Mobile Payments: an Evolving Landscape

Home , Alternative payments, Mobile banking, Mobile payment

Mobile Payments: An Evolving Landscape

s a relatively new financial service, mobile payments Market Characteristics Ahave the potential to signifi- cantly change how consumers pay The mobile payments marketplace for goods and services. Generally, is continuing to expand. More than mobile payments1 are defined as the 87 percent of the U.S. population 2 use of a mobile device—commonly, now has a mobile phone, and more but not exclusively, a smartphone or than half of those mobile phones 3 tablet computer—to initiate a trans- are smartphones. Nearly one-third fer of funds to people or businesses. of mobile phone users in 2012 have The widespread adoption of mobile reported using mobile devices to make payments raises critical issues, includ- a purchase. Consumers spent over ing the extent to which financial insti- $20 billion using a mobile browser or 4 tutions may lose payments-system application during the year, and this market share; the adequacy of legal number is likely to grow as smart- protections and disclosures received phone ownership increases and mobile by consumers; and, more generally, payments platforms become more how banks can ensure compliance widespread. Mobile payments can be with existing laws and regulations. made at the point-of-sale (POS) or to Although the potential benefits of facilitate person-to-person payments. mobile payments have received In either case, mobile payments are considerable attention in the media facilitated by the increasing popular- and trade publications, less scrutiny ity of smartphones, the availability has been given to understanding the of POS terminals that are equipped unique risks and supervisory issues to process transactions using near- 5 raised by this technology. This article field communications (NFC), and describes mobile payments technolo- the growth of alternative cloud-based gies, identifies the risks associated mobile payment solutions. At least with mobile payments, and discusses six NFC-equipped cell phones are 6 the existing regulatory framework for sale in the United States, and 50 that applies to the use of these percent of smartphones could be NFC- 7 technologies. equipped by 2014. Projections for

1 For purposes of this article, mobile payments do not include payments made using financial institution-spon- sored online bill payment services. For a discussion of mobile banking, see Jeffrey M. Kopchik, “Mobile Banking Rewards and Risks,” Supervisory Insights, Winter 2011 at http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin11/mobile.htm. 2 Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services,” March 2012, at http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf. 3 Javelin Strategy & Research, “Mobile Payments Hits $20 billion in 2012,” September 2012 (private study available for a fee; also on file with authors). 4 Ibid. 5 NFC is a short range wireless communication using an NFC-enabled payment card or smartphone. 6 Robin Sidel and Amir Efrati, “What’s in Your Mobile Wallet? Not Much,” Wall Street Journal, September 26, 2012, at http://online.wsj.com/article/SB10000872396390444180004578016383395015570.html. 7 Mercator Advisory Group, “Too Early to Call: Five Mobile Giants,” May 2012 (private study available for a fee; also on file with authors).

3 Supervisory Insights Winter 2012 Mobile Payments continued from pg. 3

U.S. smartphone and global NFC-ready nal or communicate their payment POS market penetration are shown in credentials through a bar code or Chart 1. other cloud-based solution to make a payment. ISIS (a consortium of three mobile telecommunications providers) is conducting NFC mobile wallet pilot projects in Austin, Texas and Salt Lake City, Utah. According to a 2012 study conducted by Cellular News, 60 to 80 percent of U.S. consumers would use a mobile wallet from one of the major brands, such as Google, PayPal, or Apple, if available.10

Mobile Payments Technologies

Mobile payments can be initiated using different core technologies, either individually or in combination. As the mobile payments marketplace continues to evolve, it is unlikely that any one technology will become dominant in the near term. Retail merchants do not know which mobile payments technologies consumers will The four major credit card brands find preferable, creating little immedi- (MasterCard, Visa, Discover, and ate incentive for investment in new American Express) offer contactless POS terminals that can accept mobile payment technology at the POS, and payments. Similarly, consumers have at least six major merchants accept little interest in acquiring the capabil- contactless payments in their stores.8 ity to make mobile payments until In partnership with MasterCard and merchants accept them, or additional Visa, Google introduced a mobile incentives are offered making it worth- wallet in 2011.9 A mobile wallet while for consumers to try a new form allows users to load payment account of payment. The mobile payments information on their smartphones, technologies increasing in popularity enabling them to choose the payment are identified in Table 1. option. Depending on the underlying technology, users may wave their smartphones near the POS termi-

8 See Mercator, supra n. 7 at 32 and 13. 9 Pew Research Center, “The Future of Money: Smartphone Swiping in the Mobile Age,” April 17, 2012, at http:// www.pewinternet.org/Reports/2012/Future-of-Money/Overview.aspx. 10 “If PayPal Offered a Mobile Wallet, 8 in 10 Consumers Would Use It,” Cellular News, June 2012, at http://www. cellular-news.com/story/54726.php.

