking are all examples
of costs that are incurred to detect and prevent fraudulent electronic
debit transactions. Therefore, the Board has included the costs of
these activities in setting the fraud-prevention adjustment amount to
the extent the issuers reported these costs in response to the survey
on 2009 costs. As in the interim final rule, the Board has determined
to exclude from the adjustment amount any costs included in the
interchange fee standards in Sec. 253.3. Thus, the costs of
transaction monitoring activities such as the use of neural networks
and transactions scoring systems that assist in the authorization
process by providing information to the issuer before the issuer
decides to approve or decline the transaction were not considered.
Section 920(a)(5) allows the Board to permit an adjustment to make
allowance for costs incurred by the issuer in preventing fraud in
relation to electronic debit transactions. Accordingly, the Board did
not include costs incurred to prevent fraud to a cardholder's
transaction account through means other than fraudulent electronic
debit transactions, or costs incurred to prevent fraud in connection
with other payment methods such as credit cards. For example, name and
address verification used in opening a checking account is an excluded
activity because it involves preventing fraud with respect to the
entire account relationship and is performed whether or not a debit
card is issued as a means of making payments from the account.
Similarly, the costs of activities employed solely to prevent
fraudulent credit card transactions are not included. To the extent an
issuer engages in an activity or activities to prevent both fraudulent
credit card and debit card transactions (e.g., securing data across all
of its card programs), issuers were instructed to allocate such joint
costs in the issuer survey based on the relative proportion of the cost
of the activity that was tied to debit card transactions, and only that
proportion of costs was included in determining the fraud-prevention
adjustment.
Additionally, fraud losses, including ATM losses, and the lost
revenue due to customers' inability to use their debit cards while
awaiting reissuance are not costs incurred to prevent fraudulent
electronic debit transactions and are excluded. Similarly, costs of
purchasing fraud-loss insurance or recovering losses also are excluded
as these are not costs incurred to prevent fraudulent electronic debit
transactions.
Fraud-prevention costs of exempt issuers. EFTA Section 920(a)(6)(A)
provides an exemption from EFTA Section 920(a) for any issuer that,
together with its affiliates, has assets of less than $10 billion.
EFTA, however, does not provide the Board with specific authority to
require networks to implement these exemptions in any particular way.
The Board recognizes the concerns raised by small issuers that market
forces could lead to a convergence of the interchange fee levels of
exempt and nonexempt issuers and that small issuers could suffer
disproportionately because they tend to have higher per-transaction
fraud-prevention costs. Nonetheless, the Board's interchange fee
standard, including the fraud-prevention adjustment, does not itself
limit the

[[Page 46265]]

amount of interchange fees small issuers may receive or charge.
Moreover, the Board recognizes that requesting that small issuers
record and report their costs associated with authorizing, clearing,
and settling electronic debit transactions and the costs associated
with fraud prevention and data security would impose administrative
burden on these entities. Therefore, the Board has determined not to
include in the adjustment the fraud-prevention costs incurred by small
issuers. As noted in the preamble to the Board's final rule
implementing other provisions of EFTA Section 920, the Board is
monitoring the effectiveness of the exemption for small issuers and
notes that, in the fourth quarter of 2011, the first quarter during
which the interchange fee standards went into effect, nearly all
payment card networks offered small issuers a higher interchange fee
than that set forth in the standards and that the average interchange
fee for small issuers is about the same as it was for all issuers in
2009.\23\
---------------------------------------------------------------------------

\23\ 76 FR 43394, 43436 (Jul. 20, 2011). See http://www.federalreserve.gov/paymentsystems/regii-average-interchange-fee.htm.
---------------------------------------------------------------------------

Fraud-prevention costs incurred by other parties. EFTA Section
920(a)(5)(B)(ii) requires the Board to consider the fraud-prevention
and data-security costs expended by each party involved in electronic
debit transactions. The Board recognizes that all parties to electronic
debit transactions, including merchants, incur fraud-prevention costs.
For example, both merchants and issuers incur costs to comply with PCI-
DSS and network rules related to fraud prevention. Moreover, certain
merchants, such as Internet merchants, have developed customized
approaches to prevent fraud and secure customer data in response to the
particular fraud risks faced in their sales environments.
The Board has given consideration to, and taken into account, the
fraud-prevention costs of other parties by setting the adjustment based
on the costs of the median issuer (as opposed to the interchange fee
standards in Sec. 253.3, which were set at the 80th percentile
issuer).\24\ This lower amount is intended, in part, to reduce the
adjustment as a way to recognize the fraud-prevention and data-security
costs of merchants and parallels the ad valorem component of the base
interchange fee standard (5 basis points multiplied by the transaction
value), which was set at the median issuer's per-transaction fraud
losses. Further, as discussed in connection with the Board's fraud-
prevention standards in Sec. 235.4(b), the Board also is requiring
issuers to take into account whether, and to what extent, fraud-
prevention technologies implemented by an issuer are likely to impose
costs on other parties. Requiring an issuer to take into account the
costs borne by other parties in these ways obviates the need to impose
a burdensome survey on merchants and other parties about their fraud-
prevention costs.
---------------------------------------------------------------------------

\24\ 76 FR 43394, 43433-34 (Jul. 20, 2011).
---------------------------------------------------------------------------

C. Adjustment Amount
1. Comments Received
The maximum permissible fraud-prevention adjustment amount in the
interim final rule is 1 cent. In general, issuers, depository industry
trade associations, and payment card networks supported increasing the
adjustment amount and asserted that the adjustment amount in the
interim final rule would discourage innovation and investment in fraud-
prevention activities, particularly in technology requiring substantial
upfront investment. Issuers also argued that the 1-cent adjustment
amount would undermine the goal of protecting cardholder financial
information. Another commenter stated that an insufficient fraud-
prevention adjustment could lead to an increase in declined
transactions at the point of sale as issuers become more conservative
in transaction authorizations. Another issuer commenter believed that
the fraud-prevention adjustment disproportionately shifts the burden on
issuers to implement fraud-prevention measures without reasonable
compensation.
Several issuers suggested setting the adjustment amount based on
the costs of the issuer at the 80th percentile, consistent with the
interchange fee standards in Sec. 235.3. Issuer commenters stated that
the Board provided no explanation for setting the adjustment at the
median while the interchange fee standard was set at the 80th
percentile of issuers' reported costs or for why the fraud-prevention
activities of issuers with costs above the median were not viewed as
cost-effective.
A few issuers suggested incorporating an ad valorem component
because issuers often target their fraud-prevention investments at
large-value transactions. One issuer suggested that an ad valorem
component also could vary based on the type of merchant in order to
compensate issuers for fraud-prevention costs associated with riskier
merchants.
Other comments from issuers suggested other manners in which the
fraud-prevention amount could vary. Specifically, one issuer suggested
increasing the adjustment amount for those issuers with higher-than-
average fraud losses because such issuers will both absorb more fraud
losses and incur more costs to prevent and mitigate fraud. Another
issuer suggested imposing a higher fraud-prevention adjustment on
merchants that are not PCI-DSS compliant or to set the fraud-prevention
adjustment amount as a percentage of interchange fee revenue.\25\ One
issuer group suggested varying the fraud-prevention adjustment based on
the charge-back rate of the merchant involved in the transaction.
---------------------------------------------------------------------------

\25\ This commenter suggested that the percentage be set at 19
percent, which the commenter estimated to be issuers' historic
fraud-prevention costs as a percentage of historic interchange fee
revenue.
---------------------------------------------------------------------------

One technology company suggested that issuers receive an additional
amount for adopting specific fraud-prevention technologies such as
biometric facial recognition software or other authentication methods
not yet prevalent in the industry.
In general, merchants and their associations urged the Board to
adopt a lower adjustment amount. Some merchant groups opposed the use
of the data collected from issuers to determine the amount of the
adjustment, arguing that the survey was flawed. These commenters argued
that the Board did not reveal results from the survey until it
published the interim final rule, that only a small subset of covered
issuers responded, and that there was no independent verification. One
merchant commenter supported the adjustment amount in recognition of
the fact that issuers ultimately are subject to complying with the
Board's fraud-prevention standards, but opposed the Board increasing
the adjustment amount higher than 1 cent. One merchant questioned
whether a fraud-prevention adjustment was necessary given the amount an
issuer could receive or charge under the base interchange fee standard.
2. Final Rule
The Board has considered the comments and has determined to retain
the 1-cent fraud-prevention adjustment amount that is permitted in the
interim final rule. As mentioned above, the Board initially set the
adjustment amount at the fraud-prevention cost of the median issuer
based on 2009 fraud-prevention costs reported by issuers in response to
the Board's 2010 survey, minus those fraud-prevention costs that are
already part of the interchange fee standards in Sec. 253.3. The Board
chose to

[[Page 46266]]

set the adjustment based on the median cost to balance the fraud-
prevention and data-security costs incurred by issuers and those
incurred by merchants, some of which are incurred due to the fraud-
prevention methods selected by issuers. This consideration and approach
parallels the approach taken with respect to the ad valorem component
of the base interchange fee standard. The ad valorem component, which
accounts for fraud losses incurred by issuers, was set at the median
issuer's fraud losses (i.e., 5 basis points multiplied by the
transaction value). In setting the ad valorem component, the Board
explicitly recognized that both issuers and merchants incur fraud
losses.\26\
---------------------------------------------------------------------------

\26\ 76 FR 43394, 43434 (Jul. 20, 2011).
---------------------------------------------------------------------------

The Board has considered the comments suggesting an ad valorem
component and has determined not to include such a component in the
fraud-prevention adjustment amount. An ad valorem component is more
appropriate for measuring fraud losses, for which there is a direct
correlation between transaction value and the amount of the loss, than
when measuring fraud-prevention costs, which may, but do not
necessarily, vary with the value of a transaction. The Board notes that
the 1-cent adjustment does not limit a payment card network's ability
to vary the overall interchange fee rate based on the type of merchant,
for any of the aforementioned reasons, so long as an issuer does not
receive interchange fees, including the fraud-prevention adjustment,
greater than permitted in Regulation II.
The Board has also determined not to permit issuers to receive or
charge an adjustment above the 1-cent amount for adopting certain new
authentication methods. As noted below in connection with Sec.
235.4(b), the Board has taken a non-prescriptive approach to allow for
flexibility in using a variety of methods to prevent fraudulent
electronic debit transactions.
As previously noted, the Board is using the fraud-prevention cost
data as reported by issuers for 2009 in determining the maximum fraud-
prevention adjustment amount permitted in Regulation II. Since that
time, the Board has surveyed issuers that are not exempt from the
interchange fee standards for their data for calendar year 2011. At the
time of this final rule, the Board is still processing and analyzing
the 2011 data. The Board will take into account data from the 2011
survey and future surveys when considering any future revisions to the
fraud-prevention adjustment.
D. Application to All Transactions
1. Comments Received
The interim final rule permits an issuer to receive or charge the
fraud-prevention amount for all types of electronic debit transactions.
Several merchant commenters encouraged the Board to permit an
adjustment only for PIN-based transactions, due to the lower fraud
rates of PIN-based debit compared to signature-based debit. Other
merchant commenters suggested the Board permit an adjustment only for
authentication methods that have fraud rates demonstratively lower than
those for PIN transactions. One individual suggested that the Board
provide greater disincentives, such as a negative adjustment, for less
secure technologies and asserted that doing so was consistent with the
statutory directive to consider the extent to which the occurrence of
fraud depended on the authentication method.
Issuers and networks supported applying the adjustment to all debit
card transactions. These commenters argued that not all authentication
methods are available for all transactions. One consequence of this,
they argued, is that lower fraud rates and losses for PIN may be due to
the fact that signature is the only method available for Internet
transactions and that PIN fraud, unlike signature fraud, often
manifests itself as ATM fraud, which the Board did not take into
account. Some of these commenters also argued that limiting the
adjustment to PIN transactions would create disincentives to invest in
signature and other non-PIN based fraud prevention. Authentication
technology providers also supported not limiting the adjustment to
authentication methods that exist and are used widely today.

2. Final Rule

The Board has considered the comments and has determined that an
eligible issuer may receive or charge a fraud-prevention adjustment for
all electronic debit transactions irrespective of the authentication
method used for the transaction. As recognized in the interim final
rule, limiting the adjustment to only a subset of authentication
methods, or only those available today, may not provide issuers with
sufficient flexibility to develop other methods of authentication that
may be more effective than today's alternatives and may not require a
PIN. Limiting the transactions eligible for a fraud-prevention
adjustment also may reduce the incentives for issuers to improve fraud-
prevention techniques for authentication methods that, for a variety of
reasons, experience higher fraud rates. Further, because issuers are
less likely to receive a higher interchange fee for signature-based
transactions than in the past, the Board believes that issuers'
incentives to encourage cardholders to use their signature rather than
their PIN to authenticate transactions at the point of sale will
diminish.

