Many large merchants expressed outrage at the apparent laxity of the Federal Reserve Board's finalized rule that will allow non-exempt debit card issuers to collect a 1-cent fraud-prevention adjustment on debit card transactions.
The Fed's rule, which has been in effect on an interim basis since October 2011 and was finalized last week, provides an incentive to issuers to prevent fraud. Issuers earn the extra penny per transaction if they have policies and procedures designed to reduce the occurrence and costs of fraud on debit cards.
The finalized rule, which takes effect Oct. 1, applies to issuers with more than $10 billion in assets. Debit card issuers receive approximately 24 cents per debit transaction, based on the interchange rate the Fed set last year.
For merchants processing millions of debit transactions annually, a penny a transaction is "a very significant amount of money," Doug Kantor, legal counsel to the Washington, D.C.-based Merchants Payments Coalition, said in an interview.
Many large merchants say the Fed's final rule on the fraud-prevention allowance has no teeth, in that it can't ensure that issuers are actually reducing fraud by any measurable amount and leaves compliance largely in issuers' hands, Kantor says.
"The Fed's final rule on the fraud allowance is very vague and says only that issuers must take steps to reduce debit card fraud, but it doesn't say exactly how, nor does it establish any standards or parameters to show fraud declined over any specific period of time," Kantor says.
In its 52-page rule, the Fed explained that after considering all arguments, it determined that it "should not prescribe specific technologies that an issuer must implement in order to be eligible to receive an adjustment," because of the "dynamic nature" of the debit card fraud environment and wide variation in issuer standards.
"Moreover, because existing fraud-prevention technologies are implemented as part of broader fraud-prevention programs, requiring issuers to isolate and measure the effectiveness of a particular fraud-prevention technology would be impractical," the Fed said.
Isolating the effectiveness of a particular fraud-prevention measure is "virtually impossible" due to the wide variety of methods and technologies available and results may not be evident for a year or more after implementation, the Fed added.
"In addition, selecting a benchmark fraud level would not necessarily ensure that issuers continue to take effective steps to reduce fraudulent transactions due to the variety of sales channels and evolving fraud-prevention technologies," the Fed said.
A spokesperson for the Fed was not immediately available for further comment.
The coalition laid out its objections to the rule in public comments several months ago, Kantor says. The Food Marketing Institute and National Association of Convenience Stores also filed comments calling for more stringent rules.
Merchants in the coalition say issuers should receive the extra penny only if they prove they have met established goals to reduce debit card fraud by a specific amount, he says.
The Fed ultimately has the authority to enforce issuers' compliance with the rule, but Kantor says such broad oversight gives plenty of room for individual issuers to skate by with minimal fraud-prevention efforts.
"Under the final rule, an issuer could go along for years, saying they have taken steps to reduce fraud, and stay in compliance without ever showing a measurable decline in fraud," Kantor says.
Indeed, various methods exist to measure how heavily bulwarked debit card issuers are against fraud, James Van Dyke, president of Javelin Strategy & Research, said in an interview.
The Fed could probably beef up compliance with its final rule by requiring specific fraud-prevention tools and making sure financial institutions are actually deploying them, Van Dyke says.
"The Fed could find various ways to make their incentive to prevent fraud work better," he says.
Javelin publishes an annual study ranking the top 25 U.S. banks on basic identity theft-prevention tactics that help block much debit card fraud, including measuring how banks handle sensitive consumer data and the presence of strong consumer authentication methods and alerts to notify consumers of suspicious transactions, among others, Van Dyke says.
Many issuers have additional fraud-mitigation tools not visible to outsiders, such as customer behavior analysis and device-detection tools, he notes.
"Most large issuers are using fraud-prevention tools, but fraud levels vary every year and there is a great deal of research available from many agencies and organizations, to measure financial institutions' efforts to block fraud," Van Dyke says.