FRII_20190719_omb

Supporting Statement for the
Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II; OMB No. 7100-0349)
Summary
The Board of Governors of the Federal Reserve System (Board), under authority
delegated by the Office of Management and Budget (OMB), has extended for three years,
without revision, the Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II;1 OMB No. 7100-0349). Regulation II - Debit Card Interchange Fees and Routing
(12 CFR Part 235) implements, among other things, standards for assessing whether interchange
transaction fees for electronic debit transactions are reasonable and proportional to the cost
incurred by the issuer with respect to the transaction, as required by section 920(a) of the
Electronic Fund Transfer Act (EFTA) (15 U.S.C. § 1693o-2(a)).
Regulation II limits the interchange transaction fee that covered issuers can charge for
debit card transactions. Under the rule a covered debit card issuer is allowed to receive or charge
an amount of no more than 1 cent per transaction for the costs associated with preventing
fraudulent electronic debit transactions (fraud-prevention adjustment), if the issuer complies with
the standards and requirements set forth in the rule. In addition, issuers must retain records
demonstrating their compliance with the requirements in Regulation II for at least five years after
the end of the calendar year in which the electronic debit transaction occurred, any person or
issuer subject to an investigation or enforcement proceeding involving Regulation II must retain
records pertaining to the matter until the final disposition of the matter, unless an earlier time is
allowed by court or agency order. The Paperwork Reduction Act (PRA) classifies reporting,
recordkeeping, or disclosure requirements of a regulation as an information collection.2
The estimated total annual burden for the FR II is 22,341 hours. Further, there are an
estimated 542 debit card issuers regulated by the federal financial regulatory agencies that are
required to comply with the recordkeeping and disclosure provisions under sections 235.4 and
235.8(c) of Regulation II (12 CFR 235.4 and 235.8(c)).3

1

The internal Agency Tracking Number previously assigned by the Board to this information collection was
“Reg II.” The Board is changing the internal agency tracking number for the purpose of consistency.
2
See 44 U.S.C. § 3501 et seq.
3
An entity’s primary federal financial regulator is authorized to enforce compliance with the requirements of
Regulation II (15 U.S.C. §§ 1693o(a) and 1693o-2(d); 12 CFR 235.9). However, for purposes of the PRA, the Board
is estimating the burden of complying with the recordkeeping and disclosure requirements of Regulation II for the
estimated 542 entities subject to the enforcement authority of the Board, Office of the Comptroller of the Currency,
Federal Deposit Insurance Corporation, or National Credit Union Administration (collectively, the federal financial
regulatory agencies). Such entities may include, among others, state member banks, national banks, insured state
nonmember banks, savings associations, branches and agencies of foreign banks, commercial lending companies
owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve
Act, and federally-chartered credit unions, if the entity issues a debit or credit card or authorizes the use of a debit
card to perform an electronic debit transaction, and has consolidated assets of $10 billion or more (hereinafter,
issuers). The interchange transaction fee limitations, and accordingly, the provisions on the fraud-prevention
adjustment, do not apply to (1) electronic debit transactions made using debit cards issued pursuant to a governmentadministered payment program and (2) certain general-use, reloadable prepaid cards (12 CFR 235.5).

Background and Justification
Section 1075 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
(Dodd-Frank Act),4 which was enacted on July 21, 2010, amended the EFTA by adding a new
section 920 regarding interchange transaction fees and rules for debit card transactions
(15 U.S.C. § 1690-2).
Subsection 920(a) of the EFTA required the Board to prescribe regulations establishing
fraud-related standards and other regulations relating to interchange transaction fees (15 U.S.C.
§§ 1693o-2(a)(3), (5) and (8)). Under section 920(a)(3)(B) of the EFTA, the Board may require
any issuer (or agent of an issuer) or a payment card network to provide the Board with such
information as may be deemed necessary to carry out the provisions of the subsection.5 On
July 11, 2011, the Board implemented the information collection requirements contained in
section 235.4 and section 235.8 of Regulation II.6 The recordkeeping standards in Regulation II
help to promote compliance with its underlying substantive requirements.
Description of Information Collection
Section 235.4(b)(1) and (2) - Develop and Implement Fraud-Prevention Policies and
Procedures (fraud-prevention recordkeeping requirement). Section 235.4(b)(1) requires that,
in order to be eligible to receive or charge the fraud-prevention adjustment, an issuer must
develop and implement policies and procedures reasonably designed to take effective steps to
reduce the occurrence of, and costs to all parties from, fraudulent electronic debit transactions,
including through the development and implementation of cost-effective fraud-prevention
technology. Specifically, section 235.4(b)(2) requires that an issuer’s fraud-prevention policies
and procedures address the following:
1. Methods to identify and prevent fraudulent electronic debit transactions
2. Monitoring of the volume and value of its fraudulent electronic debit transactions
3. Appropriate responses to suspicious electronic debit transactions in a manner designed to
limit the costs to all parties from and prevent the occurrence of future fraudulent
electronic debit transactions
4. Methods to secure debit card and cardholder data
5. Such other factors as the issuer considers appropriate

