7-28-98, Statement of Russell Schrader

WRITTEN STATEMENT

VISA U.S.A. INC.

BEFORE THE

COMMITTEE ON

BANKING AND FINANCIAL SERVICES

U.S. HOUSE OF REPRESENTATIVES

JULY 28, 1998

Chairman Leach, Ranking Member LaFalce, and Members of the Committee on Banking and Financial Services, United States House of Representatives ("Committee"), my name is Russell Schrader. I am Senior Vice President and Assistant General Counsel of Visa U.S.A. Inc. ("Visa"). I thank you for the invitation to participate in this hearing. Visa is the largest consumer payments system in the United States and the world. Visa is an association of over 21,000 financial institution members from around the world that issue Visa brand cards. Consumers hold more than 641 million Visa cards globally, and these cards are accepted at more than 14 million merchant locations and at more than 403,000 automated teller machines. Visa provides transaction authorization, clearing and settlement, and risk management services to Visa financial institution members and supports more than $1 trillion in payment transactions annually around the globe. Visa’s transaction volume in the United States is approximately $525 billion per year.

Visa appreciates the opportunity to appear today before the Committee to discuss how better to protect consumers and financial institutions from the recent efforts of those unscrupulous information brokers who fraudulently obtain consumer information from financial institutions. This type of fraud is one of the latest versions of the ever-evolving schemes of those who would defraud financial systems. We applaud Chairman Leach and the Members of the Committee for focusing on the problem so quickly.

VISA’S EXTENSIVE INFORMATION PROTECTION
AND FRAUD PREVENTION EFFORTS

We believe that there are few companies better qualified than Visa to discuss the prevention and detection of financial fraud. Visa has been a leader in combating fraud for more than a decade. To guard against unauthorized access to information in the Visa systems, we have long employed the most advanced security procedures, protections and technology available. These procedures include protections with respect to the use of Visa cards in virtually all circumstances. We have kept pace with new technology and the ways people use our products today and will use our products in the future. Recently, for example, we developed the Secure Electronic Transaction, or SET, program, which is a standard or protocol for using encryption and digital signature technologies to make Internet transactions secure, convenient and efficient for consumers, merchants and Visa member financial institutions. SET automatically encrypts purchase orders and Visa payment card information so that a merchant never sees payment information in decrypted form. This makes SET transactions extraordinarily secure. In addition, SET uses digital signatures to authenticate merchants, consumers and Visa members to one another. Under SET, these digital signatures perform similar functions that are today performed in face-to-face shopping by the presence of a plastic Visa card, which itself has a variety of security features, by a Visa flag on the card, and by a Visa sticker on the merchant’s door.

Preventing fraud and protecting personal information involving Visa credit and debit cards is a top priority to Visa and its members. We view it as essential to protecting the integrity of our brand and maintaining the confidence of consumers and merchants that use our products and services. Through significant investments in technology, cooperative efforts between Visa, its members, and law enforcement agencies, and a wide variety of educational initiatives, the incidence of Visa-system fraud in recent years has been cut sharply. This has happened even as the volume of card transactions has grown dramatically.

For instance, Visa’s ratio of fraud-to-sales stood at 0.15% in 1992. Last year, it was down to a record-breaking rate of just 8 cents per $100, or 0.08%. Similarly, Visa’s losses from the submission of fraudulent credit card applications were down 23.6% year over year, as of March 31, 1998. Indeed, during recent years the absolute number of fraudulent transactions in the Visa system has actually been reduced, even as Visa card volume has soared. We are extremely proud of the success of our many fraud prevention efforts.

We are not content with these successes alone, however. In fact, Visa remains firmly committed to its ongoing efforts to drive the fraud loss numbers even lower. In our intensive attack on fraud, Visa and its member financial institutions have developed a varied arsenal of fraud control programs. Visa has developed these programs over many years, and is continuously refining them to respond to new or anticipated fraud schemes. A brief review of our fraud control efforts includes the following programs, each of which is used to thwart those who would steal personal information and use it to engage in fraudulent transactions.