4 Supervisory Insights Winter 2012 Table 1: Mobile Payments Technologies

Near Field Cloud Based Image Based Communications

Wireless protocol that Leverages mobile connec- Coded images similar to allows for encrypted tion to the Internet to obtain barcodes used to initiate exchange of payment credentials not stored on the payments. Credentials may credentials and other data at mobile device. be encrypted within image close range. or stored in cloud.

Carrier Based Proximity Based Mobile P2P

Payments billed directly Geolocation used to initiate Payment initiated on mobile to mobile phone account. payments. Merchant will device using recipient’s Merchants paid directly identify active users within email address, mobile phone by mobile carrier, bypass- range and verify identity. number, or other identifier. ing traditional payment Credential exchange is Payment is via ACH, card networks. cloud-based. networks, or intra-account transfer.

Although the emerging technolo- bank account information or a prepaid gies identified in Table 1 can facili- card to establish and fund an account. tate mobile payments, established This allows mobile payments compa- retail payments channels (automated nies to leverage existing banking rela- clearing house (ACH), credit/debit tionships to verify identities, satisfy networks, electronic funds transfers federal anti-money laundering (AML) (EFT), and intra-account transfers) requirements, and fund accounts. remain the principal ways mobile Thus, with regard to the transfer of payments accounts are funded and funds, the risks associated with mobile transactions settled. The only notable payments should be familiar to finan- exception is mobile carrier-based cial institutions and their regulators, payments models, which currently and the corresponding risk controls have only limited adoption in the are well established.11 United States. Mobile payments typi- cally require users to provide verifiable

11 Michele Braun, James McAndrews, William Roberds, and Richard Sullivan, “Understanding Risk Management in Emerging Retail Payments,” Federal Reserve Bank of New York Economic Policy Review, September 2008, at www.newyorkfed.org/research/epr/08v14n2/0809brau.pdf.

5 Supervisory Insights Winter 2012 Mobile Payments continued from pg. 5

bank, has taken appropriate steps to Understanding and Managing make this service secure by protecting Mobile Payments Risk the customer’s funds and confidential account information. Encrypting Mobile payments present the same sensitive information stored on the types of risks to financial institutions mobile device and providing the abil- associated with many traditional ity to disable or wipe the device clean banking-related products, including if it is lost or stolen are examples of Bank Secrecy Act (BSA)/Anti-Money effective controls that should be care- Laundering (AML) compliance, fraud, fully considered as part of any mobile credit/liquidity, operations/IT, reputa- payments service. Table 2 identifies tion, and vendor management. As is the risks posed by mobile payments the case with any new product offer- and briefly describes the challenges in ing, a financial institution should have mitigating those risks. a review and approval process suffi- ciently broad to ensure compliance The regulatory expectations for with internal policies and applicable managing mobile payments are gener- laws and regulations. However, unlike ally consistent with those associated most banking products that allow with other financial services delivered institutions to control much of the through more traditional channels. interaction, mobile payments require No safe harbors or carve-outs from the coordinated and secure exchange coverage for mobile payments exist. of payment information among several Thus, mobile payments providers unrelated entities. Making matters must determine how to comply with more challenging is that much of the existing legal requirements when the innovation in the mobile payments application to mobile payments may marketplace is driven by entrepre- not be readily apparent. For example, neurial companies that may not be creative solutions may be required familiar with supervisory expectations to display disclosures on a mobile that apply to banks and their service device’s small screen. As not all mobile providers. Depending on the type of payments give rise to the same rights, mobile payment, financial institutions consumers could become confused may find that the effective manage- about which consumer protections ment of risks involves partnering apply, or whether they apply at all, with application developers, mobile resulting in reputation risk. Consum- network operators, handset manufac- ers also may not understand which turers, specialized security firms, and regulators supervise the parties provid- others. ing the mobile payments service. Some mobile payments products may Financial institutions should be provide contractual rights similar to particularly conscious of the potential those contained in certain consumer and perceived risk of fraud in mobile protection statutes; however, these payments. Customers are more likely contractual provisions do not have the to adopt mobile payments if they are force of law as described below. confident that the provider, often their

