The global mobile payment market is poised to explode over the next few years. One report predicts it will quadruple by 2014, reaching $630 billion in value.[i] According to this report, the growth across all market segments is being driven by the wide adoption of smartphones and the increased use of app stores.[ii] In the first quarter of 2011, worldwide smartphone shipments grew 83 percent to 101 million units,[iii] and global smart phone sales are projected to hit 468 million units in 2011, a 57.7 percent increase from 2010, according to Gartner, Inc.[iv]
The United States has the largest number of smartphone shipments among all countries.[v] As of December 2010, 43.6 percent of U.S. mobile phone owners browse the mobile Internet, use applications, or download content (up from 35.7 percent in December 2009).[vi] Meanwhile, the number of people who are using their mobile phones just for voice has declined 16 percent year-over-year.[vii] Despite the fact that the United States leads in terms of smartphone adoption, until now it has lagged behind other regions—such as Latin America and South Asia—when it comes to mobile payments. That, however, is changing.
Recently, numerous new mobile payment ventures have been announced and various players—including mobile carriers, financial institutions, alternative payment providers and Internet companies—have thrown their hats in the mobile-payments ring. These new ventures include, among others:
– Visa’s plan for a digital wallet, set to launch this fall;
– ISIS, a mobile payment network joint venture formed by AT&T, T-Mobile USA, Inc. and Verizon Communications Inc.;
– Square, Inc., an electronic payments service that allows consumers to use their smartphones or tablet devices to accept card charges; and
– Starbucks Corp.’s mobile payment app, by which customers may pay for in-store purchases with select smart phones.
The demand for mobile payments in the United States is clear from the number of these recent announcements. What is not clear, however, is whether existing regulations should be applied to these mobile payments or how the newly created Consumer Financial Protection Bureau (CFPB) will exercise its regulatory authority over the emerging industry. While laws on the subject exist, they fail to address the degree to which technology has outpaced regulations. For example, paper receipts and certain disclosure requirements simply do not work with the technological reality of payment via mobile devices. Legal clarity for mobile payments is needed. But in providing legal clarity, regulators (including the CFPB) must not impede innovation and efficiencies; they must acknowledge that because mobile payments are fundamentally different, they do not neatly fit the prior regulatory mold.
The mobile phone as an access device or point-of-sale terminal changes the payment paradigm of the past.
As technology has evolved, the fundamental elements of a payment have changed. Twenty years ago, consumers walked up to the physical point of sale, pulled cash, a check, or a card out of their wallet, made a payment, and received their goods or services and the associated paper receipt.[viii] In the late 1990s, with the advent of the Internet and the subsequent growth of eCommerce, we saw consumers take the same behavior online, except that payment was made via a computer and goods were subsequently delivered to the customer at an agreed-upon time and location. The receipt was presented electronically to the consumer on a computer at the time the transaction was completed and the consumer had the ability to print that receipt wherever the consumer was located. It was clear that the merchant could not provide this receipt physically to the customer (other than with the goods themselves) because the parties were not in the same physical location and thus the ability to deliver a receipt electronically via the computer terminal combined with a receipt accompanying the goods was deemed legally sufficient.[ix]
The payment model is changing once again with the introduction of mobile payments, which can occur either remotely or at the physical point of sale where either the consumer or the merchant uses a smartphone to effectuate payment. In this new model, consumers may pay by bumping their smartphones with someone else’s phone or by launching an app that logs into a digital wallet. Alternatively, the merchant may accept payment by using its smartphone as a point-of-sale terminal. So what do we do with legal requirements that made sense in the physical world, where merchants could provide paper receipts[x] and hand consumers a coupon or promotion, and the Internet world, where everything was delivered at a future point in time?
Existing laws must be updated.
For starters, existing consumer protection laws need to be updated so they take this new payment model into consideration. Merchants using slick new technologies like Square, which allow them to accept payment via their smartphones while standing in front of the customer, may not be able to print a receipt while selling pickles at the farmer’s market or flowers at the train station. One assumes they will have the ability, through use of the software underlying the new hardware, to generate and send an electronic receipt to an email address provided by the customer. But this immediately raises two questions: 1) Is the payment transaction initiated using a mobile device covered by Regulation E? and 2) If the transaction is subject to Regulation E, is the provision of an electronic receipt without a paper option legally sufficient?
Specifically, it is important to note that the definition of an electronic terminal in Regulation E currently excludes transfers initiated via telephone. [xi] A smartphone is a clearly a telephone, but did the drafters contemplate the ability to initiate payments or receive payments via a smartphone when they wrote this law? And are regulators and participants in the payment system treating the smartphone as exempt from Regulation E? This certainly does not appear to be the case; to the contrary, it seems expected that a mobile phone used to initiate electronic fund transfers from consumer asset accounts will be subject to Regulation E. But this is an obvious area where clarity would prove beneficial.
