When I was the CEO of a large credit union in California, I saw firsthand how consumers could panic -- and rightly so -- when their credit or debit cards were lost or stolen.
We obviously couldn't always prevent the initial panic, but we knew what to do to fix the problem: Reassure the member/customer, make sure the old card was canceled, wipe out any fraudulent charges, and issue a new card at no cost.
It was the simple, right way to do business, and thankfully our way of doing business is the norm throughout the country at credit unions and banks to this day.
I thought about all this last week as Sony announced that the personal information of its roughly 77 million consumers had been compromised in a data breach (and a second major breach was reported this week).
Those consumers were correctly advised by the media to contact their bank or credit union and ask that their debit and credit cards be reissued. As I write, I know firsthand that credit unions are working with their members affected by this breach, and reissuing cards to them at no cost. Again, that's the right way to do business, and we have a legal and ethical responsibility to absorb the cost.
But, contrary to what some might think, the expense for taking this action is not and will not be reimbursed by Sony. Rather, credit unions and banks rely on interchange revenue to cover the cost of debit program administration, including in these circumstances, reacting to a merchant data breach.
When all is said and done, credit unions and banks will have spent millions on what appears to be a major security failure caused by Sony's inability to protect its consumer data.
This is another reason why members of Congress should support senators Jon Tester (D-MT) and Bob Corker's (R-TN) legislation (S. 575) to delay new interchange rules proposed by the Federal Reserve Board that are slated to go into effect July 21 of this year.
Today, the debit interchange rate is a percentage of the total value of a transaction; under the board's proposed rule, the rate could not exceed $0.12 per transaction. This capped rate would be significantly below the operational cost of providing debit program services, including fraud protection. An exemption to the cap is provided for smaller institutions, but it won't work; there's no way to actually enforce the exemption.
The board's proposed rule will affect all debit-card-issuing credit unions and other financial institutions. Data breaches such as the one we learned about last week will only exacerbate the problem for credit unions because the proposal and the underlying legislation would not allow these costs to be taken into consideration in terms of our ability to collect interchange revenue.
And sadly, while the size of Sony's data breach is significant, this is not the first merchant data breach and it certainly will not be the last.
Yes, credit unions will continue to protect their members when merchants lose consumer data. But if the senators' legislation is not enacted, merchants will receive a windfall while credit unions will cover even more of the costs of merchant data breaches -- costs they will have no other way to make up but to raise fees on consumers when they would prefer not to do so. That's why we continue to encourage all senators to support the legislation to delay and study the impact of debit interchange fee regulation.
Whether one is a credit union CEO or a consumer, it's clear that data theft is a major and growing problem, and unfortunately, there will be many instances in which cards will need to be canceled and reissued.
We standby as always, ready to help, but we need to be able to afford the cost of helping the consumer.