Lawyers on Overtime

  A slew of lawsuits, bills and new regulations is keeping card industry lawyers and lobbyists hopping. How will the industry's operating practices be affected?
  Rarely has the card industry been under fire on so many fronts.
  Over the past few years, antitrust charges were leveled at the bank card industry, first by a group of disaffected retailers, and then by the U.S. Department of Justice. A settlement of the retailers' groundbreaking lawsuit earlier this year and the ruling in the DoJ case shook the very foundations of the bank card system: the so-called honor-all-cards policies are out and exclusionary membership rules are likely to be, too, unless card-association appeals succeed.
  And fees charged by the bank card industry, including currency-conversion fees and overlimit fees, became the target of legal action.
  Meanwhile, direct marketers, credit-counseling agencies, credit bureaus and other businesses tied to the card industry are faced with regulatory and legal challenges on everything from how they share confidential information with affiliates to how they safeguard electronic cardholder data.
  The industry is still awaiting passage of a bankruptcy reform bill. Industry-backed legislation that would make it more difficult for consumers to file bankruptcy passed the House of Representatives in March but stalled in the Senate.
  What's more, card issuers are struggling to comply with a USA Patriot Act requirement that they confirm the identity of individuals who open new accounts.
  Many of these legal activities promise to leave a permanent mark on how the card industry markets and prices its products. What's unknown is how much it will cost the card industry to comply with the new laws and regulations.
  The legal challenges come under four broad categories: antitrust, Internet fraud and identity theft, privacy, and fees.
  * Antitrust. Visa USA and MasterCard International are still trying to deal with the fallout from the ruling by U.S. District Court Judge Barbara S. Jones in 2001 in an antitrust suit filed by the Justice Department. In that case, Jones ruled that the associations' exclusionary rules that forbid member issuers from developing relationships with American Express Co. or Discover Financial Services Inc. were anti-competitive. Both associations are appealing the ruling.
  In a second case involving more than five million merchants led by Wal-Mart Stores Inc., MasterCard and Visa USA reached agreements whereby they will eliminate their honor-all-cards rules come January. Under those policies, merchants that want to accept Visa- or MasterCard-branded credit cards also must accept the associations' offline (signature-based) debit cards.
  As part of the settlements, the associations will pay $3 billion in damages to the merchants and substantially reduce their offline debit card interchange rates ("The Retailers' Home Run," July). The plaintiffs' attorneys are seeking more than $500 million in fees. A hearing on the proposed settlements was scheduled for late September in U.S. District Court in Brooklyn, N.Y.
  Despite the settlements, the associations' debit card legal woes aren't over. Several major retailers, including Home Depot, Toys 'R Us and Meijer, withdrew from the class action to pursue separate lawsuits against Visa and MasterCard.
  The two antitrust cases and the currency-conversion fee case "just suggest the beginnings of a large number of antitrust challenges," says David A. Balto, a former Federal Trade Commission policy director now in private law practice in Washington, D.C.
  For example, a recent Visa bylaw change would impose penalty fees on any top-100 Visa check card issuer that defects to another brand to avoid the fallout of Visa's $2 billion settlement in the merchant case ("Visa: You Can't Leave Us Even If You Don't Love Us," September). The bylaw, which Visa quietly approved in June, "poses really serious antitrust concerns that will probably lead to new antitrust disputes," Balto says.
  Rules concerning antitrust in the card industry "are really murky, and the law seems to be evolving in a fashion that's not looking as benignly at the card associations' activities," Balto says.
  * Internet Fraud/Identity Theft. A group of online merchants in May filed a federal class-action lawsuit against Visa USA, MasterCard, American Express Co. and Discover, contending the card companies failed to take appropriate measures to address fraud and theft in the Internet, telephone-order and mail-order industries. Also named as co-conspirators in the suit were Visa and MasterCard issuing and acquiring banks. The suit was filed in the U.S. District Court for the Eastern District of North Carolina.
