Friday, March 30, 2007

TJX Data Breach -- 45 Million Cardholder Accounts -- Thieves Had Encryption Key

In the past few days, newspapers, TV and the internet have all been saturated with news about the TJX data breach. Most reports state that information about 45.7 million credit and debit cards was stolen. According to the Washington Post, approximately 75% of the cards had expired by the time of the theft or the data stolen did not include security information. In September 2003, TJX started "masking" much of the sensitive data, meaning that it was partially or completely overwritten with asterisks. In other words, card account numbers would have been stored as "**** **** **** 1234."

This information follows on reports earlier this week of the arrest of a number of people in Florida who were caught buying gift cards at Wal-Mart using stolen TJX card data and then using those gift cards at Sam's Club stores (an affiliate of Wal-Mart) to purchase electronics and jewelry. Police estimate the scam netted $8 million. These bad guys are not suspected of the TJX data theft but rather are thought to have obtained the stolen card numbers from the data thieves. They created new credit cards reflecting the stolen account numbers which they then used to buy gift cards at a number of Wal-Marts across Florida.

The information for most of the news reports comes from a 10-K report which TJX filed with the Securities and Exchange Commission on March 28, 2007. The most ominous, and to my knowledge, so far unreported factoid in the filing is this:

Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.

The 10-K also states that one reason TJX has had difficulty determining what data was stolen is that many of the files in question have been deleted in the normal course of business.

TJX's filing lays out the timeline for the discovery and reporting of the intrusion.

On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.

In an (un)related matter, the TJX Board recently approved a $1 Billion stock buy-back program.

Thursday, March 29, 2007

California Supreme Court to Hear Miller v. Bank of America

The California Supreme Court has agreed to hear the appeal in Miller v. Bank of America and decide the question: Does California law, which provides that a bank account into which public benefit funds or Social Security payments have been electronically deposited is exempt from attachment and execution, prohibit a bank from exercising its right to setoff as to charges - such as overdraft fees and insufficient fund fees - arising out of use of that same account?

The trial court applied Kruger v. Wells Fargo Bank (1974) 11 Cal.3d 352 (Kruger), a California Supreme Court decision which prohibited a bank from utilizing the banker’s setoff against public benefits to recover on an account holder’s delinquent but separate credit card account. The First Appellate District reversed, holding that the setoff to collect a debt owed the bank related to the account against which setoff is exercised is significantly different from Kruger in which the debt's origin was an unrelated account.

While the legal question at issue may at first glance appear to be somewhat technical and trivial, in reality, large sums of money and significant issues of public policy are at stake in this case. The First Appellate District explained:

When it ruled on summary judgment, the court also certified a plaintiff class consisting of “All California residents who have, have had or will have, at any time after August 13, 1994, a checking or savings deposit account with Bank of America into which payments of Social Security benefits or other public benefits are or have been directly deposited by the government or its agent.” In 2003, the Bank had 1,079,414 such accounts. Each month more than $800 million in government benefits is electronically deposited into class members’ accounts. Between January 1994 and May 2003, the Bank debited at least $284,211,273 in NSF and other overdraft fees from accounts containing Social Security direct deposits.
The trial court ordered Bank of America to pay compensatory damages and restitution of $296,650,220, an astonishingly large amount even for an entity like Bank of America. The appeals court reversed, however, finding a distinction between using setoff to satisfy a debt not tied to the operation of the account being debited (prohibited by Kruger) and the facts in Miller.
Collecting a debt unrelated to the bank account, such as a credit card debt, does not implicate the internal balancing of a single bank account. Neither Miller nor his various supporting amici curiae have cited, and we have not found, a single case that interprets Kruger to prohibit a bank from applying a deposit against a negative balance in a single bank account, or towards fees assessed because of that negative balance; indeed, the distinction between that practice and the banker’s setoff against an independent account that was of concern in Kruger was observed in a closely related context. In Lopez v. Washington Mut. Bank, FA (9th Cir. 2002) 302 F.3d 900, the Ninth Circuit concluded that federal law exempting Social Security benefits from seizure did not prohibit a bank from debiting a customer’s account for overdrafts and NSF fees. (Id. at pp. 902-906.)

The appellate court was also concerned that prohibiting banks from practicing standard setoff procedures on accounts receiving public benefits would drive banks away from providing banking services to benefit recipients.
There was also considerable testimony that extending Kruger to internal account balancing practices would have adverse consequences not implicated in the context of a traditional banker’s setoff. Bank witnesses testified that prohibiting a bank from debiting an account for overdrafts, chargebacks and NSF fees when a customer account contains directly deposited public benefits will cause banks to substantially curtail the services available to such account holders. Consequences might include dishonoring any checks that would overdraw those accounts instead of offering overdraft protection; dishonoring other payment requests, such as automatic bill payments, that could overdraw the account; placing maximum holds on deposited funds; forbidding online or telephone banking; and canceling or restricting account holders’ use of ATM and debit cards.

