Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)

Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign. Pursuant to Presidential Policy Directive (PPD) 41, the FBI, CISA, and ODNI have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to this significant cyber incident. The UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities. This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.

As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims, and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action.

As the lead for asset response activities, CISA took immediate action and issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products from their network. CISA remains in regular contact with our government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident. CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises.

As the lead for intelligence support and related activities, ODNI is helping to marshal all of the Intelligence Community’s relevant resources to support this effort and share information across the United States Government.

To report suspicious or criminal activity related to information found in this statement, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices. To request incident response resources or technical assistance related to this statement, visit https://www.us-cert.gov/report.

New York credit card surcharge rules US Supreme Court Update

Can general businesses in New York State surcharge credit cards? No, it’s illegal. The US Supreme Court recently ruled on credit card surcharge rules in the class action lawsuit Expressions Hair Design, et al., Petitioners v. Eric T. Schneiderman, Attorney General of New York, et al. Judgment was issued May 1 2017, sending the case back to the lower court.

US Supreme Court History of case
https://www.supremecourt.gov/search.aspx?filename=/docketfiles/15-1391.htm

EXPRESSIONS HAIR DESIGN v. SCHNEIDERMAN
808 F. 3d 118, vacated and remanded. https://www.law.cornell.edu/supremecourt/text/15-1391

Expressions Hair Design v. Schneiderman, NYS Attorney General oral arguments
https://lawaspect.com/case-expressions-hair-design-v-schneiderman/

EXPRESSIONS HAIR DESIGN LLC v. SCHNEIDERMAN, Decided: September 29, 2015
http://caselaw.findlaw.com/us-2nd-circuit/1714180.html

EBA paves the way for open and secure electronic payments for consumers under the PSD2

The European Banking Authority (EBA) published today its final draft Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. These RTS, which were mandated under the revised Payment Services Directive (PSD2) and developed in close cooperation with the European Central Bank (ECB), pave the way for an open and secure market in retail payments in the European Union.  

Following 18 months of intensive policy development work and an unprecedentedly wide number of stakeholders’ views and input, these final draft RTS are the result of difficult trade-offs between the various, at times competing, objectives of the PSD2, such as enhancing security, facilitating customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation, and enhancing competition through new payment initiation and account information services.   

The EBA received 224 responses to its Consultation Paper, in which more than 300 distinct concerns or requests for clarifications were raised. In the feedback table published today as part of the RTS, the EBA has summarised each one of them and provided its assessment as to whether changes have been made to the RTS as a result of such concerns.   

In particular, one of the key concerns addressed by these final draft RTS relates to the exemptions from the application of strong customer authentication on the basis of the level of risk involved in the service provided; the amount and recurrence of the transaction; and the payment channel used for the execution of the transaction. In this respect, the EBA has introduced two new exemptions: one based on transaction-risk analysis based on defined fraud levels and the other for payments at so-called ‘unattended terminals’ for transport or parking fares. The exemption on transaction-risk analysis is linked to a predefined level of fraud and is subject to an 18-month review clause after the application date of the RTS.

In addition, the EBA has also increased the threshold for remote payment transactions from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication, so as better to ensure the technological neutrality of the RTS and to facilitate future innovations.    

With regard to the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service providers (PISPs), the EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. This is linked to the PSD2 no longer allowing the existing practice of third-party access without identification (at times referred to as ‘screen scraping’ or, mistakenly, as ‘direct access’) once the transition period provided for in PSD2 has elapsed and the RTS applies.

However, in order to address the concerns raised by a few respondents, the final RTS now also require that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.  

Legal basis and background

The draft RTS have been developed according to Article 98 of the revised Payment Services Directive (EU) 2015/2366 (PSD2), which mandates the EBA, in close cooperation with the ECB, to draft Regulatory Technical Standards (RTS) specifying the requirements of the strong customer authentication (SCA), the exemptions from the application of SCA, the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials, and the requirements for common and secure open standards of communication (CSC) between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers (PSPs). The PSD2 provides that the RTS will apply 18 months after adoption of the RTS by the EU Commission as a Delegated Act.


