Bonneville Bancorp is taking an unusually drastic — and seemingly counterintuitive — approach to fighting fraud. To make sure its customers use their PIN codes, shoring up security for debit purchases, it is prohibiting signature debit payments in some states.
Though PIN codes provide an additional layer of security, signature debit transactions generally earn issuers more money, and observers say it is unheard of for a bank to consider its fraud losses severe enough to switch off that revenue stream.
According to a notice on Bonneville's website warning of "high amounts of fraudulent card activity in California, Florida and Georgia," customers in those states must use their PIN codes for any debit transactions. "No signature transactions will be allowed," the notice asserts.
"All I can think of is that the fraud was so high that the lost interchange revenue is worth it compared to the cost of issuing new accounts," said Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc. "It's a statement admitting PIN is more secure, so it contradicts all the marketing messages" from most other banks.
In most cases, "banks are sending out new communications that are reinforcing the policy that you should always use your signature," Litan said. Bonneville's approach is "very unusual," she said.
Ryan Nielsen, a vice president at Bonneville, said that the $34 million-asset bank, which has one branch in Provo, Utah, is going to keep signature transactions switched off in the three states for the foreseeable future, and that this approach was suggested by its processor, First Data Corp.
"We had several fraud activities in those states in a short amount of time," Nielsen said, and although Bonneville is evaluating other methods of addressing that fraud, it does not know when it will change its approach.
Nielsen said he believes other banks have shut off signature transactions in response to fraud, but did not know which. First Data said its executives were not available to comment.
Litan said that Bonneville's message is so striking because banks have gone out of their way to encourage signature debit use over PIN debit. These pitches usually play up the convenience or offer a reward, but JPMorgan Chase & Co. has gone even further in presenting signature as the safer approach because it does not require consumers to risk exposing their PIN code by using it. This message was featured prominently on mailings JPMorgan Chase customers received in April.
JPMorgan Chase defended this by stressing that it wanted to reassure customers about the security of debit cards, but Litan said there is no confusion about which is the more secure method.
"From a pure technical security standpoint, PIN is much more secure," she said. "There's no two ways about it."
Bonneville is likely seeing fraud from criminal rings based in the states where it has barred signature transactions, Litan said. In recent weeks, many news reports spotlighted Florida as the setting for large amounts of card fraud.
Litan said Bonneville's pinpoint focus on specific states indicates that the stripe data of its customers' cards has been stolen with a skimming device, then written onto physical cards that are used by fraudsters in those states.
"The cards can be skimmed anywhere, but that's where they're being used," she said.
Aaron McPherson, a research manager for payments at the Framingham, Mass., research firm IDC Financial Insights, said that Bonneville's response is so striking because it is so public — it is the most prominent notice on the company's website.
"Banks do periodically get hit by fraud rings, but usually they try to keep it as quiet as possible because they don't want their customers to be worried about using their cards," he said. "Even if their fraud is really bad, they don't want customers to know about it."
Another reason is that in addition to losing signature debit revenue, any bank taking this step would incur an immediate customer service cost.
"If they're not accustomed to using the PIN, then they probably don't remember it," and those customers will start calling as soon as they realize a PIN has become mandatory in some states, McPherson said. "The cost of those calls alone probably is going to be worse than the fraud."
Bonneville's decision probably suggests that its fraud-detection system is too weak to help the bank identify and block these suspicious transactions as they occur, McPherson said. "Any decent fraud system will allow you to tag transactions coming from those high-risk states and give them a higher risk score so they go through more stringent checks," he said.
Nielsen did not return a call asking about the capabilities of Bonneville's fraud system and its expected customer service costs.
Brian Riley, a research director in the bank cards practice at TowerGroup, said such a drastic approach is rare because fraud-detection systems can usually allow for transaction blocking based on finer criteria than which state a transaction is made in.
However, such a far-reaching approach is not unheard of. In 2006, in response to a major breach of card and PIN data, Citigroup Inc. briefly blocked transactions in three countries. "Citibank just quickly shut the country down, but they only did it for about three days, just to put their hands around it," Riley said.
By contrast, Bonneville's signature debit block has been in place for over a month without a clear date for it to expire. "This is a shotgun approach," Riley said, and if this type of fraud is affecting other banks, "I think you'll see a much more rifled strategy."