Debit Card Networks have implemented PINless Debit Rules that hit community banks and credit unions hard.
This is a big deal.
And here’s why…
This means Networks are shifting the risk/liability of a transaction from the merchant to the issuer. They are tying this situation into their Network Operating Rules and are not requiring merchants to prompt consumers at point-of-sale to use the PIN security the community financial institutions paid for (on the EMV chip).
PINless Debit rules are not issuer friendly, and something needs to be done before the situation becomes too big for community financial institutions to do something about it and they are no longer in control of their own destiny due to lack of market competition.
The Copper River Group has identified this merchant friendly behavior and has had enough. Dan Fisher, President and CEO of The Copper River Group, has taken these observations to the Fed and NCUA for investigation.
April 22, 2019
Re: PINless Debit Transactions and Card Payment Network Practices
The objective of this letter is to call the issue of PINless Debit transactions and the practices of Card Payment Networks to the attention of the Board of Governors of the Federal Reserve System and National Credit Union Administration (NCUA) as it relates to community banks and credit unions that represent Exempt Issuers as defined in Regulation II.
Reference: Wall Street Reform and Consumer Protection Act (July 21, 2010)
Reference: 12 CFR Part 235 (Regulation II)
Covered Issuers: Financial institutions equal to or greater than $10 Billion in assets are covered under 12 CFR Part 235.3 Reasonable and proportional interchange transaction fees.
Exempt Issuers: Financial institutions less than $10 billion in assets are exempt under 12 CFR Part 232.5 Exemptions.
The Wall Street Reform and Consumer Protection Act commonly referred to as Dodd-Frank included the Durbin Amendment. This amendment was added to address three specific issues related to the use of debit cards by consumers.
To cap or limit the income generated by large issuers (Referred to as Covered Issuers in Regulation II).
To preserve the income that community financial institutions rely upon to offset the costs of offering debit cards and other support services (bank and credit unions) referred to as Exempt Issuers in Regulation II.
To provide a least cost routing option to merchants for Pinned POS transactions. This, in essence, gave merchants the opportunity to share in the benefits that the Accept All Cards Lawsuit and out-of-court settlement (Big Box Retailers) excluded them from since they were not allowed to join (thus creating an unfair advantage bordering on monopolistic competition of big box retailers perceived by merchants).
Observations and Opinions
The observations and opinions brought forth within this letter pertain specifically to The Copper River Group’s practice alone, and the work that we perform at the direction of our client engagements (community banks and credit unions that are exempt issuers.)
We do feel, however, that the practices of the card processing networks in conjunction with the core application processors that own them represent a growing issue that is adversely affecting consumers and their respect for community banks or credit unions, resulting in the shifting of liability and risk back to the issuer, which creates an environment of increasing fraud and mitigates the benefits intended by the Durbin Amendment and Regulation II.
12 CFR Part 235 (Final Rule); Docket No. R-1401 July 20, 2011
As we reviewed the commenter attribution included with the Board of Governors commentary of the final rule, a Pinned Debit Transaction is in essence a guarantee of payment.
This is important to note: when a PIN is used simultaneously with a debit card transaction, the reliability of authentication is very high. Furthermore, debit card fraud, other than specifically compromised and counterfeit cards due to data breaches, is at the lowest level relative to other types of transactions.
In addition, with the implementation of the EMV chip technology, Card Present Technology fraud has been declining (EMVCo statistics).
Definition: A Card Payment Network is an entity that processes debit card payments on behalf of Exempt Issuers. Examples are: Accel, Jeanie, NYCE, Pulse, Shazam, Star, etc.
PINless Debit Transactions
Card Processing Networks developed the PINless debit transaction as far back as the 90’s, but did not truly begin to see real growth until after the implementation of Regulation II.
To recap, the PINless Debit Transaction functions in the same way as if a PIN was used. The distinction here is that the PIN is not used and Network Rules are used to qualify the transaction as a Pinned transaction. Consequently, the PIN authentication technology on the EMV chip that community financial institutions have invested in is ignored and the transaction is processed as if a PIN was used.
In addition, the liability associated with the transaction is shifted to the issuer and away from the merchant, and the issuer does not have chargeback rights. Consequently, if the transaction is fraudulent the issuer must take the loss. Network operating rules that enable PINless debit transactions expose exempt issuers to fraud losses that, if the PIN was required at the point of sale, would not have been authenticated.
It should also be pointed out that PIN network interchange is significantly lower than signature-based transaction interchange. The combination of increased fraud losses and reduced interchange essentially takes away the benefits to community financial institutions that the Durbin Amendment intended to protect.
Note: The Durbin Amendment did not authorize nor did Regulation II authorize the shifting of liability back to the issuer, thus increasing their costs while at the same time reducing their income.