Section 235.4(b)(1) Issuer Fraud-Prevention Standards

A. Proposed Rule and Interim Final Rule
The Board's 2010 proposed rule did not contain a specific proposal
for a fraud-prevention adjustment to the interchange fee standards.
Instead, as discussed above, the Board requested comment on two general
approaches to an adjustment: a technology-specific approach, which
would permit an issuer to recover costs for major innovations
identified by the Board as likely to result in substantial reductions
in fraud losses, and a non-prescriptive approach, which would involve
more general standards for an issuer to satisfy without the
prescription of specific technologies.\27\ With respect to that initial
proposal, commenters generally opposed the Board mandating specific
technologies for many reasons, including that a technology-specific
approach would not necessarily be more effective than an approach that
involves a variety of technologies, practices, and methods and that a
technology-specific approach could deter investment in new
technologies.
---------------------------------------------------------------------------

\27\ For a more detailed description of the two approaches
proposed by the Board, see 75 FR 81722, 81742-43 (Dec. 28, 2010).
---------------------------------------------------------------------------

Issuers, depository institution trade associations, and payment
card networks preferred the non-prescriptive approach because that
approach would maintain issuer flexibility to respond to existing and
emerging fraud risks and to do so in a timely manner. Merchants
supported an approach that provided incentives to issuers and networks
to switch from the current methods and technologies to more effective
(``paradigm shifting'') fraud-prevention technologies. One merchant
group's suggestion, supported by many other merchant commenters,
proposed an approach under which any technologies issuers wanted to
offer to merchants must undergo an application and approval process
managed by the Board before the issuer would be eligible to receive the
fraud-prevention adjustment. This merchant group suggested that, as
part of the application and approval process, an issuer must

[[Page 46267]]

demonstrate that the technology reduces fraud to a level materially
lower than that associated with PIN debit transactions.\28\
---------------------------------------------------------------------------

\28\ See comment letter on the proposed rule from the Merchants
Payments Coalition and comment letter on the interim final rule from
the Merchants Payments Coalition.
---------------------------------------------------------------------------

The Board adopted the non-prescriptive approach to fraud-prevention
standards in the interim final rule. The Board determined that the
dynamic nature of the debit card fraud environment necessitates
standards that permit issuers to identify the best methods to detect,
prevent, and mitigate fraud losses for the size and scope of their
debit card programs and to respond to frequent changes in fraud
patterns. In addition, specifying and limiting the set of technologies
for which issuers recover their costs may weaken the long-term
effectiveness of the specified technologies. The reasons for selecting
the non-prescriptive approach for the interim final rule are set forth
more fully in the Federal Register notice announcing the interim final
rule.\29\
---------------------------------------------------------------------------

\29\ 76 FR 43394, 43478 (Jul. 20, 2011).
---------------------------------------------------------------------------

Section 235.4(b)(1) of the interim final rule requires an issuer,
in order to be eligible to receive a fraud-prevention adjustment, to
develop and implement policies and procedures reasonably designed to:
(1) Identify and prevent fraudulent electronic debit transactions; (2)
monitor the incidence of, reimbursements received for, and losses
incurred from fraudulent electronic debit transactions; (3) respond
appropriately to suspicious electronic debit transactions so as to
limit the fraud losses that may occur and prevent the occurrence of
future fraudulent electronic debit transactions; and (4) secure debit
card and cardholder data. Procedures could include practices,
activities, methods, or technologies that are used to implement and
make effective an institution's fraud-prevention policies. The
commentary to Sec. 235.4(b) discusses the types of fraud that an
issuer's policies and procedures should address, which includes the
unauthorized use of a debit card (see interim final rule comment 4(b)-
2). The commentary to the interim final rule also provides examples of
practices that may be part of an issuer's policies and procedures that
are reasonably designed to achieve each of the fraud-prevention goals
in Sec. 235.4(b)(1).\30\ The commentary to the interim final rule, and
changes thereto, are discussed below more fully in connection with the
applicable fraud-prevention objective set forth in Sec. 235.4(b).
---------------------------------------------------------------------------

\30\ See interim final rule comments 4(b)(1)(i) through
4(b)(1)(iv) in Appendix A to 12 CFR part 235.
---------------------------------------------------------------------------

B. Comments Received
Issuers and networks overwhelmingly supported the non-prescriptive
framework and standards in Sec. 235.4(b). Issuers and networks
asserted that the non-prescriptive approach would provide incentives to
prevent fraud and invest in new fraud-prevention technologies, while
also providing flexibility for each issuer to determine its optimal
fraud-prevention solutions (including non-technology based solutions)
and enabling issuers, networks, and acquirers to compete based on
fraud-prevention tools. Issuers and networks opposed a technology-
specific approach, which they argued would lock the industry into
particular technologies, give fraudsters advance notice of fraud-
prevention methods, slow the implementation of new technology, and
result in an inefficient allocation of resources by discouraging new
investments in other technologies. Moreover, issuers and networks did
not believe that the government was better positioned than industry
participants to select the most effective and commercially feasible
fraud-prevention technology.
Merchants opposed both specifying particular fraud-prevention
technologies in the rule (although supported Board-involvement in
approving eligible technologies) and the standards as set forth in the
interim final rule. Many merchants opposed the standards in the interim
final rule because they believed that the standards, as drafted, would
permit issuers to qualify for an adjustment by adopting existing fraud-
prevention technologies, which the merchant commenters believed to be
ineffective at preventing fraud. In addition, one merchant believed
that the standards were too vague and may inadvertently lead to issuers
adopting policies and procedures that are inconsistent with providing
economical means of reducing fraud. Merchants restated their support
for the paradigm-shifting approach suggested in response to the
proposed rule in which an issuer would be eligible for the fraud-
prevention adjustment only if the issuer adopted a technology that
reduced fraud to levels that are materially lower than the levels
experienced with PIN debit, and only after the issuer documented the
technology's effectiveness and cost-effectiveness to the Board.\31\ The
approach proposed by merchants also would require the Board to request
public comment on the effectiveness and cost-effectiveness of fraud-
prevention technologies and formally approve particular technologies
prior to an issuer being able to receive a fraud-prevention adjustment
for transactions that use the technology. One merchant commenter
supported an alternative approach under which issuers, not networks,
would offer technologies to merchants and merchants would determine
which issuers' solutions to implement based on the solution's cost and
effectiveness.
---------------------------------------------------------------------------

\31\ One commenter was indifferent between the two approaches
provided Board does not prescribe how merchants must implement
fraud-prevention technologies.
---------------------------------------------------------------------------

Issuers widely supported the Board's standards in the interim final
rule and argued that they should be eligible for the adjustment without
demonstrating actual reductions in fraud because fraud may be caused by
factors outside of the issuer's control. By contrast, merchants and
their trade groups believed the standards to be inconsistent with EFTA
Section 920(a)(5)'s requirements. Specifically, merchants argued that
the standards should require an issuer to demonstrate quantifiable
reductions in the incidence of fraud prior to receiving a fraud-
prevention adjustment. One merchant commenter argued that requiring
issuers' policies and procedures to be ``reasonably designed'' to
achieve the Board's objectives is not equivalent to requiring issuers
to take ``effective'' steps to prevent fraud, which is the requirement
in EFTA Section 920(a)(5).\32\
---------------------------------------------------------------------------

\32\ One commenter was concerned that the rule does not appear
to require that the issuer actually adhere to the policies and
procedures prior to receiving an adjustment. The interim final rule
requires that an issuer implement the policies and procedures in
addition to developing the policies and procedures.
---------------------------------------------------------------------------

Merchant commenters, as well as a member of Congress, encouraged
the Board to adopt metrics-based standards to ensure that issuers
receive the fraud-prevention adjustment only if they reduce fraud
losses or the occurrence of fraud to specified levels, for example, at
or below the industry fraud levels for PIN debit transactions. This
approach, the commenters argued, would ensure that the market has
proper incentives to adopt effective fraud-prevention technology.
Merchants also argued that the Board's standards were inconsistent
with EFTA Section 920(a)(5)'s requirement that issuers develop and
implement cost-effective fraud-prevention technology. Merchants argued
that the Board's standards failed to demonstrate the cost-effectiveness
of fraud-prevention measures. One merchant group believed that the
cost-

[[Page 46268]]

effective requirement could be satisfied only if the adjustment is
based on issuer-specific fraud reduction and cost. By contrast, one
issuer argued that whether or not a fraud-prevention activity is
``cost-effective'' may not be apparent at the outset, because new
fraud-prevention activities must be monitored over time to assess cost-
effectiveness. This issuer suggested that the Board continue gathering
additional information about issuers' costs for new fraud-prevention
activity.
Finally, merchants argued that the Board's standards do not require
an issuer receiving the adjustment to demonstrate that it has made any
investments in fraud-prevention activities that reduce fraud.
C. Non-Prescriptive Standards
The Board has considered the comments and has adopted fraud-
prevention standards in the final rule that largely follow the non-
prescriptive approach set forth in the interim final rule. The Board
has revised Sec. 235.4(b)(1) to provide that, in order to be eligible
for a fraud-prevention adjustment to the amount of any interchange fee
received or charged in accordance with Sec. 235.3, an issuer must
develop and implement policies and procedures reasonably designed to
take effective steps to reduce the occurrence of, and costs to all
parties from, fraudulent electronic debit transactions, including
through the development and implementation of cost-effective fraud-
prevention technologies. New Sec. 235.4(b)(2) will continue to require
an issuer's policies and procedures to address fraud-prevention
objectives similar to those in the interim final rule (discussed
further below), but the Board is expanding the scope of those policies
and procedures to permit issuers to consider factors other than those
explicitly listed, if appropriate.
After considering the comments received, the Board has determined
that the final rule should not prescribe specific technologies that an
issuer must implement in order to be eligible to receive an adjustment.
The dynamic nature of the debit card fraud environment and the
variation in issuer debit card portfolios, customer base, and
transaction-processing arrangements requires standards that permit
issuers to determine the best methods to detect and prevent fraudulent
transactions, and mitigate fraud losses from those transactions, as
well as to respond to the frequent changes in industry fraud types and
methods, and available fraud-prevention methods. Standards that
incorporate a technology-specific approach would not provide issuers
with sufficient flexibility to design and modify policies and
procedures that best meet a particular issuer's needs and that most
effectively reduce fraud losses to all parties involved in the
transactions.
Similarly, standards that restrict eligible fraud-prevention
technologies to those that an issuer has demonstrated to be effective
and that have been subject to a Board approval process would not
provide sufficient flexibility to issuers. Moreover, because existing
fraud-prevention technologies are implemented as part of broader fraud-
prevention programs, requiring issuers to isolate and measure the
effectiveness of a particular fraud-prevention technology would be
impractical.
Prescribing one eligible technology or a limited set of eligible
technologies also could inhibit investment in new, ``non-eligible''
technologies (i.e., those for which effectiveness has not yet been
demonstrated because they are not implemented in the marketplace),
which ultimately could become more effective than ``eligible''
technologies. Specifically prescribing eligible fraud-prevention
technologies also would provide fraudsters with information on the
fraud-prevention technologies prevalent in the industry, which could
make those technologies less effective over time.
Moreover, even the most effective fraud-prevention technologies
issuers could implement would not prevent all fraudulent electronic
debit transactions. This fact underscores the need for a fraud-
prevention program that also involves non-technology-based policies and
procedures (such as notifying customers of potentially fraudulent
transactions) that complement technology-based fraud-prevention
solutions.
D. Fraudulent Electronic Debit Transactions
In its proposed rule, the Board did not include a definition of
``fraud'' or ``fraudulent electronic debit transaction,'' but suggested
that fraud in the debit card context should be defined as ``the use of
a debit card (or information associated with a debit card) by a person,
other than the cardholder, to obtain goods, services, or cash without
authority for such use.'' \33\ The Board noted that this definition was
derived from the EFTA's definition of ``unauthorized electronic fund
transfer.'' \34\ After considering the comments received on the
proposed rule, the Board determined that fraud is broader than
unauthorized use and that whether a transaction is fraudulent depends
on the facts and circumstances.\35\ Accordingly, the Board did not
include a regulatory definition of ``fraudulent electronic debit
transaction'' in the interim final rule. Instead, the Board provided
three examples in the interim final rule's comment 4(b)-2 of the types
of fraud that an issuer's policies and procedures should address: (1) A
person uses a stolen debit card to make an unauthorized purchase; (2) a
merchant uses cardholder information from a previous transaction to
make a subsequent, unauthorized transaction; and (3) a hacker obtains
card information and uses that information to make an unauthorized
purchase. The Board requested comment on whether the rule should
include a definition of ``fraud'' or ``fraudulent electronic debit
transaction,'' and if so, what would be an appropriate definition.
---------------------------------------------------------------------------

\33\ See 75 FR 81722, 81740 (Dec. 28, 2010).
\34\ 15 U.S.C. 1693a(11).
\35\ In announcing the interim final rule the Board noted that
fraud could include, for example, a situation where a cardholder
authorizes a transaction, but either the merchant is fraudulent and
does not deliver the expected goods or services or the cardholder
fraudulently alleges that he or she never received the goods or
services. See 76 FR 43478, 43485 (Jul. 20, 2011).
---------------------------------------------------------------------------

Commenters were divided as to whether the Board should define
``fraud'' or ``fraudulent electronic debit transaction'' in the
regulatory text. Some issuers opposed defining either term because
fraud is constantly changing and defining the term in the regulatory
text would provide issuers with less flexibility to adapt their fraud-
prevention programs to changing fraud. Other issuers opposed including
a definition arguing that what is fraud is a judicial concept that
should not be defined in the regulatory text. In general, commenters
that supported including a definition of ``fraud'' or ``fraudulent
electronic debit transaction'' appeared to do so as a means to either
limit or expand the types of fraud-prevention activities an issuer's
policies and procedures should address.\36\
---------------------------------------------------------------------------

\36\ One issuer suggested that any definition of ``fraud'' or
``fraudulent electronic debit transaction'' be silent on any
authentication method that must be used so that issuers have
flexibility in preventing fraud.
---------------------------------------------------------------------------

Commenters that supported including a definition of ``fraud'' or
``fraudulent electronic debit transaction'' in the regulatory text were
divided as to how the Board should define any such term. One merchant
commenter suggested that the definition be limited to the unauthorized
use of the debit card in order to exclude transactions by fraudulent
merchants and fraudulent