6 Supervisory Insights Winter 2012 Table 2: Mobile Payments Risks

Category Risk Challenge

BSA/AML Failure to satisfy recordkeep- Ensuring emerging mobile payments ing, screening and reporting models developed (and sometimes requirements intended to detect managed by third-party service financial crimes, deter illicit providers) satisfy BSA/AML/OFAC cross-border payments, and requirements. prevent terrorist financing.

Fraud Failure to prevent or deter Ensuring adequate security of account unauthorized transactions, the data and other sensitive information interception of confidential and providing methods of “turning off” information, or other fraudulent access to mobile accounts in the event activity. of loss or theft of mobile device. Educat- ing consumers regarding the need to password-protect and otherwise secure their mobile devices.

Compliance Failure to comply with applica- Developing ways to translate disclosure ble consumer protection laws, and response requirements to the mobile disclosure requirements, and environment. supervisory guidance.

Credit/Liquidity Possible loss from a failure to Managing mobile payments credit risk collect on a credit obligation or linked to underlying payment type (e.g., otherwise meet a payments- credit/debit card, ACH credits/debits, related contractual commitment. prepaid, EFT, etc.).

Operations/IT Failure to protect confiden- Ensuring mobile payments solutions tial financial information or satisfy requirements to safeguard applications. customer information (e.g., Gramm- Leach-Bliley Act) and that such products are developed/configured in a secure manner.

Reputation Negative consumer experience Selecting and actively managing mobile may reflect poorly on the bank payments technology partners and or discourage the use of mobile ensuring customer satisfaction with new payments. products.

Vendor Third party may fail to meet Ongoing due diligence of partner Management expectations, perform poorly, or relationships with entrepreneurial suffer bankruptcy. companies that may be unfamiliar with operating in regulated environment.

7 Supervisory Insights Winter 2012 Mobile Payments continued from pg. 7

and regulations governing traditional Legal and Supervisory credit card payments. Table 3 provides Framework an overview of selected federal laws and regulations with applicability to To date, no federal laws or regu- mobile payments transactions. lations specifically govern mobile payments. However, to the extent Mobile payments technologies that a mobile payment uses an existing do not use the existing payments infra- payment method, such as ACH or structure would not be subject to laws EFT, the laws and regulations that and regulations that currently cover apply to that method also apply to such payments. In addition, certain the mobile payment. For example, a mobile payments providers may be mobile payment funded by the user’s subject to the jurisdiction of one or credit card will be covered by the laws more federal or state regulators

Table 3: Laws and Regulations That Apply to Mobile Payments Transactions

Law or Regulation / Coverage Applicability to Key Obligations / Description Mobile Payments Other Information Electronic Fund Transfer Generally includes any “transaction Applies when the The rule establishes consumer Act (EFTA) / Regulation E12 initiated through an electronic terminal, underlying payment rights to a number of disclosures telephone, computer, or magnetic tape is made from a and error resolution procedures Establishes rules for that instructs a financial institution consumer’s account for unauthorized or otherwise electronic fund trans- either to credit or debit a consumer’s via an EFT. erroneous transactions. The fers (EFTs) involving account.” This includes transactions disclosures include upfront consumers. such as debit card transactions, direct disclosures regarding, among deposits and withdrawals, and auto- other things, the terms and mated teller machine (ATM) transac- conditions of the EFT service and tions. The regulation generally applies how error resolution procedures to financial institutions, but certain will work. provisions apply to “any person.”

Truth in Lending Act Generally applies to “creditors” that Applies when the Creditors are required to provide (TILA) / Regulation Z13 offer or extend credit to consumers and underlying source of disclosures to consumers includes both open-end and closed-end payment is a credit describing costs; including inter- Establishes rules regard- credit products, including credit cards. card (or other credit est rate, billing rights, and dispute ing consumer credit; account covered by procedures. intended to help consum- TILA and Regulation Z). ers understand the cost of credit and compare credit options.

