On March 8, the FTC released a report on mobile payments by consumers. The report, based on an FTC workshop held in April 2012, focuses on financial, security, and privacy consumer protections. The FTC encourages companies to develop clear dispute resolution policies to address customer claims of fraudulent mobile payments or unauthorized charges. The report highlights “special concerns” with mobile carrier billings, in which mobile carriers place charges on phone bills on behalf of third parties, based on the FTC’s concern that there are no federal statutory protections governing consumer disputes about fraudulent or unauthorized charges placed on mobile carrier bills. The FTC also encourages industry-wide adoption of strong security measures and suggests ways sensitive financial information can be kept secure during the mobile payment process, including end-to-end encryption. The report highlights the need for mobile payment companies to practice “privacy by design,” incorporating strong privacy practices, consumer choice, and transparency into their products from the outset. Finally, the report notes privacy issues arising from the consolidation of consumers’ personal information in the mobile payment process.
On February 19, the Electronic Transactions Association’s (ETA) Mobile Payments Committee released three resources to help firms navigate emerging issues in the mobile payments market. The Committee is an industry-wide task force of representatives from credit card networks, processors, mobile network operators, developers, financial institutions, and device manufacturers. The first resource, “Best Practices and Guidelines for Mobile Payment Solutions,” addresses security, privacy and competition issues relevant to merchants, consumers, federal and state legislators, federal regulators, merchant acquirers, credit card issuers, and infrastructure providers. In the second, a white paper entitled “Beyond the Hype: Mobile Payments for Merchants,” the Committee provides a comprehensive overview of the current state of mobile payments, as well as analysis of the risks and costs for merchants to consider before deploying mobile payments solutions. Finally, the Committee issued a “Mobile Payments Glossary of Terms.”
On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also provides (i) recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) recommendations regarding the different components of the payment acceptance solution, including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.
Recently, NACHA – The Electronic Payments Association’s Council for Electronic Billing and Payment released final guidelines to facilitate the use of Quick Response (QR) codes for a variety of consumer bill payment functions, including viewing bills, making payments, enrolling for eBills, and setting up payees in online banking. The guidelines provide voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models, and provide recommendations for (i) QR code size, (ii) data to be included in the QR code, and (iii) layout of the data represented in the QR code. The guidelines are intended to establish a single QR code format that can be printed on a paper bill and scanned by a consumer’s mobile phone using a biller, mobile banking, or generic QR code reader to allow billers and service providers to enable QR encoding in a standardized format, provide certainty for biller and banking clients, and ensure a consistent consumer experience.
On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.
On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.
On November 20, the European Parliament adopted a nonbinding resolution calling for the development of common rules and standards for personal credit and debit card payments. The resolution explains that such rules would bring the card payment market “closer to its full potential and efficiency.” The Members of Parliament called on the European Commission to develop the legislative proposals needed to extend the current single Euro payments area (SEPA) regulation, which governs euro credit and direct debit transactions among banks, to the market for card, internet and mobile payments, but cautioned that lawmakers should avoid regulating the internet and mobile payment market too heavily, so as not to hinder its growth and innovation. The resolution also claims that current fees for handling card payments are high relative to the costs they need to cover, but does not call for caps. Finally, the resolution states that minimum security requirements for card, internet and mobile payments should be the same in all EU member states.
Recently, Canada’s Department of Finance published a consultation paper that proposes an addendum to the Code of Conduct for the Credit and Debit Card Industry in Canada to apply the Code to mobile payments. The Code, which took effect in August 2010, is a voluntary measure applicable to credit and debit card networks and covers point-of-sale, Internet, and phone payment methods. The addendum would extend the Code to apply explicitly to payments initiated by consumers that access a deposit or credit account through a payment network accessed by mobile device at the point-of-sale. The addendum also would clarify the way in which five of the ten elements of the code would apply to mobile payments. For example, the addendum would prohibit credit and debit card functions from co-residing in the same mobile payment application. Canada’s Department of Finance has invited stakeholder comments on all aspects of the proposal.
On August 30, NACHA – The Electronic Payments Association proposed guidelines to facilitate the use of Quick Response (QR) codes for consumer bill payments. A QR code is a type of barcode readable by a mobile device equipped with a QR application. The guidelines, developed by NACHA’s Council for Electronic Billing and Payment, seek to establish a single QR code format to serve consumer bill pay needs through a variety of channels, including a biller’s website, a financial institution’s online bill pay website, or other aggregation bill pay websites. The proposal recommends guidelines for the QR code size and format, billing data to be included, and encoding format. NACHA has requested comment from interested parties by September 19, 2012, and expects to prepare a final version of the guidelines before the end of 2012.
Recently, the Federal Reserve Banks of Atlanta and Boston published a report on an April 2012 meeting of the Mobile Payments Industry Workgroup and representatives from federal and state banking regulators, the FTC, and the FCC to review the regulatory landscape for mobile payments. The paper notes that (i) remote payments and money transfers are beginning to emerge to facilitate person-to-person payments and cannot be ignored from a regulatory perspective, (ii) growth in nonbank money transfer services is subjecting more nontraditional technology-based companies to state money transmitter licenses and related regulatory oversight, and (iii) the CSBS and the Money Transmitter Regulators Association are creating a nationwide cooperative supervisory system for the coordinated multistate examination of money transmitters. The report also reflects the meeting participants’ consensus that the existing regulatory framework is sufficient for today’s mobile payment services. Still, the report states that the CFPB plans to review mobile payment disclosure practices to ensure that consumers have sufficient information in the event of account discrepancies, assess how disclosures are provided to consumers, and evaluate how the parties in mobile payment transactions handle error resolution and liabilities.