[Please Note: This testimony was presented to the Subcommittee by Edward Yingling, Executive Director of Government Relations for the ABA]

Testimony of Phillip Hudson

on behalf of the

American Bankers Association

before the

House Banking Subcommittee

on Financial Institutions and Consumer Credit

24 September 1997

Madam Chairwoman and members of the Subcommittee, I am Phil Hudson, Executive Vice President of the Bank Card/Electronic Division of First Security Service Corporation in Salt Lake City, Utah. I am pleased to be here today to discuss debit cards on behalf of the American Bankers Association ("ABA"). The ABA brings together all categories of banking institutions to best represent the interest of this rapidly changing industry. Its membership – which includes community, regional, and money center banks and holding companies, as well as savings associations, trust companies and savings banks – makes ABA the largest banking trade association in the country.

Some legislators and the media have recently raised questions about debit cards that may be used without personal identification numbers ("PINs’). These cards are sometimes called "check cards." It is clear that educational efforts are needed with respect to how cards are used and what consumer protections are in place. The banking industry is hard at work on that educational effort. We thank you, Madam Chairwoman, for calling these important hearings to discuss these issues. The hearings will serve to create a very important dialogue. We appreciate the opportunity to explain the growing popularity and convenience of these cards and how both the card association policies and federal law protect consumers from fraud and unauthorized use of their cards.

In my testimony, I would like to make three key points:

• Consumers are enthusiastically embracing debit cards because they are easy and safe to use, and accepted at thousands of places around the world. Merchants like the debit "check" cards because they do not require new equipment, upgrades, or new communication lines.
  
  
• The industry has already adopted standards that protect consumers from liability for unauthorized use of debit cards. The industry’s policies go beyond the significant federal protections afforded under the Electronic Fund Transfer Act.
  
  
• No legislation is necessary to protect consumers because the industry has already adopted high standards of protection. Statutory provisions are invariably inflexible and fail to anticipate every situation, creating unintended, inappropriate, or unworkable consequences.

If these cards are going to be successful and accepted by consumers, it is important that consumers understand how the cards are used and understand their rights, protections, and responsibilities. The ABA, VISA and MasterCard are taking steps to ensure that consumers fully understand these matters by providing disclosures and their informative materials.

I. Enhanced Debit Cards Are Very Popular With Consumers.

The original debit cards were typically only used at ATMs and some debit card point of sale ("POS") terminals (e.g., gas stations and grocery stores). These cards require the use of a PIN on all transactions.

More recently, banking institutions have provided enhanced debit cards. These enhanced cards contain a VISA or MasterCard logo. They are usable at ATMs and POS terminals with a PIN, but also may be used with a signature authorization anywhere MasterCard or VISA credit cards are accepted.

These cards are very popular with consumers because they avoid the hassles, delays, and costs associated with writing a check. A debit transaction usually takes less time than a check transaction and requires no identification. In addition, they are more universally accepted than checks: many retailers do not accept checks, but do take VISA and MasterCard. Consumers who revolve credit card balances can avoid additional interest by paying from their checking account with their debit card rather than using their credit card. Debit cards offer a convenient payment option for people who do not have credit cards.

Simply put, banking institutions have developed a great product that consumers have enthusiastically embraced for a variety of reasons.

Some of the issues raised involve debit cards usable without a PIN. It might be useful to explain how PIN and PINless transactions are processed. Transactions authorized by a signature are processed differently than those authorized by PIN. A PIN transaction is sometimes described as "on-line," though that term is not universally used or defined. This means that at the time of the transaction, the ATM or POS terminal sends an electronic message to the bank that issued the card. The message is an authorization request. If approved by the issuing bank, the amount is debited to the consumer’s account immediately. PIN transactions are usually processed through local or regional networks such as STAR, NYCE, and HONOR, or through a national network such as PLUS, INTERLINK, CIRRUS, and MAESTRO.

In contrast, PINless debit card transactions are processed for settlement much as credit card transactions are. Two messages are routed to the card issuing bank at different times: (1) a request for authorization, and (2) the actual settlement transaction. These transactions are sometimes termed "off-line" because settlement occurs later. The request for authorization and the response are made at the time of the transaction. The authorization confirms that the account is valid and adequate funds are available in the account at that moment. The issuing bank may institute a hold in the funds, but the account is actually debited later. Transactions are batched by the merchant’s bank, usually at the end of the day, and then transmitted for settlement. Because of the delay between authorization and settlement, it is possible that, notwithstanding a hold, funds may not be available when the transaction actually reaches the bank for settlement. However, merchants that received authorization are guaranteed payment. If funds are unavailable for final payment, the bank issuing the card usually is responsible for the loss.

