12 CFR Part 235, Appendix A to Part 235 - Official Board Commentary on Regulation II

prev | next
View PDF at GPO Pt. 235, App. A
Appendix A to Part 235—Official Board Commentary on Regulation II
Introduction
The following commentary to Regulation II (12 CFR part 235) provides background material to explain the Board's intent in adopting a particular part of the regulation. The commentary also provides examples to aid in understanding how a particular requirement is to work.
2(a) Account
1. Types of accounts. The term “account” includes accounts held by any person, including consumer accounts (i.e., those established primarily for personal, family or household purposes) and business accounts. Therefore, the limitations on interchange transaction fees and the prohibitions on network exclusivity arrangements and routing restrictions apply to all electronic debit transactions, regardless of whether the transaction involves a debit card issued primarily for personal, family, or household purposes or for business purposes. For example, an issuer of a business-purpose debit card is subject to the restrictions on interchange transaction fees and is also prohibited from restricting the number of payment card networks on which an electronic debit transaction may be processed under § 235.7.
2. Bona fide trusts. This part does not define the term bona fide trust agreement; therefore, institutions must look to state or other applicable law for interpretation. An account held under a custodial agreement that qualifies as a trust under the Internal Revenue Code, such as an individual retirement account, is considered to be held under a trust agreement for purposes of this part.
3. Account located in the United States. This part applies only to electronic debit transactions that are initiated to debit (or credit, for example, in the case of returned goods or cancelled services) an account located in the United States. If a cardholder uses a debit card to debit an account held outside the United States, then the electronic debit transaction is not subject to this part.
2(b) Acquirer
1. In general. The term “acquirer” includes only the institution that contracts, directly or indirectly, with a merchant to provide settlement for the merchant's electronic debit transactions over a payment card network (referred to as acquiring the merchant's electronic debit transactions). In some acquiring relationships, an institution provides processing services to the merchant and is a licensed member of the payment card network, but does not settle the transactions with the merchant (by crediting the merchant's account) or with the issuer. These institutions are not “acquirers” because they do not provide credit to the merchant for the transactions or settle the merchant's transactions with the issuer. These institutions are considered processors and in some circumstances may be considered payment card networks for purposes of this part (See§§ 235.2(m), 235.2(o), and commentary thereto).
2(c) Affiliate
1. Types of entities. The term “affiliate” includes any bank and nonbank affiliates located in the United States or a foreign country.
2. Other affiliates. For commentary on whether merchants are affiliated, see comment 2(f)-7.
2(d) Cardholder
1. Scope. In the case of debit cards that access funds in transaction, savings, or other similar asset accounts, “the person to whom a card is issued” generally will be the named person or persons holding the account. If the account is a business account, multiple employees (or other persons associated with the business) may have debit cards that can access the account. Each employee that has a debit card that can access the account is a cardholder. In the case of a prepaid card, the cardholder generally is either the purchaser of the card or a person to whom the purchaser gave the card, such as a gift recipient.
2(e) Control [Reserved]
2(f) Debit Card
1. Card, or other payment code or device. The term “debit card” as defined in § 235.2(f) applies to any card, or other payment code or device, even if it is not issued in a physical form. Debit cards include, for example, an account number or code that can be used to access funds in an account to make Internet purchases. Similarly, the term “debit card” includes a device with a chip or other embedded mechanism, such as a mobile phone or sticker containing a contactless chip that links the device to funds stored in an account, and enables an account to be debited. The term “debit card,” however, does not include a one-time password or other code if such password or code is used for the purposes of authenticating the cardholder and is used in addition to another card, or other payment code or device, rather than as the payment code or device.
2. Deferred debit cards. The term “debit card” includes a card, or other payment code or device, that is used in connection with deferred debit card arrangements in which transactions are not immediately posted to and funds are not debited from the underlying transaction, savings, or other asset account upon settlement of the transaction. Instead, the funds in the account typically are held and made unavailable for other transactions for a period of time specified in the issuer-cardholder agreement. After the expiration of the time period, the cardholder's account is debited for the value of all transactions made using the card that have been submitted to the issuer for settlement during that time period. For example, under some deferred debit card arrangements, the issuer may debit the consumer's account for all debit card transactions that occurred during a particular month at the end of the month. Regardless of the time period between the transaction and account posting, a card, or other payment code or device, that is used in connection with a deferred debit arrangement is considered a debit card for purposes of the requirements of this part.
3. Decoupled debit cards. Decoupled debit cards are issued by an entity other than the financial institution holding the cardholder's account. In a decoupled debit arrangement, transactions that are authorized by the card issuer settle against the cardholder's account held by an entity other than the issuer, generally via a subsequent ACH debit to that account. The term “debit card” includes any card, or other payment code or device, issued or approved for use through a payment card network to debit an account, regardless of whether the issuer holds the account. Therefore, decoupled debit cards are debit cards for purposes of this part.
4. Hybrid cards.
i. Some cards, or other payment codes or devices, may have both credit- and debit-like features (“hybrid cards”). For example, these cards may enable a cardholder to access a line of credit, but select certain transactions for immediate repayment (i.e., prior to the end of a billing cycle) via a debit to the cardholder's account, as the term is defined in § 235.2(a), held either with the issuer or at another institution. If a card permits a cardholder to initiate transactions that debit an account or funds underlying a prepaid card, the card is considered a debit card for purposes of this part. Not all transactions initiated by such a hybrid card, however, are electronic debit transactions. Rather, only those transactions that debit an account as defined in this part or funds underlying a prepaid card are electronic debit transactions. If the transaction posts to a line of credit, then the transaction is a credit transaction.
ii. If an issuer conditions the availability of a credit or charge card that permits pre-authorized repayment of some or all transactions on the cardholder maintaining an account at the issuer, such a card is considered a debit card for purposes of this part.
5. Virtual wallets. A virtual wallet is a device (e.g., a mobile phone) that stores several different payment codes or devices (“virtual cards”) that access different accounts, funds underlying the card, or lines of credit. At the point of sale, the cardholder may select from the virtual wallet the virtual card he or she wishes to use for payment. The virtual card that the cardholder uses for payment is considered a debit card under this part if the virtual card that initiates a transaction meets the definition of debit card, notwithstanding the fact that other cards in the wallet may not be debit cards.
