Financial Services

THE REGULATION OF TRADITIONAL AND ALTERNATIVE ELECTRONIC PAYMENTS: THE CASE FOR A LEVEL PLAYING FIELD

AUTHORS: Tony Hayes, Ross Frisbie

First published December 2011

Note: While this paper assesses a number of laws and regulations, it is not intended to constitute legal advice (even to lawyers, a number of regulations and provisions are subject to interpretation). As such, this paper reflects our perspectives and represents a diligent effort to draw attention to issues that are likely to increase in importance over time.

CONTENTS

1. EXECUTIVE SUMMARY
2. WHY THE REGULATORY TREATMENT OF PAYMENTS MATTERS NOW
3. OVERVIEW OF ALTERNATIVE ELECTRONIC PAYMENTS
3.1. DEFINITIONS
3.2. MARKET SIZE
3.3. TAXONOMY
4. NOTABLE CHANGES TO PAYMENTS LAW AND REGULATION, 2008-2011
4.1. OVERDRAFT CHANGES (REG E)
4.2. THE ACT
4.3. CHECK CLEARING ORDER
4.4. DODD-FRANK AND THE DURBIN AMENDMENT
5. OVERVIEW OF PAYMENTS AND PAYMENTS PROVIDER REGULATION
5.1. TIMELINE OF AND PAYMENTS PROVIDER REGULATION
5.2. REGULATIONS THAT PROTECT CONSUMERS
5.3. OTHER REGULATIONS GOVERNING PAYMENTS
5.4. REGULATION OF DEPOSITORIES
6. DETAILED DISCUSSION: CONSUMER PROTECTIONS
6.1. BANKRUPTCY PRIORITY AND DEPOSIT INSURANCE
6.2. THE CONSUMER FINANCIAL PROTECTION BUREAU
6.3. ELECTRONIC FUND TRANSFER ACT/REG E
6.4. EQUAL CREDIT OPPORTUNITY ACT/REG B
6.5. FAIR CREDIT REPORTING ACT/REG V
6.6. FINANCIAL PRIVACY (GLB/REG P)
6.7. FUNDS AVAILABILITY/REG CC
6.8. STATE LAWS AND FEDERAL PREEMPTION
6.9. AND /REG Z
6.10. /REG DD
6.11. UNCLAIMED PROPERTY/ESCHEATMENT
6.12. UNFAIR OR DECEPTIVE ACTS OR PRACTICES/REG AA
6.13. UNIFORM COMMERCIAL CODE CHECK PROVISIONS
7. DETAILED DISCUSSION: OTHER REGULATIONS GOVERNING PAYMENTS
7.1. DURBIN AMENDMENT/REG II
7.2. PAYMENT CARD IRS REPORTING (HERA §3091)
7.3. AML/KYC
7.4. TYING ARRANGEMENTS/REG Y
7.5. PAYMENT SYSTEM INTEGRITY
7.6. FINANCIAL MARKET UTILITIES/REG HH
8. DETAILED DISCUSSION: REGULATION OF DEPOSITORIES
8.1. PRUDENTIAL SUPERVISION OF DEPOSITORIES
8.2. SYSTEMIC REGULATION (SIFIS AND G-SIFIS)
8.3. COMMUNITY REINVESTMENT ACT/REG BB
8.4. OTHER LAWS
9. GLOSSARY OF ALTERNATIVE PAYMENTS PROVIDERS
10. GLOSSARY OF ACRONYMS AND REGULATIONS
ABOUT OLIVER WYMAN

1. EXECUTIVE SUMMARY

The US payments industry has undergone a number of significant changes in recent years. No component of the ecosystem has stood still – new competitors, new technologies, significant growth, shifting customer behaviors, and changing economics have all contributed to today’s dynamic landscape. Practically every week brings announcements of new product offerings, alliances between established and startup companies, or new projections for the growth of emerging technologies.

Yet one aspect of the payments ecosystem – the regulatory landscape – has remained relatively static.

This paper provides a thorough and necessary examination of the gaps, differences, and ambiguities in the regulation of electronic payments. Because of the lens through which we view payments, some highly visible innovations that will likely prove significant – such as embedding payment card information in a mobile phone – have relatively few consequences here. Conversely, certain distinctions that may appear to be arbitrary or are invisible or irrelevant to consumers can be of considerable regulatory importance.

The paper begins with an overview of alternative electronic payments, including the key participants and various measures of the size of these markets. Alternative electronic payments account for a relatively small share of the overall payment market today, but they are growing much more quickly than traditional payment types. PayPal has already grown to where it would be a top-10 card issuer.

The paper then develops a regulatory-based taxonomy for more than 50 alternative payments providers. Many of them simply facilitate payments over the existing credit, debit, and ACH payment systems, by making transactions easier, faster, or less expensive for merchants and/or consumers. While these companies use sophisticated technology and will impact the payments industry in many ways, from a regulatory perspective their involvement does not change the nature of the underlying payment. Consumers enjoy all the protections that they would if the alternative company was not involved.

A number of companies, though, have developed new business models that do not neatly fit into today’s regulatory structure. These companies fall into four categories:

• New Plastic: Until recently, “paying with plastic” generally meant using a credit card or a debit card linked to one’s checking account. Today, there are a half-dozen other types of cards that consumers can use: open-loop prepaid cards, closed-loop merchant gift cards, open-loop gift cards, decoupled debit cards, employer-arranged payroll cards, and electronic benefit cards. While these cards have some characteristics of debit cards – a consumer uses a piece of plastic to pay for a purchase using stored funds – key regulatory differences exist

• Non-Plastic Asset Accounts: Other companies (with PayPal the largest by far) have developed products where consumers can load funds (often via a traditional electronic payment) into an account held by the alternative company and then use those funds to make P2P transactions or purchases with a merchant. These tend to be used primarily online

• Mobile Carrier Billers: These companies allow consumers to charge purchases directly to their mobile phone statements, rather than use their mobile phones as the means to make traditional electronic payments. They do not house customer funds

• Virtual Currencies: These providers allow consumers to exchange money for points or credits, usually to purchase non-physical goods or services. Consumers can fund an account with either a traditional or alternative electronic payment. This category is the “most alternative” of the lot. This category raises conceptual questions about where the boundary of financial regulation resides or ought to reside, and ambiguities extend to matters well beyond FS regulation.

Copyright © 2011 Oliver Wyman

The bulk of the paper then examines each law and regulation applicable to traditional payments. For each law, there is a discussion of the law, whether and how it applies to alternative electronic payments, any key gaps or ambiguities in coverage, and the implications of those gaps or ambiguities.

Our analysis indicates that traditional and alternative electronic payments, as well as their providers, receive different treatment under a variety of laws and regulations. We believe the US payment system would benefit from a realignment of the laws and regulations that govern payments activities.

These laws and regulations fall into three categories:

• Regulations that protect consumers: A collection of no fewer than 13 laws, enacted separately over the course of decades to address specific issues, protects consumers today. As a result, the extent of consumer protection across traditional payments and alternative payment companies is uneven. The creation of the Consumer Financial Protection Bureau should address enforcement gaps, but it cannot address statutory coverage gaps, and it may be unable to supervise non-depositories until it has a permanent director. Three large discrepancies exist between consumer protections offered for traditional versus alternative payment mechanisms: dispute resolution procedures, deposit insurance, and abandoned property.

• Other regulations governing payments: Another six laws directly regulate payment activities. In each case, traditional payments providers are disadvantaged relative to alternative providers. Key gaps exist around money laundering, payment card IRS reporting, product tying restrictions, and overall maintenance of payment system integrity.

• Regulation of depositories: Depository institutions are subject to a comprehensive regulatory regime whose burden is not shared by other companies, including companies engaged in alternative electronic payments. Some of the pertinent regulations include: prudential regulation (e.g., examinations, capital requirements, regulatory reporting, enforcement proceedings, etc.); systemic regulation (SIFIs and G-SIFIs); and other laws such as the Community Reinvestment Act/Reg BB, Affiliate transactions/Reg W, Management interlocks/Reg L, and Insider loans/Reg O. This regime creates a disparity whereby the economics and other aspects of otherwise identical payments systems can vary significantly on the basis of who operates them.

A modernized and consistent regulatory framework would enhance consumer protection, maintain the safety and soundness of the US payment system, and help promote a level competitive playing field across all forms and methods of payment. This level playing field is necessary because:

• Consumers expect and deserve parity in the protection they receive, regardless of their chosen payment method or provider

• Money-laundering and know-your-customer laws apply differently to traditional and alternative electronic payments. Gaps in coverage may give rise to national-security concerns.

The marketplace for payments has evolved more quickly than the regulatory framework governing its use. Now is the right time to review these laws, with an eye towards ensuring that consumers are protected, outdated and anticompetitive laws are identified and addressed, competitors share a common compliance burden, and payments remain among the most innovative areas in financial services.

We hope that this paper will provide the necessary fact base for policymakers and the industry alike to advance the dialogue on these important payments issues.


2. WHY THE REGULATORY TREATMENT OF PAYMENTS MATTERS NOW

Understanding the regulatory landscape has assumed a new urgency in recent years due to a confluence of factors:

• Alternative electronic payments, while still a modest share of the overall market, are rapidly gaining share, as they are growing faster than traditional electronic payments, such as credit cards, debit cards, and the ACH

• Some alternative providers have deep pockets, and occasionally more resources than the incumbent, highly regulated providers. Google’s market capitalization is now higher than any US bank [1]; the same is true of several other technology companies, such as Microsoft and Apple, which have yet to unveil financial services offerings. Meanwhile, startups also have the wherewithal to compete meaningfully. Square, which has grown quickly by enrolling merchants, many of whom might not have previously accepted credit cards, has a valuation exceeding $1 BN. [2]

• Innovations in business models have created new ambiguities and gaps. Many laws were written decades ago, before certain business models or the participation of non-banks were contemplated

• Increasingly stringent regulation of depositories can lead to the same payments activity receiving different scrutiny or generating different economics, depending on whether a bank or a technology startup provides the payments service

• In recent years, some shortcomings in the regulatory regime have manifested themselves – bankruptcies rendering gift cards worthless, data breaches at companies not overseen by field examiners, lawsuits over product fine print – in ways that render these regulatory issues real, rather than merely academic concerns

• For some products, no differences in consumer protection may exist today due to companies voluntarily offering them. Nonetheless, not all companies offer such protections, and there is no guarantee that those offering them will continue to do so. Already, there have been lawsuits about certain practices of alternative payments providers.

The creation of the Consumer Financial Protection Bureau places a number of laws previously enforced by multiple agencies under one roof. And with a “neighborhood cop on the beat,” as it refers to itself, [3] a new opportunity exists to review some aspects of payments regulation.

[1] As of December 7, 2011, the market capitalization of Google was $202 BN, higher than each of the “Big Four” banks – Wells Fargo ($143 BN), JP Morgan ($129 BN), Citigroup ($87 BN), and Bank of America ($63 BN)
[2] “Rival of PayPal Lures Big Money,” Wall Street Journal, June 29, 2011
[3] Per www.consumerfinance.gov/the-bureau


3. OVERVIEW OF ALTERNATIVE ELECTRONIC PAYMENTS

3.1. DEFINITIONS

We consider traditional payments to consist of cash and checks, which are discussed only briefly, as well as “traditional electronic payments” such as credit cards, debit cards linked to a bank account, and Automated Clearing House (ACH) transactions. These have existed for some years, and the associated regulatory landscape, both for payments themselves and the institutions offering them, is well established. While not all laws cover all traditional electronic payments, and new laws and regulations are regularly enacted, at any given time industry participants generally have a clear understanding of the landscape.

Table 1: TRADITIONAL AND ALTERNATIVE ELECTRONIC PAYMENTS

| TRADITIONAL PAYMENTS | ALTERNATIVE ELECTRONIC PAYMENTS |
|---|---|
| Cash | All other electronic payment methods (We divide these alternatives into five categories, as described in the taxonomy in Section 3.3) |
| Checks | |
| Credit cards | |
| Debit cards linked to a checking account | |
| ACH | |

“Alternative electronic payments” consist of everything else. They have no simple definition, as more than 50 companies operate in various ways across the payments value chain (Section 9 has a list). Many are simply front ends to established payment mechanisms, for which existing regulations continue to apply irrespective of marketing innovations.

Section 3.3 develops a taxonomy that places alternative electronic payments into five categories as seen through a regulatory lens, which is different from how a marketer or technologist would see them. For instance, “mobile payments” may represent a single category to marketers, but from a regulatory perspective, mobile payments transactions fall into several distinct categories, depending on the precise source of funds, payment network used, and whether the transaction is directly charged to the customer’s mobile phone bill. Similarly, how a prepaid debit card or a merchant gift card program chooses to domicile customer funds is not relevant to some parties, but it has important regulatory consequences.

3.2. MARKET SIZE

However one slices and dices the market – and there is no shortage of available statistics – alternative electronic payments have arrived. As the charts and projections below highlight, they are material, increasingly varied, and fast growing.

Payment volumes

First, while traditional electronic payments represent the majority of all electronic payments, alternatives are both an increasingly material part of overall payments and faster growing than traditional payments. Over the last 10 years, E-commerce has steadily gained share (as shown in Exhibit 1 below), displacing many brick-and-mortar retailers (with Borders’ physical bookstores as one of the most recent casualties). Brick-and-mortar merchants accept traditional payments but relatively few alternative payment methods. The reverse is true online, where cash, checks and ACH transactions are difficult to accept, while credit, debit, and a range of alternative payment methods are widely utilized.

Exhibit 1: US E-COMMERCE SALES, % OF TOTAL RETAIL SALES, 1999Q4-2011Q3

[Chart not reproduced. Vertical axis: 0% to 5%; horizontal axis: quarters from 99Q4 to 10Q4.]

Source: Department of Commerce Quarterly E-Commerce report

Second, E-commerce tends to use a greater variety of payment options than offline commerce. The following graphics are taken from the checkout pages of various E-commerce websites. While options such as PayPal, Bill Me Later, and Google Checkout tend to be unavailable in the “real world,” they have substantial penetration among E-commerce merchants.

[Checkout-page graphics not reproduced. The payment options shown include: Debit Card; Credit Card; PayPal; Bill Me Later; Credit/Debit Card; pay by money order/check (print and fax or mail order); “Fast checkout through Google”; and a payment-type selector listing Visa, Mastercard, Discover, American Express, PayPal, and Bill Me Later.]

The most established alternative payment method is PayPal. As shown in Exhibit 2, PayPal payment volume is growing much faster than the card networks, albeit from a lower base.

Exhibit 2: PAYPAL VS. PAYMENT CARD VOLUMES, GLOBAL VOLUMES, 2003=100

[Chart not reproduced. Vertical axis: indexed volume, 0 to 800; horizontal axis: 2003 to 2010. Series: PayPal, Visa, MC, Amex, Discover, Diners Club.]

Source: Nilson Report, eBay SEC filings and presentations Note: Network volumes include credit and debit card volume

Third, no discussion of alternative payments would be complete without referencing Facebook. While its user base is now reported to be leveling off, from December 2004 to September 2011 it grew at an 8.5% compound monthly growth rate. Just as we have E-commerce and M-commerce, we are now at the beginning stage of F-commerce. [4]

Facebook Credits began as a payment method for online games. They can now be purchased in the real world, with more than a dozen merchants selling Facebook Credits gift certificates. [5]

Media companies have begun to use Facebook to distribute their content. The BBC and Warner Brothers have pages where Facebook users can watch certain movies or TV shows and pay using Facebook Credits. [6]

A further 90 merchants, which do not support commerce with Facebook Credits just yet, now enable Facebook users to earn Facebook Credits by performing such actions as filling out a survey, placing a (real-world) order for goods, receiving an insurance quote, or being approved for a credit card. [7]

As a result, Facebook Credits now represents a material amount of Facebook’s revenue. According to one industry estimate, [8] Facebook Credits accounted for 5% of Facebook’s 2009 revenue, will account for 11% in 2011, and its share is expected to continue to grow. In absolute terms, this amounts to $39 MM in 2009 and $470 MM in 2011.

Exhibit 3: FACEBOOK USERS (MM), DEC. 2004 – SEP. 2011

[Chart not reproduced. Vertical axis: users in millions, 0 to 800; horizontal axis: December 2004 to June 2011.]

Source: Facebook Note: Geometric interpolation used between disclosed data points

[4] “Attention Facebook Shoppers: Get Ready For F-Commerce,” Forbes, June 27, 2011
[5] Facebook states that 12 merchants sell Facebook Credits gift certificates in the US (www.facebook.com/help/?faq=132765076799349) and has a store locator at www.facebook.com/FacebookCredits?v=app_154977384515365. A November 2011 search across US zip codes identified 13 merchants selling Facebook Credits gift certificates
[6] The Warner Brothers Facebook page (apps.facebook.com/wbplayer/?ref=ts) allows Facebook users to watch selected Warner Brothers movies. The BBC has a Facebook page (www.facebook.com/DoctorWho) that allows Facebook users to watch various episodes of Doctor Who. Both allow unlimited viewing for 48 hours after purchase
[7] List available at www.facebook.com/credits (last accessed November 14, 2011)
[8] “Facebook ‘Credits’ Revenue Now Growing Faster Than Its Ads,” Ad Age, September 20, 2011

A number of projections exist regarding the rise of alternative payments. While some estimates diverge, they all point to a rapid upward trajectory.

Table 2: MARKET SIZES FOR VARIOUS ASPECTS OF ALTERNATIVE PAYMENTS

| CATEGORY | MARKET SIZE |
|---|---|
| E-Commerce volume, US | $167 BN in 2010 [9]; $176 BN in 2010, rising to $279 BN in 2015 (10% CAGR) [10] |
| PayPal transaction volume | $92 BN overall in 2010 [11]; $3.4 BN of digital goods purchased in 2010 [12]; $3 BN of mobile payments volume in 2011 [13]; As a credit card company, PayPal’s volume as of 2010 would make it a top-ten US issuer [14] |
| Prepaid debit and payroll cards | $24 BN in value loaded in 2009, rising to $105 BN in 2014 (34% CAGR) [15] |
| Open-loop prepaid cards | $148 BN in value loaded in 2010, rising to $354 BN in 2014 (24% CAGR) [16] |
| Mobile commerce, US | $6 BN in 2011, rising to $31 BN in 2016 (39% CAGR) [17] |
| Mobile commerce, worldwide | $49 BN in 2010, rising to $86 BN in 2011 (65% growth) [18] |
| Mobile banking payment volume, US | $16 BN in 2010, rising to $214 BN in 2015 (68% CAGR) [19] |
| Mobile banking payment volume, worldwide | $240 BN in 2001, rising to $670 BN in 2015 [20]; $241 BN in 2011, rising to $1 TN in 2015 [21] |
| Mobile banking payment volume using near-field communication technology, worldwide | $50 BN in 2014 [22] |
| P2P payment volumes | 11 billion payments worth $865 BN in 2010 [23] |
| Mobile banking usage, US | 17% of adults, or 19% of mobile customers [24] |
| Penetration of bill-to-carrier services, US | Zong has partnerships with 250 mobile carriers accounting for 80% of the market [25] |
| Facebook Credits awareness/interest | Over 3.2 million Facebook members “like” the Facebook Credits page [26] |
| Commerce in physical goods on Facebook | Estimates range from $100 MM to $1.2 BN [27] |
| Purchases of virtual goods, US | $1.1 BN in 2010, rising to $2.5 BN in 2013 (31% CAGR); 12% of Americans purchased a virtual good in 2009 [28] |

[9] Department of Commerce; statistics available at www.census.gov/retail/#ecommerce
[10] “US Online Retail Forecast, 2010 To 2015,” Forrester Research, February 28, 2011
[11] Per www.paypal-media.com/about
[12] Estimate per Aite as reported in “EBay Buying Mobile Pay Provider Zong to Push PayPal Beyond the Web,” American Banker, July 8, 2011
[13] “Mobile Payments Grows Worldwide, But Business Issues Remain,” American Banker, July 11, 2011
[14] PayPal’s global volume is roughly equal to the sixth largest US card issuer, Discover. Discover had $92 BN in purchase volume in 2010 (Nilson Report, Issue 966, February 2011, p.8), while PayPal had “nearly $92 BN” in 2010 payment volume (per www.paypal-media.com/about). PayPal’s US volume of $54 BN in 2010 places it in between #7 U.S. Bancorp ($74 BN) and #8 Wells Fargo ($49 BN)
[15] Estimate per Aite as reported in “Prepaid Cardholders Content, But Long-Term Users Prove Elusive,” American Banker, July 6, 2011
[16] “Eighth Annual Prepaid Card Forecast”, Mercator Advisory Group, November 2011
[17] “Mobile Commerce Forecast: 2011 To 2016,” Forrester Research, June 17, 2011
[18] Estimate per Gartner as reported in “Mobile Payment Market to Grow 38% in 2011: Gartner,” American Banker, July 22, 2011
[19] Estimate per Aite as reported in “EBay Buying Mobile Pay Provider Zong to Push PayPal Beyond the Web,” American Banker, July 8, 2011
[20] Estimate per Juniper as reported in “Mobile Payments Grows Worldwide, But Business Issues Remain,” American Banker, July 11, 2011
[21] Ibid. Estimate per Yankee Group
[22] Estimate per Juniper as reported in “Does the Bridge to NFC Still Need to be Built?” American Banker, June 23, 2011
[23] Estimate per Aite as reported in “Fiserv’s CashEdge Acquisition Powers Up Its P-to-P,” American Banker, July 1, 2011
[24] Estimate per Luth Research as reported in “Banks speed adoption of mobile banking apps,” Dayton Business Journal, July 10, 2011
[25] Per the CEO of Zong as reported in “EBay Buying Mobile Pay Provider Zong to Push PayPal Beyond the Web,” American Banker, July 8, 2011
[26] Per the Facebook Credits page. Available at www.facebook.com/credits#!/FacebookCredits (last accessed November 14, 2011)
[27] Per Digital Trends “Consumer Spending on Facebook To Reach $1.2 BN,” April 12, 2011. Available at www.onlinemarketing-trends.com/2011/04/consumer-spending-on-facebook-to-reach.html
[28] Survey and estimate per Gridley and Company report “The Virtual Goods Ecosystem,” December 2010

Companies

Digital Transactions has published a “field guide” to alternative payments companies for several years. The number of companies “spotted” has grown from 21 in 2009 to 35 in 2011. A guide published just a few years earlier would likely have only had a few names.

Our examination includes these 35 companies, as well as many others that operate in the marketplace. We also include some companies that belong to a category (e.g., closed-loop merchant gift cards, virtual currencies) whose members are sufficiently numerous that they cannot and need not be listed in their entirety.

We only include companies that are customer facing and require the customer to establish some sort of account or relationship with them. Thus, we do not list various hardware and software companies that, while critical to the alternative transactions ecosystem, generally do not factor into the regulatory landscape. We also focus primarily on companies that serve the US market.

Even this list is hardly exhaustive, given the rapid growth and rapid changes in the sector. In the several months since the 2011 field guide was published, several companies on the list have already been sold, exited the market, or changed their business model (see Table 4).

3.3. TAXONOMY

In the course of reviewing more than 50 companies and categories of companies involved in alternative electronic payments, we have identified five broad categories from a regulatory perspective: Traditional Payment Facilitators, New Plastic, Non-Plastic Asset Accounts, Mobile Carrier Billers, and Virtual Currencies. The glossary in Section 9 lists all of these companies.

Each category is relatively homogenous, with its members generally having common traits regarding regulatory coverage and gaps, and key issues and questions. On occasion, different companies within a category have slightly different issues (such as the application of Regulation E to different New Plastic companies, or the availability of deposit insurance for accounts at New Plastic and Non-Plastic Asset Account companies), but there are many more similarities than differences within each category.

Table 3: TAXONOMY OF ALTERNATIVE ELECTRONIC PAYMENTS

CATEGORY AND KEY FEATURES

Traditional Payment Facilitators
• The actual transaction is a credit, debit, or ACH transaction (or other types of payments in a few cases)
• The Facilitator provides a means (software, hardware, website, smart phone app) of conducting transactions that is faster, easier, less expensive, etc. for the merchant, customer, or both.

New Plastic
• Customers tend to use a physical piece of plastic to conduct the transaction
• Customers have funds stored in an account that cannot be accessed through typical bank transactions (e.g., no checks, no branches)
• This account may serve as a bank account substitute
• The funds may be loaded by a third party (e.g., employer direct deposit or EBT) or by the customer (e.g., GPR cards)
• The account may be reloadable, or not (e.g., merchant gift cards).

Non-Plastic Asset Accounts
• Customers fund accounts, usually by a traditional electronic payment (credit, debit, or ACH); the company then holds the funds, which can be subsequently used for merchant payments. Alternatively, these services can function as intermediaries, decoupling the consumer payment from the merchant payment (in which case the service is a Facilitator)
• Customers typically use the account for remote transactions (E-commerce, P2P) rather than in-person transactions; customers tend not to have a physical piece of plastic
• The company housing the funds may be a depository or a non-depository institution; deposit insurance coverage can vary.

Mobile Carrier Billers
• Companies allow customers to charge purchases directly to their mobile phone bills
• Companies do not hold customer funds.

Virtual Currencies
• Customers load funds, either with a traditional electronic payment or from a New Plastic or Non-Plastic Asset Account
• The funds are converted into a non-dollar-denominated account (points, credits)
• Customers typically use Virtual Currencies for virtual goods purchases, although it is expected that customers will soon be able to conduct a broader range of activities – “real” commerce, P2P transactions, etc.
• Legal ambiguities may surround these accounts in matters besides consumer financial protection.

Traditional Payment Facilitators

Members of this category, as the name suggests, mostly operate through the existing credit card, debit card, and ACH payments systems (with a handful handling checks, gift cards, or even cash). They facilitate transactions by creating innovative technological solutions that make transactions faster, easier, or less expensive for the merchant, or customer, or both, by:

• Enabling consumers to send payments to merchants who would not accept cards otherwise, because the setup costs would be high given their transaction volumes, or the interchange costs would be high relative to their operating margins

• Allowing consumers to shop online without disclosing their card account information, thereby enabling customers concerned about fraud and identity theft to conduct E-commerce transactions with confidence

• Enabling consumers to use payment cards when not physically carrying them

• Enabling consumers who have cash but not a credit or debit card to conduct E-commerce transactions.