Truth-in-Billing14 Applies to wireless carriers. Applies when mobile Wireless carriers must provide payment results in clear, correct, and detailed billing Requires wireless carriers charges to mobile information to customers. This to provide certain billing phone bill. includes a description of services information to customers. provided and charges made.

12 15 USC § 1693 et seq., 12 CFR 1005. 13 15 USC § 1601 et seq., 12 CFR 1026. 14 47 CFR 64.2401.

8 Supervisory Insights Winter 2012 Law or Regulation / Coverage Applicability to Key Obligations / Description Mobile Payments Other Information Unfair, Deceptive, or Applicable to any person or entity Applies to all mobile Prohibits “unfair or deceptive Abusive Acts or Prac- engaged in commerce. Made applicable payments regardless acts or practices in or affecting tices (UDAP) under the to banks pursuant to Section 8 of the of underlying payment commerce.” The Dodd-Frank Federal Trade Commission Federal Deposit Insurance Act.16 source. Act also added the concept of (FTC) Act /Unfair, Decep- “abusive” practices to “unfair” tive or Abusive Acts or or “deceptive” ones, and gave Practices (UDAAP) under the Consumer Financial Protec- the Consumer Financial tion Bureau (CFPB) authority to Protection Act of 201015 further define abusiveness.

Prohibits “unfair or deceptive acts or practices in or affecting commerce.”

Gramm-Leach-Bliley Act The privacy rules and data security Applies when a Financial institutions are required (GLBA) Privacy and Data guidelines issued under GLBA apply financial institution to provide consumers with Security Provisions17 to “financial institutions,” which handles information certain notices regarding the include depository institutions as well of a “consumer” or privacy of nonpublic personal Establishes rules regard- as nonbanks engaged in financial “customer.” information and allow them to ing consumer privacy and activities. opt out of certain types of infor- customer data security. mation sharing. The GLBA data security provisions give guidance on the appropriate safeguarding of customer information.

Federal Deposit Insur- Applies to “deposits” and “accounts” If the funds underly- Deposit insurance or share ance18 or NCUA Share as defined in laws and regulations of ing a mobile payment insurance does not guarantee Insurance19 the FDIC and National Credit Union are deposited in an that a consumer’s funds will Administration. These include savings account covered by be protected in the event of a Protects funds of deposi- accounts and checking accounts at deposit insurance or bankruptcy or insolvency of a tors in insured deposi- banks and share accounts and share share insurance, the nonbank entity in the mobile tory institutions and of draft accounts at credit unions. owner of the funds payment chain. members of insured credit will receive deposit or unions in the event of fail- share insurance cover- ure of the institution. age for those funds up to the applicable limit.

Note: This table is not exhaustive, and other laws, regulations, and policies may apply.

15 15 USC § 45(a); 12 USC § 5536(a)(1)(B). 16 12 USC § 1818. 17 15 USC § 6801 et seq.; 12 CFR 332 (FDIC privacy rule); 12 CFR 364 App. B (Interagency Guidelines Establishing Information Security Standards, as published in FDIC’s rules). 18 See 12 CFR 330. 19 See 12 CFR 745.