The United States also weighed in on the issue. The Treasury Department expressed similar concerns on behalf of the federal government. According to the Treasury, the injunctive relief would likely cause banks to reduce the range of services available to recipients of government benefits in order to minimize the risk of overdrafts, or cause higher prices for such services, working a significant detriment on both the plaintiff class and the general public interest. Other approaches banks potentially could take to address the increased risk of loss from overdrafts would include requiring account holders to maintain a segregated balance of nonbenefit funds in their accounts or attempting to return direct deposits of benefits that are directed to overdrawn accounts and instead requiring deposit by check. These changes, the Treasury says, would undermine the federal government’s goals of affording recipients of public benefits the same consumer protections offered other account holders and encouraging financial institutions to offer electronic banking services, including direct deposit, to individuals who traditionally do not use banks. There is no indication that any such consequences were implicated in Kruger.
Miller's counsel, as one would expect, was described as "ebullient" and quoted as saying "I have confidence that in granting the petition [for review] it intends to reinforce the public policy rule it set forth in 1974."

Tuesday, March 27, 2007

Google Registers as E-Money Issuer in EU

On March 19th, the UK Financial Services Authority authorized Google Payment Limited to issue electronic money in that country. With its UK registration, it's fairly simple under European Union rules for Google to "passport" into other EU jurisdictions and be allowed to issue e-money across the continent. Under PayPal's UK registration, for example, it is authorized to passport into 24 other countries.

There's no official word from Google on its plans in the EU, but clearly, it has plans.

PayPal Not Worried About Competition from Google Checkout

Yesterday, CNET News ran an interview with PayPal's Chief Technology Officer Scott Thompson. There are several questions about phishing and security, but I thought the most interesting part was a question about competition from Google.

Can you comment on the competition you might be seeing from Google Checkout? Have you seen any loss of market share or revenue?
Thompson: Sure. The first thing I would say is payments are really hard to deal with. It's a business that is built around precision. There is no margin for error in anything associated with payments, and that's the relationship we have with both buyers and sellers on the eBay site and our customers and merchants on eBay. Beyond that I fully expect that because payments is such a big business, that all the competitors that we know of today are going to be there tomorrow, and there is probably going to be a whole lot more that people are dreaming of right now in start-ups in Silicon Valley and elsewhere.

So there is always going to be competition, and I actually love good competition. It raises your game to a higher level when you have good competition. So as it relates to Google Checkout, where as you would expect we are very aware of what they are doing, we don't think they are in a payment system business. We think they are specifically in a check-out business, and there is quite a bit difference between checkouts and payments. I would argue that we have such a lead in the business of global payments that if somebody wants to chase after us a little bit, I think they are going to realize it's hard to do, and I think they will fully appreciate and understand the head-start we have. Nobody here is overly confident, but I think what we need to do is have a strategy and focus on that and not on any competition.
In addition, we learn that micropayments are tough:
How big do you see the market for micropayments? It seems like you would have the infrastructure to do that more broadly. Are you seeing content owners like music or print publishers going in that direction?
Thompson: Micropayments is a remarkably big opportunity. I said doing payments is hard. Well, micropayments is extremely hard, and that is why nobody has cracked the code on it yet. It's just very, very tough to do. You probably recall 10 to 12 years ago the phone companies thought micropayments (would be a way to) extend their billing reach further into their customer set. But every phone company that tried that has realized that this is a whole lot harder than they thought, and they all backed off those initiatives. So, I think somebody at some point will come up with a real cute idea on this, and it will be one that changes the game. I think that's one where you stay tuned. It probably plays out two or three years from today.
and PayPal currently has no plans to enter the world of online banking:
Is PayPal planning to move into online banking services?
Thompson: If you are PayPal, you can never say never. But I can tell you, we don't do online banking today. In the near term, we don't intend to do online banking. We have a rate payments business. We have tremendous future growth opportunities in the payment business that we are in. We are completely focused on that online payments business, and we view something like online banking as an adjacency that may be of interest some number of years from today. But now we are solely focused on online payments, and we don't want to be distracted.

Sunday, March 25, 2007

China Bars Conversion of Virtual Currency into Material Products

A number of news outlets are reporting on recent rules issued by the Chinese government limiting the use of virtual currency in that country. The best online explanation I've found is a story by Mure Dickie in the Financial Times.

