Download:
pdf |
pdfSupporting Statement for the
Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II; OMB No. 7100-0349)
Summary
The Board of Governors of the Federal Reserve System (Board), under authority
delegated by the Office of Management and Budget (OMB), has extended for three years,
without revision, the Recordkeeping and Disclosure Requirements Associated with Regulation II
(FR II; OMB No. 7100-0349). As described below, Regulation II - Debit Card Interchange Fees
and Routing (12 CFR Part 235) requires certain debit card issuers (referred to as “covered
issuers”) to develop and implement, and at least annually review and update, certain fraudprevention policies and procedures to be eligible to receive the fraud-prevention adjustment. In
addition, the rule requires such a debit card issuer to annually notify its payment card networks
that it is eligible to receive the fraud-prevention adjustment, and to notify its payment card
networks when it is no longer eligible to receive the fraud-prevention adjustment. Finally,
Regulation II requires all debit card issuers and, in some situations, payment card networks to
retain evidence of compliance with the requirements in Regulation II for a prescribed period of
time. The Paperwork Reduction Act (PRA) classifies these recordkeeping and disclosure
requirements associated with Regulation II as an information collection.
The estimated total annual burden for the FR II is 22,251 hours.
Background and Justification
Section 1075 of the Dodd-Frank Wall Street Reform and Consumer Protection Act
(Dodd-Frank Act),1 which was enacted on July 21, 2010, amended the Electronic Fund Transfer
Act (EFTA) by adding a new section 920 regarding interchange fees and rules for debit card
transactions (15 U.S.C. § 1693o-2). The Board’s Regulation II implements section 920 of the
EFTA.2
Among other things, Regulation II imposes a cap on the amount of any interchange fee
that an issuer that, together with affiliates, has assets of $10 billion or more (covered issuer), may
receive for most debit card transactions.3 Under the rule, a covered issuer is allowed to receive an
interchange fee of up to 21 cents plus 5 basis points multiplied by the value of the transaction.4
In addition to this amount, a covered issuer may receive a “fraud-prevention adjustment” of no
1
See Pub. L. No. 111-203, § 1075, 124 Stat. 1376, 2068-74 (July 21, 2010).
EFTA 920 also requires the Board to disclose aggregate or summary information, at least every two years,
concerning the cost incurred, and interchange fees charged or received, by debit card issuers or payment card
networks in connection with the authorization, clearance, or settlement of debit card transactions as the Board
considers appropriate and in the public interest. Regulation II thus imposes a reporting requirement compelling the
submission of information to the Board. This reporting requirement is implemented in the form of two surveys
collected by the Board: Debit Card Issuer Survey (FR 3064a; OMB No. 7100-0344) and Payment Card Network
Survey (FR 3064b; OMB No. 7100-0344). This reporting requirement is not the subject of this collection, as the
FR 3064a and FR 3064b survey are separately reviewed and accounted for under the PRA.
3
12 CFR Part 235.
4
12 CFR 235.3.
2
�more than 1 cent per transaction if the issuer complies with certain fraud-prevention standards set
forth in Regulation II.5 In addition to these interchange fee provisions, Regulation II prohibits
any issuer (i.e., not just covered issuers) or payment card network from directly or indirectly
restricting the number of payment card networks on which an debit card transaction may be
processed to less than two unaffiliated networks, and from directly or indirectly inhibiting the
ability of a merchant to direct the routing of debit card transactions for processing over any
payment card network that may process such transactions.6
To promote compliance with the substantive requirements of Regulation II described
above, sections 235.4 and 235.8 of Regulation II contain certain information collection
requirements. This information is not available from other sources.
Description of Information Collection
Recordkeeping Requirements
Sections 235.4(b)(1) and (2) - Develop and Implement Fraud-Prevention Policies and
Procedures. Section 235.4(b)(1) requires that, in order to be eligible to receive or charge the
fraud-prevention adjustment, a covered issuer must develop and implement policies and
procedures reasonably designed to take effective steps to reduce the occurrence of, and costs to
all parties from, fraudulent debit card transactions, including through the development and
implementation of cost-effective fraud-prevention technology. Section 235.4(b)(2) requires that a
covered issuer’s fraud-prevention policies and procedures address the following:
• Methods to identify and prevent fraudulent debit card transactions,
• Monitoring of the volume and value of its fraudulent debit card transactions,
• Appropriate responses to suspicious debit card transactions in a manner designed to limit
the costs to all parties from and prevent the occurrence of future fraudulent debit card
transactions,
• Methods to secure debit card and cardholder data, and
• Such other factors as the issuer considers appropriate.