Table 4 lists members of this category and the types of payments they facilitate.

Table 4: EXAMPLES OF TRADITIONAL PAYMENT FACILITATORS

| PAYMENT METHOD | COMPANIES |
|---|---|
| Cash | Ukash, ZipZap |
| Credit card | AprivaPay, Billing Revolution, ChargeSmart |
| Credit card, via PayPal | Bling Nation [29] |
| Debit/EFT | Acculynk’s Paysecure, CashEdge’s Popmoney [30] |
| ACH | clearXchange, eLayaway, Mazooma, Noca, Rialto Commerce, NACHA’s Secure Vault Payments, Fiserv’s ZashPay |
| Check, check-to-ACH | Global Standard Financial |
| Gift/loyalty cards | Mocapay |
| Traditional lending | Bill Me Later (via partner banks) |
| Multiple methods | Card.io: Credit, debit; Google Checkout [31]: Credit, debit; Google Wallet: Credit, prepaid; eBillme: ACH, cash (via partner institutions); Heartland Payment Systems’ Mobuyle: Credit, debit, gift; Intuit GoPayment: Credit, signature debit; Isis: Credit, debit; MobilePay USA: Credit, debit, loyalty; mPayy: ACH, stored value; Verifone’s PAYware Mobile: Credit, signature debit, PayPal; Square: Credit, debit; ProPay’s Zumogo: Credit, debit |

From a regulatory perspective, the fact that a Facilitator is involved in a transaction in some fashion is generally not relevant. Customers still enjoy the same protections they would without the Facilitator, and the company conducting the transaction is still subject to the same regulations as would be the case without the Facilitator. Except where otherwise noted, discussions about alternative companies do not address Traditional Payment Facilitators. [31]

[29] Bling Nation suspended its service (per “Bling Nation’s Business Model Doesn’t Quite Stick,” American Banker, June 8, 2011). Its website stated for a while, cryptically, “Get ready for the next generation” (e.g., when accessed August 28, 2011). The website has since been deactivated (last accessed November 14, 2011)
[30] On June 29, 2011, CashEdge announced that it had agreed to be acquired by Fiserv for $465 MM (press release available at www.cashedge.com/news-events-press-releases-20110629.php). The deal closed on September 14 (press release available at www.cashedge.com/news-events-press-releases-20110914.php)
[31] Google Checkout will be absorbed into Google Wallet (“Google Folding Checkout Service to Fuel Mobile Wallet”, American Banker, November 18, 2011). The transition appears to have begun, per the document “Google Checkout Transitioning to Google Wallet”, available at www.google.com/support/wallet/bin/answer.py?answer=1691527

New Plastic

“Paying with plastic” once meant using a credit card or perhaps a debit card linked to one’s bank account. Today, consumer wallets contain many new types of plastic

•• Open-loop prepaid cards. Some of these are general-purpose reloadable (GPR) cards that consumers may use as a bank account substitute, such as those provided by Green Dot, netSpend, etc. Various special-purpose cards also exist, such as CardSmith in the campus card space, BillMyParents for monitoring children’s spending, and so forth. Such cards are often issued by a bank. The largest issuers of prepaid cards are a mix of the largest overall depositories (e.g., JP Morgan), and institutions issuing them on behalf of others (e.g., MetaBank, The Bancorp Bank, Columbus Bank and Trust, GE Money)
•• Closed-loop merchant gift cards. Many merchants have replaced paper-based gift certificates with a physical piece of plastic that has a magnetic stripe. These are generally non-reloadable and anonymous. Merchants have no general obligation to segregate customer funds and place them with a depository institution, so customers face a risk of loss should the merchant become bankrupt
•• Open-loop gift cards that operate on a card network
•• Decoupled debit cards, e.g., Tempo Payments32
•• Employer-arranged payroll cards that serve as a checking account substitute, e.g., U.S. Bancorp’s AccelaPay
•• Electronic benefit transfer (EBT) cards for federal and state government programs. Based upon a recent survey, 90 federal, state and local programs in 36 states had approximately 20 MM prepaid cards outstanding, generating more than one billion annual transactions worth $35 BN.33

While these may resemble debit cards to a consumer – the consumer typically has a physical piece of plastic to pay for something, using funds stored in an account somewhere – differences exist between their regulatory treatment and traditional payments. These differences, though, are less than in other categories, and GPR cards are increasingly viewed by many as a traditional banking product. Indeed, some GPR card issuers are themselves banks, and others such as Green Dot are becoming banks.34 Unlike other alternative companies, such institutions are therefore subject to the depository regulations discussed in Section 8, and they may also be subject to greater regulation than other alternative companies in other areas.

32 Tempo Payments was reported to be planning to shut down, as a consequence of the Federal Reserve’s final rules to implement the Durbin Amendment. “Blaming the Fed’s Durbin Rule, Tempo Payments Prepares to Shut Down,” Digital Transactions, July 11, 2011. As of November 14, 2011, its website simply says “Email: [email protected]”
33 Federal Reserve report “Government Administered General-Use Prepaid Cards,” July 2011. Available at www.federalreserve.gov/publications/other-reports/files/government-prepaid-report-201107.pdf
34 In February 2010, Green Dot announced its intention to acquire Bonneville Bancorp and thereby become a bank holding company, which required Green Dot to submit an application to the Federal Reserve. In November 2011, the Federal Reserve approved its application

Non-Plastic Asset Accounts

This category consists of services that facilitate P2P transactions and, unlike Traditional Payment Facilitators, require or permit a consumer to load funds into an account held by the alternative provider. Transactions are done mostly (but not entirely) online, whereas New Plastic transactions, like debit cards, tend to involve mostly in-person transactions. Examples include

•• Amazon Payments
•• FaceCash
•• Obopay
•• eBay’s PayPal
•• Western Union.

This category has similarities to New Plastic, as both involve (or can involve) customer funds held at a non-depository. While these categories are not identical from a regulatory perspective, they share a number of regulatory similarities and differences relative to traditional electronic payments.

It should also be noted that customers engage in two different types of transactions with Non-Plastic Asset Accounts. Before making a transaction, a customer must first fund the account. This step is itself generally a traditional electronic transaction involving a credit card, debit card, or ACH transaction, for which the consumer protections of a traditional payment apply.

It is the second transaction step (transferring these funds to a merchant or to another person) as well as the housing of customer funds at a non-depository institution that make Non-Plastic Asset Accounts alternative.

Lastly, while most of these services are operated by non-depositories (including PayPal, which is by far the largest), a few are operated by depositories. Examples include

•• American Express’s Serve
•• Dwolla
•• PerkStreet Financial.

For the purposes of this paper, we consider these products to constitute traditional payments, as these services are generally subject to the same regulatory regime, if the customer funds are held in deposit accounts.

Mobile Carrier Billers

These companies allow consumers to charge a purchase directly to their mobile phone statement, rather than use their mobile phone as the means to make what is an otherwise traditional electronic payment. Examples include

•• BilltoMobile
•• BOKU
•• Mobile Giving Foundation
•• OpenMarket
•• Payfone
•• Zong.35

Mobile Carrier Billers do not house customer funds, so certain consumer protections (e.g., bankruptcy priority and deposit insurance, escheatment, funds availability, etc.) are not relevant.

Virtual Currencies

These providers allow consumers to exchange money for points or credits, usually to purchase non-physical goods or services. These points and credits generally cannot be withdrawn or converted back into dollars. Consumers can fund an account with either a traditional or alternative electronic payment. Examples include

•• Facebook Credits
•• Microsoft Points
•• Skype Credit36
•• Currencies issued by games companies (Nintendo, Second Life, Zynga, etc.).

This category is perhaps the “most alternative” of the bunch. Many consumer-protection laws as written do not apply to, or are ambiguous with respect to, Virtual Currencies, as these may not be considered financial accounts. This category raises conceptual questions about where the boundary of financial regulation resides or ought to reside. This paper, for instance, does not address frequent-flier miles, which could be viewed as being in the same conceptual neighborhood as Virtual Currencies. The ambiguities surrounding Virtual Currencies extend well beyond consumer financial protection, touching upon such issues as property law, contract law, gambling, taxation, and the like.

35 On July 7, 2011, eBay announced it would acquire Zong for $240 MM (press release available at www.paypal-media.com/#ebay-inc-to-acquire-zong). The deal closed on August 11 (press release available at www.paypal-media.com/news#ebay-inc-completes-acquisition-of-zong)
36 Unlike the other Virtual Currencies, Skype Credit is denominated in “dollars” (or in another currency of a customer’s choosing). This does not appear to lead to a different treatment from the other Virtual Currencies. Given the ambiguities in their regulation, however, such differences cannot be ruled out


4. NOTABLE CHANGES TO PAYMENTS LAW AND REGULATION, 2008-2011

In the last few years, there have been four notable changes to the regulation of retail payments: overdraft changes, the Credit CARD Act, check clearing order, and the Dodd-Frank Act and accompanying Durbin Amendment. While each change was designed to enhance consumer protections and disclosure, each has cost the financial services industry several billion dollars.

4.1. OVERDRAFT CHANGES (REG E)

Until the early 1990s, the economics of low-balance checking accounts was straightforward, if not necessarily attractive. Customers tended to pay a monthly maintenance fee as well as fees for certain types of transactions, such as writing checks. Certain segments (e.g., students, seniors) paid lower or possibly no fees. Overdraft (OD) fees37 for overdrawing an account existed, but their primary intent was to deter the overdraft, rather than provide meaningful revenue. Higher-balance customers were largely exempt, as the spread earned on their balances covered their operating costs.

In the 1980s and 1990s, various banks experimented with different demand deposit account (DDA) value propositions to find a solution that worked for both providers and customers.

•• In 1986, Twin City Financial (TCF), a Minnesota thrift, pioneered the concept of free checking.38 It was a small institution, and its loan book had enough high-yielding loans to make the economics of free checking work for it. In just a few years, TCF had as many checking accounts as the state’s largest bank, many times its size. Despite this success, free checking did not immediately catch on elsewhere
•• In 1995, First Chicago introduced a $3 fee for conducting a transaction with a teller that could have been handled by telephone or through an automated teller machine (ATM). This was waived on accounts with over $2,500 and relationships over $15,000. This was seen as the first time a major bank explicitly charged account holders for dealing with a teller.39 While other banks introduced similar fees, many later dropped this approach.

A 1991 law, the Truth in Savings Act,40 required banks to provide various disclosures to customers about the fees incurred and interest earned on deposit accounts. It prohibited, inter alia, banks from using “free” to describe an account with a maintenance fee or a minimum-balance or a maximum-transaction requirement to avoid fees.41 In 1994, the Federal Reserve provided further guidance on the boundaries of “free” checking.42 Fees associated with overdrawing an account or involving ATM usage were permitted in “free” checking accounts, as a customer could avoid incurring the fee.

37 The distinction between non-sufficient funds (NSF) and overdraft (OD) fees is not particularly important in this context; we use the terms interchangeably
38 “Practicing Thrift – Austerity Pays Off for A Midwestern S&L,” Barron’s, September 21, 1987
39 “Need a Teller? A Big Bank Plans $3 Fee,” New York Times, April 27, 1995
40 Enacted as Subtitle F of Title II of the Federal Deposit Insurance Corporation Improvement Act of 1991 (Public Law 102-242); codified as 12 USC §§4301-4313
41 Ibid., §262(d); codified as 12 USC §4302(d)
42 The official staff commentary for the Truth in Savings Act regulations was published on August 8, 1994 (Federal Reserve document 94-19224)

And in 1994, free checking took off. That year, Washington Mutual was one of the first large institutions to promote free checking,43 and others soon followed its lead. Over time, free checking became a highly popular product. It did not eliminate fee revenue. Instead, its mix shifted away from maintenance fees and towards transaction-related fees. At the same time, debit interchange began to account for an increasing share of revenue, as the popularity of debit cards grew.

While consumers can avoid OD fees simply by not performing transactions that would cause their account balance to go negative, OD prevalence increased in part due to the rise of debit card use. Customers who might have been diligent in balancing their checkbooks when writing checks may have been less so when using a debit card.

According to a detailed study conducted by the FDIC on overdraft practices,44 during a 12-month period, a quarter of bank customers had an OD transaction. The OD revenue, however, was very concentrated, with fewer than 10% of bank customers accounting for over 80% of OD revenue.45

Table 5: PREVALENCE AND CONCENTRATION OF OVERDRAFTS AND OVERDRAFT REVENUE

| NUMBER OF ANNUAL OVERDRAFTS | 0 | 1-4 | 5-9 | 10-19 | 20+ |
|---|---|---|---|---|---|
| % customers | 74% | 12% | 5% | 4% | 5% |
| % customers overdrafting | - | 46% | 19% | 16% | 19% |
| Average OD revenue/customer | - | $64 | $215 | $451 | $1,610 |
| % total OD revenue | - | 7% | 9% | 16% | 68% |

By 2005, the OD issue was on the regulators’ radar. That year, the four federal banking regulators jointly issued non-binding guidance,46 which included some 17 best practices regarding ODs, including that banks should

•• “Obtain affirmative consent of consumers to receive overdraft protection”
•• “Alert consumers before a transaction triggers any fees”
•• “Demonstrate when multiple fees will be charged”.

43 Washington Mutual Press Release, “Washington Mutual Celebrates a Decade of FREE CHECKING; Rodeo Grandmas Ride into Town to Usher in Next Decade,” November 8, 2004
44 FDIC Study of Bank Overdraft Programs. Available at www.fdic.gov/bank/analytical/overdraft/FDIC138_Report_Final_v508.pdf
45 Ibid., Tables IX-11, IX-12, and IX-13
46 Published in the Federal Register at 70 FR 9127-9132

In May 2008, the Federal Reserve issued draft regulations regarding overdrafts.47 It sought comment on, inter alia, whether OD fees should be “opt-in” or “opt out.” In November 2009, it issued final regulations,48 which took effect in summer 2010. Key features of the regulation included

•• A bank must obtain the affirmative consent of new and existing customers before charging for an OD arising from an ATM or point-of-sale (POS) debit transaction
•• A customer can revoke this consent any time after giving it
•• Banks can charge for ODs arising from checks and recurring debit transactions without customer consent
•• Banks cannot, however, condition the paying of ODs arising from check or recurring debit card transactions on receiving customer consent to charge for ODs on ATM/POS debit overdrafts. Similarly, banks cannot discriminate against non-consenting customers by imposing any differences in any account features (such as the amount of a monthly fee) beyond the OD feature itself.

These regulations amended Regulation E, which implements the Electronic Fund Transfer Act.

In parallel, the Federal Reserve amended Regulation DD, which implements the Truth in Savings Act, to require banks to disclose on customer account statements their total OD fees paid in the current period and year to date. This final rule was issued in January 200949 and took effect in January 2010.

In November 2010, the Federal Deposit Insurance Corporation (FDIC), which regulates state-chartered banks not supervised by the Federal Reserve, provided “final guidance” implementing these regulations.50 The FDIC noted in its letter that it “expects” institutions, inter alia, to “Monitor programs for excessive or chronic customer use, and if a customer overdraws his or her account on more than six occasions where a fee is charged in a rolling twelve-month period, undertake meaningful and effective follow-up action.”

In June 2011, the Office of the Comptroller of the Currency (OCC), which regulates national banks, provided its own “proposed guidance” that outlines the principles it expects banks to follow.51 These included having “prudent limitations” on the availability of ODs, ongoing monitoring of accounts to detect “indications” of excess ODs, and not choosing a transaction processing order solely to maximize OD revenue. Its guidance was similar, but not identical, to the FDIC’s guidance. Section 4.3 discusses this guidance in more detail.

47 Published in the Federal Register at 73 FR 28904-28964
48 Published in the Federal Register at 74 FR 59033-59056
49 Published in the Federal Register at 74 FR 5584-5594
50 FDIC Financial Institution Letter FIL-81-2010. Available at www.fdic.gov/news/news/financial/2010/fil10081.pdf
51 “Guidance on Deposit-Related Consumer Credit Products,” published in the Federal Register at 76 FR 33409-33413

4.2. THE CREDIT CARD ACT

The evolution of credit cards has parallels with the rise of free checking. Several decades ago, both products tended to have a one-size-fits-all pricing structure. Over time, pricing became increasingly tailored to the individual, with lower headline pricing. Both products experienced a dramatic surge in balance growth, and customers who followed the terms and conditions got a better deal than was previously available to them. Nonetheless, opposition in some quarters led to legislative and regulatory changes to curb various industry practices.

In the 1970s and earlier, credit card lending was largely local or regional – as was banking in general. Few issuers had scale, and they lent to high credit-quality customers, in part because of usury laws. Although issuers used direct mail, it was much less prevalent than it would become several decades later. In the early days, bank managers would even personally review applications to determine a credit limit. Credit card lending became a national business in the 1980s and an intensively scale-driven business in the 1980s and 1990s.

Credit card portfolios lost money in the late 1970s through the combination of high inflation and usury laws’ lack of indexing for inflation. A key 1978 Supreme Court case established that when a bank serves an out-of-state customer, the usury laws of the bank’s state govern the maximum interest rate that may be charged, not the customer’s state.52 That enabled Citibank to relocate its credit card operations to Sioux Falls, South Dakota, in 1981. Citi’s then-CEO would later describe how he personally appealed to the governor to enact usury law reform, so that the business could continue to operate in New York. When those efforts failed, his team evaluated other states’ laws and ultimately moved the card business to South Dakota.53 Other lenders followed suit.

As competition intensified, issuers adopted new pricing structures. Pricing became much more varied, and issuers adopted scientific test-and-learn approaches. For instance, in 1998, one issuer had some 28,000 product offerings in the marketplace.54

Practices like universal default clauses and “any time any reason” clauses came into use as a result of serving customers of increasingly varied credit quality. While intended to serve as a risk-management tool, they attracted criticism in some quarters.

Partly in response to these practices, the Credit Card Accountability Responsibility and Disclosure Act (Credit CARD Act) was enacted in May 2009,55 prohibiting specific practices used by some – but not all – card issuers. It also delegates a limited amount of power to regulators in certain areas.

52 Marquette Nat. Bank of Minneapolis v. First of Omaha Service Corp, 439 U.S. 299 (1978)
53 “Secret History of the Credit Card,” Frontline, November 23, 2004. Available at www.pbs.org/wgbh/pages/frontline/shows/credit/interviews/wriston.html
54 “This Is a Marketing Revolution,” Fast Company, April 30, 1999
55 Public Law 111-24

The majority of its provisions fall into three categories

•• Restricting issuers’ ability to reprice existing risk
•• Reducing certain fees and curtailing certain business practices
•• Ensuring that underwriting takes into account the customer’s ability to repay.

The first category is perhaps the most significant aspect of the law. An issuer can now only change the interest rate on existing balances if one of the following occurs56

•• The customer is 60+ days past due (and the interest rate must then revert to the non-penalty rate should the customer make on-time payments for six months)
•• The interest rate is tied to an index (e.g., prime), and the index moves
•• The customer’s promotional rate (which now must last for at least six months) expires. The lender must disclose the go-to rate at origination
•• A customer on a negotiated workout plan specifying the interest rate fails to comply with the plan’s terms.

Lenders must also provide greater advance notice (45 days) when raising interest rates on future balances. Lenders that raise interest rates must revisit such decisions at least every six months. If an interest rate increase was based on some factor (e.g., declining customer credit quality, changes in the macro environment), and that factor then reverses itself, the lender must lower the interest rate accordingly.57

The second category (fees and business practices) consists of a laundry list of provisions, including but not limited to the following

•• An issuer must provide greater advance notice of changes to key account terms
   −− 45 days, instead of 15 days previously
   −− A customer can decline such changes and continue to pay off existing balances under the previous terms without being penalized by the issuer for doing so
•• Customer payments above the minimum required payment must be applied to the highest-rate tranche first
•• So-called “double-cycle billing” is prohibited
•• Customers must have at least 21 days after a statement cycle to make a payment
•• Customers must opt-in for an issuer to impose an over-the-limit fee
•• Penalty fees, such as late payment fees and over-the-limit fees, must be “reasonable and proportional” to the issuer’s costs, as determined by the Federal Reserve, or else fall within a safe harbor
•• Sundry provisions (posting cardholder agreements to websites, caps on fees for subprime cards, payments received by 5pm must be posted on the same day, no inactivity fees, etc.).

56 Credit CARD Act §101(b)(2) created Truth in Lending Act §171, which contains these provisions
57 Credit CARD Act §101(c) created Truth in Lending Act §148, which contains these provisions

The third category (taking ability to pay into account when underwriting) includes the two following provisions

•• When underwriting a customer, either for a new card or for a credit limit increase, an issuer must “consider the ability of the consumer” to make the required payments
•• Consumers under 21 must, inter alia
   −− Have an adult cosigner with the ability to repay, or else demonstrate their own ability to repay, to apply
   −− Have an adult cosigner consent to a credit limit increase
   −− Opt in to receive prescreened card offers.

These changes amended the Truth in Lending Act (TILA). The Federal Reserve, in turn, amended its Regulation Z, which implements TILA.

4.3. CHECK CLEARING ORDER

Until recently, banks had discretion to choose the order in which they process payment transactions, so long as they disclosed their process and the associated consequences. When a customer has multiple payment items (checks, ATM transactions, or debit card transactions) clear on the same day, the order in which they are processed has implications for overdraft fees.

Some banks chose to process items by check number or in chronological order. Other banks chose to process items either “low-to-high” or “high-to-low,” where the size of an item influences its processing order. Supporters of high-to-low ordering noted that it ensures that big-ticket items (which may represent such things as rent or car payments) get paid if the customer does not have funds to cover all items. Detractors asserted that the motivation for this process is to maximize fee revenue.

Historically, how banks processed payments did not attract much regulatory scrutiny. This changed in 2005, when the bank regulators issued the overdraft guidance discussed in Section 4.1. One of the 17 non-binding best practices addressed the order of transaction clearing

“Explain impact of transaction clearing policies. Clearly explain to consumers that transactions may not be processed in the order in which they occurred, and that the order in which transactions are received by the institution and processed affect the total amount of overdraft fees incurred by the consumer.”58

Over time, an increasing number of institutions adopted a high-to-low policy. Nearly a quarter of institutions processed transactions high-to-low, nearly half low-to-high, nearly a fifth by check number, and the remainder in chronological order or in some other order.59

58 70 FR 9132
59 FDIC overdraft study supra, p. 11

The Federal Reserve’s 2009 OD regulations discussed in Section 4.1 did not address the issue of transaction order. The FDIC’s November 2010 final guidance to implement these changes (also mentioned in Section 4.1) did, with explicit requirements replacing best practices. For instance, the FDIC now “expects financial institutions to not process transactions in a manner designed to maximize the cost to consumers.”60

A number of lawsuits have been filed in the last several years regarding the high-to-low processing of checks and debit card transactions. One law firm estimated that nearly 60 lawsuits were pending as of 2010.61 These lawsuits tend not to allege specific violations of federal laws – indeed, one even acknowledged no cause of action under federal law and that banks had disclosed their policies in their accounts’ terms and conditions. Instead, lawsuits have used such common-law concepts as fair dealing and unjust enrichment, as well as the consumer-protection laws of certain states.62

4.4. DODD-FRANK AND THE DURBIN AMENDMENT

The Dodd-Frank Act is large. It runs to over 2,300 pages,63 contains over 500 sections, and has a 15-page table of contents. As is the case for all such laws, dozens if not hundreds of amendments were proposed while it was debated. One of them, the Durbin Amendment,64 was introduced on the floor of the Senate, and to the surprise of both Christopher Dodd and Barney Frank, it was adopted.

The Durbin Amendment addresses a variety of topics relating to debit cards. It has two key provisions

•• For financial institutions with $10 BN or more in worldwide assets, debit card interchange shall be “reasonable and proportional” to certain variable costs incurred by debit issuers for that transaction
•• For all financial institutions, debit cards must participate in at least two unaffiliated payment networks, permitting greater merchant routing choice.

The amendment directed the Federal Reserve to issue regulations (now known as Regulation II) to implement it. In December 2010, the Federal Reserve issued draft regulations65 that included two potential interchange rate alternatives on which it sought public comment

•• Alternative 1: Regulated institutions can receive $0.07 per debit transaction regardless of their cost structure (a so-called “safe harbor”). Issuers with higher variable cost structures for authorization, clearance, and settlement may receive that variable cost, up to a maximum of $0.12 per transaction
•• Alternative 2: Interchange for all regulated issuers is capped at $0.12 per transaction.

60 FDIC FIL-81-2010 supra, p. 1
61 Available at www.krcl.com/index.php?src=news&submenu=News&srctype=detail&category=Publications&refno=176
62 The complaint for one such lawsuit can be found at www.bofaoverdraftsettlement.com/courtdocuments.aspx. The settlement agreement for another, referencing the alleged causes of action, can be found at www.overdraftsettlement.com/documents/preliminary%20approval%20order.pdf
63 The final version printed by the Government Printing Office ran to 849 pages, as it used different fonts, margins, etc. than draft versions printed by Congress, whose last printed version ran to over 2,300 pages. As a result, press references to the law’s length use numbers close to both values
64 Dodd-Frank §1075
65 Published in the Federal Register at 75 FR 81722-81763

The permitted level of interchange in the draft rule was significantly less than what the industry expected and would have lowered industry revenue by over 70%. There were several unresolved issues in the draft rule, including whether cards should be in two unaffiliated debit networks (without regard to PIN vs. signature debit) or whether each type of debit transaction (PIN and signature) must be able to be routed over two distinct payment networks.

In response to this draft rule, the Federal Reserve received approximately 11,000 comment letters – an unprecedented number. Many regulations receive only dozens of comments, or even fewer.

After due consideration, the Federal Reserve issued a final rule in June 2011,66 several months behind schedule. The final rule changed the permitted level of interchange, and it addressed several items not covered in the draft regulations.

Permitted debit card interchange

•• Financial institutions with at least $10 BN in worldwide assets will have their interchange rate capped at $0.21 per transaction + 0.05% of the transaction value. Issuers that qualify may receive an additional $0.01 per transaction to help recover some of their fraud-prevention costs
•• The regulation directs banks’ regulators to look at all monies paid from a network to an issuer (including incentives and signing bonuses) to ensure compliance with the interchange cap (the “anti-circumvention” provision)
•• These new rates went into effect on October 1, 2011.