  The suit charges the card companies are violating the Racketeer Influenced and Corrupt Organizations Act (RICO) and other laws by conspiring to commit fraud and theft when processing merchants' Internet and telephone- and mail-order transactions. Plaintiffs in the suit are eGeneral Medical Inc., Howell Automotive and Direct Foreign Exchange PLC.
  The e-merchants decided to sue because they believe their concerns about online fraud are not being properly addressed by the credit card companies, says their attorney, Mark W. Ishman of the Durham, N.C.-based Triangle Law Center.
  The plaintiffs allege that Visa and MasterCard failed to disclose certain transaction and penalty fees to merchants and forced merchants to pay higher fees. Online and mail-order/telephone-order transactions fall under the card-not-present category and are assessed higher interchange rates than conventional, cardholder-present transactions.
  In addition, merchants bear liability in so-called cybershoplifting cases (when a customer orders a product or service and later denies the transaction) even if the merchant can document the sale, the suit alleges. The e-merchants also allege that the card companies didn't inform online merchants of stolen credit card account numbers, leaving merchants to unwittingly accept fraudulent cards. Ishman cited an incident in February in which a hacker stole 13 million credit card account numbers.
  In that case, the card companies "elected not to cancel these cards but just monitor them," Ishman says. "If there's just one chargeback on each of those cards, (the card companies) are making millions of dollars."
  The suit doesn't specify the damages being sought by merchants. However, it states that merchants paid virtually all the costs associated with fraud and theft while the card companies made millions of dollars from transaction and penalty fees.
  MasterCard has said it is "confident that our practices with respect to our Internet merchants are lawful and appropriate."
  AmEx and Discover don't comment on pending litigation, and Visa was unavailable to comment.
  Data Protection
  The card industry and related companies also are facing tougher regulations with regard to how they protect cardholders' confidential data from security breaches.
  The Federal Trade Commission already has taken action against Guess Inc., the designer clothing and accessory marketer, alleging the retailer misrepresented the security of its Web site, www.guess.com. The FTC in June reached a settlement with Guess under which the retailer will put in place a comprehensive information-security program for its Web site. The settlement also prohibits Guess from misrepresenting the extent to which it maintains and protects the security of personal consumer information.
  It marks the third time the FTC has targeted companies for making false claims about the measures taken on their Web sites to protect consumers' private data, including credit card account numbers.
  The FTC began reviewing Guess security after a consumer in February 2002 broke into the Web site using a commonly known method, so-called structured query language. The consumer gained access to data, including name, credit card number and expiration date, from about 200,000 accounts. The card information accessed was not used for fraud. But the FTC said Guess falsely told visitors to its Web site that it stored such data in an "unreadable, encrypted" form.
  The FTC last year took similar actions against Eli Lilly and Co. and Microsoft Corp., says Jessica Rich, assistant director of the FTC's Bureau of Consumer Protection. Violations of the settlement could result in a fine of up to $11,000 for each incident, Rich says.
  The government later this year will have even more power to pursue financial institutions and other organizations that fail to protect confidential consumer information. That's when the so-called safeguard rule of the Gramm-Leach-Bliley Act of 1999 is expected to be finalized.
  "Under the rule, you have to have reasonable and appropriate security given the kind of information you collect and your business operation," Rich says.
  Under the proposed guidelines, issuers must have in place a procedure for notifying consumers when hackers break into a database and gain access to their "sensitive customer information." The guidelines were developed by the Federal Reserve Board, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
  The proposed guidelines define sensitive customer information as a Social Security number, personal identification number, password or account number in conjunction with a personal identifier such as the individual's name, address or telephone. Sensitive information also would include any combination of components such as user name or password that would allow someone to log onto or access another person's account.
  'Two Extremes'
  But the proposed rule exempts financial institutions from contacting consumers affected by a security breach if the institution concludes it is unlikely the information will be misused, and takes other steps to safeguard customers' interests, such as monitoring account activity. That is likely to be a bone of contention between financial institutions and consumer groups, industry observers say.
  In developing the guidelines, banking regulators "faced two extremes," says George French, deputy director of the FDIC's Division of Supervision and Consumer Protection.
