Digital Transactions Authoritative, insightful and timely information for payments professionals
Linda Punch
A consensus is forming that regulations specific to mobile payments are coming, but questions about when, who will be involved, and exactly what issues they’ll address are far from settled.
With mobile payments increasingly capturing headlines and consumers’ imaginations, can the attention of lawmakers and regulators be far behind?
Following a series of actions targeting credit, debit, and prepaid cards over the past few years, Congress and federal regulators are beginning to scrutinize mobile payments. The Senate and the House of Representatives earlier this year held hearings on mobile payments, and one government agency, the Federal Trade Commission, in April sponsored a one-day conference with speakers from payment networks, mobile-technology firms, vendors, and other interested parties.
Industry groups, including automated clearing house network governing body NACHA and the Retail Payments Risk Forum also are monitoring developments in mobile payments and assessing the possible need for regulations to protect consumers.
Thus far, many industry participants and regulators are content with the status quo, primarily because mobile payments are still in the early stages of development and existing controls appear adequate. But the nature of mobile payments raises the specter of future regulatory action as the fast-changing market matures.
“It’s a big transformation of the payment experience and overall infrastructure and therefore will have a heck of a lot a new regulation,” says Rick Oglesby, senior analyst at Boston-based research firm Aite Group LLC. “A lot of times that regulation tends to come after the private sector has already moved, so we may see some catch-up here.”
Myriad of Laws
Many industry participants contend there is no need for new regulations because mobile-payment models currently available are tied to existing payment methods such as credit or debit cards, says Cynthia Merritt, assistant director of the Retail Payments Risk Forum, a research group at the Federal Reserve Bank of Atlanta.
The forum formed a mobile-payments working group with the Federal Reserve Bank of Boston to talk with banks, card networks, telecommunications companies, regulators, and others involved in mobile payments.
“From our perspective right now, what we’ve heard from the industry is that the mobile device is an access device, it’s a channel that will basically leverage existing payment mechanisms,” Merritt says. “With that said, the existing laws, regulations, rule sets associated with those payments will follow the payment method—the credit card, the debit card, even an ACH payment method—through the mobile channel, and they’ll rely on existing clearing and settlement networks.”
Regulators told the working group that the existing regulatory framework and supervisory guidance is applicable in the mobile channel, Merritt says. “At this time, there really isn’t a need for new regulatory measures,” she says.
But even the existing regulations pose a challenge for mobile-payments developers and consumers because of the diversity of the players involved, says Paul A. Carruba, an attorney with Adams & Reese LLP, Jackson, Miss. Mobile-payment networks can include network operators, financial institutions, third-party processors, handset manufacturers, and a host of other participants, and often the individual players are governed by different regulations.
“There’s not any one law or regulation that deals with mobile payments or with mobile banking,” says Carruba, a former banker who works with banks in implementing mobile-payment programs. “It’s just across the board.”
Mobile payments can be governed by a myriad of laws and regulations in the banking area alone, he says, including the Electronic Fund Transfer Act, the Truth in Lending Act, and the Dodd-Frank Act.
“There’s not any one law, like electric funds transfer—you’ve got the EFTA, we have Regulation E to implement that. We’ve got the Expedited Funds Availability Act, we’ve got Reg CC that deals with availability of funds,” he says. “But there’s not any one piece, one regulation that deals with that.”
Privacy Qualms
That means banks and credit unions have to go through an analysis of every regulatory area that currently exists for financial institutions and decide which ones are going to be applicable to their mobile-payments programs, according to Carruba.
“If a credit card is used for the payment transaction, then Truth in Lending and Regulation Z could be applicable to that transaction,” he says. “If that mobile phone is going to be used to make payments online, cutoff times for loans, penalties assessed if you miss a payment, there could be some implications under Truth in Lending and Reg Z.”
At the same time, non-banking regulators, including the Federal Communications Commission, oversee telecom operators or other mobile-payments participants.
Companies aren’t the only ones that might be confused by the current regulatory landscape. The fact that there is no one regulator governing mobile payments also creates problems for consumers.
“The different ways to pay by mobile device, and the varying consumer protections that apply to each, create the potential for confusion when a consumer is faced with a transaction gone wrong,” Suzanne Martindale, staff attorney for Consumers Union, told a Senate subcommittee holding hearings on mobile payments in March. “Consumers need to know where to complain and how to get their money back in case of errors or unauthorized use.”
In addition, while credit and debit cards have mandatory protections under existing law, prepaid cards don’t, Martindale said.
“Mobile payment[s] linked to a prepaid phone deposit or phone bill are especially problematic, because they do not fit neatly into existing legal categories,” she said.
Despite the oversight of the wide variety of regulatory agencies governing mobile payments, many are concerned the laws won’t be adequate to protect consumers as more sophisticated and innovative programs emerge. Of greatest concern is the protection of consumer data and privacy.
