CUNA Mutual CEO Calls Card Fraud a 'Runaway Train'
Calling plastic card fraud a "runaway train," CUNA Mutual Group CEO Jeff Post said the time is coming when the insurance provider may not be able to insure credit unions' card programs and credit unions won't be able to afford to offer them.
To help prevent that from happening, CMG is in the process of putting together a set of plastic card security best practices while also trying to spark awareness of the problem among credit unions, the card associations, regulators and legislators alike.
Indeed, Post took the opportunity at CUNA's Governmental Affairs Conference just weeks ago to discuss these concerns with CUNA CEO Dan Mica, Treasury Secretary John Snow, and a number of credit union leaders in attendance at the conference.
"Dan Mica and I talked with John Snow about this before he addressed the GAC, and he was very interested in this," Post suggested. "He's the Treasury Secretary, and anything that puts this nation's financial institutions at risk is a major concern for him."
That credit card fraud is a burgeoning problem isn't new, but Post believes the situation has reached the crisis level.
"The middle of last year we identified this as a concern-it was not a crisis then," Post told The Credit Union Journal. At that time, CMG identified 231 credit unions with "significant plastic card losses" and visited every one of them.
"We audited their protection devices, we tightened underwriting standards and then we hoped to see losses start to decrease," he related. "The 231 we worked with did see some modest improvement, but then we found 400 more had started to look like the original 231.
"Insurance is a concept that works when we have the unfortunate few who have claims and the fortunate many who don't," he continued. "Where we're headed is a situation where the unfortunate many have claims, and the fortunate few don't. Insurance doesn't work in that environment."
CUNA Mutual currently insures about 5,500 credit unions' plastic card programs. Of those, approximately 700 of them can be classified has having had "significant losses"- defined by CMG as CUs with a loss ratio of over 200% that have blown through their deductible and have incurred losses that were twice what the premium cost-leaving another 4,800 that haven't had significant loses.
"But they don't have the proper protections in place," he cautioned. "We are paying out $2 (on plastic card insurance claims) for every dollar that we take in. [Some] credit unions don't the proper protections in place. Criminals are getting smarter, and we're not getting support from Visa and MasterCard, so what we have is a perfect storm causing an incredible amount of fraud."
Over the next four to eight weeks, CMG will be working with stakeholders from credit unions to card processors to create a three-pronged approach to stanch the fraud hemorrhage:
- Build awareness of the problem among CUs, card processors and other stakeholders.
- Develop plastic card best practices.
- Work with the trade associations and lawmakers to develop legislation that would force Visa and MasterCard to enforce their own rules (in particular, the two card associations both have rules-which largely haven't been enforced- against merchants reading and retaining the full magnetic stripe data on cards, which can then be hacked into by fraudsters, as was the case in the BJ's Wholesale Club case and others).
"We're not going to eliminate fraud, but we must slow it down," Post offered. "We don't want to get to the point where credit unions can't afford to offer cards anymore. I don't know how close we are to that point. Six months? A year? But this is a pretty alarming trend, and it adds up in a hurry. At some point, we will not be able to offer insurance on these products, and if that happens, about 984% of credit unions won't be able to offer cards. About 50% of the fraud we are encountering is on debit cards, and you can't be much of a financial institution without a debit card these days."
Post said he couldn't say at what point CUNA Mutual Group would get out of the cards insurance business, saying that is a decision his board will have to make-if it comes to that-not him.
When CUNA Mutual Group analyzed the original 231 credit unions identified as having a significant problem with card fraud, certain commonalities appeared. For example, some of those CUs actually had excellent fraud protection tools in place, but they weren't using them to their full extent (such as only monitoring card usage only during the week or not putting daily limits on cards or always checking the CVV codes).
"You've got to have the monitoring tools in place, and you have to use them 24-7," Post advised.
Post recently gathered about a half-dozen of the movement's largest CU CEOs to discuss a number of issues facing credit unions. "They spent about two minutes talking about conversions, about two-and-a-half minutes on taxation, and then about two hours on card fraud," he related. "They see the losses, they see the rate increases and the raised deductibles, and they ask, 'Do you really have to make that much money on this?' Then I explain that we're still only taking in $1 for every $2 we're paying out, and they see that it's still a runaway train. I've told them I don't even mind making this a loss leader for a while, but I can't let this wipe out $4, $5 or $6 of every dollar we're taking in."
He noted that if Visa and MasterCard started to enforce their own rules it would go a long way toward "slowing down this runaway train." Indeed, Post said the card associations have a much more secure infrastructure in place in Europe and Canada.
"In the U.S., fraud losses are paid by the issuing institution, but in Canada, those losses are paid by Visa and MasterCard," he commented. "[The card associations] would be a lot more interested in solving this problem if it were their problem."
For example, in other countries, credit card users are given a key fob that has a six-digit PIN that changes every 30 seconds. If a hacker manages to get a cardholder's name and account number, the hacker still can't make any fraudulent transactions without also having the key fob. "Again," Post observed, "this isn't going to eliminate every type of fraud. If someone steals your purse, and both the card and key fob are in that purse, then they're going to get you. But the idea is to make it tougher. The message the card associations need to hear is that while it may cost them to build in this technology, but it will cost them more if they don't."
'Put A Stop To This'
The message to lawmakers, Post suggested, is that it's time to fix this problem, and it's not going to get fixed unless someone forces the issue. "Your citizens are having their identities stolen because of companies that aren't acting responsibly," Post said, "and the time has come when Washington needs to step in and be the 200-ton gorilla to put a stop to this. Credit card holders in Europe and elsewhere already have these protections. Don't American consumers deserve the same?"
While CUNA Mutual Group may feel like a 200-ton gorilla in the credit union space, the fact is that to Visa and MasterCard, "we're just a gnat," Post said, though he indicated he does plan to try to meet with Visa's CEO on this issue.
CUNA Mutual is also meeting with NCUA representatives to discuss this issue, as well.
"NCUA will not allow credit unions-other than the really big ones, like Navy or State Employees-to self insure their cards programs," he explained. And even the "big guys" are having second thoughts about continuing to self insure, Post said, noting that SECU CEO Jim Blaine has indicated he is looking to buy insurance for his card program.