Address Verification Service

The Address Verification Service is a fraud prevention system that allows mail-order or telephone-order merchants to verify automatically that a billing address provided by a cardholder at the time of purchase is the same one currently on file with the institution that issued the credit card (the "Issuer"). This service helps merchants minimize the risk that they will accept fraudulent mail and telephone orders from information brokers or others using stolen cardholder information.

Card Activation

Under this method for delivering a bankcard to the consumer who requested the card, the Issuer waits for the customer to confirm that the card has been received by him or her before activating the account. Cards are blocked from use at the time of mailing. For a card to be activated, the cardholder typically must call the Issuer, often from the same phone number provided to the Issuer, and must confirm receipt and provide proof of identity.

Card Security Features

Security features on bankcards include alphanumeric, pictorial, and other design and functional elements. The precise physical dimensions and placement of these features are specified by the Visa U.S.A. Operating Regulations and are difficult to copy exactly. These card security features can be checked by merchants at the point-of-sale to ensure the card is authentic.

Card Verification Value

Card Verification Value ("CVV") is a unique three-digit "check number" encoded on the magnetic stripe of all valid cards. The CVV number is calculated by applying an algorithm -- i.e., a complex mathematical formula -- to the stripe-encoded account information. It is automatically verified on-line by the Visa system at the same time a transaction is authorized.

Cardholder Risk Identification Service

The Cardholder Risk Identification Service ("CRIS") is a transaction scoring and reporting service that employs advanced neural network technologies to develop artificial intelligence risk-scoring models that help identify fraudulent transaction patterns. CRIS is available by subscription exclusively through Visa. It can be used by Issuers as a stand-alone fraud detection system or together with their internal fraud detection methods.

Exception File

Visa’s Exception File is a worldwide database of account numbers of lost/stolen cards or other cards that Issuers have designated for confiscation, referral to Issuers, or other special handling. All transactions routed to Visa’s stand-in processing system have their account numbers checked against the Exception File.

Issuer’s Clearinghouse Service

The Issuer’s Clearinghouse Service ("ICS") is an application verification system shared by Visa and other bankcard associations. ICS verifies an applicant’s address, phone and Social Security numbers, and whether that applicant has a history of excessive applications or credit card fraud or credit abuse. Visa requires that all U.S. Issuers use ICS.

NRI Reporting

This computer program was developed by Visa for reporting transactions in which merchandise was shipped to, but not received by, a Visa cardholder -- so-called Not Received Items ("NRI"). All Visa Issuers are required to report NRI mailing information, whether or not fraud has occurred. Visa then forwards this information along with reported NRI fraud transactions to the U.S. Postal Service on a daily basis. This information allows the Postal Service to conduct timely and efficient investigations of mail fraud.

Risk Identification Service

The Risk Identification Service ("RIS") identifies concentrations of fraudulent activity at merchant locations. RIS monitors activities such as reported fraud transactions, suspected fraud activity and merchant deposits. By carefully monitoring these activities and imposing timely corrective measures, Visa members can reduce their exposure to fraud and subsequent financial losses.

VisaLine

VisaLine is a service that provides an interactive computer network dedicated to the communication of time-sensitive risk management and business information between Visa and its members and their third-party processors. VisaLine facilitates fraud prevention by enabling rapid communication among Visa members about the latest fraudulent schemes.

Education Efforts

Active participation and cooperation by Visa, its members, their merchants and law enforcement and other government agencies have made Visa’s education programs extremely successful. For instance, to combat counterfeit losses on cash advances from bank tellers -- one of the leading types of fraud -- Visa produced and distributed the Cash Advance Procedures video, which educates bank tellers on the proper procedures for cash disbursement. Visa also produced two other videos, one primarily for law enforcement agencies called Counterfeit Cards, and a video on the proper procedures for card acceptance at the point-of-sale called Card Acceptance Procedures.

In addition, each year Visa makes over 100 fraud prevention presentations to industry and law enforcement groups. These presentations include up-dated information regarding fraud, fraud trends, and technical developments in an effort to reduce bankcard fraud.