Debit network participation

•• All debit cards (regardless of the issuer’s size) must participate in at least two unaffiliated payment networks. In most cases, this means that every debit card will be in one signature debit network and one PIN debit network that is not affiliated with the signature brand (i.e., prohibition of cards that exclusively participate in Interlink with Visa, or Maestro with MasterCard)
•• The majority of banks already comply with this requirement; every issuer must comply by April 1, 2012.

The Federal Reserve recently issued a series of FAQs to provide additional guidance on how issuers and networks are to interpret the regulation. Additionally, it is seeking public comment on its proposed industry surveys, which it will conduct every two years and use as the basis for adjustments to Regulation II over time.

66 Published in the Federal Register at 76 FR 43394-43475

5. OVERVIEW OF PAYMENTS AND PAYMENTS PROVIDER REGULATION

Payments are regulated by a variety of laws, some explicitly designed to protect consumers and others governing the overall environment in which payments and payment firms operate.

This section outlines 25 laws and regulations relevant to the payments industry or the regulation of payments providers, and it examines how they apply to traditional and alternative electronic payments. Sections 6-8 discuss them in more detail.

5.1. TIMELINE OF CONSUMER PROTECTION AND PAYMENTS PROVIDER REGULATION

Before addressing the substance of these laws, several interesting and important points are worth noting

•• Consumer protection is distributed across a number of laws/concepts, which were written over the course of decades
•• Only some laws relevant to payments specifically discuss payments. Conversely, no single law encompasses all payments-specific issues in one place
•• The scope of the companies, products, and transactions covered by different laws varies. Across different laws, some key definitions can vary or be ambiguous. Some apply to depositories only. Some apply to one type of payment only (e.g., protections specific to credit cards), while others apply to a category of payment, but the category is defined, with the benefit of hindsight, in a way that turns out to be narrow or ambiguous (e.g., “credit” in TILA, “asset account” in EFTA). Others apply broadly, but the lack of a prudential regulator for some companies gave rise to an enforcement gap
•• The recently created Consumer Financial Protection Bureau (CFPB) assumes responsibility for enforcing most federal laws that touch upon consumer protection. It will not receive the power to regulate non-banks, however, until a permanent director is in place.67 While this will harmonize the treatment of depository institutions and alternative providers, the CFPB may interpret laws differently from how the prudential regulators and the Federal Trade Commission (FTC) have done so historically.

Table 6 summarizes the 13 laws and regulations most pertinent to consumer protection within payments. For each, we note when the law was enacted, which regulators had been responsible for enforcement, and whether responsibility shifts to the CFPB.

[67] A report issued jointly by the Inspectors General of the Treasury Department and Federal Reserve on January 10, 2011 (available at www.treasury.gov/about/organizational-structure/ig/Documents/OIG-CA%2011004%20Committee%20of%20Financial%20Services%20Response%20CFPB.pdf) concludes that the CFPB can exercise, in the absence of a permanent director, the existing authorities that were transferred from other regulators to it, but not the new authorities created by Dodd-Frank

Table 6: CHRONOLOGY AND SCOPE OF CONSUMER-PROTECTION LAWS RELEVANT TO TRADITIONAL PAYMENTS

| CONSUMER PROTECTION | ENACTED | REGULATORS INVOLVED (PRE DODD-FRANK) | CFPB TO ENFORCE? |
| --- | --- | --- | --- |
| Unfair or deceptive acts or practices/Reg AA (Note: “Abusive” practices will also be regulated when the CFPB assumes its new powers) | 1938 (UDAP); 1975 (UDAP for banks); 2010 (“abusive” practices) | Bank regulators, various other federal regulators, FTC otherwise | Yes |
| Truth in Lending Act and Fair Credit Billing Act/Reg Z | 1968 (TILA); 1975 (FCBA) | Bank regulators, various other federal regulators, FTC otherwise | Yes |
| Fair Credit Reporting Act/Reg V | 1970 | Bank regulators, various other federal regulators, FTC otherwise | Yes |
| Equal Credit Opportunity Act/Reg B | 1974 | Bank regulators, various other federal regulators, FTC otherwise | Yes |
| Electronic Fund Transfer Act/Reg E | 1978 | The Federal Reserve, in consultation with the other bank regulators; FTC otherwise | Yes |
| Funds availability/Reg CC | 1987 | The Federal Reserve, in consultation with the other bank regulators | Yes |
| Truth in Savings Act/Reg DD | 1991 | The Federal Reserve, in consultation with the other bank regulators | Yes |
| Financial privacy (GLB/Reg P) | 1999 | The bank regulators, NCUA, SEC, state insurance regulators; FTC otherwise | Yes |
| Consumer Financial Protection Bureau | 2010 | None | Yes |
| Bankruptcy priority and deposit insurance | Deposit insurance in 1933; major bankruptcy laws in 1898, 1938, 1978 | FDIC, bankruptcy courts | No |
| State laws and federal preemption | 1864 (preemption); Various (state laws) | The states, OCC; federal courts resolve disputes over preemption decisions | No, but the OCC must consult it |
| Unclaimed property/escheatment | Varies by state; model laws created in 1954, 1966, 1981, 1995 | The states | No |
| Uniform Commercial Code check provisions | Varies by state; first model law in 1952 | The states | No |

A recurring theme throughout our paper is that consumer-protection laws do not always contemplate new business models, partly because they predate alternative payments by years if not decades. Exhibit 4 illustrates the development of consumer-protection laws, credit cards, and alternative electronic payments.

Exhibit 4: TIMELINE OF CONSUMER-PROTECTION LAWS, CARD NETWORKS, AND ALTERNATIVE PAYMENTS PROVIDERS

[Figure not reproduced: a timeline by decade (1960s and earlier, 1970s, 1980s, 1990s, 2000s, 2010s) of consumer-protection laws, card networks, and alternative payments providers.]

5.2. REGULATIONS THAT PROTECT CONSUMERS

Most of the aforementioned 13 consumer-protection laws are specific federal laws. Several are collections of state or federal laws. Some address issues specifically related to payments (e.g., electronic fund transfers, disputed transactions, fraudulent checks, etc.). Others apply to issues that are broader but encompass payments (e.g., disclosures, funds availability, privacy, non-discrimination, unclaimed property, UDAP, etc.).

Tables 7 and 8 summarize our findings. Table 7 discusses various issues about each consumer-protection law, while Table 8 summarizes the gaps that exist for each type of alternative payments provider in our regulatory-based taxonomy.

In reviewing the laws in Table 7, we have noted whether a law is conceptually relevant to alternative payments (e.g., check fraud per se is not, while resolving disputed transactions is). In some cases, a law is relevant to some, but not to all types of alternative electronic payments (for example, many laws do not apply to Mobile Carrier Billers as they do not hold customer funds). We have also specified whether the law, as written, covers alternative electronic payments (for some, it may vary by type of alternative electronic payment or be a matter of interpretation). Finally, for laws that are relevant but do not extend to a particular type of company, we have noted whether those companies appear to provide the protection anyway.[68]

[68] Since we cannot list out all companies, we generally use PayPal and BilltoMobile as examples, noting other companies occasionally if relevant. In some cases, most alternatives provide a particular protection, but counterexamples can also be found

Table 7: CONSUMER-PROTECTION LAWS RELEVANT TO TRADITIONAL PAYMENTS

APPLICATION TO ALTERNATIVE ELECTRONIC PAYMENTS/PROVIDERS

| CONSUMER PROTECTION* | IS IT RELEVANT TO THEM? | DOES THE LAW COVER THEM? | IF NOT, DO THEY PROVIDE PROTECTION ANYWAY? | COMMENTS |
| --- | --- | --- | --- | --- |
| Bankruptcy priority and deposit insurance | Yes (except for Mobile Carrier Billers) | Some alternatives hold customer funds in FDIC-insured accounts at depositories, while others do not | N/A | This represents a significant gap, both in theory and in practice. Merchant gift cards have no protection in bankruptcy. Most GPR cards are FDIC insured, but not all are, and some open-loop gift cards are not |
| Consumer Financial Protection Bureau | Yes | Yes | N/A | The CFPB may close some enforcement gaps, by placing all supervision/enforcement in one agency. It may also interpret laws differently from how current regulators do |
| Electronic Fund Transfer Act/Reg E | Yes | Unclear; mostly not. Reg E “lite” applies to some New Plastic companies. EFTA’s status elsewhere is ambiguous, as “asset account” has yet to be fully defined. Does not apply to Mobile Carrier Billers | PayPal and most GPR cards offer the equivalent. A few alternatives do not | EFTA’s application to Non-Plastic Asset Accounts and some types of New Plastic remains unclear – even PayPal is uncertain whether it applies to them |
| Equal Credit Opportunity Act/Reg B | Yes | No, unless they permit a customer to defer repayment. May apply to decoupled debit and Mobile Carrier Billers | Presumably | Presumably no substantive consumer gap exists (e.g., no companies discriminate). The law, however, creates a compliance burden for credit and charge card issuers, which Dodd-Frank increases |
| Fair Credit Reporting Act/Reg V | Yes, but only if they use credit bureau data | Yes | N/A | While the law covers all companies, credit cards make greater use of credit reports, so the law impacts them more than alternatives |
| Financial privacy (GLB/Reg P) | Yes | Mostly – Mobile Carrier Billers are not covered, and the status of Virtual Currencies is unclear | Mobile Carrier Billers provide comparable protections | Some companies such as Facebook have had well-publicized privacy concerns; unclear if these issues involve their financial activities |
| Funds availability/Reg CC | Yes (except for Mobile Carrier Billers) | No – depositories only | Yes | No apparent gaps. While alternative P2P transactions tend to post immediately, this is not a statutory protection |
| State laws and federal preemption | Yes | Yes | N/A | Alternatives cannot have state laws preempted, so they are subject to more state consumer-protection laws than national banks |
| Truth in Lending Act and Fair Credit Billing Act/Reg Z | Yes | No. Few if any alternative companies extend “credit” as defined by these laws | PayPal customers have no liability for unauthorized transactions, but its user agreement does not have a “Schumer box.” PayPal and BilltoMobile have dispute-resolution processes in line with the FCBA; BOKU does not. No alternative company appears to provide claims-and-defenses protections. | While disclosures apply to all creditors, TILA’s liability limit on unauthorized transactions only applies to credit cards. Alternatives do not always disclose fees/costs as clearly as do credit cards in their account applications. The FCBA offers greater consumer protection (e.g., merchant disputes) than the EFTA. Some providers offer this protection, but not all do |
| Truth in Savings Act/Reg DD | Partially | No – depositories only | Unclear | Business-model differences mean that only some aspects of TISA are relevant to alternatives. They do not break out fees as clearly as depositories do with their fee schedules (or as credit card issuers do under TILA) |
| Unclaimed property/escheatment | Yes (except for Mobile Carrier Billers) | Yes | PayPal does; others have not always done so. Some Virtual Currencies, in particular, do not seem to comply | Some alternatives have used inactivity fees/account forfeiture to claim inactive customer funds |
| Unfair or deceptive acts or practices/Reg AA | Yes | Yes | N/A | No gap in principle. Different agencies enforced this for depositories and non-depositories before Dodd-Frank transferred authority to the CFPB |
| Uniform Commercial Code check provisions | No | N/A | N/A | The spirit of the law, as applied to other forms of payment, is relevant, but not the law itself |

* As discussed in Section 4, many of the recent changes to retail banking regulation consisted of amending and expanding existing laws and regulations rather than creating new ones. Thus, they do not appear separately in this table.

Table 8: THE APPLICATION OF CONSUMER-PROTECTION LAWS TO DIFFERENT TYPES OF PAYMENTS

SOME OR ALL TRADITIONAL CONSUMER NON-PLASTIC MOBILE PAYMENTS PROTECTION NEW ASSET CARRIER VIRTUAL LAW OR ISSUE PROVIDERS GAP PLASTIC ACCOUNTS BILLERS CURRENCIES 1. Bankruptcy priority and deposit insurance or N/M

2. Consumer Financial Protection Bureau ( )

3. Electronic Fund Transfer/Reg E Mostly , some and Mostly

4. Equal Credit Opportunity/Reg B Mostly N/M, some

5. Fair Credit Reporting/ Reg V N/M, if not using credit scores or credit report information

6. Financial privacy (GLB/Reg P) ( ) or ( )

7. Funds availability/ Reg CC N/M

8. State laws and federal preemption

9. Truth in Lending and Fair Credit Billing/Reg Z 9a. Claims and defenses

9b. Billing errors Mostly , some Some , some

9c. Unauthorized May be grouped May be grouped transactions Mostly , some with billing errors Mostly , some with billing errors 9d. Other provisions Mostly N/M, some

10. Truth in Savings/Reg DD Mostly N/M, some N/M

11. Unclaimed property/ or (CG); escheatment or N/M fewer gaps than before 12. Unfair or deceptive acts or practices/Reg AA

13. Uniform Commercial Code check provisions Some , some N/M Some , some

Covered by the law; no compliance gaps Not covered by the law, but it offers a comparable protection voluntarily Status unclear; difficult to assess Not covered by the law. Does not offer the protection or, in a few cases, offers less protection

(CG) Covered by the law, but a compliance gap appears to exist N/M Not a meaningful concept

5.3. OTHER REGULATIONS GOVERNING PAYMENTS

A further six laws directly impact payments. Each treats traditional payments or payments providers differently from alternative electronic payments or payments providers.

Table 9 lists these laws and comments on their application to alternative electronic payments. Table 10 summarizes the coverage gaps by type of alternative provider.

Table 9: OTHER PAYMENTS-RELATED LAWS

| REGULATORY ISSUE | DOES THE LAW APPLY TO NON-DEPOSITORIES? | IMPLICATIONS |
| --- | --- | --- |
| Durbin Amendment/Reg II | Generally not. Any company involved in debit transactions is subject to the interchange and network participation requirements, but other types of payments are not covered | The revenue stream of debit card issuers with assets of $10 BN+ is significantly impacted. Alternative companies’ interchange rates can be as high as 30% and are not subject to price controls. Lower debit interchange will undermine the business model of those Facilitators that sought to use the ACH to undercut debit on price. The requirement that all debit cards participate in two unaffiliated networks applies to all providers, regardless of the technology used to conduct the transaction |
| Payment card IRS reporting (HERA §3091) | Partially. It applies to all payment card transactions. In principle, it also applies to three-party networks. While it appears that PayPal will report, the status of other alternatives is unclear. A small-merchant exemption applies to three-party networks but not to card networks | Merchants may be incented to switch to payments systems not tracked by the IRS. Smaller merchants also have an incentive to switch from cards to alternative electronic payments, where a de minimis threshold (200+ transactions totaling $20,000+) applies to the reporting requirement for three-party networks but not payment card networks. Traditional electronic payments providers may incur compliance costs not borne by all alternatives. |
| AML/KYC | Some alternatives are covered; others are not. Without prudential supervision, alternatives that are subject to AML/KYC may have a lower compliance burden | Unlike many other laws, many aspects of KYC/AML are principles-based, with requirements a function of the potential risks. Thus, assessing the size of the compliance gap is difficult. Transaction limits imposed by some alternatives reduce but do not eliminate the potential for their customers to launder money. A recent FinCEN regulation has clarified the extent of KYC/AML coverage for “prepaid access.” It remains unclear if Virtual Currencies are covered; not all of them appear to be registered as money service businesses |
| Tying arrangements/Reg Y | Generally not. For non-depositories, only if they rise to an anti-trust concern | While anti-tying provisions exist in the anti-trust laws, depositories face a much more stringent standard. It may become more of an issue as alternatives gain market power. Facebook now requires all games operating on Facebook to accept only Facebook Credits for payment. Assessing the exact impact is hard, as card issuers have simply not built business models that rely on bundling |
| Payment system integrity | Yes, but in practice, the larger card networks and merchant processors face more of the burden for emerging issues | This is a combination of specific laws (e.g., unlawful Internet gambling) and payments provider support of various law-enforcement and public-policy objectives. While many if not most providers discuss these issues in customer agreements, in practice the efforts to keep sales of illegal, counterfeit, and pirated goods and services off payment systems tend to be borne especially by traditional card networks and merchant processors |
| Financial market utilities/Reg HH | Theoretically; highly unlikely in practice | FSOC has not elected to use this power to regulate any retail payment systems, but it has also chosen not to exempt them altogether. This could be another source of differential regulation of traditional and alternative providers |

Table 10: THE APPLICATION OF OTHER PAYMENTS-RELATED LAWS TO DIFFERENT TYPES OF PAYMENTS

TRADITIONAL PAYMENTS ALTERNATIVE ELECTRONIC PAYMENTS BHCS, BHC- NON-BHC- NON-PLASTIC MOBILE OWNED CARD OWNED CARD DEGREE NEW ASSET CARRIER VIRTUAL LAW OR ISSUE NETWORKS NETWORKS OF GAP PLASTIC ACCOUNTS BILLERS CURRENCIES 1. Durbin Amendment/ Reg II

2. Payment card Varies ( ) ( ) IRS reporting (HERA §3091) 3. AML/KYC Mostly ( ) ( )

4. Tying arrangements/ Reg Y

5. Payment system ( ) ( ) integrity

6. Financial market Not likely but possible Very unlikely utilities/Reg HH

5.4. REGULATION OF DEPOSITORIES

Many banking laws regulate the provider of banking services in addition to – and apart from – the particular services they offer. Depository institutions in particular are subject to a comprehensive regulatory regime whose burden is generally not shared by other companies, including companies engaged in alternative payments. Section 8 discusses six of these laws in detail.

Table 11: OTHER LAWS REGULATING DEPOSITORIES

| REGULATORY ISSUE | DOES THE LAW APPLY TO NON-DEPOSITORIES? | IMPLICATIONS |
| --- | --- | --- |
| Prudential regulation: Examinations | No | Depositories have on-site field examiners who look at all aspects of the provider’s operations – a 1,800 page manual spells this out in detail. Alternatives have nothing comparable, other than MSB regulation, which is not as stringent or comprehensive |
| Prudential regulation: Capital requirements | No | Generally not a binding constraint, as banks are more highly levered than alternative companies. However, a financially distressed alternative company can continue to operate without regulatory oversight (other than MSB laws), required actions, or possibly even disclosure of the fact |
| Prudential regulation: Regulatory reporting | No | Less information is known about the size, financial performance, or financial health of alternatives |
| Prudential regulation: Enforcement proceedings | No | Regulators have a full arsenal of tools for addressing issues that arise at depositories – informal actions, formal written agreements, prompt corrective action directives, the ability to fine people and companies, the ability to remove key employees |
| Prudential regulation: Receiverships | No | There is no guarantee that an alternative company in financial distress will be taken over by another company; the operations of failed depositories usually carry on under new ownership |
| Systemic regulation (SIFIs and G-SIFIs) | Theoretically possible but almost certainly will not happen | The vast majority of credit card balances and a majority of checking account balances are held at institutions that automatically became SIFIs. Two of the four major card networks are operated by institutions that automatically became SIFIs. The details of SIFI regulation are still being determined. Once in place, it will enlarge the regulatory coverage gap between traditional payments providers – many of whom are now or will become SIFIs – and alternatives |
| Community Reinvestment Act/Reg BB | No | Alternative companies, which like depositories hold on to consumer funds, do not have to comply with it |
| Other laws: Management interlocks/Reg L; Affiliate transactions/Reg W; Insider loans/Reg O | Generally not. Interlocks are only prohibited if they rise to the level of creating anti-trust concerns | Each of these laws further contributes to the compliance burden borne by depositories. Regulation L in particular has the potential to impose a competitive disadvantage on banks if a waiver cannot be obtained |

6. DETAILED DISCUSSION: CONSUMER PROTECTIONS

Some 13 consumer-protection laws/regulations apply to traditional payments:

• Bankruptcy priority and deposit insurance
• The Consumer Financial Protection Bureau
• Electronic Fund Transfer Act/Reg E
• Equal Credit Opportunity Act/Reg B
• Fair Credit Reporting Act/Reg V
• Financial privacy (GLB/Reg P)
• Funds availability/Reg CC
• State laws and federal preemption
• Truth in Lending Act and Fair Credit Billing Act/Reg Z
• Truth in Savings Act/Reg DD
• Unclaimed property/escheatment
• Unfair or deceptive acts or practices/Reg AA
• Uniform Commercial Code check provisions.

This section reviews each law/regulation, its application to alternative electronic payments, the gaps that arise, and the implications of those gaps.

6.1. BANKRUPTCY PRIORITY AND DEPOSIT INSURANCE

Background

Since the Great Depression, the regulatory regime for depositories has included deposit insurance. Today, customer deposits are insured for up to $250,000 per account, or more under certain circumstances (e.g., an additional $250,000 for each additional person on an account, unlimited coverage for noninterest bearing accounts, etc.). If a depository fails, the FDIC usually finds an acquiring institution to assume its deposits over the course of a weekend – and acquiring institutions often assume both uninsured and insured deposits. In the rare case that a bank fails and no acquirer can be found, the FDIC mails checks to customers for their insured deposits within days.

Bankruptcy laws have also been on the books in the US for a long time. The Bankruptcy Act of 1898 was the first modern bankruptcy law. Subsequent laws were enacted in 1938 and 1978, and lesser revisions have occurred regularly since. Bankruptcy law establishes priorities for the repayment of different creditors. These rules, however, are not exhaustive, and the different facts and circumstances of every bankruptcy case mean that a certain amount of discretion will always reside with the bankruptcy judge.

A number of preferences in bankruptcy are well-known: debtor-in-possession financing, back taxes, and unpaid employee wages up to a certain amount are near the top. Meanwhile, common equity holders are at the very bottom.

The law contemplates consumer protection: consumer layaway deposits, for instance, are also given a priority.[69] Gift certificates and their electronic successor, the closed-loop merchant gift card, however, receive no special priority. Their fate in bankruptcy – like that of many stakeholders – varies enormously. At best, a bankruptcy judge will direct that gift cards be honored in full, which can be of limited usefulness if the merchant is liquidating. At worst, cardholders must stand in the same line as general unsecured creditors. Given the many large merchant bankruptcies in recent years, this is a non-trivial consideration.

Implications for alternative payments

A scan of merchant bankruptcies in the last several years demonstrates just how varied the treatment of gift cards has been. The following examples show the range of outcomes for merchant gift card holders in bankruptcy:

• Honored in full, and the company remained in business or was bought (many)
• Honored in full, but with the company liquidating, cards have only limited utility (many)
• Balance honored in full, but with conditions
  - Time limitation, e.g., can only be used for a few weeks/months (Blockbuster[70])
  - Use limitation, e.g., can be used in physical stores but not online (KB Toys[71])
  - Purchase requirements, e.g., customer must buy goods worth 2x the card to use the card (Sharper Image[72])
• Balance not honored in full, e.g., 50% haircut on value (Ski Market[73])
• Dishonored, e.g., a company immediately shuts down (many)
  - Sometimes, competitors have offered discounts to customers handing over their gift cards (Saks Fifth Avenue, Toys “R” Us).[74]

When gift card holders have become unsecured creditors, it has sometimes taken years for them to receive any value out of the bankruptcy estate.[75]

[69] 11 USC §507(a)(7) allows consumer layaway deposits to be prioritized, up to a certain amount. The amount in the statute ($1,800) is indexed for inflation and is currently $2,425
[70] Blockbuster filed for bankruptcy in September 2010, and it continued to honor its gift cards. In March 2011, with an auction of its assets underway, Blockbuster announced it would stop honoring gift cards in two weeks, when it expected the auction to be completed. In April 2011, Dish Network acquired various assets from the bankruptcy estate, but it did not assume the gift card liabilities
[71] Consumer Reports reported that KB Toys, which filed for bankruptcy in December 2008, agreed to honor gift cards purchased by New York residents through at least January 11, 2009. Article available at news.consumerreports.org/money/2008/12/new-yorkers-get.html
[72] “Sharper Image: Calling All Gift Cards,” Wall Street Journal, April 13, 2011
[73] Ski Market petitioned its bankruptcy judge to allow gift card holders to redeem half their value for a one-week period, after the Connecticut attorney general threatened to oppose the retailer’s sale. See “Judge approves deal for Ski Market gift card holders,” Patriot Ledger, January 19, 2010
[74] Saks Fifth Avenue’s Premier Salon offered a 30% discount to gift card holders of Georgette Klinger (according to article at www.buzzle.com/articles/are-your-gift-cards-completely-worthless.html). Toys “R” Us offered a 15% discount on one item to KB Toys gift card holders (according to article available at www.walletpop.com/2009/01/12/turn-your-kb-toys-gift-card-into-15-off-at-toys-r-us)
[75] The Sharper Image filed for bankruptcy in February 2008. In July 2011, the bankruptcy estate determined that it could make (small) payments to holders of unused gift cards. “Consumers Win in Sharper Image Bankruptcy Case,” NBC Chicago, July 7, 2011

This lack of consumer protection has given rise to a cottage industry in the private sector, which includes gift card exchanges and even bankruptcy insurance for gift cards.[76]

Besides affecting consumers after the fact, the prospect of merchant bankruptcies weighs on consumers’ minds. According to one survey, some 47% of gift card buyers and 38% of non-buyers of gift cards are worried about the prospect of specific merchants going bankrupt, leaving their cards worthless.[77]

Customers tend to fare better with other alternative companies. Non-financial companies issuing gift cards tend not to segregate customer funds. By contrast, the other New Plastic companies tend to have customer funds held at financial institutions and may be FDIC-insured. For instance, GPR cards that operate on a traditional payment network must provide FDIC insurance, as required by the network’s operating rules.[78]

Since 2008, customers of other New Plastic companies have increasingly received the benefit of deposit insurance. As mentioned above, these companies may choose to segregate customer funds and hold them at a depository institution. If so, there arises the conceptual question of who receives the benefit of the deposit insurance. Is it the alternative company itself, with its customer funds treated as a single account capped at $250,000, or is each customer separately insured on a pass-through basis? In November 2008, the FDIC General Counsel issued an updated version of “General Counsel’s Opinion Number 8,”[79] which concluded that all such funds will be treated as deposits for purposes of deposit insurance, and that each customer will separately enjoy the benefit of deposit insurance on a pass-through basis, if certain processes are followed.