[[Page 46269]]

cardholders, such as those who legitimately own the card but are using
it to commit fraud. One issuer suggested defining ``fraudulent
electronic debit transaction'' as including both the unauthorized use
of a debit card from which the cardholder receives no benefit and the
use of a debit card by a cardholder, or person acting in concert with a
cardholder, with fraudulent intent. Some issuers suggested that the
definition include ATM fraud losses because often these losses are a
result of security breaches at the point of sale. One depository
institution trade group, while not commenting explicitly on the
appropriateness of a regulatory definition, opposed the commentary's
examples of fraudulent debit card transactions, because the commenter
believed that by including the examples, the Board was suggesting that
issuers were the appropriate party to prevent the fraud in each
example, even though the merchant may be in the best position to
prevent fraud in the examples provided.
The final rule does not include a regulatory definition of either
``fraud'' or ``fraudulent electronic debit transaction.'' The Board
continues to believe that which transactions are considered fraudulent
will be determined based on the facts and circumstances and may evolve
over time. The Board also continues to believe that fraudulent
electronic debit transactions should not be limited to the
``unauthorized'' use of a debit card, as that term is used elsewhere in
the EFTA, because all types of fraud impose costs on system
participants. Accordingly, an issuer's policies and procedures should
be designed to reduce the occurrence of, and costs to all parties from,
all types of fraud and not merely the unauthorized use of a debit card.
The Board, however, has made clarifying changes to interim final
rule comment 4(b)-2, which is redesignated as comment 4(b)(1)-1
(hereinafter referred to as comment 4(b)(1)-1). In the interim final
rule, the comment provided that the listed examples of fraud are types
of fraud that could be ``effectively addressed by the issuer, as the
entity with the direct relationship with the cardholder and that
authorizes the transaction.'' The Board recognizes that in some
instances the issuer may be able to use its direct relationship with
the cardholder to prevent these types of fraud (e.g., through comparing
the unauthorized transaction to its cardholder's typical transaction
pattern). Although an issuer may be unable to effectively address all
of these types of fraud in all situations, an issuer should be able to
develop and implement policies and procedures designed to detect and
prevent fraudulent transactions of the types listed. For example, an
issuer could develop and implement policies and procedures to
deactivate a card upon notice that the card has been stolen. Therefore,
the Board is removing from comment 4(b)(1)-1 the statement that the
examples correspond to the types of fraud that an issuer can prevent.
The Board also has revised that comment to clarify that the types of
fraud an issuer's policies and procedures should address are not
limited to those included in the examples. The Board also made other
minor editorial changes to this comment.
E. Policies and Procedures Designed To Take Effective Steps
Section 920(a)(5) of the EFTA mandates that the Board's fraud-
prevention standards require an issuer to take effective steps to
reduce the occurrence of, and costs from, fraud in relation to
electronic debit transactions, including through the development and
implementation of cost-effective fraud-prevention technologies. In
assessing whether an issuer is taking effective steps to reduce
fraudulent electronic debit transactions, the Board does not believe
that Section 920(a)(5) requires that the steps an issuer takes prevent
all fraud. Moreover, the Board does not believe, as some merchant
commenters argued, that an issuer be required to demonstrate that a
particular fraud-prevention measure directly led to a reduction in
fraudulent electronic debit transactions before the cost of that
measure is included in the fraud-prevention adjustment. Isolating the
effectiveness of a particular fraud-prevention measure is virtually
impossible due to the numerous fraud-prevention methods and
technologies implemented by an issuer and the fact that the
effectiveness of a particular measure may not be evident until a year
or more after implementation. In addition, an issuer's incidence of
fraudulent electronic debit transactions may fluctuate for various
reasons, including factors outside the issuer's control (e.g., a data
breach at a large merchant processor).
EFTA Section 920(a)(5) requires that an issuer take effective steps
to reduce fraudulent electronic debit transactions, without any
reference to the size of the reduction. The language of EFTA Section
920(a)(5) does not compel the Board to impose a maximum permissible
level of fraudulent electronic debit transactions for an issuer to be
eligible to receive a fraud-prevention adjustment. In addition,
selecting a benchmark fraud level would not necessarily ensure that
issuers continue to take effective steps to reduce fraudulent
transactions due to the variety of sales channels and evolving fraud-
prevention technologies. An issuer may not have incentives to develop
or invest in new and potentially more effective fraud-prevention
technologies for sales channels that experience fraud levels below the
selected benchmark level or if the issuer experiences fraud at a level
below the selected benchmark. Moreover, deeming an issuer to be
eligible for an adjustment if the issuer's fraud rate is below some
industry rate would not necessarily satisfy the requirement that the
Board's standards require an issuer to take effective steps to reduce
the occurrence of, and costs to all parties from, fraudulent electronic
debit transactions involving that issuer. For example, an issuer with a
fraud rate significantly below the benchmark may be able to qualify for
a fraud-prevention adjustment even if the steps that issuer is taking
are no longer effective in reducing the occurrence of, and costs from,
fraud in relation to electronic debit transactions involving that
issuer.
In addition, requiring issuers to maintain fraud below a benchmark
level, particularly one based on technology that may not be available
widely for all point-of-sale channels, could have adverse consequences
for consumers. Cardholders may not always be able to use lower-fraud
fraud-prevention methods (such as PIN) in all point-of-sales
channels.\37\ Issuers may, for example, set more restrictive
authorization rules for transactions in the sales channels for which
the benchmarked cardholder-authentication technology is not available.
---------------------------------------------------------------------------

\37\ For example, while the Board understands that technology is
developing to allow PIN debit transactions for Internet
transactions, this technology is not widely used.
---------------------------------------------------------------------------

The final rule permits an issuer to receive the fraud-prevention
adjustment if it develops and implements policies and procedures
reasonably designed to take effective steps to reduce the occurrence
of, and costs to all parties from, fraudulent electronic debit
transactions and if those policies and procedures address the fraud-
prevention aspects in revised Sec. 235.4(b)(2). This approach
recognizes that, at the outset, an issuer cannot predict with certainty
that any particular policies and procedures will effectively prevent
fraud in relation to electronic debit transactions. The Board believes
that providing specific factors that issuers

[[Page 46270]]

must address in their policies and procedures, but providing
flexibility in how those policies and procedures may be implemented to
address those factors, over time will allow for more effective fraud
prevention. This approach permits issuers to adjust their practices
based on new fraud-prevention technologies and practices, new patterns
of fraud, changes to the size of their debit card programs, and changes
in how their customers use debit cards. (See discussion below of Sec.
235.4(b)(2) and commentary.) Under the final rule, an issuer must be
able to demonstrate that its policies and procedures are reasonably
designed to take effective steps to reduce fraudulent electronic debit
transactions.
The Board has added new comment 4(b)(1)-2 to clarify that an
issuer's policies and procedures must be designed to reduce fraud,
where cost-effective, across all types of electronic debit transactions
in which its cardholders engage.\38\ An issuer may enable multiple
types of card-authentication methods on its debit cards (e.g., a chip
or a code embedded in the magnetic strip) as well as permit multiple
cardholder-authentication methods (e.g., a signature or a PIN).
Accordingly, the Board believes that an issuer should consider whether
its fraud-prevention policies and procedures are effective for each
method used to authenticate the card and the cardholder. In addition,
the effectiveness of the card- and cardholder-authentication methods an
issuer has enabled on its debit cards likely will vary based on the
sales channel in which the debit card is used. For example, in a card-
not-present environment (e.g., the Internet), a chip or a code embedded
in the magnetic strip may not be used to authenticate the card.
Therefore, new comment 4(b)-2 provides that an issuer should consider
the effectiveness of its fraud-prevention policies and procedures for
different sales channels for which the card is used (e.g., card-present
and card-not-present).
---------------------------------------------------------------------------

\38\ Comment 4(b)-5, discussed below, describes the cost-
effective aspect in more detail.
---------------------------------------------------------------------------

The Board has not adopted the language in interim final rule
comment 4(b)(1)(i)-2 requiring an issuer to consider practices to
encourage its cardholders to use the materially more effective
authentication method and to consider methods for reducing fraud for
the less effective authentication method. Since October 1, 2011, when
the Board's interchange fee standards became effective, the
differential in interchange fee revenue across networks supporting
different authentication methods largely has been eliminated for
issuers that are subject to the interchange fee standards. Accordingly,
issuers no longer have the incentive to steer cardholders to one type
of authentication method over another. Issuers, however, will continue
to be required to review the effectiveness of each of their
authentication methods as part of the required review of their fraud-
prevention policies and procedures.
Relatedly, the Board requested comment on whether the Board's
standards should require an issuer to assess whether its customer
rewards or similar programs provide inappropriate incentives to use an
authentication method that is demonstrably less effective in preventing
fraud. A few issuers opposed requiring issuers to assess customer
rewards policies because doing so was outside the Board's authority and
unnecessary. Specifically, these issuers believed that the interchange
fee standards in Sec. 235.3 likely would reduce the prevalence of
reward programs. In addition, issuers argued that they consider a
variety of factors when determining whether to offer rewards programs
and expressed confusion as to what would constitute an ``inappropriate
incentive.'' One merchant trade group supported prohibiting issuers
from receiving a fraud-prevention adjustment if they provide incentives
to use a high-fraud authentication method, and one consumer group
supported a requirement on issuers to assess whether their rewards
programs are encouraging the use of less secure fraud-prevention
technologies.
For reasons similar to the determination not to adopt the language
in interim final rule comment 4(b)(1)(i)-2, the Board has neither
imposed a specific requirement that issuers assess whether their
rewards programs provide incentives to cardholders to use higher-fraud
authentication methods nor prohibited issuers from receiving a fraud-
prevention adjustment due to their use of rewards and other incentives.
Issuers offer rewards programs to cardholders for a variety of reasons,
and, to the extent rewards programs were based on differentials in
interchange fees across networks, Sec. 235.3 effectively has largely
eliminated a covered issuer's incentive to offer rewards for
transactions over one network. Accordingly, the potential fraud-
prevention benefit from explicitly requiring issuers to assess whether
cardholder rewards or similar incentive programs provide an
inappropriate incentive to use higher-fraud authentication methods is
significantly outweighed by the added burden that would be imposed on
issuers.
EFTA Section 920(a)(5) also provides that an issuer must take
effective steps to reduce ``costs from'' fraudulent electronic debit
transactions.\39\ EFTA Section 920(a)(5)(A)(i)(II) is silent as to
which parties' costs the Board's standards must ensure that an issuer
take effective steps to reduce. EFTA Section 920(a)(5)(B)(ii), however,
explicitly requires the Board to consider the costs of fraudulent
transactions absorbed by each party involved in such transactions. As a
result of various laws, regulations, and payment card network rules
(discussed above) that allocate the costs of fraudulent electronic
debit transactions among different parties to the fraudulent
transactions, issuers, acquirers, and merchants typically all absorb
losses from fraudulent electronic debit transactions.\40\ The Board
believes that an issuer should take effective steps to reduce costs
from fraudulent transactions that are incurred by all parties to such
transactions, and not merely steps that reduce the issuer's own fraud
losses. Accordingly, the Board is providing in revised Sec. 235.4(b)
that an issuer must reasonably design its policies and procedures ``to
take effective steps to reduce the occurrence of, and costs to all
parties from, fraudulent electronic debit transactions'' (emphasis
added).
---------------------------------------------------------------------------

\39\ EFTA Section 920(a)(5)(A)(i)(II).
\40\ Most issuers indicated that they impose zero liability on
their cardholders for fraudulent transactions, and most acquirers
reported limited fraud losses, indicating that merchant acquirers
pass through fraud losses to merchants.
---------------------------------------------------------------------------

New comment 4(b)-3 provides guidance on the reduction in the
occurrence of, and costs to all parties from, fraudulent electronic
debit transactions. A reduction in the occurrence of fraudulent
electronic debit transactions can be measured by determining whether
there is a reduction in the number of an issuer's electronic debit
transactions that are fraudulent relative to the issuer's total
electronic debit transactions. The Board believes that measuring a
reduction in the occurrence of fraudulent electronic debit transactions
in relation to an issuer's total transactions is more appropriate than
measuring the reduction in terms of the absolute number of fraudulent
transactions. Measuring only the change in the number of an issuer's
fraudulent electronic debit transactions would not, for example,
account for an increase in the number of electronic debit transactions
initiated by an issuer's cardholders. In addition, an issuer must
implement policies and procedures that

[[Page 46271]]

are reasonably designed to reduce the value of its electronic debit
transactions that are fraudulent relative to non-fraudulent
transactions. New comment 4(b)-3 emphasizes that an issuer's policies
and procedures should be reasonably designed to reduce the costs of
fraudulent transactions to all parties, irrespective of whether the
issuer ultimately bears the fraud losses as a result of regulations or
network rules.
New comment 4(b)-4 recognizes that the number and value of an
issuer's fraudulent electronic debit transactions relative to non-
fraudulent transactions may vary materially from year to year and that,
in certain circumstances, an issuer's policies and procedures may be
effective notwithstanding a relative increase in transactions that are
fraudulent in a particular year. For example, a data breach at a
merchant processor that exposes the data of a substantial portion of an
issuer's cards and cardholders could result in the issuer having a
relatively higher number of fraudulent transactions in one year than in
the preceding year, even if the issuer had implemented the same or
improved fraud-prevention policies and procedures. This could be a
circumstance in which an issuer's policies and procedures may be
effective notwithstanding a relative increase in transactions that are
fraudulent.
Continuing increases in an issuer's fraudulent transactions
relative to non-fraudulent transactions, however, would warrant further
scrutiny as to the effectiveness of an issuer's policies and
procedures. For example, instead of at a merchant processor, the data
breach might occur at the issuer or the issuer's processor. As a
result, an issuer may experience higher fraud rates in one year and, in
the following years, the share of that issuer's transactions that are
fraudulent may continue to increase. Further scrutiny would be
warranted to determine, for example, whether the issuer's policies and
procedures are designed to take effective steps to prevent fraudulent
transactions as a direct result of the initial data breach and to
prevent subsequent data breaches from occurring.
F. Development and Implementation of Cost-Effective Technologies
EFTA Section 920(a)(5) states that the Board's fraud-prevention
standards must require an issuer to take effective steps to reduce the
occurrence of, and costs from, fraudulent electronic debit
transactions, including through the development and implementation of
cost-effective fraud-prevention technologies. Some merchant commenters
argued that the Board's standards in the interim final rule failed to
require issuers to demonstrate the cost-effectiveness, particularly
vis-[agrave]-vis merchants, of their fraud-prevention measures prior to
receiving the fraud-prevention adjustment. One commenter believed that
the Board's standards could not satisfy the cost-effective requirement
in the statute unless the adjustment amount is based on issuer-specific
fraud reduction and cost. By contrast, one issuer asserted that
measuring the cost-effectiveness of a particular activity at the outset
may not be possible because new fraud-prevention activities must be
monitored over time to assess cost-effectiveness.\41\
---------------------------------------------------------------------------

