Banks must take more active role in preventing data breaches, fraud
Dee Crisp, president and CEO of Government Employees Federal Credit Union (GEFCU), recently penned an op-ed published in The Hill, which inappropriately sought to place significant blame on retailers for data breaches.
Mr. Crisp claims that as cyberattacks and data breaches continue, financial institutions such as the GEFCU are left picking up the tab. Unfortunately, the GEFCU and other financial institutions are being less than forthright in how they selectively discuss the costs of fraud.
The reality is that these banks and credit unions are compensated in advance for losses through interchange “swipe fees.” Merchants pay these swipe fees to banks and card networks every time a card is swiped. Those fees add up to an estimated $48 billion per year, a portion of which is assessed specifically to compensate financial institutions should fraud occur. The banks and credit unions are paid in advance, even if no fraud occurs, and their oft-repeated claims of being uncompensated are simply untrue and misleading .
Mr. Crisp goes on to cite the recent findings of the Verizon 2015 Payment Card Industry Compliance Report, and focuses on retailers’ preparedness for chip card integration. However, Mr. Crisp fails to disclose, as previously reported by Politico, that 30 percent of financial institutions were found noncompliant compared to 26 percent of retailers in that same study. He further fails to include the findings of the 2014 Ver- izon Data Breach Investigations Report, which found that, in 2013, 34 percent of reported data breaches occurred at financial institutions and 13 percent occurred at government agencies, while only 10.8 percent occurred at retail institutions.
What these reports show is that cyberattacks are a threat to any institution or company — including government agencies — that accept card payments and, rather than seeking to shift responsibility, we should be working cooperatively and collaboratively to advance the best system to protect consumers, which today is clearly “chip-and-PIN” technology.
Let’s not forget that the easiest way to reduce fraud costs is to prevent it in the first place. This is why retailers are investing over $8 billion to install new payment terminals to accept more secure chip credit cards. But these new terminals won’t help consum- ers unless financial institutions issue these new cards to their customers. As reported in the August 2014 issue of Credit Union Times, in a piece titled “Most Credit Unions Will Miss EMV Deadlines,” this is something which credit unions in particular have been incredibly slow to do.
Chip-and-PIN technology is neither new nor rare, nor untested. Chip-and-PIN cards were introduced in the UK in 2005, and resulted in an immediate 67 percent reduction in fraud. Today, chip-and-PIN cards are in use in 80 countries. The Federal Reserve Board of Governors reported in March 2013 that including a personal identification number, or PIN, makes debit card transactions up to 700 percent more secure. A study conducted by Chip & PIN Security Now! also found that 82 percent of cardholders are supportive of chip-and-PIN and 52 percent said they would switch banks if their financial institution didn’t issue chip-and-PIN cards.
It is long past time for Mr. Crisp, the GEFCU and other financial institutions to stop pointing fingers and seeking legislation — at both the state and federal level — that seeks to shift liability rather than advance established and constructive solutions. If they want to reduce the costs associated with fraud, they need to step up to the plate and work with retailers to invest in solutions that prevent credit card fraud from happening in the first place.
Let’s not forget that the easiest way to reduce fraud costs is to prevent it in the first place.