6. General-use prepaid card. The term “debit card” includes general-use prepaid cards. See § 235.2(i) and related commentary for information on general-use prepaid cards.
7. Store cards. The term “debit card” does not include prepaid cards that may be used at a single merchant or affiliated merchants. Two or more merchants are affiliated if they are related by either common ownership or by common corporate control. For purposes of the “debit card” definition, franchisees are considered to be under common corporate control if they are subject to a common set of corporate policies or practices under the terms of their franchise licenses.
8. Checks, drafts, and similar instruments. The term “debit card” does not include a check, draft, or similar paper instrument or a transaction in which the check is used as a source of information to initiate an electronic payment. For example, if an account holder provides a check to buy goods or services and the merchant takes the account number and routing number information from the MICR line at the bottom of a check to initiate an ACH debit transfer from the cardholder's account, the check is not a debit card, and such a transaction is not considered an electronic debit transaction. Likewise, the term “debit card” does not include an electronic representation of a check, draft, or similar paper instrument.
9. ACH transactions. The term “debit card” does not include an account number when it is used by a person to initiate an ACH transaction that debits that person's account. For example, if an account holder buys goods or services over the Internet using an account number and routing number to initiate an ACH debit, the account number is not a debit card, and such a transaction is not considered an electronic debit transaction. However, the use of a card to purchase goods or services that debits the cardholder's account that is settled by means of a subsequent ACH debit initiated by the card issuer to the cardholder's account, as in the case of a decoupled debit card arrangement, involves the use of a debit card for purposes of this part.
2(g) Designated Automated Teller Machine (ATM) Network
1. Reasonable and convenient access clarified. Under § 235.2(g)(2), a designated ATM network includes any network of ATMs identified by the issuer that provides reasonable and convenient access to the issuer's cardholders. Whether a network provides reasonable and convenient access depends on the facts and circumstances, including the distance between ATMs in the designated network and each cardholder's last known home or work address, or if a home or work address is not known, where the card was first issued.
2(h) Electronic Debit Transaction
1. Debit an account. The term “electronic debit transaction” includes the use of a card to debit an account. The account debited could be, for example, the cardholder's asset account or the account that holds the funds used to settle prepaid card transactions.
2. Form of payment. The term “electronic debit transaction” includes the use of a card as a form of payment that may be made in exchange for goods or services, as a charitable contribution, to satisfy an obligation (e.g., tax liability), or for other purposes.
3. Subsequent transactions. The term “electronic debit transaction” includes both the cardholder's use of a debit card for the initial payment and any subsequent use by the cardholder of the debit card in connection with the initial payment. For example, the term “electronic debit transaction” includes using the debit card to return merchandise or cancel a service that then results in a debit to the merchant's account and a credit to the cardholder's account.
4. Cash withdrawal at the point of sale. The term “electronic debit transaction” includes a transaction in which a cardholder uses the debit card both to make a purchase and to withdraw cash (known as a “cash-back transaction”).
5. Geographic limitation. This regulation applies only to electronic debit transactions that are initiated at a merchant located in the United States. If a cardholder uses a debit card at a merchant located outside the United States to debit an account held in the United States, the electronic debit transaction is not subject to this part.
2(i) General-Use Prepaid Card
1. Redeemable upon presentation at multiple, unaffiliated merchants. A prepaid card is redeemable upon presentation at multiple, unaffiliated merchants if such merchants agree to honor the card.
2. Selective authorization cards. Selective authorization cards, (e.g., mall cards) are generally intended to be used or redeemed for goods or services at participating retailers within a shopping mall or other limited geographic area. Selective authorization cards are considered general-use prepaid cards, regardless of whether they carry the mark, logo, or brand of a payment card network, if they are redeemable at multiple, unaffiliated merchants.
2(j) Interchange Transaction fee
1. In general. Generally, the payment card network is the entity that establishes and charges the interchange transaction fee to the acquirers or merchants. The acquirers then pay to the issuers any interchange transaction fee established and charged by the network. Acquirers typically pass the interchange transaction fee through to merchant-customers.
2. Compensating an issuer. The term “interchange transaction fee” is limited to those fees that a payment card network establishes, charges, or receives to compensate the issuer for its role in the electronic debit transaction. By contrast, payment card networks generally charge issuers and acquirers fees for services the network performs. Such fees are not interchange transaction fees because the payment card network is charging and receiving the fee as compensation for services it provides.
3. Established, charged, or received. Interchange transaction fees are not limited to those fees for which a payment card network sets the value. A fee that compensates an issuer is an interchange transaction fee if the fee is set by the issuer but charged to acquirers by virtue of the network determining each participant's net settlement position.
2(k) Issuer
1. In general. A person issues a debit card by authorizing the use of debit card by a cardholder to perform electronic debit transactions. That person may provide the card directly to the cardholder or indirectly by using a third party (such as a processor, or a telephone network or manufacturer) to provide the card, or other payment code or device, to the cardholder. The following examples illustrate the entity that is the issuer under various card program arrangements. For purposes of determining whether an issuer is exempted under § 235.5(a), however, the term issuer is limited to the entity that holds the account being debited.
2. Traditional debit card arrangements. In a traditional debit card arrangement, the bank or other entity holds the cardholder's funds and authorizes the cardholder to use the debit card to access those funds through electronic debit transactions, and the cardholder receives the card directly or indirectly (e.g., through an agent) from the bank or other entity that holds the funds (except for decoupled debit cards, discussed below). In this system, the bank or entity holding the cardholder's funds is the issuer.
3. BIN-sponsor arrangements. Payment card networks assign Bank Identification Numbers (BINs) to member-institutions for purposes of issuing cards, authorizing, clearing, settling, and other processes. In exchange for a fee or other financial considerations, some members of payment card networks permit other entities to issue debit cards using the member's BIN. The entity permitting the use of its BIN is referred to as the “BIN sponsor” and the entity that uses the BIN to issue cards is often referred to as the “affiliate member.” BIN sponsor arrangements can follow at least two different models:
i. Sponsored debit card model. In some cases, a community bank or credit union may provide debit cards to its account holders through a BIN sponsor arrangement with a member institution. In general, the bank or credit union will authorize its account holders to use debit cards to perform electronic debit transactions that access funds in accounts at the bank or credit union. The bank or credit union's name typically will appear on the debit card. The bank or credit union may directly or indirectly provide the cards to cardholders. Under these circumstances, the bank or credit union is the issuer for purposes of this part. If that bank or credit union, together with its affiliates, has assets of less than $10 billion, then that bank or credit union is exempt from the interchange transaction fee restrictions. Although the bank or credit union may distribute cards through the BIN sponsors, the BIN sponsor does not enter into the agreement with the cardholder that authorizes the cardholder to use the card to perform electronic debit transactions that access funds in the account at the bank or credit union, and therefore the BIN sponsor is not the issuer.
ii. Prepaid card model. A member institution may also serve as the BIN sponsor for a prepaid card program. Under these arrangements, a program manager distributes prepaid cards to the cardholders and the BIN-sponsoring institution generally holds the funds for the prepaid card program in an omnibus or pooled account. Either the BIN sponsor or the prepaid card program manager may keep track of the underlying funds for each individual prepaid card through subaccounts. While the cardholder may receive the card directly from the program manager or at a retailer, the BIN sponsor authorizes the cardholder to use the card to perform electronic debit transactions that access the funds in the pooled account and the cardholder's relationship generally is with the BIN sponsor. Accordingly, under these circumstances, the BIN sponsor, or the bank holding the pooled account, is the issuer.
4. Decoupled debit cards. In the case of decoupled debit cards, an entity other than the bank holding the cardholder's account enters into a relationship with the cardholder authorizing the use of the card to perform electronic debit transactions. The entity authorizing the use of the card to perform electronic debit transaction typically arranges for the card to be provided directly or indirectly to the cardholder and has a direct relationship with the cardholder with respect to the card. The bank holding the cardholder's account has agreed generally to permit ACH debits to the account, but has not authorized the use of the debit card to access the funds through electronic debit transactions. Under these circumstances, the entity authorizing the use of the debit card, and not the account-holding institution, is considered the issuer. An issuer of a decoupled debit card is not exempt under § 235.5(a), even if, together with its affiliates, it has assets of less than $10 billion, because it is not the entity holding the account to be debited.
2(l) Merchant [Reserved]
2(m) Payment Card Network
1. In general. An entity is a considered a payment card network with respect to an electronic debit transaction for purposes of this rule if it routes information and data to the issuer from the acquirer to conduct authorization, clearance, and settlement of the electronic debit transaction. By contrast, if an entity receives transaction information and data from a merchant and authorizes and settles the transaction without routing the information and data to another entity (i.e., the issuer or the issuer's processor) for authorization, clearance, or settlement, that entity is not considered a payment card network with respect to the electronic debit transaction.
2. Three-party systems. In the case of a three-party system, electronic debit transactions are processed by an entity that acts as system operator and issuer, and may also act as the acquirer. The entity acting as system operator and issuer that receives the transaction information from the merchant or acquirer also holds the cardholder's funds. Therefore, rather than directing the transaction information to a separate issuer, the entity authorizes and settles the transaction based on the information received from the merchant. As these entities do not connect (or “network”) multiple issuers and do not route information to conduct the transaction, they are not “payment card networks” with respect to these transactions.
3. Processors as payment card networks. A processor is considered a payment card network if, in addition to acting as processor for an acquirer and issuer, the processor routes transaction information and data received from a merchant or the merchant's acquirer to an issuer. For example, if a merchant uses a processor in order to accept any, some, or all brands of debit cards and the processor routes transaction information and data to the issuer or issuer's processor, the merchant's processor is considered a payment card network with respect to the electronic debit transaction. If the processor establishes, charges, or receives a fee for the purpose of compensating an issuer, that fee is considered an interchange transaction fee for purposes of this part.
4. Automated clearing house (ACH) operators. An ACH operator is not considered a payment card network for purposes of this part. While an ACH operator processes transactions that debit an account and provides for interbank clearing and settlement of such transactions, a person does not use the ACH system to accept as a form of payment a brand of debit card.
5. ATM networks. An ATM network is not considered a payment card network for purposes of this part. While ATM networks process transactions that debit an account and provide for interbank clearing and settlement of such transactions, a cash withdrawal from an ATM is not a payment because there is no exchange of money for goods or services, or payment made as a charitable contribution, to satisfy an obligation (e.g., tax liability), or for other purposes.
2(n) Person [Reserved]
2(o) Processor
1. Distinction from acquirers. A processor may perform all transaction-processing functions for a merchant or acquirer, but if it does not acquire (that is, settle with the merchant for the transactions), it is not an acquirer. The entity that acquirers electronic debit transactions is the entity that is responsible to other parties to the electronic debit transaction for the amount of the transaction.
2. Issuers. A processor may perform services related to authorization, clearance, and settlement of transactions for an issuer without being considered to be an issuer for purposes of this part.
2(p) Route
1. An entity routes information if it both directs and sends the information to an unaffiliated entity (or affiliated entity acting on behalf of the unaffiliated entity). This other entity may be a payment card network or processor (if the entity directing and sending the information is a merchant or an acquirer) or an issuer or processor (if the entity directing and sending the information is a payment card network).
2(q) United States [Reserved]
Section 235.3Reasonable and Proportional Interchange Transaction Fees
3(a) [Reserved]
3(b) Determining Reasonable and Proportional Fees
1. Two components. The standard for the maximum permissible interchange transaction fee that an issuer may receive consists of two components: a base component that does not vary with a transaction's value and an ad valorem component. The amount of any interchange transaction fee received or charged by an issuer may not exceed the sum of the maximum permissible amounts of each component and any fraud-prevention adjustment the issuer is permitted to receive under § 235.4 of this part.
2. Variation in interchange fees. An issuer is permitted to charge or receive, and a network is permitted to establish, interchange transaction fees that vary in their base component and ad valorem component based on, for example, the type of transaction or merchant, provided the amount of any interchange transaction fee for any transaction does not exceed the sum of the maximum permissible base component of 21 cents and 5 basis points of the value of the transaction.
3. Example. For a $39 transaction, the maximum permissible interchange transaction fee is 22.95 cents (21 cents plus 5 basis points of $39). A payment card network may, for example, establish an interchange transaction fee of 22 cents without any ad valorem component.
Section 235.4Fraud-Prevention Adjustment
4(b) Issuer Standards
Section 235.4Fraud-prevention adjustment
4(a) [Reserved]
4(b)(1) Issuer standards
1. An issuer's policies and procedures should address fraud related to debit card use by unauthorized persons. Examples of use by unauthorized persons include, but are not limited to, the following:
i. A thief steals a cardholder's wallet and uses the debit card to purchase goods, without the authority of the cardholder.
ii. A cardholder makes a purchase at a merchant. Subsequently, the merchant's employee uses information from the debit card to initiate a subsequent transaction, without the authority of the cardholder.
iii. A hacker steals cardholder account information from the issuer or a merchant processor and uses the stolen information to make unauthorized card-not-present purchases or to create a counterfeit card to make unauthorized card-present purchases.
2. An issuer's policies and procedures must be designed to reduce fraud, where cost effective, across all types of electronic debit transactions in which its cardholders engage. Therefore, an issuer should consider whether its policies and procedures are effective for each method used to authenticate the card (e.g., a chip or a code embedded in the magnetic stripe) and the cardholder (e.g., a signature or a PIN), and for different sales channels (e.g., card-present and card-not-present).
3. An issuer's policies and procedures must be designed to take effective steps to reduce both the occurrence of and costs to all parties from fraudulent electronic debit transactions. An issuer should take steps reasonably designed to reduce the number and value of its fraudulent electronic debit transactions relative to its non-fraudulent electronic debit transactions. These steps should reduce the costs from fraudulent transactions to all parties, not merely the issuer. For example, an issuer should take steps to reduce the number and value of its fraudulent electronic debit transactions relative to its non-fraudulent transactions whether or not it bears the fraud losses as a result of regulations or network rules.
4. For any given issuer, the number and value of fraudulent electronic debit transactions relative to non-fraudulent transactions may vary materially from year to year. Therefore, in certain circumstances, an issuer's policies and procedures may be effective notwithstanding a relative increase in the transactions that are fraudulent in a particular year. However, continuing increases in the share of fraudulent transactions would warrant further scrutiny.
5. In determining which fraud-prevention technologies to implement or retain, an issuer must consider the cost-effectiveness of the technology, that is, the expected cost of the technology relative to its expected effectiveness in controlling fraud. In evaluating the cost of a particular technology, an issuer should consider whether and to what extent other parties will incur costs to implement the technology, even though an issuer may not have complete information about the costs that may be incurred by other parties, such as the cost of new merchant terminals. In evaluating the costs, an issuer should consider both initial implementation costs and ongoing costs of using the fraud-prevention method.
6. An issuer need not develop fraud-prevention technologies itself to satisfy the standards in § 235.4(b). An issuer may implement fraud-prevention technologies that have been developed by a third party that the issuer has determined are appropriate under its own policies and procedures.
Paragraph 4(b)(2) Elements of fraud-prevention policies and procedures.
1. In general. An issuer may tailor its policies and procedures to address its particular debit card program, including the size of the program, the types of transactions in which its cardholders commonly engage, fraud types and methods experienced by the issuer, and the cost of implementing new fraud-prevention methods in light of the expected fraud reduction.
Paragraph 4(b)(2)(i). Methods to identify and prevent fraudulent debit card transactions.
1. In general. Examples of policies and procedures reasonably designed to identify and prevent fraudulent electronic debit transactions include the following:
i. Practices to help determine whether a card is authentic and whether the user is authorized to use the card at the time of a transaction. For example, an issuer may specify the use of particular authentication technologies or methods, such as dynamic data, to better authenticate a card and cardholder at the time of the transaction, to the extent doing so does not inhibit the ability of a merchant to direct the routing of electronic debit transactions for processing over any payment card network that may process such transactions. (See§ 235.7 and commentary thereto.)
ii. An automated mechanism to assess the risk that a particular electronic debit transaction is fraudulent during the authorization process (i.e., before the issuer approves or declines an authorization request). For example, an issuer may use neural networks to identify transactions that present increased risk of fraud. As a result of this analysis, the issuer may decide to decline to authorize these transactions. An issuer may not be able to determine whether a given transaction in isolation is fraudulent at the time of authorization, and therefore may have implemented policies and procedures that monitor sets of transactions initiated with a cardholder's debit card. For example, an issuer could compare a set of transactions initiated with the card to a customer's typical transactions in order to determine whether a transaction is likely to be fraudulent. Similarly, an issuer could compare a set of transactions initiated with a debit card and common fraud patterns in order to determine whether a transaction or future transaction is likely to be fraudulent.
iii. Practices to support reporting of lost and stolen cards or suspected incidences of fraud by cardholders or other parties to a transaction. As an example, an issuer may promote customer awareness by providing text alerts of transactions in order to detect fraudulent transactions in a timely manner. An issuer may also report debit cards suspected of being fraudulent to their networks for inclusion in a database of potentially compromised cards.
Paragraph 4(b)(2)(ii). Monitoring of the issuer's volume and value of fraudulent electronic debit transactions.
1. Tracking its fraudulent electronic debit transactions over time enables an issuer to assess whether its policies and procedures are effective. Accordingly, an issuer must include policies and procedures designed to monitor trends in the number and value of its fraudulent electronic debit transactions. An effective monitoring program would include tracking issuer losses from fraudulent electronic debit transactions, fraud-related chargebacks to acquirers, losses passed on to cardholders, and any other reimbursements from other parties. Other reimbursements could include payments made to issuers as a result of fines assessed to merchants for noncompliance with Payment Card Industry (PCI) Data Security Standards or other industry standards. An issuer should also establish procedures to track fraud-related information necessary to perform its reviews under § 235.4(b)(3) and to retain and report information as required under § 235.8.
Paragraph 4(b)(2)(iii). Appropriate responses to suspicious electronic debit transactions.
1. An issuer may identify transactions that it suspects to be fraudulent after it has authorized or settled the transaction. For example, a cardholder may inform the issuer that the cardholder did not initiate a transaction or transactions, or the issuer may learn of a fraudulent transaction or possibly compromised debit cards from the network, the acquirer, or other parties. An issuer must implement policies and procedures designed to provide an appropriate response once an issuer has identified suspicious transactions to reduce the occurrence of future fraudulent electronic debit transactions and the costs associated with such transactions. The appropriate response may differ depending on the facts and circumstances, including the issuer's assessment of the risk of future fraudulent electronic debit transactions. For example, in some circumstances, it may be sufficient for an issuer to monitor more closely the account with the suspicious transactions. In other circumstances, it may be necessary to contact the cardholder to verify a transaction, reissue a card, or close an account. An appropriate response may also require coordination with industry organizations, law enforcement agencies, and other parties, such as payment card networks, merchants, and issuer or merchant processors.
