By Robin Sidel
Small banks and credit unions are banding together in a bid to
recover hundreds of millions of dollars in losses incurred from
high-profile data breaches at Target Corp. and Home Depot Inc.
Angry at being squeezed out by bigger banks, the small
institutions now are trying to upend a long-standing industry
practice in which card networks Visa Inc. and MasterCard Inc.
negotiate settlements with breached merchants and then distribute
the proceeds to affected financial institutions.
The smaller firms say the process favors the big banks, even
though the larger institutions can more easily absorb the cost of
such incidents, including issuing new cards.
The frustration reached a boiling point earlier this month, when
the lenders filed a motion objecting to terms of a settlement
Target reached with MasterCard that would see the retailer provide
$19 million to card issuers to cover breach-related losses.
On Monday, small banks and credit unions asked a federal judge
to allow them to pursue additional compensation, marking a
high-profile legal challenge to the traditional deal in which banks
surrender the right to all other reimbursement claims. The banks
contend the Target settlement would cover only a "minimal portion
of the actual SHYdamages."
Meanwhile, a similar court case filed by small card issuers
against Home Depot is drawing fresh support from two industry trade
groups. Home Depot hasn't reached a settlement with Visa or
MasterCard.
The small institutions are "looking to pursue any channel that
makes them whole," says Dan Berger, president of the National
Association of Federal Credit Unions, a trade group.
A survey of 535 banks conducted last year by the American
Bankers Association found that nearly three-quarters of banks with
assets below $1 billion didn't receive any reimbursement for
breaches between 2009 and 2014, while all banks with assets above
$50 billion were SHYreimbursed.
The brewing battle is the latest tussle between merchants and
the card industry, which have been clashing on everything from fees
to card security. It also highlights the far-reaching repercussions
of data hacks, as concerns about cybersecurity mount across all
industries.
Cardholders aren't responsible for unauthorized transactions,
although they are often inconvenienced by fraudulent transactions
on their accounts and the need to get replacement cards and new
account numbers.
Instead, the financial institutions that issue the cards are on
the hook to absorb fraud losses and pay for the cost of new
cards.
This is proportionally a bigger problem for small banks, as it
can cost them more than $10 to replace a card, whereas the nation's
biggest banks can send out new cards for closer to $3 apiece due to
the economies of scale, according to the bankers
SHYassociation.
"When you have to absorb losses for something you had nothing to
do with, it's tough," said Scott Arney, chief executive of the
Chicago Patrolmen's Federal Credit Union, which has 16,600
Visa-branded debit and credit cards in circulation and had $80,000
in fraud losses during 2014. Mr. Arney said he didn't have details
of which breaches accounted for the losses but noted that the
overall problem seems to be getting worse: The credit union has
seen $55,000 in fraud losses during the first quarter of this
year.
In a previous breach, Mr. Arney said, the credit union incurred
losses of about $150,000 and received $1,000 in an industry
settlement.
Trade groups representing community banks and credit unions
estimate they have spent more than $350 million to reissue credit
cards and debit cards and to deal with other issues related to the
Target and Home Depot breaches.
The Target breach exposed 40 million credit- and debit-card
accounts to potential fraud during the 2013 holiday shopping
season. The Minneapolis-based retailer agreed in March to pay $10
million to settle a consumer class-action suit tied to the breach,
without acknowledging wrongdoing.
Community banks and credit unions filed lawsuits against Target
that were eventually consolidated into one case that is now seeking
class-action status. Their efforts, however, were thrown into doubt
earlier this month, because the $19 million settlement that Target
reached with MasterCard calls for issuers who participate in the
settlement to give up their legal claim against Target.
Plaintiffs in the case include Umpqua Bank in Roseburg, Ore.,
which is a unit of Umpqua Holdings Corp.; Mutual Bank in Whitman,
Mass.; Village Bank in St. Francis, Minn.; CSE Federal Credit Union
in Lake Charles, La.; and First Federal Savings of Lorain in
Lorain, Ohio.
At a hearing Monday, U.S. District Judge Paul Magnuson didn't
rule on the plaintiffs' motion to allow issuers that participate in
the settlement to also pursue other ways to get reimbursed.
Previous breach settlements also have required financial
institutions to drop legal pursuits if they participate in a
settlement, but the magnitude and publicity of the Target incident
has attracted more attention from card issuers.
"We have made it very clear throughout the process that
[participation] is entirely an individual choice for issuers," said
Eileen Simon, chief franchise integrity officer at MasterCard.
A Target spokeswoman declined to comment, citing pending
litigation. The retailer defended its pact with MasterCard in a
motion filed Friday in the Minnesota court case, saying "there is
nothing even remotely unlawful" about it.
Visa, meanwhile, hasn't struck a deal with Target, but the
company said it "continues to analyze all relevant information to
ensure we reach a resolution that is accurate and fair to all Visa
clients and participants in the payments system."
Small card issuers are gearing up for a similar fight over last
year's Home Depot breach, which exposed 56 million cards to fraud
after a five-month attack on its payment terminals. A host of
issuer lawsuits against the home-repair chain have been
consolidated in federal court in Atlanta.
"Recovery amounts for credit unions and community banks are
insufficient as compared with the losses," says Diana Dykstra,
president and CEO of the California Credit Union League, which is a
trade group for 365 credit unions that are based in the state. Ms.
Dykstra's group and another trade group, Credit Union National
Association, earlier this month joined the Home Depot lawsuit.
A spokesman for Home Depot declined to comment on the
SHYlawsuits.
Write to Robin Sidel at robin.sidel@wsj.com
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for MasterCard, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US57636Q1040
Access Investor Kit for Target Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064
Access Investor Kit for Visa, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US92826C8394
Subscribe to WSJ: http://online.wsj.com?mod=djnwires