\41\ This commenter also suggested that the Board continue to
gather information about the costs of new fraud-prevention
activities.
---------------------------------------------------------------------------

EFTA Section 920 does not define the term ``cost-effective.''
Dictionaries, in general, define ``cost-effective'' as the quality of
being economical in terms of the benefits, including goods or services
received for the money spent.\42\ Interpreting ``cost-effective'' as
requiring a precise measurement of effectiveness of a particular
technology vis-[agrave]-vis its cost to an issuer as well as merchants
would necessitate, in addition to an issuer calculating its own
implementation costs, the extremely burdensome and complex analyses of
calculating the costs to merchants and others of implementing and using
the fraud-prevention technology and isolating the amount of fraudulent
electronic debit transactions prevented by a particular technology,
rather than by other means. Moreover, the complexity of this analysis
would be increased further if an issuer were required to demonstrate
cost-effectiveness prior to implementing a new technology or else take
the risk of investing in a new technology only to find afterwards that
it could not demonstrate the technology's cost-effectiveness and, thus,
not be eligible to receive a fraud-prevention adjustment.
---------------------------------------------------------------------------

\42\ Merriam-Webster Dictionary, available at http://www.merriam-webster.com; American Heritage Dictionary, available at
http://ahdictionary.com.
---------------------------------------------------------------------------

An alternate interpretation of the cost-effectiveness requirement
is that, instead of requiring an issuer to affirmatively demonstrate
the cost-effectiveness of a particular fraud-prevention technology, the
requirement acts as a limitation on the fraud-prevention methods the
Board's standards may require issuers to develop and implement. Thus,
the Board could not adopt standards that would require an issuer to
develop and implement new fraud-prevention technologies the costs of
which far exceed any expected benefit from adopting the
technologies.\43\
---------------------------------------------------------------------------

\43\ As discussed above in connection with Sec. 235.4(a), the
Board has set the adjustment amount equal to the cost of the median
issuer to give consideration to, and take into account, the fraud-
prevention costs of other parties (as opposed to the interchange fee
standards in Sec. 253.3, which were set at the 80th percentile
issuer) and to place additional cost discipline on issuers to ensure
that their fraud-prevention activities are cost effective.
---------------------------------------------------------------------------

EFTA Section 920(a)(5)(A)(ii) is silent as to which party's
perspective is relevant for the cost-effectiveness of a particular
technology. EFTA Section 920(a)(5)(B) requires the Board to consider,
among other factors, the fraud-prevention and data-security costs
expended by each party involved in electronic debit transactions. There
are numerous fraud-prevention methods an issuer may use or adopt. Some
of these fraud-prevention methods, such as the use of neural networks,
do not impose costs on other parties to the transaction. Other fraud-
prevention methods, such as card-authentication technology built into
the card, impose costs on merchants that must ensure their point-of-
sale terminals are compatible with the card-authentication technology
embedded in the card. Therefore, the Board believes that it is
appropriate, when assessing the cost-effectiveness of a particular
fraud-prevention technology, for an issuer to consider whether and to
what extent the fraud-prevention method it implements will impose costs
on other parties. The Board recognizes, however, that an issuer may not
have complete information about the costs that other parties may incur.
Nonetheless, an issuer should consider the approximate magnitude of the
costs imposed on other parties, even though an issuer may not have
complete information about the extent of the costs imposed on other
parties.
New comment 4(b)-5 clarifies that a consideration of the cost-
effectiveness of a fraud-prevention technology involves considering the
expected cost of a technology relative to the expected effectiveness of
that technology in reducing fraud. This approach recognizes that an
issuer likely will be unable to measure the issuer's actual cost and
the actual effectiveness of a fraud-prevention technology, particularly
if the technology is new, but will be able to form a reasonable
expectation as to both the cost of and effectiveness of a given fraud-
prevention technology. In calculating the expected cost of a particular
fraud-prevention method, an issuer should consider both the expected
initial implementation

[[Page 46272]]

costs and the expected ongoing costs of using the fraud-prevention
method.
New comment 4(b)-6 provides that an issuer need not develop fraud-
prevention technologies itself to satisfy the standards in Sec.
235.4(b), but may implement appropriate fraud-prevention technologies
developed by a third party. Fraud-prevention technologies vary in their
technological complexity, including the technological expertise and
investment required for their development. Issuers--typically entities
engaged in banking activities--often do not have the technological
expertise to develop, or have opted not to specialize in the
development of, complex fraud-prevention technologies. Instead, issuers
often purchase fraud-prevention solutions (e.g., neural networks)
developed by third parties. Although not developed by the issuer, these
technologies nonetheless may be cost effective. Moreover, many issuers
would not find it to be economical to devote resources to in-house
research and development of all the fraud-prevention technologies they
implement.

Section 235.4(b)(2) Required Elements of an Issuer's Policies and
Procedures

Section 235.4(b)(1) of the interim final rule requires an issuer,
in order to be eligible to charge or receive a fraud-prevention
adjustment, to develop and implement policies and procedures reasonably
designed to (i) identify and prevent fraudulent electronic debit
transactions, (ii) monitor the incidence of, reimbursements received
for, and losses incurred from fraudulent electronic debit transactions,
(iii) respond appropriately to suspicious electronic debit transactions
so as to limit the fraud losses that may occur and prevent the
occurrence of future fraudulent electronic debit transactions, and (iv)
secure debit card and cardholder data. The interim final rule's
commentary to Sec. 235.4(b)(1) provides additional detail on the types
of policies and procedures considered reasonably designed to achieve
the fraud-prevention objectives in Sec. 235.4(b)(1)(i) through (iv).
In addition to the comments received on the overall framework of
the fraud-prevention standards (discussed above), the Board received
more targeted comments on the policies and procedures designed to
achieve the specified fraud-prevention objectives. These comments are
discussed below in connection with each fraud-prevention objective.
In the final rule, revised Sec. 235.4(b)(1) more generally
requires an issuer to develop and implement policies and procedures
that are ``reasonably designed to take effective steps to reduce the
occurrence of, and costs to all parties from, fraudulent electronic
debit transactions.'' Section 235.4(b)(2), in turn, sets forth elements
of a fraud-prevention program that an issuer's policies and procedures
must address. The Board believes, for the reasons set forth below, that
developing and implementing policies and procedures that address these
specific elements are steps that are effective in reducing the
occurrence of, and costs from, fraudulent electronic debit
transactions. These required aspects of a fraud-prevention program are
similar to the fraud-prevention objectives in interim final rule Sec.
235.4(b)(1).
Several commenters emphasized that one of the benefits of a non-
prescriptive approach to fraud-prevention is that such an approach
provides an issuer with greater flexibility to tailor its fraud-
prevention program to the size and scope of its debit card program and
to ever-changing fraud-types and patterns. The Board agrees that a
flexible approach to fraud prevention is preferable to a one-size-fits-
all approach. Accordingly, the Board has determined to add new comment
4(b)(2)-1 that provides that an issuer may tailor its fraud-prevention
policies and procedures to address its particular debit card program.
Relevant considerations when tailoring its policies and procedures
include the size of its debit card program, the types of transactions
in which its cardholders commonly engage (e.g., card-present or card-
not-present), fraud types and methods experience by the issuer, and the
cost of implementing new fraud-prevention methods in light of the
expected reduction in fraud from implementing such new methods.
Likewise, the Board recognizes that an issuer may determine that fraud-
prevention factors other than those listed in Sec. Sec.
235.4(b)(2)(i)-(iv) are appropriate for its policies and procedures to
address. Accordingly, the Board has determined to revise Sec.
235.4(b)(2) to provide that an issuer's policies and procedures also
must address ``such other factors as the issuer considers
appropriate.''
A. Section 235.4(b)(2)(i) Identify and Prevent Fraudulent Transactions
In interim final rule Sec. 235.4(b)(1), the first fraud-prevention
objective of an issuer's policies and procedures is identifying and
preventing fraudulent electronic debit transactions. The commentary to
interim final rule Sec. 235.4(b)(1) provides that an issuer's policies
and procedures should include activities to prevent, detect, and
mitigate fraud even if the costs of the activities are not recoverable
as part of the fraud-prevention adjustment. The commentary also
provides examples of policies and procedures designed to identify and
prevent fraudulent electronic debit transactions. For example, an
issuer could use an automated mechanism to assess the risk that a
particular electronic debit transaction is fraudulent during the
authorization process. An issuer also could implement practices that
support cardholder-reporting of lost or stolen cards or suspected
incidences of fraud. The commentary also provides that an issuer could
specify the use of particular technologies or methods to better
authenticate the cardholder at the point of sale. Finally, the
commentary provides that an issuer's policies and procedures should
include an assessment of the effectiveness of the different
authentication methods that the issuer enables its cardholders to use
and that, if the issuer determines one method is more effective than
the other, the issuer should consider practices to encourage its
cardholders to use the more effective authentication method, as well as
consider adopting new methods of authentication that are materially
more effective than those currently available to its cardholders.
One commenter suggested that Board state in the commentary that an
issuer should review the effectiveness of its authorization rules that
govern automated fraud-detection mechanisms. Another commenter
suggested that the Board add language encouraging issuers to specify
the use of particular technologies or methods in order to authenticate
the payment device and cardholder at the time of the transaction
because there may be two authentication processes--one that identifies
the card and one that identifies the cardholder.\44\
---------------------------------------------------------------------------

\44\ The other comments the Board received on this provision and
accompanying commentary focused primarily on the issuer's review of
the authentication methods it makes available to its cardholders. As
discussed above, the Board has moved the commentary paragraphs
applicable to an issuer's review of its policies and procedures to
the commentary to Sec. 235.4(b)(1). Accordingly, these comments are
discussed in connection with Sec. 235.4(b)(1) and accompanying
commentary.
---------------------------------------------------------------------------

Section 235.4(b)(2)(i) of the final rule requires that an issuer's
policies and procedures address ``methods to identify and prevent
fraudulent electronic debit transactions.'' The Board has revised
comment 4(b)(2)(i)-1.i (interim final rule comment 4(b)(1)(i)-2.iii) to
include the concept of card authentication at the time of the
transaction, as suggested by the commenter, in recognition of the fact

[[Page 46273]]

that fraud may be in the form of unauthorized use of a legitimate debit
card or unauthorized use of a counterfeit debit card. The Board
believes that an issuer should implement policies and procedures
designed to prevent both types of fraud. The Board also has revised
comment 4(b)(2)(i)-1.i to clarify that an issuer may specify the use of
particular technologies or methods only to the extent that doing so
does not inhibit the ability of a merchant to direct the routing of
electronic debit transactions for processing over any payment card
network that may process such transactions (see Sec. 235.7 and
commentary thereto). In other words, an issuer may not specify the use
of a particular technology if that technology is enabled for only one
network, or two affiliated networks, on the debit card, but may specify
the use of a particular technology that is available for at least two
unaffiliated networks enabled on the card. This addition prevents
potential conflicts with Regulation II's other requirements.
In addition, the Board has adopted comments 4(b)(2)(i)-1.ii and
4(b)(2)(i)-1.iii as set forth in interim final rule comments
4(b)(1)(i)-1.i and 4(b)(1)(i)-1.ii, respectively, and has made minor
clarifying changes to comment 4(b)(2)(i)-1.iii. The Board has not
revised the commentary to provide that an issuer review the
effectiveness of any rules for its automated fraud-detection
mechanisms, as suggested by a commenter. This review is encompassed in
new Sec. 235.4(b)(3), which requires an issuer to review its policies
and procedures, and their implementation, in light of their
effectiveness.
B. Section 235.4(b)(2)(ii) Monitoring the Volume and Value of its
Fraudulent Transactions
Section 235.4(b)(1)(ii) of the interim final rule requires issuers
to monitor the incidence of, reimbursements received for, and losses
incurred from fraudulent electronic debit transactions. Under that
section, an issuer's policies and procedures must be designed to
monitor the types, number, and value of electronic debit transactions,
as well as its and its cardholders' losses from fraudulent electronic
debit transactions, fraud-related chargebacks to acquirers, and
reimbursements from other parties (such as from fines assessed to
merchants for noncompliance with Payment Card Industry Data Security
Standards). (See interim final rule comment 4(b)(1)(ii)-1). The Board
imposed this monitoring requirement on issuers as necessary in order
for an issuer to inform its policies and procedures. The Board received
one comment related to the monitoring requirement. This commenter
expressed support for the standard's flexibility in requiring issuers
to monitor the incidence of fraud. The final rule retains the
requirements that the policies and procedures developed and implemented
by an issuer address monitoring the volume and value of its fraudulent
electronic debit transactions, as well as the types of fraudulent
electronic debit transactions it experiences.
The Board has made minor, clarifying revisions to comment
4(b)(2)(ii)-1 (interim final rule comment 4(b)(1)(ii)-1). Specifically,
the Board has revised this comment to clarify that the monitoring
requirement is imposed on an issuer with respect to the number and
value of the issuer's fraudulent electronic debit transactions, as
opposed to the number and value of fraudulent transactions experienced
across the industry. The Board also has revised comment 4(b)(2)(ii)-1
in recognition of the fact that an issuer may not be able to monitor
the value of losses imposed on its cardholders by merchants. Rather,
issuers must monitor the losses from fraudulent transactions that it
passes on to its cardholders. Finally, the Board has revised comment
4(b)(2)(ii)-1 to emphasize that an issuer should establish procedures
to retain fraud-related information necessary to perform its reviews
under Sec. 235.4(b)(3) and to retain and report information as
required under Sec. 235.8.
C. Section 235.4(b)(2)(iii) Appropriate Response to Suspicious
Transactions
Section 235.4(b)(1)(iii) of the interim final rule requires an
issuer to develop and implement policies and procedures reasonably
designed to ``respond appropriately to suspicious electronic debit
transactions so as to limit the fraud losses that may occur and prevent
the occurrence of future fraudulent electronic debit transactions.''
Interim final rule comment 4(b)(1)(iii)-1 explains that whether an
issuer's response to fraudulent or suspicious electronic debit
transactions is appropriate depends on the circumstances and the risk
of future fraudulent electronic debit transactions. The comment also
provides examples of appropriate responses. Interim final rule comment
4(b)(1)(iii)-2 clarifies that an issuer's policies and procedures do
not provide an appropriate response if they merely shift the loss to
another party, other than the party that committed the fraud.
The Board received comments on this provision from two issuers. One
issuer supported the Board's position that an ``appropriate'' response
depends on the circumstances and suggested that the Board clarify that
these ``circumstances'' include an issuer's debit card program,
specific fraud experiences, and data analysis. Another issuer expressed
concern that comment 4(b)(1)(iii)-2 could be construed in a manner that
adversely affects the incentives and risks imposed by network rules
(e.g., the chargeback rules).
The final rule retains the requirement that an issuer's policies
and procedures address appropriate responses to suspicious electronic
debit transactions. The Board, however, has revised Sec.
235.4(b)(2)(iii) (interim final rule Sec. 235.4(b)(1)(iii)) to clarify
that an issuer's response should be designed to limit potential costs
to all parties from fraudulent electronic debit transactions. The Board
has made changes to comment 4(b)(2)(iii)-1 (interim final rule comment
Sec. 235.4(b)(1)(iii)-1) to clarify that the issuer's assessment of
the risk of future fraudulent electronic debit transactions is one
example of the facts and circumstances that determines the
appropriateness of the response.
Interim final rule comment 4(b)(1)(iii)-2 provides that merely
shifting the loss to another party is not an appropriate response to a
suspicious electronic debit transaction. One commenter expressed
concern that this statement could adversely affect network rules that
allocate fraud losses. Interim final rule comment 4(b)(1)(iii)-2 was
intended to emphasize that an issuer's response should mitigate the
issuer's fraud losses in addition to the fraud losses of other parties.
The Board, however, does not believe that interim final rule comment
4(b)(1)(iii)-2 is necessary to provide guidance on the appropriateness
of an issuer's response to suspicious transactions in light of the
clarifications to revised Sec. 235.4(b)(2)(iii). Accordingly, the
Board has removed the comment.
D. Section 235.4(b)(1)(iv) Data Security
Section 235.4(b)(1)(iv) of the interim final rule requires an
issuer to develop and implement policies and procedures reasonably
designed to secure debit card and cardholder data. Interim final rule
comment 4(b)(1)(iv) further explains that debit card and cardholder
data should be secured during transaction processing, during storage by
the issuer (or its service provider), and when carried on media by
employees or agents of the issuer. That comment recognizes that this
standard may be incorporated into an issuer's information security
program required

[[Page 46274]]

by Section 501(b) of the Gramm-Leach-Bliley Act.\45\
---------------------------------------------------------------------------

\45\ See 15 U.S.C. 6805.
---------------------------------------------------------------------------

One commenter suggested that the Board revise its commentary to
require an issuer to secure debit card and cardholder data only when
such data are transmitted by the issuer and not apply the requirement
to situations where the issuer is receiving data, because the issuer
cannot control the transmission of data from third parties. As set
forth in the interim final rule, comment 4(b)(1)(iv) states that an
issuer should secure debit card and cardholder data when the issuer or
its service provider is the party transmitting or storing the data.
Although the issuer may not have direct control over every piece of
information transmitted by its service provider, the issuer should
select a service provider that sufficiently secures data the service
provider transmits that relates to the issuer's debit cards and
cardholders' data. An issuer is not required to develop and implement
policies and procedures that address the security of debit card and
cardholder information when received and processed by third parties
that are not acting as the issuer's agent. Accordingly, the Board has
determined not to make any changes to Sec. 235.4(b)(2)(iv) (interim
final rule Sec. 235.4(b)(1)(iv)) and the accompanying commentary as
set forth in the interim final rule.

Section 235.4(b)(3) Review of Policies and Procedures

Section 235.4(b)(2) of the interim final rule requires an issuer to
review its fraud-prevention policies and procedures at least annually
and to update those policies and procedures as necessary to address
changes in the prevalence and nature of fraudulent electronic debit
transactions and available methods of detecting, preventing, and
mitigating fraud. Interim final rule comment 4(b)(2) explains that an
issuer may need to review and update its policies and procedures more
frequently than once a year; an additional review could be necessary,
for example, if there is a significant change in fraud types, fraud
patterns, or fraud-prevention methods or technologies before an
issuer's next-scheduled annual review. In addition, comment 4(b)(1)(i)-
2 to the interim final rule provides that an issuer should assess of
the effectiveness of the different authentication methods that the
issuer enables its cardholders to use and that, if the issuer
determines one method is more effective than the other, the issuer
should consider practices to encourage its cardholders to use the more
effective authentication method, as well as consider adopting new
methods of authentication that are materially more effective than those
currently available to its cardholders.
The Board received comments on both of these provisions related to
an issuer's review of its policies and procedures. One issuer
explicitly supported requiring issuers to review their fraud-prevention
policies and procedures on an annual basis. This issuer also suggested
that, rather than requiring additional reviews based on the undefined
``significant change'' in fraud or fraud patterns, an issuer should
determine whether changes in fraud types, fraud patterns, or fraud-
prevention technologies or methodologies have an impact on the issuer's
policies and procedures that would require additional review of and
update to its policies and procedures.
One issuer suggested that the Board revise the language in comment
4(b)(1)(i)-2 to the interim final rule to recognize that the
effectiveness of an authentication method in preventing fraud is only
one of many factors issuers consider in promoting a particular
authentication method, and that other factors an issuer may consider
include acceptance and cost. In addition, one issuer argued that
whether a particular authentication method is ``materially more
effective'' should be determined by each issuer and that issuers should
not be required to adopt any specific authentication method.\46\ By
contrast, merchant commenters supported standards that would require
issuers to promote the technology with the lowest rate of fraud, as
opposed to requiring that an issuer ``consider'' promoting the lower-
fraud technology.
---------------------------------------------------------------------------

\46\ Some issuers recommended that the Board provide more detail
regarding the meaning of the phrase ``materially more effective.''
In light of the revisions to Sec. 235.4(b)(1) and accompanying
commentary, it is unnecessary to address those comments.
---------------------------------------------------------------------------

Section 235.4(b)(3) of the final rule retains the requirement that
an issuer review, at least annually, its fraud-prevention policies and
procedures, and their implementation, and update them as necessary. The
Board, however, has revised the review requirement to provide more
guidance on the required elements of the reviews and when reviews and
updates to an issuer's policies and procedures, and their
implementation, are necessary.
Section 235.4(b)(3)'s review requirement is intended to ensure that
an issuer continues to take effective steps to reduce fraudulent
electronic debit transactions, including through the development and
implementation of cost-effective technologies. Accordingly, the Board
has revised the provision relating to an issuer's review to require an
issuer to review its policies and procedures, and their implementation,
in light of their effectiveness (Sec. 235.4(b)(3)(i)) and cost-
effectiveness (Sec. 235.4(b)(3)(ii)). New comment 4(b)(3)-1.i provides
that an issuer's assessment should consider whether its policies and
procedures are reasonably designed to reduce the number and value of
its fraudulent electronic debit transactions relative to its non-
fraudulent electronic debit transactions and are cost effective.\47\
---------------------------------------------------------------------------

\47\ Comments 4(b)(1)-2 through 4(b)(1)-6 provide additional
guidance on effectiveness and cost-effectiveness.
---------------------------------------------------------------------------

The Board has made additional revisions to the interim final rule's
requirement that an issuer update its policies and procedures, as
necessary, ``to address changes in the prevalence and nature of
fraudulent electronic debit transactions and available methods of
detecting, preventing, and mitigating fraud.'' One reason for adopting
the non-prescriptive approach to fraud-prevention standards is to
ensure that an issuer has sufficient flexibility to adjust its fraud-
prevention methods in light of the rapidly changing nature of fraud and
the availability of fraud-prevention methods. For this flexibility to
be most beneficial and effective in preventing fraudulent electronic
debit transactions, an issuer must update its policies and procedures
in light of the changing nature of fraud and availability of fraud-
prevention methods. The Board, however, believes that the most
important source of information to an issuer about types and methods of
fraud is the issuer's own experience and information. The Board also
believes the additional burden on issuers of continuous open-ended
monitoring of the types of fraud and methods used to commit fraud
throughout the industry may exceed the benefit of this information to
the issuers. To the extent an issuer experiences changes in fraud types
and methods, it should identify them through its monitoring and update
its policies and procedures, as necessary, in light of the subsequent
identification from its own experience.
In addition to its own experience, an issuer may learn of changes
in the types of fraud, methods used to commit fraud, and available
methods for detecting and preventing fraud from other sources.
Specifically, payment card networks may provide their issuers with
information regarding common types

[[Page 46275]]

and methods of fraudulent transactions based on the networks'
monitoring of transactions or may provide an issuer with information on
new fraud-prevention methods that are available for an issuer to enable
on its cards. In addition, law enforcement agencies or fraud-monitoring
groups in which the issuer participates may inform the issuer of
changes in the nature of fraud and available methods of preventing
fraud. Finally, an issuer may learn of changes in the nature of fraud
and fraud-prevention methods from supervisory guidance. The Board
believes that, at a minimum, an issuer should be expected to consider
any changes in the types of fraud, methods used to commit fraud, and
available methods to prevent fraudulent electronic debit transactions
that it learns about from these sources. The Board, therefore, has
revised Sec. 235.4(b)(3) to specify the sources of information
regarding the changing nature of fraud and available methods of
preventing fraud that an issuer must consider in determining whether
updates to its policies and procedures are necessary.
New comment 4(b)(3)-2 provides that an issuer may need to review
its policies and procedures more frequently than on an annual basis
based on information obtained from monitoring its fraudulent electronic
debit transactions, changes in the types or methods of fraud, and
available fraud-prevention methods. The revised comment eliminates the
``significant change'' trigger in the interim final rule and requires
an issuer to determine whether more frequent review is necessary. The
Board considered the comments received on this provision and determined
that objectively defining ``significant change'' could inhibit an
issuer from more frequently reviewing its policies and procedures. Each
issuer will have unique fraud-prevention programs, and a change in
debit card fraud, industry fraud types and methods, and available
fraud-prevention methods may be ``significant'' for one issuer, but not
another issuer. Therefore, the Board believes that an issuer will be in
the best position to determine whether changes in its debit card fraud,
industry trends in fraud types and methods, and available fraud-
prevention methods necessitate a more-frequent-than-annual review of
its fraud-prevention programs. An issuer's determination as to the
necessity of more frequent reviews and updates is subject to
supervisory review under Sec. 235.9.
The Board has added new comment 4(b)(3)-3 to provide guidance on
the interaction between an issuer's required fraud-prevention program
reviews and updates and an issuer's eligibility to receive the fraud-
prevention adjustment under Sec. 235.4. The required review of an
issuer's fraud-prevention policies and procedures, and their
implementation, is intended to ensure that an issuer's policies and
procedures continue to be reasonably designed to take effective steps
to reduce the occurrence of, and costs to all parties from, fraudulent
electronic debit transactions. The review requirements also ensure that
an issuer is assessing its fraud-prevention policies and procedures
against changing fraud trends and available fraud-prevention methods.
The Board anticipates that updates to an issuer's fraud-prevention
policies and procedures may be necessary, although the Board does not
expect substantial updates to be necessary often.
An issuer could be deterred from making necessary updates to its
policies and procedures if an issuer becomes ineligible to receive the
fraud-prevention adjustment after merely determining that any updates
to its fraud-prevention program are necessary. In fact, one of the
effective steps that an issuer can take to prevent fraudulent
electronic debit transactions, and reduce the losses from such
transactions, is to revise its fraud-prevention policies and procedures
to make them more effective. Therefore, the Board has added new comment
4(b)(3)-3 to provide that an issuer does not become ineligible to
receive the fraud-prevention adjustment merely because it determines
updates are necessary or appropriate. In order to remain eligible to
receive or charge a fraud-prevention adjustment under Sec. 235.4,
however, an issuer should develop and implement such updates as soon as
reasonably practicable in light of the circumstances. For example, an
issuer may determine that it should enable new card-authentication
methods, and such new card-authentication methods require the
reissuance of cards. Such an issuer should issue the new cards as soon
as reasonably practicable in light of the process for ordering new
cards and distributing them to cardholders. This process could take
longer than, for example, improving algorithms on a neural network
program it uses.

