FRII_20220726_omb

Supporting Statement for the
Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II; OMB No. 7100-0349)
Summary
The Board of Governors of the Federal Reserve System (Board), under authority
delegated by the Office of Management and Budget (OMB), has extended for three years,
without revision, the Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II; OMB No. 7100-0349). Regulation II - Debit Card Interchange Fees and Routing (12 CFR
Part 235) implements standards for assessing whether interchange transaction fees for electronic
debit transactions are reasonable and proportional to the cost incurred by the issuer with respect
to the transaction, and establishes rules for payment card transactions as required by
section 920(a) of the Electronic Fund Transfer Act (EFTA) (15 U.S.C. § 1693o-2(a)).
Regulation II limits the interchange transaction fee that covered issuers (issuers that,
together with affiliates, have assets of $10 billion or more) can charge for electronic debit
transactions. Under the rule, a covered debit card issuer is allowed to receive or charge an
interchange transaction fee in the amount of 21 cents plus 5 basis points multiplied by the value
of the transaction. In addition, a covered issuer may receive or charge an amount of no more than
1 cent per transaction (the fraud-prevention adjustment) for the costs associated with preventing
fraudulent electronic debit transactions (fraud-prevention adjustment) if the issuer complies with
the standards and requirements set forth in the rule. In addition to these interchange fee
provisions, Regulation II prohibits any issuer (i.e., not just covered issuers) or payment card
network from directly or indirectly restricting the number of payment card networks on which an
electronic debit transaction may be processed to less than two unaffiliated networks, and from
directly or indirectly inhibiting the ability of a merchant to direct the routing of electronic debit
transactions for processing over any payment card network that may process such transactions.
Finally, Regulation II prohibits any issuer from receiving net compensation from a payment card
network with respect to electronic debit transactions or debit card-related activities within a
calendar year.
Debit card issuers must retain records demonstrating their compliance with the
requirements in Regulation II for at least five years after the end of the calendar year in which
the electronic debit transaction occurred. In addition, any person (including an issuer or payment
card network) subject to an investigation or enforcement proceeding involving Regulation II
must retain records pertaining to the matter until the final disposition of the matter, unless an
earlier time is allowed by court or agency order. 1 The Paperwork Reduction Act (PRA) classifies
reporting, recordkeeping, or disclosure requirements of a regulation as an information collection.
1

In addition, section 920(a)(3)(B) of the EFTA requires the Board to disclose aggregate or summary information, at
least every two years, concerning the costs incurred, and interchange transaction fees charged or received, by issuers
or payment card networks in connection with the authorization, clearance or settlement of electronic debit
transactions as the Board considers appropriate and in the public interest. Thus, sections 235.8(a) and (b) of
Regulation II impose a reporting requirement compelling the submission of information to the Federal Reserve
(12 CFR 235.8(a) and (b)) and this reporting requirement is implemented in the form of two surveys collected by the
Board (Debit Card Issuer Survey (FR 3064a) and Payment Card Network Survey (FR 3064b); OMB No.

The estimated total annual burden for the FR II is 22,294 hours.2
Background and Justification
Section 1075 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
(Dodd-Frank Act),3 which was enacted on July 21, 2010, amended the EFTA by adding a new
section 920 regarding interchange transaction fees and rules for debit card transactions
(15 U.S.C. § 1690-2).
Subsection 920(a)(3) of the EFTA requires the Board to prescribe regulations
establishing standards for assessing whether the amount of any interchange transaction fee
charged or received by a covered issuer is reasonable and proportional to the costs incurred by
the issuer with respect to the transaction. Section 920(a)(5)(B) authorizes the Board to prescribe
regulations to establish standards for the fraud-prevention adjustment. Section 920(a)(8)(C)
authorizes the Board to prescribe regulations to ensure that a network fee is not used to directly
or indirectly compensate an issuer with respect to an electronic debit transaction, and is not used
to circumvent or evade the restrictions of EFTA section 920(a). Section 920(b)(1)(A) requires
the Board to prescribe regulations providing that an issuer or payment card network shall not
directly or indirectly restrict the number of payment card networks on which an electronic debit
transaction may be processed to fewer than two unaffiliated networks. Section 920(b)(1)(B)
requires the Board to prescribe regulations providing that an issuer or payment card network
shall not directly or indirectly inhibit the ability of merchants to direct the routing of electronic
debit transactions for processing over any payment card network that may process such
transactions.
On July 20, 2011, the Board implemented the information collection requirements
contained in section 235.4 and section 235.8 of Regulation II.4 The recordkeeping standards in

