The media attention on the Equifax breach has been primarily on consumer harm. There's real consumer harm, but it's generally not direct pecuniary harm. Instead, the direct pecuniary harm from the breach will be borne by banks and merchants, and it's going to expose the move to Chip (EMV) cards in the United States without an accompanying move to PIN (as in Chip-and-PIN) to be an incredibly costly blunder by US banks. Basically, Visa, Mastercard, and Amex have built the commercial equivalent of the Maginot Line. A great line of defense against a frontal assault, and totally worthless against a flanking assault, which is what the Equifax breach will produce.
Let's start with consumer harm before getting to the Chip issue. The consumer harm here is real, but it's complicated. Assuming that the hackers use/sell the stolen information, I would expect them to do one of two things (these aren't the only possibilities, but they're probably the easiest). First, they can open up new accounts by pretending to be a different consumer. I would expect this to be primarily credit card accounts, as it's possible to apply remotely, and no bank account is needed to pull off the fraud. Many card issuers verify consumer ID on applications primarily using credit report data, and that data source is now utterly compromised.
It's possible that fraudsters will borrow money on other types of loans, but they will generally need to have bank accounts into which the disbursed funds can be deposited and/or appear in person, and that will just make the fraud more difficult. Getting a real credit card issued based on someone else's credit is by far the easiest way to monetize the data. The second thing hackers can do is file fake tax returns and get tax refunds that aren't owed to them. In other words, the hacking is only the first step in a two-step crime. First the data is stolen, then it is monetized through fraudulent transactions.
Notice who gets defrauded in both situations. It's not the consumer. The consumer is not liable for an account s/he didn't open, and has no liability to return a fraudulently induced tax refund. Yes, both situations can create a lot of hassle for the consumer, as the card issuer or the government might believe that the transactions were legitimate and that the consumer is on the hook. And the fake credit card account will affect the consumer's credit score and thus the consumer's future cost of credit, cost of insurance, and possible employment opportunities. There's plenty of consumer harm here (and this isn't to mention emotional suffering and anxiety). But there's unlikely to be direct pecuniary losses to consumers. Pecuniary losses for consumers will be in the form of having to pay for credit freezes (and unfreezes), for credit monitoring, etc. But these are expenses that the consumer chooses to incur, not expenses forced upon the consumer, even if most sensible consumers would incur at least some of them (namely credit freezes).
Allocation of Fraud Losses: the Chip Card Maginot Line
So who bears the pecuniary costs of the fraud enabled by the hacking? With the fake tax returns, it's the government, be it the US Treasury or state and local tax authorities. With the credit cards, however, it's more complicated. Federal law provides that consumers are not liable for unauthorized credit card transactions beyond $50. Card network policies (which are probably not specifically enforceable by consumers, but which would surely be UDAAP/UDAP violations if not honored) generally waive all consumer liability. So this means consumers aren't on the hook. Instead, losses fall on card issuers and merchants, with card network (Visa/MC/Amex) rules determining the allocation.
Card network rules prescribe that for card-not-present transactions, such as all on-line transactions, the merchant generally absorbs fraud losses. Since 2015, card network rules in the US have also prescribed that for card-present transactions, when a physical card is presented, the bank bears the loss unless the card is a Chip card. If the card is a Chip card and the merchant does not use a Chip reader, then the loss shifts to the merchant. But if the card is a Chip card and the merchant does use a Chip reader, the loss shifts back to the bank.
Most cards being issued in the US are now Chip cards. The whole purpose of Chip technology is to make it difficult to physically counterfeit credit cards. It's easy enough to make a fake magnetic stripe card. But Chip cards include a microchip that is much more difficult to forge. In this regard, Chip cards are like the Maginot line. They are built to withstand a direct assault by a fraudster Wehrmacht. But they have a huge vulnerability—they rely on the issuer only issuing the cards to the right consumers. If a Chip card is issued in the name of a real consumer to a fraudster, the issuing bank is stark naked. The card is a real, legitimate card. That's exactly what the fraudsters should be able to get with the Equifax data. The use of such a fraudulently issued card may not even trigger any antifraud alerts, and if it does, it will be the fraudster who is contacted, not the consumer in whose name the card was issued. So just as the Maginot line turned out to be rather useless because it wasn't extended all the way to the English Channel, allowing the Wehrmacht to flank it through the Ardennes, so too is Chip by itself vulnerable to this sort of "flanking" attack. (To be fair, there are some other vulnerabilities for Chip cards--if the Chip is disabled, for example, the card then falls back to magnetic stripe use at most merchant terminals, and that allows for old-fashioned counterfeiting fraud.)