Section 235.4(b)(3) - Review and Update Fraud-Prevention Policies and Procedures.
Section 235.4(b)(3) requires that a covered issuer must review its fraud-prevention policies and
procedures, and their implementation, at least annually, and update them as necessary in light of:
• Their effectiveness in reducing the occurrence of, and cost to all parties from fraudulent
debit card transactions involving the issuer,
• Their cost-effectiveness, and
• Changes in the types of fraud, methods used to commit fraud, and available methods of
detecting and preventing fraudulent debit card transactions that the covered issuer
identifies from:
o Its own experience or information,
o Information provided to the issuer by its payment card networks, law enforcement
agencies, and fraud-monitoring groups in which the issuer participates, and
5
6
12 CFR 235.4.
12 CFR 235.7.
2
�o Applicable supervisory guidance.
Section 235.8(c) - General Compliance Records Retention. Section 235.8(c)(1)
requires that any debit card issuer subject to Regulation II (i.e., not just covered issuers) shall
retain evidence of compliance with the requirements in Regulation II for a period of not less than
five years after the end of the calendar year in which the debit card transaction occurred. In
addition, section 235.8(c)(2) requires that, where any person subject to Regulation II (i.e., a debit
card issuer or payment card network) receives actual notice that it is subject to an investigation
by an enforcement agency,7 such person must retain the records until final disposition of the
matter.
Compliance with this general recordkeeping requirement involves retaining records to
demonstrate fulfillment of the substantive requirements in Regulation II. The Board believes that
the records required to demonstrate compliance with Regulation II are generated in the ordinary
course of business, and that the incremental burden associated with retaining these records is
minimal.
Disclosure Requirements
Sections 235.4(c) and (d) - Annual Fraud-Prevention Compliance Notification and
Change-in-Status Notification. Section 235.4(c) requires that, to be eligible to receive or charge
a fraud-prevention adjustment, a covered issuer must annually notify its payment card networks
that it complies with the fraud-prevention standards set forth in section 235.4(b). Section
235.4(d) requires that, no later than 10 days after a covered issuer determines or receives a
notification from the appropriate agency under section 235.98 that the covered issuer is
substantially non-compliant with the fraud-prevention standards set forth in section 235.4(b), a
covered issuer must notify its payment card networks that it is no longer eligible to receive or
charge a fraud-prevention adjustment. The covered issuer must stop receiving and charging the
fraud-prevention adjustment within 30 days after providing such notification to its payment card
networks.
Regulation II does not prescribe the form that these notifications must take. The Board
understands that debit card issuers use information technology to provide these notifications to
their payment card networks.
Respondent Panel
The FR II panel comprises debit card issuers and payment card networks. However, with
respect to payment card networks, only the recordkeeping requirements in section 235.8(c)(2)
may apply. As stated above, the Board believes that the records required to be retained pursuant
to section 235.8(c) are generated in the ordinary course of business, and that the incremental
7
Compliance with Regulation II is enforced by seven different federal agencies (i.e., Board, Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration,
Secretary of Transportation, Securities and Exchange Commission, and Federal Trade Commission), depending on
the identity of the debit card issuer or payment card network. See section 235.9.
8
See supra note 7.
3
�burden associated with retaining these records is minimal. As such, for purposes of the PRA, the
Board is not including payment card networks in its estimate of the burden of complying with the
FR II.
With respect to debit card issuers, whereas the other information collections in the FR II
apply only to covered issuers, the recordkeeping requirements in section 235.8(c) apply to all
debit card issuers (i.e., not just covered issuers). As stated above, the Board believes that the
records required to be retained pursuant to section 235.8(c) are generated in the ordinary course
of business, and that the incremental burden associated with retaining these records is minimal.