Nonetheless, such companies are not required to place funds with a depository institution, and if they cannot pass on the increasing cost of deposit insurance to customers (which now exceeds the interest earned on many low-balance checking accounts), they have a financial incentive not to do so. At least some Visa and MasterCard open-loop gift cards are also not FDIC-insured.[80]

Similarly, customers of Non-Plastic Asset Accounts may have the option to have their funds insured. PayPal, for instance, allows customers to choose whether to invest their funds in a pooled account at an FDIC-insured depository or in an uninsured money market fund.

Virtual currencies are not FDIC-insured, nor do they have bankruptcy protection.

[76] A company called Leverage offers insurance on gift cards that it sells. “Not worth the plastic they’re printed on,” WSJ Marketwatch, March 3, 2008
[77] “Borders Gives a Gift to the Prepaid Industry in Chapter 11,” Mercator Advisory Group, August 2011
[78] American Express appears to be the exception; its recently launched GPR card is not FDIC-insured. The Cardmember agreement is available at www212.americanexpress.com/dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/gpr_cardmemberagreement.do?vgnextoid=0b52457192b2d210VgnVCM100000defaad94RCRD&vgnextchannel=95ddb81e8482a110VgnVCM100000defaad94RCRD&appInstanceName=default&name=gpr_cardmemberagreement&type=intbenefitdetail (undated; last accessed November 14, 2011)
[79] Published in the Federal Register at 73 FR 67155-67157
[80] Examples include the Giving Tree GiveCard. Terms and conditions available at www.givingtreelife.com/terms-and-conditions (undated; last accessed November 14, 2011)

6.2. THE CONSUMER FINANCIAL PROTECTION BUREAU

Background

In 2007, Harvard Law School professor Elizabeth Warren wrote a 12-page article, “Unsafe at Any Rate,” which proposed a Financial Product Safety Commission.[81] The paper’s title alludes to Ralph Nader’s 1965 book, Unsafe at Any Speed, which cast a critical eye on safety shortcomings in cars. Her idea became law in three years, an extraordinarily quick journey for an idea this transformational.

Warren envisioned an agency analogous to the Consumer Safety Product Commission, which oversees some 15,000 consumer products.[82] The first paragraph of her paper lays forth her philosophy:

“It is impossible to buy a toaster that has a one-in-five chance of bursting into flames and burning down your house. But it is possible to refinance an existing home with a mortgage that has the same one-in-five chance of putting the family out on the street – and the mortgage won’t even carry a disclosure of that fact to the homeowner … Why are consumers safe when they purchase tangible consumer products with cash, but when they sign up for routine financial products like mortgages and credit cards they are left at the mercy of their creditors?”

The CFPB’s official purpose is to enforce the law to ensure that “all consumers have access to markets for consumer financial products and services and that the markets for consumer financial products and services are fair, transparent, and competitive.”[83] The CFPB also has a number of broad objectives,[84] including that

• Consumers are provided with timely and understandable information to make responsible decisions about financial transactions
• Consumers are protected from unfair, deceptive, or abusive acts and practices and from discrimination
• Markets for consumer financial products and services operate transparently and efficiently to facilitate access and innovation.

To realize these objectives, there are five “primary functions” for the CFPB:[85]

• Conducting financial education programs
• Collecting, investigating, and responding to consumer complaints
• Collecting, researching, monitoring, and publishing information relevant to the functioning of markets to identify risks to consumers and the proper functioning of such markets
• Supervising companies for compliance and taking appropriate enforcement actions
• Implementing federal consumer financial law through rules, orders, etc.

[81] “Unsafe at Any Rate,” Democracy: A Journal of Ideas, Issue 5, Summer 2007. Available at www.democracyjournal.org/article.php?ID=6528
[82] Per www.cpsc.gov/about/faq.html
[83] Dodd-Frank §1021(a)
[84] Dodd-Frank §1021(b)
[85] Dodd-Frank §1021(c)

While the above language is quite broad, Dodd-Frank also establishes a number of highly specific functions within the CFPB:[86]

• A research function to analyze and report on marketplace developments in financial products, consumer awareness about products’ costs, risks, and benefits, and consumer behavior with financial products
• A community affairs function
• A function to collect and track consumer complaints about their financial products. It will, inter alia, create a centralized database of such complaints and share information with other regulators
• An Office of Fair Lending and Equal Opportunity
• An Office of Financial Education, which will develop and implement initiatives to help consumers make better financial decisions
• An Office for Service Member Affairs
• An Office of Financial Protection for Older Americans
• A Consumer Advisory Board, to provide information on emerging industry practices.

The CFPB assumes the responsibility for rulemaking and enforcement for some 18 existing consumer-protection laws (some of which do not pertain to payments). It can request whatever information it needs from institutions subject to its jurisdiction and can take violators to court. Depositories with under $10 BN in assets will continue to have their prudential regulator conduct examinations for compliance with consumer-protection laws. The CFPB will inspect larger depositories and all non-depositories. To facilitate the transition, it will work out agreements with other regulators to transfer some of their staff to the CFPB.

In 2011, the CFPB began the rulemaking process for identifying firms that it will inspect for compliance with consumer-protection laws.87 It identified six markets for inclusion in an initial rule

•• Debt collection
•• Consumer reporting
•• Consumer credit
•• Money transmitting and check cashing
•• Prepaid cards
•• Debt relief services.

Two of these – money transmitting and prepaid cards – are areas in which alternative providers participate.

86 Dodd-Frank §§1013, 1014
87 Press release available at www.consumerfinance.gov/pressrelease/consumer-financial-protection-bureau-seeks-public-input-on-key-element-of-nonbank-supervision-program

Implications for alternative payments

Under CFPB enforcement, consumer-protection laws will be applied regardless of a company’s legal structure. Before Dodd-Frank, alternative companies were not subject to compliance examinations. The CFPB may also issue new regulations for the laws that it enforces, which could address some gaps and ambiguities in today’s regulations.

Nonetheless, the CFPB’s establishment does not resolve all issues

•• While the inspection gap will close, coverage gaps that exist in the consumer-protection laws will still exist, as the CFPB cannot rewrite existing law
•• Part of the unequal playing field between traditional and alternative electronic payments arises from laws other than consumer-protection laws, which Sections 7-8 discuss in detail. Those gaps will continue to exist.

6.3. ELECTRONIC FUND TRANSFER ACT/REG E

Background

The 1978 Electronic Fund Transfer Act (EFTA)88 is among the few laws in our analysis that focuses on payments. Its preamble highlights a lack of clarity on consumer protections in electronic payments that existed at the time

“[D]ue to the unique characteristics of such systems, the application of existing consumer protection legislation is unclear, leaving the rights and liabilities of consumers, financial institutions, and intermediaries in electronic fund transfers undefined.”89

Ironically, ambiguities about EFTA’s scope still exist, as its key term “asset account” has yet to be fully clarified.

EFTA contains several types of consumer-protection provisions, including

•• Disclosure requirements (e.g., fees associated with an ATM transaction must be disclosed before the transaction occurs)
•• Statement requirements (e.g., institutions must provide statements for accounts at least quarterly when no transactions are made, and monthly when transactions are made, for accounts that permit electronic transactions)
•• Receipt requirements (e.g., customers must receive a receipt for every transaction that involves an electronic transfer).

88 Enacted by Title XX of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (Public Law 95-630), which created EFTA as Title IX of the Consumer Protection Act; codified as 15 USC §§1693-1693r
89 15 USC §1693(a)

The most significant consumer protection in EFTA may be its error-resolution procedures, which cover unauthorized electronic transactions and electronic transactions where an incorrect amount is debited. This protection is not as expansive as that provided by the Truth in Lending Act and Fair Credit Billing Act, which have provisions that cover merchant disputes and offer “claims and defenses” for purchases made by credit cards.

Customers who follow certain procedures have a cap on their liability for erroneous transactions. If a customer loses an “access device” for an account, liability is capped at $50 by notifying the institution within two days of the loss. If a customer takes longer, liability rises to $500 of unauthorized transactions, if the institution can prove that it would have avoided the loss with more timely notice. If a customer does not provide notice within 60 days, then the customer is liable for all unauthorized transactions occurring after the 60-day period.

A different procedure exists for errors not associated with the theft or loss of an access device, such as when a customer receives $X from an ATM but the account is debited $Y, or a hacker siphons off funds and the customer only learns of it by looking at the next statement. In these cases, the customer has two months after the statement cycle containing the transaction to dispute it. The institution then has 10 days to investigate and determine whether an error had occurred. An institution may choose to take more than 10 days; if it does so, it must give the customer a provisional credit within 10 days and complete its investigation within 45 days.

Implications for alternative payments

EFTA’s exact scope remains unclear, as it pertains to transactions involving an “asset account.” It explicitly declares deposit accounts to be asset accounts, but it leaves the status of other accounts ambiguous. Neither the law nor Regulation E defines “asset account” in a way that makes it clearly apply (or clearly not apply) to most alternatives.

Indeed, even the largest such company, PayPal, is uncertain as to EFTA’s exact scope. A recent eBay annual report stated

“Although there have been no definitive interpretations to date, PayPal has assumed that its service is subject to the Electronic Fund Transfer Act and Regulation E.” 90

The following year, perhaps not wishing to concede the point while still offering comparable consumer protections, PayPal slightly modified its position

“Although there have been no definitive interpretations to date, PayPal has taken actions as though its service is subject to the Electronic Fund Transfer Act and Regulation E.” 91

90 eBay 2009 10-K, p. 29
91 eBay 2010 10-K, p. 16

Amazon Payments’ policy regarding unauthorized transactions, by contrast, implies that it considers itself subject to EFTA and Regulation E

“Under federal law, your liability for Unauthorized Transactions is determined by how quickly you report it to us. If you tell us within two (2) Business Days (as defined below) after you learn of the compromise of your Credentials, you can lose no more than $50 if someone used your Credentials without your permission. If you do NOT tell us within two (2) Business Days after you learn of the compromise of your Credentials, and we can prove we could have stopped someone from using your Credentials without your permission if you had told us, you could lose as much as $500.” 92

FaceCash, a company enabling consumers to conduct electronic transactions by phone, allows merchants to see the customer’s photo, thereby reducing (but not eliminating) fraud in such transactions. The company does not seem to contemplate the possibility of unauthorized transactions. Its “information for individuals” page addresses a number of questions. For an important question on that list (“What if I lose my phone, or my phone is stolen?”), it provides the following response

“If your phone is lost or stolen, there’s no need to worry – unless the thief is your identical twin. Even if the thief can access your phone, your password, the FaceCash app, and your data, they still probably won’t look very much like you. On the off chance that the cashier isn’t paying attention, you can always lock your FaceCash app with the PIN you create when you sign up just by signing into the web site.” 93

For New Plastic, the story is even more complicated. In 2006, bank regulators created the concept of “Reg E lite”94 for payroll cards. This consists of all Regulation E provisions, other than periodic statements; instead, providers must allow customers to view at least 60 days’ worth of transactions through a website or by phone. In 2011, the US Treasury announced that it will permit federal payments to be loaded onto prepaid cards, so long as providers abide by several conditions, including providing Regulation E lite protections to their customers.95

There has been speculation that Regulation E lite may be extended to other New Plastic or Non-Plastic Asset Account products, and there have been efforts in Congress to implement a legislative solution. But for now, Regulation E coverage does not appear to extend beyond those alternatives that have been explicitly covered – hence PayPal’s uncertainty.

Virtual Currencies may remain outside the scope of Regulation E – some question whether they are “asset accounts,” or even “assets.” In terms of consumer protections, some Virtual Currencies provide protections that are broadly comparable to TILA/EFTA protections, but not all do. Facebook, for instance, requires that customers submit a claim regarding a disputed transaction within 30 days, or else a claim is waived “to the fullest extent permitted by law”.96 Meanwhile, Zynga’s terms and conditions state that all purchases are non-refundable but do not seem to address the issue of unauthorized or erroneous transactions at all.97

92 Available at payments.amazon.com/sdui/sdui/helpTab/Personal-Accounts/User-Agreement-Policies/Unauthorized-Transactions-Policy (dated October 2, 2007; last accessed November 14, 2011)
93 Available at www.facecash.com/individuals.html (undated; last accessed November 14, 2011)
94 12 CFR §205.18
95 Published in the Federal Register at 75 FR 80335-80340
96 From the version on www.facebook.com/payments_terms (dated October 14, 2011; last accessed November 14, 2011)
97 Available at www.zynga.com/about/terms-of-service.php (dated November 30, 2010; last accessed November 14, 2011)

6.4. EQUAL CREDIT OPPORTUNITY ACT/REG B

Background

The Civil Rights Movement in the US has resulted in a number of laws and court actions that have struck down the barriers that some citizens faced in a variety of activities, such as receiving an education, obtaining employment, using public facilities, voting, and participating in other aspects of life.

The 1974 Equal Credit Opportunity Act (ECOA)98 offers protections in financial services, providing procedural and substantive safeguards to prevent discrimination on the basis of race, sex, national origin, marital status, age (if one is old enough to enter into a contract), receiving public assistance, or exercising one’s rights under ECOA. The Act does not establish a right to receive credit, but it prevents lenders from considering various factors when making credit decisions.

Many ECOA provisions limit the types of actions that lenders may take. Other provisions provide certain rights to lending customers. Most are only relevant to loans (such as the right to know the outcome of an application within 30 days, to obtain credit without a co‑signor if one meets a lender’s credit standards, etc.). Other such rights, which extend only to lending products, are relevant to non-lending products. A customer changing his or her name or marital status has the right to keep accounts in his or her former name, and a customer has the right to have an account in either one’s birth name or married name.

ECOA also imposes recordkeeping requirements on lenders. “Credit” is defined more expansively than in the Fair Credit Billing Act or the Truth in Lending Act. Essentially, it includes any extension of credit where the borrower incurs a debt that does not have to be immediately repaid. All types of lenders, depository and non-depository, are covered. The Federal Reserve enforces ECOA for banks through its Regulation B.

Dodd-Frank, besides transferring authority to regulate ECOA to the CFPB, also added a provision to ECOA requiring lenders to track information about business loan applicants99

•• Whenever a business applies for credit, the lender shall inquire whether the business is women-owned, minority-owned, or a small business. The applicant may decline to answer
•• The lender shall keep this information separate from the rest of the application; in particular, underwriters shall not access it
•• Every lender shall annually provide to the CFPB information about each business loan application, including
−− The application number and date
−− The amount applied for and amount received
−− The action taken on the application and the date of the action
−− The census tract of the business’s principal place of business
−− The business’s annual revenue
−− The race, sex, and ethnicity of the business’s principal owners
−− Any additional information that the CFPB determines would aid in fulfilling the purposes of this requirement.

98 Enacted as Title III of Public Law 93-495; codified as 15 USC §§1691-1691f
99 Dodd-Frank §1071

Implications for alternative payments

ECOA creates an uneven playing field: it imposes a greater compliance burden on several forms of payment, due to the combination of ECOA’s scope (“credit”) and business model differences between different forms of payments.

As the Federal Reserve Bank of Boston noted in a guide on ECOA, “few people believe that purposeful discrimination is prevalent.”100 Thus, one certainly hopes that ECOA’s existence does not confer a substantive advantage to companies not subject to it. Nonetheless, complying with ECOA requires a not inconsiderable amount of time and effort for credit and charge card issuers, who are subject to it. Among alternatives, only Mobile Carrier Billers and deferred debit cards would appear subject to it.

The business loan data collection provision has not yet taken effect, but it will further increase the compliance requirements for credit and charge card issuers relative to alternative providers.

6.5. FAIR CREDIT REPORTING ACT/REG V

Background

The 1970 Fair Credit Reporting Act (FCRA)101 regulates the use of third-party consumer information by establishing the legal framework for “consumer reporting agencies.” These include the familiar credit bureaus, as well as such specialty information providers as “nationwide specialty consumer reporting agencies,” which collect information on matters such as employment history, insurance claims, check writing, and the like.

FCRA regulates how such information can be disclosed, how long derogatory information can be maintained, and how consumers can dispute incorrect information. Other requirements relate to how lenders can use bureau information in the loan application process. For instance, institutions taking adverse action against a customer (e.g., denying an application, offering a less than most favorable interest rate) that is based on bureau information must disclose to the customer the action taken and provide contact information for the bureau. That bureau, in turn, must furnish a free copy of the customer’s credit report upon request.

100 Federal Reserve Bank of Boston document “Closing the Gap: A Guide To Equal Opportunity Lending.” Available at www.bos.frb.org/commdev/closing-the-gap/closingt.pdf
101 Enacted as Title VI of Public Law 91-508; codified as 15 USC §§1681-1681x

FCRA’s scope is broad. Users of credit bureau information are covered by the law, regardless of whether they are depositories or not. The Federal Reserve enforces the law through its Regulation V, while the FTC enforces it for non-depositories, including the consumer reporting agencies themselves.

Implications for alternative payments

Given the law’s expansive scope, in theory no differences should arise between the treatment of traditional and alternative electronic payments. In practice, FCRA imposes a greater compliance burden on traditional payments providers, because of business model differences between the two. When originating a credit card or even a deposit account, banks must assess the credit risk of an applicant (for depositors, so that they can manage the risk of the customer overdrafting), which requires the use of credit reports. Providers of alternative electronic payments, by contrast, generally do not assume credit risk in the course of providing customers payments services. As a result, they use credit reports less and therefore do not incur the same compliance obligations.

6.6. FINANCIAL PRIVACY (GLB/REG P)

Background

The primary function of the 1999 Gramm-Leach-Bliley Act (GLB)102 was to repeal Glass‑Steagall’s separation of commercial banking, investment banking, and insurance underwriting. Several GLB sections, however, establish consumer protections related to financial privacy.103 In summary, financial institutions must safeguard their consumer information, annually disclose how they use this information, and allow consumers to opt‑out of having their information shared for marketing purposes.

The scope of these provisions extends to any “financial institution,” which in turn is defined as any institution engaged in any activity that banking law defines to be “financial in nature.” The various supervisors of regulated financial companies (e.g., banks, thrifts, broker-dealers, investment companies, insurance companies, etc.) enforce these provisions. The FTC enforces GLB against companies lacking such a regulator. The Federal Reserve does so through its Regulation P.

Implications for alternative payments

As written, GLB would appear to cover most types of alternative companies. Non‑depositories are covered if they engage in any activity deemed a financial activity in the .104 While not mentioning payments by name, the definition of financial activity does include “lending, exchanging, transferring, investing for others, or safeguarding money or securities”.105

102 Public Law 106-102
103 GLB §§502-509, codified as 15 USC §§6802-6809
104 The GLB privacy provisions cross-reference Bank Holding Company Act §4(k), which is codified as 12 USC §1843(k)
105 12 USC §1841(k)(4)

There are several ambiguities, though. GLB’s protections commence when a “customer relationship” is established, a term which it leaves to the regulators to define. In Regulation P, privacy protections apply only to customers who have a “continuing relationship” with a financial institution.106 Many examples of continuing relationships are mentioned, as well as examples where no such relationship exists, such as ATM transactions.107

Unlike other types of alternative payments, Mobile Carrier Billers do not require customers to establish accounts with them to use their services. As such, their services seem analogous to ATM transactions, and thus Regulation P would not seem to apply. New Plastic and Non-Plastic Asset Accounts involve ongoing relationships and thus are covered. Indeed, PayPal and BilltoMobile both allow their customers to prevent information-sharing for marketing purposes.

It is possible that Virtual Currencies would remain outside the scope of Regulation P, but uncertainty about these companies extends to matters far beyond financial services. For some companies, such as Facebook, there have been well-documented concerns about privacy issues, where user information is used in ways that are not readily apparent to the user. Whether these issues involve Facebook Credits in any way, and whether Facebook Credits would be covered by a long-rumored settlement with the FTC over privacy issues remains unclear.

6.7. FUNDS AVAILABILITY/REG CC

Background

The 1987 Expedited Funds Availability Act (EFAA)108 specifies how quickly banks must make funds available to customers after making a deposit. It applies only to depository institutions. The Federal Reserve enforces it through its Regulation CC.

When a customer deposits a check, it may take several days for the bank to collect the funds. Banks thus have a strong incentive not to make funds available to customers before collecting on items – doing so would expose them to the risk of check kiting. In order to promote uniformity in banks’ funds availability policies, and to encourage banks to process checks more quickly, EFAA was enacted. It specifies time periods for different types of deposits, which are generally aligned with credit risk. For instance

•• Cash deposits, electronic deposits, and checks drawn on various government entities must be made available the next business day109
•• Most other checks must be made available within two business days. The first $200 of such checks must generally be made available the next business day.110

These rules contain certain exceptions. For instance, banks can take more time when handling large checks, new accounts, accounts that have been recently overdrawn, checks suspected of being fraudulent, and other similar situations.

106 12 CFR §216.3(h)
107 12 CFR §216.3(h)(2)(ii)(A)
108 Enacted as Title VI of the Competitive Banking Equality Act of 1987 (Public Law 100-86); codified as 12 USC §§4001-4010
109 Cash deposits not made in person (e.g., at an ATM) must be made available by the second business day
110 This amount was originally $100 but was recently increased to $200 (by Dodd-Frank §1086) and will be indexed to inflation going forward

Until 2004, checks generally had to be physically handled as part of the clearing process, but banks can now exchange electronic copies,111 a change which has helped to reduce the time required to process checks.

Implications for alternative payments

As alternatives tend not to handle checks or cash, many of EFAA’s provisions are not directly relevant.

While a statutory gap may exist in principle, most of the time one does not exist in practice. Generally, when a Non-Plastic Asset Account customer makes a P2P transaction, the funds tend to be available immediately. This is because different customers’ funds are generally held at the same institution, so the alternative company faces no credit risk in such transfers (assuming the transaction is not fraudulent).

6.8. STATE LAWS AND FEDERAL PREEMPTION

Two separate but interrelated concepts – state laws and federal preemption – are important to consider in any evaluation of how alternative payments are regulated.

Background: State laws

In many aspects of commerce, state governments and the federal government can both enact laws. In general, we do not discuss the details of state laws – the volume of laws across the 50 states and territories makes this impossible – but it is important to note that state laws supplement federal laws in some places. For instance, we note in Section 6.9 that transactions conducted by Mobile Carrier Billers are not covered under the Fair Credit Billing Act because they do not satisfy its definition of “credit”. California state law, however, has several provisions that appear to address these transactions

“A telephone bill may only contain charges for products or services, the purchase of which the subscriber has authorized.” 112

“Any person, corporation, or billing agent that charges subscribers for products or services on a telephone bill shall … [p]rovide a means for expeditiously resolving subscriber disputes over charges for a product or service, the purchase of which was not authorized by the subscriber.” 113

Most, if not all, states regulate businesses that handle cash or negotiable instruments as money service businesses (MSBs). Section 7.3 discusses MSB regulation in more detail.

111 The Check Clearing for the 21st Century Act (Public Law 108-100), which was enacted in 2003 and took effect in 2004, generally allows for check images to serve as the equivalent of the paper original
112 California Public Utilities Code §2890(a); available at www.leginfo.ca.gov/calaw.html
113 Ibid., §2890(d)(2)(D)

Background: Federal preemption of state laws

Federal law is “the supreme law of the land,” superseding state law where they conflict.114 Preemption is the process whereby a state law in conflict with a federal law is made inoperative for certain types of companies. The amount of preemption varies significantly across industries. Banking law has historically provided a significant amount of preemption for national banks.

The US has a “dual banking” system, in which both the states and the federal government charter and supervise depository institutions. National banks debuted during the Civil War, through the National Banking Acts of 1863 and of 1864.115 These laws established the OCC and gave it sole power to regulate national banks, unless a provision of federal law explicitly gives the states some authority to do so. The OCC regularly preempts state laws impacting national banks, simply by informing them that they may disregard the state law. If a state disagrees, it can go to court to have the OCC’s preemption order overturned.

In practice, banks generally have been successful in having preemption decisions upheld. Courts have a general policy, across industries, of deferring to regulators. If a court is asked to rule on the validity of a regulator’s decision (in this case, an OCC preemption decision), it will generally address just the narrow issue of whether the decision was “reasonable”.116 The idea is that regulators are subject-matter experts, so judges should not second-guess their conclusions unless they are clearly erroneous. Barnett Bank v. Nelson (1996), a key pre-Dodd-Frank Supreme Court case,117 further clarified that any state law that “prevents or significantly interferes” with a national bank’s exercise of its powers can be preempted.

Dodd-Frank makes some changes to the preemption regime. The OCC can no longer preempt state laws that offer greater consumer protection than what exists under federal law, unless the law prevents or significantly interferes with its powers as articulated in Barnett. Judges who hear preemption disputes are explicitly authorized to review the substance of preemption decisions for themselves, rather than have to defer to the OCC’s stance.118 In light of the particular language used in Dodd-Frank, however, there is disagreement about exactly how preemption will change as a result.119 In any event, the concept itself still exists, even if some of the details will change.

Implications for alternative payments

This is the only area of regulation in our paper where consumers receive greater consumer protections with alternative companies than with traditional payments companies, as national banks can, through preemption, avoid having to comply with certain state laws.

114 US Constitution, Article VI, Clause 2
115 Two previous national banks, the First Bank of the (1791-1811) and the Second Bank of the United States (1816-1836), were sui generis
116 This policy of deference, or “Chevron deference” is formally articulated in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984)
117 Barnett Bank of Marion County, N. A. v. Nelson, Florida Insurance Commissioner, et al., 517 U.S. 25 (1996)
118 Dodd-Frank §1044
119 “Preemption May Not Be As Weak As You Have Heard,” American Banker, March 15, 2011

California law has already impacted one of the alternative companies mentioned in this paper. In October 2010, California updated its laws governing money transmission and payment instruments. Among its new provisions is a requirement that issuers of payment instruments (which generally include New Plastic and Non-Plastic Asset Accounts) must maintain a surety bond equal to 50% of “the average daily outstanding payment instrument and stored value obligations in California,” subject to a $500,000 minimum and $2,000,000 maximum.120 This provision took effect on July 1, 2011.121

On June 29, 2011, FaceCash stopped serving customers based in California and refunded the money they had loaded into their FaceCash accounts. It offered the following explanation

“Even though Think Computer Corporation, the company that runs FaceCash, is capable of meeting both of these requirements, the unfortunate reality is that the California Department of Financial Institutions (DFI) requires licensees to have far more than the dollar figures specified by the statute. The DFI has been unwilling to provide a single number to us explaining how much money is actually required to obtain a license.”122

6.9. TRUTH IN LENDING ACT AND FAIR CREDIT BILLING ACT/REG Z

We discuss the Truth in Lending Act (TILA) and the Fair Credit Billing Act (FCBA) together (and will generally refer to them collectively as TILA), as the FCBA amended TILA, and the Federal Reserve implements both through its Regulation Z.