Financial CHOICE Act Will Turbocharge the American Economy

Washington, June 28, 2016 – 15 national conservative organizations and prominent activists announced they “wholeheartedly endorse” the Financial CHOICE Act, saying the Republican plan to replace the failed Dodd-Frank Act will “turbocharge the American economy.”

“If we want the economy to improve — if we want to give all Americans the chance to prosper again — we need to put an end to Washington’s destructive regulatory agenda once and for all,” the conservative groups write in their endorsement letter.  “The Financial CHOICE Act aims to curb regulations to create opportunity and choice for investors, consumers, and entrepreneurs nationwide.”

The conservative organizations highlighted key features of the Financial CHOICE Act in their endorsement, noting the Republican plan will end taxpayer-funded bailouts for “too big to fail” banks, demand accountability from financial regulators, and “end the crony debit card price control scheme.”

“The Financial CHOICE Act will replace Dodd-Frank’s Orderly Liquidation Authority, which allows financial institutions to be bailed out at the taxpayers’ expense, with a newly updated subchapter of the bankruptcy code.”

“The Durbin Amendment imposed price controls and other mandates on debit card transaction fees with the false promise that billions would be passed on to consumers. Consumers have not received the promised discount. In fact, studies show that many consumers have lost access to free checking and debit card rewards as a result.”

“Housed at the Federal Reserve, the CFPB has the ability to put entire industries out of business with the snap of its fingers. Its unelected director can simply declare financial products “abusive” and outlaw them without Congressional approval. The Financial CHOICE Act will replace the single director with a bipartisan, five-member committee subject to congressional oversight and appropriations.”

“Dodd-Frank is a failure.  Democrats told us it would ‘promote financial stability,’ ‘end Too Big to Fail,’ and ‘lift the economy.’  But Dodd-Frank has done the exact opposite,” said House Financial Services Committee Chairman Jeb Hensarling (R-TX).  “The Financial CHOICE Act offers economic growth for all and bank bailouts for none.  It’s the Republican plan to reignite growth by replacing Dodd-Frank with real reforms that work.”


To learn more about the Financial CHOICE Act, visit FinancialServices.house.gov/CHOICE.

 

Merchants Oppose Poison Pill That Undercuts Competition, Main Street and Consumers

“Without debit reform’s competition-enhancing standards, banks would be free to return to the days of unfettered price fixing.”

June 24, 2016 WASHINGTON (BUSINESS WIRE)

Yesterday, Chairman Jeb Hensarling of the House Financial Services Committee gave a speech about his commitment to helping Main Street and ending government bailouts. Unfortunately, the draft bill he released later in the day does the exact opposite.

Section 335 of Chairman Hensarling’s discussion draft of the “CHOICE Act” favors the interests of fewer than two percent of the nation’s largest banks and the credit-card brands over the interests of small retailers, their employees and consumers in every Congressional district in the country.

This bill would turn back reforms that created a freer market and prevented Visa and MasterCard from price-fixing the fees their member banks charge merchants when customers swipe a debit card to buy something. Rep. Hensarling would turn the clock back six years to when financial institutions operated this “swipe fee” business as a rigged market without competition.

The reforms Rep. Hensarling proposes to repeal also brought competition into the debit-routing market, where previously there was none. Repealing these reforms removes requirements for networks to compete and paves the way for network monopolies, reducing our payment security while raising costs for all American consumers and retailers and harming our economy as a whole.

“Without debit reform’s competition-enhancing standards, banks would be free to return to the days of unfettered price fixing,” said Mallory Duncan, chairman of the Merchants Payments Coalition and senior vice president and general counsel at the National Retail Federation. “It’s important to remember that despite the smokescreen the big banks put up, debit reform is an incontrovertible success and should be protected.”

Join the millions of Main Street businesses in every Congressional district in calling for Chairman Hensarling to remove his poison-pill language that leaves the debit-card market without competition.

The Merchants Payments Coalition represents 2.7 million stores, including restaurants, supermarkets, drug stores, convenience stores, gas stations, on-line merchants and others, with 50 million employees, fighting unfair credit-card fees and working for a competitive and transparent system for merchants and consumers.

Contacts
Merchants Payments Coalition
Michael Flagg, 202-253-4164