Commercial Financial Services Brief: Can My Bank Recover Costs Related to Replacing Debit or Credit Cards?

Many financial institutions are counting the costs they are incurring for replacing customer debit or credit cards as a result of recently discovered security breaches at various national retailers. These costs will be substantial for many banks. Even if a bank has not replaced and is not currently planning to replace cards, customer pressure for cards to be replaced will build as more and more breaches come to light.

Does a bank have any options to try to recoup these costs? In 2007 Minnesota adopted a law that permits card issuers to recover their costs against retailers involved in security breaches in certain cases. Minnesota is one of three states in the country that have laws authorizing card issuers to recover some costs in the event of a breach.

Specifically, Minnesota Statutes § 325E.64 provides that a business that accepts a credit card, debit card or stored value card cannot retain the contents of the card security code, PIN verification code or the full contents of the magnetic stripe data after receiving the authorization for the transaction or, in the case of a PIN debit transaction, for more than 48 hours after receiving the authorization for the transaction.  If the business violates this restriction and a security breach occurs, the business is obligated to reimburse the financial institution that issued any card affected by the security breach for the costs of reasonable actions undertaken by the financial institution to protect cardholders’ information and continue to provide services to cardholders.  The actions of a card issuer for which reimbursement may be available include:

  • the cancellation or reissuance of any access device affected by the breach,
  • the closure of any deposit accounts affected by the breach,
  • the opening or reopening of any deposit accounts affected by the breach,
  • any action to stop payments or block transactions with respect to the deposit accounts,
  • the refunds or credits made to cardholders to cover the costs of any unauthorized transactions relating to the breach,
  • the notification of cardholders affected by the breach, and
  • the recovery of costs for damages paid by the financial institution to cardholders injured by the breach.

In addition to this law, there may be other claims that might be asserted against a merchant in connection with a security breach. If your financial institution has incurred, or anticipates incurring, costs related to any of these security breaches, whether costs of reissuance of the cards, closing accounts, refunding amounts to affected customers or providing notifications to affected consumers, you should consult legal counsel to evaluate the rights you may have, whether under this law or otherwise, to recover some or all of your costs. If your bank decides to replace debit or credit cards as a result of this type of security breach, you will want to keep records of relevant facts involving the decision, including:

  • Documenting customer requests for card replacements,
  • Documenting the decision-making process regarding the appropriate response to such requests or the need to take a more proactive approach, such as simply replacing all cards that may have been affected,
  • Documenting the process used by the bank to respond to the breach, and
  • Documenting and tracking the costs incurred by the bank in making its response.