BOSTON—The steady stream of data breaches is changing how credit unions battle card crime and spotlighting rising fraud costs, which are proving difficult for small CUs to absorb.
Analysts say data breaches have become more frequent in the last year. Following the huge Target compromise, high-profile breaches have included Neiman Marcus, Michaels, Smucker's, Sally Beauty, UPS and JPMorgan Chase.
And earlier this week,
Add in smaller regional stores hit by hackers and it's a lot for financial institutions to deal with, says Shirley Inscoe, senior analyst at Aite Group.
"Even a car wash chain was hit," said Inscoe. "I never thought I'd be worrying about using my card at a car wash. Breaches are happening everywhere and more often."
Inscoe explained that the Target data breach resulted in many issuers doing mass card reissues due to the size of the breach.
"Then, as the breaches kept happening, we saw many issuers shifting to monitoring activity on compromised cards, waiting for suspicious activity and then reissuing as needed," said Inscoe.
But the strategy of closely monitoring compromised cards is less effective today, little more than seven months following the Target hack, according to Inscoe.
She explained that crooks now use the stolen data much faster, "within days instead of months."
That's leading to more mass card reissuing and higher costs for banks and credit unions. Experts question how long banks will continue to absorb the costs before hiking fees.
There, too, is growing concern for the small credit union that is heavily focused on its membership, fee averse and without scale to absorb the growing fraud price tag.
"Credit unions have to constantly stay on top of what the latest threats are and need technology to fight this crime," said Eric Richard, CUNA executive vice president and general counsel. "That is not only expensive but also labor intensive. Credit unions have been complaining about growing compliance costs and now they face growing data security costs. And the tighter the budget the bigger the concern."
Higher Cost of Doing Business
Greg Smith said the increasing number of data breaches is simply leading to a higher cost of doing business.
"It's an unfortunate cost to be sure, but just a cost," said the CEO of the $4.3 billion Pennsylvania State Employees CU, which has reissued about 25,000 to 30,000 cards so far this year.
The Harrisburg, Pa.-based PSECU will absorb the growing expense and has no plans to hike fees, according to Smith.
"It may just mean less back to reserves," he said. "But this is another example of how the business will squeeze out the smaller credit unions as these costs to stay in the game continue to climb."
And the thinking is long gone that smaller CUs fly under crooks' radar. Analysts have stated that cyber criminals understand smaller shops often have weaker defenses.
"We just had one small credit union reach out to us for assistance that is starting to get hammered by card fraud," added Smith.
Cindy Atteberry, who heads the $25 million Joplin Metro CU in Joplin, Mo., said her credit union has been fortunate to have effectively battled recent fraud attempts—but she knows the costs are coming.
"We have done well so far," said the CEO. "But if we do suffer significant fraud losses we are not going to charge our members. We will eat them. But being a small credit union, we will feel it. At the end of the year, that cost has to come from somewhere inside the credit union."
Hansel Hart, president of Palmetto Health CU in Columbia, S.C., told Credit Union Journal his CU recently suffered a "significant" fraud loss within a short period of time. As a result, the $60 million PHCU has temporarily blocked signature debit card usage from certain stores in four states in which the fraudulent charges occurred.
"Reissuing cards is a considerable expense for us," said Hart. "We have had to do it a number of times and it's getting frustrating."
Hart agrees that smaller credit unions feel the losses most when they happen.
"We are fortunate to be in a very good financial position," said Hart about the CU's 11.63% net worth. "We are in a little better position than many credit unions our size. Yet, this is an expense that is hard to budget for and it does cause problems."
While the high-profile breaches garner national media attention, Brad Thaler, NAFCU VP of legislative affairs, contends it's often the smaller, regional breaches that hit some CUs hardest.
"For credit unions, which often have a concentrated local membership, that local breach can have a big impact on the institution," Thaler said.
What can make breaches even harder for credit unions to manage, added Thaler, is their close relationship with members. Thaler said that when members suffer card fraud that they expect to be able to speak with someone at the friendly neighborhood CU where they have close ties.
"This can be especially hard for the small credit union to manage with their limited staff," Thaler observed.
Inscoe said more credit unions, and banks, are turning to instant issue as a way to limit cardholder inconvenience when plastic is cancelled and keep the FI's card top of wallet.
While EMV cards would not have prevented the Target losses, a number of credit unions feel chip cards will limit the institution's exposure and also show members that the credit union is being proactive in the fraud fight.
PSECU's Smith said all the breaches are moving up the EMV timeline at his credit union.
"We are definitely moving up our EMV release," he said. "We are really going to scale that up because we don't want to be the last guy out there with mag stripe."
Palmetto's Hart said his CU, too, will make sure it is ready to move with EMV and be well ahead of the October 2015 Visa and MasterCard liability shift.
All the data breaches signal that behavioral analytics have become a requirement, insisted Chris Silveira.
The manager of fraud intelligence for Guardian Analytics, Mountain View, Calif., explained that crooks have stolen so much consumer payment and personal data that they can build complete profiles of intended victims and act quickly.
"The true impact of all these data breaches goes far beyond simply reissuing cards," Silveira said. "What we are seeing is an erosion of trust—can financial institutions really trust account holders are truly who they say they are. Criminals are hiding behind some very good credentials now."
Silveira said FIs must have fraud strategies in place, such as behavioral analytics, that are threat agnostic.
"If you can't trust an account holder's identity, you need to focus on how they act. Criminals now have what users have, they know what users know," said Silveira. "But they can't truly behave like users behave, and that is the key strategic advantage FIs have now and can act on."