A formal notice quietly issued to officials last month by the Communist party and government departments, including the central bank, has ordered “strict differentiation between virtual exchanges and online commerce in material products”.

The notice says: “The People's Bank of China will strengthen management of the virtual currencies used in online games and will stay on the lookout for any assault by such virtual currencies on the real economic and financial order.”

Virtual money can only be used to buy virtual products and services the companies provide themselves, issuance will be limited, and users are “strictly forbidden” from trading it into legal tender for a profit, says the notice.
The new restrictions appear to be a reaction to the growing popularity of a virtual money product known as "QQ Coins."
The restrictions follow Beijing’s growing concern about the influence of currencies created by internet companies, particularly the wildly popular "QQ Coins" issued by Hong Kong-listed messaging and games provider Tencent.

Tencent's messaging system is used by an estimated two-thirds of Chinese internet users and its QQ Coins have been accepted as payment by other companies as well as sold for legal tender.
It isn't clear what exactly is China's primary concern about virtual currencies. The AP says the worry is "money laundering or illicit trade." The Asia Times, however, has suggested that there is concern that the virtual currency could harm China's real currency.
The so-called "QQ" coin - issued by Tencent, China's largest instant-messaging service provider - has become so popular that the country's central bank is worried that it could affect the value of the yuan.

Public prosecutor Yang Tao issued this warning: "The QQ coin is challenging the status of the renminbi [yuan] as the only legitimate currency in China."
Some additional interesting tidbits on QQ coins from the Asia Times:
Tencent boasts more than 220 million users, and its QQ coins can be purchased with a bank, telephone or "QQ" card at an official price of 1 yuan (12.5 cents) per coin. Originally, the virtual coins were designed to pay for Tencent services such as electronic greeting cards, online games and anti-virus software. Now, however, they have reportedly developed into an alternative currency traded on the black market and used for other, less savory services, such as online gambling and private chats with "QQ girls".

Xinhua, China's official news agency, reports cases of people earning thousands of yuan per month trading in QQ coins, which they can win by playing online QQ games that pay out one coin for every 10,000 points earned. Xinhua also reports that the operators of some Internet forums are now paid in QQ coins rather than the official currency. And there is evidence that other online sites not associated with Tencent also accept QQ coins.

In addition, unofficial online vendors have sprung up to take advantage of QQ fever. They accumulate large numbers of coins by hiring professional game players to win them and also through gambling ploys, inside connections at entertainment companies and even by hacking into user accounts and simply stealing them. Then they sell the virtual currency below its official value, at a rate of 0.4-0.8 yuan per coin.
Tencent recently reported that its 2006 revenues were $358.6 million, an increase of 96% over the previous year. Net profit was $136 million, a whopping 119% jump over 2005. I can't find an official statement (at least one in English) on either the Tencent or QQ.com sites responding to the new rules on virtual currency.

I can't wait to see if other countries follow the Chinese example and attempt to limit the use of virtual currencies to purchase material goods. I don't see how such a rule could be successfully implemented without a corollary prohibiting the sale of virtual goods for real money. If you want to prevent financial transactions which are illegal in this world from taking place in a virtual world, you will have to severely limit the movement of money and goods between the two.

Thursday, March 22, 2007

House ILC Hearings Postponed to March 29

UPDATED

The House Financial Services Committee hearings on the Industrial Bank Holding Company Act legislation have been postponed until March 29, 2007. A list of persons who will testify has finally been posted on the committee's web site, although no prepared statements are available.

The witnesses will be:

Panel One:

  • The Honorable Donald L. Kohn, Vice Chairman, Board of Governors of the Federal Reserve System
  • The Honorable Sheila C. Bair, Chairman, Federal Deposit Insurance Corporation
  • John E. Bowman, Chief Counsel, Office of Thrift Supervision
  • Erik R. Sirri, Director, Market Regulation, Securities and Exchange Commission
  • G. Edward Leary, Commissioner, Department of Financial Institutions, State of Utah

Panel Two:

  • Michael J. Wilson, International Vice President, Director, Legislative and Political Action Department, United Food and Commercial Workers International Union
  • Mark Macomber, President and CEO, Litchfield Bancorp, Litchfield, Connecticut, On behalf of America’s Community Bankers
  • Jim Ghiglieri, President, Alpha Community Bank, Toluca, IL, On behalf of Independent Community Bankers of America
  • Earl McVicker, Chairman & CEO, Central Bank & Trust Co., Hutchinson, KS, On behalf of American Bankers Association
  • John L. Douglas, Alston & Bird LLP, Atlanta, GA, On behalf of American Financial Services Association
  • Mr. Marc Lackritz, Co-CEO, Securities Industry and Financial Markets Association

Wednesday, March 21, 2007

The Folly of the New Presidential Dollar Coins

Today's Washington Post contains an interesting and amusing story questioning why the U.S. Mint is issuing new dollar coins when the world is moving away from cash to electronic forms of money.

