On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
Look Before You Invest: Bitcoins, Virtual Currencies, Emerging Payment Products, and Regulatory Compliance
Margo H.K. Tank, Michael Zeldin, and Ian C.B. Spear, attorneys with BuckleySandler LLP in Washington DC, advise financial institutions on electronic financial services, mobile payments, prepaid access and virtual payment methods, in the areas of anti-money laundering, privacy, trade sanctions, and regulatory compliance.
Emerging payment products, such as Bitcoin, present tantalizing investment opportunities. The claim that these products are “unregulatable,” or “free of the power of the state” increases the temptation to participate, because if true, regulatory uncertainty associated with traditional financial industries would be eliminated. Notwithstanding these claims, virtual currency laws and regulations seem primed to explode. Acknowledging that “virtual currency systems offer ‘legitimate’ financial services,” the Department of Justice, for example, has investigated and prosecuted illegal activities involving virtual currencies. As a result, risk-related issues like money laundering, terrorist financing, and economic and trade sanctions remain critical to evaluating investments in emerging payment products. To understand why, consider how the emerging payments industry is regulated now and what additional regulation might emerge.
On September 10, the Federal Reserve Banks issued a public consultation paper that identifies “key gaps and opportunities” in the U.S. payment system. They include: (i) payment recipients prefer other forms of payments than checks but exercise little control over the sender to request a preferred form of payment, (ii) the system lacks a “near-real-time” payment capability, (iii) innovations have not gained significant market penetration while legacy systems tend to be more ubiquitous, (iv) legacy systems lack certain desired features, including, for example, assurance that a payment will not be returned or reversed, (v) cross-border payments are slow and costly, and lack fee and timing transparency, (vi) some digital wallet applications reduce the visibility and choice of payment instrument at the point of sale, (vii) businesses’ legacy payment and accounting systems make straight-through processing difficult, but are costly to change, and (viii) data security fears inhibit adoption of electronic payments. The paper outlines certain desired outcomes and seeks input on strategies and tactics to address the perceived gaps and shape the future of the domestic payment system. Interested stakeholders can submit comments until December 13, 2013.
As the technology continues to grow and become a part of day-to-day life, smartphones and tablets are reshaping the delivery of financial services to consumers. The mobile device is quickly becoming a full-fledged platform for electronic financial services, especially for mobile payments.
The variety and number of mobile devices and service providers to support them have introduced new and different stakeholders – all of whom are competing with traditional financial institutions for dominance in the mobile commerce/mobile payment space. This new and rapidly evolving environment presents new and operational risks for consumers, payment providers, and the recipients of the payments. It will be vital to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions.
To learn more about the mobile technology issues impacting the financial services industry, please review some of our recent articles on the issue. BuckleySandler attorneys Margo Tank and David Whitaker raise legal considerations surrounding the regulatory uncertainty in mobile payments in their article, “Is Regulatory Uncertainty an Impediment to Mobile Payments?” earlier this year. In “Federal Regulators Issue Guidance on Social Media and Mobile Privacy” Margo, David, and Ian Spear discuss the recent guidance and flexible guidelines issued by the FFIEC and FTC. Another recent article by Margo and David provides a list of the accessibility items financial services companies should consider when developing their websites and mobile apps.
On March 27, the Federal Reserve Board presented the findings of a November 2012 online survey of consumers’ use of mobile technology to access financial services and make financial decisions. The report follows a related March 2012 Federal Reserve Board report, and includes the Board’s general findings that (i) mobile phones and mobile Internet access are in widespread use, (ii) the ubiquity of mobile phones is changing the way consumers access financial services, (iii) mobile phones are also changing the way consumers make payments, (iv) security and usefulness concerns continue to be the main impediments to the adoption of mobile financial services, (v) smartphones are changing the way people shop, and (vi) mobile phones are prevalent among unbanked and underbanked consumers. The report points out that the use of mobile phones to make payments at the point of sale has increased more rapidly than the use of mobile phones for banking, and that there is “substantial growth potential” for mobile payments as the ability to make them becomes more widespread.
On March 8, the FTC released a report on mobile payments by consumers. The report, based on an FTC workshop held in April 2012, focuses on financial, security, and privacy consumer protections. The FTC encourages companies to develop clear dispute resolution policies to address customer claims of fraudulent mobile payments or unauthorized charges. The report highlights “special concerns” with mobile carrier billings, in which mobile carriers place charges on phone bills on behalf of third parties, based on the FTC’s concern that there are no federal statutory protections governing consumer disputes about fraudulent or unauthorized charges placed on mobile carrier bills. The FTC also encourages industry-wide adoption of strong security measures and suggests ways sensitive financial information can be kept secure during the mobile payment process, including end-to-end encryption. The report highlights the need for mobile payment companies to practice “privacy by design,” incorporating strong privacy practices, consumer choice, and transparency into their products from the outset. Finally, the report notes privacy issues arising from the consolidation of consumers’ personal information in the mobile payment process.
