• The Fed conducts U.S. monetary policy to promote maximum employment, stable prices, and moderate long-term interest rates in the U.S. economy
• The Fed promotes the stability of the financial system and seeks to minimize and contain systemic risks through active monitoring and engagement in the U.S. and abroad
• The Fed also promotes the safety and soundness of individual financial institutions and monitors their impact on the financial system as a whole
• The Fed is the lender of last resort to member banks (through discount window lending)
• In “unusual and exigent circumstances,” the Fed may extend credit beyond member banks, to provide liquidity to the financial system, but not to aid failing financial firms
• The Fed may initiate a resolution process to shut down firms that pose a grave threat to financial stability. The FDIC and the Treasury Secretary have similar powers

• Regulates non-bank mortgage-related firms, private student lenders, payday lenders, and larger consumer financial entities
• Does not supervise insurers, SEC and CFTC registrants, auto dealers, sellers of non-financial goods, real estate brokers and agents, and banks with assets less than $10 billion
• Writes rules to carry out federal consumer financial protection laws

• Protects consumers from unfair and deceptive practices in the marketplace
• Maintains competition to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes

• Full range of regulatory coverage that parallels the U.S. federal regulatory system (to the extent not preempted by federal laws and regulations)
• Regulate most entities operating in the state
• Regulatory oversight often applies even to businesses that operate over the web or via mobile platforms and in the absence of a physical presence in the state, as long as such businesses transact with consumers and businesses in that state

The European Commission, European Central Bank, and other European national and regional authorities, together with the European Payments Council (EPC) administer the SEPA rules in Europe

• NACHA and the EPC define, maintain, and enforce the operation of electronic fund transfers running through the automatic clearing house (ACH) network in the U.S., and respectively the Single Euro Payments Area (SEPA) network in Europe
• NACHA and the EPC perform parallel roles in the U.S. and Europe, and each of them also pursues additional initiatives beyond ACH and SEPA

• Unfair, deceptive, or abusive acts and practices can cause significant financial injury to consumers, erode consumer confidence, and undermine the financial marketplace. Under the Dodd-Frank Act, it is unlawful for any provider of consumer financial products or services or a service provider to engage in any unfair, deceptive, or abusive act or practice
• The CFPB enforces UDAAP rules to prevent unfair, deceptive, or abusive acts or practices for consumer financial products and services. Consequently, the UDAAP regulations apply to any entity that markets or provides financial products and services to consumers

• Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45) prohibits “unfair or deceptive acts or practices in or affecting commerce.” This prohibition applies to all persons engaged in commerce, including banks. The FTC has is authorized under Section 8 of the Federal Deposit Insurance Act (FDIA) to take appropriate action when unfair or deceptive acts or practices (UDAP) are discovered
• Given the overlap in terminology between UDAAP and UDAP, it is not surprising that the FTC and the CFPB could overlap in their regulatory activities. Indeed, the FTC's regulatory mandate requires the FTC to look for other violations of parallel laws and regulations when the FTC identifies UDAP violations in the course of its audits.

• The EFTA - Regulation E is the primary regulatory framework for e-commerce
• Regulation E protects consumers engaging in electronic fund transfers (EFTs) and remittance transfers, including:
• • transfers through automated teller machines (ATMs);
  • point-of-sale (POS) terminals;
  • ACH systems;
  • telephone bill-payment plans in which periodic or recurring transfers are contemplated;
  • remote banking programs; and
  • remittance transfers
• The Dodd-Frank Act transferred rulemaking authority under the EFTA from the Fed to the CFPB

• The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) is a comprehensive regulatory framework that restructured large areas of e-commerce and e-banking, including the creation of the Consumer Financial Protection Bureau (CFPB)
• Dodd-Frank covered a wide range of e-commerce and e-banking regulatory matters, and was implemented through material revisions to existing rules and legislation coupled with new legislation and reassignment of enforcement obligations among existing and newly created federal agencies. For example, Dodd-Frank covered issues such as the orderly liquidation authority of financial entities (Title II), reassignment of various agencies responsibilities (Title III), regulation of insurance (Title V), regulation of bank and savings associations (Title VI), regulation of payment and settlement activities (Title VIII), the establishment and assignment of duties to the CFPB (Title X), and more
• Dodd-Frank was subsequently rolled back in some e-banking and e-commerce areas by the Economic Growth, Regulatory Relief and Consumer Protection Act, which became effective in 2018
• A much broader bill designed to materially scale back Dodd-Frank (the Financial Choice Act) was passed in the House of Representatives in 2017, but failed in the Senate