Sit down in the handsome office of Edmund C. Moy, the director of the Mint. Ask him to comment on the quote attributed to Albert Einstein: "Insanity is doing the same thing over and over again, expecting different results."

Point out that the future of money is relentlessly shifting away from physical cash. Ask him if he has lost his blooming mind. The Congress made me do it, he replies.
Moy is referring to the Presidential Dollar Coin Act of 2005 which requires the mint to issue new dollar coins featuring the images of U.S. Presidents.

Post staff writer Joel Garreau reports that the percentage of transactions made in cash versus check or debit or credit cards has declined from 21% in 2003 to an estimated 15.7% in 2008. Use of electronic payment methods, on the other hand, is expected to grow to 65% with checks taking the remaining share of the payments market.
Cash is increasingly reduced to three arenas, [cultural anthropologist Jack] Weatherford says. It is used for transactions performed by poor people -- "the unbanked population," as they are picturesquely known; anybody's small purchases -- like an ice cream cone; and for illicit activities like tax evasion, extramarital trysts and drug scores -- for which anonymity is at a premium.
Garreau notes that the transformation of money from cash to computers has occurred in a short span of time.
Computerized money produces the world we live in today. It may be hard to remember, but at the beginning of the 1990s, only 5 percent of grocery stores accepted credit cards. Now, you sign for your pomegranates. Similarly, travelers to distant lands no longer stock up on exotic cash. They are confident their money cards will meet their every need the instant they land, wherever that might be.

The next frontier is to delete even the plastic from our "plastic," says Tim Attinger, who describes himself as being in charge of ridding the United States of cash and checks. He is the senior vice president of product innovation and development for Visa USA. "I dream of a day when kids on the corner selling lemonade will take Visa payments," he says. "Not next year, but it can happen."

In Asia, it is already common to pay for things by simply waving your chip-equipped cellphone at a point-of-sale terminal, moving money with a beep as quickly as commuters sail through the Dulles Toll Road with an EZ Pass. Devices are being deployed in the United States that allow you to pay simply by pressing your fingertip to a scanner.

At that point, our bodies become our money.
His last line may be a bit too Orwellian, but his point is well taken.

And what about the initial question of why the government would start a long-term dollar coin program when prior similar coins have failed and people are moving away from cash anyway? The answer is "seigniorage."
Because it costs the Mint 20 cents to make the new dollar coin, and people pay a dollar for it, the margin on each one is 80 cents. If people proceed to squirrel the coin away, and not put it in circulation, this is wonderful. The government gets to keep that 80 cents forever.
The economics of minting coins may be a bit more complicated than that analysis, but it's true that the point of the new dollar coins, just like the 50 state quarters and Lewis and Clark nickels, is to make money off of coin collectors.

Monday, March 19, 2007

Frank Says ILC Legislation Still Necessary Even After Wal-Mart Withdrawal

Despite Wal-Mart's withdrawal of its application for an FDIC-insured ILC charter, Rep. Barney Frank, Chairman of the House Financial Services Committee, thinks federal legislation regarding Industrial Loan Corporations is still necessary. In a statement posted to the committee's website, Frank said:

I appreciate the constructive step by Wal-Mart not to pursue an ILC charter, but it does not in my judgment, remove the need to legislate in this area.

In addition, the committee now lists the March 22, 2007 hearings on H.R. 698, the Industrial Bank Holding Company Act of 2007 on its website, although no information on witnesses is provided.

I wonder if Wal-Mart was invited.

Friday, March 16, 2007

Wal-Mart Withdraws Application for Bank Approval

Wal-Mart withdrew its application for an Industrial Loan Charter today. The retailer issued the following press release:


BENTONVILLE, Ark., March 16 /PRNewswire-FirstCall/ -- Wal-Mart Financial Services President Jane Thompson released the following statement today:

"We notified the FDIC today that Wal-Mart has withdrawn the application we made in July 2005 for an Industrial Loan Company (ILC) charter.

"This action follows January's FDIC decision to extend the moratorium on a number of pending ILC applications.

"Unlike dozens of prior ILC applications, Wal-Mart's has been surrounded by manufactured controversy since it was submitted nearly two years ago. At no stage did we intend to use the ILC to establish branch banking operations as critics have suggested -- we simply sought to reduce credit and debit card transaction costs.