Unfair Competitive Advantage (Covered Issuers and Merchants)
The most recent report published by the Federal Reserve System, “2017 Interchange Fee Revenue, and Covered Issuer and Merchant Fraud Losses to Debit Card Transactions” identifies that fraud is declining for Covered Issuers and Merchants.
Covered Issuers own and manage in-house and outsourced card payment processing systems, and do not need to be members of a card processing network.
In addition, they can easily comply with Regulation II and not publish or accept PINless transactions. All card present transactions require a PIN in a majority of their transactions. It should be noted that we have identified only a very limited number of retail establishments that run PINless for covered institutions.
It should also be pointed out that revenue generated by PINless Debit transactions for Exempt Issuers is the same revenue as for Covered Issuers, which erases the intent of the Durbin Amendment.
With the elimination of the PIN requirement for authentication for PINless Debit Transactions, the transaction is accepted at the POS as a Card Present and PIN Authenticated Transaction even though the PIN was not entered. In addition, it is treated as a payment guarantee transaction and reduces the fraud exposure of the merchant, and the issuer must accept the loss (no chargeback rights).
Furthermore, the transaction is routed through the Pinned Network (as opposed to the Signature Network) thus creating a transaction cost that closely emulates the cost of covered issuers to the Card Processing Network. Merchants can now grab and route transactions that traditionally were Signature transactions and shift the liability of the fraud loss to the issuer.
The result of the two above benefits gives an unfair advantage to Covered Issuers and Merchants. This is clearly not the intent of Durbin or Regulation II.
Network Operating Rules define the relationship between the Card Payment Network and the Issuer. Every Card Payment Network publishes and requires the Issuer to acknowledge and abide by the rules when becoming a participating member.
The need for community banks and credit unions to join a Card Payment Network is primarily driven by the cost to maintain a separate Card Payment Network. To do so would be cost prohibitive for most community financial institutions.
Also, core application processing providers play a major role in what Card Payment Network the financial institutions can join by making the membership in their specific network a requirement.
Card Payment Networks manipulate the rules and exploit their clients by implementing rule changes that Exempt issuers are forced to accept due to contract terms. Furthermore, when issuers ask for a rules waiver (Opt-Out), they are declined. Community banks and credit unions are currently operating under a processing agreement that would be expensive to terminate, and realize that they are stuck. Core processors and the Card Payment Networks are aware of this and take advantage of the Exempt Issuer.
Network Operating rules were not taken into consideration with respect to how they could be misused to neutralize the intended protections of consumers and community banks and credit unions.
Core Processor Business Practices
We have observed the practice of some core application processors to require the financial institution to join their proprietary Card Payment Network. We have also seen processors include in the processing agreement language that even if the financial institution selects a different Card Payment Network, the institution must also join the core processor network.
In addition, we have also seen contract language that states that even though the financial institution has set up the routing options that comply with Regulation II, the Merchant routing to the Card Payment Network they prefer will take precedence no matter what.
This, in conjunction with membership requirements, clearly provides the Merchant and Card Processing Network with an unfair advantage with the ability to bypass the issuer preference, even if the issuer is in compliance with Regulation II.
Regulation II requires that all issuers provide merchants the ability to choose between two unaffiliated networks. Regulation II does not authorize Card Processing Networks, Core Processors or Merchants the ability to ignore the rights of Exempt Issuers as defined.
Card Payment Networks Expanding Rules
Card networks have expanded the PINless Debit rules to include Card Not Present (CNP) transactions that have a greater propensity for fraud. The Fed and EMVCo have both published reports noting the trend in online fraud and the impact on FI’s.
The increase in fraud has not deterred Card Payment Networks from offering these expanded rules to merchants. It is noted that some networks have not shifted the liability to the issuer as of yet, but we predict that a revised expanded rule is coming and the new rule changes will be supported by an announcement of Card Payment Network of the implementation of a new improved fraud detection system of dubious capability.
Community Financial Institution Challenge
As it stands today, community financial institutions are beginning to realize the negative impact of these rules and have challenged their Card Payment Networks regarding justification for these rules. The most common response is that card networks do not have the choice, the merchant has the choice. This is just not an accurate reflection of reality.
The Card Payment Network develops the gateway, publishes the rules, and provides the BIN table. The merchant then selects the path of the available options. In addition, core processors in some cases allow membership in other networks, but also require the FI to be a member of their network and then place language in their contract with the FI that they will make the final decision with respect to merchant routing. This approach imputes a tertiary network of options over which they have control. Consequently, even though the FI is compliant with two unaffiliated networks, the card core provider network will also have the preferred position and the preferred applying PINless debit rules.
The rules are written to benefit the merchant and to drive more volume to the network, but these rules are written to benefit the Card Payment Network and the core application provider that owns them, not the community banks and credit unions they serve. They essentially eliminate any benefit the Regulation II intended to establish.
FI’s Request to Opt Out of PINless Debit Rules
Financial institutions have begun to understand the adverse impact of these Network Operating Rules. It should also be noted that the institution was required to agree to abide by these rules as a function of the core processing contract, and by virtue of the contract, are indeed obligated to a defined term.
