In a recent letter to the CFPB, Michigan credit unions urged the consumer watchdog to supervise retailers “that pointedly fail to take proper steps” to ensure the protection of consumer data.
The Michigan Credit Union League, which represents 98 percent of the state’s credit unions and their 4.6 million members, said the recent Target data breach has cost state credit unions $1.1 million in member assistance, remuneration and fraud prevention.
“As an industry, we are just beginning to assess the impact, and MCUL fully expects these costs to increase as the industry learns more and any actual fraud occurs,” MCUL said. “Since the Target event, new breach events have come to light… These events serve to shed further light on the problem that retailers are not implementing proper security protocols and care to protect the sensitive personal and financial information they obtain from their consumers.”
MCUL said consumers would benefit from supervision of the retail industry, which “relies on largely self-policing standards that are inadequate to the point of consumer deception.”
“MCUL believes that the Dodd-Frank Act’s provisions regarding supervision of nonbank covered persons that engage in behavior that poses risks to consumers in this area provides clear authority for this supervision,” MCUL said.
According to Dodd-Frank, a consumer financial product or service is defined as the “selling, providing or issuing [of] stored value or payment instruments.” Many major retailers like Target offer store-branded credit and debit payment options, which MCUL said qualify as “payment instruments” under Dodd-Frank.
“The Durbin amendment effectively shifted billions of dollars of interchange income from financial institutions into retailers’ pockets, with no meaningful price-relief or discernible consumer benefit having resulted,” MCUL said. “However, financial institutions still bear the brunt of the risk and the cost for a retailer’s lack of preparation and failure to adequately store and protect consumer data. This liability dynamic represents an arbitrary windfall that does nothing to encourage real reform or consumer protection and cuts at financial institutions particularly hard—lost revenue, and lost wherewithal to pay for the sins of the retail community. It is time to bring shared accountability back into the equation for data breach liability.”