"Wal-Mart's financial services already save customers over $245 million a year so they can live better. Since the approval process is now likely to take years rather than months, we decided to withdraw our application to better focus on other ways to serve customers. We fully intend to continue to introduce new products and services that champion those who deserve convenient, lower priced financial services."

Philly FRB Examines "Cost Hurdles" to Increased Acceptance of Prepaid Cards

The Payment Card Center at the Federal Reserve Bank of Philadelphia has released a discussion paper entitled General-Use Prepaid Cards: The Path to Gaining Mainstream Acceptance. Authored by James C. McGrath, this thought-provoking paper examines the prepaid card market, where it works, where it hasn't been as successful, and offers some ideas as to why particular applications have fallen into the second category rather than the first.

Clearly, general-use prepaid cards show promise, both to reduce costs and inefficiencies in existing applications and to provide cost-effective and flexible financial service alternatives to a large market of underserved consumers. At the same time, they face some unique challenges that must be addressed as the product matures. Some of these challenges stem from the newness of the product: Consumer protections and regulatory oversight remain in the early stages. Other gaps pertain more to the business model. For example, while prepaid cards may provide attractive options to many paper-based applications, many programs are themselves quite complex and costly and require operational and technological sophistication. Last, some functional limitations need to be addressed in order to improve usability and spur adoption.

The paper will address these challenges in turn. First, it will note the perceived vulnerability of prepaid cards to money laundering and will discuss other relevant regulatory issues. It then examines the profit function within the business model, looking at factors affecting costs and revenues. Finally, it addresses two issues that may accelerate consumer adoption: payroll card portability and improved and extended reloadability options. Generally, the paper finds that initiatives are already underway or that others likely to be implemented will address many of these challenges. Doing so should strengthen the value propositions underlying a number of the product applications discussed and lay the groundwork for future prepaid innovations.
This paper follows on a paper released by the PCC last month which examined money laundering risks associated with prepaid cards: Prepaid Cards: Vulnerable to Money Laundering?

Thursday, March 15, 2007

Ohio Rep. to Reveal Secret -- Wal-Mart Wants a Bank

Today's New York Times reports that Rep. Paul Gillmor (R-OH) is planning to release information which reveals Wal-Mart has a grand plan to begin providing financial services to the public. Well, kinda sorta. What he has is a copy of an undated email which suggests that Wal-Mart was revising leases with tenants that are banks to reserve the right to offer financial services itself.

In an interview last night, Mr. Gillmor said the Wal-Mart was including a clause in some tenant leases that would allow the company to some day expand its banking operations. Wal-Mart currently offers branded credit cards, check cashing and other services through partnerships with financials [sic] institutions.
The retailer claims that nothing nefarious is going on.
A Wal-Mart spokeswoman confirmed last night that the company had updated some of its tenant leases late last year to include the language in question but implied that it had been an option all along.

“There is nothing new here,” the spokeswoman, Mona Williams, said. “While we recently updated language in our leases, similar language has been in our agreements for at least five years.”
Gillmor's bombshell comes before next week's hearings before the House Financial Services Committee on the subject of corporate ownership of Industrial Loan Corporations. Emoolaw reported on those hearings earlier this week. Unfortunately, there's still no witness list posted on the committee's web page, so we don't know exactly what subjects those hearings will cover.

There are valid safety and soundness reasons for keeping general commercial firms out of the business of banking. But dozens of big corporations already own ILCs and have been approved for FDIC insurance. There are perfectly legitimate reasons for a retailer like Wal-Mart to want to own an FDIC insured ILC -- most notably, the ability to "acquire" credit card transactions on its own. Retailers currently pay banks a hefty fee for access to the credit card networks, even though the bank often just turns the business over to a processor. By being its own bank, a retailer can significantly reduce the cost of accepting credit cards. It's unclear to me why Wal-Mart should be denied that business opportunity while many other big corporations get direct access to this important payment mechanism.

The hearings next week should focus on the legal and economic issues and avoid the drama of pseudo-spectacular revelations like Gillmor's email. The policy discussion here should be about access to payment systems, supervision of financial institutions and the modern definition of "the business of banking." Let's hope that House members can avoid the "Is Wal-Mart Good or Evil" debate.

Wednesday, March 14, 2007

Sen. Chris Dodd Suggests Legislation Necessary to Curb Credit Card Abuses

In a speech on Tuesday to the National League of Cities, Senator Chris Dodd (D-CT) suggested that legislation would be necessary to curb abuses by credit card issuers.

