The Michigan Credit Union League has asked the Consumer Financial Protection Bureau to consider regulating retail firms that have been victims of card data breaches and also offer store branded credit or debit cards.

“Consumers would certainly benefit from the regulation of a retail industry that, at the moment, relies on largely self-policing standards that are inadequate to the point of consumer deception, as illustrated by the often retroactive enforcement and revocation of certification with their tenets,” MCUL CEO David Adams wrote to CFPB Director Richard Cordray in a Feb. 7 letter.

“MCUL believes that the Dodd-Frank Act's provisions regarding supervision of nonbank covered persons that engage in behavior that poses risks to consumers in this area provides clear authority for this supervision The Dodd-Frank Act defines a consumer financial product or service, and under 12 U.S.C. 5481(15)(A)(v), an example of such is 'selling, providing, or issuing stored value or payment instruments.' Target offers both store-branded credit and debit options, and the debit option draws from customer's existing checking accounts,” he said.

Adams noted the Durbin Amendment increased the resources retailers have to protect consumer data without necessarily increasing their responsibility to do so.

“As I mentioned in a recent letter to the Michigan Congressional delegation, during the passage of Dodd-Frank, the Durbin Amendment effectively shifted billions of dollars of interchange income from financial institutions into retailers' pockets, with no meaningful price-relief or discernible consumer benefit having resulted,” Adams wrote. “However, financial institutions still bear the brunt of the risk and the cost for a retailer's lack of preparation and failure to adequately store and protect consumer data. This liability dynamic represents an arbitrary windfall that does nothing to encourage real reform or consumer protection, and cuts at financial institutions particularly hard – lost revenue, and lost wherewithal to pay for the sins of the retail community. It is time to bring shared accountability back into the equation for data breach liability.”

Target declined to comment directly on the letter, but merely reiterated its position regarding the breach.

“As we have said from day one, our guests will have zero liability for the cost of any fraudulent charges arising from this breach,” said Target spokesman Molly Snyder. “They need to continue to watch their accounts and promptly report any fraud to their issuing bank. I can't speak to the reimbursement process as that is between Target and the banks.”