The Federal Trade Commission (FTC) has released a staff report on mobile payments, which identifies and makes recommendations for three key issues in the mobile payment industry that the FTC believes present consumer protection concerns: dispute resolution, data security, and privacy.1 The March 2013 report follows an April 2012 mobile payment workshop that was convened by the FTC and attended by mobile payment companies, credit card companies, and consumer advocates.
The report signals the FTC's increased focus on the mobile payment sector, which the FTC attributes to its commitment to ensure consumer protections keep pace with newer technologies and business models. The FTC examined various technologies and practices involved in the mobile payment ecosystem for the purposes of the report, including Near Field Communication (NFC) technologies, mobile apps, online checkout wallets, and mobile carrier billing.
The FTC expressed strong concerns about how users of mobile payments can resolve disputes in the case of fraudulent payments or unauthorized charges. The report observes that consumer protections can vary greatly depending on the underlying funding source utilized by a mobile payment service, and that consumers remain largely unaware of this variation. For example, mobile payment services may link to a consumer's credit card, debit card, bank account, or mobile phone account as payment sources. The report highlights that while there are federal statutes protecting consumers from unauthorized credit card and debit card transactions,2 similar federal statutes do not exist with respect to pre-funded accounts, stored-value cards (such as gift cards, general purpose reloadable cards (GPR), and pre-paid debit cards), or mobile carrier bills.
With respect to GPRs, the report explains that there are currently no federal statutes that protect consumers from unauthorized charges other than the FTC Act, which prohibits unfair and deceptive acts or practices in or affecting commerce.3 However, the Consumer Financial Protection Bureau (CFPB) is considering whether to extend certain statutory protections to cover GPRs.4 The report describes a comment filed by the FTC to the CFPB in support of extending to GPRs the protections currently applicable to other types of payment cards, namely liability limits, disclosure requirements for fees and expiration dates, error resolution procedures, and authorization standards for recurring payments.5
In the report, the FTC applauds mobile payment service providers that have, through their agreements with consumers, offered certain consumer protections for payment disputes. The report recommends that providers develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers in order to assist them in determining whether to pay using a mobile device, and if so, which mobile payment service and funding system to use. However, the report also expresses concern that these voluntary consumer protections can be withdrawn or modified by providers. The FTC recommends that, should these protections turn out to be insufficient, policymakers weigh the benefits of providing consistent consumer protection across mobile payment service providers against the costs of implementing it.
Carrier Billing Dispute Resolution
The report identifies special dispute resolution issues with mobile carrier billing, which is the practice of charging payments directly to mobile phone bills. The FTC expressed concern that the practice of third parties placing fraudulent charges onto consumers' phone bills, known as "cramming," is on the rise. If allowed to proliferate, the report predicts that cramming could undermine mobile carrier billing as a legitimate and trusted payment option.
According to the FTC, outside of the FTC statute prohibiting unfair and deceptive acts and practices, there are no federal statutes that govern consumer disputes involving fraudulent or disputed transactions placed on their mobile phone bills. When disputes arise, consumers must rely on their agreements with mobile carriers or on the carriers' goodwill. In a comment to the Federal Communications Commission (FCC) that is cited in the report, the FTC recommended that consumers receive statutory or regulatory protection from crammed charges that appear on their mobile phone bill. The FTC recommended that:
consumers should have the ability to block all third-party charges on their mobile accounts, including on individual accounts operated by minors;
mobile carriers should clearly and prominently inform their customers that third-party charges may be placed on their accounts and explain how to block such charges at the time of account establishment and renewal; and
mobile carriers should establish a clear and consistent process for customers to dispute suspicious charges placed on their account and obtain reimbursement.6
The report also describes a number of other potential approaches that have been proposed to protect against mobile cramming and reveals that the FTC is in the process of organizing a roundtable for stakeholders in May 2013 to discuss the efficacy of current efforts to stop mobile cramming, the need for new approaches (whether voluntary, regulatory, or statutory), and the costs and benefits of any new approaches.7
Consumer Data Security
According to the report, both the FTC and consumers identify data security as another key concern with regard to mobile payments. The report notes that nearly 42 percent of U.S. consumers who have not made a mobile payment cited concerns about security as their primary reason for not doing so.8
The report expresses optimism regarding mobile payments' potential to increase data security for financial information over traditional payment systems. For example, mobile payment technology permits end-to-end encryption, while under the traditional payment system, financial data often is stored or transmitted unencrypted at some point during the payment process. Mobile payment systems also can use dynamic data authentication, which generates a unique set of payment information for each transaction, whereas credit card magnetic stripes contain static account information that can be used repeatedly for unauthorized transactions.
The report urges companies in the mobile payment chain to employ available technologies to adopt stronger security measures in order to avoid consumer harm, protect the reputation of the mobile payment industry, and comply with federal and state laws that impose data security requirements on businesses that collect and use financial information and other sensitive data.9 The FTC also encourages all stakeholders to raise consumer awareness about mobile payment security and outlines practical steps consumers can take to help secure their financial information.10
Finally, the report expresses the FTC's concerns regarding privacy issues raised by two attributes of mobile payment systems that are not present with traditional payment systems. First, more companies typically are involved in a single mobile payment transaction than in traditional credit card transactions. In addition to the banks, merchants, and payment card networks involved in a traditional payment system, hardware and operating system manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators often are involved in a mobile payment system. Second, much more personal data, as well as purchase data, can be collected and consolidated by some or all of these companies than what typically is collected in traditional point-of-sale credit card transactions. The report acknowledges that while increased data collection and consolidation raise privacy issues, these activities also may provide consumers with potential benefits in the forms of more targeted advertising and less fraud.
The FTC stressed in the report that the consumer privacy recommendations set forth in the FTC's March 2012 staff report on privacy (FTC Privacy Report)11 apply equally to companies in the mobile payment marketplace. In short, the FTC Privacy Report's key recommendations are to (i) practice "privacy by design," which calls for companies to consider and address privacy at every stage of product development; (ii) provide simplified choices for businesses and consumers about data collection and use; and (iii) provide greater transparency about data practices. Given mobile devices' ability to store and transmit precise geolocation information and facilitate increased levels of data collection, the report emphasizes the need for companies in the mobile ecosystem to implement reasonable data collection and security practices in practicing "privacy by design." The report references a recent FTC workshop and report12 as resources for companies to understand how to provide greater transparency about data practices on mobile devices,13 but acknowledges that effective privacy disclosures may be further complicated by the many entities involved in the mobile payment marketplace.
The FTC has made clear through its recent report that it is monitoring the mobile payment space and is interested in strengthening consumer protection to address dispute resolution, data security, and privacy concerns. The FTC has been particularly active in the mobile space this past year, both in terms of policy recommendations and enforcement actions, and we expect this trend to continue. Companies involved in the mobile payment ecosystem should consider the FTC's recommendations and determine how to best implement reasonable data collection and security practices and weave "privacy by design" into their business practices.
Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks relating to the collection, use, and disclosure of consumer data by mobile applications, along with attending to other rapidly changing domestic and international privacy and data security issues. For more information, please contact Lydia Parnes at email@example.com or (202) 973-8801; Tracy Shapiro at firstname.lastname@example.org or (415) 518-9273; Matt Staples at email@example.com or (206) 883-2583; Sharon Lee at firstname.lastname@example.org or (650) 849-3307; or any of the many members of our privacy and data security practice.