There is little question that smartphones and tablet computers are re-shaping the delivery of financial services to consumers. The mobile device is rapidly becoming a full-fledged platform for electronic financial services, and especially for mobile payments. Juniper Research and Gartner estimated the worldwide market for mobile payments at $86 billion to $240 billion in 2011, with Juniper predicting an increase to $670 billion by 2015.
While mobile payments are sometimes categorized based on their underlying technologies, or on the source of funds (credit card, debit card, prepaid card, checking account, etc.), what different systems have in common is their reliance on mobile devices for authorizing and managing payments. The proliferation of mobile devices, and service providers to support them, has introduced new and different stakeholders who are competing with financial institutions for dominance in the mobile commerce/mobile payment arena. These include mobile network operators, intermediary service providers, and retailers/merchants. A simple (if imprecise) shorthand way of describing the competitors is to differentiate “bank-centric” and “nonbank-centric” payment service providers. Nonbank-centric payment service providers are multiplying, and are intent on challenging financial institutions for revenues in this growing sector of the economy.
In this rapidly evolving environment, mobile payments present new operational and risk issues for consumers, payment systems providers, and the recipients of the payments. It will be crucial to identify who has legal responsibility and liability for the various risks associated with payment platforms and payment transactions, particularly when transactions go wrong and mobile commerce initiatives fail. Inevitably, some mobile payments will be challenged as unauthorized, or made in error, or misdirected. Some payors will change their minds about payments made and seek to reverse them. Others may be unsatisfied with goods or services received and demand refund of their payments. Claims of breach of privacy, billing errors, and fraud will emerge.
At present, all laws and regulations governing payment methods and networks with their attendant consumer protections are applicable to payments in the mobile environment. However, there is no uniform legal framework for determining where the risk of liability will fall when a mobile payment platform is used. Rights and responsibilities vary significantly depending on the source of funds, the intermediaries involved in processing or facilitating the transaction (i.e., payment network, wireless carrier, money transmitter, technology provider, etc.), the method(s) used to transmit the funds from original sender to ultimate recipient, the type of recipient (individual or business), and the location of both the sender and the recipient. As an example, the rights and responsibilities of a consumer using a credit card as the source of funds in a mobile payment transaction are very different from the rights and responsibilities of the same consumer using a checking account as the source of funds. The challenge of risk allocation is likely to be magnified, and complicated, because of the wide variety of intermediaries now involved in the mobile payment service industry, and by the potential for both regulatory overlap (at both the federal and state level) and for regulatory gaps in supervising the sector.
The proliferation of non-bank providers participating in the payment process, and the different process flows used by mobile payment platforms to access sources of funds, have outpaced the constructs and assumptions of existing payment systems law. The result is confusion about the distribution of risks and responsibilities among participants and a patchwork application of state laws concerning fees, escheat and money transmitter licensing requirements to various mobile payment services.
Without attempting to answer specific questions, some of the initial legal issues to be addressed in connection with any mobile payment product include:
- Are the mobile payment services appropriately regulated as mere communication services or as money transfer services (or as a hybrid, or even as some other type of service)?
- What advertising rules apply when the products and services are displayed for purchase with mobile payments on handheld devices? (Also known as the “advertising in small spaces” challenge.) Reference to Federal Trade Commission guidance on unfair and deceptive practices is helpful, but may not be determinative, depending on the participants and the structure.
- Who is responsible for providing consumer disclosures for products and services requiring such disclosures, and what protocols will apply to proving that these disclosures were given?
- What privacy rules apply to, and who is responsible for, security of customer data? Should consumers be allowed to select higher or lower levels of identity protection as a matter of their own convenience?
- To what extent should consumers be responsible for unauthorized or fraudulent mobile payments if they handle their mobile devices carelessly or share their identification information with others?
- How will theft of mobile devices or hacking of customer authentication data affect responsibility for unauthorized payments?
- Should the same level of security and privacy protection apply to small-dollar and large-dollar transactions?
- What protocols are essential to ensure accuracy of payment data in transmission? What consequences should follow if the data are compromised in transmission?
- How will payment service providers be licensed or regulated? If providers are to be licensed, are surety bonds an appropriate prerequisite to licensing, based on volume of payments handled, or to cover loss of customer funds in transmission? Should commercial insurance be required as a prerequisite to offering the mobile payment technologies or becoming licensed?
- Where should licensing occur – at the state or federal level? If regulation is at the state level, how will overlapping jurisdiction be managed? Regardless of the licensing and supervisory authority, how will regulators get “up to speed” on mobile commerce and mobile payments in order to supervise the industry effectively and efficiently?
- Should those accepting or facilitating mobile payments be allowed to use customer data for marketing or other purposes? Should consumers have a right to opt-in or opt-out of such data sharing?
- To what extent must mobile payment services be accessible to the disabled, and how might this be achieved?
- Who will keep records of mobile payment transactions, and how? How may consumers obtain these records?
- What obligations and liabilities result when mobile payment systems “go down”? Is unavailability of a mobile payment system the equivalent of denying consumers the right to their funds?
- How will the source of the funds used to make the mobile payment (e.g., bank account, credit card, prepaid credits, etc.) affect the answers to the questions above?
Notwithstanding these thorny legal issues, the future of mobile payments appears bright, because the benefits for payment providers, payment recipients, technology providers, communications providers, and consumers are indisputable. For now, service providers in the emerging mobile payments industry need to both fully understand the risk allocation rules that apply to their products or services, and clearly articulate to customers how that allocation of risk affects them.
About the Authors:
Margo Tank is a partner and R. David Whitaker is counsel to BuckleySandler LLP, a financial services law firm in Washington, DC, New York and Los Angeles. They advise financial services providers and technology companies on structuring business programs and online platforms in compliance with the Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), and on compliance with other state and federal laws governing electronic and mobile financial services transactions, privacy and data security, electronic record management, money transmission and other payment methods (plastic or virtual), advertising and unfair or deceptive acts and practices.