I'm a strong advocate of credit cards; don't misunderstand me. But the abuse by the financial institutions in making it impossible for people to get out from underneath these financial problems is causing us serious, serious problems. We've already had hearings on this, and my hope is that we'll pass legislation that'll prohibit some of the practices that have made it so difficult for people to manage their financial affairs in a more solid and safe way.
It will be interesting to see what action Dodd takes on this issue in the Senate.

Tuesday, March 13, 2007

Rep. Frank to Hold Hearings on ILCs

The American Banker reported on Monday that Rep. Barney Frank (D-MA), chairman of the House Financial Services Committee, will hold hearings on March 22 on whether to close "the loophole" that allows general commercial firms to own a type of financial institution known as an Industrial Loan Corporation. At the time of this writing, there is no mention of the hearings on the Committee's website.

Frank and Rep. Paul Gillmor (R-OH) have introduced the Industrial Bank Holding Company Act of 2007 (H.R. 698) which would put an end to the practice. Frank and Gillmor proposed similar legislation in the prior Congress, but the issue has taken on new steam with the recent application by Wal-Mart to purchase an ILC. That request prompted the FDIC to extend a moratorium on applications by ILCs for deposit insurance. In explaining its actions, the FDIC noted:

In 2006, the FDIC received more than 13,800 comment letters regarding the proposed Wal-Mart Bank’s 2005 deposit insurance application. Most of these comments expressed opposition to granting deposit insurance with respect to this particular applicant; however, some commenters raised more universal concerns about industrial banks. Over 640 of the more general comments were specifically focused on the risk posed to the deposit insurance fund by industrial banks owned by commercial companies or by holding companies without a Federal consolidated bank supervisor.
For its part, Wal-Mart has expressed an interest in owning an ILC in order to provide cheaper and more convenient financial services to its customers. Business Week covered the story well when Wal-Mart first expressed interest in entering the banking world back in 2005.

Kmart Settles with FTC Over Gift Card Practices

The Federal Trade Commission announced yesterday that it had entered into a consent order with Kmart over certain of the retailer's practices in its gift card program. This is the FTC's first law enforcement action concerning gift cards.

The FTC alleged that Kmart failed to disclose a dormancy fee it charged holders of its gift card. After 24 months of nonuse, Kmart levied a $2.10 per month service fee for each inactive month, retroactive to the issuance of the card. That means if you didn't spend your card in 2 years, Kmart would "zap" $50.40 from the balance of the card. This retroactive dormancy fee was often not disclosed before purchase, or was explained in tiny type or in text obscured by packaging. In addition, Kmart advertised that their gift cards function like cash and "never expire."

Under the consent decree, Kmart agrees to clearly and prominently disclose expiration dates and fees associated with its gift cards. In addition, Kmart will not attempt to collect dormancy fees on any cards issued prior to the consent order and will create a mechanism by which consumers who were charged such fees may seek reimbursement. The consent order does not constitute an admission of guilt by Kmart.

The consent decree was approved by the Commission on a 5-0 vote. Commissioners Harbour and Leibowitz, however, wrote separately stating their opinion that the order does not go far enough and that Kmart should be required to disgorge profits it made collecting the dormancy fees.

The FTC will accept public comments on the consent order through April 10, 2007 after which it will decide whether to make the order final.

Monday, March 12, 2007

The Key to Mobile Payment Success -- Failing Fast

The barrage of news on mobile payment initiatives is almost overwhelming. The Wall Street Journal tells us that "Mobile Banking Shifts into High Gear" while Paymentnew.com delves into Visa's Mobile Platform Initiative. Every day brings another announcement:

Amongst all the hype, I finally found a nugget of wisdom to help make sense of all of this -- and from a Canadian publication, no less. The February 2007 issue of ITWorldCanada (now my favorite maple leaf tech journal) reports on a speech by W. Roy Dunbar, MasterCard's president of global technology and operations, at the Card Forum & Expo in May 2006:
Dunbar says MasterCard has plenty of good ideas; the question is knowing which ones to pick. Dunbar joined MasterCard two years ago after more than a decade at Eli Lilly. One of the main concepts he brought with him from the pharmaceutical industry was the idea of failing fast -- that is, testing ideas quickly and discarding them if they don't work. In this way, one can accelerate the process of finding ideas that do work.
I like the idea of "failing fast." You can make a lot of jokes about the concept, but it does appear to describe what successful technology companies do well and what large financial service providers do poorly.