Section 235.4(c) Notification

Section 235.4(c) of the interim final rule provides that, in order
to be eligible to receive or charge a fraud-prevention adjustment, an
issuer that satisfies the standards set forth in Sec. 235.4(b) must
certify its compliance to its payment card networks on an annual basis.
The interim final rule does not establish a process for this
certification and, instead, leaves it up to the payment card networks
to develop their own processes for identifying issuers eligible for the
adjustment. Interim final rule comment 4(c)-1.
The Board received several comments on the certification provision.
Merchants and their trade groups generally opposed the certification
provision because they believed that the issuers and networks would be
the ultimate judges of whether an issuer's policies and procedures
satisfy the Board's standards. One commenter expressed concern that
placing the compliance determination with the network would lead each
network to favor its own fraud-prevention technology. Commenters that
opposed placing the compliance determination with issuers and networks
suggested that, alternatively, issuers should be required to certify
their compliance with the fraud-prevention standards to their regulator
in order to ensure that issuers are receiving adjustments only when the
issuer complies with the Board's standards. One commenter supported a
network-certification requirement but only if such a requirement was
limited to identifying which issuers have self-certified as complying
with the Board's standards.
The Board also received comments on whether the Board should
establish a uniform certification process, assuming the Board required
some certification. Some issuers opposed establishing a uniform
certification process in support of allowing industry participants to
develop the process. These issuers argued that industry-established
processes would enable more consistency with the network-established
processes for identifying issuers that are exempt and not exempt from
the interchange fee standard. One commenter thought a network-
established process was appropriate because networks currently are able
to ensure compliance with the network's fraud-prevention standards. By
contrast, other commenters representing issuers supported the Board
establishing a consistent certification process across networks to
ensure that all issuers are treated fairly, provided that the process
is sufficiently flexible to support operational and system differences
across networks. Other commenters recommended that the Board establish
a uniform certification process that would allow consumers and
merchants to have access to compliance filings.
The final rule requires an issuer to inform its payment card
networks, on an annual basis, of its compliance with the rule's fraud-
prevention standards in

[[Page 46276]]

Sec. 235.4(b) before the issuer may receive or charge a fraud-
prevention adjustment. The Board has, however, revised Sec. 235.4(c)
to refer to this requirement as a ``notification'' requirement instead
of a ``certification'' requirement, as in the interim final rule. Based
on the comments received, the term ``certification'' connoted a more
official and final determination by the issuer and payment card
networks of an issuer's compliance than the Board intended. Compliance
with the fraud-prevention standards in Sec. 235.4(b), like compliance
with all other provisions of Regulation II, is subject to
administrative enforcement in accordance with Sec. 235.9. Accordingly,
the Federal agency with responsibility for enforcing an issuer's
compliance with Regulation II is the entity that ultimately determines
an issuer's compliance with the Board's fraud-prevention standards. The
Board believes that referring to the requirement as a ``notification''
more accurately conveys that the purpose of this requirement is to
place an affirmative requirement on an issuer to inform networks of
what the issuer has determined to be its compliance with the fraud-
prevention standards.
The Board also did not establish a uniform notification process in
its final rule. In issuing the final rule implementing the other
provisions of EFTA Section 920, the Board determined not to establish a
uniform certification process for issuers that were exempt from the
interchange fee standards or that issued debit cards that were exempt
from the interchange fee standards.\48\ The Board continues to believe
that payment card networks should have the flexibility to develop their
own processes for identifying issuers that are eligible to receive a
fraud-prevention adjustment.\49\ The Board believes it is unnecessary
to impose additional processes by rule that serve the same function as
those already developed by payment card networks. The final rule,
however, continues to specify that an issuer must notify its payment
card networks of its compliance on an annual basis.
---------------------------------------------------------------------------

\48\ 76 FR 43394, 43437-38 (Jul. 20, 2011).
\49\ This flexibility is similar to that which payment card
networks have in establishing processes to determine the status of
issuers that do not appear on the Board's list of exempt
institutions with consolidated assets below $10 billion, issuers of
debit cards issued pursuant to government-administered payment
programs, and issuers of certain reloadable, general-use prepaid
cards.
---------------------------------------------------------------------------

Section 235.4(d) Change in Status

The interim final rule does not explicitly address steps an issuer
must take if it is found to be non-compliant with the Board's fraud-
prevention standards by the Federal agency with responsibility for
enforcing compliance with Regulation II. One network encouraged the
Board to provide for a cure period in the event the Federal agency with
responsibility to enforce an issuer's compliance under Sec. 235.9
determined that a particular issuer was no longer eligible to receive a
fraud-prevention adjustment. This network suggested that the Board
allow such an issuer 90 to 180 days to come into compliance after a
finding of a deficiency. This network also supported providing networks
30 days advance notice prior to the date on which an issuer may no
longer receive a fraud-prevention adjustment in order to allow the
network to reprogram its systems.
The Board has added new Sec. 235.4(d) to the final rule to address
a change in the issuer's compliance status. EFTA Section 920(a)(5)
provides that the Board may allow for a fraud-prevention adjustment to
the permissible interchange fee only if an issuer complies with the
Board's fraud-prevention standards. As recognized in new comment
4(b)(3)-3, in the course of reviewing its fraud-prevention policies and
procedures, an issuer may determine that updates are necessary.
Likewise, the agency with responsibility for enforcing an issuer's
compliance with Regulation II under Sec. 235.9 also may identify
updates that are necessary for an issuer to continue to be eligible to
receive or charge a fraud-prevention adjustment. Merely determining
that updates to its policies and procedures are necessary does not
render an issuer ineligible to receive or charge a fraud-prevention
adjustment; the Board anticipates that issuers may need to update their
policies and procedures regularly to ensure their continued
effectiveness and cost-effectiveness.
The Board believes that if an issuer is in substantial non-
compliance with the Board's fraud-prevention policies and procedures,
the issuer should not be eligible to receive a fraud-prevention
adjustment. Under the non-prescriptive approach adopted by the Board,
there are likely to be varying degrees of deficiencies in an issuer's
fraud-prevention policies and procedures. Whether the deficiencies
constitute substantial non-compliance will depend on the facts and
circumstances, including the severity of the deficiencies. For example,
an issuer's policies and procedures may fail to address appropriate
responses to suspicious transactions as required by Sec.
235.4(b)(2)(iii). Another issuer's policies and procedures may address
appropriate responses to suspicious transactions, but the manner in
which the response is made may be less effective in light of recent
changes to fraud types experienced by the issuer. Failure to address an
entire category of fraud-prevention activity could be one circumstance
in which an issuer is substantially non-compliant with the Board's
fraud-prevention standards.
New Sec. 235.4(d) provides that an issuer is not eligible to
receive or charge a fraud-prevention adjustment if the issuer is
substantially noncompliant with the Board's fraud-prevention standards
in Sec. 235.4(b). A finding of substantial noncompliance would be made
by the issuer or the Federal agency with responsibility for enforcing
an issuer's compliance with Regulation II under Sec. 235.9. New Sec.
235.4(d) also provides that an issuer found to be substantially
noncompliant with the Board's standards must notify its payment card
networks that it is no longer eligible to receive or charge a fraud-
prevention adjustment no later than 10 days after determining or
receiving notification from the appropriate agency under Sec. 235.9
that the issuer is substantially noncompliant. In addition, the issuer
must stop receiving and charging the fraud-prevention adjustment no
later than 30 days after notifying its payment card networks. This is
the amount of time that a network-commenter suggested as the minimum
amount of time necessary for a network to reprogram its interchange fee
schedules. The Board does not believe it is necessary to incorporate a
cure period in the final rule because the need to regularly update an
issuer's policies and procedures does not make the issuer ineligible to
receive the fraud-prevention adjustment, assuming the updates are made
on a timely basis. Moreover, the Board does not believe that issuers in
substantial noncompliance with the Board's standards should be entitled
to receive the fraud-prevention adjustment during a cure period.
In addition, the final rule does not specify the steps an issuer
must take to become eligible to receive the fraud-prevention adjustment
after it has come into compliance. A determination of substantial non-
compliance will be made by the appropriate agency under Sec. 235.9.
The Board believes that it is appropriate for that agency to determine
the steps an issuer must take to satisfy the agency that the issuer has
remedied deficiencies in its fraud-prevention program.

[[Page 46277]]

VI. EFTA 904(a) Economic Analysis

A. Statutory Requirement

Section 904(a)(2) of the EFTA requires the Board to prepare an
economic analysis of the impact of the regulation that considers the
costs and benefits to financial institutions, consumers, and other
users of electronic fund transfers. The analysis must address the
extent to which additional paperwork would be required, the effect upon
competition in the provision of electronic fund transfer services among
large and small financial institutions, and the availability of such
services to different classes of consumers, particularly low income
consumers.\50\
---------------------------------------------------------------------------

\50\ This analysis considers the competition between ``covered
issuers'' (i.e., those that, together with affiliates, have assets
of $10 billion or more) and ``exempt issuers'' (i.e., those that,
together with affiliates, have assets of less than $10 billion).
---------------------------------------------------------------------------

B. Cost/Benefit Analysis

The Section-by-Section Analysis above, as well as the Final
Regulatory Flexibility Analysis and Paperwork Reduction Act analysis
below, contain a more detailed discussion of the costs and benefits of
various aspects of the proposal. This discussion is incorporated by
reference in this section.
As permitted by Section 920(a)(5) of the EFTA, this final rule
allows an issuer that is subject to the interchange fee standards to
receive or charge an amount of no more than 1 cent per transaction in
addition to its interchange transaction fee if the issuer develops and
implements policies and procedures that are reasonably designed to take
effective steps to reduce the occurrence of, and costs to all parties
from, fraudulent electronic debit transactions.\51\ The final rules
sets forth fraud-prevention aspects that an issuer's policies and
procedures must address and requires an issuer to review its policies
and procedures at least annually, and update them as necessary in light
of their effectiveness, cost-effectiveness, and changes in the types of
fraud, methods used to commit fraud, and available fraud-prevention
methods. An issuer must notify its payment card networks annually that
it complies with the Board's fraud-prevention standards and must also
notify its payment card networks that it is no longer eligible to
receive or charge a fraud-prevention adjustment no later than 10 days
of determining or receiving notification from the appropriate agency
under Sec. 235.9 that the issuer is substantially non-compliant with
the Board's fraud-prevention standards. The issuer must stop receiving
or charging the fraud-prevention adjustment no later than 30 days after
notifying its networks.
---------------------------------------------------------------------------

\51\ The interchange fee standards provide that an issuer may
not receive or charge an interchange transaction fee in excess of
the sum of a 21-cent base component and 5 basis points of the
transaction's value. Certain issuers and products are exempt from
the interchange fee restrictions, including small issuers that,
together with their affiliates, have less than $10 billion in
assets; certain cards accessing government-administered payment
programs; and certain reloadable general-use prepaid cards that are
not marketed or labeled as a gift certificate or gift card. Payment
card networks may, but are not required to, differentiate between
interchange fees received by covered issuers and products versus
exempt issuers and products.
---------------------------------------------------------------------------

1. Additional Paperwork
The collection of information required by this final rule is found
in Sec. 235.4 of Regulation II (12 CFR part 235). The new paperwork
requirements of this final rule are discussed below in the Paperwork
Reduction Act section, which contains a more detailed estimate for
burden hours for being eligible to receive or charge the fraud-
prevention adjustment. This final rule does not impose additional
paperwork requirements related to the reporting to the Board required
under Sec. 235.8; issuers that do not qualify for the small issuer
exemption (``covered issuers'') would be required to provide cost data
to the Board independent of whether they qualify for the fraud-
prevention adjustment. Covered issuers also would be required under
Sec. 235.8 to retain records that demonstrate compliance with the
requirements of Regulation II for not less than five years after the
end of the calendar year in which the electronic debit transaction
occurred. If an issuer receives actual notice that it is subject to an
investigation by an enforcement agency, the issuer must retain the
records until final disposition of the matter. For smaller institutions
that are not required to submit cost information to the Board under
Regulation II, the regulation does not impose any reporting
requirements.
2. Competition in the Provision of Services Among Financial
Institutions
As required by EFTA Section 920(a)(6), Regulation II exempts small
issuers (i.e., those issuers that, together with affiliates, have
consolidated assets of less than $10 billion) from the interchange fee
standards, as well as the provisions relating to the fraud-prevention
standards and adjustment. Regulation II, however, does not mandate that
payment card networks adopt a two-tier interchange fee structure in
which exempt issuers receive higher interchange fees. Since the
interchange fee provisions of Regulation II (including the 1-cent
fraud-prevention adjustment) became effective on October 1, 2011, most
payment card networks have offered a two-tier interchange fee structure
in which exempt issuers receive higher average interchange fees than
those received by non-exempt issuers.\52\ The 1-cent adjustment in the
final rule, which is already permitted under the interim final rule, is
not likely to affect the continuation of a two-tier interchange fee
structure.\53\
---------------------------------------------------------------------------

\52\ See http://www.federalreserve.gov/paymentsystems/regii-average-interchange-fee.htm.
\53\ See 76 FR 43394, 43463-64 for an analysis of the provision
of two-tier interchange fee structure on the competition in the
provision of services among financial institutions.
---------------------------------------------------------------------------

Some covered issuers may find that the additional cost of complying
with the fraud-prevention standards are greater than the additional
revenue generated from receiving the adjustment and so choose to not
qualify for the adjustment. To the extent payment card networks provide
the adjustment, covered issuers that qualify for the adjustment will
likely experience an increase in their interchange revenue compared to
covered issuers that do not qualify for the adjustment. In such a
situation, covered issuers that do not qualify for the adjustment may
need to adjust fees and account terms in response to the lower
interchange revenue, whereas covered issuers that qualify may not.
Under this scenario, consumers may shift their purchases of some
financial services from covered issuers that do not qualify for the
adjustment to exempt issuers or covered issuers that qualify for the
adjustment in response to changes in fees and account terms at covered
issuers that do not qualify for the adjustment. However, covered
issuers that do not qualify for the adjustment and that have
diversified product lines may look to retain customers by promoting
alternative products not covered by the interchange fee standards, such
as credit cards.
The competitive effects of any changes in fees or account terms
across covered and exempt issuers due to the adjustment will depend on
the degree of substitution among exempt issuers, covered issuers that
qualify for the adjustment, and covered issuers that do not qualify for
the adjustment. If the degree of substitutability of debit card and
account services between covered issuers that qualify for the
adjustment and covered issuers that do not qualify is large, then
substantial shifts in the customer market share of each group of issuer
may occur in response to less favorable changes in fees and account
terms by issuers which do not qualify for the adjustment. Conversely,
if