There are several reasons that credit card and check card transactions are processed using this dual message system. One reason is that the thousands of issuers and retailers use different systems. For example, some merchants use a hand imprinter and physically deposit slips with their bank for processing. In the travel and entertainment industry, the amount authorized may differ from the final amount, e.g., the amount authorized represents the total charge, but the final bill includes a tip. In addition, it is more efficient to batch transactions at the end of the day than to transmit them individually. Also, historically, settlement was paper-based and authorization was done separately.

Some have asked why all debit card transactions cannot require PINs. In part, this is because merchants are reluctant to process PIN transactions because doing so requires installing special equipment. Like all widely used methods of payment, debit cards can only work in the marketplace if they are accepted at a wide variety of places. In other words merchants must broadly accept the payment mechanism. Many merchants, however, are currently unwilling to go to the expense of installing equipment that processes PIN transactions. They are hesitant to make such an expensive investment since check cards, which require no new equipment, upgrades, or new communication lines, have been enthusiastically accepted by consumers, and problems with these cards have been minimal. In addition, merchants hesitate to invest in expensive equipment that may have to be replaced or supplemented in the near future as other new payment devices using even more advanced technology emerge. For example, banking institutions are examining how smart cards (cards containing a computer chip) may be used in the future in credit card and debit cards, as well as new products such as stored value cards. Adoption of this new technology would mean installation of new equipment for retailers.

Thus, limiting debit card transactions to those that require PINs would deny consumers use of debit cards at many, many locations, and greatly limit their utility.

II. Consumers Are Protected by Industry Standards and Current Law.

Notwithstanding their great convenience and popularity, check cards usable without a PIN may be more vulnerable to unauthorized use than cards that require use of a PIN – a thief or unauthorized user may use the card by forging a signature. So far, experience has shown that fraudulent use of these cards has been minimal. However, to ensure that consumers are not subject to unwarranted risk, VISA and MasterCard have adopted policies which provide greater protection for consumers than does current federal law. Specifically, under their new policies, MasterCard and VISA limit liability to a maximum of $50 for unauthorized use; VISA waives the $50 liability if the consumer notifies the bank within two business days of discovering the unauthorized transactions or loss or theft of the card.

Regardless of these bank card association protections, consumers are already well protected by federal law if they report the loss of their card in a timely fashion. Specifically, under the Electronic Fund Transfer Act ("EFTA"), liability is limited to $50 if the consumer reports the loss or theft two business days after discovering the loss or theft. Most banking institutions have always waived even this $50.

For consumers who fail to report the loss within two business days, EFTA limits the liability to $500, representing:

• up to $50 for unauthorized transfers made in the two day period; and
  
  
• the amount of unauthorized transfers that occurred after the 2 business days and before the consumer notifies the banking institution – if the banking institution’s losses would not have occurred if the consumer had notified the bank in that period.

If the consumer fails to notify the banking institution about unauthorized transfers appearing on a statement within 60 days after the institution’s transmittal of the statement, the consumer’s liability is unlimited for subsequent unauthorized transfers (i.e., those made 60 days after transmittal of the statement). These periods can be extended for "extenuating circumstances," for example, if the consumer was on vacation or ill. It is also worth noting that the burden of proof is on the bank to show that a transaction was authorized. This liability is similar to that applied to unauthorized use of checks pursuant to the Uniform Commercial Code.

If these cards are going to be successful and accepted by consumers, it is also important that consumers understand how the cards are used and consumers’ rights, protections, and responsibilities. Both card associations, as well as the ABA, are taking steps to ensure that consumers fully understand these matters by developing disclosures and other informative materials.

Banking institutions have also taken steps to prevent and detect fraudulent use of debit cards: after all, ultimately, banking institutions absorb the losses. For example, most banking institutions limit the amount that may be withdrawn from an account by debit card in a single day. Some card issuers have installed special software and neural networks that develop profiles of consumer use habits and alert banks to unusual activity that might suggest fraud. Some banking institutions require consumers to call and provide personal information to activate the cards before they may be used. This helps prevent thieves from using cards intercepted in the mail.

III. Legislation is Unnecessary.

Several bills have been introduced in the House proposing to put some of these voluntary measures into statute. We oppose these bills. We believe the industry’s voluntary measure obviates the need for legislation. In addition, statutory provisions invariably are inflexible and fail to anticipate every existing and future situation, creating unintended, inappropriate, or unworkable consequences.