Issuer Fraud Control Guide

This manual was developed for Visa Issuers’ fraud control and investigation units. It describes how the bankcard system works and the various fraud types and how to handle them. Information on Visa programs to identify and control fraud is also included. Over 3,500 of these manuals have been distributed to Visa Members.

VISA’S SUPPORT OF LAW ENFORCEMENT

Visa has established a special Fraud Control Unit to provide resources to law enforcement officers investigating and prosecuting credit and debit card fraud. It helps educate and train law enforcement officers, including community crime prevention officers, as well as merchants about credit and debit card fraud. These efforts are integral to Visa’s assault on financial fraud. They include the following:

BIN-Checker Terminals

A large portion of counterfeit cards are lost or stolen cards that have been re-encoded by the counterfeiter. Visa has provided 400 so-called "BIN-Checkers" to law enforcement agencies nationwide to check on such cards when recovered. A BIN-Checker reads and displays the account number and expiration date from the card’s magnetic stripe. It also indicates the name of the Issuer, if the bank is one of the one thousand banks in the BIN-Checker.

These terminals have been deployed to United States Secret Service field offices, and U. S. Customs and Immigration offices at all international airports in the U.S. They also have been provided to most major city police departments in the country. We have had a number of credit card arrests due to the utilization of these terminals.

Law Enforcement BIN Directory

Visa’s Fraud Control Unit, as well as many Visa member financial institutions, receive numerous phone calls from law enforcement officers. Often, these calls are made to determine the phone number of the Issuer whose cards were recovered during an arrest or a search warrant. To assist law enforcement officers in readily obtaining the correct information to identify and contact the victim bank, Visa has developed two programs which are accessible twenty-four hours a day, seven days a week:

PC-Based On-Line BIN Directory. Accessed via a personal computer, this system allows a law enforcement officer to access the Visa Fraud Control database and obtain the Issuer name and fraud department phone number.

Terminal-Based On-Line BIN Directory. By utilizing a specially programmed merchant terminal, law enforcement officers can access the on-line directory simply by swiping the card through the terminal. Once the card is swiped, the account number, cardholder name and expiration date from the magnetic stripe are displayed and can be compared to the information embossed on the face of the card. The terminal then automatically dials the Visa Fraud Control database and displays the name of the Issuer and fraud department telephone number. If the magnetic stripe is damaged or will not read, the officer can key enter the account number and expiration date.

Education

Visa keeps law enforcement abreast of the credit card fraud problem by offering a three-hour workshop for officers. To date, over 20,000 law enforcement officers have participated in this program. It includes updated information on trends and criminal activity in bankcard fraud. Visa published a Law Enforcement Training Officers Manual for instructors. Visa also produced two videos for these workshops, Altered and Counterfeit Cards: The High Tech Hold-Up, produced in conjunction with California Police Officers Standards and Training ("POST"), and Counterfeit Cards. Training materials, including the Credit Card Manual for Prosecutors and Investigators, are provided to all officers attending scheduled trainings.

Security Guide

Visa managed the production of a law enforcement security guide that depicts the security features of bankcards. This guide includes a toll-free telephone number for officers to call to verify the status of any recovered cards. These guides are available to law enforcement officers through Visa Fraud Control workshops and other industry meetings.

Law Enforcement 800 Number

Officers may call a special toll-free telephone number (1-800-FOR-VISA) to check cards in the possession of an individual being detained. When the inquiry is made, the officer is told the status of a Visa card and is given the Issuer name, contact person, and telephone number. The Issuer is notified within twenty-four hours of the inquiry so that the bank’s fraud investigator can contact the law enforcement agency if the agency has not already done so.

Recovered Account Analysis

Visa Fraud Control staff provides assistance to law enforcement when additional information is needed in connection with account numbers that have been recovered due to arrests and/or searches. Issuers are identified and contacted with the information provided to Visa by the law enforcement officer. Issuers are requested to reply directly back to the law enforcement officer. This service has a two-fold benefit -- valuable time is saved for the investigating officer, and Visa Issuers are promptly notified that their account numbers have been recovered.

