On March 8, 2013, the Federal Trade Commission (FTC) released a staff report, entitled “Paper, Plastic…or Mobile? An FTC Workshop on Mobile Payments,” addressing its consumer protection concerns in the mobile payments area. The FTC’s preliminary review is a follow-up to the Board of Governors of the Federal Reserve System report, entitled “Consumers and Mobile Financial Services,” that focused on the growth of mobile payments and banking.
The FTC staff report, available here, examines mobile payments as a proven new technology which consumers are expected to adopt widely in the next few years. Thus, the FTC emphasized “its mandate to protect consumers in the commercial marketplace” and “broad jurisdiction over many of the companies that participate in the mobile payments ecosystem.” These include hardware manufacturers, operating system and application developers, data brokers, coupon and loyalty program administrators, payment card networks, advertising companies, retailers and other merchants and in certain cases telecommunications carriers.
The report’s analysis includes technologies and products to facilitate mobile payments using various funding sources (e.g., credit card, debit card, bank and mobile phone accounts), such as Near Field Communications (NFC), mobile apps, online checkout wallets and mobile carrier billing
The report underscores the FTC’s ongoing interest in the mobile payments area. While the agency shares enforcement powers with the Federal Communications Commission and Consumer Financial Protection Bureau (CFPB) over some mobile payment methods, the FTC clearly intends to ensure that consumers have adequate protections and information they need to make informed choices regarding mobile payments. As a result, the report commits the agency to continued evaluation of the mobile payment marketplace as new services and products are developed.
Consumer protection concerns
The FTC staff identifies three primary areas of focus relating to mobile payments: (a) dispute resolution, particularly with mobile carrier billing, (b) data security, and (c) privacy. The report addresses each, provides suggestions and outlines the FTC’s primary concerns in each area.
Dispute Resolution in the Mobile Payments Context: Extended Protections
A most significant concern is the resolution of disputes in the case of fraudulent or unauthorized charges. The FTC staff notes that mobile payment users may not recognize that protections against such charges can vary based on the underlying funding source. For example, transactions involving credit and debit cards are afforded statutory liability protections (e.g., credit card cap liability for unauthorized use at $50) that do not apply to other payment methods (e.g., general purpose reloadable card (GPR), also known as a prepaid debit card).
The general protections of the FTC Act do apply; and some companies have filled the gap with contractual protections in the event of payment disputes involving GPRs. The report cites the FTC’s support for the CFPB possibly extending legal protections to GPRs to (a) limit liability, (b) require disclosure for fees and expiration dates, (c) establish error resolution procedures, and (d) set authorization standards for recurrent payments (the CFPB issued an advanced notice of proposed rulemaking last year to extend Regulation E to GPRs in 2012 although final action is not expected until at least 2014).
The report’s message is clear: Companies should “develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers” so that consumers can understand their rights and protections when deciding whether to pay with a particular mobile device and particular funding mechanism.
Mobile Carrier Billing: A Particular Concern
The FTC staff expresses a special concern about mobile carrier billing (i.e., charging payments directly to a mobile phone bill). As a result, the report calls for carriers to:
(a) enable consumers to block all third party charges on their mobile accounts;
(b) “clearly and prominently” inform customers about possible third-party charges and how to block them; and
(c) establish a clear and consistent process for consumers who wish to dispute such charges and obtain reimbursements.
The report outlines other potential approaches, including standardizing and highlighting third-party billing descriptions, providing notifications to consumers, imposing contractual obligations regarding maintenance and access to customer authorization records, implementing standard dispute policies and allowing consumers to delay payment in good faith dispute situations, without penalty. In the staff’s view, additional protections, such as those already mandated for credit cards, are needed to protect consumers in the mobile payments field.
Interestingly, the report does not address state money transmitter licensing issues that may be raised by mobile carrier billing. However, the FTC staff is organizing a separate roundtable on mobile carrier billing issues for May, 2013.
Consumer Data Security in Mobile Payments
The report finds that a key concern for consumers when making mobile payments is the security of their sensitive financial information. The FTC staff concludes that although the technology to provide enhanced security in the mobile payments market is available (e.g., end-to-end encryption, dynamic data authentication), “it is not clear that all companies are employing it.”
The report recommends that mobile payment providers should “increase data security” and “encourage adoption of strong security measures by all companies in the mobile payments chain.” The FTC staff notes that many federal and state laws also impose data security requirements on businesses that collect and use financial information and other sensitive data. Finally, the report outlines practical steps that consumers themselves can take to secure their sensitive data in the mobile payments marketplace (e.g., password protections, particularly for any payment apps).
The FTC staff finds that mobile payments raise significant privacy concerns, due to the growing number of companies involved in the transactions and their access to detailed consumer data. The report expresses concern about “multiple players within the mobile payments ecosystem” who gather, consolidate and purchase data in a way not possible under traditional payments regimes.
As a result the FTC staff encourages companies in the mobile payments marketplace to implement the three basic principles put forth in the agency’s March 2012 report on “Protecting Privacy in an Era of Rapid Change,” available here:
(a) Privacy by design: companies should consider and address privacy at every stage of product development;
(b) Simplified choices: consumers should be given specific, clear choices about data collection and use in the mobile payments arena; and
(c) Transparency: Companies in the mobile payments field should be transparent about their data collection and use, to increase consumer trust in this growing marketplace. This topic was a key focus of an earlier FTC staff report, released in February, on mobile privacy disclosures, available here.
The world is “going mobile” – a movement that includes making payments through mobile devices and apps. The focus of the Commerce Department’s National Telecommunications and Information Administration on mobile privacy in its multi-stakeholder approach to mobile privacy is likely to include mobile payment companies as they draft principles for industry to adopt. This effort, combined with the Worldwide Web Consortium’s (W3C) Tracking Protection Working Group, and the Digital Advertising Alliance signal a broad focus on data security, privacy and new legal and self-regulatory regimes to address advancements in technology and exciting new innovations, including mobile payments.
The rapid adoption of such new innovations, notably in the mobile payments industry, will lead to ease in commerce but will undoubtedly raise additional questions about whether the government or third party groups must create mechanisms to protect consumers. This latest FTC staff report is further evidence that the agency will continue to be vigilant in protecting consumers using mobile payment methods.