The Green Sheet Online Edition
April 13, 2009 • Issue 09:04:01
Some clouds but no rain
A storm is brewing in Washington, where Democrats control both the White House and U.S. Congress for the first time in a generation. Faced with a financial crisis that many politicians blame on extensive deregulation of the financial services industry, President Obama's administration and Congress have made financial services re-regulation one of the first orders of business.
Credit card fees are on the docket, and retailers are pushing to have interchange added to that debate. Meanwhile, the Federal Trade Commission is angling for more consumer protection powers, which could portend more attention from Washington on data breach legislation.
Bills that would add teeth to consumer credit-protection laws have already survived the initial rounds of voting in the House and Senate.
In the House, Rep. Caroline Maloney, D-N.Y., is sponsoring HR 627, The Credit Cardholder's Bill of Rights of 2009, and HR 1456, The Consumer Overdraft Protection Practices Act of 2009.
HR 627, which boasts more than a dozen co-sponsors, including House Financial Services Committee Chairman Barney Frank, D-Mass., is essentially the same bill that passed the House overwhelmingly but was defeated in the Senate during the last Congress. The legislation takes aim at some of the most contested card-issuer practices, such as spiraling interest rates.
HR 1456 would further regulate fees for bounced checks and overdraft loans.
In the Senate, Sen. Chris Dodd, D-Conn., a long-time champion of consumer credit protections, has crafted The Credit Card Accountability, Responsibility and Disclosure Act (Credit CARD Act). It mostly calls for reforms in cardholder protections, but also asks for a study by the Government Accountability Office of the impact of interchange fees on both merchants and consumers.
During a recent hearing on the bill, however, Dodd voiced concerns about interchange pricing, suggesting opponents of interchange may have an ally in Congress. Noting that interchange creates revenues based on card volumes (and not the underlying creditworthiness of cardholders), he said he was concerned credit card companies are headed for a repeat of the mortgage market meltdown that began last year.
Retailers grabbed hold of that notion and are running with it.
"We know that one of the causes of our current financial crisis is that the business model with respect to mortgage lending shifted," Mallory Duncan, General Counsel for the National Retail Federation, said in a speech at the annual meeting of the National Association of Attorneys General held in Washington. "Rising interchange has caused the same thing to happen in the credit card market."
#h4 Even politicians have PCI problems
Ensuring the integrity of card payments and related information has been a legislative issue for years; now it's become an issue for Sen. Norm Coleman, R-Minn. Coleman has been locked in legal battles with one-time comedian and liberal commentator Al Franken over Coleman's U.S. Senate seat, which Franken appears to have won by a very slim margin in the November 2008 election.
Coleman made headlines in early March 2009 when his campaign alleged its Web site had been breached two months earlier and that stolen confidential donor data was circulating on the Web.
However, Adria Richards, a Minneapolis-based information technology consultant, asserts the site was never hacked. Richards claims that in the process of researching the alleged breach she found a database listing campaign donors who used credit cards for online donations. Included in the database, which she said was readily accessible to someone who understood basic Web design, were truncated card numbers.
According to several data security experts, access to cardholder information is a clear violation of Minnesota's data security law, considered among the strictest state laws in the nation.
That law requires any organization conducting business in Minnesota that suspects a breach of unencrypted personal customer data to notify those individuals "in the most expedient time possible and without unreasonable delay." The Coleman campaign never notified donors until March of a breach it said it discovered in January.
Coleman is no stranger to data security issues. In 2007, he authored legislation proposing timely notifications for breaches involving federal agency databases. That bill, the Federal Agency Data Protection Act, never made it to the Senate floor.
Richards (who blogs on the Web site www.butyoureagirl.com) said the Coleman Web site gaff isn't uncommon. "This is not an isolated situation," she insisted during an interview on The Rachel Maddow Show on MSNBC.
Interchange under fire
Duncan and representatives of several other retailer trade groups turned up the rhetoric a notch or two on March 30, announcing a grassroots campaign to push for congressional action on interchange.
The groups, operating under auspices of the Merchants Payments Coalition, are running radio, television, Internet and print ads in the districts of eight members of the House Financial Services Committee whom the groups hope will take up their cause with the committee.