Now if we were in the pre-Chip world in the US, the situation would be the same: the card issuer would be liable for card-present fraud. But now after a major investment by issuers and merchants in new security technology, we see the result being sort of like the huge expense of building the Maginot line. Yes, it prevented the Wehrmacht from rolling through Alsace. But all it meant was that they had to side-step it through Luxembourg and Belgium.
Where the direct pecuniary losses fall will depend on whether fraudsters use the fake accounts for on-line transactions (probably safer for them, as they aren't going to have to appear in person) or for in-person, card-present transactions. For the card-present transactions, the issuers will be eating the fraud losses; for the card-not-present transactions, the merchants will absorb them. This seems quite unfair to merchants--they have no ability to prevent this sort of fraud loss, yet they will be the ones absorbing the costs for the card-not-present fraud, even though the card issuers are the least cost avoiders of the harm because they could better screen card applications. Given the number of consumers whose data was involved, the potential losses for both merchants and banks are staggering and potentially systemic.
All of this leaves me wondering what bank regulators are advising about know-your-customer compliance for card issuers in the wake of this data breach. Can card issuers that rely on data from CRAs for consumer ID verification actually be said to have verified their customers now? I can't see how, although I also don't see regulators doing anything about it because the alternative would seriously upset the card issuer business model. What we're likely to have, then, is a regulatory bailout of card issuers by virtue of inaction and nonenforcement of KYC rules. Let's just hope that there isn't a fraudulently issued card that ends up being used for terrorism finance. This is something about which Congress should really press the prudential regulators: how are they going to ensure that the banking system is protected against massive fraud and how are they going to ensure that the fraud isn't used for terrorism finance or other nefarious purposes?
This afternoon, I am off to New Orleans and the annual meeting for the National Association of Bankruptcy Trustees (NABT). Tomorrow (September 15) from 12:30 - 2:30 PM, we are holding a public meeting for the Committee on Chapter 7 of the American Bankruptcy Institute's Commission on Consumer Bankruptcy. If you are at the NABT meeting, come and listen to our full schedule of fourteen speakers. The room location should be in the program and will be in the public meeting space for the conference.
If you would like to speak to us, there will be another opportunity for persons attending the National Conference of Bankruptcy Judges (NCBJ) in Las Vegas. The Committee on Case Administration & the Estate will be holding a public meeting at NCBJ on the morning of October 10. More information about requesting a time to speak is available at the call for participation. There also will be public meetings for the full Commission at the ABI's Wedoff Consumer Bankruptcy Conference to be held in November in Chicago, Illinois, and the Winter Leadership Conference to be held in December in Palm Springs, California.
Of course, you don't have to come to a meeting to send us your suggestions and comments. Anyone can send an email to ConsumerCommission@abiworld.og. I route all of those emails directly to the persons working on the issues raised as well as make them available to everyone involved with the Commission. Now is a particularly good time to write us as the committees are working on preliminary drafts. The topics the Commission is addressing are also available on our web site.
