“We make sure we help members understand all the things they can do to mitigate fraud activity, such as setting up transaction alerts, adjusting daily limits on their cards, or even locking them if they are not in use,” Felder says.
Beyond member communication, Daukas at TwinStar says the credit union needs to also communicate with its board of directors, supervisory committee, and state and federal regulators.
TwinStar treats a breach as an incident that affects business continuity, so it activates its business continuity planning team. Additionally, the credit union notifies its insurance company and a third-party PR firm it holds on retainer.
After addressing administrative tasks, however, credit unions face the decision of whether to reissue credit cards.
Card reissuance, especially en masse, is a pricey endeavor for any credit union. It can also inconvenience members, especially if the breach occurs during a high-usage time, like the holiday season.
The Instant Issuance Question
Instant issuance can reduce the time a member spends without a card. Those programs carry a high up-front cost, though long-term cost and convenience savings are potentially significant.
“It’s cheaper than having to use a third party to create and mail the plastics,” Felder says.
It takes time to reissue, and the member might be without a card for some time, Redwood’s Felder says. And then wherever that card is registered, members have to update that information.
But there are tangible benefits to a mass reissue.
With new plastic, credit unions can head off fraud losses before they occur.
So, how does a credit union know when it makes more sense to reissue versus wait for potential fraud losses to occur?
Like anything else, practice helps.
“When the TJ Maxx, Target, and Home Depot breaches hit, the entire industry learned about the management of these processes,” Daukas says. “In the beginning, I would say the risk of unknown fraud losses, combined with a fearful consumer, led most credit unions to mass reissue cards.”
Now, the industry is more aware and has more data on which to base decisions.
“Unfortunately, historical evidence provides more accurate correlations,” Parker says. “Theoretically, the more breaches we have [to learn from] the better we would be at predicting losses.”
Redwood has several rules of thumb for making the decision to mass reissue, Felder says.
For example, if 15% of its card portfolio has confirmed fraud, a mass reissue is necessary.
Also, if PIN numbers are compromised as part of the breach, a mass reissue is necessary.
Further, if Redwood can identify a common point of compromise, it will reissue cards that have been used at that location and notify the merchant and local law enforcement.
The level of information compromised should also play into a credit union’s decision to reissue. Did the breach include non-public information such as Social Security numbers? If it was card-related, were card and PIN numbers stolen?
“We believe there is a spectrum of risk that runs with the volume of consumers involved and what type of information,” Daukas says.
At the end of the day, the best a credit union can do is arm members with information to keep themselves abreast of any fraudulent activity that might occur on their accounts. In conjunction, an institution should base its response not on gut feel, but on risk thresholds and other available data.
Through its own internal monitoring, TwinStar has seen how close its fraud loss assumptions need to be to its true losses before a mass reissuance strategy makes sense.
“You don’t know the fraud loss that is involved with a monitor-and-react strategy,” Daukas says. “But credit unions must use data and not gut feeling.”