• The Truth in Lending Act (TILA) was enacted on May 29, 1968, as title I of the Consumer Credit Protection Act and has been amended extensively since then, including material changes made pursuant to the Dodd-Frank Act. TILA is implemented by Regulation Z
• TILA applies to both e-commerce and e-banking, and generally seeks to ensure that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably. Creditors must use the same credit terminology and expressions of rates. In addition to providing a uniform system for disclosures, TILA regulates credit billing and credit card practices, provides consumers with rescission rights in certain lending transactions, establishes rate caps on certain dwelling-secured loans, regulates home equity lines of credit and certain closed-end home mortgages, and generally prohibits unfair or deceptive mortgage lending practices

• The Consumer Leasing Act (CLA) was originally passed in 1976 and was part of TILA (implemented by Regulation Z). Subsequently, the CLA was restated as Regulation M and was amended further, eventually coming within the regulatory scope of the CFPB
• The CLA generally applies to consumer leases of personal property and requires accurate disclosure of lease terms to help consumers compare different leases, and to compare the cost of leasing with the cost of buying. In addition, the CLA puts limits on balloon payments sometimes due at the end of a lease and regulates advertising

• Implemented under the EFTA through Regulation E and Regulation Z
• The prepaid accounts rule is another fundamental framework for e-commerce given the recent popularity of prepaid accounts as alternative mechanisms to store, distribute, and spend funds by both employers and consumers
• Material amendments to Regulation E were recently finalized and will become effective on April 1, 2019
• Covers disclosures, limitations of consumer liability, error resolution, and periodic statements for certain types of prepaid cards
• Regulates overdraft credit features that may be offered in conjunction with prepaid accounts

• Regulation CC implements the Expedited Funds Availability Act (EFA Act) and the Check Clearing for the 21st Century Act (Check 21)
• Requires banks to make available funds deposited into transaction accounts according to specified time schedules and to disclose their funds availability policies to their consumers
• Expedites the collection and return of checks and electronic checks, and describes requirements that affect banks that create or receive substitute checks

• CAN-SPAM regulates commercial aspects of electronic communications
• Requires warning labels for commercial electronic mail that contains sexually oriented material
• Prohibits senders to charge a fee or imposing other requirements on recipients who wish to opt out
• Separate email violations can trigger penalties up to $41,484

• The TCPA restricts telephone solicitations (i.e., telemarketing) and the use of automated telephone equipment
• Limits the use of automatic dialing systems, artificial, or prerecorded voice messages, SMS text messages, and fax machines
• Specifies several technical requirements for fax machines, autodialers, and voice messaging systems (e.g., requiring identification and contact information of the sender)

• The E-Sign Act provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce
• Allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent
• The E-Sign Act is invoked extensively throughout various other rules and regulations enforced by the FDIC, CFPB, FTC, and other government agencies as a framework for obtaining end consumer consents

• The FCRA (Regulation V) is a regulatory framework for the furnishing, use, and disclosure of information in reports associated with credit, insurance, employment, and other decisions made about consumers
• Imposes a number of obligations on entities that qualify as "consumer reporting agencies" and on persons who use consumer report information (users) or furnish information to consumer reporting agencies (furnishers)
• Requires that furnishers ensure the accuracy of the data placed in the consumer reporting system
• Prohibits the use of consumer reports for impermissible purposes, and requires users of consumer reports to provide certain disclosures to consumers
• Limits certain information sharing between affiliated companies

• The RFPA establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer's financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object. The RFPA imposes related limitations and duties on financial institutions prior to the release of information requested by federal authorities.
• The RFPA has been amended several times in recent years to permit greater access without customer notice to customer information requested for criminal law enforcement purposes and for certain intelligence activities.

• The primary goal of COPPA is to place parents in control over what information is collected from their young children online.
• COPPA protects children under age 13 and applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children.
• Also applies to operators of general audience websites or online services in some cases.
• Obligations include disclosures, opt-in rights for parents, etc. Parental rights under COPPA parallel aspects of GDPR (this reinforces the general guidance that compliance with GDPR is helpful to achieve universal privacy compliance within the U.S. and globally)

• The payment card industry (PCI) establishes, monitors, and enforces a wide range of standards through the PCI Security Standards Council (PCI Council). These standards govern the processing of payment cards and cardholder data through the member credit card networks. It is important to note that enforcement of compliance with PCI DSS and determination of any non-compliance penalties are carried out by the individual payment networks and not by the PCI Council.

The standards developed and maintained by the PCI Council include the following:

• The Payment Card Industry Data Security Standard for Merchants & Processors (PCI DSS) is a global data security standard that applies to entities involved in the processing of payment cards through the member credit card networks. PCI DSS covers a wide range of vendors, merchants, banks, and payment processors, and addresses 12 categories of security requirements
• The Payment Application Data Security Standard (PA-DSS) is a global standard that parallels PCI DSS and applies to software developers and integrators of applications that store, process, or transmit cardholder data as part of payment authorization or settlement. PA-DSS covers 14 categories of security requirements. It is important for e-commerce merchants and retailers to realize that use of a PA-DSS compliant application by itself does not make the merchant or retailer automatically PCI DSS-compliant because the PA-DSS application must be implemented into a PCI DSS compliant environment and must follow a PA-DSS Implementation Guide provided by the application vendor
• The PCI Point-to-Point Encryption (P2PE) Standard facilitates the development, approval, and deployment of PCI-approved P2PE solutions that increase the protection of cardholder data by encrypting data from the point of interaction within the encryption environment where account data is captured through to the point of decrypting that data inside the decryption environment. The P2PE Standard is directed at P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions
• The PCI PIN Security Standard establishes a set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals. The PCI PIN Security requirements address seven control objectives that are directed at acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the cardholder accounts. The individual payment brands monitor and enforce compliance with this standard
• The Pin Transaction Security (PTS) Hardware Security Module (HSM) Standard establishes requirements for designing HSMs to meet the security needs of the payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs. The PTS HSM Standard provides vendors with a list of all security requirements against which their products will be evaluated in order to obtain PCI PTS HSM device approval
• The PCI PIN Security Requirements Standard establishes requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals. These PIN Security Requirements include 33 requirements organized into seven control objectives. The PIN Security Requirements apply to acquiring institutions and agents responsible for PIN transaction processing on cardholder accounts, but do not apply to issuers. The PIN Security Requirements identify minimum security requirements for PIN-based interchange transactions, outline the minimum acceptable requirements for securing PINs and encryption keys, and protect cardholder PIN numbers
• The PIN Transaction Security (PTS) Point of Interaction (POI) Standard provides vendors with a list of all the security requirements against which their product will be evaluated in order to obtain PCI PTS POI device approval. The PTS POI Standard applies to products in the following categories:
  • PED or UPT POI devices: Complete terminals that can be provided to a merchant “as-is” to undertake PIN-related transactions. This includes attended and unattended POS PIN-acceptance devices
  • Non-PIN acceptance POI devices evaluated for account data protection
  • Encrypting PIN pads that require integration into POS terminals or ATMs. Overall requirements for unattended PIN-acceptance devices currently apply only to POS devices and not to ATMs
  • Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers
• The Card Production and Provisioning (CPP) Standard applies to the security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution. The CPP Standard applies to entities that: a) perform cloud-based or secure element (SE) provisioning services; b) manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or c) manage associated cryptographic keys. The CPP Standard does not apply to vendors who are only performing the distribution of secure elements
• The PCI Card Production and Provisioning Physical Security (CPPPS) Requirements Standard applies to entities involved in payment card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The CPPPS Standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes: card manufacturing, chip embedding, personalization, storage, packaging, mailing, shipping or delivery, and fulfillment
• The PCI Three-Domain Secure (3-D Secure, or 3DS) Standard defines a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. This standard is intended to support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. The three domains consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (for example, payment systems). The PCI 3DS Security Requirements applies to EMV 3-D Secure Core Components (ACS, DS, and 3DS Server) and perform certain functions defined in the EMV 3-D Secure Protocol and Core Functions Specification. The PCI Council maintains a set of related standards documents specifying the compliance requirements for entities involved with 3DS transactions, products, or services
• Additional security requirements and assessment procedures for token service providers (EMV payment tokens). This standard establishes physical and logical security requirements and assessment procedures for token service providers that generate and issue EMV payment tokens. A token service provider is an entity that provides a token service comprised of the token vault and related processing, and has the ability to set aside licensed ISO BINS as token BINs to issue payment tokens for PANs

