Citigroup Inc., Capital One Financial Corp. and J.P. Morgan
Chase & Co. rejected a $19 million pact backed by MasterCard
Inc. last month over the huge Target Corp. data breach, resulting
in the settlement's unexpected failure, people familiar with the
matter said.
News that the settlement didn't obtain approval from enough
banks was reported last month. The names of the big banks opposing
the pact hadn't previously been reported.
The three banks decided to quash the pact that was negotiated on
the industry's behalf by MasterCard because they thought it was too
small to cover their losses in the incident, the people said.
As a result, the carefully negotiated pact is now in flux as
other banks and credit unions hope that they can get a better deal
in court, while Target and MasterCard discuss what their next move
should be.
Target's breach was one of the largest in recent years, exposing
40 million credit and debit cards to fraud and causing an unknown
amount of losses to card-issuing banks.
Trade groups representing community banks and credit unions
estimate that they have spent more than $350 million to reissue
credit and debit cards and deal with other issues related to the
Target breach and a subsequent hacking at Home Depot Inc.
Thieves made $9 billion of fraudulent transactions that were
tied to existing card accounts last year, according to Javelin
Strategy & Research, a unit of consulting firm Greenwich
Associates LLC.
The settlement's unusual defeat underscores the banking
industry's growing frustration with both the hacking incidents that
have hit U.S. retailers in the past year and the relatively small
reimbursements they have received for their losses.
The rejection by the three institutions was especially important
because as MasterCard's largest U.S. credit-card issuers, they
carried more sway than other issuers. The three represent roughly
40% of all purchases made on MasterCard-branded credit cards, or
100 million cards, according to the Nilson Report, a Carpinteria,
Calif.-based newsletter that tracks industry data.
MasterCard announced the settlement with Target in April, but
the deal didn't receive the required 90% backing from banks
representing cardholder accounts that were affected by the data
breach.
Banks typically support such agreements, which are negotiated on
their behalf by card networks. In 2010, for example, banks
supported settlements that called for Heartland Payment Systems
Inc. to pay more than $100 million to Visa Inc. and MasterCard
issuers for a large 2008 breach.
More recently, thieves have exposed card information from a
string of well-known merchants, including Home Depot, Neiman Marcus
Group Ltd., Staples Inc., Sears Holdings Corp.'s Kmart chain,
International Dairy Queen Inc. and others.
Retailers have responded by installing technology at checkout
counters that, combined with new cards embedded with computer
chips, is designed to prevent thieves from creating counterfeit
cards.
Small banks and credit unions have long griped that settlements
like Target's pay them just pennies on the dollar for their
losses.
In this case, however, the big banks also were unhappy with the
payouts that they would have received, said the people familiar
with the matter. In addition, the card issuers wanted to send a
message to merchants that they are unhappy with their security
efforts, they said.
While cardholders aren't responsible for unauthorized purchases,
lenders are on the hook to cover the cost of fraud and expense of
reissuing cards when a breach occurs. MasterCard and Visa typically
negotiate with the breached entities to recover losses for their
card-issuing banks.
With the future of a potential settlement unclear, more
negotiations and court hearings loom. Target had the right to
extend the voting deadline in a bid to secure more support, but it
didn't do so. Representatives of MasterCard and Target have held
conversations about their next steps, according to other people
familiar with the talks.
Meanwhile, large card issuers are paying increased attention to
proceedings in a Minnesota court case in which small banks and
credit unions have sued Target over the breach. While large issuers
officially aren't part of the litigation, they could eventually
become plaintiffs in the case if it receives class-action status in
coming months.
Neither MasterCard nor Target disclosed how much support the
proposed settlement received. They also didn't disclose how issuers
voted.
It also isn't clear what it will take for Citigroup, Capital One
and J.P. Morgan Chase to support a potential new settlement.
The Target breach exposed credit- and debit-card accounts to
potential fraud during the 2013 holiday shopping season. The
Minneapolis-based retailer agreed in March to pay $10 million to
settle a consumer class-action suit tied to the breach.