Friday, March 9, 2007

2007 Mobile Financial Services Study

Edgar, Dunn & Company and Mobile Payments World have released their 2007 Mobile Financial Services Study which investigates mobile banking and mobile payments. The study is based on a survey of approximately 500 "thought leaders in mobile payments and financial services from around the world" (which means subscribers to the sponsors' publications).

When asked "which participants in the Mobile Payments value chain will be the most critical to the achievement of critical mass?" 70% of respondents said "merchants" and 65% said "consumers" with smaller numbers citing mobile carriers, financial institutions and handset manufacturers.

Respondents felt there was currently no "killer app" in mobile payments, but thought that transportation, micropayments and mobile wallets had the potential to achieve that status.

In terms of time frame, 60% felt mobile payment adoption would be "gradual" while 40% thought it would be "rapid."

Frequent Errors In FBI's Secret Requests for Financial Records

Yikes. From today's Washington Post.

Frequent Errors In FBI's Secret Records Requests
Audit Finds Possible Rule Violations
By John Solomon and Barton Gellman
Washington Post Staff Writers
Friday, March 9, 2007; A01

A Justice Department investigation has found pervasive errors in the FBI's use of its power to secretly demand telephone, e-mail and financial records in national security cases, officials with access to the report said yesterday.

The inspector general's audit found 22 possible breaches of internal FBI and Justice Department regulations -- some of which were potential violations of law -- in a sampling of 293 "national security letters." The letters were used by the FBI to obtain the personal records of U.S. residents or visitors between 2003 and 2005. The FBI identified 26 potential violations in other cases.

Officials said they could not be sure of the scope of the violations but suggested they could be more widespread, though not deliberate. In nearly a quarter of the case files Inspector General Glenn A. Fine reviewed, he found previously unreported potential violations.

The use of national security letters has grown exponentially since the Sept. 11, 2001, attacks. In 2005 alone, the audit found, the FBI issued more than 19,000 such letters, amounting to 47,000 separate requests for information.

Read the complete article.

Thursday, March 8, 2007

Moola Zoola Criminal Trial Postponed (Again)

Federal District Court Judge Michael H. Schneider has again postponed the trial of Robert Arbuckle, who is accused of using his prepaid debit card company Moola Zoola to commit fraud and launder money. The trial had been scheduled to start last fall and then was rescheduled for March 19th. At the request of both the prosecution and defense, the court has set a new deadline of April 30, 2007 for the parties to reach a plea agreement; otherwise, trial will begin on June 4th. The fact that both sides asked for the extra time suggests that they're trying to work out a deal.

Prosecutors allege that Arbuckle issued Moola Zoola debit cards funded with money acquired through a PayPal scam. Money was moved from Moola Zoola account to Moola Zoola account in order to hide the origin of the funds. Ultimately the money was withdrawn from ATMs in the U.S. and Russia.

The case appears to be the first prosecution of money laundering involving debit cards.

Some Fees are More Equal Than Others -- Senate Investigates Credit Cards


The U.S. Senate Committee on Homeland Security and Governmental Affairs' Permanent Subcommittee on Investigations held hearings yesterday on the topic "Credit Card Practices: Fees, Interest Rates, and Grace Periods."

Prepared statements from Chairman Carl Levin (D-MI) and ranking minority member Norm Coleman (R-MN) are posted as well as the testimony from the head honchos of Bank of America, Citibank and Chase. The bankers' prepared remarks are pretty standard and pretty boring. Their unscripted remarks, according to news reports, were more forthcoming, with the bankers apologizing for most abusive practices and promising to mend their ways.

Much more interesting is the report of Alys Cohen, Staff Attorney at the National Consumer Law Center. The NCLC has documented a number of real world examples which show how bank junk fees, penalty rates, universal default and late payment triggers constitute unfair and abusive practices. For us lawyers, there are lots of good case cites and quotes. My favorite has to be from Perry v. FleetBoston Financial Corp. The court described a bank's ability to change the rules at will as placing consumers in "an Orwellian nightmare, trapped in agreements that can be amended unilaterally in ways they never envisioned." This court went on to say that it was

reminded of George Orwell's 1946 work, Animal Farm, in which the pigs assume power and change the terms of the animals' social contract, reducing the original Seven Commandments, which included ‘All animals are equal,’ to one—‘All animals are equal, but some animals are more equal than others.’
The incomprehensible nature of credit card disclosures was also challenged. Senator Coleman stated:
After wading through that morass, it should come as no surprise to learn that the Government Accountability Office recently reported that disclosures are sometimes written at a “twenty-seventh-grade level.” I can only assume that one would need – after twelve years of grade school and four years of college – a 4-year medical degree, a 5-year PhD, and a 2-year MBA to fully grasp those particular provisions.
Just don't fund that education on your credit card!

