Target, Retailers Use Dodd-Frank to Skimp on Data Security

Chutzpah, thy name is the National Retail Federation!

In the wake of the recent credit and debit card breach at Target that may have compromised the data of up to 110 million consumers, the leading retail trade association argued in federal court on Friday that it should pay even less for fraud prevention and cleanup after fraud losses.

Joined by the National Association of Convenience Stores and the National Restaurant Association, the NRF claimed to the court that it is actually against the law for banks and credit unions to charge retailers for fraud losses in debit card processing fees. “The inclusion of fraud losses in the allowable costs recoverable … cannot be justified,” the groups maintained in a legal brief (page 20).

The interchange fees that banks and credit unions charge merchants for debit card transactions — what retailers pejoratively call “swipe fees” — have been subject to price controls since the passage of the Dodd-Frank financial overhaul in 2010. Dodd-Frank’s Durbin Amendment, which came about as a result of heavy lobbying by Target, Wal-Mart and other big retailers, states that the debit interchange fees charged to retailers must be “reasonable and proportional to the cost incurred by the issuer [bank or credit union issuing the card] with respect to the transaction.”

CEI opposed the Durbin Amendment from the start, because we believe price controls are a violation of individual property rights and turn out to be impractical. But many who voted for the Durbin Amendment believed that the price-setting process would be similar to rate regulation of electricity and phone service, in that the fee set would allow for infrastructure and service costs plus what is judged as a “reasonable rate of return.”

What happened, though, was that ever since the Fed began implementing the provision, the retail lobby has argued that the provision not only bars banks and credit unions from profiting on the fees charged to retailers, only a very limited portion of costs could actually be recovered in the fee.

The result has been both a massive cost-shifting for debit card processing from retailers to consumers — a sharp reduction of free checking for low-balance account and the virtual end of debit card rewards — as well as much less resources from retailers to fight hacking and cyber attacks. And the retailers’ latest lawsuit — arguing the fees still allow banks and credit unions to recover too many data security costs — would raise consumer costs even further and make card purchases even more vulnerable to attacks.

Before going any further, it’s important to note how the cleanup process for a data breach works. The retailer reports the breach, but the customers’ banks and credit unions — big and small — do most of the cleanup.

As noted by Wisconsin Credit Union League CEO Brett A. Thompson, upon a data breach at Michaels craft stores in 2011, the financial institutions “had to determine which states were involved, monitor potentially compromised accounts, manually reduce limits for both ATM and PIN transactions, monitor ATM transactions in the affected states, notify debit card holders of potential fraud on their accounts, issue new debit cards to those whose accounts were compromised and refund money to fraud victims.”

In the aftermath of the target breach, many community banks and credit unions are working overtime as well, so that consumers have minimal disruptions. In East Tennessee, Citizens National Bank canceled and reissued 1,000 credit and debit cards potentially affected, but took the step of calling each customer beforehand.

Similarly, Michigan First Credit Union in Lathrup Village, Mich., also took fast and diligent action. According to Credit Union Times, “Michigan First quickly identified approximately 1,500 members who had shopped at Target during the period when criminals were apparently intercepting records.” It then canceled and quickly replaced the cards, hand-delivering them to members in some instances.

But if retailers have their way, these Main Street financial institutions, and the credit and debit networks that they are a part of, will be severely hampered in their ability to help consumers after a retailer’s data breach and to improve infrastructure to help prevent such attacks in the first place.

While NRF general counsel Mallory Duncan waxed eloquent to Reuters that “The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers.” the NRF makes the incredible argument in its lawsuit that retailers shouldn’t pay for anything beyond the cost of the 19th century technology of paper checks. In setting the debit card fees that banks and credit unions can charge retailers, the Fed must “create a closer equivalency between the debit card system and the checking system,” the retailers’ brief argues (page 17).

The retail lobby had already persuaded the Fed that very few fixed costs — such as computers to process cards — could be considered in setting the fee, even though the statute doesn’t expressly bar this. This decision in itself made the fees retailers could be charges much lower than they had to be, with banks and credit unions having little choice but to shift these costs to consumers through new banking fees and sharp reductions in free checking accounts.

Yet retailers want the fees they pay to banks and credit unions to be even lower. They are arguing that the Fed cannot even include fraud monitoring costs, as it currently does, in setting what retailers can be charged. The brief lists “costs for monitoring transactions before authorization” as an “impermissible” cost to include in the fee.

The Federal Reserve calls the retailers’ interpretation of the Durbin Amendment absurd. Citing the laws mandate that debit card fees be “reasonable,” the Fed argued in its brief that “permitting issuers to recover at least a portion of their fraud losses through interchange fees is reasonable” (page 67).

As for the retailers’ argument that the Fed should set fees for debit cards “closer” to those of paper checks, the Fed’s brief acknowledges language in the statute to “consider the functional similarity” between debit cards and checks. But it then makes the rather obvious point that the Fed “reasonably concluded that it may take into account not only similarities, but also differences, between checking and electronic debit transactions.”

Although the retailers largely convinced a George W. Bush-appointed federal judge of their points in July, the bipartisan three-judge panel at the U.S. Court of Appeals in Washington, D.C., appeared highly skeptical last Friday. When the attorney for the NRF and other groups argued that the government must prevent retailers from being charged for fraud and other costs, he got an earful from Harry Edwards, whom President Jimmy Carter appointed to the court in 1980.

“I can tell you, none of us is buying that,” Edwards told the attorney. But just in case the courts buy the NRF’s bill of goods, Congress should repeal the Durbin Amendment, or at least fix it so Target and other retailers can’t skimp out of paying for the data breaches they enable.