Paragraph 4(b)(2)(iv). Methods to secure debit card and cardholder data.
1. An issuer must implement policies and procedures designed to secure debit card and cardholder data. These policies and procedures should apply to data that are transmitted by the issuer (or its service provider) during transaction processing, that are stored by the issuer (or its service provider), and that are carried on media (e.g., laptops, transportable data storage devices) by employees or agents of the issuer. This standard may be incorporated into an issuer's information security program, as required by Section 501(b) of the Gramm-Leach-Bliley Act.
Paragraph 4(b)(3) Review of and updates to policies and procedures.
1. i. An issuer's assessment of the effectiveness of its policies and procedures should consider whether they are reasonably designed to reduce the number and value of fraudulent electronic debit transactions relative to non-fraudulent electronic debit transactions and are cost effective. (See comment 4(b)(1)-3 and comment 4(b)(1)-5).
ii. An issuer must also assess its policies and procedures in light of changes in fraud types (e.g., the use of counterfeit cards, lost or stolen cards) and methods (e.g., common purchase patterns indicating possible fraudulent behavior), as well as changes in the available methods of detecting and preventing fraudulent electronic debit transactions (e.g., transaction monitoring, authentication methods) as part of its periodic review of its policies and procedures. An issuer's review of its policies and procedures must consider information from the issuer's own experience and that the issuer otherwise identified itself; information from payment card networks, law enforcement agencies, and fraud-monitoring groups in which the issuer participates; and supervisory guidance. For example, an issuer should consider warnings and alerts it receives from payment card networks regarding compromised cards and data breaches.
2. An issuer should review its policies and procedures and their implementation more frequently than annually if the issuer determines that more frequent review is appropriate based on information obtained from monitoring its fraudulent electronic debit transactions, changes in the types or methods of fraud, or available methods of detecting and preventing fraudulent electronic debit transactions. (See§ 235.4(b)(1)(ii) and commentary thereto.)
3. In light of an issuer's review of its policies and procedures, and their implementation, the issuer may determine that updates to its policies and procedures, and their implementation, are necessary. Merely determining that updates are necessary does not render an issuer ineligible to receive or charge the fraud-prevention adjustment. To remain eligible to receive or charge a fraud-prevention adjustment, however, an issuer should develop and implement such updates as soon as reasonably practicable, in light of the facts and circumstances.
4(c) Notification.
1. Payment card networks that plan to allow issuers to receive or charge a fraud-prevention adjustment can develop processes for identifying issuers eligible for this adjustment. Each issuer that wants to be eligible to receive or charge a fraud-prevention adjustment must notify annually the payment card networks in which it participates of its compliance through the networks' processes.
Section 235.5Exemptions for Certain Electronic Debit Transactions
1. Eligibility for multiple exemptions. An electronic debit transaction may qualify for one or more exemptions. For example, a debit card that has been provided to a person pursuant to a Federal, State, or local government-administered payment program may be issued by an entity that, together with its affiliates, has assets of less than $10 billion as of the end of the preceding calendar year. In this case, an electronic debit transaction made using that card may qualify for the exemption under § 235.5(a) for small issuers or for the exemption under § 235.5(b) for government-administered payment programs. A payment card network establishing interchange fees for transactions that qualify for more than one exemption need only satisfy itself that the issuer's transactions qualify for at least one of the exemptions in order to exempt the electronic debit transaction from the interchange fee restrictions.
2. Certification process. Payment card networks that plan to allow issuers to receive higher interchange fees than permitted under §§ 235.3 and 235.4 pursuant to one of the exemptions in § 235.5 could develop their own processes for identifying issuers and products eligible for such exemptions. Section 235.5(a)(2) permits payment card networks to rely on lists published by the Board to help determine eligibility for the small issuer exemption set forth in § 235.5(a)(1).
5(a) Exemption for Small Issuers
1. Asset size determination. An issuer would qualify for the small-issuer exemption if its total worldwide banking and nonbanking assets, including assets of affiliates, other than trust assets under management, are less than $10 billion, as of December 31 of the preceding calendar year.
2. Change in status. If an exempt issuer becomes covered based on its and its affiliates assets at the end of a calendar year, that issuer must begin complying with the interchange fee standards (§ 235.3), the fraud-prevention adjustment standards (to the extent the issuer wishes to receive a fraud-prevention adjustment) (§ 235.4), and the provisions prohibiting circumvention, evasion, and net compensation (§ 235.6) no later than July 1.
5(b) Exemption for Government-Administered Payment Programs
1. Government-administered payment program. A program is considered government-administered regardless of whether a Federal, State, or local government agency operates the program or outsources some or all functions to third parties so long as the program is operated on behalf of the government agency. In addition, a program may be government-administered even if a Federal, State, or local government agency is not the source of funds for the program it administers. For example, child support programs are government-administered programs even though a Federal, State, or local government agency is not the source of funds. A tribal government is considered a local government for purposes of this exemption.
5(c) Exemption for Certain Reloadable Prepaid Cards
1. Subaccount clarified. A subaccount is an account within an account, opened in the name of an agent, nominee, or custodian for the benefit of two or more cardholders, where the transactions and balances of individual cardholders are tracked in such subaccounts. An account that is opened solely in the name of a single cardholder is not a subaccount.
2. Reloadable. A general-use prepaid card is “reloadable” if the terms and conditions of the agreement permit funds to be added to the general-use prepaid card at any time after the initial purchase or issuance. A general-use prepaid card is not “reloadable” merely because the issuer or processor is technically able to add functionality that would otherwise enable the general-use prepaid card to be reloaded.