Wednesday, March 7, 2007

Protecting Banks from Retailers' Data Breaches

State Representative Michael Costello has introduced a bill in the Massachusetts legislature which would make retailers whose information systems are compromised reimburse banks for costs associated with cancelling and reissuing customers' accounts and credit cards. House Bill 213 would make a commercial entity which suffers a data breach liable to a bank for the "costs of reasonable actions undertaken by the bank on behalf of customers of the bank as a direct result of an actual breach of data security...." Types of costs covered include:

  • cancelling and reissuing a credit card
  • closing accounts and blocking transactions
  • opening of new accounts
  • refunding unauthorized transactions
Retailers would argue that they already pay for credit card fraud in the high interchange fees that the card associations assess on every transaction. In addition, the card associations can (but rarely do) fine merchants who don't follow security procedures.

The Wall Street Journal reports that similar legislation at the federal level is possible:
Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said yesterday that he believes Congress also will pursue data-security legislation that would require the entity responsible for a breach to bear the costs incurred from customer notification and card reissuance. He also favors a "national trigger" for notification about such a breach.
Rep. Frank wrote to Visa and MasterCard in February 2006 complaining that the responsibility for notifying consumers that their financial information may have been compromised fell to banks rather than the retailers who lost the confidential data.

Tuesday, March 6, 2007

OTS Releases Guidance on Gift Cards

The Office of Thrift Supervision (OTS) issued guidance on Friday to thrifts that offer gift card programs. According to the OTS press release, approximately 20% of the institutions it regulates issue gift cards in some form. The guidance covers both open-loop or branded cards (e.g., Visa, MasterCard, American Express) as well as closed-loop cards which are typically limited to a single merchant. The OTS document doesn't say much of anything new or helpful, but it does summarize the current state of things. Federal savings associations should follow applicable federal rules, including:

  • OTS's advertising rule
  • OTS's nondiscrimination rule
  • Federal Trade Commission prohibitions on unfair or deceptive trade practices
  • Bank Secrecy Act regulations
  • USA PATRIOT Act
  • OTS's Funds Transfer Rule
  • OTS's Electronic Operations Rule
As to the $64,000 question -- what's an appropriate anti-money laundering program under the BSA or an appropriate customer identification program under the PATRIOT Act -- there's not much help. Follow risk-based internal controls for an institution of your size and type of business.

The guidance does reiterate the conclusion of an OTS legal opinion from last summer that federal law preempts many state law restrictions on gift cards issued by federal savings associations.

And be sure to check out the OTS's new Consumer Fact Sheet: Buying, Giving, and Using Gift Cards. They went all out on the graphics.

Monday, March 5, 2007

FinCEN Gets New Director

James H. Freis was named the new Director of the Financial Crimes Enforcement Network (FinCEN). FinCEN is the bureau within the Treasury Department which administers the Bank Secrecy Act (BSA). The BSA requires financial institutions and certain other financial service providers to report on certain financial transactions. The data is used by regulatory and intelligence agencies.

Friday, March 2, 2007

Feds Charge Stop & Shop Thieves with Identity Theft

Four California men were arrested on Monday after being caught in the act of modifying a PIN pad at a Stop & Shop store. They were formally arraigned on multiple felony charges in state court. On Wednesday, Federal prosecutors filed a criminal complaint against the men charging aggravated identity theft and conspiracy to traffic in fraudulent access devices. The dollar amount of the fraud is not precisely known at this time, but media reports suggest it’s at least $100,000 and will continue to grow as the investigation proceeds.

Read the AP story in BusinessWeek

Emoolaw posts discussed the discovery of the modified PIN pads and also the arrests of the bad guys.

Thursday, March 1, 2007

CFSI Study on PrePaid Cardholder Spending Patterns

The Center for Financial Services Innovation and the Federal Reserve Banks of New York and Chicago released a new study entitled “Cardholder Use of General Spending Prepaid Cards: A Closer Look at the Market.”

The study gathered data from 4 card providers on approximately 2000 card holders. Some of the conclusions the researchers reached include:

  1. Card holders spend almost all of the funds loaded on to a card each month.
  2. Point-of-Sale (POS) transactions significantly outnumber ATM transactions and card holders typically spend most of their money via POS.
  3. Fee structures and amounts, which had been quite variable, have become more consistent.
The paper also discusses which features (rewards programs, credit building, savings features) cardholders find most desirable.

The detailed statistical analysis combined with insightful analysis is a must read. To whet your appetite, I've borrowed a couple of interesting charts: