
Sec. 235.4 - Fraud-prevention adjustment. [With amendments effective October 1, 2012]

[This section was added as an Interim Final Rule, to be effective October 1, 2011. The rule was made final, with amendments effective October 1, 2012.]

§ 235.4 Fraud-prevention adjustment

(a) In general. If an issuer meets the standards set forth in paragraph (b) of this section, it may receive or charge an additional amount of no more than 1 cent per transaction to any interchange transaction fee it receives or charges in accordance with § 235.3.

(b) Issuer standards. To be eligible to receive the fraud-prevention adjustment, an issuer shall—

(1) Develop and implement policies and procedures reasonably designed to—

(i) Identify and prevent fraudulent electronic debit transactions;

(ii) Monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions;

(iii) Respond appropriately to suspicious electronic debit transactions so as to limit the fraud losses that may occur and prevent the occurrence of future fraudulent electronic debit transactions; and

(iv) Secure debit card and cardholder data; and

(2) Review its fraud-prevention policies and procedures at least annually, and update them as necessary to address changes in prevalence and nature of fraudulent electronic debit transactions and available methods of detecting, preventing, and mitigating fraud.

(c) Certification. To be eligible to receive or charge a fraud-prevention adjustment, an issuer that meets the standards set forth in paragraph (b) of this section must certify such compliance to its payment card networks on an annual basis.

Effective 10/1/2012, section 235.4 is amended to read as follows:

(a) In general. Subject to paragraph (b) of this section, an issuer may receive or charge an amount of no more than 1 cent per transaction in addition to any interchange transaction fee it receives or charges in accordance with § 235.3.

(b) Issuer standards. (1) To be eligible to receive or charge the fraud-prevention adjustment in paragraph (a), an issuer must develop and implement policies and procedures reasonably designed to take effective steps to reduce the occurrence of, and costs to all parties from, fraudulent electronic debit transactions, including through the development and implementation of cost-effective fraud-prevention technology.

(2) An issuer’s policies and procedures must address—

(i) Methods to identify and prevent fraudulent electronic debit transactions;

(ii) Monitoring of the volume and value of its fraudulent electronic debit transactions;

(iii) Appropriate responses to suspicious electronic debit transactions in a manner designed to limit the costs to all parties from and prevent the occurrence of future fraudulent electronic debit transactions;

(iv) Methods to secure debit card and cardholder data; and

(v) Such other factors as the issuer considers appropriate.

(3) An issuer must review, at least annually, its fraud-prevention policies and procedures, and their implementation and update them as necessary in light of—

(i) their effectiveness in reducing the occurrence of, and cost to all parties from, fraudulent electronic debit transactions involving the issuer;

(ii) their cost-effectiveness; and

(iii) changes in the types of fraud, methods used to commit fraud, and available methods for detecting and preventing fraudulent electronic debit transactions that the issuer identifies from—

(A) its own experience or information;

(B) information provided to the issuer by its payment card networks, law enforcement agencies, and fraud-monitoring groups in which the issuer participates; and

(C) applicable supervisory guidance.

(c) Notification. To be eligible to receive or charge a fraud-prevention adjustment, an issuer must annually notify its payment card networks that it complies with the standards in paragraph (b).

(d) Change in Status. An issuer is not eligible to receive or charge a fraud-prevention adjustment if the issuer is substantially non-compliant with the standards set forth in paragraph (b), as determined by the issuer or the appropriate agency under § 235.9. Such an issuer must notify its payment card networks that it is no longer eligible to receive or charge a fraud-prevention adjustment no later than 10 days after determining or receiving notification from the appropriate agency under § 235.9 that the issuer is substantially non-compliant with the standards set forth in paragraph (b). The issuer must stop receiving and charging the fraud-prevention adjustment no later than 30 days after notifying its payment card networks.

Official Board Commentary

4(b) Issuer Standards

1. In general. Section 235.4(b) does not specify particular policies and procedures that an issuer must implement. Rather, an issuer must determine which policies and procedures are reasonably designed to achieve the objectives set forth in the standards. An issuer’s policies and procedures must include fraud-prevention technologies and other methods or practices reasonably designed to detect, prevent, and mitigate fraudulent electronic debit transactions. An issuer does not satisfy the standards in § 235.4(b) if it merely develops policies and procedures; the issuer also must implement those policies and procedures. Implementing an issuer’s fraud-prevention policies and procedures should include training the issuer’s employees and agents, as appropriate.

2. An issuer’s policies and procedures should address, among other things, fraud related to debit card use by unauthorized persons, which is a type of fraud that can be effectively addressed by the issuer, as the entity with the direct relationship with the cardholder and that authorizes the transaction. Examples of use by unauthorized persons include the following:

(i) A thief steals a cardholder’s wallet and uses the debit card to purchase goods, without the authority of the cardholder.

(ii) A cardholder makes a $100 purchase at a merchant. Subsequently, the merchant’s employee uses information from the debit card to initiate a subsequent transaction for an additional $100, without the authority of the cardholder.

(iii) A hacker steals cardholder account information from a merchant processor and uses that information to make unauthorized purchases of goods or services.

Paragraph 4(b)(1)(i). Identify and prevent fraudulent debit card transactions.

1. In general. An issuer shall develop and implement policies and procedures reasonably designed to identify and prevent fraudulent electronic debit transactions. These policies and procedures should include activities to prevent, detect, and mitigate fraud even if the costs of these activities are not recoverable as part of the fraud-prevention adjustment. The issuer’s policies and procedures may include the following:

(i) An automated mechanism to assess the risk that a particular electronic debit transaction is fraudulent during the authorization process (i.e., before the issuer approves or declines an authorization request). For example, an issuer may use neural networks to identify transactions that present increased risk of fraud. As a result of this analysis, the issuer may decide to decline to authorize these transactions. An issuer may not be able to determine whether a given transaction in isolation is fraudulent at the time of authorization, and therefore may have policies and procedures that monitor sets of transactions initiated with a cardholder’s debit card. For example, an issuer could compare a set of transactions initiated with the card to a customer’s typical transactions in order to determine whether a transaction is likely to be fraudulent. Similarly, an issuer could compare a set of transactions initiated with a debit card and common fraud patterns in order to determine whether a transaction or future transaction is likely to be fraudulent.

(ii) Practices to support reporting of lost and stolen cards or suspected incidences of fraud by cardholders or other parties to a transaction. As an example, an issuer may promote customer awareness by providing text alerts of transactions in order to detect fraudulent transactions in a timely manner. An issuer may also report debit cards suspected of being fraudulent to their networks for inclusion in a database of compromised cards.

(iii) Practices to help determine whether a user is authorized to use the card at the time of a transaction. For example, an issuer may specify the use of particular technologies or methods, such as dynamic data, to better authenticate a cardholder at the point of sale.

2. Review of authentication methods. The issuer’s policies and procedures should include an assessment of the effectiveness of the different authentication methods that the issuer enables its cardholders to use, including a review of the rate of fraudulent transactions for each authentication method. If one method of authentication results in significantly lower fraud losses than other method(s) of authentication enabled on the issuer’s debit cards, the issuer should consider practices to encourage its cardholders to use the more effective authentication method. It should also consider methods for reducing fraud related to the authentication method that experiences higher fraud rates. In addition, the issuer should monitor industry developments and consider adopting, where practical, new method(s) of authentication that are materially more effective than the methods currently available to its cardholders.

Paragraph 4(b)(1)(ii). Monitor the incidence of, reimbursements received for, and losses incurred from fraudulent electronic debit transactions.

1. In order to inform its policies and procedures, an issuer must be able to track its fraudulent electronic debit transactions over time. Accordingly, an issuer must have policies and procedures designed to monitor the types, number, and value of fraudulent electronic debit transactions. In addition, an issuer must track its and its cardholders’ losses from fraudulent electronic debit transactions, its fraud-related chargebacks to acquirers, and any reimbursements from other parties. Other reimbursements could include payments made to issuers as a result of fines assessed to merchants for noncompliance with Payment Card Industry (PCI) Data Security Standards or other industry standards.

Paragraph 4(b)(1)(iii). Respond to suspicious electronic debit transactions.

1. An issuer may identify transactions that it suspects to be fraudulent after it has authorized or settled the transaction. For example, a cardholder may inform the issuer that the cardholder did not authorize a transaction or transactions, or the issuer may learn of a fraudulent transaction or possibly compromised debit cards from the network, the acquirer, or other parties. An issuer must have policies and procedures in place designed to implement an appropriate response once an issuer has identified suspicious transactions or transactions likely to be fraudulent. The appropriate response is likely to differ depending on the circumstances and the risk of future fraudulent electronic debit transactions. For example, in some circumstances, it may be sufficient for an issuer to monitor more closely the account with the suspicious transactions. In other circumstances, it may be necessary to reissue cards or close the account. An appropriate response may also require coordination with industry organizations, law enforcement agencies, and other parties, such as payment card networks, merchants, and issuer or merchant processors. An appropriate response would be reasonably designed to mitigate fraud losses due to suspicious transactions and transactions alleged to be fraudulent across all parties to such transactions.

2. An issuer’s policies and procedures do not provide an appropriate response if they merely shift the loss to another party, other than the party that committed the fraud.

Paragraph 4(b)(1)(iv). Secure debit card and cardholder data.

1. An issuer must have policies and procedures designed to secure debit card and cardholder data that are transmitted by the issuer (or its service provider) during transaction processing, that are stored by the issuer (or its service provider), and that are carried on media (e.g., laptops, transportable data storage devices) by employees or agents of the issuer. This standard may be incorporated into an issuer’s information security program, as required by Section 501(b) of the Gramm-Leach-Bliley Act.

Paragraph 4(b)(2) Annual review

1. Periodic updates of policies and procedures. In general, an issuer must review its policies and procedures at least annually. In certain circumstances, however, an issuer may need to review and update its policies and procedures more frequently than once a year. For example, during a particular year, there may be significant changes in fraud types, fraud patterns, or fraud-prevention methods or technologies. If a significant change occurs, an issuer must review and, if necessary, update its fraud-prevention policies and procedures to address the significant change, even if the issuer has reviewed its policies and procedures within the preceding year.

4(c) Certification.

1. To be eligible to receive the fraud-prevention adjustment, each issuer must certify its compliance with the Board’s fraud-prevention standards to the payment card networks in which it participates on an annual basis. Payment card networks that plan to allow issuers to receive or charge a fraud-prevention adjustment will develop their own processes for identifying issuers eligible for this adjustment. An issuer need not certify if it chooses not to receive any fraud-prevention adjustment available through a network.

Effective 10/1/2012, the Official Board Commentary section 235.4 is amended to read as follows:

4(a) [Reserved]

4(b)(1) Issuer standards

1. An issuer’s policies and procedures should address fraud related to debit card use by unauthorized persons. Examples of use by unauthorized persons include, but are not limited to, the following:

i. A thief steals a cardholder’s wallet and uses the debit card to purchase goods, without the authority of the cardholder.

ii. A cardholder makes a purchase at a merchant. Subsequently, the merchant’s employee uses information from the debit card to initiate a subsequent transaction, without the authority of the cardholder.

iii. A hacker steals cardholder account information from the issuer or a merchant processor and uses the stolen information to make unauthorized card-not-present purchases or to create a counterfeit card to make unauthorized card-present purchases.

2. An issuer’s policies and procedures must be designed to reduce fraud, where cost effective, across all types of electronic debit transactions in which its cardholders engage. Therefore, an issuer should consider whether its policies and procedures are effective for each method used to authenticate the card (e.g., a chip or a code embedded in the magnetic stripe) and the cardholder (e.g., a signature or a PIN), and for different sales channels (e.g., card-present and card-not-present).

3. An issuer’s policies and procedures must be designed to take effective steps to reduce both the occurrence of and costs to all parties from fraudulent electronic debit transactions. An issuer should take steps reasonably designed to reduce the number and value of its fraudulent electronic debit transactions relative to its non-fraudulent electronic debit transactions. These steps should reduce the costs from fraudulent transactions to all parties, not merely the issuer. For example, an issuer should take steps to reduce the number and value of its fraudulent electronic debit transactions relative to its non-fraudulent transactions whether or not it bears the fraud losses as a result of regulations or network rules.

4. For any given issuer, the number and value of fraudulent electronic debit transactions relative to non-fraudulent transactions may vary materially from year to year. Therefore, in certain circumstances, an issuer’s policies and procedures may be effective notwithstanding a relative increase in the transactions that are fraudulent in a particular year. However, continuing increases in the share of fraudulent transactions would warrant further scrutiny.

5. In determining which fraud-prevention technologies to implement or retain, an issuer must consider the cost-effectiveness of the technology, that is, the expected cost of the technology relative to its expected effectiveness in controlling fraud. In evaluating the cost of a particular technology, an issuer should consider whether and to what extent other parties will incur costs to implement the technology, even though an issuer may not have complete information about the costs that may be incurred by other parties, such as the cost of new merchant terminals. In evaluating the costs, an issuer should consider both initial implementation costs and ongoing costs of using the fraud-prevention method.

6. An issuer need not develop fraud-prevention technologies itself to satisfy the standards in § 235.4(b). An issuer may implement fraud-prevention technologies that have been developed by a third party that the issuer has determined are appropriate under its own policies and procedures.

Paragraph 4(b)(2) Elements of fraud-prevention policies and procedures

1. In general. An issuer may tailor its policies and procedures to address its particular debit card program, including the size of the program, the types of transactions in which its cardholders commonly engage, fraud types and methods experienced by the issuer, and the cost of implementing new fraud-prevention methods in light of the expected fraud reduction.

Paragraph 4(b)(2)(i). Methods to identify and prevent fraudulent debit card transactions.

1. In general. Examples of policies and procedures reasonably designed to identify and prevent fraudulent electronic debit transactions include the following:

(i) Practices to help determine whether a card is authentic and whether the user is authorized to use the card at the time of a transaction. For example, an issuer may specify the use of particular authentication technologies or methods, such as dynamic data, to better authenticate a card and cardholder at the time of the transaction, to the extent doing so does not inhibit the ability of a merchant to direct the routing of electronic debit transactions for processing over any payment card network that may process such transactions. (See § 235.7 and commentary thereto.)

(ii) An automated mechanism to assess the risk that a particular electronic debit transaction is fraudulent during the authorization process (i.e., before the issuer approves or declines an authorization request). For example, an issuer may use neural networks to identify transactions that present increased risk of fraud. As a result of this analysis, the issuer may decide to decline to authorize these transactions. An issuer may not be able to determine whether a given transaction in isolation is fraudulent at the time of authorization, and therefore may have implemented policies and procedures that monitor sets of transactions initiated with a cardholder’s debit card. For example, an issuer could compare a set of transactions initiated with the card to a customer’s typical transactions in order to determine whether a transaction is likely to be fraudulent. Similarly, an issuer could compare a set of transactions initiated with a debit card and common fraud patterns in order to determine whether a transaction or future transaction is likely to be fraudulent.

(iii) Practices to support reporting of lost and stolen cards or suspected incidences of fraud by cardholders or other parties to a transaction. As an example, an issuer may promote customer awareness by providing text alerts of transactions in order to detect fraudulent transactions in a timely manner. An issuer may also report debit cards suspected of being fraudulent to their networks for inclusion in a database of potentially compromised cards.
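
As an added illustration of the authorization-time check described in comment 4(b)(2)(i)-1(ii) (and the identical 2011 text), and not code from the regulation, the Board, or any issuer: a small scorer that judges one authorization request against the cardholder's own transaction history and against a burst pattern on the card, using plain rules rather than the neural network the commentary mentions. The record layout, weights, thresholds, and the sample history are assumptions constructed for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable


@dataclass(frozen=True)
class Txn:
    """One electronic debit transaction (constructed record layout)."""
    ts: datetime
    amount: float
    mcc: str            # merchant category code
    country: str
    card_present: bool  # card-present vs card-not-present channel


@dataclass(frozen=True)
class Profile:
    typical_amount: float  # median of the cardholder's own history
    amount_spread: float   # median absolute deviation around that median
    usual_mcc: frozenset[str]
    usual_countries: frozenset[str]


def build_profile(history: Iterable[Txn]) -> Profile:
    """Summarise 'the customer's typical transactions' from past activity."""
    hist = list(history)
    med = median(t.amount for t in hist)
    mad = median(abs(t.amount - med) for t in hist) or 1.0  # never a zero spread
    return Profile(med, mad, frozenset(t.mcc for t in hist),
                   frozenset(t.country for t in hist))


def score(txn: Txn, profile: Profile, recent: Iterable[Txn]) -> tuple[int, list[str]]:
    """Risk points for one authorization request, judged against the
    cardholder's profile and the set of recent transactions on the card."""
    window_start = txn.ts - timedelta(minutes=10)
    burst = 1 + sum(1 for t in recent if window_start <= t.ts <= txn.ts)
    checks = [  # (reason, weight, fired); weights are assumptions for the demo
        ("amount_outlier", 40,
         abs(txn.amount - profile.typical_amount) > 6 * profile.amount_spread),
        ("new_country", 30, txn.country not in profile.usual_countries),
        ("new_mcc", 10, txn.mcc not in profile.usual_mcc),
        ("velocity", 30, burst >= 3),  # several authorizations within minutes
    ]
    hits = [(name, w) for name, w, fired in checks if fired]
    return sum(w for _, w in hits), [name for name, _ in hits]


def decide(points: int) -> str:
    """Map points to an action; thresholds are assumed, not prescribed."""
    if points >= 70:
        return "decline"
    return "verify_with_cardholder" if points >= 40 else "approve"


# Constructed history for one cardholder: domestic, card-present, modest amounts.
T0 = datetime(2012, 10, 1, 9, 0)
HISTORY = [Txn(T0 + timedelta(days=d), amt, mcc, "US", True) for d, (amt, mcc) in
           enumerate([(23.50, "5411"), (41.20, "5812"), (18.75, "5411"),
                      (60.00, "5541"), (35.10, "5812"), (52.40, "5411")])]
PROFILE = build_profile(HISTORY)


def demo() -> dict[str, str]:
    """Run three constructed authorization requests through the scorer."""
    now = T0 + timedelta(days=10)
    # Two card-not-present purchases abroad already seen in the last ten minutes.
    burst = [Txn(now - timedelta(minutes=m), 120.0, "5732", "GB", False) for m in (2, 6)]
    cases = {
        "routine": (Txn(now, 44.00, "5411", "US", True), []),
        "large_at_home": (Txn(now, 130.00, "5411", "US", True), []),
        "burst_abroad": (Txn(now, 899.99, "5732", "GB", False), burst),
    }
    return {name: decide(score(txn, PROFILE, recent)[0])
            for name, (txn, recent) in cases.items()}
```

The "verify_with_cardholder" outcome corresponds to the response in comment 4(b)(2)(iii)-1 of contacting the cardholder to verify a transaction before deciding whether to reissue a card or close an account.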

Paragraph 4(b)(2)(ii). Monitoring of the issuer’s volume and value of fraudulent electronic debit transactions.

1. Tracking its fraudulent electronic debit transactions over time enables an issuer to assess whether its policies and procedures are effective. Accordingly, an issuer must include policies and procedures designed to monitor trends in the number and value of its fraudulent electronic debit transactions. An effective monitoring program would include tracking issuer losses from fraudulent electronic debit transactions, fraud-related chargebacks to acquirers, losses passed on to cardholders, and any other reimbursements from other parties. Other reimbursements could include payments made to issuers as a result of fines assessed to merchants for noncompliance with Payment Card Industry (PCI) Data Security Standards or other industry standards. An issuer should also establish procedures to track fraud-related information necessary to perform its reviews under § 235.4(b)(3) and to retain and report information as required under § 235.8.

Paragraph 4(b)(2)(iii). Appropriate responses to suspicious electronic debit transactions.

1. An issuer may identify transactions that it suspects to be fraudulent after it has authorized or settled the transaction. For example, a cardholder may inform the issuer that the cardholder did not initiate a transaction or transactions, or the issuer may learn of a fraudulent transaction or possibly compromised debit cards from the network, the acquirer, or other parties. An issuer must implement policies and procedures designed to provide an appropriate response once an issuer has identified suspicious transactions to reduce the occurrence of future fraudulent electronic debit transactions and the costs associated with such transactions. The appropriate response may differ depending on the facts and circumstances, including the issuer’s assessment of the risk of future fraudulent electronic debit transactions. For example, in some circumstances, it may be sufficient for an issuer to monitor more closely the account with the suspicious transactions. In other circumstances, it may be necessary to contact the cardholder to verify a transaction, reissue a card, or close an account. An appropriate response may also require coordination with industry organizations, law enforcement agencies, and other parties, such as payment card networks, merchants, and issuer or merchant processors.

Paragraph 4(b)(2)(iv). Methods to secure debit card and cardholder data.

1. An issuer must implement policies and procedures designed to secure debit card and cardholder data. These policies and procedures should apply to data that are transmitted by the issuer (or its service provider) during transaction processing, that are stored by the issuer (or its service provider), and that are carried on media (e.g., laptops, transportable data storage devices) by employees or agents of the issuer. This standard may be incorporated into an issuer’s information security program, as required by Section 501(b) of the Gramm-Leach-Bliley Act.

Paragraph 4(b)(3) Review of and updates to policies and procedures.

1. i. An issuer’s assessment of the effectiveness of its policies and procedures should consider whether they are reasonably designed to reduce the number and value of fraudulent electronic debit transactions relative to non-fraudulent electronic debit transactions and are cost effective. (See comment 4(b)(1)-3 and comment 4(b)(1)-5).

ii. An issuer must also assess its policies and procedures in light of changes in fraud types (e.g., the use of counterfeit cards, lost or stolen cards) and methods (e.g., common purchase patterns indicating possible fraudulent behavior), as well as changes in the available methods of detecting and preventing fraudulent electronic debit transactions (e.g., transaction monitoring, authentication methods) as part of its periodic review of its policies and procedures. An issuer’s review of its policies and procedures must consider information from the issuer’s own experience and that the issuer otherwise identified itself; information from payment card networks, law enforcement agencies, and fraud-monitoring groups in which the issuer participates; and supervisory guidance. For example, an issuer should consider warnings and alerts it receives from payment card networks regarding compromised cards and data breaches.

2. An issuer should review its policies and procedures and their implementation more frequently than annually if the issuer determines that more frequent review is appropriate based on information obtained from monitoring its fraudulent electronic debit transactions, changes in the types or methods of fraud, or available methods of detecting and preventing fraudulent electronic debit transactions. (See § 235.4(b)(1)(ii) and commentary thereto.)

3. In light of an issuer’s review of its policies and procedures, and their implementation, the issuer may determine that updates to its policies and procedures, and their implementation, are necessary. Merely determining that updates are necessary does not render an issuer ineligible to receive or charge the fraud-prevention adjustment. To remain eligible to receive or charge a fraud-prevention adjustment, however, an issuer should develop and implement such updates as soon as reasonably practicable, in light of the facts and circumstances.

4(c) Notification.

1. Payment card networks that plan to allow issuers to receive or charge a fraud-prevention adjustment can develop processes for identifying issuers eligible for this adjustment. Each issuer that wants to be eligible to receive or charge a fraud-prevention adjustment must notify annually the payment card networks in which it participates of its compliance through the networks’ processes.