7100-0344). However, the reporting requirement contained in sections 235.8(a) and (b) is not the subject of this
PRA submission, as the FR 3064a and FR 3064b surveys are separately reviewed and accounted for under the PRA.
2
An entity’s primary federal financial regulator is authorized to enforce compliance with the requirements of
Regulation II (15 U.S.C. §§ 1693o(a) and 1693o-2(d); 12 CFR 235.9). However, for purposes of the PRA, the Board
is estimating the burden of complying with the recordkeeping a nd disclosure requirements of Regulation II for the
estimated 527 entities subject to the enforcement authority of the Board, Office of the Comptroller of the Currency,
Federal Deposit Insurance Corporation, and National Credit Union Administration (collectively, the federal banking
agencies). Such entities may include, among others, state member banks, national banks, insured state nonmember
banks, savings associations, branches and agencies of foreign banks, commercial lending companies owned or
controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, and
federally-chartered credit unions, if the entity issues a debit or credit card or authorizes the use of a debit card to
perform an electronic debit transaction, and has consolidated assets of $10 billion or more (hereinafter, issuers). The
interchange transaction fee limitations, including the fraud-prevention adjustment, do not apply to (1) interchange
fees charged or received by an issuer with assets of less than $10 billion together with its affiliates, (2) electronic
debit transactions made using debit cards issued pursuant to a government-administered payment program and
(3) electronic debit transactions made using certain general-use, reloadable prepaid cards (12 CFR 235.5).
3
See Pub. L. No. 111-203, 1075,124 Stat. 1376, 2068-74 (July 21, 2010).
4
See 76 FR 43394 (July 20, 2011) (adopting section 235.8 of Regulation II); 76 FR 43478 (July 20, 2011) (adopting
section 235.4 of Regulation II as an interim final rule). On August 3, 2012, the Board adopted section 235.4 of
Regulation II as a final rule, making various changes to the interim final rule. See 77 FR 46258 (August 3, 2012).

2

Regulation II help to promote compliance with its underlying substantive requirements. This
information is not available from other sources.
Description of Information Collection
Recordkeeping Requirements
Sections 235.4(b)(1) and (2) – Develop and Implement Fraud-Prevention Policies
and Procedures. Section 235.4(b)(1) requires that, in order to be eligible to receive or charge the
fraud-prevention adjustment, a covered issuer must develop and implement policies and
procedures reasonably designed to take effective steps to reduce the occurrence of, and costs to
all parties from, fraudulent electronic debit transactions, including through the development and
implementation of cost-effective fraud-prevention technology. Specifically, section 235.4(b)(2)
requires that a covered issuer’s fraud-prevention policies and procedures address the following:
• Methods to identify and prevent fraudulent electronic debit transactions,
• Monitoring of the volume and value of its fraudulent electronic debit transactions,
• Appropriate responses to suspicious electronic debit transactions in a manner designed to
limit the costs to all parties from and prevent the occurrence of future fraudulent
electronic debit transactions,
• Methods to secure debit card and cardholder data, and
• Such other factors as the issuer considers appropriate.
Section 235.4(b)(3) – Review and Update Fraud-Prevention Policies and Procedures.
Section 235.4(b)(3) requires that a covered issuer must review its fraud-prevention policies and
procedures, and their implementation, at least annually, and update them as necessary in light of:
• Their effectiveness in reducing the occurrence of, and cost to all parties from, fraudulent
electronic debit transactions involving the issuer,
• Their cost-effectiveness, and
• Changes in the types of fraud, methods used to commit fraud, and available methods of
detecting and preventing fraudulent electronic debit transactions that the covered issuer
identifies from:
o Its own experience or information,
o Information provided to the issuer by its payment card networks, law enforcement
agencies, and fraud-monitoring groups in which the issuer participates, and
o Applicable supervisory guidance.
Section 235.8(c) – General Compliance Records Retention. Section 235.8(c)(1)
requires that any debit card issuer subject to Regulation II (i.e., not just covered issuers) shall
retain evidence of compliance with the requirements in Regulation II for a period of not less than
five years after the end of the calendar year in which the electronic debit transaction occurred. In
addition, section 235.8(c)(2) requires that, where any person subject to Regulation II (e.g., an
issuer or payment card network) receives actual notice that it is subject to an investigation by an
enforcement agency, such person must retain the records until final disposition of the matter.
Compliance with this general recordkeeping requirement involves retaining records to
demonstrate fulfillment of the other requirements in Regulation II. The burden associated with
generating the records that must be retained under this general recordkeeping requirement have