[[Page 46278]]

substitution between covered issuers that qualify for the adjustment
and covered issuers that do not is low, then any changes in fees and
account terms may generate small shifts in customer market shares
across covered issuers.
As the previous analysis suggests, the effect on competition among
covered and exempt financial institutions will depend on a number of
factors, including the extent to which payment card networks retain
two-tier fee structures, the differentials in interchange fees across
tiers in such structures, the product and service lines offered by
covered and exempt financial institutions, and the substitutability of
products and services across covered and exempt financial institutions.
As noted above, most debit card networks have implemented two-tier fee
structures. There is, however, no requirement that the networks
continue to do so, and the level of interchange fees that will prevail
in the long term is not known and will depend on market dynamics. Prior
economic research suggests that competition between large and small
depository institutions is weaker than competition within either group
of institutions, likely because these institutions serve different
customer bases.\54\ For example, large institutions have tended to
attract customers who desire expansive branch and ATM networks and a
wide variety of financial instruments. By contrast, smaller
institutions often market themselves as offering more individualized,
relationship-based service and customer support to consumers and small
businesses. This research suggests that substitution effects in
response to changes in fees or account terms are stronger between
depository institutions of similar sizes than across depository
institutions of different sizes. Therefore, there may be greater
substitution away from covered issuers that do not qualify for the
adjustment to covered issuers that do qualify for the adjustment
because most covered issuers are large, but less substitution away from
covered issuers that do not qualify to exempt issuers (which are mostly
small).
---------------------------------------------------------------------------

\54\ See, e.g., Robert Adams, Kenneth Brevoort, and Elizabeth
Kiser, ``Who Competes with Whom? The Case of Depository
Institutions,'' Journal of Industrial Economics, March 2007, v. 55,
iss. 1, pp. 141-67; Andrew M. Cohen and Michael J Mazzeo, ``Market
Structure and Competition among Retail Depository Institutions,''
Review of Economics and Statistics, February 2007, v. 89, iss. 1,
pp. 60-74; and Timothy H. Hannan and Robin A. Prager, ``The
Profitability of Small Single-Market Banks in an Era of Multi-market
Banking,'' Journal of Banking and Finance, February 2009, v. 33,
iss. 2, pp. 263-71.
---------------------------------------------------------------------------

C. Availability of Services to Different Classes of Consumers

The ultimate effect of the final rule on consumers will depend on
the behavior of various participants in the debit card market.
Specifically, the effect of the rule on any individual consumer will
depend on a variety of factors, including the consumer's current
payment behavior (e.g., cash user or debit card user), changes in the
consumer's payment behavior, the competitiveness of the merchants from
which the consumer makes purchases, changes in merchant payment method
acceptance, and changes in the behavior of banks.
For low-income consumers, to the extent that fees and other account
terms become more attractive as a result of the issuer receiving the
adjustment, some low-income consumers may be more willing or more able
to obtain debit cards and related deposit accounts. Similarly, more
attractive fees and account terms may cause certain low-income
consumers who previously did not hold debit cards and deposit accounts
to use those products. At the same time, however, low-income consumers
who currently use cash for purchases may face higher prices at the
point of sale if retailers that they frequent set higher prices to
reflect higher costs of debit card transactions because of the
adjustment. Therefore, the net effect on low-income consumers will
depend on various factors, including each consumer's payment and
purchase behavior, as well as market responses to the rule.

D. Conclusion

EFTA Section 904(a)(3) provides that ``to the extent practicable,
the Board shall demonstrate that the consumer protections of the
proposed regulations outweigh the compliance costs imposed upon
consumers and financial institutions.'' Based on the analysis above and
in the Section-by-Section Analysis, the Board cannot, at this time,
determine whether the benefits to consumers exceed the possible costs
to financial institutions. The overall effects of the final rule on
financial institutions and on consumers are dependent on a variety of
factors, and the Board cannot predict the market response to the final
rule.

VII. Final Regulatory Flexibility Analysis

A final regulatory flexibility analysis (RFA) was included in the
interim final rule in accordance with Section 3(a) of the Regulatory
Flexibility Act, 5 U.S.C. 601 et seq. (RFA). The Board incorporated by
reference the final RFA analysis published with the other provisions of
the Board's Regulation II. The final analysis applicable to the other
provisions of Regulation II applied to the regulation as a whole,
including the fraud-prevention adjustment adopted in the interim final
rule.
The RFA requires an agency to prepare a final regulatory
flexibility analysis (FRFA) unless the agency certifies that the rule
will not, if promulgated, have a significant economic impact on a
substantial number of small entities. The Board believes it is
possible, but unlikely, that the fraud-prevention provisions in
Regulation II will have a direct, significant economic impact on a
substantial number of small entities.\55\ Nonetheless, the Board has
prepared the following FRFA pursuant to the RFA.
---------------------------------------------------------------------------

\55\ In addition, the final rule could have an indirect impact
on small merchants due to the increased interchange fee small
merchants may pay as a result of some covered issuers receiving or
charging the 1-cent fraud-prevention adjustment. The size of this
indirect impact, however, is difficult to predict and will depend on
the number of debit card transactions performed by small merchants
that are subject to the interchange fee standards, the pricing
structures that acquirers offer to small merchants, and the fraud-
prevention methods adopted by issuers.
---------------------------------------------------------------------------

1. Statement of the need for, and objectives of, the final rule.
EFTA Section 920 requires the Board to establish standards for
assessing whether an interchange transaction fee received or charged by
an issuer is reasonable and proportional to the cost incurred by the
issuer with respect to the transaction. EFTA Section 920 authorizes the
Board to allow for an adjustment to the amount of an interchange
transaction fee received or charged by an issuer if (1) such adjustment
is reasonably necessary to make an allowance for costs incurred by the
issuer in preventing fraud in relation to electronic debit transactions
involving that issuer, and (2) the issuer complies with fraud-
prevention standards established by the Board. The final rule is
intended to provide issuers with additional incentives to engage in
activities that prevent fraud in relation to electronic debit
transactions, and require issuers wishing to receive the adjustment to
develop and implement fraud-prevention policies and procedures.
2. Summary of significant issues raised by public comments in
response to the Board's IRFA, the Board's assessment of such issues,
and a statement of any changes made as a result of such comments. The
Board did not receive any comments explicitly about the final RFA
included in the interim final rule. Commenters,

[[Page 46279]]

however, discussed the proposed rule's impact on small entities,
particularly small issuers. EFTA Section 920(a)(6)(A) and Sec.
235.5(a) exempt from the interchange fee restrictions any issuer that,
together with its affiliates, has assets of less than $10 billion.
Consequently, like Regulation II's other provisions governing
interchange fees, the provisions related to the fraud-prevention
adjustment to the interchange fee restrictions do not directly affect
small issuers. Commenters, however, were concerned that the small
issuer exemption would not be effective in practice if payment card
networks do not implement two-tier fee structures.
As mentioned above and in the preamble to the Board's final rule
implementing the other provisions of EFTA Section 920, the Board is
monitoring the effectiveness of the exemption for small issuers. The
Board also publishes annual lists of institutions above and below the
small issuer exemption asset threshold in order to reduce the
administrative burden associated with identifying small issuers that
qualify for the exemption. Based on information reported to the Board
by payment card networks, the average interchange fee received by
exempt issuers in the fourth quarter of 2011, following the
implementation of the interchange fee standard, was about the same as
the amount they received in 2009.
3. Description and estimate of small entities affected by the final
rule. This final rule applies directly to financial institutions that,
together with affiliates, have assets of $10 billion or more. A
financial institution generally is considered small if it has assets of
$175 million or less.\56\ Therefore, this final rule does not directly
affect small entities.
---------------------------------------------------------------------------

\56\ U.S. Small Business Administration, Table of Small Business
Size Standards Matched to North American Industry Classification
System Codes, available at http://www.sba.gov/idc/groups/public/documents/sba_homepage/serv_sstd_tablepdf.pdf.
---------------------------------------------------------------------------

4. Projected reporting, recordkeeping, and other compliance
requirements. The Board's final rule does not apply to small entities
and, therefore, in general, does not impose compliance requirements on
small entities.\57\
---------------------------------------------------------------------------

\57\ There may be some small financial institutions that have
very large affiliates such that the institution does not qualify for
the small issuer exemption.
---------------------------------------------------------------------------

5. Steps taken to minimize the economic impact on small entities;
significant alternatives. In its proposed rule, the Board requested
comment on any approaches, other than the proposed alternatives, that
would reduce the burden on all entities, including small entities. As
noted above, the Board will publish lists of institutions above and
below the small issuer exemption asset threshold to facilitate the
implementation of two-tier interchange fee structures (including the
fraud-prevention adjustment) by payment card networks. In addition, the
Board plans to publish annually information regarding the average
interchange fees received by exempt issuers and covered issuers in each
payment card network; this information may assist exempt issuers in
determining the networks in which they wish to participate.

VIII. Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (PRA) (44
U.S.C. 3501--3521; 5 CFR Part 1320 Appendix A.1), the Board has
reviewed the final rule under the authority delegated to the Board by
the Office of Management and Budget (OMB). The Board may not conduct or
sponsor, and a respondent is not required to respond to, an information
collection unless it displays a currently valid OMB control number. The
OMB control number will be assigned.
On July 20, 2011, notice of the interim final rule was published in
the Federal Register (76 FR 43478). The Board invited comment on (1)
whether the proposed collection of information is necessary for the
proper performance of the Board's functions, including whether the
information has practical utility; (2) the accuracy of the Board's
estimate of the burden of the proposed information collection,
including the cost of compliance; (3) ways to enhance the quality,
utility, and clarity of the information to be collected; and (4) ways
to minimize the burden of information collection on respondents,
including through the use of automated collection techniques or other
forms of information technology. The comment period for the interim
final rule expired on September 30, 2011. No comments were received
specifically addressing the paperwork burden estimates. One commenter,
however, stated that it was difficult to determine whether the Board's
estimate of 40 hours to review an issuer's policies and procedures was
adequate in light of the fact that the compliance burden could increase
in the future should the standards become more specific. The Board is
restating its burden estimates from the interim final rule to reflect
updates to the respondent count and to include burden estimates for the
disclosure requirement under Sec. 235.4(d), change in status.
The final rule contains requirements subject to the PRA. The
collection of information required by this final rule is found in Sec.
235.4 of Regulation II (12 CFR part 235). Under the final rule, if an
issuer meets standards set forth by the Board, it may receive or charge
an adjustment of no more than 1 cent per transaction to any interchange
transaction fee it receives or charges in accordance with Sec. 235.3.
To be eligible to receive the fraud-prevention adjustment under
Sec. 235.4(a)(1), an issuer must develop and implement policies and
procedures reasonably designed to take effective steps to reduce the
occurrence of, and costs to all parties from, fraudulent electronic
debit transactions, including through the development and
implementation of cost-effective fraud-prevention technology. An
issuer's policies and procedures must address (1) methods to identify
and prevent fraudulent electronic debit transactions; (2) monitoring of
the volume and value of its fraudulent electronic debit transactions;
(3) appropriate responses to suspicious electronic debit transactions
in a manner designed to limit the costs to all parties from and prevent
the occurrence of future fraudulent electronic debit transactions; (4)
methods to secure debit card and cardholder data; and (5) such other
factors as the issuer considers appropriate.
An issuer must review its fraud-prevention policies and procedures,
and their implementation, at least annually, and update them as
necessary in light of (i) their effectiveness in reducing the
occurrence of, and cost to all parties from, fraudulent electronic
debit transactions involving the issuer; (ii) their cost-effectiveness;
and (iii) changes in the types of fraud, methods used to commit fraud,
and available methods of detecting and preventing fraudulent electronic
debit transactions that the issuer identifies from (A) its own
experience or information; (B) information provided to the issuer by
its payment card networks, law enforcement agencies, and fraud-
monitoring groups in which the issuer participates; and (C) applicable
supervisory guidance. Finally, an issuer must notify the payment card
networks in which the issuer participates, on an annual basis, of its
compliance with the Board's standards, as well as of its substantial
noncompliance, as determined by the issuer or Federal agency with
responsibility for enforcing the issuer's compliance with Regulation
II. The final rule will be effective on October 1, 2012.

[[Page 46280]]

The final rule will apply to issuers that, together with their
affiliates, have consolidated assets of $10 billion or more. The Board
estimates that there are as many as 564 chartered issuers required to
comply with the recordkeeping and reporting provisions under Sec.
235.4.\58\
---------------------------------------------------------------------------

\58\ For purposes of the PRA, the Board is estimating the burden
for entities currently regulated by the Board, Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation,
and National Credit Union Administration (collectively, the
``Federal financial regulatory agencies''). Such entities may
include, among others, State member banks, national banks, insured
nonmember banks, savings associations, and Federally-chartered
credit unions.
---------------------------------------------------------------------------

The Board estimates that the 564 issuers will take, on average, 160
hours (one month) to develop and implement policies and train
appropriate staff to comply with the recordkeeping provisions under
Sec. 235.4. This one-time annual PRA burden is estimated to be 90,240
hours. On a continuing basis, the Board estimates issuers will take, on
average, 40 hours (one business week) annually to review its fraud
prevention policies and procedures, updating them as necessary, and
estimates the annual PRA burden to be 22,560 hours. The Board estimates
564 issuers will take, on average, 30 minutes to comply with the
disclosure provision under Sec. 235.4(c) (annual notification), and
estimates the annual reporting burden to be 282 hours. Lastly, the
Board estimates 564 issuers will take, on average, 30 minutes to comply
with the disclosure requirement under Sec. 235.4(d) (change in
status), and estimates the annual reporting burden to be 283 hours. The
total annual PRA burden for this information collection is estimated to
be 113,364 hours.
The Federal Reserve has a continuing interest in the public's
opinions of our collections of information. At any time, comments
regarding the burden estimate, or any other aspect of this collection
of information, including suggestions for reducing the burden, may be
sent to: Secretary, Board of Governors of the Federal Reserve System,
Washington, DC 20551 Paperwork Reduction Project (Docket R-
1404), Washington, DC 20503.

