Credit unions—and their members-- pay a steep price after data breaches

Recent data breaches have had a severe impact on everyone involved: consumers, retailers and financial institutions. However, there seem to be some misconceptions in the public discussion about the unique impact of data breaches on credit unions.

The Credit Union Natl. Assn. (CUNA) and the credit union system feel obligated to refute these false claims in the hope that all parties in the electronic payments system can move past the futile finger-pointing and work together to improve security and protect our customers.

ADVERTISEMENT
First, despite the claims of NACS' Lyle Beckwith in The Hill, merchants are not required to reimburse financial institutions for the cost of card re-issuance after a data breach. Nothing in the Visa and MasterCard network rules provide for merchants to cover the costs of card re-issuance. This cost can be quite substantial, particularly for smaller financial institutions such as credit unions: the recent Target breach has cost credit unions about $5.68 per card affected, and that doesn't even include actual fraud losses.

Second, it is also not the case, as Beckwith alleges, that there are "forced reimbursements" from merchants to card issuers to cover the cost of fraud losses after a breach. After a recent data breach at TJ Maxx, Visa, MasterCard and the retailer reached a settlement to address the card issuers' fraud losses and re-issuance costs, but the credit unions involved received only pennies on the dollar. (And if network rules really did provide for "forced reimbursements," then there would be no need for this type of settlement in the first place.) Furthermore, the notion that the Durbin amendment forces merchants to pay credit unions for the costs of fraud is flawed. The Durbin amendment only applies to debit transactions, not credit, and the rate adjustment does not cover the cost of card re-issuance.

The Target breach alone has already cost credit unions more than $30 million, and those numbers are expected to rise in the coming weeks as more of the cooperative financial institutions report their costs and as fraud losses are incurred down the road. These expenses will not be reimbursed to credit unions by Target and other retailers. And because of credit unions' cooperative structure, these costs are ultimately borne entirely by credit union members, who are ordinary Americans, not rich shareholders or CEOs.

The truth of the matter is that when data breaches like the recent one at Target occur, America's credit unions spend millions of dollars without skipping a beat to protect consumers by re-issuing cards, monitoring accounts and reimbursing customers for fraud. Credit unions pay a steep price after data breaches that they did not cause, all in the name of protecting their members.

Data breaches are a threat to all parties in the payments system. Financial institutions and merchants must work together to implement the best solutions to secure the system and protect consumers from fraud and identity theft, even though these solutions may be costly. While we have all had our disagreements about issues in the past, now is the time to put our customers first and collaborate to ensure the best outcome for Americans.

Magill is executive vice president of Government Affairs at the Credit Union National Association.

More in Technology

Happy Holidays becomes 'Happy Data Breaches'

Read more »