NAFCU Services Blog

May 24, 2023
Categories: Fraud Credit Cards

Regulatory Rundown: Reg II Impacts and Takeaways

By: Ann Davidson, VP of Risk Consulting | Allied Solutions

Small dollar (< $50), high volume fraudulent transactions are on the rise. More and more, small dollar fraud can be traced back to PINless transactions. Either the merchant does not require the PIN for small dollar transactions or the transaction is made in a remote environment.

With card not present (CNP) transactions now making up 33% of all plastic card transactions ecommerce merchants want a seat at the payment rails table. The rise in digital transactions led to Regulation II including card not present transactions, allowing ecommerce merchants to route the transaction down their network of choice and impact the interchange fee the ecommerce merchant will receive.

What is Regulation II?

Regulation II initially went into effect in 2011 to establish two unaffiliated network choices along with interchange fees debit card present transactions. A Reg II amendment is going into effect in 2023 that will impact card not present debit transactions. Card not present transactions include all remote transactions where the card wasn’t swiped, tapped, or inserted. By nature, these transactions are performed online and there is no option to enter a PIN in a remote environment.

Who is impacted by Reg II?

All financial institutions who issue debit cards must adhere to Reg II for CNP offering at least two unaffiliated networks for routing of the transaction. Based on the limited security measures in place, card holders may be impacted by an increase in fraudulent transactions.

What are the new Reg II rules?

Under the previous 2011 Reg II rule, all debit card issuers were required to have at least two unaffiliated networks for card present debit transactions. Now all card not present transactions must adhere to the enhanced Reg II rule. An unaffiliated network is a payment system other than Visa or MasterCard (i.e., STAR, Pulse, NYCE etc.)

Are there any fraud concerns involving Reg II?

Yes. There are concerns that an increase in unaffiliated networks will cause a spike in fraud. When a transaction is PINless (which constitutes a CNP transaction) the ecommerce merchant decides which network to use. In the absence of a PIN, the transaction is routed down the debit PIN rails for authorization. The online merchant will use the least expensive routing which may translate to less protection for your credit union and your member.

Another concern is that certain network rules may prevent your financial institution from having dispute or chargeback rights. This can become very costly for your credit union when multiple fraudulent transactions are involved.


How can my credit union stay protected AND compliant?

Credit unions need to be aware of the impending requirement for two unaffiliated networks in place for CNP transactions and prepare for the implementation of Reg II for card not present transactions.

Have at least two unaffiliated networks in place. The Federal Reserve Board believes that this rule will “encourage competition between networks and incentivize them to improve their fraud-prevention capabilities.” Credit unions must have two unaffiliated payment networks to remain compliant.

Review your network agreements. Payment network agreements may have been signed years ago so it’s important to make sure your networks are providing up-to-date protection. Review all network agreements and operating rules to understand your velocity limits, the maximum number of transactions that can be performed in a 24-hour period on a single debit card. Inquire with your network providers if a PIN for debit transactions in a card present environment can be made mandatory.

Explore additional layers of security. Other layers of security should include address verification, 3DSecure 2.0, an enterprise fraud monitoring system and CVV2/CVC2/CID verification for CNP transactions. When investigating potentially fraudulent transactions, confirm entry codes. Card present/chip-on-chip will be entry mode code 05 whereas card not present/key entered transactions will have an entry mode code 01 or 81. Investigate what settings on your core system can limit the number of transactions on the same card.

How can members stay protected?

Members likely have no awareness of the impact Reg II may have on their money security. They simply need to complete their transaction. Members can stay protected against fraud by continuing to monitor their account balances and verify that each transaction is legitimate.

Regulation II rules are expanding this summer. Is your fraud prevention strategy ready?

Credit unions and members alike must stay vigilant and resilient against all types of card fraud.

*The information provided on this article does not, and is not intended to, constitute legal advice. Instead, all information on this article are for general information purposes only and the financial institutions should work with their legal counsel with respect to any legal matter referenced on this article.


About the Author