  At one end, regulators could have required financial institutions to notify consumers "on the merest suspicion" that there was unauthorized access to customer information, French says.
  "If we were stringent and made a blanket statement that if you have a suspicion then you notify, you could get conceivably millions of notifications ... Eventually, the process would lose any value."
  At the other extreme, an issuer might wait until it knows a customer's information is being used for fraud before notifying the cardholder.
  "That would have been to wait until the damage is done," French says. "We tried to strike what we thought was an appropriate balance, leaving some responsibility on the bank to do the right thing. That was the single most important issue we had to wrestle with."
  While the FDIC awaits comment on the proposed guidelines (the deadline is Oct. 14), at least one bill in Congress also addresses fraud from identity theft.
  The U.S. Senate in March approved legislation that would increase penalties on identity-theft crimes. S.B.153, the Identity Theft Penalty Enhancement Act, is sponsored by Sen. Dianne Feinstein, D-Calif. The bill would increase penalties by two years for anyone who commits "aggravated identity theft" in the process of violating federal immigration, firearms and other laws. The proposal also would increase penalties by five years for anyone who commits identity theft for the purpose of committing a terrorist act.
  The bill contains provisions that make it easier for prosecutors to prove identity theft and would amend current law to impose a higher maximum penalty for identity theft used to commit acts of domestic terrorism.
  The measure is now awaiting action in the House. Feinstein has four other identity theft-related measures pending in Congress.
  Action in California
  States also are proposing and passing legislation to fight identity theft.
  In California, three laws took effect July 1 that offer consumers protection against identity theft. Under one law, if an identity-theft victim puts a fraud alert on her credit report, she will receive a free copy of the report for up to a year so she can monitor potential illegal activities on her accounts. Under another law, individuals requesting birth and death records must provide proof of identity and sign a form indicating why the records are being requested.
  Another law requires state government agencies, non-profit organizations, and companies doing business in California to notify state residents if there is a security breach in computer files. Californians must be notified if their names are obtained through unauthorized access of computer data files with at least one of the following: Social Security number, driver's license number, credit or debit card account numbers or passwords for accessing their financial accounts.
  Texas, too, recently enacted legislation to combat identity theft. The law, S.B. 473, sponsored by State Sen. Rodney Ellis, limits disclosure of Social Security numbers on health-insurance cards and non-secure Web sites. It also requires creditors that receive credit reports to take additional steps if a fraud alert has been placed on an account, and allows victims to limit access to their credit reports.
  * Privacy. At the state level, California Gov. Gray Davis in August signed into law the California Financial Privacy Act, which sharply limits financial institutions' sharing of customer data with affiliates. Under the law, sponsored by State Sen. Jackie Speier, financial institutions must obtain a customer's consent before sharing information with third parties. It also establishes standards that financial institutions must follow to inform consumers of their privacy rights. The Legislature passed the bill after a four-year campaign by privacy advocates.
  The new law, which has stronger privacy protections than federal legislation, has repercussions beyond California, says Edmund Mierzwinski, consumer program director for U.S. Public Interest Research Group in Washington.
  "Passage of the bill will force Congress to look at privacy issues as they relate to the Fair Credit Reporting Act," he says.
  In fact, a major bill to amend the FCRA, the federal law governing use of credit reports, is now pending in Congress. H.R. 2622, the Fair and Accurate Credit Transaction Act, would permanently block most state credit-reporting and privacy laws.
  The House on Sept. 11 voted overwhelmingly to reauthorize the FCRA. The bill has received strong backing from the financial industry. That's because under the bill, federal law would preempt state law. The House bill includes seven federal preemptions of state credit-reporting laws.
  Card issuers and other financial institutions favor a uniform national credit-reporting system rather than trying to cope with varying laws at the state level. Currently, California, Connecticut, Illinois, Indiana, Louisiana, Nevada, Texas and Virginia have laws that would be jeopardized if H.R. 2622 passes.