A historic vote was announced overnight that signals a new era for large pension reform. As is often the case, "reform" here means that ordinary, hard-working folks will suffer a significant amount of pain as big companies are relieved of some liabilities, but the hope is it will be less painful than the alternative. The revolution began in 2014, when Congress adopted the Multiemployer Pension Reform Act (MPRA). The Pension Benefit Guaranty Corporation guarantees a portion of the benefits due to participants in pension plans that have become insolvent, but as a result, it is also facing a nearly $100 million shortfall in its ability to cover the projected volume of its existing guarantees. Congress attempted to avert disaster by allowing particularly large and especially distressed pension funds to slash benefits themselves in order to maintain solvency. Ordinarily, this extraordinary action would, if possible at all, require an insolvency filing and court oversight of some kind, but the MPRA allows plans that aggregate benefits for many companies (multiemployer plans) to apply to the Treasury Department for administrative permission to abrogate their pension agreements and cut benefits with no court filing or general reorganization proceeding. There are, of course, restrictions on the level of distress required for such a move and the degree of proposed cuts, but the MPRA allows large pension funds to reduce the pension benefits of thousands of beneficiaries with simple administrative approval. The plan participants get a vote on such proposals, but the law builds in a presumption: Treasury-approved cuts go into effect unless a majority of plan beneficiaries votes to reject the cuts. The Obama Treasury rejected the first five applications and approved only one during the course of 2016. A change in administrations has predictably turned this around, as the Trump Treasury has approved two more applications and rejected none in the first nine months of 2017.
The most notable approval was for the New York Teamsters Conference, a $1.2 billion fund covering nearly 35,000 beneficiaries of nearly 200 companies. The Trump Treasury wasted no time in approving within less than three months the New York Teamsters fund's May 2017 application for benefit cuts of about 20% for active participants (a small minority) and about 30% for retired participants (the great bulk of beneficiaries). Plan beneficiaries were polled on this approved application, and more than 2:1 voted against it. But as in the other two cases of approved cuts, about two-thirds of participants failed to cast a ballot, so the presumption of approval was not rebutted; that is, a majority of voters did not reject the cuts, as non-voters were counted as "yes" votes.
This is a massive change in direction for pension reform and the process by which it is achieved. An anti-labor Trump administration can be expected to approve many more of these benefit cut applications--for better or worse--and a quiet revolution in pension reform will occur with very little neutral oversight. Maybe this is better than watching many multiemployer plans collapse under the weight of a growing pension burden, possibly bringing the PBGC down with it, but this is a disturbing development no matter how one feels about pension reform generally.
We are about to hit an anniversary of sorts, a year since Venezuela was surely going to default on its debt ... except that it still hasn't, so the U.S. government has decided to nudge it along. Retroactive debt sanctions imposed on August 25 prohibit, among other things, extending new credit to the government of Venezuela and its state oil company PDVSA beyond 30 days and 90 days, respectively, as well as any transactions in previously issued government debt, and, separately, any direct or indirect, old or new bond-buying from the Venezuelan government. The sanctions are a big headache for U.S. bank compliance departments, but they also got some glorious creative juices running. Mark & Mitu offer a contrarian reading of the sanctions order and one of the general licenses issued by the Treasury's Office of Foreign Assets Control (OFAC) as part of its implementation. As M&M read it, Venezuela cannot restructure all its debt in a debt swap (that would require issuing new bonds), but it could amend some of its old bonds using collective action clauses (CACs), and gain breathing room until oil prices recover, things change, or pigs fly.
The M&M reading rests on an OFAC license passage that seems to undo a chunk of the executive order: it permits "all transactions related to, the provision of financing for, and other dealings in" previously issued Venezuelan securities listed in the annex to the license. The list includes nearly all outstanding Venezuelan debt securities, except one bond that the government had issued to itself last December and tried to unload at a deep discount in May-June. (An extra-dodgy specimen.) Would "all transactions related to" and "financing for" Venezuela's outstanding bonds include amending the bond terms to give Venezuela more time to repay ... or even writing down the debt?
The idea behind the license seems to be to let U.S. banks trade outstanding Venezuelan debt for as long as they do not send new money to the Maduro government. Here is OFAC on the idea behind this Rube Goldberg set-up:
The Government of Venezuela is selling assets for much less than they are worth at the expense of the Venezuelan people and using proceeds from these sales to enrich supporters of the regime. Bonds and other securities are among the assets being sold. The prohibitions and related general licenses are meant to prevent U.S. persons from contributing to the Government of Venezuela's corrupt and shortsighted financing schemes while mitigating market disruptions and harm to investors.