4

See Pub. L. No. 111-203, 1075,124 Stat. 1376, 2068-74 (July 21, 2010).
See 15 U.S.C. § 1693o-2(a)(3)(B). Section 920(a)(3)(B) of the EFTA requires the Board to disclose aggregate or
summary information, at least every two years, concerning the costs incurred, and interchange transaction fees
charged or received, by issuers or payment card networks in connection with the authorization, clearance or
settlement of electronic debit transactions as the Board considers appropriate and in the public interest. Thus,
sections 235.8(a) and (b) of Regulation II implement a reporting requirement compelling the submission of
information to the Federal Reserve (12 CFR 235.8(a) and (b)) and this reporting requirement is implemented in the
form of two surveys collected by the Board (FR 3064a and FR 3064b; OMB 7100-0344). However, the reporting
requirement contained in sections 235.8(a) and (b) is not the subject of this PRA review, as the FR 3064a and
FR 3064b surveys are separately reviewed and accounted for under the PRA.
6
See 76 FR 43478 (July 20, 2011) (adopting section 235.4 of Regulation II); and 76 FR 43394 (July 20, 2011)
(adopting other provisions of Regulation II, including 12 CFR 235.8).
5

2

Section 235.4(b)(3) - Review and Update Fraud-Prevention Policies and Procedures
(fraud-prevention recordkeeping requirement). Section 235.4(b)(3) requires that an issuer
must review its fraud-prevention policies and procedures, and their implementation, at least
annually, and update them as necessary in light of:
1. Their effectiveness in reducing the occurrence of, and cost to all parties from, fraudulent
electronic debit transactions involving the issuer
2. Their cost-effectiveness
3. Changes in the types of fraud, methods used to commit fraud, and available methods of
detecting and preventing fraudulent electronic debit transactions that the issuer identifies
from:
a. Its own experience or information
b. Information provided to the issuer by its payment card networks, law enforcement
agencies, and fraud-monitoring groups in which the issuer participates
c. Applicable supervisory guidance
Sections 235.4(c) and (d) - Annual Fraud-Prevention Compliance Notification and
Change-in-Status Notification (fraud-prevention disclosure requirements). Section 235.4(c)
requires that, to be eligible to receive or charge a fraud-prevention adjustment, an issuer must
annually notify its payment card networks that it complies with the standards under section
235.4(b). Section 235.4(d) requires that, no later than 10 days after determining or receiving
notification from the appropriate agency under section 235.9 that the issuer is substantially noncompliant with the standards set forth in section 235.4(b), the issuer must notify its payment card
networks that it is no longer eligible to receive or charge a fraud-prevention adjustment. The
issuer must stop receiving and charging the fraud-prevention adjustment within 30 days after
providing such notification to its payment card networks.
Section 235.8(c) – General Compliance Records Retention (general recordkeeping
requirements). Section 235.8(c)(1) requires that any issuer subject to Regulation II shall retain
evidence of compliance with the requirements in Regulation II for a period of not less than five
years after the end of the calendar year in which the electronic debit transaction occurred. In
addition, section 235.8(c)(2) requires that, where an issuer or person receives actual notice that it
is subject to an investigation by an enforcement agency, they must retain the records until final
disposition of the matter. Because compliance with this general recordkeeping requirement
merely involves retaining records to demonstrate fulfillment of the other individual information
collection requirements in Regulation II, and because further involvement by an employee of the
institution to retain such records is minimal, the burden associated with this general
recordkeeping requirement is negligible for purposes of the PRA and, therefore, is not included
in the estimate of respondent burden.
Respondent Panel
The FR II panel comprises state member banks, national banks, insured nonmember
banks, savings associations, and federally-chartered credit unions.