3. Marketed or labeled as a gift card or gift certificate. i. Electronic debit transactions made using a reloadable general-use prepaid card are not exempt from the interchange fee restrictions if the card is marketed or labeled as a gift card or gift certificate. The term “marketed or labeled as a gift card or gift certificate” means directly or indirectly offering, advertising or otherwise suggesting the potential use of a general-use prepaid card as a gift for another person. Whether the exclusion applies generally does not depend on the type of entity that makes the promotional message. For example, a card may be marketed or labeled as a gift card or gift certificate if anyone (other than the purchaser of the card), including the issuer, the retailer, the program manager that may distribute the card, or the payment network on which a card is used, promotes the use of the card as a gift card or gift certificate. A general-use prepaid card is marketed or labeled as a gift card or gift certificate even if it is only occasionally marketed as a gift card or gift certificate. For example, a network-branded general purpose reloadable card would be marketed or labeled as a gift card or gift certificate if the issuer principally advertises the card as a less costly alternative to a bank account but promotes the card in a television, radio, newspaper, or Internet advertisement, or on signage as “the perfect gift” during the holiday season.
ii. The mere mention of the availability of gift cards or gift certificates in an advertisement or on a sign that also indicates the availability of exempted general-use prepaid cards does not by itself cause the general-use prepaid card to be marketed as a gift card or a gift certificate. For example, the posting of a sign in a store that refers to the availability of gift cards does not by itself constitute the marketing of otherwise exempted general-use prepaid cards that may also be sold in the store along with gift cards or gift certificates, provided that a person acting reasonably under the circumstances would not be led to believe that the sign applies to all cards sold in the store. (See, however, comment 5(c)-4.ii.)
4. Examples of marketed or labeled as a gift card or gift certificate.
i. The following are examples of marketed or labeled as a gift card or gift certificate:
A. Using the word “gift” or “present” on a card or accompanying material, including documentation, packaging and promotional displays;
B. Representing or suggesting that a card can be given to another person, for example, as a “token of appreciation” or a “stocking stuffer,” or displaying a congratulatory message on the card or accompanying material;
C. Incorporating gift-giving or celebratory imagery or motifs, such as a bow, ribbon, wrapped present, candle, or a holiday or congratulatory message, on a card, accompanying documentation, or promotional material;
ii. The term does not include the following:
A. Representing that a card can be used as a substitute for a checking, savings, or deposit account;
B. Representing that a card can be used to pay for a consumer's health-related expenses—for example, a card tied to a health savings account;
C. Representing that a card can be used as a substitute for travelers checks or cash;
D. Representing that a card can be used as a budgetary tool, for example, by teenagers, or to cover emergency expenses.
5. Reasonable policies and procedures to avoid marketing as a gift card. The exemption for a general-use prepaid card that is reloadable and not marketed or labeled as a gift card or gift certificate in § 235.5(c) applies if a reloadable general-use prepaid card is not marketed or labeled as a gift card or gift certificate and if persons involved in the distribution or sale of the card, including issuers, program managers, and retailers, maintain policies and procedures reasonably designed to avoid such marketing. Such policies and procedures may include contractual provisions prohibiting a reloadable general-use prepaid card from being marketed or labeled as a gift card or gift certificate, merchandising guidelines or plans regarding how the product must be displayed in a retail outlet, and controls to regularly monitor or otherwise verify that the general-use prepaid card is not being marketed as a gift card. Whether a general-use prepaid card has been marketed as a gift card or gift certificate will depend on the facts and circumstances, including whether a reasonable person would be led to believe that the general-use prepaid card is a gift card or gift certificate. The following examples illustrate the application of § 235.5(c):
i. An issuer or program manager of prepaid cards agrees to sell general-purpose reloadable cards through a retailer. The contract between the issuer or program manager and the retailer establishes the terms and conditions under which the cards may be sold and marketed at the retailer. The terms and conditions prohibit the general-purpose reloadable cards from being marketed as a gift card or gift certificate, and require policies and procedures to regularly monitor or otherwise verify that the cards are not being marketed as such. The issuer or program manager sets up one promotional display at the retailer for gift cards and another physically separated display for exempted products under § 235.5(c), including general-purpose reloadable cards, such that a reasonable person would not believe that the exempted cards are gift cards. The exemption in § 235.5(c) applies because policies and procedures reasonably designed to avoid the marketing of the general-purpose reloadable cards as gift cards or gift certificates are maintained, even if a retail clerk inadvertently stocks or a consumer inadvertently places a general-purpose reloadable card on the gift card display.
ii. Same facts as in comment 5(c)-5.i, except that the issuer or program manager sets up a single promotional display at the retailer on which a variety of prepaid cards are sold, including store gift cards and general-purpose reloadable cards. A sign stating “Gift Cards” appears prominently at the top of the display. The exemption in § 235.5(c) does not apply with respect to the general-purpose reloadable cards because policies and procedures reasonably designed to avoid the marketing of exempted cards as gift cards or gift certificates are not maintained.
iii. Same facts as in comment 5(c)-5.i, except that the issuer or program manager sets up a single promotional multi-sided display at the retailer on which a variety of prepaid card products, including store gift cards and general-purpose reloadable cards are sold. Gift cards are segregated from exempted cards, with gift cards on one side of the display and exempted cards on a different side of a display. Signs of equal prominence at the top of each side of the display clearly differentiate between gift cards and the other types of prepaid cards that are available for sale. The retailer does not use any more conspicuous signage suggesting the general availability of gift cards, such as a large sign stating “Gift Cards” at the top of the display or located near the display. The exemption in § 235.5(c) applies because policies and procedures reasonably designed to avoid the marketing of the general-purpose reloadable cards as gift cards or gift certificates are maintained, even if a retail clerk inadvertently stocks or a consumer inadvertently places a general-purpose reloadable card on the gift card display.
iv. Same facts as in comment 5(c)-5.i, except that the retailer sells a variety of prepaid card products, including store gift cards and general-purpose reloadable cards, arranged side-by-side in the same checkout lane. The retailer does not affirmatively indicate or represent that gift cards are available, such as by displaying any signage or other indicia at the checkout lane suggesting the general availability of gift cards. The exemption in § 235.5(c) applies because policies and procedures reasonably designed to avoid marketing the general-purpose reloadable cards as gift cards or gift certificates are maintained.
6. On-line sales of prepaid cards. Some web sites may prominently advertise or promote the availability of gift cards or gift certificates in a manner that suggests to a consumer that the web site exclusively sells gift cards or gift certificates. For example, a web site may display a banner advertisement or a graphic on the home page that prominently states “Gift Cards,” “Gift Giving,” or similar language without mention of other available products, or use a web address that includes only a reference to gift cards or gift certificates in the address. In such a case, a consumer acting reasonably under the circumstances could be led to believe that all prepaid products sold on the web site are gift cards or gift certificates. Under these facts, the web site has marketed all such products as gift cards or gift certificates, and the exemption in § 235.5(c) does not apply to any products sold on the web site.