"We don't think we can fix the economic crisis without addressing the incentives behind irresponsible credit card lending by reforming the interchange fee system and addressing this unfair burden," said Hank Armour, Chief Executive Officer at the National Association of Convenience Stores. And he told reporters during a conference call announcing the start of the campaign, "we'll spend what it takes" for MPC to be heard in Congress.
Tom Wenning, Executive Vice President and General Counsel with the National Grocers Association, added, "First it was subprime mortgages. Now another financial storm is on the horizon, and as Congress tries to rein in credit card fees, they could miss the biggest problem, and that is why we're launching this aggressive campaign to reform interchange fees and rules."
Also participating on that conference call was Scott Hartman, President and CEO of Rutters Farm Stores, which operates 50 convenience stores in central Pennsylvania. "I'm mad as hell," Hartman told reporters, adding that his firm paid $4.6 million in credit card fees last year alone.
The Financial Services Subcommittee on Financial Institutions and Consumer Credit scheduled a vote for April 1, 2009, on HR 627. Maloney's proposal differs from Dodd's legislation in several key respects; most notably, HR 627 makes no mention of interchange.
The MPC hasn't been specific about the changes it wants to see, although those members on the March 30 call offered a few ideas, for example, letting an MPC-like group negotiate interchange on behalf of members directly with Visa Inc. and MasterCard Worldwide.
"This is a grass-roots campaign to let everyone know just how expensive these cards are [for retailers to accept] and to see if we can get some kind of reform," Duncan said.
Apparently, attaching an interchange amendment to Maloney's bill isn't a viable option. According to at least one Capitol Hill staffer, House rules do not allow for the legislative add-ons not considered germane to the primary topic; interchange is not germane to HR 627, the staffer said.
David Goch, a partner in the Washington, D.C., law firm Webster, Chamberlain & Bean and General Counsel for the Electronic Transactions Association, conceded that while legislation addressing interchange could be enacted in the current Congress, he doesn't think it will happen.
"Legislation is possible, but I think the industry is being very responsive" to retailers' concerns, Goch said. "I think Congress is willing to step back and give the [involved] parties an opportunity to deal with it." The ETA isn't taking any chances, however. In an e-mail alert sent on the same day as MPC's press conference, Carla Balakgie, ETA's CEO, called on members to contact their representatives in Congress "for a showing of grass-roots support of the ETA's position to leave interchange alone."
FTC power grab
In other legislative news, the Federal Trade Commission has delivered a wish list to Congress, requesting additional consumer protection rule-making and enforcement powers.
In statements to the House Sub committee on Commerce, Trade and Consumer Protection, FTC Chairman Jon Liebowitz said the agency is determined to take a tough stand against those who bilk consumers with bogus credit schemes, especially in the current economy.
The FTC is responsible for enforcing both consumer protection and fair competition laws. Its consumer protection mission includes oversight of the consumer credit activities of nonbank financial services companies.
It takes its marching orders from the Electronic Fund Transfer Act, the Fair Credit Billing Act, Fair Debt Collection Practices Act, the Truth in Lending Act and the Unlawful Internet Gambling Enforcement Act, among other key consumer protection laws.
The FTC reported it has taken action on more than 70 consumer protection cases involving financial services companies over the past five years.
The FTC's Competition Bureau investigates and initiates legal proceedings against anti-competitive business practices. In this capacity, the commission can impose fines, restrict activities and even close down companies found to be egregiously violating anti-trust and fair competition laws.
"Given the current state of the economy and consumers' financial situation, the FTC has increased its emphasis on protecting consumers" from predatory lenders and other illegal credit practices, Liebowitz said. "The FTC's future law enforcement efforts will continue to focus on protecting consumers in financial distress from illegal harmful practices."
Liebowitz urged lawmakers to add more teeth to certain laws, such as allowing the FTC to impose civil penalties for unfair and deceptive business practices.
"To be effective in doing more to protect consumers, the commission will need more resources," he said in prepared testimony.
Regarding the Payment Card Industry (PCI) Data Security Standard (DSS), Rep. Bennie G. Thompson, D-Miss., Chairman of the House Committee on Homeland Security, said, "The essential flaw with the PCI Standards is that it allows companies to check boxes, but not necessarily be secure. Checking boxes makes it easier to assess compliance with a Standard. But compliance does not equal security."