Background

The initial purpose of TILA (1968)123 was to ensure that consumers could meaningfully understand the cost of credit and compare products across different companies through the standardization of certain forms and key terms.

TILA applies to a broad set of closed-end loans as well as lines of credit, and its scope extends to both depositories and non-depositories. Historically, the Federal Reserve enforced TILA through its Regulation Z, while the FTC enforced it for non-depositories.

In 1975 FCBA124 amended TILA by adding provisions to “protect the consumer against inaccurate and unfair credit billing and credit card practices.” Similarly, most provisions of the Credit CARD Act (discussed in Section 4.2) are TILA amendments.

TILA’s provisions are relatively complex – the OCC has produced a 256-page compliance guide for national banks.125 Many provisions fall outside the scope of our paper.

120 California Financial Code §1817(d); available at dfi.ca.gov/licensees/moneytransmitters
121 Ibid., §1872(b)
122 Available at www.facecash.com/legal/ca.html
123 Enacted as Title I of the Consumer Credit Protection Act (Public Law 90-321); codified as 15 USC §§1601-1665e
124 Enacted as Title V of Public Law 93-495; codified as 15 USC §§1666-1666j
125 Available at www.occ.gov/publications/publications-by-type/comptrollers-handbook/truth-in-lending-handbook.pdf

Some provisions, though, are important in the payments context. For instance, TILA limits the liability of a credit card user for unauthorized transactions to $50, and the burden of proof is on the credit card issuer, not the consumer.126 Many credit card issuers go beyond this and do not hold customers liable for any amount of unauthorized transactions.

TILA also provides the dispute-resolution process that is well known to credit card customers,127 which includes the following key steps

•• A borrower has the right to dispute a transaction for up to 60 days after the end of the statement cycle containing the transaction, by providing written notice
•• A lender has 30 days from receiving such notice to acknowledge it
•• A lender has two full billing cycles, and in no event more than 90 days, to make a determination and either adjust the borrower’s account or else explain why no action is warranted.

TILA addresses unauthorized transactions, as does EFTA, but it goes further. It also covers merchant disputes, such as when a consumer fails to receive goods or services from a merchant, or a merchant delivers goods or services inconsistent with what was promised. This is a particularly strong consumer protection.

TILA includes a second, less well-known provision that also extends beyond EFTA’s protections. TILA’s “claims and defenses” provision128 allows consumers to take up any legal rights that they may have with a merchant instead with the credit card company itself. To use this provision, a customer must

•• Have a dispute for over $50, and the claim is not a tort (e.g., a purchase is itself covered, but not liability/negligence arising from a purchase)
•• Reside within the same state, or else within 100 miles, of the merchant129
•• Have not paid for the transaction. Money is fungible of course, but this provision is defined in a pro-consumer way: The consumer is presumed to pay off the disputed transaction last. Payments are assumed to go towards interest, fees, etc. first and then towards all non-disputed transactions. So long as the customer’s outstanding credit card balance exceeds the amount of the transaction, this condition is met.

Notably, this provision has no time limit, whereas merchant disputes are limited to 60 days after the statement cycle. Since card networks or merchant processors often have policies restricting the time period for chargebacks, if a customer asserts claims and defenses after the chargeback period, the credit card company, rather than the merchant, would reimburse the customer.

While powerful, this provision remains obscure – even some government websites appear not to be familiar with all of the details of claims and defenses.

126 Per 15 USC §1643
127 As discussed in Section 6.3, disputes arising from electronic transactions involving a deposit account (or an “asset account”) are governed by EFTA/Reg E
128 TILA §170; regulation at 12 CFR §226.12(b)
129 As the physical location of internet and telephone sales are not addressed in the law and regulation, determining whether an individual has claims-and-defenses rights for such transactions can be complicated

Implications for alternative payments

Given that most alternative electronic payments do not involve an extension of credit, many TILA provisions are not directly applicable. The provisions related to disputed payments, of course, are directly relevant.

Alternative companies are covered by TILA, but only if they meet the definition of “creditor.” Consumers also receive TILA’s protections when alternatives act as Facilitators. If a customer conducts a credit card transaction through an intermediary (such as a Non-Plastic Asset Account), and it pays for the transaction and charges the customer’s credit card for that exact amount (rather than debiting the customer’s prepaid balance), then the transaction is covered by TILA as though the customer had made the purchase directly with the credit card.130

New Plastic and Non-Plastic Asset Accounts are not otherwise covered by TILA, because they are not creditors. Customers use their own funds to pay for a transaction (assuming that they cannot overdraft). GPR cards generally offer protections for billing errors and unauthorized transactions. PayPal does as well.131

Mobile Carrier Billers, although they extend credit, are not covered by TILA, because the term “creditor” only applies to a company if it

“(1) regularly extends … consumer credit … payable by agreement in more than four installments or for which the payment of a finance charge is or may be required, and
“(2) is the person to whom the debt arising from the consumer credit transaction is initially payable …” 132

Neither part of the first condition of “creditor” is satisfied. The consumer does not incur a finance charge. No finance charges exist in such transactions, and even if transaction fees were to be considered a “finance charge,” they are generally paid by the merchant rather than the consumer. Nor does the consumer have the option of paying in installments; mobile phone bills must be paid in full every month (or are prepaid).

The second condition is not met either. The Mobile Carrier Biller is not itself a creditor; instead, the customer’s mobile carrier is. It may be possible for the mobile carrier itself to be covered by TILA if the first condition can somehow be met, but not the Mobile Carrier Biller.

One Mobile Carrier Biller, BOKU, says as much in its terms and conditions

“We are not required to issue refunds if a product or service turns out to not meet your expectations, or if the Publisher does not fulfill its commitments. We have no obligation, and cannot guarantee that, we will resolve any disputes related to any transaction to your satisfaction. The Boku Service is provided “AS IS” and without warranty.”133

130 TILA Official Staff Interpretations, comment #2 regarding 12 CFR §226.13(a)(3)
131 Available at cms.PayPal.com/us/cgi-bin/?cmd=_render-content&content_ID=ua/UserAgreement_full&locale.x=en_US (dated November 1, 2011; last accessed November 14, 2011)
132 15 USC §1602(f)
133 Available at www.boku.com/about/terms (dated August 15, 2011; last accessed November 14, 2011)

To be fair, this statement is undoubtedly intended, in part, to make the point that there is no consumer protection associated with “expectations.” Given that a certain amount of their business may well consist of impulse purchases, reiterating this point may be important to them. But a clear regulatory gap exists, as BOKU has chosen not to offer a dispute-resolution mechanism for legitimate billing errors.

Meanwhile, another Mobile Carrier Biller, BilltoMobile, does not mention the Fair Credit Billing Act by name but does provide a comparable billing-dispute process. According to its terms of use,134 BilltoMobile customers have 90 days (which can be extended in certain situations) to file a dispute. The merchant is then given 20 days to resolve the dispute. Should the dispute remain unresolved thereafter, BilltoMobile will make a final determination within 40 days.

Additionally, the spirit of other TILA provisions is also applicable to alternative electronic payments. Credit card applications must contain the famous “Schumer box,” with disclosures for many key aspects of a particular product offering in a standardized way (even down to the font size).135 Credit cards have many more terms and conditions relating to costs than do alternative electronic payments, as they have credit-related features in addition to payment-related features. Nonetheless, alternative providers can have costs and other account features for which no comparable disclosure is mandated. PayPal’s user agreement is some 23 pages long. While many banks also have long agreements for their products, they also have concise, standardized summaries of key terms, something which is lacking in the PayPal user agreement. The issue of disclosures is also addressed by the Truth in Savings Act, which the next section covers.

6.10. TRUTH IN SAVINGS ACT/REG DD

Background

The 1991 Truth in Savings Act (TISA)136 explicitly applies only to depository institutions and brokers of deposit accounts. TISA contains a number of specific provisions that generally relate to transparency when applying for an account and in account statements. Some of its provisions have counterparts in TILA. The Federal Reserve enforces TISA through its Regulation DD. As with many other consumer-protection laws, the CFPB received enforcement authority in July 2011.

134 Available at www.billtomobile.com/legal (dated October 26, 2010; last accessed November 14, 2011)
135 In 1988, the Fair Credit and Charge Card Disclosure Act (Public Law 100-583) amended TILA to require that card solicitations contain certain specified information “in a tabular format”. Regulation Z requires, for instance, that disclosures for credit card interest rates be shown in at least 16-point type (12 CFR §226.5a(b)(1))
136 Enacted as Subtitle F of Title II of the Federal Deposit Insurance Corporation Improvement Act of 1991 (Public Law 102-242); codified as 12 USC §§4301-4313

TISA requires that banks must, inter alia
• Make disclosures regarding the interest rate earned on deposits, any minimum account balance required to earn that rate, and any penalties for early withdrawals
• Provide schedules, as may be specified by regulators, in “clear and plain language” containing a description of all fees, charges, interest rates, terms and conditions, etc., minimum balances that affect these items, and any minimum-balance account opening requirement
• Distribute updated versions of these schedules to any existing customers, whenever changes are made to any terms and conditions that “adversely affect” the customer
• Make various disclosures about interest earned, fees paid, etc. on periodic statements.

TISA also prohibits banks from
• Using “free” or “no cost” to describe an account that has a minimum-balance or maximum-transaction requirement in order to avoid fees (as discussed in Section 4.1)
• Making misleading advertisements or announcements about account terms and conditions.

To facilitate compliance, the law directs regulators to produce model forms for banks to use.

Implications for alternative payments

Many of TISA’s provisions are not directly relevant to alternative payments providers, as most do not allow customers to earn interest, and most (besides GPR cards) do not impose monthly charges. Rather, alternatives tend to charge the customer or the merchant on a per‑transaction basis.

Nonetheless, the spirit of TISA (like the spirit of TILA) is relevant to alternatives. Depositories are required to make a schedule of their fees available to a customer upon request.137 PayPal’s aforementioned user agreement does include a fee schedule, but this is in the middle of the agreement, which is made that much more complex by also covering foreign countries in the same agreement.

Similarly, it is not immediately clear whether alternative providers proactively disclose material changes in key terms, as depositories must, when those changes are adverse to the consumer.

In April 2011, the Pew Charitable Trusts released a report on banks’ checking account disclosures, in which it concluded that checking account disclosures can be improved upon beyond what is currently required in TISA and EFTA disclosures.138 Pew has been working with the CFPB on the issue.139 Should the CFPB adopt new account disclosures along these lines, it is unclear whether products other than checking accounts would be covered (or could be covered, if it uses authority under TISA, which extends to depositories only).

137 12 USC §4305(a)(1)
138 Pew Health Group document “Hidden Risks: The Case for Safe and Transparent Checking Accounts.” Available at www.pewtrusts.org/uploadedFiles/wwwpewtrustsorg/Reports/Safe_Checking_in_the_Electronic_Age/Pew_Report_HiddenRisks.pdf. The checking account model disclosure is on page 10
139 “Durbin, Reed Call on CFPB to Require Simple Disclosure of Checking Account Fees,” American Banker, November 4, 2011

6.11. UNCLAIMED PROPERTY/ESCHEATMENT

Background

Unclaimed property is a concept extending well beyond financial services: All US states have laws addressing this issue to ensure that apparently ownerless property is not left in legal limbo. These laws require abandoned property to be transferred to the state after a certain amount of time. Escheatment is the process whereby unclaimed property is so transferred.

The National Conference of State Commissioners, a body that promotes uniformity in certain types of state laws, has written several model laws related to escheatment, most recently the Uniform Unclaimed Property Act (1995).140 A majority of, but not all, states have adopted one of its model laws governing escheatment.

The law requires companies holding customer property (e.g., deposit accounts, securities, uncashed checks, insurance policies, unclaimed refunds on utility bills, etc.), to make efforts to notify customers with inactive accounts, and after a certain amount of time, to hand over the property to the state. Similarly, the states have an obligation to maintain searchable records of such property, to enable long-lost owners to reclaim it later.

Given that unclaimed property ultimately goes to the state, financial institutions have an incentive to extract value by continuing to collect monthly fees, imposing inactivity fees, or other means. Such fees can be a point of contention between financial institutions and the states. Conversely, states have an incentive to discourage the collection of such fees, because they reduce the amount of funds they receive.

Section 5 of the model law provides some general restrictions on dormancy charges. Dormancy charges must be “not unconscionable,” and the company imposing them must “regularly [impose] the charge, which is not regularly reversed.”

For gift cards, gift certificates, and general-use prepaid cards, the Credit CARD Act provides specific limitations on inactivity fees.141

Implications for alternative payments

Escheatment laws generally apply to all types of intangible property, held at any type of company. Thus, for all alternatives besides Mobile Carrier Billers, the concept is relevant.

There may be some question as to which property category is most applicable for a particular account, as the model law contains 14 categories of property with varying time periods, as well as an “all other” category. The principle, though, that unclaimed property ultimately escheats to the state is clear cut.

140 A good summary, prepared by the National Association of State Treasurers, is available at their website at www.nast.org/2008treasurymgmt/TMC%20Unclaimed%20Property%20Sessions/THUR10amDEC11NicoleJulalUniformUPAct.pdf. The text of the model law, along with section-by-section commentary, is available at www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/uupa95.pdf
141 Credit CARD Act §401(2) created EFTA §915, which contains these provisions

Some alternative companies, however, do not address escheatment policies in their terms and conditions. Others have (or had) policies that seem inconsistent with escheatment laws. Among New Plastic companies, only a handful of GPR card terms and conditions mention escheatment. One possible explanation is the issue arises only infrequently, as customers tend to keep relatively low balances, and many products’ fee structures are such that a balance would likely not remain after several years of inactivity. In general, companies are not obliged to disclose every state law that they follow. These companies may simply have chosen to be silent on this issue to avoid confusion for the majority of customers for whom this issue will not arise, but it is difficult to tell for certain.

Among Virtual Currencies, as recently as the summer of 2011 Facebook’s terms and conditions regarding Facebook Credits had several provisions that appear inconsistent with escheatment policies

“3. Purchasing and Using Credits ...
6. If you leave a balance of credits unused for 3 years, we may redeem those credits by sending virtual gifts to your Facebook friends or donating the credits to a nonprofit organization of our choice (and charging standard redemption fees for those transactions).
7. If you deactivate your account and do not reactivate it within 6 months, or if you delete your account, you will lose any accumulated credits.
8. If we deactivate your account and you do not meet any conditions necessary to reinstate it within 6 months, we may redeem those credits by donating the credits to a nonprofit organization of our choice (and charging standard redemption fees for those transactions).” 142

This policy appeared to be inconsistent with escheatment law for several reasons
• A general principle is that a holder of customer property cannot do whatever it wishes. It must turn the property over to the state after a specified amount of time
• The choice of a three-year timeframe may have been intended to coincide with the typical inactivity period in state laws; however, the specific law of a particular customer’s state controls. As not all states have the same period, the time period should be based on the state where the customer last resided
• There does not appear to be a basis in escheatment law for the different treatment of deactivated and deleted accounts relative to inactive accounts
• The treatment of inactivity fees is a particularly complex topic. Facebook stated that it will charge its standard redemption fees (its merchant discount is currently 30%). This is a de facto inactivity fee. Such fees are permitted, but many states impose limits on them, usually in terms of a per-month fee. Depending on the balance in a Facebook Credits account, this practice may well have been consistent – but it might not have been.

142 Facebook Payment Terms, available at www.facebook.com/payments_terms (previous version dated June 28, 2011; last accessed August 28, 2011)

Facebook has begun selling Facebook Credits in the “real world,” and non-game merchants have begun accepting them as payment, as discussed in Section 3.2. Perhaps for this reason, it recently updated its escheatment policies:

“4. Purchasing and Using Credits … 6. If you leave a balance of credits unused for a period of time set forth by your state, county or other governing body in its unclaimed property laws, or if you delete your account and leave a Credits balance, or if we deactivate your account and you do not meet any conditions necessary to reinstate it within 6 months, we may process your balance in accordance with our legal obligations, including by submitting funds associated with your Credits balance to the appropriate governing body where required by law.” 143

It is also possible that Facebook learned from the example of Skype, which had terms and conditions inconsistent with escheatment policy.

Skype offers Skype Credit, which can be used to pay for its internet telephone service. It used to have a policy whereby after 180 days of inactivity, any unused Skype Credit in an account would revert to Skype. In 2009, a class-action lawsuit was filed, alleging that this policy violated state laws related to gift certificates. In 2010, it was settled before it went to trial.144 Skype has since amended this policy, now stating that Skype Credit becomes “inactive” if unused for 180 days, but that it can be reactivated thereafter.145 Interestingly, foreign customers fare less well. Unused Skype Credit still expires in six months for its Japanese customers.146

Zynga, meanwhile, has even more stringent terms than in Facebook’s former policy

“1.11.2. Accounts NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, YOU ACKNOWLEDGE AND AGREE THAT YOU SHALL HAVE NO OWNERSHIP OR OTHER PROPERTY INTEREST IN THE ACCOUNT, AND YOU FURTHER ACKNOWLEDGE AND AGREE THAT ALL RIGHTS IN AND TO THE ACCOUNT ARE AND SHALL FOREVER BE OWNED BY AND INURE TO THE BENEFIT OF ZYNGA. ZYNGA RESERVES THE RIGHT TO TERMINATE ANY ACCOUNT THAT HAS BEEN INACTIVE FOR 180 DAYS.” 147

This policy does not explicitly address whether any unused funds associated with an inactive account are forfeited when Zynga terminates the account.

Microsoft Points’ terms and conditions148 do not explicitly address escheatment. The closest statements appear to be the following

“We encourage you to redeem your Points”
“We have no obligation to continue making offers available for Points redemption.”

143 Facebook Payment Terms, available at www.facebook.com/payments_terms (dated October 14, 2011; last accessed November 14, 2011)
144 “Skype Lawsuit To Yield Credit For Customers,” Wall Street Journal, January 14, 2010
145 Available at www.skype.com/intl/en-us/legal/terms/tou (dated October 2011; last accessed November 14, 2011)
146 Ibid.
147 Available at www.zynga.com/about/terms-of-service.php (dated November 30, 2010; last accessed August 14, 2011)
148 Available at explore.live.com/microsoft-service-agreement?ref=none&mkt=en-us (dated August 1, 2010; last accessed November 14, 2011)

Linden Lab, maker of the popular Second Life virtual reality game, permits accounts to remain inactive indefinitely, so long as a customer is not delinquent or in violation of its terms of use. Nonetheless, it would more generally just as soon not have to address financial regulation. Among the few Linden Lab policies that even address the topic broadly are the following

“Linden Lab can’t and won’t become a virtual banking regulator. Banking regulation, whether in the real or virtual world, is complex and intensive, and is a government activity. Linden Lab is not empowered to regulate the businesses of banking or securities. We can and will take steps, however, to ensure the stability of the Second Life economy, and that is what we are doing.” 149

“DON’T give out your password if someone promises they’ll login and fill your account with L$. That’s just dumb!” 150

By contrast, PayPal’s user agreement explicitly acknowledges escheatment laws – and many attendant provisions at that. The states would presumably find it to be a model example of a proper escheatment policy

“If you do not log in to your Account for two or more years, PayPal may close your Account and send the Balance to your primary address, or, if required, escheat (send) your Balance to your state of residency. PayPal will determine your residency based on the state listed in your primary address. If your address is unknown or registered in a foreign country, your funds will be escheated to the state of Delaware. Where required, PayPal will send you a notice prior to escheating or closing your Account. If you fail to respond to this notice, your Balance will be escheated to the required state. If you would like to claim any escheated funds from the state, please contact your state’s Unclaimed Property Administrator.” 151

6.12. UNFAIR OR DECEPTIVE ACTS OR PRACTICES/REG AA

Background

The Federal Trade Commission Act created the FTC in 1914 to regulate certain activities in commerce. As with many laws passed in the Progressive Era, it contains broad, sweeping language: for instance, when first passed, the act declared

“[U]nfair methods of competition in commerce are hereby declared unlawful.” 152

In 1938, this power was expanded:

“[U]nfair methods of competition in commerce, and unfair or deceptive acts or practices in commerce, are hereby declared unlawful.” 153

149 Available at wiki.secondlife.com/wiki/Linden_Lab_Official:New_Policy_Regarding_Inworld_Banks (dated May 10, 2011; last accessed November 14, 2011)
150 Available at wiki.secondlife.com/wiki/How_to_make_money#Are_there_scams.3F (dated December 22, 2010; last accessed November 14, 2011)
151 PayPal user agreement supra, §7.3
152 Act of September 26, 1914 (“An Act To create a Federal Trade Commission, to define its powers and duties, and for other purposes”), (38 Stat. 719, ch. 310), §5
153 Act of March 21, 1938, “An Act To amend the Act creating the Federal Trade Commission, to define its powers and duties, and for other purposes,” (52 Stat. 111, ch. 49), §3 established this as §5(a) (which later became §5(a)(1) of the act, which was later renamed the Federal Trade Commission Act); codified as 15 USC §45(a)(1). In 1975, “in commerce” was amended to read “in or affecting commerce”

The FTC enforces this prohibition on unfair or deceptive acts or practices (UDAP) against companies lacking a federal regulator. Banks and “common carriers” (such as airlines and railroads) were notably excepted, perhaps because they were among the few industries with federal regulators. In 1975, the bank regulators were given the power to enforce UDAP against banks154 (although, curiously, “bank” was itself not defined until 1991155), as were the thrift regulators in 1979.156 The Federal Reserve does so through its Regulation AA. As with many other consumer-protection laws, UDAP enforcement shifted to the CFPB in 2011.

The FTC has longstanding policies on unfairness and deceptiveness.157 The Federal Reserve and FDIC jointly issued guidance, broadly similar to the FTC’s guidance, in 2004.158

Owing to the broad nature of UDAP, Regulation AA forbids relatively few practices explicitly,159 as doing so would invite unscrupulous companies to skirt the line. Instead, banking regulators tend to use consent agreements or lawsuits after the fact to get companies to change business practices.

Some states have their own UDAP laws. As discussed in Section 4.3, some lawsuits have cited those laws rather than the federal UDAP law.

Dodd-Frank expanded the scope of UDAP to cover “abusive” acts and practices.160

Implications for alternative payments

This is one of the few areas of consumer protection discussed in this paper where there is no gap (or there will be no gap, going forward) between traditional and alternative electronic payments. Traditional and alternative payments companies are both subject to UDAP. Before Dodd-Frank transferred enforcement responsibility to the CFPB, different regulators enforced UDAP for depositories and non‑depositories. Any differences that may have existed will presumably disappear when the CFPB assumes its enforcement powers.

6.13. UNIFORM COMMERCIAL CODE CHECK PROVISIONS

Background

The Uniform Commercial Code (UCC), like the abandoned property laws discussed in Section 6.11, is a “model law” drafted by legal scholars. Whereas many states have enacted one of the abandoned property model laws, all states have enacted the UCC, and most have done so in identical or nearly-identical form in order to facilitate commerce.

154 Section 202(a) of the Magnuson-Moss Warranty—Federal Trade Commission Improvement Act (Public Law 93-637) created Federal Trade Commission Act §18(f)(1); codified as 15 USC §57A(f)(1)
155 Section 212(g) of the Federal Deposit Insurance Corporation Improvement Act of 1991 (Public Law 102-242) added a definition of “bank” to the FTC Act
156 Public Law 96-37 amended the FTC Act in various places to give thrift regulators comparable powers to bank regulators
157 The FTC formulated its policy on unfairness in 1980 (available at www.ftc.gov/bcp/policystmt/ad-unfair.htm) and deception in 1983 (available at www.ftc.gov/bcp/policystmt/ad-decept.htm)
158 Available at www.federalreserve.gov/boarddocs/press/bcreg/2004/20040311/default.htm
159 Regulation AA, codified as 12 CFR §227.1 et seq., only has three sections with specifically prohibited practices (§§227.13-227.15)
160 Dodd-Frank §1031

The UCC addresses many topics related to commerce, such as the sale of goods, leases, and, of note here, checks. Some check-related provisions address operational matters, while others provide consumer protections. For instance

• Banks have an obligation to honor checks drawn by customers and can be held liable for any damages arising to the customer from the bank’s failure to honor a properly drawn check161
• Banks shall retain the ability to furnish customers with copies of their checks for up to seven years after payment162
• Customers have up to a year to dispute an unauthorized payment from their account. To exercise this right, they must “exercise reasonable promptness” in examining their statements for unauthorized payments and must “promptly” notify their bank of an unauthorized payment.163

Implications for alternative payments

The UCC provisions, of course, do not directly pertain to alternative payments providers. Nonetheless, the protections afforded by these provisions are relevant. TILA and EFTA provide protections for credit cards and asset accounts. These laws (plus the ACH’s regulations) together ensure that all non-cash traditional payments have strong consumer protections.164

Most, but certainly not all, alternative electronic payments provide similar protections (the sections on TILA and EFTA discuss this in more detail) regarding unauthorized transactions. The UCC’s requirement that consumers be able to view old checks goes further than what is offered by many alternative providers. For instance, consumers have a right to see images of old checks going back years, while many alternatives limit transaction histories to 30 or 90 days. The liability incurred by banks for failing to honor a properly drawn check does not appear to exist for alternative electronic payments.

