Updated: Tuesday, November 25, 2014
Prepaid community reacts to CFPB
O n Nov. 20, 2014, the Consumer Finance Protection Bureau published a broad set of recommended guidelines for prepaid providers that seek to simplify and standardize the way prepaid products are sold, distributed and supported in the United States.
The prepaid community’s initial comments have been mostly high level as industry stakeholders complete their due diligence on the proposed changes and their far-reaching impact on the prepaid ecosystem.
Green Dot gives thumbs up to CFPB
Pasadena based Green Dot Corp., a leading provider of prepaid products and wholly owned subsidiary of Green Dot Bank, applauded the bureau's efforts to improve the prepaid experience.
Green Dot founder, Chairman, and Chief Executive Officer Steve Streit met with the CFPB representatives on Nov. 13 in Wilmington, Del., and issued a favorable statement to the bureau and media.
“Today the prepaid industry takes another step towards maturity and passes another milestone on its path to long term sustainability and critical mass," Streit said. "I, as a person, and Green Dot, as a company, fully support the CFPB's mission. A football game without rules and referees isn't a sport; it's a brawl. Like sports, to be successful, industry also needs rules and referees to ensure fairness, integrity and safety for all participants.
Green Dot believes its business will not be materially impacted by the CFPB’s newly proposed rules. Furthermore, Green Dot fully supports rules that mandate Regulation E consumer protections for lost or stolen funds and disputed transactions, including the providing of provisional credits to consumers and the CFPB’s proposed rulemaking dealing with the new framework for overdraft programs attached to prepaid cards.”
NBPCA members begin deliberation
The Network Branded Prepaid Card Association is a New Jersey-based association for providers of prepaid cards that bear the card brand network logos of American Express Co., Discover Financial Services, MasterCard Worldwide, and Visa Inc. Doug Bower, NBPCA Executive Director and President, predicts a bright future for prepaid products over the next two decades, as wealth is transferred from baby boomers to younger generations who are more comfortable with the convenience and utility of prepaid products.
“Confidence is a key ingredient for success in life, whether it’s in education, sports or relationships," Bower said. "Many consumers find that prepaid products make it easier to manage their finances. They also enjoy the autonomy and control of the prepaid experience. NBPCA welcomes guidelines that enhance the uniformity and clarity of prepaid products and improve transparency for consumers."
The CFPB had alerted the NBPCA two years ago that it was developing a new set of guidelines that would likely include some regulatory disclosures. While Bower and colleagues were expecting the CFPB proposal, they were surprised by its broad scope, which affects all forms of prepaid accounts, including “cards, codes, or other devices capable of being loaded with funds and usable at unaffiliated merchants or for person-to-person transfers,” according to language in the report.
“We didn’t anticipate the provisions in this new rule making and the size of the disclosures,” Bower said, adding that it will take time for the association to review and respond to the multi-faceted report.
Rezzcard sees potential win for consumers
Alex Cooper is CEO of New Jersey-based Rezzcard, a payment solution for building owners and managers that enables them to accept one-time or reoccurring rent payments onsite and through a secure web portal. The service is an alternative to traditional checking accounts for underserved and underbanked consumers.
Cooper acknowledged that the bureau's proposed changes to prepaid regulations as a positive development in the prepaid space.
“The regulations may accelerate consolidation of some of the smaller programs and issuers but that would have happened anyway as the industry matures," Cooper said. "Prepaid cards have become valuable and meaningful transactional accounts for the underserved and under banked. Cleaner and better disclosures make better consumer products, which will benefit the marketplace and put better products in consumers’ hands."
The 870-page guidelines, published under the “proposed rules” tab at www.consumerfinance.gov/regulations/, will remain open for public feedback for 90 days from Nov. 20, 2014. During this period, respondents can voice comments and concerns via www.consumerfinance.gov/notice-and-comment/.
CFPB prepaid playbook awaits reviews
Monday, November 24, 2014
T he Consumer Financial Protection Bureau recently rewrote the prepaid playbook and is actively soliciting reviews. The ambitious work-in-progress offers a sweeping set of guidelines, similar to those established for traditional credit and debit cards, designed to enforce fraud protection, fee transparency, standardized rules and improved account access.