Assuming that Regulation E does apply to mobile payment transactions, Section 205.9 of Regulation E requires that a financial institution make a receipt available to a consumer at the time the consumer initiates an electronic fund transfer at an electronic terminal. In the official staff commentary to this section, the Federal Reserve Board goes on to explain that receipts need only be provided if customers elect to receive one (but they must be available if customers so elect) and that receipts that are not furnished due to the terminal running out of paper or due to a mechanical jam.[xii] This requirement and the associated commentary have traditionally been viewed as requiring that a paper, not just an electronic receipt, be made available at the point of sale. Compliance with this requirement would, however, stifle the business models and limit the ability of many merchants to actually do business. It would also limit the convenience that mobile payments can offer millions of smartphone users.
There is also the issue of unauthorized transfers under Regulation E.[xiii] For example, under the mobile payments paradigm, how do we deal with situations where users have logged into devices and asked to be “remembered” so they don’t have to authenticate before making payments from the associated device? Is a transaction by a family member or friend using that device without permission considered unauthorized? Or should the customer who asked to be remembered on the device be responsible for setting up the device so others could not use it without permission?
Using the “actual authority” standard for unauthorized transactions under Regulation E, providing someone with a computer or mobile device from which the original user has not logged out (resulting in a situation where the second user makes financial transactions from the original user’s account) would appear to be considered unauthorized use because the second user did not have actual authority to transact using the original user’s account. While the original user may have acted negligently, Comment 2 in the official staff commentary to Section 205.6(b) of Regulation E makes clear that negligence does not increase the consumer’s liability for unauthorized use. But is this the appropriate result?
Consider a credit or debit card. If the cardholder were to hand the card to a third party but not specifically authorize the purchase of a specific item, Comment 2(m) of the official staff commentary to Regulation E provides that the party furnishing the access device is in fact liable unless it notifies the financial institution that use privileges by the third party have been revoked. Should the same be true for a mobile phone? In the same way that users were previously instructed to safeguard their PIN numbers and not write them on their cards, should we allow users to authenticate via mobile devices and then hand them to someone else? Arguably, the law should be updated to clarify that authenticating via a mobile device (but failing to safeguard that mobile device) makes the consumer liable for payments associated with the device until the customer notifies the underlying financial institution(s) to stop any payments using the device. Any other result would put a disproportionate amount of risk on the merchant and issuer community.
But these are not easy issues. Consumers use mobile devices in a way different from how they use traditional access devices. Playing games, watching movies, and reading the news are but a few examples where users may log into an account to make payments related to their consumption of digital goods. Of course, there are an equal number of cases where consumers use the mobile device for payments in brick-and-mortar settings (using near field communication (NFC) or other available technology). In each of these scenarios, however, it is feasible that the user would log into a payment account or electronic wallet and ask that they be remembered based on their device identifier. Yet phones are passed around to our children, our spouses, our friends and sometimes even strangers in a way that we don’t pass our wallets or other payment forms in our wallets around. This is something that the law needs to contemplate to strike the right balance.
Yet another area of legal uncertainty is with the Bank Secrecy Act (BSA), which requires financial institutions to keep records of cash purchases of negotiable instruments, file reports of cash transactions exceeding $10,000, and report suspicious activity that might signify money laundering, tax evasion, or other criminal activities.[xiv] .In addition, the U.S. Department of the Treasury has implemented a series of regulations that direct various financial institutions to implement the BSA’s Consumer Identification Program (CIP).[xv] These covered financial institutions must collect certain information to verify the identity of each customer, customer being defined generally as a person who opens a new account. At a minimum, the covered institutions must obtain identifying information from each customer before opening the account, including name, date of birth for individuals, address, and identification numbers.
CIP requirements do not apply to all financial institutions. Rather, CIP regulations cover only a specific set of designated financial institutions, including banks, savings associations, credit unions, broker-dealers, futures commissions merchants, introducing brokers and mutual funds.[xvi] By contrast, while “money service businesses” are obliged to report suspicious activity, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has made it clear they are not required to collect the same amount of information from their customers that banks are. Because collecting information imposes costs, chartered and non-chartered institutions can be expected to battle over how CIP obligations should apply to mobile payments.
A key question facing this emerging industry will be whether mobile payment systems create BSA obligations. And if not, should they? What if a mobile payment technology provides the customer with the ability to load funds onto a mobile device without any underlying account? What information, if any, must these emerging payment systems collect from their customers under the CIP requirements? Should an institution that is hosting payment services offered by another in the mobile equivalent of a wallet be required to gather the same amount of data from the user as a bank that is settling transactions for its customers? Whether mobile payment systems are subject to the BSA and CIP requirements is unclear, with the answer likely turning on both the form of the payment system and the functionality it is enabling. In other words, what can you pay for and whom can you pay? As noted above, many types of mobile payment systems with different players, functions and forms are emerging. The analysis of whether BSA or CIP obligations are triggered would be different for each one.
The future may be closer than it appears.