3

already been accounted for under other information collection requirements. In particular
FR 3064a requires debit card issuers to submit summary data regarding its debit card transactions
each year. The incremental burden (not already accounted for under other information collection
requirements) associated with retaining these generated records is minimal.
Disclosure Requirements
Sections 235.4(c) and (d) – Annual Fraud-Prevention Compliance Notification and
Change-in-Status Notification. Section 235.4(c) requires that, to be eligible to receive or charge
a fraud-prevention adjustment, a covered issuer must annually notify its payment card networks
that it complies with the standards under section 235.4(b). Section 235.4(d) requires that, no later
than 10 days after a covered issuer determines or receives a notification from the appropriate
agency under section 235.9 that the covered issuer is substantially non-compliant with the
standards set forth in section 235.4(b), a covered issuer must notify its payment card networks
that it is no longer eligible to receive or charge a fraud-prevention adjustment. The covered
issuer must stop receiving and charging the fraud-prevention adjustment within 30 days after
providing such notification to its payment card networks.
Respondent Panel
The FR II panel comprises debit card issuers and payment card networks.
Time Schedule for Information Collection
The recordkeeping requirement associated with the initial development and
implementation of fraud-prevention policies and procedures under sections 235.4(b)(1) and (2)
of Regulation II occurs on a one-time basis. The recordkeeping requirement associated with an
issuer’s ongoing review and implementation of its fraud-prevention policies and procedures
under section 235.4(b)(3) occurs on a continuous basis and must occur at least annually.
Documentation associated with these fraud-prevention recordkeeping requirements is maintained
by each issuer; therefore, such records are not collected or published by the Federal Reserve
System.
The general recordkeeping requirement in section 235.8(c)(1) of Regulation II requires
issuers to retain records that demonstrate compliance with the requirements of Regulation II for
not less than five years after the end of the calendar year in which the electronic debit transaction
occurred. Section 235.8(c)(2) states that if an issuer or payment card network receives actual
notice that it is subject to an investigation by an enforcement agency, such person shall retain the
records until final disposition of the matter, unless an earlier time is allowed by court or agency
order. Documentation associated with these general recordkeeping requirements is maintained by
each issuer or payment card network; therefore, such records are not collected or published by
the Federal Reserve System.
The fraud-prevention compliance notification required under section 235.4(c) must be
provided by an issuer to its payment card networks annually. The fraud-prevention change-instatus notification required under section 235.4(d) is event-generated and must be provided by an