As M&M concede, amending old bonds to give breathing room to the Maduro government would surely run counter to the stated purpose of the executive order-license package. My hunch (DISCLAIMER: AM NO SANCTIONS EXPERT) is that the U.S. government would also view such an amendment as an extension of new credit to Venezuela. OFAC pretty much says so in its Venezuela FAQ:
These prohibitions [on issuing new debt] extend to rollover of existing debt, if such rollover results in the creation of new debt with a maturity of longer than 90 days (with respect to PdVSA) or longer than 30 days (with respect to the rest of the Government of Venezuela). [emphasis added]
So maybe an amendment is not, strictly speaking, a "rollover," but what U.S. bank would want to argue the point with its regulators, let alone OFAC? Consider also OFAC's analysis of drawdowns under existing credit facilities:
If a U.S. person entered into a long-term credit facility or loan agreement prior to the sanctions effective date, drawdowns and disbursements with repayment terms of 90 days or less (for PdVSA) or 30 days or less (for the rest of the Government of Venezuela) are permitted. Drawdowns and disbursements whose repayment terms exceed the applicable authorized tenor are not prohibited if the terms of such drawdowns and disbursements (including the length of the repayment period, the interest rate applied to the drawdown, and the maximum drawdown amount) were contractually agreed to prior to the sanctions effective date and are not modified on or after the sanctions effective date. U.S. persons may not deal in a drawdown or disbursement initiated after the sanctions effective date with a repayment term of longer than 90 days (for PdVSA) or 30 days (for the rest of the Government of Venezuela), if the terms of the drawdown or disbursement were negotiated on or after the sanctions effective date. Such a newly negotiated drawdown or disbursement would constitute a prohibited extension of credit. [emphasis added]
OFAC reiterates this concern with newly negotiated terms, rather than a distinct new IOU, when it gives the green light for U.S. firms to sell their participations in long-term loan facilities ... so long as Venezuela does not get better terms in the bargain.
M&M may well be right that there is daylight between new advances and forgoing payments on old advances, but I just do not see any regulated firm taking the risk. Compliance departments are already running ragged looking for disguised Venezuelan government entities lurking behind every trade. ("U.S. persons are not authorized to purchase, directly or indirectly, bonds on the List of Authorized Venezuela-Related Bonds from the Government of Venezuela." See also Sec. 1(b) of the Executive Order.) Messing around with sanctions is front-page ugly, and banks have to keep their noses clean and their eyes on the prize.
This post diagnoses what went wrong with Equifax and proposes a solution: a public utility regulation regime for consumer reporting agencies in which the CRAs would be restricted in their ability to pay dividends and executive compensation unless they meet certain performance metrics in terms of reporting accuracy, dispute resolution, and data security. Here goes:
If we’re going to have any chance of fixing things with Equifax and other consumer reporting agencies (CRAs), we have to first diagnose what went wrong. Let’s start by keeping in mind that CRAs are essential utilities for consumer credit markets. Consumer credit markets depend on the integrity of the data collected by the CRAs, and part of that data integrity is its security, as with data stolen from a CRA it’s possible to open false accounts.
On the simplest level the problem here is a theft (let’s call this hacking what it is), and Equifax is itself a victim. The problem here isn’t poor Equifax, however, but that there are huge externalities from the theft. If it were just Equifax’s internal operating plans or the secret sauce for the Vantage score that were stolen, the hacking wouldn’t be a matter of public policy concern. But it was consumer records that were stolen, and that means there’s a huge externality from the theft. First, there’s just a loss of consumer privacy, but second, and more alarming, is that those records can be used to create fraudulent accounts, which will potentially harm consumers’ credit in the future.
Now notice that this hacking is different from that of say Target. When Target suffered a data security breach it lost customer records. Equifax didn’t lose customer records. It lost consumer records. That’s an important distinction, and it goes to the heart of the problem with the CRAs. Consumers can, in theory, avoid harm from a data security breach at a merchant by not doing business with the merchant. Moreover, if a consumer believes that a merchant hasn’t been responsible in handling data, the consumer can withhold future business from the merchant.
To be sure, it’s very hard for consumers to evaluate data security at businesses, and few consumers are likely to make purchasing decisions based on merchant data security. But it’s at least theoretically possible with regular merchants. It’s not possible for a consumer to withhold business from a CRA because the consumer does not have a business relationship with the CRA. And this is the key problem: we have a consumer financial services market in which consumers cannot vote with their pocketbooks. Credit reporting isn’t the only market like this—consumers can’t choose their loan servicers or debt collectors—and those markets too have lots of problems because competition isn’t forcing better treatment of consumers. That means, among other things, that there is no punishment in the market for failing to take care of consumer records. So lack of consumer-market competition is problem 1 with CRAs.