Given the ambiguity associated with the regulatory landscape for mobile phones and payments, the Consumer Financial Protection Bureau (CFPB), which was created under Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, has mobile payments on its radar as an area ripe for regulation. Based on prior publications on mobile payments, it appears that privacy and consumer protection issues will be central to the CFPB’s efforts.[xvii]
Falling within this scope and included within the CFBP’s charter is the authority to prohibit acts or practices that are “unfair, deceptive, or abusive.” Specifically, the CFPB may prescribe rules applicable to a covered person or service provider that identify certain acts or practices associated with any transaction with a consumer for a consumer financial product or service (or the offering of a consumer financial product or service) as unlawful, unfair, deceptive or abusive.[xviii] While the CFPB has been given rather broad authority in this realm—including the authority to define, through rulemaking, unfair, deceptive, and abusive practices—much remains to be seen in terms of how it will exercise this authority.
Of note, the CFPB is not limited to the Federal Trade Commission’s 1983 definition of deception. Rather, the CFPB is empowered to prevent practices that are deceptive “under federal law”—an arguably more expansive standard.[xix] Additionally, the new rulemaking authority provides the CFPB with significant new power to craft disclosure rules. Specifically, the CFPB has the power to prescribe rules to ensure that the features of any consumer financial product or service—both initially and over the term of the product or service”-are fully, accurately, and effectively disclosed to consumers in a manner that permits consumers to understand the costs, benefits, and risks associated with the product or service, in light of the facts and circumstances.”[xx] The bureau may include a “model form” disclosure in any final rule it prescribes that may be used at the option of the covered person for provision of the required disclosure.[xxi] The enabling legislation leaves open how exactly the CFPB will exercise these new powers.
When issuing these rules, regulators must consider and address specific issues applicable to mobile payments. Disclosures on a mobile device are by nature different and necessarily more limited than in other contexts. Consider, for example, that disclosures via a smart phone can be delivered to the customer when they are most relevant—immediately before incurring an obligation, liability or expense—rather than via a 30-page agreement at a single point in time. Specific disclosure requirements such as font sizes or proximity requirements will have to be revisited to see what is possible given the screen size of a smart phone. The CFPB, in enacting the new rules and drafting model disclosures, should be mindful of both the unique concerns as well as consumer benefits presented by mobile payments, and seek to formulate rules that protect consumers while also fostering innovation in this emerging industry
——————————————————————————–
[i] Juniper Research, Press Release, Mobile Payments Market to Quadruple by 2014, reaching $630bn in value, although still only accounting for around 5% of ecommerce retail sales, May 4, 2010, available at [ii”>http://juniperresearch.com/viewpressrelease.php?pr=173.
[ii] Id.
[iii] Canalys, Press Release, Android increases smart phone market leadership with 35% share, May 4, 2011, available at [iv”>http://www.canalys.com/pr/2011/r2011051.html.
[iv] STM Publishing Group, “Global Smartphone Sales to Hit 468 Million in 2011—Says Gartner Report,” April 7, 2011, available at [v”>http://www.stm-publishing.com/?p=930.
[v] Canalys, Press Release, Google’s Android becomes the world’s leading smart phone platform; Canalys reveals smart phone market exceeded 100 million unites in Q4 2010, January 31, 2011, available at [vi”>http://www.canalys.com/pr/2011/r2011013.html.
[vi] ComScore, Webinar, Mobile Year in Review 2010, Mar. 15, 2011, at p. 7, available at ([vii”>http://www.comscore.com/Press_Events/Presentations_Whitepapers/2011/2010_Mobile_Year_in_Review_-_U.S).
[vii] Id.
[viii] Receipts are required to be provided by a merchant to a consumer at the time of an electronic fund transfer from the consumer’s asset account. See 12 C.F.R. § 205.9.
[ix] Id.
[x] Id.
[xi] 12 C.F.R. § 205.2(h).
[xii] Official Staff Commentary to § 12 CFR 205.9, comment 9(a)(5).
[xiii] 12 C.F.R. § 205.6.
[xiv] 31 U.S.C. § 5311-5332.
[xv] 31 C.F.R. § 103.121-123 & 103.131.
[xvi] 31 C.F.R. § 103.121-123 & 103.131.
[xvii] See Suzanne Martindale and Gail Hillebrand, “Pay at Your Own Risk? How to Make Every Way to Pay Safe for Mobile Payments,” March 15, 2011, Banking & Finance Law Review, Forthcoming. Available at http://ssrn.com/abstract=1787587. On April 1, 2011, Ms. Hillebrand was appointed associate director of consumer education and engagement in the CFBP.
[xviii] Dodd-Frank Wall Street Reform and Consumer Protection Act § 1031, 12 U.S.C. § 5531, Pub. L. No. 111-203 (2010) (“Dodd-Frank”).
[xix] Dodd-Frank § 1031(d).
[xx] Dodd-Frank § 1032(a).
[xxi] Dodd-Frank § 1032(b).