As such, for purposes of the PRA, the Board is not including debit card issuers that are not
covered issuers in its estimate of the burden of complying with the FR II.
Thus, for purposes of the PRA, the Board estimates that the respondent panel for the
FR II consists of 531 covered issuers. In reaching this estimate, the Board noted that although
debit card issuers can take a variety of forms, substantially all debit card issuers are depository
institutions. Therefore, the Board’s estimate reflects the number of depository institutions subject
to the enforcement authority of the Board, Office of the Comptroller of the Currency, Federal
Deposit Insurance Corporation, or National Credit Union Administration that had consolidated
assets of $10 billion or more as of December 31, 2023. On an annual basis, the Board publishes
on its website a list of depository institutions with consolidated assets of $10 billion or more
based on reported assets as of December 31 of the previous calendar year.9 Such entities may
include, among others, state member banks, national banks, insured state nonmember banks,
savings associations, branches and agencies of foreign banks, commercial lending companies
owned or controlled by foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act, and federally-chartered credit unions. Such an entity is a debit card
issuer if the entity authorizes the use of a debit card to perform a debit card transaction.
Frequency and Time Schedule
The recordkeeping requirement associated with the initial development and
implementation of a covered issuer’s fraud-prevention policies and procedures under sections
235.4(b)(1) and (2) of Regulation II occurs on a one-time basis. The recordkeeping requirement
associated with a covered issuer’s ongoing review and implementation of its fraud-prevention
policies and procedures under section 235.4(b)(3) occurs on a continuous basis and must occur at
least annually. Documentation associated with these recordkeeping requirements is maintained
by each covered issuer; therefore, such records are not collected or published by the Federal
Reserve System.
The general recordkeeping requirement in section 235.8(c)(1) of Regulation II requires
all debit card issuers (i.e., not just covered issuers) to retain records that demonstrate compliance
with the requirements of Regulation II for not less than five years after the end of the calendar
year in which the debit card transaction occurred. Section 235.8(c)(2) provides that if an issuer or
payment card network receives actual notice that it is subject to an investigation by an
enforcement agency, such person shall retain the records until final disposition of the matter,
unless an earlier time is allowed by court or agency order. Documentation associated with these
9
See https://www.federalreserve.gov/paymentsystems/regii-interchange-fee-standards.htm.
4
�general recordkeeping requirements is maintained by each issuer or payment card network;
therefore, such records are not collected or published by the Federal Reserve System.
The fraud-prevention compliance notification required under section 235.4(c) must be
provided by a covered issuer to its payment card networks annually. The fraud-prevention
change-in-status notification required under section 235.4(d) is event-generated and must be
provided by a debit card issuer to its payment card networks within ten days of the issuer
determining on its own, or receiving notification from the appropriate agency, that the issuer is
substantially non-compliant with the standards set forth in section 235.4(b). These notifications
are not collected or published by the Federal Reserve System.
Public Availability of Data
There are no data related to this information collection available to the public.
Legal Status
The FR II is authorized by section 920(a)(3) of the EFTA (15 U.S.C. § 1693o-2(a)(3)).10
The fraud-prevention and disclosure requirements are additionally authorized by section
920(a)(5) of the EFTA (15 U.S.C. § 1693o-2(a)(5)).11 Regulation II’s general recordkeeping
requirement is mandatory. Regulation II’s fraud-prevention recordkeeping requirements and
disclosure requirements are required to obtain a benefit.
The FR II is generally not submitted to the Board or to any of the federal financial
regulatory agencies. In the event that the Board obtains such information, it may be kept
confidential under exemption 4 of the Freedom of Information Act (FOIA) to the extent that it
contains commercial or financial information both customarily and actually treated as private (5
U.S.C. § 552(b)(4)). If such information is obtained through the examination or enforcement
process, it may be kept confidential under exemption 8 of the FOIA (5 U.S.C. § 552(b)(8)).
Consultation Outside the Agency
There has been no consultation outside the Federal Reserve System.
Public Comments
On January 13, 2025, the Board published an initial notice in the Federal Register (90 FR
2700) requesting public comment for 60 days on the extension, without revision, of the FR II.