  A second California privacy bill, S.B. 27, was pending at CCM's press time. The bill would force companies to record and provide to consumers any information the companies have shared with any third party for direct-marketing purposes. The legislation, introduced by State Sen. Liz Figueroa last December, has already passed the state Senate.
  Under the bill, within 30 days of a customer's request, businesses would have to disclose all data collected about the customer that they have shared with third parties. The bill identified 27 categories of information that would have to be disclosed.
  Also within 30 days of the requests, businesses must provide the complete names and addresses of all third parties that have received any customer data. Under the bill, consumers would be entitled to a $3,000 civil penalty per violation, plus attorney fees and costs.
  The Direct Marketing Association termed the bill "a serious attack" on direct and interactive marketing in the state. California accounts for more than $60 billion in annual sales, about one-eighth of all direct-marketing sales nationwide, according to the DMA. The trade association says the provisions would impose "costly and logistically difficult challenges" for businesses engaged in direct marketing in the state.
  And in a move to prevent limits on telemarketing, the American Teleservices Association in July filed a petition seeking judicial review of a Federal Communications Commission order adopting the do-not-call rules of the Federal Trade Commission ("One Last Fling for Outbound," July). The ATA also asked the FCC to put the new rules on hold until a court reviewed its appeal. The petition, filed with the Tenth U.S. Circuit of Appeals in Denver, contends the FCC's program is unconstitutional, says Tim Searcy, ATA executive director. He notes that certain groups, including charities and political groups, are exempt.
  "The FCC was originally chartered by statute to create a law that balanced First Amendment issues, privacy interests and the economic considerations," he says. "Instead, what they did was they rolled over and did what the FTC did."
  The ATA contends that as many as two million of 6.5 million jobs in the teleservice industry will be lost because of the registry.
  "That means there will be less goods and services sold, less folks involved in the business, and the upstream and downstream economic impacts are substantial," Searcy says.
  The ATA in January had filed a suit in Denver challenging the FTC's registry, which bans most forms of unsolicited sales calls to consumers who sign up. There already are 32 states with their own do-not-call lists. The DMA also has filed suit against the FTC's do-not-call registry.
  Telemarketers must comply with the federal list beginning this month, and face a fine of up to $11,000 per violation. Before gaining access to the registry, telemarketing organizations must fill out an application, pay applicable fees and certify they are accessing the registry solely to prevent calls to telephone numbers on it. The annual cost for a firm to access the directory will be $25 per area code, with a maximum annual fee of $7,375 for the entire country including U.S. territories.
  As of Sept. 2, 48.4 million people had enrolled in the do-not-call registry.
  * Fees. The U.S. Supreme Court in June announced it would hear a case dealing with how credit card issuers disclose overlimit fees to cardholders. The case will be heard this month after the court returns from its summer recess. In the case, Pfennig vs. Household Credit Services and MBNA America Bank N.A., the court will decide whether issuers must disclose overlimit fees as finance charges. Issuers typically disclose these fees as "other charges."
  'Exhausted Themselves'
  Plaintiff Sharon R. Pfennig contends that Household violated the Truth-in-Lending Act by letting her exceed her credit limit and then imposing a fee. MBNA is named in the suit because it later acquired her account.
  In another lawsuit, a California Superior Court judge in April ordered Visa to refund to cardholders nationwide and MasterCard to refund to California cardholders more than $800 million in currency-exchange fees. The associations are appealing the ruling. The judge ruled that the card associations violated California's Unfair Business Practices Act by not disclosing a 1% currency-exchange fee they charged cardholders to convert foreign currency into dollars for final cardholder billing.
  A similar class-action suit was filed in April against American Express Co.
  "My feeling is that the plaintiff bar has kind of exhausted themselves with late fees and other stuff and they've found a new issue" in currency-conversion fees, says attorney Anita Boomstein, partner at New York-based Hughes Hubbard and Reed.
  No matter how these issues are resolved, there is no doubt that the card industry will have to change some of its practices. And in litigious America, new legal challenges are a certainty.
 