4

issuer to its payment card networks within 10 days of the issuer determining on its own, or
receiving notification from the appropriate federal banking agency, that the issuer is substantially
non-compliant with the standards set forth in section 235.4(b). These fraud-prevention
disclosures are not collected or published by the Federal Reserve System.
Public Availability of Data
There is no data related to this information collection available to the public.
Legal Status
The Recordkeeping and Disclosure Requirements Associated with Regulation II is
authorized by section 920(a)(3) of the EFTA (15 U.S.C. § 1693o-2(a)(3)).5 The fraud-prevention
and disclosure requirements are additionally authorized by section 920(a)(5) of the EFTA
(15 U.S.C. § 1693o-2(a)(5)).6 Regulation II’s general recordkeeping requirement for issuers is
mandatory. Regulation II’s fraud-prevention recordkeeping requirements and disclosure
requirements are required to obtain a benefit.
The Recordkeeping and Disclosure Requirements Associated with Regulation II are
generally not submitted to the Board or to any of the federal financial regulatory agencies. In the
event that the Board obtains such information, it may be kept confidential under exemption 4 of
the Freedom of Information Act (FOIA) to the extent that it contains commercial or financial
information both customarily and actually treated as private (5 U.S.C. § 552(b)(4)). If such
information is obtained through the examination or enforcement process, it may be kept
confidential under exemption 8 of the FOIA (5 U.S.C. § 552(b)(8)).
Consultation Outside the Agency
There has been no consultation outside the Federal Reserve System.
Public Comments
On December 3, 3021, the Board published an initial notice in the Federal Register (86
FR 68667), requesting public comment for 60 days on the extension, without revision, of the
FR II. The comment period for this notice expired on February 1, 2022. The Board received two
comment letters in response to the initial notice. The first comment letter was from trade
associations representing debit card issuers; these commenters supported the proposal to extend
for three years, without revision, of the FR II. The second comment letter was from trade
associations representing merchants; these commenters did not provide comments related to the
FR II. Both comment letters addressed substantive issues pertaining to Regulation II that were
unrelated to the regulation’s information collections. The Board adopted the extension, without

5

Authorizing the Board to prescribe regulations regarding interchange transaction fees and require issuers or
payment card networks to provide to the Board such information as deemed necessary.
6
Permitting the Board to allow for the fraud-prevention adjustment and condition it upon compliance with fraudrelated standards promulgated by the Board.

5

revision, of the FR II as originally proposed. On May 24, 2022, the Board published a final
notice in the Federal Register (87 FR 31554).
Estimate of Respondent Burden
As shown in the table below, the estimated total annual burden for the FR II is 22,294
hours. The number of respondents is based on the Board’s list of debit card issuers that have
assets, together with their affiliates, of $10 billion or more, and thus are covered issuers. The list
is generated from the set of institutions in existence on December 31, 2020, according to
available data. While the Board does not anticipate many, if any, new covered issuers, it is
estimated that there may be one per year, and that each new issuer would tak e, on average, 160
hours (i.e., one month) to develop and implement the fraud-prevention policies required by
section 235.4(b)(2), and to train staff to comply with the recordkeeping provisions under
section 235.4(b)(2) and 235.8(c) of Regulation II. Thus, the one-time initial burden for one new
covered issuer is estimated to be 160 hours (total). These recordkeeping and disclosure
requirements represent less than 1 percent of the Board’s total paperwork burden.

FR II
Recordkeeping
Sections 235.4(b)(1) and (2)
Develop and implement fraudprevention policies and
procedures (one-time)
Section 235.4(b)(3)
Review and update fraudprevention policies and
procedures
Section 235.8(c)
General compliance records
retention
Disclosure
Sections 235.4(c) and (d)
Annual fraud-prevention
compliance notification and
change-in-status notification
Total

Estimated
Estimated
Estimated
Annual
number of
average hours annual burden
frequency
respondents7
per response
hours

1

1

160

160

527

1

40

21,080

527

1

1

527

527

1

1

527
22,294

7

Of these respondents, none are considered small entities as defined by the Small Business Administration (i.e.,
entities with less than $600 million in total assets), https://www.sba.gov/document/support--table-size-standards.

6

The estimated total annual cost to the public for the FR II is $1,347,672.8
Sensitive Questions
These collections of information contain no questions of a sensitive nature, as defined by
OMB guidelines.
Estimate of Cost to the Federal Reserve System
The estimated cost to the Federal Reserve System for collecting and processing this
information collection is negligible.

8

Total cost to the public was estimated using the following formula: percent of staff time, multiplied by annual
burden hours, multiplied by hourly rates (30% Office & Administrative Support at $21, 45% Financial Managers at
$74, 15% Lawyers at $71, and 10% Chief Executives at $102). Hourly rates for each occupational group are the
(rounded) mean hourly wages from the Bureau of Labor and Statistics (BLS), Occupational Employment and
Wages, May 2021, published March 31, 2022, https://www.bls.gov/news.release/ocwage.t01.htm. Occupations are
defined using the BLS Standard Occupational Classification System, https://www.bls.gov/soc/.

7