IX. Use of ``Plain Language''

Section 722 of the Gramm-Leach-Bliley Act of 1999 (12 U.S.C. 4809)
requires the Board to use ``plain language'' in all final rules
published after January 1, 2000. The Board has sought to present this
final rule in a simple and straight forward manner. The Board received
no comments on whether the interim final rule was clearly stated and
effectively organized, or on how the Board might make the text of the
rule easier to understand.

List of Subjects in 12 CFR Part 235

Banks, banking, Debit card routing, Electronic debit transactions,
and Interchange transaction fees.

Authority and Issuance

For the reasons set forth in the preamble, the Board amends Title
12, Chapter II of the Code of Federal Regulations as follows:

PART 235--DEBIT CARD INTERCHANGE FEES AND ROUTING

0
1. The authority citation for part 235 continues to read as follows:

Authority: 15 U.S.C. 1693o-2.

0
2. Revise Sec. 235.4 to read as follows:

Sec. 235.4 Fraud-prevention adjustment.

(a) In general. Subject to paragraph (b) of this section, an issuer
may receive or charge an amount of no more than 1 cent per transaction
in addition to any interchange transaction fee it receives or charges
in accordance with Sec. 235.3.
(b) Issuer standards. (1) To be eligible to receive or charge the
fraud-prevention adjustment in paragraph (a) of this section, an issuer
must develop and implement policies and procedures reasonably designed
to take effective steps to reduce the occurrence of, and costs to all
parties from, fraudulent electronic debit transactions, including
through the development and implementation of cost-effective fraud-
prevention technology.
(2) An issuer's policies and procedures must address--
(i) Methods to identify and prevent fraudulent electronic debit
transactions;
(ii) Monitoring of the volume and value of its fraudulent
electronic debit transactions;
(iii) Appropriate responses to suspicious electronic debit
transactions in a manner designed to limit the costs to all parties
from and prevent the occurrence of future fraudulent electronic debit
transactions;
(iv) Methods to secure debit card and cardholder data; and
(v) Such other factors as the issuer considers appropriate.
(3) An issuer must review, at least annually, its fraud-prevention
policies and procedures, and their implementation and update them as
necessary in light of--
(i) Their effectiveness in reducing the occurrence of, and cost to
all parties from, fraudulent electronic debit transactions involving
the issuer;
(ii) Their cost-effectiveness; and
(iii) Changes in the types of fraud, methods used to commit fraud,
and available methods for detecting and preventing fraudulent
electronic debit transactions that the issuer identifies from--
(A) Its own experience or information;
(B) Information provided to the issuer by its payment card
networks, law enforcement agencies, and fraud-monitoring groups in
which the issuer participates; and
(C) Applicable supervisory guidance.
(c) Notification. To be eligible to receive or charge a fraud-
prevention adjustment, an issuer must annually notify its payment card
networks that it complies with the standards in paragraph (b) of this
section.
(d) Change in Status. An issuer is not eligible to receive or
charge a fraud-prevention adjustment if the issuer is substantially
non-compliant with the standards set forth in paragraph (b) of this
section, as determined by the issuer or the appropriate agency under
Sec. 235.9. Such an issuer must notify its payment card networks that
it is no longer eligible to receive or charge a fraud-prevention
adjustment no later than 10 days after determining or receiving
notification from the appropriate agency under Sec. 235.9 that the
issuer is substantially non-compliant with the standards set forth in
paragraph (b) of this section. The issuer must stop receiving and
charging the fraud-prevention adjustment no later than 30 days after
notifying its payment card networks.

0
3. In Appendix A to part 235, revise Section 235.4 to read as follows:

Appendix A to Part 235--Official Board Commentary on Regulation II

* * * * *

Section 235.4 Fraud-prevention adjustment

4(a) [Reserved]

4(b)(1) Issuer standards

1. An issuer's policies and procedures should address fraud
related to debit card use by unauthorized persons. Examples of use
by unauthorized persons include, but are not limited to, the
following:
i. A thief steals a cardholder's wallet and uses the debit card
to purchase goods, without the authority of the cardholder.
ii. A cardholder makes a purchase at a merchant. Subsequently,
the merchant's employee uses information from the debit card to
initiate a subsequent transaction, without the authority of the
cardholder.
iii. A hacker steals cardholder account information from the
issuer or a merchant processor and uses the stolen information to
make unauthorized card-not-present purchases or to create a
counterfeit card to make unauthorized card-present purchases.
2. An issuer's policies and procedures must be designed to
reduce fraud, where cost effective, across all types of electronic
debit transactions in which its cardholders engage.

[[Page 46281]]

Therefore, an issuer should consider whether its policies and
procedures are effective for each method used to authenticate the
card (e.g., a chip or a code embedded in the magnetic stripe) and
the cardholder (e.g., a signature or a PIN), and for different sales
channels (e.g., card-present and card-not-present).
3. An issuer's policies and procedures must be designed to take
effective steps to reduce both the occurrence of and costs to all
parties from fraudulent electronic debit transactions. An issuer
should take steps reasonably designed to reduce the number and value
of its fraudulent electronic debit transactions relative to its non-
fraudulent electronic debit transactions. These steps should reduce
the costs from fraudulent transactions to all parties, not merely
the issuer. For example, an issuer should take steps to reduce the
number and value of its fraudulent electronic debit transactions
relative to its non-fraudulent transactions whether or not it bears
the fraud losses as a result of regulations or network rules.
4. For any given issuer, the number and value of fraudulent
electronic debit transactions relative to non-fraudulent
transactions may vary materially from year to year. Therefore, in
certain circumstances, an issuer's policies and procedures may be
effective notwithstanding a relative increase in the transactions
that are fraudulent in a particular year. However, continuing
increases in the share of fraudulent transactions would warrant
further scrutiny.
5. In determining which fraud-prevention technologies to
implement or retain, an issuer must consider the cost-effectiveness
of the technology, that is, the expected cost of the technology
relative to its expected effectiveness in controlling fraud. In
evaluating the cost of a particular technology, an issuer should
consider whether and to what extent other parties will incur costs
to implement the technology, even though an issuer may not have
complete information about the costs that may be incurred by other
parties, such as the cost of new merchant terminals. In evaluating
the costs, an issuer should consider both initial implementation
costs and ongoing costs of using the fraud-prevention method.
6. An issuer need not develop fraud-prevention technologies
itself to satisfy the standards in Sec. 235.4(b). An issuer may
implement fraud-prevention technologies that have been developed by
a third party that the issuer has determined are appropriate under
its own policies and procedures.

Paragraph 4(b)(2) Elements of fraud-prevention policies and
procedures.

1. In general. An issuer may tailor its policies and procedures
to address its particular debit card program, including the size of
the program, the types of transactions in which its cardholders
commonly engage, fraud types and methods experienced by the issuer,
and the cost of implementing new fraud-prevention methods in light
of the expected fraud reduction.

Paragraph 4(b)(2)(i). Methods to identify and prevent fraudulent
debit card transactions.

1. In general. Examples of policies and procedures reasonably
designed to identify and prevent fraudulent electronic debit
transactions include the following:
i. Practices to help determine whether a card is authentic and
whether the user is authorized to use the card at the time of a
transaction. For example, an issuer may specify the use of
particular authentication technologies or methods, such as dynamic
data, to better authenticate a card and cardholder at the time of
the transaction, to the extent doing so does not inhibit the ability
of a merchant to direct the routing of electronic debit transactions
for processing over any payment card network that may process such
transactions. (See Sec. 235.7 and commentary thereto.)
ii. An automated mechanism to assess the risk that a particular
electronic debit transaction is fraudulent during the authorization
process (i.e., before the issuer approves or declines an
authorization request). For example, an issuer may use neural
networks to identify transactions that present increased risk of
fraud. As a result of this analysis, the issuer may decide to
decline to authorize these transactions. An issuer may not be able
to determine whether a given transaction in isolation is fraudulent
at the time of authorization, and therefore may have implemented
policies and procedures that monitor sets of transactions initiated
with a cardholder's debit card. For example, an issuer could compare
a set of transactions initiated with the card to a customer's
typical transactions in order to determine whether a transaction is
likely to be fraudulent. Similarly, an issuer could compare a set of
transactions initiated with a debit card and common fraud patterns
in order to determine whether a transaction or future transaction is
likely to be fraudulent.
iii. Practices to support reporting of lost and stolen cards or
suspected incidences of fraud by cardholders or other parties to a
transaction. As an example, an issuer may promote customer awareness
by providing text alerts of transactions in order to detect
fraudulent transactions in a timely manner. An issuer may also
report debit cards suspected of being fraudulent to their networks
for inclusion in a database of potentially compromised cards.

Paragraph 4(b)(2)(ii). Monitoring of the issuer's volume and value
of fraudulent electronic debit transactions.

1. Tracking its fraudulent electronic debit transactions over
time enables an issuer to assess whether its policies and procedures
are effective. Accordingly, an issuer must include policies and
procedures designed to monitor trends in the number and value of its
fraudulent electronic debit transactions. An effective monitoring
program would include tracking issuer losses from fraudulent
electronic debit transactions, fraud-related chargebacks to
acquirers, losses passed on to cardholders, and any other
reimbursements from other parties. Other reimbursements could
include payments made to issuers as a result of fines assessed to
merchants for noncompliance with Payment Card Industry (PCI) Data
Security Standards or other industry standards. An issuer should
also establish procedures to track fraud-related information
necessary to perform its reviews under Sec. 235.4(b)(3) and to
retain and report information as required under Sec. 235.8.

Paragraph 4(b)(2)(iii). Appropriate responses to suspicious
electronic debit transactions.

1. An issuer may identify transactions that it suspects to be
fraudulent after it has authorized or settled the transaction. For
example, a cardholder may inform the issuer that the cardholder did
not initiate a transaction or transactions, or the issuer may learn
of a fraudulent transaction or possibly compromised debit cards from
the network, the acquirer, or other parties. An issuer must
implement policies and procedures designed to provide an appropriate
response once an issuer has identified suspicious transactions to
reduce the occurrence of future fraudulent electronic debit
transactions and the costs associated with such transactions. The
appropriate response may differ depending on the facts and
circumstances, including the issuer's assessment of the risk of
future fraudulent electronic debit transactions. For example, in
some circumstances, it may be sufficient for an issuer to monitor
more closely the account with the suspicious transactions. In other
circumstances, it may be necessary to contact the cardholder to
verify a transaction, reissue a card, or close an account. An
appropriate response may also require coordination with industry
organizations, law enforcement agencies, and other parties, such as
payment card networks, merchants, and issuer or merchant processors.

Paragraph 4(b)(2)(iv). Methods to secure debit card and cardholder
data.

1. An issuer must implement policies and procedures designed to
secure debit card and cardholder data. These policies and procedures
should apply to data that are transmitted by the issuer (or its
service provider) during transaction processing, that are stored by
the issuer (or its service provider), and that are carried on media
(e.g., laptops, transportable data storage devices) by employees or
agents of the issuer. This standard may be incorporated into an
issuer's information security program, as required by Section 501(b)
of the Gramm-Leach-Bliley Act.

Paragraph 4(b)(3) Review of and updates to policies and procedures.

1. i. An issuer's assessment of the effectiveness of its
policies and procedures should consider whether they are reasonably
designed to reduce the number and value of fraudulent electronic
debit transactions relative to non-fraudulent electronic debit
transactions and are cost effective. (See comment 4(b)(1)-3 and
comment 4(b)(1)-5).
ii. An issuer must also assess its policies and procedures in
light of changes in fraud types (e.g., the use of counterfeit cards,
lost or stolen cards) and methods (e.g., common purchase patterns
indicating possible fraudulent behavior), as well as changes in the
available methods of detecting and preventing fraudulent electronic
debit transactions (e.g., transaction monitoring, authentication
methods) as part of its periodic review of its policies and
procedures. An issuer's review of its policies and procedures must
consider information from the issuer's own experience and that the

[[Page 46282]]

issuer otherwise identified itself; information from payment card
networks, law enforcement agencies, and fraud-monitoring groups in
which the issuer participates; and supervisory guidance. For
example, an issuer should consider warnings and alerts it receives
from payment card networks regarding compromised cards and data
breaches.
2. An issuer should review its policies and procedures and their
implementation more frequently than annually if the issuer
determines that more frequent review is appropriate based on
information obtained from monitoring its fraudulent electronic debit
transactions, changes in the types or methods of fraud, or available
methods of detecting and preventing fraudulent electronic debit
transactions. (See Sec. 235.4(b)(1)(ii) and commentary thereto.)
3. In light of an issuer's review of its policies and
procedures, and their implementation, the issuer may determine that
updates to its policies and procedures, and their implementation,
are necessary. Merely determining that updates are necessary does
not render an issuer ineligible to receive or charge the fraud-
prevention adjustment. To remain eligible to receive or charge a
fraud-prevention adjustment, however, an issuer should develop and
implement such updates as soon as reasonably practicable, in light
of the facts and circumstances.

4(c) Notification.

1. Payment card networks that plan to allow issuers to receive
or charge a fraud-prevention adjustment can develop processes for
identifying issuers eligible for this adjustment. Each issuer that
wants to be eligible to receive or charge a fraud-prevention
adjustment must notify annually the payment card networks in which
it participates of its compliance through the networks' processes.
* * * * *

Dated: July 27, 2012.

By order of the Board of Governors of the Federal Reserve
System.
Robert deV. Frierson,
Deputy Secretary of the Board.
[FR Doc. 2012-18726 Filed 8-2-12; 8:45 am]
BILLING CODE 6210-01-P