H.R. 2234, introduced by Representative Charles Schumer (D-NY), amends EFTA to modify the liability provisions and disclosure requirements for debit cards and to impose additional requirements on debit card issuers. Specifically, under this bill, if an unauthorized transaction is made using a debit card that requires no code or other unique identifier to use the card, the consumer’s liability is limited to $50. This limited liability goes beyond just PINless transactions and also applies to transactions where a PIN is required, such as an ATM withdrawal. The bill, in effect, eliminates the consumers’ responsibility to notify the bank within two business days of learning of the unauthorized use or theft or loss of the card, and to alert the bank when unauthorized transactions appear on their periodic statement. In addition, the bill requires that any card usable without a PIN must be "validated" before it can be used. Under EFTA, validation means providing with the card an explanation of the consumer’s liability and requiring that the card be validated in response to the consumer’s request for validation and upon verification of the consumer’s identity. This appears to apply not only to first issuance cards, but also replacement cards.

H.R. 2319, introduced by Congressman Thomas Barrett (D-WI), also modifies the liability provisions in a similar fashion, essentially limiting liability to $50, though it appears that this limited liability only applies to transactions where no PIN is required. In addition, the bill reduces to three business days the time period in which card issuers must provisionally credit an account when a consumer claims an unauthorized transaction. Finally, the bill requires new disclosures when the card is issued and on periodic statements.

We do not believe that legislation is necessary to address consumer liability for PINless debit card transactions. We believe that MasterCard and VISA’s new policies make it unnecessary. As explained earlier, those policies already limit consumer liability for unauthorized use to $50. In addition, unlike the bank card association policies, the bills allow the banking institutions no discretion to make modifications regardless of circumstances. For example, in some cases the card holder may have been involved in perpetrating fraudulent use of the card. Moreover, the Schumer bill, unnecessarily applies the limited liability even in cases where a PIN was required for the particular transaction.

There are several issues that you have raised in your invitation letter, Madam Chairwoman. In particular, you asked about consumer responsibility, the need for validation of cards, provisional credit of accounts, disclosures, and privacy. Let me discuss each of these in turn.

Consumer responsibility. We believe that consumers have a responsibility to protect their debit card and PIN, to notify their banking institution in a timely fashion when the card has been lost or stolen, and to review their periodic statements in a reasonable time and inform the banking institution of any unauthorized transactions. The existing tiered liability provisions of EFTA to some degree recognize these responsibilities while still providing consumers generous liability limitations. As noted earlier, EFTA limits liability to $50 if the consumer notifies the banking institution within two business days of learning of the unauthorized transaction or the loss or theft of the card. The liability increases only if consumers fail to notify the banking institution in a timely fashion if the card is lost of stolen or if they fail to review their account statement and notify the banking institutions of unauthorized transactions. After all, as we all know, in our economy, losses, including fraud losses, are generally passed on in the form of higher prices to all consumers of a product. It is in everyone’s interest – and fundamentally fair – that a consumers be responsible for notifying a bank of the loss, theft, or fraudulent use of their card.

Validation of cards. You asked, Madam Chairwoman, whether credit card issuers now require validation for use of new cards and whether it would help consumers better understand the potential risks involved with debit cards. Credit cards are often issued subject to validation procedures, though it varies depending on the bank and the geographical area of the card recipients. In areas where fraud and mail theft are a problem, this procedure has proved helpful in reducing mail thefts of cards. However, some banking institutions, depending on the volume of their card base, the location of their customers, and the level of fraud in that area, have no need to establish these systems. Validation is also sometimes used for debit cards when the debit card, usable without a PIN, is first issued. Validation is not usually used for replacement cards or cards the consumer has requested.

We do not believe that legislation should mandate validation. First, the voluntary efforts of VISA obviate the need: under its new policy, banking institutions must validate unsolicited, first issuance cards. Second, H.R. 2234 demonstrates how legislation can inappropriately sweep too broadly -- H.R. 2234 requires validation for all debit cards usable without a PIN, including replacement cards and cards the consumer has requested. In these cases, validation may not be necessary because the consumer is aware of the card’s PINless usability feature from prior experience.

Provisional Credit. Madam Chairwoman, you also asked about regulations that require financial institutions to provisionally credit a customer’s account when the customer makes a claim that a transaction was unauthorized. Generally, under current law, banking institutions must provisionally credit the account within 10 business days. They are allowed 20 days for POS transactions. Often banks voluntarily provisionally credit an account faster, depending on the circumstances.

These time periods are often, but not always, adequate to investigate a claim. Additional time is usually needed to investigate POS transactions for a number of reasons. For one, the investigation process is usually manual rather than automated and often involves a complicated routing process. For example, routing may go from the bank’s processor, to a national or regional switch, to the merchant’s processor, before it finally reaches the merchant. The merchant’s paper response is similarly routed back to the issuing bank. The process may be further delayed by merchants whose systems may not be set up to retrieve data quickly. Though some parts of the routing process may be automated and there is a trend toward full automation, today’s process for retrieving POS transaction information is often manual and time-consuming.

