Casey: Troubling Regulatory Gap in Oversight of Some Payment Processors
WASHINGTON, DC – U.S. Senator Bob Casey (D-PA) today expressed concern after reviewing the circumstances surrounding the breach of financial information of 1.5 million people from payment processor Global Payments, Inc., revealing that consumers are at risk due to weakly enforced and poorly coordinated regulation efforts.
“It is clear that personal financial information of my constituents and consumers across the country is not adequately protected,” said Senator Casey. “Regulatory agencies must consistently and vigorously enforce laws already on the books and improve coordination to ensure that all payment processors are subject to proactive oversight.”
After reviewing the oversight process of payment processors like Global Payments, Senator Casey sent a letter outlining his concerns to the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA), the Securities and Exchange Commission (SEC), and the Office of the Comptroller of the Currency (OCC).
Senator Casey noted certain payment processors are not subject to the same kind of proactive, preventive measures used by those regulated by banks. Those payment processors regulated by the FTC only face action after errors are made known. Moreover, when a payment processor is not associated with the card issuing bank, a disjointed notification process leads to long delays between a security breach and potentially affected customers being made aware of the problem.
Global Payments is a Maryland-based company that provides payment processing services to MasterCard and Visa cardholders, among others. Last month, Senator Casey called on the company to be more forthcoming and immediately aid any consumers whose identity was stolen.
The full text of Senator Casey’s letter is below:
The Honorable Ben S. Bernanke
Board of Governors of the Federal Reserve System
The Honorable Martin J. Gruenberg
Federal Deposit Insurance Corporation
The Honorable Jon Leibowitz
Federal Trade Commission
The Honorable Debbie Matz
National Credit Union Administration
The Honorable Mary L. Schapiro
Securities and Exchange Commission
The Honorable Thomas J. Curry
Comptroller of the Currency
Dear Ladies and Gentlemen:
I write to you today with concerns regarding the oversight of Global Payments, Inc. It is my understanding that a data breach at Global Payments resulted in the theft of financial information from up to 1.5 million accounts. The breach was discovered in early March 2012; however, a public announcement by Global Payments was not made until nearly a month later.
Following this breach, I wrote to Global Payments to express my concern and my staff has reached out to staff at the Federal Trade Commission (FTC) and the Federal Reserve to learn more about oversight of their operations. I am troubled by the discrepancies identified in how different payment processors are regulated. It is my understanding that the regulatory requirements for merchant payment processors like Global Payments are different than those that apply to payment processors associated with banks. As part of their safety and soundness reviews, the prudential regulators take a proactive approach to payment processors that are associated with banks, working with the banks to ensure that these processors have in place the necessary safeguards to protect consumer information. However, merchant payment processors like Global Payments appear to undergo less scrutiny. These processors are regulated by the FTC, which takes action to sanction negligent institutions, but does not undertake the same kind of preventative review.
Consumers have an expectation that when they use payment cards, their personal financial information will be kept safe, regardless of who is processing the payment. It is crucial that the safeguards taken by payment processors be subject to a uniformly high level of scrutiny, and federal regulators must work together to ensure the safety of consumer information.
Should a breach occur despite these efforts, consumers must also be informed in a timely manner. Identity theft can result in significant hardships for account holders and often requires substantial time and resources to resolve, making it critical that victims of identity theft receive notification of the incident as soon as possible. Unfortunately, during the Global Payments case there was a troubling delay in notifying account holders. I have been told that upon discovering the breach, Global Payments notified the card associations, such as VISA and MasterCard. These associations then notified the issuing banks, who then notified consumers. This lengthy chain exists when payment processors are not associated with the issuing bank. It puts consumers last and results in a significant lag between when a consumer’s identity is stolen, and when they are made aware of the theft.
As our consumers’ use of payment cards has grown, so has the risk represented by security breaches like the one at Global Payments. Congress enacted significant protections for consumer financial information with the passage of the Gramm-Leach-Bliley Act. I encourage the regulators responsible for enforcing these safeguards to work together to ensure that consumers can rely upon consistent protection of their financial data.
Thank you for your consideration of my views.
Robert P. Casey, Jr.
United States Senator