Problem #2 is that CRAs are huge hacking targets. When Willie Sutton was asked why he robbed banks, he replied incredulously, “Because that’s where the money is.” That’s the problem today. Consumer data, particularly payments data, but also credit histories, is readily monetizable. That makes anyone sitting on such data a target for hacking. CRAs are sitting on massive lodes of consumer data because they’re able to do so. Consumers can’t stop ‘em because consumers don’t own the data they produce. But this means we have a bunch of very tempting targets with limited incentives to take care about protecting that data (or ensuring that it is 100% accurate).
So what can we do with these problems? Let’s start with this. We’re not going to get rid of hacking. We can enact a Bloody Code or the like, but it’s not going to stop hacking, especially as it can increasingly be done internationally. Instead, we need a system that incentivizes CRAs to take the appropriate level of care. That means that the CRAs need to “internalize” the costs of the externalities that are produced when they are hacked as they are the “least cost avoider” of the hacking. How can we do that?
Let me start with what I think won’t work: an ex post liability regime. There have been calls to increase CRAs’ liability for breaches and/or inaccurate consumer files. I’m all for that, but I don’t think an ex post liability regime will ever be enough to sufficiently change CRA behavior, especially as a host of procedural problems will continue to bedevil consumer litigation. There will never be complete cost internalization by CRAs even with a much stronger ex post liability regime.
Instead, I think we need to consider moving to a public utility regulation regime for CRAs. What I have in mind is a system in which the CRAs’ ability to pay dividends to shareholders and to dole out executive compensation would be restricted and tied to their meeting various performance standards relating to consumer file accuracy, dispute resolution, and data security.
Public utility regulation is far from perfect, but we’re looking at a situation here in which there is no market discipline because CRAs do not have consumer relationships. Private discipline through ex post liability under-deters. And a command-and-control regime of public liability also under-deters (look how well it’s worked for stopping problems like Wells Fargo). There’s no disclosure regulation tweak or even set of substantive rules that are likely to fix things. Instead, if we want to ensure a minimal level of consumer welfare effects we will have to mandate those levels and tie the CRAs’ ability to pay shareholders and executives to performance on metrics that affect consumers. CRAs profit off of consumer data because and solely because the law tolerates it. There’s no natural right to this data. Instead, the law permits CRAs to gather and sell the data. It’s quite reasonable to qualify that right with a regulatory system that ensures cost internalization.
I recognize that this would take major legislative change. So for those of you who want to play small ball, there are some more targeted fixes that are long overdue. For example, just as consumers have a statutory right to a free annual credit report, they should also have a right to place credit freezes on their accounts for free. State law in a number of states regulates credit freeze fees, but allows fees to be charged. That’s ridiculous. Freezes should be free in all circumstances. Second, federal law really ought to require that all consumer data be stored and transmitted solely in encrypted formats. That should be a no-brainer.
So that’s my proposal: create a public utility type regime for regulating CRAs. I’d do this as a board under the CFPB, sort of like PCAOB or the MSRB under the SEC, but that sort of detail seems secondary to recognizing that we need a public utility regime for CRAs.
This is a joint post by Mitu Gulati and Mark Weidemaier.
At the end of last week, press reports noted that Mr. Maduro has given the green light for restructuring talks to begin with holders of Venezuelan debt. Curiously, the Russians may lead the talks. One question is whether bondholders subject to US jurisdiction can participate in a restructuring given recent sanctions levied by the Trump administration. Press accounts suggest that the sanctions were intended to prevent this. Bloomberg reports the sanctions were "designed to prevent investors from engaging in liability management, and, if Venezuela can't pay its debt, a restructuring." The Financial Times reports likewise, quoting a senior analyst who thinks the sanctions will work: "If these sanctions stay in place, then Venezuela cannot restructure."
