4. Overview
• Article 3, 4 and 4A
• Check Case Law Update
• Corporate Account Takeover
• EMV Migration Update
• Prepaid Update
• Regulation E Proposal
• U.S. DOE’s Student Card Rule
• NY Department of Labor’s Proposed Payroll Card Rule
• Tax Refund Fraud
• Brokered Deposits
5. Check Law Update
• UCC 4-406(f): Claim notice timeframe
• Notice of claim must be given within one year
• Statute of repose
• UCC 4-103: Permits contractual modification of standard of care
• Courts generally uphold notice periods of 60 and even 30 days
• Manifestly unreasonable standard
• Clemente Brothers, 14 N.E.3d 367 (N.Y. 2014)
• 14-day notice period… upheld!
• Corporate context
• Court explicitly reserves consumer standard
• Compare Saint Bernard School, 95 A.3d 1063 (Conn. 2014)
6. Check Law Update
• Holder in Due Course
• RR Maloan Investments, 428 S.W.3d 355 (Tex. App. 2014)
• Check Cashing Service
• Joint Payees
• And = Dual endorsement required
• Or = Single endorsement sufficient
• Remotely deposited item case (2014 WL 4277256)
• Encoding Errors
• Troy Bank (2014 WL 4851511)
• $100K v. $1K
• Federal Reserve Op. Circ. 3 adjustment not exclusive remedy
9. Corporate Account Takeover
• UCC 4A: Bank liable for unauthorized transfers other than:
• Customer fails to report within one year (often contractually shortened)
• Commercially Reasonable Security Procedures
• March 2015 FFIEC Guidance – Financial institutions should:
• Securely configure systems and services.
• Review, update, and test incident response and business continuity plans.
• Conduct ongoing information security risk assessments.
• Perform security monitoring, prevention, and risk mitigation.
• Protect against unauthorized access.
• Implement and test controls around critical systems regularly.
• Enhance information security awareness and training programs.
• Participate in industry information-sharing forums, such as the Financial Services
Information Sharing and Analysis Center.
• Cybersecurity Assessment Tool
• https://www.ffiec.gov/cyberassessmenttool.htm
10. Corporate Account Takeover
• Security Procedures
• Patco Construction, 684 F.3d 197 (1st Cir. 2012)
• Security software allowed bank to set dollar threshold to trigger a
security challenge question.
• Initially, bank set the threshold at $100,000.
• Bank later lowered the threshold to $1, requiring security challenge questions on
every transaction.
• Hacker obtained customer’s banking information and authenticated a series of
transactions close to $600,000.
• Bank was unable to retrieve $243,406 of these funds
• Layered security did not carry the day
• Settings permitted hackers greater access to credentials
• Bank failed to implement appropriate monitoring
11. Corporate Account Takeover
• Security Procedures
• Choice Escrow, 754 F.3d 611 (8th Cir. 2014)
• Dual control security procedure made available
• Customer rejected procedure
• Attorneys' fees recoverable
• Chavez v. Mercantile Commercebank (2015 WL 509509)
• Forgery Case
• UCC 4A-201: Signature is not adequate security procedure
• 14-day notice provision upheld
18. Costs Associated with EMV
Costs are front-loaded; benefits are delayed
• Reissuance of Payment Cards
• Replacing POS Terminals and ATMs
• Dual Interface?
• Customer Service
• Back Office Upgrades
• Consumer Education
19. EMV Benefits…But Not a Panacea
• Card skimming is more difficult
• EMV payment cryptography is dynamic and uses attributes of the
transaction
• Data on the magnetic stripe tells the terminal it’s a chip card and to
process as a chip transaction
• PIN with payment card increases security above transactions without a
PIN
But…
• Card number, expiration date and cardholder name sent in the clear from
chip card to terminal
• Skimmer software can steal the data elements
• Data can be used for purchases on websites, over the phone or through
the mail
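The dynamic-cryptogram bullet above, as an added example that is not part of the original slides: a simplified model in which the card computes a MAC over transaction attributes and a counter, and the issuer rejects a captured value that is replayed or attached to another transaction. HMAC-SHA256 stands in for the MAC that real EMV cards compute with a derived card key; the key, amounts, nonces and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. Real EMV derives a per-card key from an issuer
# master key; HMAC-SHA256 is an assumption standing in for that MAC.
CARD_KEY = b"constructed-demo-card-key"


def cryptogram(key, amount_cents, terminal_nonce, atc):
    """Card side: MAC over transaction attributes plus the card's counter."""
    msg = f"{amount_cents}|{terminal_nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer side: recompute the MAC and reject counters already seen."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize_chip(self, amount_cents, terminal_nonce, atc, received):
        expected = cryptogram(self.key, amount_cents, terminal_nonce, atc)
        if not hmac.compare_digest(expected, received):
            return "decline: cryptogram mismatch"
        if atc <= self.last_atc:
            return "decline: counter replayed"
        self.last_atc = atc
        return "approve"


def demo():
    issuer = Issuer(CARD_KEY)
    results = {}
    # Genuine chip transaction: $25.00, constructed terminal nonce, counter 1.
    captured = cryptogram(CARD_KEY, 2500, "a1b2", 1)
    results["genuine"] = issuer.authorize_chip(2500, "a1b2", 1, captured)
    # The same captured message resubmitted unchanged.
    results["replay"] = issuer.authorize_chip(2500, "a1b2", 1, captured)
    # The captured cryptogram attached to a different amount, nonce and counter.
    results["reuse_other_txn"] = issuer.authorize_chip(90000, "c3d4", 2, captured)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Nothing in this check protects the card number, expiration date or cardholder name, which is why the "But…" bullets still apply to channels that never ask for a cryptogram.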
20. EMV Considerations
• The payment ecosystem is made up of hundreds, if not thousands, of connections that enable authorizations to route through 18 competitive debit networks
• The ability to process EMV will not be supported by everyone at the same time
• Other countries have taken nearly ten years to fully deploy chip technology
• Solution must satisfy U.S. law
• Acquirer processor challenges
28. EMV Deployment Estimates…
VISA
As of August 31, 2015
•20% of the 720 million Visa-branded credit, debit and prepaid cards in the
U.S. contained an EMV chip.
•Of the 142 million Visa EMV cards in issue as of August, 63% were credit
and 37% were debit and prepaid.
•300,000 merchant locations were enabled for chip card acceptance at the
end of August, up 20% from 247,000 at the end of June but still far short of
the country’s approximately 8 million card-accepting locations.
•36,663 ATMs, about 7% of the estimated 535,800 bank and retail ATMs in
the U.S., can now read EMV chip cards.
•Australia, Brazil and Canada took 2 to 3 years to reach 60 to 70% chip on
chip, and 4 to 5 years to reach 90% chip on chip.
Source: PYMNTS.com
29. EMV Deployment Estimates…
PULSE
•90% of U.S. financial institutions either have begun issuing EMV debit cards
or plan to do so by the end of the year.
•25 percent of U.S. debit cards – approximately 71 million cards – will be
migrated to chip by the end of 2015.
•The percentage is expected to rise to 73 percent by the end of 2016 and 96
percent by the end of 2017.
•Large banks report the lowest average cost of $2.17 per chip card, while
credit unions have the highest average cost at $2.90 per chip card.
Source: PULSE (Oliver Wyman)
32. Issuer EMV Topics
If you have already deployed EMV Cards…
•Monitor Customer Service/Branch/Social Media channels…improve
messaging and education.
•Be smart about Fallback.
•Be smart about PIN Bypass.
•Be smart about Processor reports and risk mitigation.
•Be smart about CNP transactions.
If you have not deployed EMV Cards…
•Monitor risk mitigation controls.
•Manage the marketing message.
•Encourage PIN on debit.
•Be smart about chargeback processing.
•Be smart about CNP transactions.
33. Merchant EMV Topics
If you have already deployed EMV Terminals…
•Monitor checkout and educate staff to help customer.
•Expect customer confusion/hesitation. (longer queues?)
•Train chargeback staff to represent counterfeit claims.
•Be smart about PIN Bypass.
•Be smart about Processor reports and risk mitigation.
•Be smart about CNP transactions.
If you have not deployed EMV Terminals…
•Manage the marketing message.
•Monitor risk mitigation tools.
•Ask for Photo IDs on high-risk transactions.
•Encourage PIN on debit.
•Be smart about chargeback processing.
35. CFPB NPRM for Prepaid Accounts
Proposed Rule issued on November 13, 2014; Final Rule expected Quarter 1
2016
•Scope
•Disclosures
•Error Resolution / Limits on Liability
•Posting of Agreements
•Credit / Overdraft / Force-pay Transactions
37. SCOPE
Includes:
•Card, code or other device
– Very broad; includes mobile & virtual products
•Does not fall under the general definition of “account” in Regulation E
•Primarily for personal, family, or household purposes (interpreted very broadly)
•Issued on prepaid basis in specified amount or capable of being loaded with funds
after issuance (this is the “prepaid” aspect)
•Meets at least 1 of the following:
– Redeemable at multiple, unaffiliated merchants for goods or services,
– Usable at automated teller machines, or
– Usable for person-to-person or person-to-business transfers
38. SCOPE
Excludes:
•Health savings account, flexible spending account, medical savings account, or a
health reimbursement arrangement.
•Debit cards, DDAs, checking, savings or other consumer asset accounts
•Stored Gift Cards & Gift Certificates, as defined in Gift Card Rule (closed loop)
•Loyalty, Award or Promotional Card, as defined in Gift Card Rule (LAP)
•General-Use Prepaid Card (as defined in Gift Card Rule) that is both
marketed and labeled as a Gift Card or Gift Certificate
NOTE: Reloadability is not a factor
39. Disclosures
Short Form:
•Specific Formatting Requirements (font size, color, and type)
•Incidence Based Fees
•Timing of Disclosure
Long Form:
•Retail Exception (exempt and non-exempt retail)
•Telephone
•Online
40. Model Short Form Disclosure
Model Forms A-10(c) and (d) – with and without overdraft
42. Error Resolution / Limits on Liability
Reg E Lite: (providing account history info in lieu of periodic statements)
•60 day period for reporting unauthorized transfers commencing on:
– Consumer electronically accesses account
– Date FI sends written history upon request
•Safe Harbor: 120 days after transfer
•If oral complaint, may require written follow-up within 10 BD. If you do not
receive written follow-up, you don’t have to credit account.
•Must investigate and determine whether error occurred within 10 BD.
43. Error Resolution / Limits on Liability
• Provide provisional credit within 10 BD for old accounts and 20 BD for
new accounts.
• 45 calendar days to investigate. May take up to 90 days to investigate for
errors re: new accounts, POS or foreign-initiated t/x
• Tell you results within 3 BD after completing investigation. If no error, you
will send written explanation.
44. Posting of Agreements
Quarterly Submission:
•Information on issuer and program manager
•Current agreements offered to the public
•Amended agreements
•Notification of withdrawn agreements
Public Posting:
•Agreements posted on website maintained by CFPB and on Issuer’s own website
45. DOE’s Rule For Student Cards
Rules apply to the disbursement of Title IV funds to financial accounts
offered to students by a college or university under either a Tier 1 or
Tier 2 arrangement.
•Tier 1
– Contract between school and 3PS,
– 3PS performs one or more functions for processing Title IV payments to accounts:
• Offered under the contract or
• Direct communication
•Tier 2
– Contract between School and FI
• Offered and “directly marketed” by the school
• Direct Marketing = (1) direct marketing from school, (2) co-branding + principally marketed
to students, and (3) Card handed out for institutional purpose (student ID)
46. DOE’s Rule For Student Cards
Specific Requirements
•Student Choice Process
•Student Consent
•Fees
•Contract Disclosure
•“Best Interest of the Student” provisions
– Due diligence reviews every 2 years,
– Termination rights based on student complaints
47. NY Proposed Payroll Card rules
Originally issued by the department in May, reissued October 28 with a new
30-day comment period.
•Written notice and consent
•Language Requirements
•7 day waiting period
•ATM Access
•Fees
•Change in Terms Notice
Comments due next week.
48. Tax Refund Fraud
• Pending bill in Congress (HR 3981)
• Industry / Regulator Outreach and
Coordination
49. Brokered Deposits
FDIC’s FIL 2-2015
•Issued January 5, 2015
•Includes several new FAQs
•Impact on prepaid? Program managers =
deposit brokers, narrowed “primary
purpose” exception
•FDIC Position – nothing to see here