161 UCC §4-402(b)
162 UCC §4-406
163 Ibid.
164 Purely cash transactions do not involve the intermediation of a financial institution, thus limiting the application of consumer‑protection laws. Consumers, of course, have a variety of protections through laws relating to fraud, theft, etc., which are perhaps distinct from consumer financial protection per se


7. DETAILED DISCUSSION: OTHER REGULATIONS GOVERNING PAYMENTS

This section discusses an additional six laws (or more precisely, parts or collections of laws) that represent key issues with important consequences for payments

• Durbin Amendment/Reg II
• Payment card IRS reporting (HERA §3091)
• AML/KYC
• Tying arrangements/Reg Y
• Payment system integrity
• Financial market utilities/Reg HH.

The regulation of traditional and alternative electronic payments differs in each case. While these gaps may not be visible to consumers, the regulatory differences that arise are just as significant, if not more so, than the differences arising in consumer protection.

7.1. DURBIN AMENDMENT/REG II

Background

Section 4.4 discusses the Durbin Amendment and Regulation II in some detail.

Implications for alternative payments

The revenue stream of debit card issuers with assets of $10 BN+ is significantly impacted. Alternative companies’ interchange rates can be as high as 30% and are not subject to price controls. Lower debit interchange will undermine the business model of those Facilitators that sought to use the ACH to undercut traditional debit cards on price. The requirement that debit cards participate in two unaffiliated networks applies to all debit transactions processed over payment card networks, regardless of the technology used to conduct the transaction. Thus, it will apply to transactions conducted by Facilitators, but not to other alternative electronic payments.

7.2. PAYMENT CARD IRS REPORTING (HERA §3091)

Background

Congress passed the Housing and Economic Recovery Act of 2008165 (HERA) to improve the regulation of the Government Sponsored Enterprises (GSEs), especially the mortgage giants Fannie Mae and Freddie Mac, and to address other policy issues arising out of the mortgage/foreclosure crisis. HERA §3091 requires every “payment settlement entity” to report to the IRS annually on the gross payment volumes of its merchant customers. The goal was to improve tax law compliance, thereby yielding revenue to offset HERA’s costs.166

165 Public Law 110-289

The scope of HERA §3091 is expansive. The concept of a payment settlement entity includes both merchant acquirers for payment card transactions, as well as settlement organizations for three-party network transactions.

This provision took effect for transactions occurring in 2011. In early 2012, processors will have to report to the IRS the name, address, tax ID, and monthly gross payment volume of every US merchant for whom they processed “one or more payments.” They will also have to furnish these merchants with a Form 1099-K containing this information.

Implications for alternative payments

In principle, HERA §3091 makes few distinctions between traditional and alternative payments providers. In practice, this remains to be seen. The IRS’s final regulations, published in August 2010,167 address a number of technical issues but do not name any specific examples of three-party settlement organizations (such as PayPal). Nor do they address conceptual issues arising with Virtual Currencies. For instance, Facebook customers buy Facebook Credits (at a fixed exchange rate168) and then use them to purchase items for use in over 500 different applications or games.169 In a narrow sense, companies that operate Facebook applications do not receive money from their customers; they receive Facebook Credits, which they can convert into money. It is possible that this distinction – or even the fact that some such networks may be below the radar – may prevent them from having to comply, either in law or in practice.

It is our understanding that the IRS will require PayPal and certain other large three-party networks to comply, but that the application of HERA §3091 to other such companies may remain unsettled.

Three-party networks (but not payment cards) have a de minimis exemption. They do not have to report information about merchants with either fewer than 200 transactions or under $20,000 of gross payment volume in a year. As a result, HERA §3091 may provide an incentive for unscrupulous merchants to switch from traditional to alternative payments systems. Meanwhile, traditional payments providers, as well as certain others such as PayPal, may have a compliance burden not shared by other market participants.

166 HERA §3091 is part of Subtitle B of Title III of HERA, which is titled “Revenue Offsets”
167 Published in the Federal Register at 75 FR 49821-49836
168 One Facebook credit costs $0.10, per www.facebook.com/help/?page=1038 (last accessed November 14, 2011)
169 Ibid.

7.3. AML/KYC

Background

Money laundering is an ancient crime, perhaps as old as money itself. It is also big business. While estimates naturally vary as illegal activities tend to go unreported, the IMF has stated that a consensus estimate for such activities is 2-5% of global GDP.170

While the term “money laundering” dates to the 1930s,171 laws specifically addressing it did not arise until the 1970s and 1980s. Unlike many other laws that we discuss, the legislative framework governing money laundering consists of many distinct laws and regulations, enacted at different times for different purposes. Additionally, while some aspects of these laws impose specific requirements, many aspects are more principles-based than rules-based, with the specific requirements varying across institutions (or across customers of an institution) on the basis of their particular risks. Bank examiners would treat a rural community bank very differently from, say, the private banking operations of a money-center bank catering to a global clientele.

In the industry, various acronyms are used to describe these laws, including KYC (know your customer), AML (anti-money laundering), BSA (Bank Secrecy Act), and various combinations thereof. We use “AML/KYC” to describe these laws.

The first such law, the BSA, was enacted in 1970.172 The fight against organized crime was growing in importance; that same year, another law created the now-famous RICO statute and the witness protection program, among other things.173 Initially, the BSA focused on reporting requirements for banks and other institutions in transactions involving cash and negotiable instruments, as well as recordkeeping requirements. The law did not mention money laundering by name. The term itself may have been first used officially in a 1982 court case, United States v. $4,255,625.39.174 In 1986, money laundering itself became a crime,175 as did structuring, the breaking down of large transactions into smaller ones – a practice also known more colorfully as “smurfing.”176 In 1996, the “suspicious activity report” (SAR) was developed. Unlike “currency transaction reports” which must be filed in specific situations (such as transactions involving over $10,000), SARs must be filed whenever an institution knows or suspects the funds in a transaction are derived from illegal activity, facilitate an illegal activity, have no legitimate purpose, or are attempting to circumvent detection. After 9/11, Congress passed the USA PATRIOT Act. One component, the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001,177 requires financial institutions to verify their customers’ identities when they open accounts. BSA-related matters are administered by the Financial Crimes Enforcement Network (FinCEN), a bureau within the US Treasury.

170 Address by IMF Managing Director Michel Camdessus, “Money Laundering: The Importance of International Countermeasures,” February 10, 1998. Available at www.imf.org/external/np/speeches/1998/021098.htm
171 The origin of the term “money laundering” is not entirely clear, and the assertion that it derives from laundry operations or Al Capone is widely reported as urban legend without evidence supporting or refuting it. The IRS’s own discussion of the history of money laundering (www.irs.gov/compliance/enforcement/article/0,,id=112999,00.html) does not address the history of the term itself. At least one law enforcement official has offered the specific story that US Treasury agents pursuing Al Capone coined the term, as Capone laundered money through hundreds of commercial laundries in Chicago (Chris Mathers, Crime School: Money Laundering: True Crime Meets the World of Business and Finance, Firefly Books, 2004, pp. 21-22)
172 Enacted as Titles I and II of Public Law 91-508; codified as 31 USC §§5311-5332 and elsewhere. Title II was formally named the “Currency and Foreign Transactions Reporting Act,” although it and “Bank Secrecy Act” now tend to be used interchangeably
173 The Organized Crime Control Act of 1970 (Public Law 91-452) was enacted the same month as the BSA. Title IX of this Act is the RICO (Racketeer Influenced and Corrupt Organizations) statute, and Title V established the Federal Witness Security Program
174 The case’s curious name derives from the procedures used in civil forfeiture cases, in which a disputed asset is treated as a party to certain judicial proceedings. United States v. $4,255,625.39 concerned the proceeds of several alleged money launderers for Colombian drug smugglers, who deposited as much as $1 MM at a time in cash at a Florida bank, and some $242 MM overall in under a year
175 The Money Laundering Control Act of 1986 was enacted as Subtitle H of Title I of the Anti-Drug Abuse Act of 1986 (Public Law 99-570). The substantive provisions in Subtitle H address several other issues as well, including the structuring of transactions to evade reporting requirements and the forfeiture of assets. The prohibition on money laundering is codified as 18 USC §1956, and a prohibition on using the proceeds of illegal activities in monetary transactions is codified as 18 USC §1957
176 The term was apparently first used in the early 1980s, at the height of the cartoon’s popularity in the US, by Florida investigators. In a particular money laundering ring, a ringleader (nicknamed “Papa Smurf”) directed many individuals (the “smurfs”), who each bought numerous $5,000 cashier’s checks in different cities and deposited them at two Miami banks. (John Madinger, Money Laundering: A Guide for Criminal Investigators, Chapter 21: “Diabolically Clever Laundering Schemes”)

Meanwhile, other laws have arisen to prevent certain foreign countries and foreign nationals from accessing the US financial system. Some predate the BSA. Over the years, the US has imposed trade sanctions against certain foreign countries or senior members of foreign governments on national security grounds or to fulfill foreign policy objectives. These sanctions have included restricting such countries and their citizens from accessing the US financial system. The rise of terrorism, organized crime, and drug cartels in recent years has led to the prohibition of many other individuals from accessing the US financial system. The Office of Foreign Assets Control (OFAC), another body within the US Treasury, administers the collection of laws, regulations, and executive orders imposing these restrictions. Such blacklisted individuals are known as specially designated nationals (SDNs). Unlike some other aspects of AML/KYC, where compliance tends to be risk-based and principles-based, the monitoring of SDNs is more absolute. OFAC’s current SDN list178 contains nearly 12,000 individuals or entities across 30 different sanctions programs.179 The penalties for OFAC violations can be severe. In 2009, two foreign banks were fined over $200 MM and $500 MM for OFAC violations, where they knowingly engaged in the violations. In 2011, a US bank was fined $88 MM for OFAC violations – even though the violations were not intentional and it did not attempt to conceal the violations. The size of the fine was attributed in part to its not reporting the violations once they became known.

Another aspect of KYC/AML relates to “politically exposed persons” (PEPs). This concept was introduced, if not by that name, with the Foreign Corrupt Practices Act (FCPA), a 1977 law180 that generally prohibits US individuals and corporations from paying bribes to foreign countries and officials. This law applies to all types of companies, not just financial institutions. Since many industries lack federal regulators, violations by such companies tend to be uncovered through a law enforcement investigation or by a whistleblower. For banks, by contrast, prudential regulators regularly assess their compliance, and shortcomings would be immediately noticed. Today, PEPs include current and former officeholders of governments, political parties, and state-owned enterprises. As with other KYC/AML issues, the intensity of monitoring and the threshold of presumed suspicious behavior is tied to the underlying risk and governed more by principles than rules. A US small-town mayor with a small checking account, for instance, should be subject to less scrutiny than the finance minister of an oil-rich country opening an offshore private banking account.

177 Enacted as Title III of the USA PATRIOT Act (Public Law 107-56). Its substantive provisions are codified in various places in the USC
178 Available at www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx (dated November 3, 2011; last accessed November 14, 2011)
179 The list of OFAC sanctions programs is available at www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx (dated November 3, 2011; last accessed November 14, 2011)
180 Enacted as Title I of Public Law 95-213; codified as 15 USC §78dd-1 et seq.

KYC/AML requirements thus largely consist of verifying customer identity at account opening, ongoing monitoring of transactions, and ongoing monitoring of customer identity. While the specific requirements vary by institution, customers can be generally grouped into three categories with different degrees of required scrutiny: ordinary customers, PEPs, and SDNs.

As Section 8 discusses in more detail, depositories are subject to a comprehensive regulatory regime. This includes KYC/AML; the examination guide for just these issues runs to over 400 pages.181 Banks, in general, verify their customers’ identities at account origination, and they have procedures in place for ongoing monitoring and, when necessary, reporting suspicious transactions to regulators. The monitoring of PEPs is more stringent than that of ordinary customers. Transactions involving SDNs are generally prohibited altogether.

Essentially all large banks rely on third parties to assist in their KYC/AML compliance. At account opening, banks may use physical IDs to verify people, but they may also use third-party databases, especially for companies. Lexis-Nexis, for instance, tracks 450 MM individuals and 150 MM companies.182 A variety of companies have produced PEP and SDN databases, which banks use to identify such customers. World-Check’s PEP database, the largest in the industry, monitors hundreds of thousands of PEPs globally.183 Besides databases of names, so-called “negative news screenings” help to assess the risk level associated with individuals and companies.

Banks are not the only companies that must comply with KYC/AML requirements. So-called “money service businesses” (MSBs) – check-cashers, remittance companies, payday loan companies, and the like – do as well. These are generally state-licensed and state-regulated companies, submitting filings to FinCEN as necessary. While a number of alternative providers are MSBs, not all are.

Until recently, activities related to stored value (including prepaid cards) did not fall within the definition of MSBs and thus the KYC/AML regime. In 2009, the Credit CARD Act directed the US Treasury to develop KYC/AML regulations regarding “the sale, issuance, redemption, or international transport of stored value, including stored value cards.”184 In July 2011, FinCEN issued a final rule to implement this.185 This long-awaited rule represented the first major rewrite of KYC/AML matters relating to stored value since 1999 and has closed some of the gaps that had existed between traditional and alternative electronic payments.

Implications for alternative payments

Assessing the precise regulatory gap between traditional and alternative payments in KYC/AML is complex. Unlike most other laws discussed in this paper, KYC/AML is more principles-based than rules-based. Thus, if a particular institution receives less regulatory scrutiny, it may be justified if this reflects a lower risk profile given its customers, or it may constitute a regulatory gap. In either case, banks face a much greater compliance burden than other types of institutions, given their comprehensive prudential regulation. Given that banks are subject to full prudential supervision, it seems that any violation, knowingly or not, would be more likely to be uncovered, thereby exposing them to greater financial penalties than companies where violations could remain undiscovered more easily.

181 Available at www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf
182 Per www.lexisnexis.co.uk/pdf/brochures/kyc.pdf
183 Per www.world-check.com/politically-exposed-person-pep-compliance
184 Credit CARD Act §503
185 Published in the Federal Register at 76 FR 45403-45420

FinCEN’s rule, which took effect in September 2011, addresses various types of New Plastic companies in considerable detail. The general idea is that programs that pose relatively few KYC/AML risks are exempt from MSB regulation, while those that present higher risks are to be regulated. For instance

• Closed-loop prepaid programs are covered if they permit access to more than $2,000 of funds in a day
• EBT cards issued by government entities are exempt
• Payroll cards and open-loop prepaid cards are covered if they permit international transfers, transfers between users, or loading of money from non-depository sources.

Regulated programs shall verify customer identities, establish a KYC/AML program, report suspicious activities, and maintain records. Prepaid cards tend to involve multiple parties: a program sponsor (which designs and markets the product), a bank (which issues the card, houses the funds, and handles back-office functions), and retailers (such as grocery stores and drug stores, which sell the cards). They can generally allocate their KYC/AML responsibilities amongst themselves.

The language of the FinCEN regulation is expansive and would seem to cover Non-Plastic Asset Accounts as well, given the general scope and language of “prepaid access” used in the regulation.

PayPal has long considered itself subject to KYC/AML. PayPal has been registered with each US state that regulates money transmitters, or else it has received an official determination that it does not have to register.186 It also reports suspicious activity involving transactions over $2,000 and keeps heightened records on certain transactions over $3,000. In customer disclosures, PayPal notes that it screens customers against OFAC lists.187 It is not immediately clear to what extent, or under what circumstances, PayPal verifies customer identity or requests additional information to do so, but in its customer agreements it reserves the right to do so. With the FinCEN regulation now in effect, PayPal may well update its policies again. Another Non-Plastic Asset Account, Obopay, provides less information about its policies (perhaps because it is privately held), but it notes that it is subject to KYC/AML requirements. It also has transaction limits,188 which are low enough that they may reduce the need for SAR reporting.

It is unclear whether Virtual Currencies are covered by the FinCEN regulation. One question (among others) is whether they constitute “funds.” Although over 15,000 MSBs have registered with California, a number of California companies offering Virtual Currencies do not appear to be so registered. Microsoft, which issues Microsoft/Xbox Points, does not appear on Washington’s MSB list. Zynga is also not listed.

186 eBay 2009 10-K, p. 42
187 PayPal AML statement available at cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=ua/AML_full&locale.x=en_US (dated May 11, 2009; last accessed November 14, 2011)
188 Available at www.obopay.com/consumer/velocityLimitsPublic.do (last accessed November 14, 2011)

It is unclear whether Facebook operates Facebook Credits within a MSB. Facebook uses a MSB subsidiary (Facebook Payments Inc.) to handle “payments to developers related to our Facebook Credits program.” While remitting funds to developers may require MSB registration, it is less clear whether Facebook Credits is itself so regulated. Given that many MSBs list DBAs in their registration, and Facebook Payments Inc. does not list Facebook Credits as one, it might not be. Facebook is – for the time being – still privately held, so it does not have to make the same disclosures as, say, eBay does about PayPal’s operations. Facebook Credits could well be subject to full KYC/AML regulation, but it is difficult for outsiders to ascertain.

Given the relative newness of Virtual Currencies, AML/KYC may not yet be an issue for them. But that does not render this an academic concern, if history is any guide. Transaction limits, while certainly limiting the potential for KYC/AML issues, do not stop them completely, as groups of people can always “smurf” transactions. It has recently been reported that North Korea, which uses counterfeiting and underground casinos to obtain foreign currency, has taken an interest in online games as a new source of funds.189 Certainly, a combination of “smurfs”, hard-to-trace forms of value, and countries or organizations with an incentive to circumvent KYC/AML controls may well lead to innovative ways of financing illicit activity.

One major accounting firm recently noted in a presentation on Virtual Currencies that “a digital currency revolution will … cause KYC rules for certain transactions to become irrelevant.” 190

7.4. TYING ARRANGEMENTS/REG Y

Background

Tying arrangements make the sale (or the terms and conditions of a sale) of one good or service contingent on the buyer also purchasing (or not purchasing) an unrelated product or service from the same company (or a different company). The Sherman Antitrust Act prohibited tying only indirectly, as part of a broader prohibition on any “restraint on trade or commerce.” 191 A section of the Clayton Antitrust Act192 prohibits one form of product tying, the conditioning of a sale on the buyer not purchasing products from a competitor, if the effect “may be to substantially lessen competition or tend to create a monopoly in any line of commerce.” Most of the details of product tying have been fleshed out through a large body of court cases over the subsequent decades.

The heightened regulatory regime for banks dates to 1970. A provision of the Bank Holding Company Amendments Act of 1970193 prohibits product tying, specifically that a bank shall not “extend credit, lease or sell property of any kind, or furnish any service, or fix or vary the consideration for any of the foregoing” conditioned on the customer obtaining or not obtaining any other product from the institution. Unlike the antitrust laws, this is an absolute standard, rather than one that kicks in only when a behavior rises to the level of creating a monopoly or lessening competition. There is an exception allowing the Federal Reserve to offer exemptions, but they must not be “contrary to the purposes” of this prohibition.

189 “North Korea uses virtual weapons and wizardry to magic up real world cash,” Financial Times, August 6, 2011
190 KPMG, “Monetising Game Play on Social Network Sites,” KPMG eGaming Summit. March 31, 2011. Available at www.slideshare.net/jonmatonis/monetising-game-play-on-social-network-sites?from=ss_embed (last accessed November 14, 2011)
191 Sherman Antitrust Act §1; codified as 15 USC §1
192 Clayton Antitrust Act §3; codified as 15 USC §14
193 Enacted as Title I of Public Law 91-607; BHCAA §106 (codified as 12 USC §1972) addresses tying

The Federal Reserve implements this provision through its wide-ranging Regulation Y, a portion of which addresses this topic.194 Using its ability to grant exemptions, it has established a “traditional bank product exemption.” Under this exemption, banks can, for instance, offer discounts on pricing on the basis of a customer’s combined balance. This exemption is not absolute, however.

A variety of companies have been subject to antitrust enforcement proceedings related to tying. These companies – such as Kodak, IBM, and Microsoft – had significant market share in their respective products at the time. No individual bank, of course, has a market share remotely approaching theirs, yet banks face a different regulatory regime from non-banks.

Some corporate customers have alleged that some banks have tried to tie corporate lending and securities underwriting, which prompted a GAO study in 2003.195 Notwithstanding these allegations, the study concluded

“[T]he available evidence did not substantiate these claims. Corporate borrowers could not provide documentary evidence to substantiate their claims.” 196

Implications for alternative payments

The issue of tying may be relatively small compared to the other issues discussed in this section. While a clear difference exists between what banks and other companies can do, it is still early days for alternative payments companies. Another factor that makes it difficult to assess this burden is that card issuers have simply not built business models that rely on bundling, as the tying restrictions pre-date the rise of credit card lending.

If nothing else, banks will continue to face a compliance burden. As the Federal Reserve noted in the aforementioned GAO study

“Federal Reserve examiners review the anti-tying programs of bank holding companies and state member banks as part of the regular compliance reviews of these organizations. … [E]xaminers … recently conducted targeted anti-tying examinations at several large banking organizations. The targeted exams indicated that the banking organizations reviewed generally have adequate policies and procedures to ensure compliance with the anti-tying restrictions of section 106, and the agencies generally did not uncover unlawful tying arrangements in these examinations. … The special anti-tying rules … are quite complex. We concur with [the GAO’s] finding that this complexity has led to some uncertainty and confusion, both among banks and their customers, as to what actions by a bank are prohibited and permissible under the statute.” 197

194 Permissible exceptions to the anti-tying provision are contained in 12 CFR §225.7
195 GAO study 04-03, “Bank Tying: Additional Steps Needed to Ensure Effective Enforcement of Tying Prohibitions,” October 2003
196 Ibid., p. 4
197 Ibid., p. 52

As the market share of alternative companies continues to increase, it is possible that they may engage in activities that depositories cannot. Facebook’s developer website states the following

“NOTE: Per the Facebook Credits Terms, all games on the Facebook Platform (including mobile web apps) must exclusively process payments through Facebook Credits.” 198

Previously, Facebook’s merchants could accept credit cards or other forms of payment not controlled by Facebook.

Were Facebook a bank, it is interesting to consider what a bank regulator might do upon discovering this policy in a periodic examination. Facebook Credits is relatively modest in size today, but the question remains as to what industry practices may become prevalent when alternatives enjoy even greater market share and power in the future, as all predictions suggest they will.

7.5. PAYMENT SYSTEM INTEGRITY

The concept of Payment System Integrity encompasses specific laws (for example, against unlawful Internet gambling199) and also includes the support of payments providers in fulfilling various law-enforcement and public-policy objectives. Many, if not most, providers discuss these issues in customer agreements. Nonetheless, efforts to block the sale of illegal, counterfeit, and pirated goods and services tend to be borne by traditional card networks and merchant processors.

A recent example concerns WikiLeaks. In November 2010, WikiLeaks released US State Department diplomatic cables in unredacted form. In response, US regulators urged the major payment system operators to “turn off” WikiLeaks, in order to remove the site’s primary source of funding. All of the major card networks, plus PayPal, complied, claiming that WikiLeaks may have violated their terms of service for encouraging illegal activity. The result was twofold: WikiLeaks funding collapsed and the remaining donations were pushed to peripheral alternative payment mechanisms that lacked strong regulatory oversight. To the extent that payments are a vital funding source for a wide range of legal and illegal activities, retaining regulatory oversight over the payment system in its entirety is paramount to retaining control.

There is a philosophical argument over the level of control that governments or regulators should have in a free market economy, and also questions surrounding who will regulate the regulators. These are certainly important considerations, but they must be balanced against the need to monitor and combat the funding of terrorist activities, money laundering, drug trafficking, tax evasion, and other activities that rely upon the under-handed use of existing payment systems.

198 Per developers.facebook.com/credits (last accessed November 14, 2011)
199 The Unlawful Internet Gambling Enforcement Act of 2006 was enacted as Title VII of the SAFE Port Act (Public Law 109-347). It applies to all companies, and the Federal Reserve enforces it against depositories through its Regulation GG

7.6. FINANCIAL MARKET UTILITIES/REG HH

Background

Dodd-Frank Title VIII creates the concepts of the “financial market utility” (FMU) and the “systemically important financial market utility” (SIFMU). As discussed in Section 8.2, the Financial Stability Oversight Council (FSOC) can designate any type of financial company as a systemically important financial institution (SIFI) under Title I. It can similarly designate a FMU as a SIFMU under Title VIII.200 While Title VIII uses similar procedures for SIFMU designation as does Title I for SIFI designation, the substantive criteria for evaluating systemic importance and the specific powers granted to the FSOC are different.

In evaluating an FMU for systemic importance, the FSOC is directed to consider201

• The aggregate value of the transactions it processes
• Its aggregate exposure to its counterparties
• Its “relationship, interdependencies, or other interactions” to other FMUs
• The effect of its failure on “critical markets, financial institutions, or the broader financial system”
• Any other factors that it deems appropriate.

The Federal Reserve has responsibility for the prudential standards and supervision of SIFMUs. The scope of these standards may include202

• Risk management policies and procedures
• Margin and collateral requirements
• Participant/counterparty default policies and procedures
• The ability to clear and settle financial transactions
• Capital and financial resource requirements
• Other standards as necessary to support the principles of promoting risk management, promoting safety and soundness, reducing systemic risk, and supporting the stability of the financial system.

In addition, the SIFMU examination regime includes the following elements

• The Federal Reserve can obtain any information it needs from a SIFMU, as well as from any FMU as part of determining whether it should be regulated as a SIFMU
• It can block any change to a SIFMU’s rules, procedures, or operations that it believes would materially affect its risks
• It shall inspect each SIFMU at least annually
• If a SIFMU uses services provided by other companies, the Federal Reserve can regulate those services to the same extent as it can regulate the SIFMU itself
• The general framework of enforcement mechanisms that apply to depository institutions shall apply to SIFMUs.

200 The FSOC can regulate whole companies as FMUs, as well as the “payment, clearing, or settlement activity” within a larger financial company under Title VIII. For simplicity, we shall use “FMU” and “SIFMU” to refer to both situations
201 Dodd-Frank §804(a)(2)
202 Dodd-Frank §805(c)

The language used in Title VIII is sufficiently expansive that retail payments systems could be regulated as SIFMUs. Nonetheless, its intended purpose seems to be to regulate wholesale payments systems for several reasons

• Dodd-Frank Title VII mandates the clearing of derivatives, thereby lowering the risks borne by derivatives end users, while simultaneously increasing the riskiness and interconnectedness of clearing organizations. In short, Title VII reduces overall risks while concentrating the remaining risk in a few institutions. Title VIII, in turn, manages and mitigates these risks
• Numerous provisions in Title VIII involve the SEC and CFTC, neither of which is involved in retail payments
• Only some of the language used in Title VIII (whose formal name is “Payment, Clearing, and Settlement Supervision”) is used in retail payments. Conversely, much of the language and the concepts specific to retail payments (e.g., authorization, merchant processing, etc.) are absent
• Elements of the Federal Reserve’s SIFMU prudential supervision regime address concepts that are much more applicable to wholesale payments than retail payments (e.g., counterparty default, collateral requirements).