Prepaid is one of the fastest growing segments of consumer financial products in the United States. Total dollar value of general-purpose reloadable (GPR) prepaid cards has grown from under $1 billion in 2003 to nearly $65 billion in 2012. It s expected to reach nearly $100 billion in 2014.
The CFPB is calling for a broader definition of the expanding “prepaid universe” that includes plastic, virtual, mobile and emerging prepaid schemes. Prepaid products are consumer accounts typically funded by a consumer or third party. Consumers can use these products to make payments, store funds, get cash at ATMs, receive direct deposits and send funds to other consumers. Prepaid adoption has also grown beyond the payments industry, for example, in the government, healthcare and payroll services spheres.
No consumer left behind
The Network Branded Prepaid Card Association, based in Montvale, N.J., is a trade association for providers of prepaid cards that are branded with American Express Co., Discover Financial Services, MasterCard Worldwide, and Visa Inc. logos.
The NBPCA advocates on behalf of its members through educational outreach, published research, and active involvement in community and government affairs. The six designated categories of network branded prepaid cards are GPR, payroll, incentive, healthcare, government disbursement and gift cards.
The NBPCA’s site, www.nbpca.org, includes letters to the CFPB and other government entities. One letter written by Rep. David Scott, D-Ga., to CFPB Director Richard Cordray in September 2014, applauds the CFPB's efforts to solicit feedback from the prepaid community while urging the bureau to make inclusive regulations that respect the needs of underbanked consumers.
“As the Bureau looks to enhance fee disclosures, extend deposit insurance, and bolster other consumer protections on these products, efforts that we fully support, regulators must be careful not to stifle innovation or limit features that consumers want and need,” Scott wrote. “New regulations on financial products should always be analyzed through the eyes of the consumers that use them.”
Scott cited the 68 million unbanked and underbanked adults in the United States for whom prepaid products represent an affordable alternative to the expensive cash economy. These consumers occasionally need “a bridge to make it to their next paycheck” and access to prepaid features that meet critical short-term spending needs such as buying groceries and gas, he said.
Shaping the oversight
New York City-based David True is Managing Director at Broadly Curious Advisors and President of NYPay, a payments industry networking organization. True noted that many consumers who use overdraft fees as a form of short-term credit believe that the rates they pay are worth the benefit. He encouraged prepaid professionals to review proposed changes to regulatory structure and participate in crafting the new legislation.
“Regulations are often a reaction to excesses by a small group of outliers whose actions are not representative of the majority of ethical, law-abiding prepaid professionals," True said. "The very fact that these [substandard] practices continue indicates that self-regulation isn’t working.”
True suggested that instead of “reflexively rejecting additional oversight,” stakeholders in the prepaid value chain engage with the CFPB to ensure that the final draft of proposed oversights reflects the best interests of all parties and makes the business stronger for all.
Consumer bill of rights
In his closing comments to CFPB Director Richard Cordray, congressman Scott wrote that GPR cards are “bank-issued and account linked products that deserve parity with identically situated traditional checking accounts.” He strongly recommended preserving the features that consumers need to “confidently self bank,” features that the CFPB is also seeking to protect. These include:
- Easy and free access to account information: Periodic statements and account information would be accessible online and free of charge to consumers.
- Error resolution rights: Financial institutions would have a remediation process for consumers who encounter errors with their accounts.
- Fraud and lost-card protection: Consumers would be protected against unauthorized, erroneous, or fraudulent withdrawals or purchases, including when registered cards are lost or stolen. Liability for consumers who promptly notify their financial institutions of lost or stolen cards would be limited to $50.
- Know before you owe: Prepaid fees would be clearly documented and transparent, both in quick reference guides and expanded disclosures.
- Publicly available card agreements: To facilitate comparison shopping, prepaid account agreements would be posted on issuer websites and on a public, CFPB-maintained website.
Details of the proposed disclosures are available at: http://files.consumerfinance.gov/f/201411_cfpb_prepaid-model-sample-disclosure-forms.pdf
Make your opinion count
The CFPB's mission is to help consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives.