Credit Card Resource Manual For Prosecutors and Investigators

This informational manual is distributed to prosecutors and to law enforcement officers attending Visa workshops. It was developed to provide an understanding of how the bankcard system works and includes information on fraud types and fraud schemes.

LEGISLATIVE RESPONSE TO THE CONTINUAL
EVOLUTION OF FINANCIAL FRAUD SCHEMES

These extensive fraud detection and prevention programs have achieved unprecedented success. However, we recognize that credit and debit card fraud and theft will never be eliminated completely. Those who specialize in defrauding the financial systems are extremely sophisticated. They constantly employ new mechanisms and technologies, and continually develop new schemes. Their goals are to circumvent existing protections and stay one step ahead of detection.

Visa has long been strongly supportive of legislative efforts to address financial fraud in its many forms. For instance, we have been actively involved in efforts to address the problem of identity theft (i.e., the unlawful assumption of a consumer’s identity for the purpose of defrauding the consumer and financial institutions). In particular, Visa supports the Identity Theft and Assumption and Deterrence Act of 1998, which was introduced in the House by Representative Shadegg (H.R. 4151) and in the Senate by Senator Kyl (S. 512). This legislation would prohibit activities performed "with the intent to commit, or otherwise promote, carry on, or facilitate" identity theft. We believe that, if enacted, this legislation would provide significant protections to consumers and financial institutions alike, and substantially reduce the incidence of this type of fraud.

Visa applauds Chairman Leach, Representative Castle, Representative LaFalce, and the other Members of the Committee for rapidly focusing on one of the more recent fraud-related schemes -- namely, the theft of consumer information from financial institutions by unscrupulous information brokers. These information brokers frequently obtain this information by engaging in so-called "pretext calling." This involves an information broker posing as a customer and badgering an institution with inquiries until the broker finds an employee who is duped into providing information about that customer’s accounts or other holdings. It has been reported that these information brokers then make that information -- which may include details about account balances, investments such as stock portfolios and mutual funds, and even the contents of safe-deposit boxes -- available for sale to others, including through the World Wide Web. The fraudulent information brokers not only victimize consumers, but financial institutions as well. The innocent employee believes he is providing helpful customer service to a valued bank client.

Visa’s extensive experience combating financial fraud underscores the importance of addressing this problem in a manner that provides adequate flexibility to cover all forms of fraudulent activity by information brokers, no matter how cleverly those activities may be designed to avoid detection and prosecution under the law. Based on our experience, we believe legislative approaches that attempt to enumerate a list of prohibited fraudulent activities should be avoided. They create the potential for gaps in coverage that may be exploited in years to come by crafty criminals armed with new technologies. Remember, probing for weaknesses and "chinks in the armor" is what unscrupulous information brokers and those bent on defrauding banks and their customers do for a living. In addition, any attempt to enumerate specifically every prohibited activity runs the risk that unanticipated criminal acts will not be included, with the future implication that at least some of those activities are permissible. Our experience shows that sophisticated thieves and other fraudulent operatives will identify these gaps in statutory coverage. They will exploit them to the greatest extent possible in the years to come.

Visa recommends that, to guard against this problem, any bill that addresses the practices of unscrupulous information brokers should be drafted broadly enough to address the key issue -- the fraudulent obtaining of consumer information from financial institutions by unscrupulous information brokers. Such legislation should be comprised of a blanket prohibition on obtaining consumer information from a financial institution with intent to defraud or with intent to assist another person in doing so. This approach provides the flexibility necessary to prohibit the fraudulent activities of information brokers and others, now and in the future, no matter how fraud schemes may be structured. Furthermore, since there is no doubt that these fraudulent activities are criminal acts, we also recommend that such legislation treat the offense solely as a criminal act, determined by the well-established legal elements of fraud, rather than as a civil offense. In this regard, Visa has been strongly supportive of the establishment of sentencing guidelines that encourage the levying of appropriately severe penalties on individuals who commit financial fraud -- particularly fraud involving credit and debit cards -- and that also serve as an effective disincentive for those who consider engaging in this type of fraud.

