Visa may soon have a Facebook-like reckoning with Europe's regulators
Visa's short, vague explanation of last week's European outage has started raising eyebrows in the U.K. Parliament.
Nicky Morgan, a Conservative member of the U.K.'s House of Commons and chair of the chamber's multipartisan Treasury Select committee, has written to Charlotte Hogg, Visa's chief executive for Europe, pressuring the card network for more information about the outage.
Even five days after the event, there's still not a lot of information about how many payments didn't work, how many merchants were involved, and if there is any fallout from backlogs of rejected transactions such a financial losses or refunds. There are estimates that millions of payments didn't go through, but no official count.
Much like when the U.S. Congress grilled Mark Zuckerberg about Facebook's possible connections to data usage in the 2016 U.S. presidential election, Visa's management faces an unwelcome choice: It can share more information about internal shortcomings or mistakes that caused payments to shut off temporarily, or get summoned to Parliament for a politically-infused public questioning that could result in deeper regulation down the road.
Morgan's office did not return requests for comment. In her letter, Morgan asked Visa when it knew about its system failure and how long it knew before issuing its first public statement; how many cards were affected, and how many were issued in the U.K.; what led to the "hardware failure" and what controls does Visa have in place to prevent such failure. Morgan is also pressuring Visa to disclose details about its backup processing site(s) and if cardholders and merchants are entitled to compensation from Visa.
The card brand has not released any of that information on its website, where its last message was a June 2 alert that its systems are up and running and an apology for the outage. On Wednesday morning, it referred questions about the outage to its original statement.
Morgan's letter gives Visa a deadline of June 15 for answers, and threatened to compel Hogg or another Visa representative to give these answers in person, which would likely mean a subpoena.
"The chances are good that Visa will need to disclose more. Electronic payments have been a big part of Europe’s regulatory agenda already, and anything that involves the movement of money can be considered critical infrastructure; and failures in money movement are potentially destabilizing," said Rick Oglesby, founder and president of AZ Payments. "I can’t read the minds of U.K. or European legislators, but there are definitely scenarios that they can visualize that would make this, in the eyes of regulatory officials, something worth digging into."
Parliament has treated Zuckerberg similarly, first with a letter and then a formal summons which may be executed the next time the Facebook CEO is in the U.K. In the U.S., Zuckerberg faced days of embarrassing televised questions about his leadership and myriad disclosures about Facebook's use of data, and how much Zuckerberg knew or didn't know about data usage and information-sharing conversations between executives at his own company.
In the case of Visa, its explanation of the outage as a "hardware issue" has not gone over well with merchants. There have also been complaints about how long Visa waited before communicated the problem, with some merchants and consumers reporting declined payments up to nine hours before Visa acknowledged the problem over Twitter.
The amount of time between discovery and disclosure of a service problem has become a major point of contention, particularly as retail data breaches have accelerated. In the case of last year's Equifax breach, the company's messaging caused it as much grief as the event itself.
Given the size of the Visa outage, it's likely if Visa had disclosed more information sooner it may not be facing the current political pressure. It can be argued the outage was not major—it was an isolated incident in one part of the world, and recovery happened in less than a day. And there's been no reports of widespread fraud or other outages tied to the aftermath of the event.
But the use of the phrase "hardware issue" — without any other detail to clarify what device or location was at fault — has sparked broader concerns about further problems that could arise as more fintech developers connect to Visa's network.