The bureau’s proposed prepaid rules and disclosures will be open for public comment for 90 days from their date of publication in the Federal Register. A copy of the proposed regulations, including information on how to submit comments, can be found on www.consumerfinance.gov/regulations/.
Visa, MasterCard to cut credit card interchange in Canada
Friday, November 21, 2014
R etailers in Canada appear to have achieved something those in the United States have failed to achieve: commitments by the Visa Inc. and MasterCard Worldwide units operating there to lower credit card interchange. And they didn’t even have to challenge card brand pricing in the courts or through the government to get it.
Canada's Minister of Finance announced on Nov. 4, 2014, a plan under which the Canadian units of MasterCard and Visa will “voluntarily” slash merchant interchange, thereby forestalling government-imposed changes in the card companies’ interchange models.
“These commitments represent a meaningful long-term reduction in costs for merchants that should ultimately result in lower prices for consumers,” Minister of Finance Joe Oliver said in a statement. “As a result of the voluntary proposals, there is no need for the government to regulate the interchange rates set by the credit card networks.”
MasterCard and Visa each submitted a proposal to reduce interchange fees to an average effective rate of 1.50 percent for the next five years, beginning no later than April 2015. They promised to ensure all merchants see lower interchange. The largest price breaks, however, will go to small and midsize merchants and charities. To ensure they keep their promises, the two card companies have agreed to annual verifications by an independent third party.
American Express Co. has made no promises to cut merchant fees. “American Express has a different business model than Visa and MasterCard," Oliver said in a statement. "It negotiates its fee directly with merchants, and merchants know their cost each time they accept an American Express credit card. Nevertheless, if there is a fundamental shift in the marketplace and it is determined credit card networks other than Visa and MasterCard exert market power or will soon exert market power, the government will expect that those networks voluntarily commit to reduce their credit card fees in line with the current voluntary proposals submitted by Visa and MasterCard.”
In response to ongoing merchant complaints, the Canadian government has been pressing the card companies to cut interchange. Indeed, the government pledged in its 2014 budget to take steps to ensure lower card fees for retailers, and lower costs for consumers by extension. And Oliver warned the card companies they had better keep their promises. “If the reductions in interchange fees are not passed along to merchants or the overall cost of accepting credit cards increases at any time during the period covered by these commitments due to actions taken by Visa or MasterCard, the government reserves the right to rescind its acceptance of the voluntary commitments,” he said.
The Retail Council of Canada said its members were “delighted” about the deal heralded by Oliver’s office, but also said it intends to push for further reductions. The RCC claims to represent and lobby for about 70 percent of retail stores in Canada. “For our merchants, this is an important first step towards ending the escalation of credit card fees that have been ballooning in Canada for the past seven years – fees that, until today’s announcement, went completely unchecked." said Diane J. Brisebois, President and Chief Executive Officer of the RCC. "While we’ve made a start today, everyone is still paying too much.”
Visa Canada said it took action to forestall regulations. But if conditions change so will the company’s commitment. “Visa has long maintained our opposition to regulatory approaches which impair a functioning market, and that position has not changed,” Visa Canada said in a statement. “Visa believes the undertaking establishes stability and predictability for the Canadian payments industry.
"Importantly, the nature and content of the undertaking will avoid the kinds of regulatory measures that, when attempted in other markets, have left consumers worse off. … Visa enters into this undertaking with the full expectation that the government is committed to a level playing field. If Visa or our clients are disadvantaged as a result of entering into this undertaking, Visa reserves the right at any time to terminate or amend it.”
Interchange has been a bone of contention between merchants, banks and the card companies worldwide. The government of Australia forced the card companies to effectively halve credit card interchange in 2003. In the United States, Visa and MasterCard have had to contend with multiple court challenges to their pricing structures. Then there was the Durbin Amendment to the 2010 Dodd-Frank Act, which mandated cuts in debit card interchange rates – a move that has reportedly diminished U.S. card-issuer earnings by billions of dollars a year. Canadian merchants also tried, unsuccessfully, to challenge interchange in court several years ago.
