On June 29, a mobile app developer entered into an agreement with the FTC and the New Jersey AG to settle allegations that the developer engaged in deceptive and unfair practices by marketing its rewards app, called “Prized,” as being free of malicious software, also known as “malware.” However, according to the FTC, the true purpose of the mobile app was to upload onto consumers’ mobile devices malware capable of mining virtual currencies for the software developer. This process allegedly reduced the battery life of consumers’ devices and caused consumers to burn through their monthly data plans. Under the terms of the settlement, the developer and accompanying mobile app are (i) prohibited from creating and distributing malicious software, and (ii) required to pay $50,000 to the state of New Jersey, with $5,200 due immediately, and the remaining $44,800 payable if the developer fails to comply with the terms of the consent order or the New Jersey Consumer Fraud Act within three years of the order.
On November 5, the CFPB published a report titled “Mobile Financial Services” to summarize the results of its June 2014 Request for Information on the opportunities and challenges associated with the use of mobile financial services (MFS) by traditionally underserved consumers. With 44% of unbanked individuals owning a smartphone, the report notes that MFS has the potential to be a promising tool for underbanked and unbanked consumers to manage their finances. According to the report, consumers using MFS save time and money because they can check their balances any time and have access to certain tools that help them manage their money. The report highlights mobile Remote Deposit Capture as particularly attractive to unbanked consumers because it allows them to take a picture of and deposit checks remotely, reducing the limitations of branch hours and locations. Additional key takeaways from the report include: (i) MFS would likely be most effective for underserved consumers if paired with consultative or assistance services; (ii) privacy and security concerns remain a significant risk; and (iii) digital access and digital financial literacy need improvement, such as enhancing affordable access to technology and educating consumers and intermediaries about safe and effective use of the technology.
While 2014 is closing out with worldwide cyber-threats, at BuckleySandler, we’re going to close out our first year publishing Digital Insights & Trends on an optimistic note. Looking forward, we welcome a mobile payments development that could be cause for cyber-celebration in 2015 and the years to follow.
As financial services lawyers, we usually navigate the regulatory concerns of e-commerce providers in the financial sector for a clientele of banks, other financial institutions and technology companies. But we are keenly aware that access to financial services is vital even for those without access to traditional banks. This reality, referred to as the “unbanked” problem, has preoccupied financial service providers (and consumer advocates, and policymakers) for decades. Mobile payment technology may be the solution.
The “sharing economy” is an e-commerce darling, making household names of companies like Airbnb and Lyft, with lesser-known businesses such as RelayRides and MoneyParking emerging daily. Also called the peer-to-peer business model, the digital sharing economy was estimated at $26 billion in a 2013 Economist article, with Forbes estimating 25% annual growth. Its benefits have been touted by the public, some politicians and the press, and range from reduced environmental impacts and information asymmetry to increased social and trust communities, in addition to financial rewards for consumers on both sides of the sharing transaction.
While legions of users connect to car-sharing, home-sharing, parking-sharing and goods-sharing sites through smartphone apps, legal challenges pile up, because some aspects of the sharing economy aren’t strictly legal. Consider, for example, the subpoena from New York Attorney General Eric Schneiderman to accommodation-sharing site Airbnb, based on Schneiderman’s claim that most Airbnb hosts are violating a law prohibiting subletting homes for less than 30 days. In his April op-ed in the New York Times (“Taming the Digital Wild West”), Schneiderman also says Uber may be violating state laws on price gouging.
On August 19, the FTC approved final orders resolving allegations that two companies: (i) misrepresented the level of security of their mobile applications; and (ii) failed to secure the transmission of millions of consumers’ sensitive personal information. The FTC alleged that one company’s application assured consumers that their credit card information was stored and transmitted securely even though the company disabled a higher level of security validation, which allowed such credit card information to be intercepted. In addition, the company allegedly failed to have an adequate process for receiving vulnerability reports from security researchers and other third parties. The FTC alleged that the second company also disabled enhanced security validation despite claiming that it followed industry-leading security precautions, which also left consumers’ information vulnerable to interception. The final settlement orders require both companies to establish comprehensive programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit the companies from misrepresenting the level of privacy or security of their products and services.
On August 1, the FTC released a staff report on the agency’s review of shopping apps—those used for comparison shopping, to collect and redeem deals and discounts, and to complete in-store purchases. The FTC staff examined information available to consumers before they download the software onto their mobile devices—specifically, information describing how apps that enable consumers to make purchases dealt with fraudulent or unauthorized transactions, billing errors, or other payment-related disputes. The staff also assessed information on how the apps handled consumer data. The FTC staff determined that the apps studied “often failed to provide pre-download information on issues that are important to consumers.” For example, according to the report, few of the in-store purchase apps provided any information prior to download explaining consumers’ liability or describing the app’s process for handling payment-related disputes. In addition, according to the FTC, most linked privacy policies “used vague language that reserved broad rights to collect, use, and share consumer data, making it difficult for readers to understand how the apps actually used consumer data or to compare the apps’ data practices.” The FTC staff recommends that companies that provide mobile shopping apps to consumers: (i) disclose consumers’ rights and liability limits for unauthorized, fraudulent, or erroneous transactions; (ii) clearly describe how they collect, use, and share consumer data; and (iii) ensure that their strong data security promises translate into strong data security practices. The report also includes recommended practices for consumers.
On June 11, the CFPB released a request for information (RFI) about how consumers are using mobile financial services (MFS) to access products and services, manage finances, and achieve financial goals, with a focus on “economically vulnerable” consumers. The request does not cover point of sale payments, except with respect to mobile payment products targeted to underserved consumers. The request states that the information will be used to inform the CFPB’s “consumer education and empowerment strategies.” On June 12, the CFPB hosted a field hearing on MFS, which included presentations from consumer advocates and emerging mobile services providers regarding the future potential of MFS to reach the underserved.
On June 3, the CFPB announced that it will hold a field hearing on mobile financial services on June 12, 2014, in New Orleans, LA. The event is open to members of the public who RSVP and also will be streamed live on the CFPB’s website. Consistent with the CFPB’s past practice of providing limited advance information about field hearings, the announcement states only that the event will feature remarks from Director Richard Cordray, as well as testimony from consumer groups, industry representatives, and members of the public.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On January 15, the FTC announced that a major mobile technology company agreed to resolve allegations that it violated Section 5 of the FTC Act by failing to inform account holders that entering their password on their mobile device would open a 15-minute window in which children could incur unlimited charges within certain mobile applications with no further action from the account holder (in-app purchases). The settlement is open to public comment through February 14, 2014. Once finalized, the proposed settlement will require the company to refund at least $32.5 million to consumers who allegedly were billed for accidental or unauthorized in-app purchases by minors. The company will manage the remuneration process, including by providing notice to consumers and providing refunds promptly upon consumer request. Any funds remaining after 12 months of the final agreement must be remitted to the FTC. The company also must alter its billing practices to ensure it obtains express, informed consent before charging account holders for in-app purchases.
On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.
As the technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially for mobile payments.
The variety and number of mobile devices and service providers to support them have introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new and operational risks for consumers, payment providers, and the recipients of the payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues impacting the financial services industry, please review some of our recent articles on the issue. BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments in their article, “Is Regulatory Uncertainty an Impediment to Mobile Payments?” earlier this year. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy” Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.