We accept that the sanctions were intended to block a restructuring. But they don't seem to actually do this. There is a rather large loophole that would allow Venezuela to employ a common restructuring technique. The Executive Order imposing the sanctions includes a number of prohibitions. Those contained in Section 1(a) are most important here. Subsections 1(a)(i) and (ii) forbid transactions in new debt: PDVSA debt with a maturity over 90 days, or debt issued by the Republic or its other instrumentalities with a maturity over 30 days. Next, subsection 1(a)(iii) bars transactions in old debt issued by any government entity before the Executive Order's effective date. It's the old debt, of course, that Venezuela needs to restructure. Subsection 1(a)(iii) seems to forbid that. But General License 3, issued by OFAC alongside the Executive Order, provides that:
all transactions related to, the provision of financing for, and other dealings in bonds specified in the Annex to this general license that would be prohibited by Subsection 1(i)(iii) of [the] Executive Order ... are authorized.
What's in the Annex? Only most Venezuela and PDVSA bonds.
The text of License 3 is pretty clear. It's okay to engage in transactions related to most old debt. True, the Executive Order still forbids transactions in most new debt, but the Republic does not have to issue new debt to restructure many of its bonds. That's because most bonds issued by the Republic have CACs. The payment terms of these bonds can be modified with a vote of 75% of the holders (in principal amount). There is no need for new debt.
Bonds without CACs (including PDVSA bonds) are a different story. Absent the sanctions, these bonds would likely be restructured through a technique called the Exit Amendment or Exit Consent, in which bondholders exchange old bonds for new ones and, in the process, vote to strip the old bonds of important contractual protections. This requires the issuance of new debt, so the sanctions likely forbid participation by anyone subject to US jurisdiction. Note, however, that there may be ways to work around the prohibition. For example, US investors might try selling non-CAC bonds to foreign parties. But it would be a risky move; the sanctions also forbid efforts to "evade or avoid" their effect. All in all, we suspect few investors will try.
Others have probably noticed the loophole for CAC bonds, perhaps including officials at the US Treasury. If those officials really want to bar a restructuring, they might want to plug the hole sooner rather than later.
Among emerging market countries that have needed to restructure in recent decades, Venezuela is uniquely dependent on external commercial ties, especially oil exports to the United States by state oil company PDVSA. Because of this, many wonder whether holdout creditors pose a unique threat to the country's restructuring prospects. Unlike, say, Argentina, which could keep most valuable assets away from creditors, Venezuela must worry that holdouts will seize oil receivables. PDVSA's assets include money due from U.S. customers. These intangible assets are located in the United States, where courts can easily divert them to satisfy judgments obtained by holdouts. Note that this logic assumes that courts treat PDVSA as Venezuela's alter ego--a topic discussed several times on this blog--but the assumption is plausible.
But even if we assume that courts will ignore the boundaries between PDVSA and the government, is the risk of asset seizure really so great? The scenario described above presumes that Venezuela structures oil sales to U.S. entities in implausibly straightforward ways. Suppose, for instance, that PDVSA sells oil directly to U.S. buyers in exchange for a promise to pay on delivery. In that case, sure; creditors of both PDVSA and the government will have a field day. But while I am no expert on how PDVSA structures its operations, I would be stunned if things were so simple.
For one thing, to the extent U.S. parties owe money, these debts are likely owed not to PDVSA but to direct or remote subsidiaries. (This fact presumably explains why PDVSA's bondholders wanted a separate guarantee from the company's main Venezuelan subsidiary.) So the receivables would be protected unless the entity that "owned" them was deemed PDVSA's alter ego. More importantly, PDVSA can readily export oil to the U.S. without actually selling oil--either itself or through subsidiaries--to U.S. parties. I'm also no expert in oil and gas transactions, but it should be possible to structure operations so that title to oil passes outside the U.S., ideally to an independent entity that is not itself located in the U.S. In principle, this should protect both the money due from U.S. buyers (which would not belong to PDVSA) and the consideration due from the initial purchaser (which can be transferred outside the U.S. by an entity with few or no ties to the country). True, neither PDVSA nor the government can completely eliminate the threat to oil exports. But the fact that a country depends on oil exports doesn't mean that creditors can easily find attachable assets. Nor does it mean that default will effectively shut the country out of important oil markets.