Private Disordering: Payment Card Fraud Liability Rules
Brooklyn Journal of Corporate, Financial and Commercial Law, Vol. 5, pp. 1-48, 2011
49 Pages Posted: 8 Feb 2011 Last revised: 10 Mar 2011
Date Written: February 5, 2011
This Article argues that private ordering of fraud loss liability in payment card systems is likely to be socially inefficient because it does not reflect Coasean bargaining among payment card network participants. Instead, loss allocation rules are the result of the most powerful party in the system exercising its market power. Often loss liability is placed not on the least cost avoider of fraud, but on the most price inelastic party, even if that party has little or no ability to prevent or mitigate losses. Moreover, for virtually identical payment systems, there is international variation in both loss liability rules and security standards, suggesting that at least some variations are suboptimal.
True Coasean bargaining is not possible in payment systems; the transaction costs are too high because of the sheer number of participants. Targeted coordination and competition, however, can achieve outcomes that if not Coasean, are at least optimized relative to the current system. Thus, the Article suggests a pair of complimentary regulatory responses. First, regulators should develop a system for coordinating payment card security measures with governance that adequately represents all parties involved in payment card networks. And second, regulators should pursue more vigorous antitrust enforcement of card networks’ restrictions on merchant pricing in order to expose the costs of participating in a payment system – which include fraud costs – to market discipline. The Article also presents an extended defense of the major existing regulatory intervention in payment card fraud loss allocation, the federal caps on consumer liability for unauthorized payment card transactions.
Keywords: Credit Card, Debit Card, EMV, Chip and PIN, Unauthorized, Fraud, Liability, Least Cost Avoider, Zero Liability Policy, PCI, PCI-DSS
Suggested Citation: Suggested Citation