Reports in the Canadian press, quoting bank sources, suggest the impact of the lower credit card interchange will be minimal at the six-big banks that dominate the Canadian market. Analysis by one of those banks, Canadian Imperial Bank of Commerce, said the fee reductions will result in 0.4 percent to 0.6 percent decline in earnings per share at the nation’s leading banks in 2015. A report by National Bank of Canada stated, “the announced reduction to interchange fees would have a fairly minimal impact on the earning of the Big Six Canadian banks.”
Michael Gokturk, CEO at Payfirma, an ISO with operations in the United States and Canada, said the new rates would seem to have little impact on ISOs and acquirers. “The impact of this announcement falls into one of two categories, based on how the ISOs or acquirers bill their merchants,” Gokturk said. “If merchants are set up on an ERR [enhanced rate recovery] or any other model which has a component of interchange differential, then there is no obligation for the acquirer or ISO to pass along savings to the merchant. If their customer base was acquired under an interchange plus [cost-us] model, then there will be mandatory savings to the merchant without any loss of revenue to the ISO,” he said.
Gokturk added that some merchant categories may pay more under the change, depending on how the rate cuts play out. “What this means are the grocery store rates and gas station rates, which benefit from a significantly reduced interchange cost [now], would actually increase to pull the average to 1.5 percent due to the sheer volume of credit card transactions,” Gokturk said. “Also, many premium card types that offer rewards and benefits to cardholders carry a much higher cost than 1.5 percent; as a result, we could see a drastic cutback of these type of rewards if the cost were to be reduced significantly.”
This could result in some backlash, depending on how the card companies interpret the agreement Gokturk added. “For example, the language could also be interpreted to mean the total average cost of accepting credit card will be at 1.5 percent, without regard to card type or industry,” he said. “Accordingly, we will have to take a measured approach to what this reduction actually means for all stakeholders, not just acquirers.”
Laszig joins, Train moves up, Watkins departs The Green Sheet
Friday, November 21, 2014
T he Green Sheet Inc. is delighted to announce that payments industry executive Dale S. Laszig has joined our team as a staff writer. She has been a long-time contributing writer to our publication and, for the 2013-2014 year, she was also author of the Street SmartsSM column.
Dale's areas of special interest include business development, POS technology, marketing, writing and editing. As a consultant, she has helped business owners leverage industry knowledge, best practices and electronic transaction technology to achieve strategic goals. Always willing to put skin in the game, she is an active member of The Electronic Transactions Association, as well as the Women's Network in Electronic Transactions, and has volunteered on multiple committees and at tradeshows to help maintain high standards for the industry as a whole.
"We are thrilled to have someone of Dale's high caliber join us," said Kate Gillespie, President and Chief Executive Officer of The Green Sheet. "Her ability to form lasting relationships, her industry knowledge, technical know-how and strong work ethic will all be a great asset to us as we go forward."
In addition, Ann Train, whose eye for detail is unparalleled, has been promoted to the position of senior staff writer. And we bid farewell to Dan Watkins, who has left his post as associate editor to pursue other professional opportunities. For seven years, Dan was an outstanding staff member who could write or revise any type of article needed with speed and accuracy.
We wish Dan well in his future endeavors, congratulate Ann on her promotion and give Dale a hearty welcome to The Green Sheet's editorial team.
Home Depot breached via third-party vendor
Friday, November 21, 2014
I n the wake of the Target Brands Inc. breach that occurred during the 2013 holiday season, it was disclosed that the massive intrusion originated from network credentials stolen by fraudsters from Target's heating, ventilation and air conditioning (HVAC) subcontractor. The Home Depot U.S.A. Inc. recently reported that the same attack vector was used in the breach of its systems in early 2014. That breach reportedly resulted in the theft of 53 million customer email addresses; apparently no payment card information.
On Nov. 6, 2014, Home Depot said an investigation into the breach, which began in April 2014 and was uncovered in September, discovered that fraudsters stole the user name and password of an unnamed third-party vendor that had access to Home Depot's electronic network. "These stolen credentials alone did not provide direct access to the company's point-of-sale devices," Home Depot said. Instead, the hackers employed the user credentials to access Home Depot's network and install malware that targeted the retailer's self-checkout systems in the United States and Canada.