We believe that H.R. 4321, the "Financial Information Privacy Act," with certain modifications, can provide a useful first step toward addressing this problem. In particular, section 1003(a) of the draft contains the framework upon which an effective prohibition could be structured. We are concerned, however, that the language included in section 1003(a) could have unintended consequences. It could prohibit certain activities which would not rise to the level of a criminal act. For example, under section 1003(a)(1), it would be a crime for a consumer to obtain his or her own information if the consumer misstated the reason for obtaining the information (e.g., where the consumer wishes to conceal the true reason for obtaining the information, such as in connection with a tax audit, criminal investigation, or a divorce proceeding). Similarly, a reporter or an academic conducting research on public offerings would be guilty of a crime under section 1003(a)(1) if the researcher obtained a publicly available prospectus from an investment banker, while representing that he or she was interested in purchasing stock rather than revealing the true research motives. Although misstating the truth in such contexts may raise moral questions, it would not appear appropriate to subject such behavior to criminal sanctions.

This issue could, however, be addressed by modifying section 1003(a) to prohibit only those activities that are conducted with "intent" to defraud or otherwise harm the financial institution or consumer. By using an intent standard, the legislation would comprehensively prohibit the types of activities in which unscrupulous information brokers engage, without inadvertently criminalizing behavior which may, in some cases, be morally questionable but which should not be criminally actionable.

This same type of issue would arise under subsection (b) of section 1003 of the bill. That subsection prohibits any person from receiving previously stolen customer information if the person knows or has reason to know that it was obtained in a manner which violates section 1003(a). This prohibition would have the unintended consequence of causing even innocent parties to be subject to the criminal prohibition. For example, if a diligent consumer or financial institution hires a private investigator to retrieve stolen information from an unscrupulous information broker, that investigator would violate the prohibition in subsection (b) once he or she successfully obtained the information. Furthermore, the consumer or the financial institution also would violate section 1003(b) if the investigator provided the information to the consumer or the financial institution. This illustrates the importance of including a fraudulent "intent" standard in any such prohibition.

Furthermore, the focus of today’s hearing is on an issue that has arisen in the context of, and most directly impacts, financial institutions. Thus, Visa strongly recommends that if legislation on this matter grants enforcement authority to any government agencies, the appropriate enforcement authorities are the federal banking agencies. The Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision have the experience, expertise and existing authority to address issues relating to financial institution fraud. In addition, provisions granting enforcement powers to the federal banking agencies should be structured to ensure the agencies are granted authority to investigate and prosecute the information broker. Section 1004 of H.R. 4321 would create confusion on this point because it incorporates enforcement provisions typically used by the banking agencies to address violations by a financial institution. The enforcement provisions appear unnecessary and inappropriate to prosecute fraudulent acts in which financial institutions are the victims of unscrupulous information brokers. In order to address this issue, we recommend that section 1004 be modified to clarify that the federal banking agencies have authority to proceed against "any person who violates the provisions [of H.R. 4321] with respect to" the banking organizations within their respective jurisdictions. This would enable the banking agencies to bring actions which would protect the organizations within their jurisdiction as well as the consumers who are victimized by these information brokers.

Finally, it is important to note that existing law already provides significant protections to consumers who are harmed when their personal information is stolen and used to engage in unauthorized transactions in the consumer’s name. For example, under the federal Truth in Lending Act, if a thief steals a cardholder’s credit card account number, the consumer’s liability is limited to $50 for unauthorized use of the card. Many Issuers voluntarily provide even greater protection by eliminating the credit cardholder’s liability entirely. The federal Electronic Fund Transfer Act also provides similar protections for debit cards, which are strengthened for Visa cardholders by the voluntary liability rules adopted by Visa and its members.

* * * * *

Once again, Visa appreciates the opportunity to appear before you today. Combating fraud is a top priority for Visa and its member financial institutions, and we strongly support the efforts of Chairman Leach and the Members of this Committee to address the fraud issues that have recently arisen in the context of certain practices of information brokers. We look forward to working with the Committee and its staff to develop legislative responses to this problem that appropriately protect consumers and financial institutions from fraudulent information brokers, while not unnecessarily impinging on innocent parties. I will be happy to answer any questions that you may have.