9 Supervisory Insights Winter 2012 Mobile Payments continued from pg. 9

(e.g. including federal bank regula- the existing payments infrastructure. tors, the Federal Communications Non-bank mobile payments providers Commission, and the Federal Trade are devising ways to streamline the Commission).20 current payments system and reduce transaction costs by limiting the role banks play in mobile payments or Looking Forward eliminating them from segments of the payments process altogether. In the payments business, banks have traditionally served a variety of In economic terms, the elimina- intermediary roles between merchants tion of an intermediary in a transac- and consumers to facilitate non-cash tion between two parties is known payments. Banks issue payment cards as “disintermediation.” Banks could for customers, process payments for increasingly find themselves displaced merchants, manage credit/settlement by non-banks in the mobile payments risk for pending transactions, and marketplace. This evolution could provide a key link to the payments result in the gradual disintermediation networks. In the near term, the major- of banks as the primary provider of ity of mobile payments in the U.S. mobile payments. This disintermedia- marketplace will be funded by the tion could take several forms. One customer’s bank account, and financial possible scenario may be a consolida- institutions will continue to play a key tion of the intermediary roles served role in facilitating mobile payments. by banks in the payments process. However, as mobile payments evolve, Nowhere is this more evident than in non-bank mobile payments providers the payment card acquiring business may start to capture greater market where it is not unusual to have five or share from financial institutions and more banks involved in a single card alter bank/customer relationships. payment.21 In an alternative payments Financial institutions should not model such as PayPal, the non-bank assume their place in the new mobile mobile payments provider assumes at payments marketplace is assured least three of these bank roles (that because they are an integral part of of issuing, acquiring, and sponsoring

20 The FDIC, Office of the Comptroller of the Currency, Federal Reserve Board, and National Credit Union Adminis- tration supervise depository institutions and examine them for compliance with applicable laws and regulations. The Consumer Financial Protection Bureau (CFPB) has consumer protection, examination and enforcement jurisdiction over certain nonbank institutions that offer consumer financial products and services and over depository institutions with more than $10 billion in consolidated assets. The CFPB has sole rulemaking authority for most financial consumer protection laws, including the EFTA and TILA and, as such, is instrumental in the regulation of mobile payments, whether through direct supervision or rulemaking authority. The Federal Communications Commission (FCC) has jurisdiction over wireless carriers and is responsible for the Truth-in-Billing rule. Mobile payments products that include wireless bill charges as a payment method may be subject to the FCC’s authority. The Federal Trade Commission (FTC) has authority to investigate and take enforcement actions under the FTC Act against almost any entity engaged in commerce, with the exception of entities carved out from FTC jurisdiction, for example, depository institutions and common carriers such as wireless providers. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, is the administrator of the Bank Secrecy Act. 21 In the U.S. marketplace, there are at least five distinct roles served by banks involved in processing a single credit/debit card transaction: (1) an issuing bank that holds the customer relationship and authorizes payment; (2) an acquiring bank responsible for providing access to the payment networks; (3) a merchant business bank that holds the funds collected on payments; (4) a settlement bank that moves money among the issuing/acquiring banks; and in some cases (5) a payment card sponsoring bank used to manage bank payment card programs.

10 Supervisory Insights Winter 2012 banks), thereby removing those banks The fundamentals of payments risk from the payments process and reduc- management should remain constant ing their business opportunities. and, as emphasized in this article, banks offering mobile payments need Another potential result of bank to ensure compliance with exist- disintermediation is a loss of access to ing laws and regulations. This is key customer data. This can occur as particularly important when banks customers provide account credentials are working with non-bank third-party to an alternative payments provider to providers that may not be knowledge- fund an account that will be used to able about the regulatory environment pay for all, or a portion of, a transac- in which financial institutions oper- tion. In this scenario, the alternative ate. As a result, banks’ oversight of payments provider and the merchant third-party relationships will become control the actual exchange of increasingly important as mobile payment transaction data. Banks may payments evolve. never see the total value of the transaction or even know the true identity Robert C. Drozdowski of the entity receiving the payment. Senior Technology Specialist Thus, detailed transaction data used to Division of Risk Management identify potential anomalous transac- Supervision tions or provide customized content [email protected] and product offers may no longer be available to the banks in some alterna- Matthew W. Homer tive mobile payments models. It is the Policy Analyst value of this direct connection to the Division of Depositor and customer and transaction information Consumer Protection that is driving these new products and [email protected] partnerships, as banks consider the implications of ceding this important Elizabeth A. Khalil nexus to non-bank mobile payments Senior Policy Analyst providers. Division of Depositor and Consumer Protection [email protected] Conclusion Jeffrey M. Kopchik Mobile payments are poised to Senior Policy Analyst become an important part of the Division of Risk Management payments landscape. However, it is Supervision unclear when they will achieve popu- [email protected] lar acceptance and what forms they will take. The majority of industry observers predict a three-to-five year timeframe, and that a limited number of mobile payments models will exist in the marketplace. Both predictions appear well-founded.

11 Supervisory Insights Winter 2012