At the time of the breach, Home Depot was in the middle of transitioning some 85,000 POS terminals to the Europay/MasterCard/Visa (EMV) chip card standard to boost security against fraudsters using counterfeit cards at the POS. Following its breach, Target instituted its own EMV transition. But, ironically, neither EMV implementation addresses the source of the breaches: back-door weaknesses in network security.
Ease of intrusion
Chicago-based data security and compliance firm Trustwave has been vocal in its criticism of businesses for having lax security practices when it comes to third-party vendors. Karl Sigler, Trustwave Threat Intelligence Manager, said retailers rely on third-party vendors for all kinds of services, including HVAC maintenance and after hours cleaning crews.
"For a lot of these third-party vendors, it's all about ease of access and [to] be able to get in and do their job as quickly and efficiently as possible," Sigler said, "That opens up vulnerabilities." The main point of vulnerability is via remote access, according to Sigler, where businesses supply vendors with user credentials to access their networks remotely. But, often, those credentials contain weak, easily hackable passwords and PINs, or businesses dole out the same credentials to multiple vendors.
Trustwave conducted research on password strength based on thousands of network penetration tests it performed on businesses in 2013. Out of a sample of over 625,000 passwords, Trustwave was able to crack over half within minutes, and almost 92 percent of them within a month's time. Additionally, Trustwave found that the most common password is Password1, followed by Hello123, and password. Trustwave said weak or default passwords contributed to one third of compromises it investigated in 2013 and 2014.
Sigler pointed out that physical network intrusions are also common. "A lot of the time the easiest method to get into a facility physically is by becoming part of the cleaning crew or the HVAC crew," he said. "And once they have physical access to a system, and you don't have strong protections on the systems inside, it's pretty easy to gain access and install whatever malware they want."
It is for these reasons that third-party vendors are popular targets for fraudsters. "The large organizations are hard to attack directly," Sigler said. "But a lot of these third-party vendors are themselves a smaller shop, and they don't often have proper security controls put in place, the manpower, or they don't have the skills in-house to do it. So it's an easier attack vector. [Fraudsters] are going to take the easiest path to get to the data they want to steal."
Awareness and control
Fortunately, awareness is growing of the security vulnerabilities inherent with third-party vendors and the network access given them by businesses. The PCI Security Standards Council has put a focus on security issues involving third-party vendors in the update to its global data security standard.
Version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS), which becomes the de facto standard for securing networks on Jan. 1, 2015, puts the onus on vendors to clarify for the benefit of merchants which PCI DSS controls they will address and which are the responsibility of merchants. The updated standard also mandates that vendors use unique passwords for each merchant they connect to remotely, and deploy two-factor authentication for those connections as well.
Sigler recommended practical steps businesses can take to make fraud attacks via third-party vendors less likely. First, lock down physical environments. "You should be very aware of the physical environment you're giving [vendors] access to," he said. "If you're giving them access to the entire facility, they should at least be monitored or escorted through rooms or through server situations that have very critical systems."
Second, given that businesses often employ multiple vendors, organizations should have awareness and control over how those vendors access networks. "Because of vendor preferences, [businesses] end up having too many remote access solutions," Sigler said. For example, one vendor might prefer a remote desktop interface; another vendor might use a virtual private network solution.
So businesses should regularly audit how vendors are accessing networks and limit access points to one or two that can be more easily monitored, Sigler noted.
Additionally, if a breach occurs, businesses should be able to recognize and respond to it quickly. "That's the last safety net," Sigler said. "And that involves monitoring your network, monitoring your systems for things that are abnormal – things that you wouldn't expect to see."
To spot abnormal activity, organizations need to establish a baseline of normal activity, which is accomplished by diligently monitoring networks. "They should have a system in place where they both log whenever a third-party vendor logs into their network, then monitor those logs for odd activity," Sigler said. An obvious example of abnormal activity is when a vendor logs onto a network at 3 a.m., he noted.
View prior breaking news