7. Temporary non-reloadable cards issued in connection with a general-use reloadable card. Certain general-purpose prepaid cards that are typically marketed as an account substitute initially may be sold or issued in the form of a temporary non-reloadable card. After the card is purchased, the cardholder is typically required to call the issuer to register the card and to provide identifying information in order to obtain a reloadable replacement card. In most cases, the temporary non-reloadable card can be used for purchases until the replacement reloadable card arrives and is activated by the cardholder. Because the temporary non-reloadable card may only be obtained in connection with the reloadable card, the exemption in § 235.5(c) applies so long as the card is not marketed as a gift card or gift certificate.
5(d) Exception
1. Additional ATM access. Some debit cards may be used to withdraw cash from ATMs that are not part of the issuer's designated ATM network. An electronic debit card transaction may still qualify for the exemption under §§ 235.5(b) or (c) with a respect to a card for which a fee may be imposed for a withdrawal from an ATM that is outside of the issuer's designated ATM network as long as the card complies with the condition set forth in § 235.5(d)(2) for withdrawals within the issuer's designated ATM network. The condition with respect to ATM fees does not apply to cards that do not provide ATM access.
Section 235.6Prohibition on Circumvention, Evasion, and Net Compensation
1. No applicability to exempt issuers or electronic debit transactions. The prohibition against circumventing or evading the interchange transaction fee restrictions or against net compensation does not apply to issuers or electronic debit transactions that qualify for an exemption under § 235.5 from the interchange transaction fee restrictions.
6(a) Prohibition of Circumvention or Evasion
1. Finding of circumvention or evasion. A finding of evasion or circumvention will depend on all relevant facts and circumstances. Although net compensation may be one form of circumvention or evasion prohibited under § 235.6(a), it is not the only form.
2. Examples of circumstances that may constitute circumvention or evasion.
The following examples do not constitute per se circumvention or evasion, but may warrant additional supervisory scrutiny to determine whether the totality of the facts and circumstances constitute circumvention or evasion:
i. A payment card network decreases network processing fees paid by issuers for electronic debit transactions by 50 percent and increases the network processing fees charged to merchants or acquirers with respect to electronic debit transactions by a similar amount. Because the requirements of this subpart do not restrict or otherwise establish the amount of fees that a network may charge for its services, the increase in network fees charged to merchants or acquirers and decrease in fees charged to issuers is not a per se circumvention or evasion of the interchange transaction fee standards, but may warrant additional supervisory scrutiny to determine whether the facts and circumstances constitute circumvention or evasion.
ii. An issuer replaces its debit cards with prepaid cards that are exempt from the interchange limits of §§ 235.3 and 235.4. The exempt prepaid cards are linked to its customers' transaction accounts and funds are swept from the transaction accounts to the prepaid accounts as needed to cover transactions made. Again, this arrangement is not per se circumvention or evasion, but may warrant additional supervisory scrutiny to determine whether the facts and circumstances constitute circumvention or evasion.
6(b) Prohibition of Net Compensation
1. Net compensation. Net compensation to an issuer through the use of network fees is prohibited.
2. Consideration of payments or incentives provided by the network in net compensation determination.
i. For purposes of the net compensation determination, payments or incentives paid by a payment card network to an issuer with respect to electronic debit transactions or debit card related activities could include, but are not limited to, marketing incentives; payments or rebates for meeting or exceeding a specific transaction volume, percentage share, or dollar amount of transactions processed; or other payments for debit card related activities. For example, signing bonuses paid by a network to an issuer for the issuer's debit card portfolio would also be included in the total amount of payments or incentives received by an issuer from a payment card network with respect to electronic debit transactions. A signing bonus for an entire card portfolio, including credit cards, may be allocated to the issuer's debit card business based on the proportion of the cards or transactions that are debit cards or electronic debit transactions, as appropriate to the situation, for purposes of the net compensation determination.
ii. Incentives paid by the network with respect to multiple-year contracts may be allocated over the life of the contract.
iii. For purposes of the net compensation determination, payments or incentives paid by a payment card network with respect to electronic debit transactions or debit card-related activities do not include interchange transaction fees that are passed through to the issuer by the network, or discounts or rebates provided by the network or an affiliate of the network for issuer-processor services. In addition, funds received by an issuer from a payment card network as a result of chargebacks, fines paid by merchants or acquirers for violations of network rules, or settlements or recoveries from merchants or acquirers to offset the costs of fraudulent transactions or a data security breach do not constitute incentives or payments made by a payment card network.
3. Consideration of fees paid by an issuer in net compensation determination.
i. For purposes of the net compensation determination, fees paid by an issuer to a payment card network with respect to electronic debit transactions or debit card related activities include, but are not limited to, membership or licensing fees, network administration fees, and fees for optional network services, such as risk management services.
ii. For purposes of the net compensation determination, fees paid by an issuer to a payment card network with respect to electronic debit transactions or debit card-related activities do not include network processing fees (such as switch fees and network connectivity fees) or fees paid to an issuer processor affiliated with the network for authorizing, clearing, or settling an electronic debit transaction.
4. Example of circumstances not involving net compensation to the issuer. The following example illustrates circumstances that would not indicate net compensation by the payment card network to the issuer:
i. Because of an increase in debit card transactions that are processed through a payment card network during a calendar year, an issuer receives an additional volume-based incentive payment from the network for that period. Over the same period, however, the total network fees (other than processing fees) the issuer pays the payment card network with respect to debit card transactions also increase so that the total amount of fees paid by the issuer to the network continue to exceed incentive payments by the network to the issuer. Under these circumstances, the issuer does not receive net compensation from the network for electronic debit transactions or debit card related activities.
Section 235.7Limitations on Payment Card Restrictions
1. Application of small issuer, government-administered payment program, and reloadable card exemptions to payment card network restrictions. The exemptions under § 235.5 for small issuers, cards issued pursuant to government-administered payment programs, and certain reloadable prepaid cards do not apply to the limitations on payment card network restrictions. For example, debit cards for government-administered payment programs, although exempt from the restrictions on interchange transaction fees, are subject to the requirement that electronic debit transactions made using such cards must be capable of being processed on at least two unaffiliated payment card networks and to the prohibition on inhibiting a merchant's ability to determine the routing for electronic debit transactions.