VISA has reduced the time to provisionally credit accounts to five business days. However, this only applies to transactions processed through its network – which has an automated inquiry process. Transactions requiring PINs, for example, are often processed through regional networks which lack the automated inquiry process. Moreover, unlike legislative proposals such as H.R. 2319, VISA’s policy has flexibility to allow for exceptions if the circumstance or account history warrants.

It is critical for banking institutions to have sufficient time to investigate claims of unauthorized transactions. Otherwise, as experience has shown, fraud artists use these rules to facilitate their schemes – they make false claims of large unauthorized transactions, then withdraw the provisionally credited funds before the bank can discover that the claim was false. For these reasons, we oppose any statutory reductions of the time in which financial institutions must provisionally credit an account.

Disclosures. Another of your questions, Madam Chairwoman, asked what information must be furnished to consumers related to debit cards. EFTA mandates a number of disclosure requirements including:

• initial disclosures;
• disclosures when a card is sent that requires validation;
• receipts for transactions;
• periodic statement disclosures; and
• annual notices of error resolution procedures.

Initial disclosures. Initial disclosures must be proved at the time the consumer contracts for an electronic fund transfer or before the first electronic fund transfer is made. The initial disclosures contain:

1. an explanation of the consumer’s liability for unauthorized electronic fund transfers;
   
   
2. the telephone number and address of the person to be notified in the event of an unauthorized transfer;
   
   
3. the banking institution’s business days;
   
   
4. the type of transfers permitted and any limitations;
   
   
5. any fees for electronic fund transfers;
   
   
6. a summary of the consumer’s right to receipts and periodic statements, and notices related to preauthorized transfers;
   
   
7. a summary of the consumer’s right to stop payment of a preauthorized electronic fund transfer and the procedure for doing so;
   
   
8. a summary of the banking institution’s liability to the consumer for failure to make or stop certain transfers;
   
   
9. an explanation of when the banking institution may provide information concerning the consumer’s account to third parties; and
   
   
10. a notice explaining error resolution procedures.

Notices with cards to be validated. Notices explaining the consumer’s rights and liabilities must accompany cards which must be validated before they may be used.

Receipts. Financial institutions must make a receipt available at the time the consumer initiates an electronic fund transfer at an electronic terminal such as an ATM. The receipt must contain the amount, date, and type of the transfer, a number or code identifying the consumer’s account, the terminal location, and the name of any third party to or from whom funds are transferred.

Periodic statement. For any account with electronic fund transfer capabilities, banking institutions must send periodic statements for each monthly cycle in which an electronic fund transfer has occurred and at least quarterly if no transfer has occurred. Some exceptions apply. The periodic statement must contain: transaction information; the account number; any fees imposed for electronic fund transfers or for account maintenance; account balances at the beginning and close of the statement period; the address and telephone number for inquiries; and the telephone number to call to ascertain whether preauthorized transfers to the account have occurred.

Annual error resolution notice. Banking institutions must mail or deliver to consumers at least once a year an error-resolution notice. This notice explains how the consumer should contact the banking institution and what information to provide if the consumer believes a receipt or statement is wrong. In addition, it explains how much time the consumer has to notify the institution of an error, the investigation process, and when funds will be credited.

As you can see, Madam Chairwoman, EFTA disclosures are quite comprehensive and numerous. While we do not believe that it is necessary to add to them at this time, we are examining whether and how to improve notices to ensure that consumers understand how these enhanced debit cards are used and consumers’ protections, liabilities, and responsibilities. We will be happy to share with you and the Subcommittee any conclusions we reach.

In addition, as we all know, legalistic, required disclosures often are unread, and sometimes new requirements can be counterproductive by adding volumes of legalese. The ABA, MasterCard, and VISA are all working to increase consumer understanding of debit cards, including consumers’ risks and rights, through extensive educational efforts – efforts that will be in plain English.

Privacy. Madam Chairwoman, you asked about how debit card spending habits are tracked and whether they differ with how credit card spending habits are tracked. As we mentioned earlier, some banking institutions monitor spending habits in order to detect unusual activity that may suggest fraud. Otherwise, we are not aware of any banking institutions that share customer spending habit information with merchants or other third parties.

Conclusion.

ABA applauds you, Madam Chairwoman, for calling a hearing on this important matter. We hope that you and the Subcommittee have a better understanding of how debit cards work, the convenience they offer consumers, and consumers’ rights and protections. We believe that the enthusiastic consumer acceptance of enhanced debit cards demonstrates the value of this popular product. We also think that the industry has responded to any confusion and concern about liability and other matters with voluntary efforts to ensure that consumers are properly informed and protected. Legislation is unnecessary.

We appreciate the opportunity to present ABA’s view on enhanced debit cards.