On February 19, the Electronic Transactions Association’s (ETA) Mobile Payments Committee released three resources to help firms navigate emerging issues in the mobile payments market. The Committee is an industry-wide task force of representatives from credit card networks, processors, mobile network operators, developers, financial institutions, and device manufacturers. The first resource, “Best Practices and Guidelines for Mobile Payment Solutions,” addresses security, privacy and competition issues relevant to merchants, consumers, federal and state legislators, federal regulators, merchant acquirers, credit card issuers, and infrastructure providers. In the second, a white paper entitled “Beyond the Hype: Mobile Payments for Merchants,” the Committee provides a comprehensive overview of the current state of mobile payments, as well as analysis of the risks and costs for merchants to consider before deploying mobile payments solutions. Finally, the Committee issued a “Mobile Payments Glossary of Terms.”
On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also provides (i) recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) recommendations regarding the different components of the payment acceptance solution, including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.
Recently, NACHA – The Electronic Payments Association’s Council for Electronic Billing and Payment released final guidelines to facilitate the use of Quick Response (QR) codes for a variety of consumer bill payment functions, including viewing bills, making payments, enrolling for eBills, and setting up payees in online banking. The guidelines provide voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models, and provide recommendations for (i) QR code size, (ii) data to be included in the QR code, and (iii) layout of the data represented in the QR code. The guidelines are intended to establish a single QR code format that can be printed on a paper bill and scanned by a consumer’s mobile phone using a biller, mobile banking, or generic QR code reader to allow billers and service providers to enable QR encoding in a standardized format, provide certainty for biller and banking clients, and ensure a consistent consumer experience.
On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.
On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.
On November 20, the European Parliament adopted a nonbinding resolution calling for the development of common rules and standards for personal credit and debit card payments. The resolution explains that such rules would bring the card payment market “closer to its full potential and efficiency.” The Members of Parliament called on the European Commission to develop the legislative proposals needed to extend the current single Euro payments area (SEPA) regulation, which governs euro credit and direct debit transactions among banks, to the market for card, internet and mobile payments, but cautioned that lawmakers should avoid regulating the internet and mobile payment market too heavily, so as not to hinder its growth and innovation. The resolution also claims that current fees for handling card payments are high relative to the costs they need to cover, but does not call for caps. Finally, the resolution states that minimum security requirements for card, internet and mobile payments should be the same in all EU member states.
Recently, Canada’s Department of Finance published a consultation paper that proposes an addendum to the Code of Conduct for the Credit and Debit Card Industry in Canada to apply the Code to mobile payments. The Code, which took effect in August 2010, is a voluntary measure applicable to credit and debit card networks and covers point-of-sale, Internet, and phone payment methods. The addendum would extend the Code to apply explicitly to payments initiated by consumers that access a deposit or credit account through a payment network accessed by mobile device at the point-of-sale. The addendum also would clarify the way in which five of the ten elements of the code would apply to mobile payments. For example, the addendum would prohibit credit and debit card functions from co-residing in the same mobile payment application. Canada’s Department of Finance has invited stakeholder comments on all aspects of the proposal.
On August 30, NACHA – The Electronic Payments Association proposed guidelines to facilitate the use of Quick Response (QR) codes for consumer bill payments. A QR code is a type of barcode readable by a mobile device equipped with a QR application. The guidelines, developed by NACHA’s Council for Electronic Billing and Payment, seek to establish a single QR code format to serve consumer bill pay needs through a variety of channels, including a biller’s website, a financial institution’s online bill pay website, or other aggregation bill pay websites. The proposal recommends guidelines for the QR code size and format, billing data to be included, and encoding format. NACHA has requested comment from interested parties by September 19, 2012 and expects to prepare a final version of the guidelines before the end of 2012.
Recently, the Federal Reserve Banks of Atlanta and Boston published a report on an April 2012 meeting of the Mobile Payments Industry Workgroup and representatives from federal and state banking regulators, the FTC, and the FCC to review the regulatory landscape for mobile payments. The paper notes that (i) remote payments and money transfers are beginning to emerge to facilitate person-to-person payments and cannot be ignored from a regulatory perspective, (ii) growth in nonbank money transfer services is subjecting more nontraditional technology-based companies to state money transmitter licenses and related regulatory oversight, and (iii) the CSBS and the Money Transmitter Regulators Association are creating a nationwide cooperative supervisory system for the coordinated multistate examination of money transmitters. The report also reflects the meeting participants’ consensus that the existing regulatory framework is sufficient for today’s mobile payment services. Still, the report states that the CFPB plans to review mobile payment disclosure practices to ensure that consumers have sufficient information in the event of account discrepancies, assess how disclosures are provided to consumers, and evaluate how the parties in mobile payment transactions handle error resolution and liabilities.