FTC Releases Staff Report on Mobile Payments

Banking and Financial Services Update

On March 8, 2013, the Federal Trade Commission (“FTC”) issued a staff report, entitled Paper, Plastic… or Mobile: an FTC Workshop on Mobile Payments, on the mobile payments industry and its effects on consumers (the “Report”).1 The Report, based on a workshop held by the FTC on April 26, 2012,2 addresses a number of issues that the FTC has found notable in the mobile payments space. While the Report does not announce any new policy initiatives, it highlights areas on which the FTC may focus in its future regulatory and enforcement activity and legislative advocacy with respect to consumer protection and privacy laws. The Report addresses five main topics of concern to the FTC with respect to mobile payments, often reiterating some of the positions taken by participants in the workshop.

Dispute Resolution

The Report begins with a discussion of dispute resolution protections, focusing on fraudulent payments and unauthorized charges. The FTC’s primary concern in this area is the varying levels of protection for consumers when using mobile payments. The Report largely adopts the position articulated by Consumers Union and the Consumer Federation of America in describing the variation of statutory protections based on the underlying funding source, characterizing credit cards as receiving the most protection, debit cards less protection, and prepaid cards the least. Given the existing lack of regulatory error resolution requirements for prepaid cards that are not currently subject to Regulation E, the FTC expresses explicit support for the extension of protections to general purpose reloadable prepaid cards through the Consumer Financial Protection Bureau’s pending advanced notice of proposed rulemaking. Otherwise, the FTC emphasizes that consumers may not understand the differences among the protections provided when using the various funding sources indirectly through a mobile payment system, and therefore encourages appropriate disclosure rather than unification of the existing error resolution regimes for products already subject to protections under Regulations E and Z.

Mobile Carrier Billing

The Report states that there are no specific federal statutory protections regarding consumer disputes about fraudulent or unauthorized charges placed on mobile carrier bills. It argues that the practice of third parties placing fraudulent charges onto a phone bill (known as “cramming”), which originally arose in the context of landline billings, is becoming more prevalent in mobile payments. The Report states that cramming is a fundamental threat to the mobile payments platform generally, as it risks undermining the overall security of the payment system. The FTC’s position is that consumers should be given three “basic protections” against cramming: (1) the ability to block all third-party charges on mobile accounts; (2) clear and prominent disclosures provided by mobile carriers informing customers that third-party charges may be placed on their accounts, and an explanation of how to block those charges; and (3) the establishment of a dispute resolution process. The FTC also highlights other suggested protections, such as advance notice of each recurring charge coupled with an opportunity to cancel, that may prove problematic for the industry. The FTC is organizing a separate roundtable on fraudulent charges on mobile platforms, which it expects to take place in May 2013.

Consumer Data Security

The Report discusses both the perception and reality of data security in mobile payments. It cites research from the Federal Reserve that suggests data security concerns are the largest reason for non-adoption of mobile payments, and cautions that the reputation of the industry as a whole may be impaired by bad actors. Substantively, the Report acknowledges that there are existing data security requirements at the federal and state levels, and so does not appear to advocate new requirements, although it does encourage the use of both “end-to-end” encryption technology and “dynamic data authentication,” a process in which a unique set of payment information is generated for each transaction. The FTC also encourages education of consumers as to steps they can take to protect their own data.

Privacy

According to the Report, use of mobile payments raises “significant privacy concerns,” due to the number of companies involved in mobile payments and the large amount of data being collected. In addition, mobile payments add new actors, such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators. Specifically, the Report notes that mobile payments allow for the collection and aggregation of personal and purchase data in a way that is not possible with traditional payments, where the merchant has detailed data about purchases, the financial institution has detailed data about the customer, but neither has both. The Report does not discuss, however, the effect of existing law, such as the Gramm-Leach-Bliley Act, on privacy obligations in the payments realm. Instead, the FTC reiterates concepts from its earlier, more general report on privacy in the face of technological change: (1) “privacy by design,” wherein companies consider and address privacy at each stage of product development, (2) simplified choices and (3) greater transparency.3 Mobile privacy more generally will remain a hot topic with the FTC and other agencies, and is the subject of a variety of on-going inquiries, including through a multi-stakeholder process organized by the Department of Commerce.

International Mobile Payment Issues

Finally, the Report briefly discusses other countries’ experience with mobile payments, noting that countries have seen the space evolve in different directions. The Report notes that the Organization for Economic Cooperation and Development’s Committee on Consumer Policy, along with other government and international organizations, have been studying consumer protection concerns in a variety of markets.

Conclusion

While the Report says little about specific policy initiatives of the FTC in connection with the concerns raised in the Report, it makes clear that these issues are on the FTC’s radar. The Report provides participants in all segments of the mobile payments space with a glimpse into possible points of regulatory and enforcement emphasis in the coming years, as new technologies and innovations expand the mobile payment options available to consumers.

If you have any questions regarding this update, please contact David Teitelbaum (+1.202.736.8683, dteitelbaum@sidley.com), Joel Feinberg (+1.202.736.8473, jfeinberg@sidley.com), James Huizinga (+1.202.736.8681, jhuizinga@sidley.com), John Van De Weert (+1.202.736.8094, jvandeweert@sidley.com), Thomas Devlin (+1.202.736.8752, tdevlin@sidley.com) or the Sidley lawyer with whom you usually work.

1 The full text of the report can be found at http://ftc.gov/os/2013/03/130306mobilereport.pdf.

2 The materials from the workshop can be found at http://www.ftc.gov/bcp/workshops/mobilepayments/.

3 FTC, Protecting Consumer Privacy in an Era of Rapid Change, http://ftc.gov/os/2012/03/120326privacyreport.pdf.

The Banking and Financial Services Practice of Sidley Austin LLP

The Banking and Financial Services Practice group offers counseling, transaction and litigation services to domestic and non-U.S. financial institutions and their holding companies, as well as securities, insurance, finance, mortgage, and diversified companies that provide financial services. We also represent all sectors of the payments industry, including payment networks and processors, money transmitters, and payors and payees in various systems. We represent financial services clients before the U.S. Department of the Treasury, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau and state regulatory agencies, as well as financial services regulators in other jurisdictions where we have offices. In addition, we represent clients before the United States Supreme Court, other federal courts and state courts.

To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe.

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.