ICBA Policy Resolutions for 2014
ICBA Priorities for 2014
DATA SECURITY AND FRAUD
- ICBA continues to advocate its core data security principles to Congress and other policy makers as well as the payment card networks and other private-sector standards organizations. These core principles include:
  - the costs of data breaches should ultimately be borne by the party at fault for the breach;
  - all participants in the payments system – including merchants – should be subject to Gramm-Leach-Bliley Act-like data security standards;
  - a national data security breach and notification standard should be implemented to replace the current patchwork of state laws;
  - unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed; and
  - while community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone would not prevent future data breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.
- Policymakers should recognize that community banks must maintain an appropriate balance between securing customer information and sharing appropriate information for the purpose of providing products and services.
- ICBA opposes any legislative or regulatory efforts that would make banks liable for losses incurred by business customers as a result of a business’s poor security practices.
- ICBA supports ongoing regulatory efforts and existing public-private partnerships to address the growing threat of corporate account takeover cybercrime.
Community bankers and their customers are deeply alarmed by the wide-scale data breaches at national retail chains and others. These far-reaching and costly breaches have the potential to jeopardize consumers’ financial integrity and confidence in the payments system. Community banks remain strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and the key to long-term customer retention.
Party at Fault Should Be Liable for Associated Costs. It is critical that the party at fault for a data breach, whether it be a retailer, financial institution, data processor or other entity, bear responsibility for the related fraud losses and costs of mitigation when consumer information is compromised. Placing financial responsibility on the party that is best positioned to secure consumer data will provide a strong incentive to do so effectively. Additionally, aligning incentives to maximize data security by all parties that process and/or store consumer data will make the payments system stronger over time, which is a win for everyone, especially consumers. Payments rules should mandate merchant security provisions to further protect customer data, particularly debit and credit card information.
Regardless of where a breach actually occurs, banks are stewards of the customer financial relationship and take a variety of steps to protect the integrity of their customers’ accounts, including monitoring for indications of suspicious activity, reimbursing customers for confirmed fraudulent transactions, adjusting customer limits to contain fraud losses, and blocking and reissuing cards for affected accountholders at an estimated expense of up to $15 per card.
Extend Gramm-Leach-Bliley Act-Like Standards. Under current law, retailers and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions. Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. ICBA supports subjecting these entities to Gramm-Leach-Bliley Act-like standards with similar enforcement. It is equally important that these entities provide uniform and timely notification to banks concerning the nature and scope of any breach when bank customer information such as account numbers may have been compromised. As noted above, the party that suffered the breach should bear responsibility for the costs of mitigation and losses when bank account information is compromised and should be responsible for restitution for those losses and related expenses.
National Data Security Breach and Notification Standard is Vital. Most states have enacted laws with differing requirements for protecting customer information and giving notice in the event of a data breach. This patchwork of state laws only increases burdens and costs, fosters confusion, and ultimately is detrimental to customers. ICBA believes customer notification is appropriate to let customers take steps to lessen the likelihood of identity theft or fraud resulting from data breaches. However, it is important that notification requirements allow financial institutions and others flexibility to determine when notice is appropriate. Overly broad notification requirements defeat the purpose of calling attention to the risks associated with a particular breach. Federal banking agencies should set the standard for financial institutions, as they currently do.
New Technologies Will Reduce Risk But There Is No Universal Remedy. Community banks are already investing in technologies that will better secure transactions processing and thwart criminals. In particular, community banks are joining other financial institutions in the orderly migration to chip technology for debit and credit cards. Chip technology may not have prevented the mass retailer breaches but it would have reduced the market value of the card data as it would be far more difficult for criminals to make counterfeit cards. Using chip technology will not protect against fraud in “card-not-present” transactions, such as online purchases. Criminals will continue to try to find weaknesses regardless of the technology, so it is crucial that the marketplace continue to have the flexibility to innovate.
Online Business Banking. Community banks offer robust, secure online banking products to their business banking customers. However, community banks should not be liable for breaches that occur as a result of negligence by the business customer. ICBA strongly opposes any legislative or regulatory effort that seeks to extend the consumer protection provisions under Regulation E to business customers.
Corporate Account Takeover. Increasingly sophisticated cyber criminals continue to target small and medium-sized businesses for cyber fraud, most often in the form of a Corporate Account Takeover. This crime usually begins with intercepted log-in credentials and leads to money being siphoned out of a business’s account. Business accounts are not regulated at the federal level in the same way as consumer accounts. For this reason, the Federal Financial Institutions Examination Council (FFIEC) has published supplemental guidance designed to address the issue at the bank level, and entities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) have formed to deal with this growing problem. ICBA supports these efforts and will continue to work to educate community bankers on the issue and ensure that appropriate regulatory measures are in place to help prevent this crime.
Staff Contacts: Lilly Thomas, Aaron Stetter, and Cary Whaley