Similarly, fundamental differences in the size and interconnectedness of retail and non-retail payments markets exist

• In 2009, the Depository Trust and Clearing Company (one of the companies that may be designated as a SIFMU203) settled $1.48 quadrillion in securities transactions.204 This is roughly a thousand times the volume of the card networks
• Tri-party repo outstandings amounted to $2.5 TN pre-crisis.205 This market is three times larger than card outstandings206 but consists of only two institutions, which clear all tri-party repos207
• Clearing services (for securities, repos, etc.) are inherently systemically risky – the failure of one institution necessarily puts other financial institutions at risk. By contrast, retail payments markets connect financial institutions to customers. If a credit or debit card network (somehow) ceased to function, this would be unlikely to trigger cascading failures of other institutions.

In July 2011, the FSOC approved a final rule208 establishing the processes and general principles for designating FMUs as SIFMUs.209 The rule itself does not provide much insight into whether it will designate retail payments systems as SIFMUs, nor does it address the particulars of the enhanced prudential supervision that SIFMUs would face.

203 As the DTCC states, “DTCC recognizes that it plays a systemically important role to ensure the continued stable operations of the global clearance and settlement system and the containment and resolution of potential risks within the system” (DTCC Principles of Governance, available at www.dtcc.com/legal/compliance/governance/Principles_of_Governance_DTCC.pdf)
204 Per www.dtcc.com/about/business
205 The volume of tri-party repos outstanding reached a pre-crisis peak of $2.8 TN. Federal Reserve Bank of New York Staff Report number 477, “The Tri-Party Repo Market before the 2010 Reforms,” November 2010, p. 17
206 All revolving debt (of which credit cards are the largest component) in April 2008 amounted to $931 BN. Federal Reserve Statistical Release G.19, May 2008
207 Federal Reserve study 477 supra, p. 8
208 To be codified as 12 CFR Part 1320. Published in the Federal Register at 76 FR 44763-44776
209 Strictly speaking, the final rule only addresses payment market utilities, not payment, clearing, and settlement activities

By contrast, the FSOC’s discussion of the comment letters that it received in response to its March 2011 draft rules is insightful

“Within payment systems, the Council expects to focus on FMUs that operate large-value systems and not on FMUs that operate low-value systems for which there appear to be readily available and timely alternative payment mechanisms. However, the Council has decided against including in the final rule any categorical exclusion for FMUs operating retail payment or other systems, both because there are not clear distinctions between various types of systems, and because such an exclusion would impair the Council’s ability to respond appropriately to new information, changed circumstances, and future developments. The Council has also decided against including in the final rule a rebuttable presumption that retail payment systems are not systemically important.” 210

Meanwhile, the Federal Reserve has issued a draft version of what will become Regulation HH, which establishes the risk management standards that shall apply to SIFMUs.211 The comment period on the draft version of Regulation HH concluded in May 2011.

Implications for alternative payments

It is likely that traditional payment networks will not become SIFMUs. If so, this issue does not create further differences in the treatment of traditional and alternative electronic payments. Nonetheless, the possibility of traditional payment networks being deemed SIFMUs cannot be ruled out. Given the criteria that the FSOC must use, and the smaller volume (at present) of alternative payments, if, say, the card networks become SIFMUs, it is likely that alternatives would not.

As yet, no companies have become SIFMUs, and the FSOC has not spelled out the heightened regulation that SIFMUs will face. It therefore remains speculative as to what a regulatory gap here might entail.

210 76 FR 44769
211 Published in the Federal Register at 76 FR 18445-18454

8. DETAILED DISCUSSION: REGULATION OF DEPOSITORIES

Sections 6 and 7 discuss laws and regulations pertaining to payments. Many banking laws regulate providers of banking services apart from the particular services they offer. Depository institutions, in particular, are subject to a comprehensive regulatory regime whose burden is generally not shared by other companies, including companies engaged in alternative electronic payments.

Much of this regulation is a necessary consequence of depositories’ unique access to FDIC-insured deposits and Federal Reserve programs. Nonetheless, this regime creates a disparity whereby the economics and other aspects of otherwise identical payments systems can vary significantly on the basis of who operates them. Addressing this distinction might not yield easy solutions.

Some of the key considerations with respect to depository regulation include

• Prudential supervision of depositories
  − Examinations
  − Capital requirements
  − Regulatory reporting
  − Enforcement proceedings
  − Receiverships
• Systemic regulation (SIFIs and G-SIFIs)
• Community Reinvestment Act/Reg BB
• Other laws
  − Affiliate transactions/Reg W
  − Management interlocks/Reg L
  − Insider loans/Reg O.

8.1. PRUDENTIAL SUPERVISION OF DEPOSITORIES

Overview

The prudential supervision of depositories is a broad topic. While fully describing it easily exceeds the scope of this paper, a former Comptroller nicely summarized it

“Banking is one of the longest regulated and most closely supervised of business enterprises in the Western world. The bank supervisory process … is uniquely extensive and comprehensive and exerts extraordinary authority through ongoing supervisory communication and other informal means. Bank examiners have access to all aspects of a bank’s affairs and the flow of communication between a bank and the supervisory agency is open and continuous …

Bank management is expected to be open and forthcoming with bank examiners. Examiners expect to get the information they need when they ask for it, and they expect to be told important things without having to ask.” 212

Bank regulators, however, have many more tools at their disposal than just omniscience, and the substantive differences between bank and non-bank regulation are much broader than just disclosing information in confidence to regulators. In recent years, this has been increasingly codified, as another former Comptroller has noted

“In 1958, Professor Kenneth Culp Davis, in his landmark treatise on administrative law, cited banking regulation as the ‘outstanding example’ in the federal government of the regulation of an entire industry through informal methods – once characterized by someone as ‘regulation by raised eyebrow.’ While he subsequently moderated that view, I think he would be staggered by the prescriptiveness of modern bank regulation. Today, the formal regulations of the four federal banking agencies – OCC, FDIC, OTS and FRB – take up almost 3,000 pages in the Code of Federal Regulations.” 213

The Federal Reserve undertakes bank holding company (BHC) supervision through its Regulation Y.

Examinations

As noted above, depositories are subject to regular and comprehensive examinations. The largest banks each have 15-20 field examiners today, which may rise soon to 30-35.214 And these examiners work cheek-by-jowl with bank personnel, day-in and day-out. The most senior field examiner meets with a bank’s CEO every month. The BHC field examination manual is over 1,800 pages long.215

The prudential regulators have specified various aspects of payments activities. For instance, in June 2011, the Federal Financial Institutions Examination Council (FFIEC), the coordinating body for the various prudential regulators, issued updated guidance relating to how banks shall authenticate their customers when they conduct online transactions.216

Alternative companies have taken note of this regime. As eBillMe notes on its website “Banks have spent billions of dollars to create these secure authentication processes and secure banking systems. Over the last few years, many banks have implemented double authentication to make it even more difficult for hackers to break into their systems.” 217

212 Remarks by the Acting Comptroller of the Currency before the New York Bankers Association, July 14, 2005. The full speech is available at www.occ.gov/news-issuances/speeches/2005/pub-speech-2005-68.pdf
213 John D. Hawke, “Banking Legislation in Retrospect: Whence Came the Deluge?”, the 2011 Banking Institute of the Center for Banking and Finance of the University of North Carolina School of Law, March 31, 2011. Available at www.law.unc.edu/documents/banking/programs/hawkeafterdinnerremarks.pdf
214 “The Regulator Down the Hall,” Wall Street Journal, June 20, 2011
215 The July 2011 version of the Bank Holding Company Supervision Manual, which is 1,840 pages long, is available at www.federalreserve.gov/boarddocs/supmanual/bhc/bhc.pdf
216 Available at www.ffiec.gov/press/pr062811.htm
217 Available at www.ebillme.com/features/safe (last accessed November 14, 2011)

Capital requirements: Background

While banks have always had to maintain an adequate level of capital as determined by regulators, the nature of capital requirements has changed over time. As a former Comptroller once noted

“When I started practicing law the head of supervision at the Federal Reserve was once asked how much capital a bank needs. His answer was ‘I can’t tell you, but I know it when I see it.’”218

In the US, various laws and other initiatives to formalize capital requirements began in earnest in the 1980s. In 1988, the first global capital accord, Basel I, was adopted by a number of countries.219

The FDIC Improvement Act of 1991 created a formal regime that links regulators’ powers to banks’ capital levels. Banks fall into one of five categories – “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized,” or “critically undercapitalized” – on the basis of their capital levels, as measured by several different metrics.220 Institutions in the lower capital categories face increasingly severe restrictions on their activities, while regulators can assume greater power over them. Notably, regulators are directed, with only a few narrow exceptions, to place critically undercapitalized institutions into receivership within 90 days.

Capital requirements have continued to evolve in the decades since. While the details of Basel II, Basel III, and other aspects of capital management are outside the scope of this paper, it is important to note that regulators are continuing to improve the supervision of banks by requiring them to measure the risks inherent in their activities and to hold sufficient capital against these risks.

Capital requirements: Implications for alternative payments

Financial companies tend to be more highly levered than non-financial companies. In good times, therefore, the fact that banks are subject to capital requirements does not disadvantage them – they are already more highly levered than most non-financial companies not in distress.

In trying times, however, this can be an issue. Banks are simply not permitted to operate without adequate capital. When a bank’s capital level falls to the lower supervisory levels, regulators take action, up to and including failing the bank in an orderly fashion. By contrast, no authority monitors or regulates the capital levels of unregulated private companies, generally speaking. Should an alternative company find itself in distress, it runs the risk of ceasing operations suddenly, and customers have no advance-warning system to inform them outside of the rumor mill and whatever the institution chooses to disclose about its state of affairs.

Many states have money-transmitter laws that contain net-worth and surety-bond requirements. Some alternative companies may be bound by these requirements, although these are not part of a comprehensive supervisory regime as they are for banks.

218 Hawke remarks supra
219 The Basel I accord is available at www.bis.org/publ/bcbsc111.pdf
220 FDICIA §131 created Federal Deposit Insurance Act §38 (codified as 12 USC §1831o), which contains these provisions

Regulatory reporting

As with public companies, depositories (both public and private) must file highly detailed financials. While regulatory filings do not contain the same qualitative information as public company reporting, their quantitative reporting is even more standardized and detailed, running to hundreds of line items that facilitate direct comparisons across institutions. Besides providing a basis for assessing financial health, these filings also provide considerable detail about the performance of a business, making it impossible for certain basic aspects of a company’s operations to remain opaque.

Enforcement proceedings: Background

Regulators generally expect to get the information they need to assess an institution’s financial health and compliance with the law. The free flow of information encourages issues to be resolved quickly and proactively. But when this does not happen, regulators have a variety of enforcement mechanisms at their disposal.

Informal agreements, such as a board resolution or a memo of understanding, can be used for small issues. For larger issues, bank regulators regularly enter into consent agreements, which are publicly disclosed and spell out in some detail the remedial steps that the institution will take. In some agreements, an institution may be given 30 to 60 days to complete over 10 different tasks to the regulator’s satisfaction. Such agreements do not spell out the potential consequences of failing to do so – they do not have to. An even more severe variant – the prompt corrective action – also exists, which tends to spell out the consequences of not restoring the institution’s capital level to an acceptable level. Lastly, regulators can impose fines for violations of certain laws and can remove personnel who have engaged in serious misconduct.

Enforcement proceedings: Implications for alternative payments

This sort of regime does not exist for alternative providers. While MSB regulation exists, it tends not to be nearly as stringent or comprehensive.

Receiverships: Background

One of the many functions of bank regulators is to place insolvent institutions into receivership. Both the FDIC, which handles bank and thrift receiverships, and the National Credit Union Administration (NCUA), its counterpart for credit unions, have a statutory obligation to take action at the lowest cost to their respective deposit insurance funds.221 As a result, they can choose to liquidate an institution, operate it under conservatorship, or find a buyer for part or all of its operations, as circumstances require.

221 This requirement for banks dates to 1991, when it was added by Section 141(a) of the FDIC Improvement Act of 1991. It is codified as 12 USC §1823(c)(4). Credit unions have an analogous requirement, to “resolve the problems of insured credit unions at the least possible long-term loss to the Fund” per the §216(a)(1) (codified as 12 USC §1790d(a)(1))

Usually, regulators find a buyer for a failed institution. In the course of resolving 200+ bank failures since 2010, the FDIC has found a buyer for the branches and deposits of failed institutions about 95% of the time. In the few cases where a failed institution has little franchise value and a buyer cannot be found, it liquidates the institution and mails checks for the insured deposits.

In some cases, when an institution has failed and no buyer could be immediately found, the regulators continued to operate the institution under conservatorship, so that it could be later sold or else wound down in an orderly fashion. For example, banker’s banks and corporate credit unions provide services to other institutions, rather than serve the public directly. The two largest corporate credit unions, which together provided services to over 1,100 other credit unions, failed in 2009,222 followed by another three in 2010.223 The NCUA placed each of them into conservatorship and continued to operate them while it sought a more permanent resolution. Similarly, the largest banker’s bank, which served 1,500 other banks, failed in 2009.224 Upon its failure, the FDIC created a bridge bank so that it could continue to operate.225 A second banker’s bank failed that year, and the FDIC again created a bridge bank,226 which it was able to sell a month later.227

Receiverships: Implications for alternative payments

Despite the contentious topics of bailouts and “too big to fail,” the above-mentioned, low-profile institutions generated little publicity when they entered conservatorship. All insured depository institutions pay deposit insurance premiums precisely to address this sort of situation, and incumbent management and shareholders lost everything.

Alternative payments companies that find themselves in financial distress may well end up having to file for bankruptcy, as there is no means of continuing their operations via government conservatorship, short of using Dodd-Frank’s orderly liquidation authority. Bankruptcies lead to liquidation with some regularity, whereas it can be business as usual for the customers of failed depositories.

8.2. SYSTEMIC REGULATION (SIFIS AND G-SIFIS)

Background

Until Dodd-Frank became law in 2010, the regulation of most financial companies was based on their legal structure. Banks, thrifts, credit unions, BHCs, broker-dealers, insurance companies, mutual funds and the like each had their own regulatory regime. Meanwhile, certain other types of companies (such as hedge funds and PE funds exempt from the Investment Advisers Act of 1940 as well as traditional non-depository lenders) did not face prudential oversight. Dodd-Frank does not eliminate these existing regimes, but it complements them by introducing the concepts of systemic regulation and SIFIs.

222 Per www.ncua.gov/news/press_releases/2009/MR09-0320.htm
223 Per www.ncua.gov/news/press_releases/2010/MA10-0924NCUACorporateReforms.pdf
224 “Silverton failure hits Capital Bank, many others,” Triangle Business Journal, May 4, 2009
225 FDIC press release PR-61-2009; available at www.fdic.gov/news/news/press/2009/pr09061.html
226 FDIC press release PR-237-2009; available at www.fdic.gov/news/news/press/2009/pr09237.html
227 FDIC press release PR-6-2010; available at www.fdic.gov/news/news/press/2010/pr10006.html

Dodd-Frank Title I created the FSOC. It has 10 voting members, mostly the heads of federal regulatory bodies, with the responsibility for the “big picture” of monitoring for systemic risks without regard to companies’ legal structures. By a 2/3 vote, it can designate any financial company as a SIFI, thereby subjecting it to enhanced prudential regulation.

Dodd-Frank delegates most of the details to the FSOC, including which institutions shall be designated SIFIs, the specific rules to be used, and the nature of the heightened regulatory scrutiny. That said, Dodd-Frank does spell out certain details

• The FSOC is directed to consider some 10 factors including most notably the “nature, scope, size, scale, concentration, interconnectedness, and mix of activities of the company”228
• BHCs with at least $50 BN of assets are automatically SIFIs229. Those that had $50 BN of assets in 2010 and had received TARP money shall remain SIFIs even if they cease to be BHCs230
• The enhanced prudential regulation may include such elements as risk-based capital requirements, leverage limits, liquidity requirements, resolution plans, concentration limits, contingent capital, enhanced public disclosures, and short-term debt limits231
• If the FSOC determines that a SIFI poses a “grave threat” to financial stability, then it can limit the SIFI’s ability to offer products or conduct M&A, and it can require a SIFI to cease activities or impose conditions on them.232

In October 2011, the FSOC issued an updated version of a proposed rule and guidance on the process it will use in determining whether to designate non-BHCs as SIFIs.233 Under this approach, the FSOC would undertake a three-stage analysis to identify potential SIFIs. Firms that have over $50 BN in assets and meet at least one other quantitative criterion would then be subject to a deeper, more qualitative analysis by the FSOC. Afterwards, it would vote on whether to designate the company as a SIFI.

The FSOC has yet to lay out the enhanced prudential standards for SIFIs. The Federal Reserve previously indicated that the FSOC would issue regulations in the summer of 2011.234 As of November 2011, it has said that regulations should be issued “soon.”235

Meanwhile, the Financial Stability Board, an international body that includes all G-20 members, has begun a similar process at the global level. In November 2011, it produced an initial list of global SIFIs (G-SIFIs). These 29 banks236 include eight US banks. Five banks (Bank of America, Citigroup, HSBC, JP Morgan Chase, Wells Fargo) have US retail operations237 and account for a significant share of US credit and debit cards. While the list is provisional and does not set out specific prudential requirements for individual institutions, the FSB notes that they will face surcharges ranging from 1 to 2.5 percentage points, with the possibility that institutions could face a 3.5 percentage point surcharge in the future.238

228 Dodd-Frank §113(a)(2)(G)
229 Dodd-Frank §165(a)(1)
230 Dodd-Frank §117(b)
231 Dodd-Frank §115(b)(1)
232 Dodd-Frank §121(a)
233 Published in the Federal Register at 76 FR 64264-64283
234 “Bernanke Says Fed Will Propose Rules on Systemic Firms in Coming Months,” Bloomberg, July 20, 2011
235 “Fed’s Yellen: Long-Awaited Batch of Dodd-Frank Rules Due Out Soon,” American Banker, November 14, 2011
236 FSB document “Policy Measures to Address Systemically Important Financial Institutions”. Available at www.financialstabilityboard.org/publications/r_111104bb.pdf
237 ING, which has US operations, is also on the list, but it is selling its US retail operations to Capital One, which is not on the list
238 FSB document supra

Implications for alternative payments

It is still early days for the FSOC and systemic regulation. While the FSOC has met nine times,239 it has had few discussions on SIFI regulation, and the designation of SIFIs (beyond those BHCs that automatically became SIFIs) is not expected to begin until early 2012.240 Nonetheless, it is already clear that the majority of traditional electronic payments will be subject to systemic regulation

• The automatic SIFIs account for about 85% of credit card outstandings and 88% of credit card purchase volume241
• At YE2010, these institutions held 62% of transaction account balances,242 a convenient proxy for debit card usage.

American Express and Discover are automatically SIFIs because of their BHC status and size; their payment networks will thus be subject to heightened regulation. By contrast, it is not clear whether the Visa or MasterCard networks will become SIFIs, although they handle somewhat greater payment volumes.

The draft rules regarding SIFI regulation imply that all SIFIs will have at least $50 BN in assets. This would mean that no alternative company would become a SIFI at the present time, as all are smaller than this threshold.

In the traditional payments space, having one set of payment networks subject to SIFI regulation and another set exempt would create a significant regulatory gap.

Regardless of the precise details that will come shortly, SIFIs will at a minimum face higher compliance costs and capital requirements, providing several sources (if not more) of competitive disadvantage relative to alternative companies.

8.3. COMMUNITY REINVESTMENT ACT/REG BB

Background

The 1977 Community Reinvestment Act (CRA) 243 was enacted to reduce redlining and disinvestment244, two issues that were once unfortunately common, as well as to ensure more broadly that depository institutions meet the credit needs of the communities that they serve. As noted in its preamble

“The Congress finds that … regulated financial institutions have continuing and affirmative obligation to help meet the credit needs of the local communities in which they are chartered.” 245

239 Per www.treasury.gov/initiatives/fsoc/Pages/council-meeting-minutes.aspx (last accessed November 14, 2011)
240 “Move to Round Out Risk Panel,” Wall Street Journal, June 23, 2011
241 Oliver Wyman analysis of credit card data for 2010 from the Nilson Report, Issue 966 (February 2011)
242 Oliver Wyman analysis of regulatory financial data provided by SNL
243 Enacted as Title VIII of the Housing and Community Development Act of 1977 (Public Law 95-128); codified as 12 USC §§2901-2908
244 Redlining is the refusal to lend to certain customers on the basis of geography. Disinvestment involves accepting deposits from an area but making loans elsewhere
245 12 USC §2901(a)(3)

While the CRA does not address payments per se, it applies to some companies that accept customer funds but not others. Each of the banking regulators has enacted regulations to implement it; the Federal Reserve does so through its Regulation BB.246 Dodd-Frank did not transfer enforcement responsibility for CRA to the CFPB, presumably because CRA requires that regulators take actions “consistent with the safe and sound operation” of depositories247 when enforcing CRA and the CFPB does not have responsibility for bank safety and soundness.

CRA delegates many details to regulators. These regulations were overhauled most recently in 1995,248 before online banks had become significant. Broadly, CRA distinguishes between full-service banks, which both accept deposits and originate a wide range of loans, and limited-purpose banks, which may conduct a limited range of lending activities (or none at all) and may participate in activities less defined by geography than those of branch-based banks.

In both cases, many aspects of CRA revolve around the concept of an “assessment area,” which is the geographic area where a bank serves customers, and where CRA in turn gives it an obligation to reinvest. Banks have a certain amount of latitude in defining their assessment area(s).

Full-service banks are evaluated on the basis of lending, investment, and service tests

• The lending test evaluates its “record of helping to meet the credit needs of its assessment area(s) through its lending activities by considering a bank’s home mortgage, small business, small farm, and community development lending”249
• The investment test evaluates its “record of helping to meet the credit needs of its assessment area(s) through qualified investments that benefit its assessment area(s) or a broader statewide or regional area that includes the bank’s assessment area(s)”250
• The service test evaluates its “record of helping to meet the credit needs of its assessment area(s) by analyzing both the availability and effectiveness of a bank’s systems for delivering retail banking services and the extent and innovativeness of its community development services”.251

The regulations spell out in some detail the activities reviewed for each of these tests.

By contrast, limited-purpose and wholesale banks are evaluated on the basis of a “community development test” which evaluates “all qualified investments, community development loans, and community development services that benefit areas within the bank’s assessment area(s) or a broader statewide or regional area.”252 Banks do not have to originate loans themselves but can instead participate in loans originated by others.

CRA evaluations can serve as a powerful carrot – or as a stick. All banks ultimately receive one of four scores: “outstanding,” “satisfactory,” “needs to improve,” or “substantial noncompliance.” Unlike safety-and-soundness scores, these scores are released publicly. When banks apply for regulatory approval for such activities as acquiring another bank, the regulators must consider their CRA performance. As part of obtaining the approval of the wider community when conducting bank mergers, a number of banks have made commitments relating to CRA. Indeed, agreements between banks and NGOs relating to CRA commitments became sufficiently common that a 1999 law mandated that such agreements be publicly disclosed.253

246 Codified as 12 CFR Part 228
247 CRA §802(b); codified as 12 USC §2901(b)
248 Minor revisions to CRA regulations, not relevant to this discussion, have been made since 1995
249 12 CFR §228.22(a)
250 12 CFR §228.23(a)
251 12 CFR §228.24(a)
252 12 CFR §228.25(e)(1)

Implications for alternative payments

Alternative companies are not subject to CRA. For Mobile Carrier Billers, CRA is not conceptually relevant as they do not hold customer funds. For Non-Plastic Asset Accounts and New Plastic companies holding funds at a depository, the responsibility for complying with CRA rests with the depository.

A regulatory gap therefore exists for the Non-Plastic Asset Accounts and New Plastic companies not holding customer funds in a depository, as well as for Virtual Currencies. These companies hold customer funds but unlike depositories do not have to use these funds in their communities. Of course, some conceptual questions about assessment areas exist, as they have for online banks since they first appeared.254

8.4. OTHER LAWS

A variety of other, smaller laws contribute to the overall regulatory framework for depository institutions. In this section, we discuss three of them: Affiliate transactions/Reg W, Management interlocks/Reg L, and Insider loans/Reg O.

Background: Affiliate transactions/Reg W

The imposes limits on transactions between a BHC’s depository and non-depository subsidiaries. Section 23A imposes conditions on loans and asset purchases made by depositories involving non-depository affiliates. Section 23B requires transactions between depository and non-depository subsidiaries to be on market terms.

These requirements exist because depository institutions can conduct a narrower set of financial activities than other subsidiaries, as they can accept FDIC-insured deposits. In essence, the 23A and 23B limitations are intended to prevent depositories from allowing the benefits of deposit insurance to extend to non-depository affiliates. The Federal Reserve enforced these provisions through a collection of Board and staff interpretations until 2003, when it consolidated them into its Regulation W.