7(a) Prohibition on Network Exclusivity
1. Scope of restriction.Section 235.7(a) requires a debit card subject to the regulation to be enabled on at least two unaffiliated payment card networks. This paragraph does not, however, require an issuer to have two or more unaffiliated networks available for each method of cardholder authentication. For example, it is sufficient for an issuer to issue a debit card that operates on one signature-based card network and on one PIN-based card network, as long as the two card networks are not affiliated. Alternatively, an issuer may issue a debit card that is accepted on two unaffiliated signature-based card networks or on two unaffiliated PIN-based card networks. See also, comment 7(a)-7.
2. Permitted networks. i. A smaller payment card network could be used to help satisfy the requirement that an issuer enable two unaffiliated networks if the network was willing to expand its coverage in response to increased merchant demand for access to its network and it meets the other requirements for a permitted arrangement, including taking steps reasonably designed to enable it to process the electronic debit transactions that it would reasonably expect to be routed to it. If, however, the network's policy or practice is to limit such expansion, it would not qualify as one of the two unaffiliated networks.
ii. A payment card network that is accepted only at a limited category of merchants (such as a particular grocery store chain, merchants located in a particular shopping mall, or a single class of merchants, such as grocery stores or gas stations) would not satisfy the rule.
iii. One of the steps a network can take to form a reasonable expectation of transaction volume is to consider factors such as the number of cards expected to be issued that are enabled on the network and expected card usage patterns.
3. Examples of prohibited network restrictions on an issuer's ability to contract. The following are examples of prohibited network restrictions on an issuer's ability to contract with other payment card networks:
i. Network rules or contract provisions limiting or otherwise restricting the other payment card networks that may be enabled on a particular debit card, or network rules or contract provisions that specify the other networks that may be enabled on a particular debit card.
ii. Network rules or guidelines that allow only that network's (or its affiliated network's) brand, mark, or logo to be displayed on a particular debit card, or that otherwise limit the ability of brands, marks, or logos of other payment card networks to appear on the debit card.
4. Network logos or symbols on card not required. Section 235.7(a) does not require that a debit card display the brand, mark, or logo of each payment card network over which an electronic debit transaction may be processed. For example, this rule does not require a debit card that is enabled for two or more unaffiliated payment card networks to bear the brand, mark, or logo for each card network.
5. Voluntary exclusivity arrangements prohibited. Section 235.7(a) requires the issuance of debit cards that are enabled on at least two unaffiliated payment card networks, even if the issuer is not subject to any rule of, or contract or other agreement with, a payment card network requiring that all or a specified minimum percentage of electronic debit transactions be processed on the network or its affiliated networks.
6. Affiliated payment card networks. Section 235.7(a) does not prohibit an issuer from including an affiliated payment card network among the networks that may process an electronic debit transaction with respect to a particular debit card, as long as at least two of the networks that are enabled on the card are unaffiliated. For example, an issuer may offer debit cards that are accepted on a payment card network for signature debit transactions and on an affiliated payment card network for PIN debit transactions as long as those debit cards may also be accepted on another unaffiliated payment card network.
7. Application of rule regardless of form factor. The network exclusivity provisions in § 235.7(a) require that all debit cards be enabled on at least two unaffiliated payment card networks for electronic debit transactions, regardless of whether the debit card is issued in card form. This applies to any supplemental device, such as a fob or token, or chip or application in a mobile phone, that is issued in connection with a plastic card, even if that plastic card fully complies with the rule.
7(b) Prohibition on Routing Restrictions
1. Relationship to the network exclusivity restrictions. An issuer or payment card network is prohibited from inhibiting a merchant's ability to route or direct an electronic debit transaction over any of the payment card networks that the issuer has enabled to process an electronic debit transaction for that particular debit card. This rule does not permit a merchant to route the transaction over a network that the issuer did not enable to process transactions using that debit card.
2. Examples of prohibited merchant restrictions. The following are examples of issuer or network practices that would inhibit a merchant's ability to direct the routing of an electronic debit transaction that are prohibited under § 235.7(b):
i. Prohibiting a merchant from encouraging or discouraging a cardholder's use of a particular method of debit card authorization, such as rules prohibiting merchants from favoring a cardholder's use of PIN debit over signature debit, or from discouraging the cardholder's use of signature debit.
ii. Establishing network rules or designating issuer priorities directing the processing of an electronic debit transaction on a specified payment card network or its affiliated networks, or directing the processing of the transaction away from a specified network or its affiliates, except as a default rule in the event the merchant, or its acquirer or processor, does not designate a routing preference, or if required by state law.
iii. Requiring a specific payment card network based on the type of access device provided to the cardholder by the issuer.
3. Merchant payments not prohibited. A payment card network does not restrict a merchant's ability to route transactions over available payment card networks in violation of § 235.7(b) by offering payments or other incentives to encourage the merchant to route electronic debit card transactions to the network for processing.
4. Real-time routing decision not required. A merchant need not make network routing decisions on a transaction-by-transaction basis. A merchant and its acquirer or processor may agree to a pre-determined set of routing choices that apply to all electronic debit transactions that are processed by the acquirer or processor on behalf of the merchant.
5. No effect on network rules governing the routing of subsequent transactions.Section 235.7 does not supersede a network rule that requires a chargeback or return of an electronic debit transaction to be processed on the same network that processed the original transaction.
7(c) Effective Date
1. Health care and employee benefit cards.Section 235.7(c)(1) delays the effective date of the network exclusivity provisions for certain debit cards issued in connection with a health care or employee benefit account to the extent such cards use (even if not required) transaction substantiation or qualification authorization systems at point of sale to verify that the card is only used for eligible goods and services for purposes of qualifying for favorable tax treatment under Internal Revenue Code requirements. Debit cards that may qualify for the delayed effective date include, but may not be limited to, cards issued in connection with flexible spending accounts established under section 125 of the Internal Revenue Code for health care related expenses and health reimbursement accounts established under section 105 of the Internal Revenue Code.
Section 235.8Reporting Requirements and Record Retention
[Reserved]
Section 235.9Administrative Enforcement
[Reserved]
Section 235.10Effective and Compliance Dates
[Reserved]
[76 FR 43466, July 20, 2011, as amended at 76 FR 43467, July 20, 2011; 77 FR 46280, Aug. 3, 2012]

Title 12 published on 2014-01-01

no entries appear in the Federal Register after this date.