“There’s a whole ecosystem developing that’s beyond the payments ecosystem,” Aite Group’s Oglesby says. “We think of the payments ecosystem as the four-party model. It’s the consumer, it’s the merchant, it’s the payment networks, and the banks. But within the mobile-payments arena there’s a whole bunch of new providers, primarily on the digital-marketing side, who are getting involved in that process as well as exchanging data back and forth trying to enable all these marketing solutions.”
‘Detailed Profiles’
For example, using phones for mobile payments enables providers to collect marketing data, such as itemization of the products purchased or a consumer’s search history, which can be shared with merchants or other organizations, he says.
In comments to the Federal Trade Commission at the April mobile-payments workshop, the Center for Democracy and Technology noted that using a smart phone in a brick-and-mortar store could provide more consumer data to more companies than traditional offline credit card transactions.
“Without strong user privacy controls, mobile payments will enable companies to build detailed profiles about your shopping habits and turn your cell phone into a magnet for telemarketing, spam, and online behavioral advertising,” it said.
Mobile payments can expose consumer data to companies not traditionally included in credit card transactions, according to the CDT.
“In addition to credit card issuers and payment processors, mobile-payment services also involve the mobile-payment provider (i.e. Google, in the case of Google Wallet), the mobile-operator (i.e. Verizon or AT&T), and third-party apps that consumers download (such as a budget app),” the CDT said.
What’s more, many mobile-payment services will collect consumers’ contact information when they register with the service.
“Mobile-payment services and apps can be programmed to provide merchants with consumers’ phone numbers, e-mail addresses, and purchase histories during a transaction in a store—so long as the merchant’s point-of-sale system is able to receive this information,” the group said.
Such activity can weaken the protective effect of existing privacy laws, including those restricting telemarketing and spam, according to the CDT. For example, the Telephone Consumer Protection Act requires telemarketing companies to honor do-not-call lists. However, the prohibition doesn’t apply to companies with which the consumer has an established business relationship (EBR).
“Because traditional credit card transactions do not reveal consumers’ telephone number to merchants, most merchants today are unlikely to make telephone or text solicitations to consumers—even when they have an EBR. However, mobile-payment payment services and apps can be programmed to give merchants consumers’ telephone numbers during transactions. This frees every merchant from whom a consumer makes a purchase—no matter how small—to direct telephone or text solicitations to the consumer, even if the consumer is on the national DNC list,” the CDT said.
‘Multiple Agencies’
But not all agree that mobile payments need further regulation.
“Mobile technology and processes are just beginning to emerge and we don’t know which practices the public will like or what methods will provide new benefits until the technology begins to coalesce,” Mallory Duncan, senior vice president at the Washington, D.C.-based National Retail Federation, told the FTC in April. “The government should not impose regulations that would forestall yet-do-be-imagined advances and innovations in order to avoid potential harm based largely on speculation.”
Any privacy rules developed for mobile payments should be no more restrictive than those for the underlying form of payment, Duncan added.
“Retailers have always wanted to know their customers so they can serve them better and that doesn’t change simply because the method of payment changes,” he said. “Mobile might help retailers get to know their customers more like they knew their customers generations ago, and offer more personalized service.”
With growing concerns about how mobile payments will affect consumer privacy and data, lawmakers and regulators are likely to keep a close eye on the industry. Of special concern will be non-banks rolling out programs with no ties to financial institutions, attorney Carruba says.
“The thing that I have seen so far in terms of concern on the part of the legislators is with payments outside of the banking industry, because there already are so many controls in place for banking,” he says. “Since all of this is relatively new for the non-banking industry, there just aren’t a lot of regulations in place that govern that.”
Deciding which agency will oversee mobile payments could complicate efforts to regulate the industry, Carruba adds.
“The financial-services industry is very clear: the FDIC [Federal Deposit Insurance Corp.], the OCC [Office of the Comptroller of the Currency], the CPFB [Consumer Financial Protection Bureau], the Federal Reserve, and the regulatory agencies that are examining financial institutions,” he says. “Outside of the financial industry, you don’t have the network of regulators to enforce whatever types of regulations come through.”
Adds Aite’s Oglesby: “Because a lot of this is fairly new, and rapidly developing, there’s still a lot of question in the government as to who really owns the regulation of it, which to me means that probably multiple agencies will get involved.”
One agency that might get involved is the CFPB, which in May said it would examine prepaid card fees, disclosures, possible changes in existing regulation, and other information about the payment channel. Created by 2010’s Dodd-Frank Act, the controversial CFPB has broad regulatory power over a host of consumer financial products.
Just how the regulatory environment for mobile payments will change won’t be clear until the market matures in the U.S., the Atlanta Fed’s Merritt says.
“It’s really at a very nascent stage of the development,” she says, adding that thus far the business model is that “banks are conducting the financial-services part while the telecoms are providing more of the pipes. But that can change in the future. We just don’t know how that’s going to turn out.”