The comment period for this notice expired on March 14, 2025. The Board received one
comment from one individual. The comment expressed support for the extension of the FR II as
proposed. The Board adopted the extension, without revision, of the FR II as originally proposed.
On April 28, 2025, the Board published a final notice in the Federal Register (90 FR 17598).
10
Authorizing the Board to prescribe regulations regarding interchange transaction fees and require issuers or
payment card networks to provide to the Board such information as deemed necessary.
11
Permitting the Board to allow for the fraud-prevention adjustment and condition it upon compliance with fraudrelated standards promulgated by the Board.
5
�Estimate of Respondent Burden
As shown in the table below, the estimated total annual burden for the FR II is 22,251
hours. The recordkeeping requirements in sections 235.4(b)(1) and (2) occur on a one-time basis
when a debit card issuer becomes a covered issuer. The Board estimates that there may be three
newly-covered issuers per year, and that each such newly-covered issuer would take, on average,
160 hours (i.e., one business month) to develop and implement the fraud-prevention policies and
procedures required by section 235.4(b)(2), and to train staff to comply with the recordkeeping
provisions under section 235.4(b)(2). Thus, the one-time initial burden for one newly-covered
issuer is estimated to be 160 hours (total). The estimated number of newly-covered issuers is
based on the average annual change in the number of respondents to the Debit Card Issuer
Survey (FR 3064a) from 2011 to 2021.12
The recordkeeping requirements in section 235.4(b)(3) occur on a continuous basis and
must occur at least annually. The Board estimates that each covered issuer would take, on
average, 40 hours (i.e., one business week) to review and update its fraud-prevention policies and
procedures required by section 235.4(b)(2). With respect to the recordkeeping requirements in
section 235.8(c) and (d), and as stated above, the Board believes that the records required to be
retained are generated in the ordinary course of business, and that the incremental burden
associated with retaining these records is negligible. The burden estimate is based on the
standard Board burden calculation methodology. These recordkeeping and disclosure
requirements represent less than 1 percent of the Board’s total paperwork burden.
FR II
Recordkeeping
Sections 235.4(b)(1) and (2)
Section 235.4(b)(3)
Disclosure
Sections 235.4(c) and (d)
Total
Estimated
number of
respondents13
Estimated
Estimated
Estimated
annual
average hours annual burden
frequency per response
hours
3
531
1
1
160
40
480
21,240
531
1
1
531
22,251
12
See Table 12 in the “Interchange Fee Revenue, Covered Issuer Cost, and Covered Issuer and Merchant Fraud
Loss Related to Debit Card Transactions” report series, available at
https://www.federalreserve.gov/paymentsystems/regii-data-collections.htm.
13
Of these respondents, none are considered small entities as defined by the Small Business Administration (i.e.,
entities with less than $850 million in total assets). Size standards effective March 17, 2023. See
https://www.sba.gov/document/support-table-size-standards.
6
�The estimated total annual cost to the public for the FR II is $1,605,410.14
Sensitive Questions
This information collection contains no questions of a sensitive nature, as defined by
OMB guidelines.
Estimate of Cost to the Federal Reserve System
Because the Federal Reserve System does not collect any information for the FR II, the
estimated cost to the Federal Reserve System is negligible.
14
Total cost to the responding public is estimated using the following formula: total burden hours, multiplied by the
cost of staffing, where the cost of staffing is calculated as a percent of time for each occupational group multiplied
by the group’s hourly rate and then summed (30% Office & Administrative Support at $24, 45% Financial
Managers at $87, 15% Lawyers at $88, and 10% Chief Executives at $126). Hourly rates for each occupational
group are the (rounded) mean hourly wages from the Bureau of Labor Statistics (BLS), Occupational Employment
and Wages, May 2024, published April 2, 2025, https://www.bls.gov/news.release/ocwage.t01.htm. Occupations are
defined using the BLS Standard Occupational Classification System, https://www.bls.gov/soc/.
7
�
| File Type | application/pdf |
| File Modified | 2025-07-25 |
| File Created | 2025-07-25 |