The hearing, which took place on March 31, also featured testimony from executives of Visa, the PCI Security Standards Council, the Department of Justice and the NRF. The NRF blasted PCI for being "onerous, confusing and constantly changing."
David Hogan, Senior Vice President and Chief Information Officer at the NRF, said that if the card companies were serious about reducing card data thefts, they should make it so there's never any need for retailers to keep card numbers.
Visa and MasterCard chargeback rules, which require merchants to produce receipts for disputed transactions, make it so that's not possible, he added.
#h4 Ads push lawmakers to act
The Merchants Payments Coalition has a grassroots effort underway to spur Congress to act on legislation to reform interchange. The group is purchasing ad space on television, radio, the Internet and print media in the congressional districts of eight newly elected members of the House Financial Services Committee.
These districts include thousands of merchants who are now being called to action by their association representatives, the MPC claims. One 30-second television ad depicts a domino-like array of credit cards and equates interchange with predatory lending before calling on viewers to contact their representatives in Congress to urge action on interchange. The Electronic Transactions Association sprang into action as soon as the ads began airing, alerting members by e-mail of upcoming committee votes on credit card legislation in the House and Senate and urging them to e-mail elected officials in the two chambers to leave interchange alone.
The eight House members MPC is targeting with ads are:
Data breach legislation not a priority
Data security continues to grab headlines, but not much congressional attention. Washington insiders suggest that absent a spate of serious breaches, data security and related legislation are less likely to be addressed now than during the last Congress.
Goch, the ETA's General Counsel, agrees. "I think there's just too much on Congress' plate," he said, and added the one wild card is the FTC. The new chairman is seen as vocally pro-consumer, and if problems with data breaches get out of hand, he might use the agency's consumer protection mandate to take action. That, in turn, might force the hand of Congress, Goch noted.
The FTC has authority over data breach cases under several statutes, including the Identity Theft Assumption and Deterrence Act of 1998. In February, the FTC disclosed the settlement of a civil complaint against an online electronics company, Compgeeks, which was breached, compromising data of "hundreds of consumers."
At least one member of the FTC, J. Thomas Rosch, has gone on the record in support of better arming the commission to fight cyber-crimes. In remarks to the American Bar Association in 2007, Rosch (whose term as a Commissioner expires in 2012) complained the FTC's legal powers aren't sufficient in the Internet age. "[O]ur standard remedies for deceptive and unfair practices - namely consumer redress or a disgorgement order - are frequently impractical," he said.
Meanwhile, a group of senators, led by Sen. Bill Nelson, D-Fla., is planning a bill that calls for a federal cyber-security czar and mandatory threat assessments of "critical" public and private networks by the Department of Homeland Security. They revealed this on March 20 after several senators discovered their office computers had been hacked by foreign invaders, possibly Chinese nationals, Nelson's office said.
As of press time, however, only two data breach bills were pending: SB 139, the Data Breach Notification Act, introduced in January 2009 by Sen. Diane Feinstein, D-Calif., and HR 122, Protecting the Privacy of Social Security Numbers Act of 2009, introduced by Rep. Rodney Frelinghuysen, R-N.J.
SB 139 bill does not mention a cyber-security czar or mandatory threat assessments, and as of press time, no other senators had signed on as co-sponsors. HR 122 has four co-sponsors; it deals exclusively with breaches involving Social Security numbers.
States' data breach laws
Advocates of federal data breach legislation argue that a uniform federal statute is preferable to state-by-state legislation. At least 44 states have enacted laws detailing requirements for notifying customers affected by breaches involving personal customer and transaction data, but there is insufficient uniformity, according to many experts.
For example, many states have laws requiring card issuers to notify cardholders of suspected breaches, but at least one state, Minnesota, requires breached organizations to issue such notifications. Similar requirements have also been proposed in Texas and California, according to Jill Miller, an attorney with the Southfield, Mich., law firm of Jaffe, Raitt, Heuer & Weiss P.C.
A legislative update appearing on the ETA's Web site (www.electran.org) notes lawmakers in New York are poised to consider the Electronic Fund Transfer Privacy Act, which addresses financial data privacy protection. Lawmakers in Washington State have bills before them that would make companies responsible for credit and debit card data breaches liable for the resulting costs to bank card issuers. In addition, the ETA notes bills pending in the New Jersey legislature that would expand liability for data breaches.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.