3

Time Schedule for Information Collection
The recordkeeping requirement associated with the initial development and
implementation of fraud-prevention policies and procedures under section 235.4(b)(1) and (2) of
Regulation II occurs on a one time basis. The recordkeeping requirement associated with an
issuer’s ongoing review and implementation of its fraud-prevention policies and procedures
under section 235.4(b)(3) occurs on a continuous basis and must occur at least annually.
Documentation associated with these fraud-prevention recordkeeping requirements is maintained
by each issuer; therefore, such records are not collected or published by the Federal Reserve
System.
The fraud-prevention compliance notification required under section 235.4(c) must be
provided by an issuer to its payment card networks annually. The fraud-prevention change-instatus notification required under section 235.4(d) is event-generated and must be provided by an
issuer to its payment card networks within 10 days of the issuer determining on its own, or
receiving notification from the appropriate federal financial regulatory agency, that the issuer is
substantially non-compliant with the standards set forth in section 235.4(b). These fraudprevention disclosures are not collected or published by the Federal Reserve System.
The general recordkeeping requirement in section 235.8(c)(1) of Regulation II requires
issuers to retain records that demonstrate compliance with the requirements of Regulation II for
not less than five years after the end of the calendar year in which the electronic debit transaction
occurred. Section 235.8(c)(2) states that if an issuer or person receives actual notice that it is
subject to an investigation by an enforcement agency, the issuer shall retain the records until
final disposition of the matter, unless an earlier time is allowed by court or agency order.
Documentation associated with these general recordkeeping requirements is maintained by each
issuer or person; therefore, such records are not collected or published by the Federal Reserve
System.
Public Availability of Data
There is no data related to this information collection available to the public.
Legal Status
Section 920(a)(3) of the EFTA (15 U.S.C. § 1693o-2(a)(3)), as added by section 1075 of
the Dodd-Frank Act, authorizes the Board to (1) prescribe regulations regarding interchange
transaction fees that an issuer may charge with respect to electronic debit transactions, and to
establish standards to assess whether the amount of any such fee is reasonable and proportional;
and (2) require any issuer or payment card network to provide the Board such information as
deemed necessary. Section 920(a)(5) of the EFTA (15 U.S.C. § 1693o-2(a)(5)), further provides
that the Board may allow for an adjustment to the interchange transaction fee amount received or
charged by an issuer if “(1) such adjustment is reasonably necessary to make allowance for costs
incurred by the issuer in preventing fraud in relation to electronic debit card transactions
involving that issuer and (2) the issuer complies with the fraud-related standards established by
the Board.” Section 920(a)(5) also provides detailed requirements pertaining to the fraud-related

4

standards to be established by the Board and authorizes the Board to promulgate such standards
by rule. In addition, the EFTA (15 U.S.C. §§ 1693o(a) and 1693o-2(d)) authorizes enforcement
of compliance with the requirements implemented under the EFTA by the Board for entities that
the Board has enforcement authority over under section 8 of the Federal Deposit Insurance Act
(12 U.S.C. § 1818), which covers member banks (other than national banks), branches and
agencies of foreign banks (other than federal branches, federal agencies, and insured state
branches of foreign banks), commercial lending companies owned or controlled by foreign
banks, and organizations operating under section 25 or 25A of the Federal Reserve Act
(12 U.S.C. §§ 601 et seq. and 611 et seq.).
Regulation II’s fraud-prevention recordkeeping requirements (12 CFR 235.4(b)) and
disclosure requirements (12 CFR 235.4(c) and (d)) are required in order for an issuer to obtain a
benefit (i.e., to be eligible to receive or charge the fraud-prevention adjustment). Regulation II’s
general recordkeeping requirements for issuers (12 CFR 235.8(c)) are mandatory.
The records and notifications required under sections 235.4(b)-(d) and 235.8(c) of
Regulation II are generally not submitted to the Board or the other federal financial regulatory
agencies. Accordingly, normally no confidentiality issues arise under the Freedom of
Information Act (FOIA) (5 U.S.C. § 552). In the event such records or notifications are obtained
by the Board through the examination or enforcement process, such information may be kept
confidential under exemption 8 of the FOIA, which protects information contained in or related
to the examination or supervision of a financial institution (5 U.S.C. § 552(b)(8)).
Consultation Outside the Agency
There has been no consultation outside the agency.
Public Comments
On April 8, 2019, the Board published an initial notice in the Federal Register
(84 FR 13919) requesting public comment for 60 days on the extension, without revision, of the
FR II. The comment period for this notice expired on June 7, 2019. The Board received two
comments: one from an individual and one from a group of banking associations.
The comment from the individual expressed support of the Dodd-Frank Act, and
generally expressed opposition to any relaxation of rules implementing the Dodd-Frank Act. The
comment from the group of banking associations supported the Board’s proposal to maintain
certain current recordkeeping processes while urging the Board to resist requests to reopen
Regulation II to avoid further regulatory burden associated with the Durbin Amendment to the
Dodd-Frank Act (if any such requests were received). The Board’s recommended renewal,
without revision, of the existing recordkeeping requirements is consistent with the views
expressed in these comments.
After considering the comments received on the proposal, the Board will proceed with
the extension, without revision, of the FR II. On July 18, 2019, the Board published a final notice
in the Federal Register (84 FR 34393).