Consequently, there is muddy water here that is being exploited by the core processing provider and the Card Payment Network. That being, the implication that through the contract and the agreement to abide by the Network Operating Rules it is implied that there is a bi-lateral relationship. On the contrary, what appears to be bi-lateral, operates as unilateral with the Card Payment Network empowered to change the rules at any time.
Next, when the issuer becomes concerned, they submit a request to opt out of the PINless debit transactions (a rules waiver). The response has been no. Furthermore, when the issuer begins to look for a new Card Payment Network they are either told that the core application provider does not integrate with that network or they include a contract that mitigates the selection of the network.
Next, when a FI begins the search for an issuer friendly network they are alarmed to find that all of the networks that they are reviewing have implemented the same rules. Our research has determined that there are only two Card Payment Networks that will consider or negotiate network participation contingent on core application integration and rules waivers.
Community Financial Institutions in Competitive Jeopardy
As the market is evolving unsupervised core processors and Card Payment Networks are closing the loop and slamming the door on the potential competitive options available to community banks and credit unions. Networks and processors will ultimately eliminate any benefit intended by the Durbin Amendment for community banks and credit unions.
In the following examples we have noted:
A liability shift in the form of a cost reduction has been moved from the merchant to the issuer.
Large issuers have the option to require a PIN on all POS CP transactions, but community banks and credit unions do not.
Core processors are requiring tertiary networks that they control to the benefit of the merchant, not the issuer, even though the issuer is Regulation II compliant with two unaffiliated networks as a condition of a processing relationship.
Core application processors refusing to integrate with the two networks willing to negotiate rules waivers.
The Card Present PINless rules appear to be the same across all of the top tier Card Payment Networks.
Card Not Present Rules also appear to be the same across all of the top tier payment networks.
With the acquisition of First Data and WorldPay, which represent the combination of the Star and Jeanie networks, soon there will be two less options which could have significant adverse impact on community financial institutions.
Federal Reserve and National Credit Union Administration
We are requesting that under the Wall Street Reform Act (Dodd-Frank) and Regulation II that both the Fed and the NCUA review and investigate the treatment of community banks and credit unions by core application providers and card processing networks conveyed in this letter.
Anti-Trust Implication of Consolidation of Card Payment Networks (DoJ Review)
We also ask that the acquisitions of WorldPay by FIS and First Data by Fiserv be reviewed by the Department of Justice. We are concerned that the acquisition of these two networks would stifle competition and limit the options available to exempt issuers.
We are asking that the Department of Justice consider the following action.
FIS be compelled to spin off the Jeanie Network.
Fiserv be compelled to spin off the Star Network.
That both networks Jeanie and Star become independent networks.
We are also requesting the appropriate modifications be made to Regulation II that is similar to prohibition of network exclusivity to include:
That core processors and Card Payment Networks should be prohibited from requiring membership in their card processing network.
That exempt institutions should be allowed to affiliate with any Card Payment Network of their choice, and the core processing providers must integrate.
That all exempt issuers be provided the opportunity to stay or change their card network within twenty-four months after the Revised Regulation II is implemented at no penalty.
In addition, core processors and Card Payment Networks should be prohibited from interfering with or overriding the transaction routing of a Regulation II compliant community financial institution.
In addition, community banks and credit unions that request to opt out of unfavorable and/or restrictive network operating rules should not be unreasonably withheld by the card processing network.
We also ask that the Federal Reserve and the National Credit Union Administration examine and review why the criteria for the PINless Debit, Internet Based Purchases (sometimes referred to as eCommerce purchases), Recurring Payment Transactions (sometimes referred to as Bill Pay) all appear to be the same.
We find that there are too many coincidental similarities, from PINless Debit thresholds, denial of waiver requests, expanding PINless rules and refusal to integrate with non-core application processor Card Payment Networks.
Our concern is at some point, the Card Payment Networks that community banks and credit unions use will be controlled by a limited number of FinTech companies that will limit competition to the point that there will be no competition.
It should be noted that the liability shift from the merchant to the issuer not only affects the profitability of community financial institutions, but it also impacts their customers by virtue of increased costs, and there is little incentive for merchants to reduce the fraud since the rule guarantees payment to the merchant. This outcome alone neutralizes the intent of Dodd-Frank (Durbin Amendment) as it pertains to Exempt Issuers.
Finally, the rule change that favors one side of a two-side payment system, with no vote or appeal that leaves one party being disadvantaged is not innovation.
Your swift review of these issues outlined herein, and resolution is needed to restore the intended vision and benefits of the Durbin Amendment within the Wall Street Reform and Consumer Protection Act (July 21, 2010) back to the consumer and their community financial institutions.
Dan M. Fisher
Dan M. Fisher President and CEO The Copper River Group, Inc.