253 Gramm-Leach-Bliley §711 created Federal Deposit Insurance Act §48, which is codified as 12 USC §1831y. The Federal Reserve enforces this through its Regulation G
254 For a mid-1990s discussion of CRA and online banks, see “The Community Reinvestment Act and Internet Banks: Redefining the Community,” Boston College Law Review, Volume 39, Issue 4, Number 4 (July 1998)

Background: Management interlocks/Reg L

All companies are subject to the antitrust laws. One of them, the Clayton Antitrust Act, contains provisions addressing the issue of management interlocks – key personnel who serve multiple unaffiliated companies. Specifically, companies may not have management interlocks if they are

“competitors, so that the elimination of competition by agreement between them would constitute a violation of any of the antitrust laws.” 255

Certain exemptions apply for small businesses.256 As originally passed in 1914, this restriction applied only to board members. In 1990, the prohibition on interlocking board members was extended to include corporate officers.257

Unlike other companies in general, banks face a unique set of significantly greater restrictions on who can serve as a board member or executive. A 1978 law, the Depository Institutions Management Interlocks Act (DIMIA),258 contains bright-line, significant limitations, as opposed to the looser prohibition in the Clayton Antitrust Act. The prudential regulators of depositories and their holding companies enforce this for the institutions they oversee; the Federal Reserve does so through its Regulation L.259

Specifically, DIMIA and Regulation L prevent a director or executive of one institution from serving another institution if any of three conditions apply

• The institutions have offices (either head offices or branches) in the same community
• The institutions have offices in different communities in the same metropolitan statistical area, and both institutions have over $50 MM of assets
• One institution has assets of at least $2.5 BN and the other has assets of at least $1.5 BN (as adjusted for inflation), regardless of office locations.

Should a person’s positions be permissible at the time, but a change in circumstances then renders them an impermissible interlock, that person must cease serving one of the institutions within 15 months – or within a shorter timeframe if the Federal Reserve so requires.

Some exemptions exist. Certain exemptions are automatic, such as for an institution in danger of failing, or for smaller institutions with a low market share in the relevant market. Otherwise, a bank must submit an application to the Federal Reserve, which may grant the exemption if it “finds that the interlock would not result in a monopoly or substantial lessening of competition, and would not present safety and soundness concerns.”260

255 Clayton Act §8(a)(1)(B); codified as 15 USC §19(a)(1)(B)
256 Companies are exempt if they have equity of less than $10 MM or sales of $1 MM, amounts periodically adjusted by the FTC to account for GDP growth. A pair of companies is also exempt if both have competitive sales amounting to less than 4% of their sales, or if either company has competitive sales amounting to under 2% of its total sales (Clayton Act §8(a)(2))
257 The Antitrust Amendments Act of 1990 (Public Law 101-588)
258 Enacted as Title II of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (Public Law 95-630); codified as 12 USC §§3201-3208
259 Codified as 12 CFR §§212.1-212.8
260 12 CFR §212.6(a)

Dodd-Frank expanded the scope of prohibited management interlocks.261 It extends DIMIA to cover non-banks regulated as SIFIs. For these institutions, the Federal Reserve cannot grant a waiver allowing management officials to interlock with other SIFIs, other than temporarily due to a change in circumstances.

Background: Insider loans/Reg O

Several sections of the Federal Reserve Act impose restrictions on the amount and terms of loans made to senior executives, directors, or substantial shareholders of depository institutions and their affiliates. The intention of these restrictions is to prevent insiders from using their position within a bank to obtain credit that they could not otherwise obtain or that would raise safety-and-soundness concerns.

Some provisions date back to the Depression-era rewriting of banking law. A 1978 law added several important restrictions,262 the most notable of which are

• The total amount of loans outstanding to all executive officers and significant shareholders shall not exceed the single-borrower concentration limit (15% of capital for unsecured loans, 25% for secured loans meeting various conditions)
• Any loan made to an executive officer, director, or significant shareholder over $25,000 (since raised to $500,000) must be approved by a majority vote of the board. A board member receiving such a loan shall abstain from voting
• A covered loan must be made “on substantially the same terms” as generally available for comparable transactions and must not “involve more than the normal risk of repayment or present other unfavorable features.”

Besides limitations on large extensions of credit, there is one limitation on small extensions of credit: insiders cannot overdraw their checking accounts.263

In 2010, Dodd-Frank expanded the scope of these restrictions to include derivative transactions, repos, and securities lending and borrowing264 – essentially any credit transaction.

The Federal Reserve implements these provisions through its Regulation O.

Implications for alternative payments

Depositories can obtain exemptions for all three of these laws,265 thereby reducing their impact, although there is no guarantee they can receive an exemption in a given situation.

261 Dodd-Frank §164

262 Section 104(a) of the Financial Institutions Regulatory and Interest Rate Control Act of 1978 (Public Law 95-630) created Federal Reserve Act §22(h)

263 Federal Reserve Act §22(h)(6); codified as 12 USC §375b(6)

264 Dodd-Frank §614

265 A list of the Federal Reserve’s exemptions to regulations granted under the Federal Reserve Act (which includes these three regulations, among others) is available at www.federalreserve.gov/bankinforeg/LegalInterpretations/federalreserveact2011.htm

For Regulation W, the precise burden faced by a BHC that operates non-depository subsidiaries depends on the size and complexity of those businesses. Credit card issuers may have some of their card-related activities inside and some outside their depositories, in which case they will face compliance issues that alternative payments providers do not.

Regulation L in particular has the potential to impose a competitive disadvantage on banks if a waiver cannot be obtained. High-tech companies are noted for their serial entrepreneurs, employee job-hopping, and high-profile executives serving on multiple boards. For instance, eBay’s board has four members that interlock, either currently or in the past, with other traditional or alternative financial companies.266 Were all these companies subject to Regulation L, eBay could potentially be required to obtain an exemption for them to serve.267 In cases where possible anti-trust issues have arisen, such as the well-known Apple-Google board example,268 companies have complied with interlock restrictions. Nonetheless, as the Federal Reserve notes in the final section of its Regulation L

“The Board regards the provisions of … the Clayton Act … to have been supplanted by the … more comprehensive prohibitions … in the Interlocks Act.”269

Regulation O, like Regulation W, primarily imposes a compliance burden generally not shared by alternative payments companies. Loans that might otherwise be approved as a matter of course must instead go before a bank’s board. The concentration limit can be a binding constraint for smaller institutions where outside directors may own businesses that are bank customers. The “unfavorable features” clause contains sufficient ambiguity that it has led to court cases.

When the insider loan provisions were being debated in Congress, the Federal Reserve took the rare step of going on the record to register its opposition to them. One Governor, speaking for the Board a third of a century ago, said

“The Board does not condone abuse of a bank for the benefit of insiders. … However, we believe the adoption of additional restrictions without the benefit of a full factual analysis could result in significant harm to the business of banking and interfere with the provision of credit to the economy … Furthermore, the legislation will severely interfere with the ability of financial institutions to obtain qualified outside directors …. In closing … we believe that it is necessary to consider the cumulative effect of the proposals … Such, almost punitive, provisions should not be imposed since there is no showing of any significant number of instances where outside directors have abused their positions.”270

266 One also serves on the board of Facebook (which operates Facebook Credits), one used to serve on the board of a thrift holding company (which is covered by DIMIA), one is an employee of Facebook Credits (for whom DIMIA may or may not apply, depending on the exact nature of the role), and one used to serve on the board of a government-sponsored enterprise (Board information is from files.shareholder.com/downloads/ebay/1329099503x0x319736/84b55e77-488d-4496-84a2-0f1eac3be655/EBAY_WebDoc_728.pdf (last accessed November 14, 2011), except for one recently appointed board member, whose biography is available in an eBay 8-K issued on September 29, 2011)

267 Other examples may well exist; eBay simply has more readily available information, as a public company, than many other alternatives

268 Apple and Google had two board members in common – Eric Schmidt, then Google’s CEO, and Arthur Levinson, then chairman and CEO of Genentech (now a wholly owned subsidiary of Roche). They had become interlocking board members at a time when Apple and Google were partners. In 2009, when the two companies had increasingly become competitors, Schmidt resigned from Apple’s board, and Levinson resigned from Google’s board

269 12 CFR §212.9

270 Testimony of Governor Coldwell before the Subcommittee on Financial Institutions Supervision, Regulation and Insurance of the House Committee on Banking, Finance and Urban Affairs, September 28, 1977. Published in the Federal Reserve Bulletin, October 1977, pp. 892-894. Available at fraser.stlouisfed.org/publications/frb/1977/download/60930/frb_101977.pdf

9. GLOSSARY OF ALTERNATIVE PAYMENTS PROVIDERS

Table 12: ALTERNATIVE PAYMENTS PROVIDERS REFERENCED IN THIS PAPER

| COMPANY/SERVICE | WEBSITE |
|---|---|
| Traditional Payment Facilitators | |
| AprivaPay | www.apriva.com |
| Billing Revolution | www.singleclickcheckout.com |
| Bill Me Later (loans made via partner banks) | www.billmelater.com |
| Bling Nation | www.blingnation.com (previously; website inactive) |
| Card.io | www.card.io |
| ChargeSmart | www.chargesmart.com |
| clearXchange | www.clearxchange.com |
| eBillme | www.ebillme.com |
| eLayaway | www.elayaway.com |
| Global Standard Financial | www.gsf-inc.com |
| Google Checkout | checkout.google.com |
| Google Wallet | www.google.com/wallet |
| Intuit GoPayment | www.gopayment.com |
| Isis | www.paywithisis.com |
| Mazooma | www.mazooma.com |
| MobilePay USA | www.mobilepayusa.com |
| Heartland Payment Systems’ Mobuyle | www.heartlandpaymentsystems.com/mobuyle |
| Mocapay | www.mocapay.com |
| mPayy (now part of the Revere Group) | www.mpayy.com |
| Noca | www.noca.com |
| Acculynk’s Paysecure | www.acculynk.com |
| Verifone’s PAYware Mobile | www.paywaremobile.com |
| CashEdge’s Popmoney (now owned by Fiserv) | www.cashedge.com/products-popmoney.php |
| Rialto Commerce (formerly Moneta) | www.rialtocommerce.com |
| NACHA’s Secure Vault Payments | www.securevaultpayments.com |
| Square | www.squareup.com |
| Ukash | www.ukash.com |
| Fiserv’s ZashPay | www.zashpay.fiserv.com/consumer |
| ZipZap | www.zipzapinc.com |
| ProPay’s Zumogo | www.propay.com/zumogo |
| New Plastic | |
| BillMyParents | www.billmyparents.com |
| CardSmith | www.card-smith.com |
| Green Dot | www.greendotonline.com |
| netSpend | www.netspend.com |
| Tempo Payments | www.tempo.com (previously; website inactive) |
| U.S. Bancorp’s AccelaPay | www.accelapay.com |
| A list of 12 MasterCard-branded GPR cards is available at | www.mastercard.us/get-a-prepaid-card.html |
| A list of 23 Visa-branded GPR cards is available at | usa.visa.com/personal/cards/prepaid/prepaid-card-online.jsp |
| Non-Plastic Asset Accounts | |
| Amazon Payments | payments.amazon.com |
| FaceCash | www.facecash.com |
| Obopay | www.obopay.com/consumer/welcome.shtml |
| eBay’s PayPal | www.paypal.com |
| Western Union | www.westernunion.com |
| Mobile Carrier Billers | |
| BilltoMobile | www.billtomobile.com |
| BOKU | www.boku.com |
| Mobile Giving Foundation | www.mobilegiving.org |
| OpenMarket | www.openmarket.com |
| Payfone | www.payfone.com |
| eBay’s Zong | www.zong.com |
| Virtual Currencies | |
| Facebook Credits | www.facebook.com/credits |
| Microsoft Points | www.xbox.com/en-US/Live/MicrosoftPoints |
| Linden Lab’s Second Life Local Payments | wiki.secondlife.com/wiki/Linden_Lab_Official:Local_Payments_FAQ |
| Nintendo Points | www.nintendo.com/games/nintendopointscard |
| Skype Credit | www.skype.com/intl/en-us/prices/skype-credit |
| Zynga | www.zynga.com/games |
| Traditional Payments (Note: In our regulatory framework, services offered by depository institutions that would otherwise be considered Non-Plastic Asset Accounts are considered Traditional Payments, as these services are generally subject to the same regulatory regime as depositories, if the customer funds are held in deposit accounts) | |
| Dwolla | www.dwolla.com |
| PerkStreet Financial | www.perkstreet.com |
| American Express’s Serve | www.serve.com |

10. GLOSSARY OF ACRONYMS AND REGULATIONS

Table 13: ACRONYMS USED IN THIS PAPER

| ACRONYM | MEANING | RELEVANCE TO REGULATION AND PAPER SECTION(S) |
|---|---|---|
| ACH | Automated Clearing House | An electronic network used to make financial transactions. For consumers, it is used primarily for the direct deposit of paychecks and for debiting an account to pay recurring bills. Some Facilitators are making it easier for consumers to conduct ACH transactions for a wider range of purposes. The ACH is overseen by NACHA (various) |
| AML/KYC | Anti-money laundering/know-your-customer | A catch-all term for the various laws and regulations that seek to prevent individuals and businesses from using the financial system to facilitate crime, money laundering, tax evasion, terrorism, or similar activities (§7.3) |
| BHC | Bank holding company | An entity that owns one or several depository institutions; the Federal Reserve supervises these organizations. BHCs with at least $50 BN of assets automatically became SIFIs under Title I of Dodd-Frank (various) |
| BSA | Bank Secrecy Act | A 1970 law that was the first to address money laundering. It requires financial institutions to maintain records of, and to report to regulators on, large cash transactions. The BSA now also requires transactions to be reported if they may facilitate money laundering, tax evasion, or other criminal activities (§7.3) |
| CFPB | Consumer Financial Protection Bureau | A government agency established by Title X of Dodd-Frank. The CFPB received rulemaking power for all federal consumer financial protection laws and supervision authority for all financial institutions (other than small depositories, which remains with their prudential regulators). Dodd-Frank also gave the CFPB new substantive powers (various) |
| CFR | Code of Federal Regulations | The codification of government regulations, analogous to the US Code’s role for legislation. Many of the Federal Reserve’s regulations are known commonly by a letter name (e.g., Regulation E), but these regulations also are in the CFR. All banking regulations are located in Title 12 of the CFR (various) |
| CRA | Community Reinvestment Act | A 1977 law intended to reduce redlining (the refusal to do business in certain parts of communities) and disinvestment (accepting deposits but not making loans). It requires depositories to invest in their local communities and regulators to periodically evaluate depositories on these efforts (§8.3) |
| Credit CARD Act | Credit Card Accountability Responsibility and Disclosure Act | A 2009 law that restricts certain business practices related to credit cards. It does not regulate the maximum interest rate that can be charged, but it imposes limits on, inter alia, the repricing of existing balances. These provisions were enacted as amendments to TILA. It also has provisions regarding gift cards (§§4.2, 6.9, 6.11) |
| DDA | Demand deposit account | A deposit account on which a customer can make an unlimited number of check, debit, and ATM transactions (§4.1) |
| DIMIA | Depository Institutions Management Interlocks Act | A 1978 law that limits the ability of board members and certain executives of one depository institution or non-bank SIFI to serve (interlock with) another depository. Non-depository institutions face interlocking restrictions under the Clayton Antitrust Act, but only if the interlocking would create an anti-trust issue (§8.4) |
| EBT | Electronic benefit transfer | The distribution of government benefits by electronic means such as through cards akin to debit cards. EBT cards are exempt from the Durbin Amendment’s interchange limits and from FinCEN’s 2011 regulation that extends KYC/AML requirements to certain stored-value cards (§§3.3, 7.3) |
| ECOA | Equal Credit Opportunity Act | A 1974 consumer-protection law that contains procedural and substantive safeguards to prevent lenders from engaging in discrimination on the basis of a variety of protected factors. Dodd-Frank added provisions to ECOA that require business lenders to inquire into a business’s ownership and to report information about their business loan applications (§6.4) |
| EFAA | Expedited Funds Availability Act | A 1987 consumer-protection law that specifies how quickly depositories must make funds available to consumers after making a deposit (§6.7) |
| EFTA | Electronic Fund Transfer Act | A 1978 consumer-protection law that imposes requirements on electronic transactions involving bank accounts. The law also covers other “asset accounts,” but the scope of these accounts has generally been left ambiguous. For certain non-bank accounts (e.g., payroll cards and prepaid cards onto which government funds are deposited), so-called “Reg E lite” has been introduced. The Federal Reserve’s overdraft regulations were enacted under EFTA/Reg E (§§4.1, 6.3) |
| FCBA | Fair Credit Billing Act | A 1975 consumer-protection law that amends TILA to provide specific protections for credit card transactions (§6.9) |
| FCRA | Fair Credit Reporting Act | A 1970 consumer-protection law that regulates how third-party consumer information can be used and mandates disclosures in certain circumstances (§6.5) |
| FDIC | Federal Deposit Insurance Corporation | The FDIC plays several roles. It is a bank regulator, serving as the federal regulator for state-chartered banks not regulated by the Federal Reserve. It also administers deposit insurance for all banks and thrifts, and it is the receiver for all failed banks and thrifts (various) |
| FinCEN | Financial Crimes Enforcement Network | A bureau within the US Treasury that administers laws and regulations related to money laundering. In 2011, it issued regulations that extend money-laundering provisions to certain types of stored-value accounts (§7.3) |
| FCPA | Foreign Corrupt Practices Act | A 1977 law that generally prohibits the paying of bribes to foreign countries and officials. The concept of PEPs evolved in part out of the FCPA (§7.3) |
| FFIEC | Federal Financial Institutions Examination Council | A coordinating body for the various bank regulators. In 2011, it issued updated guidance relating to how banks shall authenticate their customers when they are conducting online transactions (§8.1) |
| FMU | Financial market utility | A concept created by Title VIII of Dodd-Frank. The FSOC can designate FMUs that are systemically important as SIFMUs, which are then subject to enhanced prudential supervision (§7.6) |
| FR | Federal Register | All regulations and many other documents produced by regulators are published in this daily government publication. Where possible, this paper includes citations to the Federal Register for important documents (various) |
| FSOC | Financial Stability Oversight Council | A body created by Title I of Dodd-Frank to monitor for risks to the financial system. It can designate any financial company that is systemically important as a SIFI, which is then subject to heightened prudential supervision (§§7.6, 8.2) |
| FTC | Federal Trade Commission | A government body established in 1914 to promote consumer protection in commerce and to reduce anti-competitive business activities. The FTC generally enforced consumer-protection laws against non-banks before the CFPB was established (various) |
| G-SIFI | Global systemically important financial institutions | The global analog to SIFIs. The Financial Stability Board has issued a preliminary list of institutions designated as G-SIFIs. It has also issued a range of capital surcharges for G-SIFIs but has not yet spelled out the other elements of their enhanced prudential supervision (§8.2) |
| GLB | Gramm-Leach-Bliley Act | A 1999 law whose primary purpose was to repeal the Glass-Steagall separation of commercial banking, investment banking, and insurance. It also established financial privacy protections, and it required depositories that enter into agreements with third parties concerning CRA commitments to disclose those agreements (§§6.6, 8.3) |
| GPR | General-purpose reloadable | A type of prepaid card that operates on a major card network (rather than being accepted just at one merchant), and the card can be topped up after the initial purchase. They increasingly serve as bank account substitutes. Certain GPR cards have “Reg E lite” protections, but not all do. They are exempt from the Durbin Amendment’s interchange limits (various) |
| HERA | Housing and Economic Recovery Act of 2008 | Section 3091 of this law requires payment card networks and three-party networks to report information about the payment volume processed for their customers to the IRS, to facilitate tax-law compliance. A de minimis exemption applies to the small merchants of three-party networks but not to those of payment card networks (§7.2) |
| MSB | Money service business | States have laws that regulate companies that engage in various activities involving money (e.g., check cashers, remittance companies, payday lenders) as money service businesses. The PATRIOT Act requires that MSBs register with the US Treasury. States impose some requirements (e.g., surety bonds, net worth requirements) on MSBs, although this regulation is not as strict or comprehensive as the prudential regulation of depositories (§7.3) |
| NCUA | National Credit Union Administration | The regulator of credit unions (§8.1) |
| OCC | Office of the Comptroller of the Currency | The regulator of national banks (various) |
| OD/NSF | Overdraft/non-sufficient funds | Fees charged to consumers if an account is overdrawn as a result of honoring a payment item (OD) or charged because a bank declines to process such an item (NSF). In 2009, the Federal Reserve issued regulations requiring that banks obtain customer consent before charging OD/NSF fees arising from ATM or POS debit transactions (§§4.1, 4.3) |
| OFAC | Office of Foreign Assets Control | A body within the US Treasury that administers sanctions against foreign countries and individuals. Companies must ensure that they do not serve customers subject to OFAC sanctions (§7.3) |
| PEP | Politically exposed person | A category of person subject to heightened KYC/AML scrutiny. Unlike SDNs, PEPs may use the US financial system, but their transactions are monitored with more scrutiny than ordinary customers (§7.3) |
| PIN | Personal identification number | In the context of debit card transactions, PIN debit transactions are those where a consumer enters a PIN; these are processed in a manner similar to ATM transactions. Customers must consent before a bank can charge OD/NSF fees on a PIN debit transaction that overdraws an account. The level of interchange on PIN debit transactions was historically lower than on signature debit transactions; the Durbin Amendment’s interchange limits do not distinguish between PIN and signature debit (§4.4) |
| USA PATRIOT Act | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act | A law passed shortly after 9/11 requiring financial institutions to verify customer identity at account opening. It also requires MSBs to register with the US Treasury (§7.3) |
| SAR | Suspicious Activity Report | A report that financial institutions must submit to FinCEN when they know or suspect that a transaction involves certain violations of law or the proceeds of illegal activities (§7.3) |
| SDN | Specially Designated National | Foreign individuals or companies designated by OFAC under any of 30 different laws, regulations, or executive orders. In general, SDNs cannot use the US financial system, and financial institutions have an obligation, at account opening and on an ongoing basis thereafter, to ensure that they do not serve SDNs (§7.3) |
| SIFI | Systemically important financial institution | Financial institutions which are subject to heightened prudential regulation per Title I of Dodd-Frank. All BHCs with at least $50BN of assets are automatically SIFIs; the FSOC can also designate other institutions as SIFIs (§§7.6, 8.2) |
| SIFMU | Systemically important financial market utility | SIFMUs are companies involved in payments (e.g., clearing, settlement, authorization, remittance) that are analogous to SIFIs and, like SIFIs, subject to enhanced prudential supervision. When the FSOC issued a final rule governing the SIFMU designation process, it indicated the retail payments networks are unlikely to be designated as SIFMUs, although it did not rule out the possibility (§7.6) |
| TILA | Truth in Lending Act | A 1968 consumer-protection law that standardizes forms, terminology, and disclosures in consumer credit. The FCBA and Credit CARD Act have expanded the law’s scope (§§4.2, 6.9, 6.10) |
| TISA | Truth in Savings Act | A 1991 consumer-protection law that mandates and standardizes certain disclosures related to deposit accounts. It also regulates the use of the term “free” with respect to checking accounts (§§4.1, 6.9, 6.10) |
| UCC | Uniform Commercial Code | A law passed in all states in identical or nearly-identical form, in order to facilitate commerce. Of relevance to this paper, the UCC includes provisions relating to checks (§6.13) |
| UDAP | Unfair or deceptive acts or practices | A very broad consumer-protection law first enacted in 1938. UDAP was extended to cover banks in 1975. The FTC, which enforces UDAP against non-banks, issued policy statements on unfairness in 1980 and deception in 1983. The bank regulators generally have the same policies as the FTC. Relatively few specific business practices have been prohibited under UDAP; instead, consent agreements or lawsuits tend to occur after the fact. In 2010, Dodd-Frank expanded UDAP to prohibit “abusive” practices (§6.12) |
| USC | United States Code | The compilation of the general and permanent laws of the US, organized by subject matter. Most laws discussed in this paper are in Title 12 (banking) or Title 15 (commerce and trade). Where possible, USC citations are provided for the laws discussed (various) |

Table 14: FEDERAL RESERVE REGULATIONS DISCUSSED IN THIS PAPER

| REGULATION | REGULATION NAME AND PAPER SECTION(S) |
|---|---|
| B | Equal Credit Opportunity (§6.4) |
| E | Electronic Fund Transfers (§§4.1, 6.3) |
| G | Disclosure and Reporting of CRA-Related Agreements (§8.3) |
| L | Management Official Interlocks (§8.4) |
| O | Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks (§8.4) |
| P | Privacy of Consumer Financial Information (§6.6) |
| V | Fair Credit Reporting (§6.5) |
| W | Transactions between Member Banks and Their Affiliates (§8.4) |
| Y | Bank Holding Companies and Change in Bank Control (§§7.4, 8.1) |
| Z | Truth in Lending (§§4.2, 6.9) |
| AA | Unfair or Deceptive Acts or Practices (§6.12) |
| BB | Community Reinvestment (§8.3) |
| CC | Availability of Funds and Collection of Checks (§6.7) |
| DD | Truth in Savings (§§4.1, 6.10) |
| GG | Prohibition on Funding of Unlawful Internet Gambling (§7.5) |
| HH | Designated Financial Market Utilities (§7.6) |
| II | Debit Card Interchange Fees and Routing (§§4.4, 7.1) |


ABOUT OLIVER WYMAN

With offices in 50+ cities across 25 countries, Oliver Wyman is a leading global management consulting firm that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, organizational transformation, and leadership development. The firm’s 3,000 professionals help clients optimize their businesses, improve their operations and risk profile, and accelerate their organizational performance to seize the most attractive opportunities.

The firm’s Financial Services practice is a worldwide leader, counting 75 of the global top 100 financial institutions as its clients. The firm has guided some of the world’s most sophisticated institutions on their retail banking and payment strategies.

Oliver Wyman is part of Marsh & McLennan Companies [NYSE: MMC]. For more information, visit www.oliverwyman.com.


About the Authors

TONY HAYES Tony Hayes is a Partner in Oliver Wyman’s North American Retail and Business Banking practice. He is based in the Boston office. Email: [email protected]. Tel: 617 424 3283

ROSS FRISBIE Ross Frisbie is the Chief of Staff in Oliver Wyman’s North American Retail and Business Banking practice. He is based in the New York office. Email: [email protected]. Tel: 646 364 8503

Oliver Wyman is a leading global management consulting firm that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, organizational transformation, and leadership development. For more information please contact the marketing department by email at [email protected] or by phone at one of the following locations:

NORTH AMERICA +1 212 541 8100

EMEA +44 20 7333 8333

ASIA PACIFIC +65 6510 9700

www.oliverwyman.com

Copyright © 2011 Oliver Wyman. All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect. The information and opinions in this report were prepared by Oliver Wyman. This report is not a substitute for tailored professional advice on how a specific financial institution should execute its strategy. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisers. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. This report may not be sold without the written consent of Oliver Wyman.