5

Estimate of Respondent Burden
As shown in the table below, the estimated total annual burden for the FR II is 22,341
hours. While the Board does not anticipate many, if any, new covered issuers, it is estimated that
there may be one per year, and that each new issuer would take, on average, 160 hours (one
month) to develop and implement fraud-prevention policies required by section 235.4(b)(2), and
to train staff to comply with the recordkeeping provisions under section 235.4(b)(2) and 235.8(c)
of Regulation II. Thus, the one-time initial burden for one new covered issuer is estimated to be
160 hours (total).
The total burden estimate also includes the 541 returning chartered institutions that,
together with affiliates, have assets of $10 billion or more and that may issue debit cards.7 On
average, Board staff approximate that it will take these institutions 40 hours (one business week)
annually to review their fraud prevention policies and procedures, updating them as necessary, as
required under section 235.4(b)(3); and estimates the annual burden for 541 issuers to be 21,640
hours (total). The Board estimates 541 returning issuers would take, on average, 30 minutes to
comply with the annual notification provision under section 235.4(c); and 30 minutes to comply
with the change in status notification provision under section 235.4(d); and estimates the annual
reporting burden to be 541 hours.
The burden associated with the general recordkeeping requirement in section 235.8(c) is
negligible for purposes of the PRA and, therefore, is not included in the estimate of respondent
burden. These recordkeeping and disclosure requirements represent less than 1 percent of the
Board’s total paperwork burden.
Estimated
number of
respondents8

FR II
Recordkeeping
Section 235.4(b)(2)
Implement policies and
procedures (one-time)
Section 235.4(b)(3)
Review and update policies
and procedures
Disclosure
Sections 235.4(c) and (d)
Annual notification and
change in status

Annual
frequency

Estimated
average hours
per response

Estimated
annual burden
hours

1

1

160

160

541

1

40

21,640

541

1

1

541
22,341

Total

7

The estimated number of institutions is based on 2017 data.
Of these respondents, none are considered small entities as defined by the Small Business Administration (i.e.,
entities with less than $550 million in total assets), https://www.sba.gov/document/support--table-size-standards.
8

6

The estimated total annual cost to the public for these collections of information is $1,286,842.9
Sensitive Questions
These collections of information contain no questions of a sensitive nature, as defined by
OMB guidelines.
Estimate of Cost to the Federal Reserve System
The cost to the Federal Reserve System is negligible.

9

Total cost to the public was estimated using the following formula: percent of staff time, multiplied by annual
burden hours, multiplied by hourly rates (30% Office & Administrative Support at $19, 45% Financial Managers at
$71, 15% Lawyers at $69, and 10% Chief Executives at $96). Hourly rates for each occupational group are the
(rounded) mean hourly wages from the Bureau of Labor and Statistics (BLS), Occupational Employment and Wages
May 2018, published March 29, 2019, https://www.bls.gov/news.release/ocwage.t01.htm. Occupations are defined
using the BLS Standard Occupational Classification System, https://www.bls.gov/soc/.

7