• Visa, MasterCard, and other credit card network operators have established extensive rules that govern the processing, authorization, settlement, and other aspects of payment card processing. These rules apply to e-commerce merchants and retailers that accept payment cards online, via mobile apps, or in physical brick-and-mortar stores
• These rules become more relevant for e-commerce business models that include recurring payment plans and/or aggressive card processing rules. For example, merchants using more sophisticated and aggressive card processing methods or working with vendors that specialize in card fund collection may see their chargeback rate increase towards 1 percent, in which case they may start to come under particular scrutiny from the card network brands, and may eventually even incur fines. Nevertheless, balancing more aggressive card processing programs with good business procedures and fair-but-firm collection practices can significantly increase the next profit margin for e-commerce merchants. It is important to consider other applicable laws and regulations for programs like these, however, including the UDAAP and UDAP frameworks overseen by the CFPB and FTC (see discussion above)

Single Euro Payments Area (SEPA) Regulation in Europe, implemented by Regulation (EU) No 260/2012 of the European Parliament dated March 14, 2012 and European Payments Council Rulebooks

• The National Automated Clearing House Association (NACHA) administers the Automatic Clearing House (ACH) rules in the U.S.
  • The ACH Network connects U.S. banks, financial institutions, and a variety of IT vendors, and enables the movement of money and ACH data between them.
  • NACHA administers a set of operating rules for ACH payments, which define the roles and responsibilities of ACH network participants. These operating rules address issues similar to those covered by the card networks rules, including consumer disclosures, consents, payment processing rules, etc.
• ACH transactions can include debit or credit payments, direct deposit of payroll, deposit of government and Social Security benefits, electronic mortgage and bill payments, online banking payments, person-to-person (P2P) and business-to-business (B2B) payments, etc.
• NACHA transaction flows can involve the following:
  • An originator (e.g., a consumer or business), which initiates either a direct deposit or direct payment transaction using the ACH Network
  • ACH entries are entered and transmitted electronically
  • An originating depository financial institution (ODFI), which enters the ACH entry at the request of the originator
  • The ODFI may aggregate payments from customers and then transmit them in batches at regular, predetermined intervals to an ACH operator
  • ACH operators receive batches of ACH entries from the ODFI. The two current ACH operators are two central clearing facilities operated by the Federal Reserve and the NACHA
  • ACH transactions are sorted and made available by the ACH operator to the Receiving Depository Financial Institution (RDFI)
  • A receiver's account is debited or credited by the RDFI, according to the type of ACH entry. Receivers may include consumers and businesses
  • ACH credit transactions normally settle in one to two business days
  • ACH debit transactions normally settle in one business day
• The European Payments Council (EPC), working with the European Commission, European Central Bank, and other European national and regional authorities, manages the Single Euro Payments Area (SEPA) electronic payments network in Europe.
• The EPC focuses on four main SEPA regulatory frameworks, which cover electronic payment transactions across 34 European countries (both within individual countries and between countries):
  • SEPA Credit Transfer scheme
  • SEPA Instant Credit Transfer scheme
  • SEPA Direct Debit Core scheme
  • SEPA Direct Debit Business-to-Business scheme
• In additional to managing SEPA, the EPC is also currently active in other areas of e-commerce in Europe, and therefore ongoing regulatory activity should be expected to occur in areas such as mobile payments, person-to-person remittances, e-invoicing, payment security, and card standardization.

• UETA provides uniform rules at the state-level governing electronic commerce transactions. UETA parallels the E-Sign Act at the state level and establishes a legal foundation for the use of electronic communications in transactions where the parties have agreed to deal electronically. UETA validates and supports the use of electronic communications and records and places electronic commerce and paper-based commerce on the same legal footing
• UETA rules are primarily for “electronic records and electronic signatures relating to transactions” that are not subject to the Uniform Commercial Code (UCC). But UETA rules do affect sale transactions under Articles 2 and 2A of the UCC. UETA 1) creates a uniform standard for validating online contracts; 2) provides for the validity of transferable records executed on line; and 3) creates consumer protections and safeguards.
• In general, for a typical company involved in e-commerce or e-banking, complying with the E-Sign Act will inherently also achieve UETA compliance. But some subtle differences do exist and can become relevant in some less-common applications

• E-commerce companies must also comply with extensive data privacy and data security legislation in the U.S. and around the world, which may be defined at the provincial level (e.g., Canadian provinces), national level (e.g., U.K., Germany, France), Federal level (e.g., HIPAA, RFPA), state level (e.g., California, New York), regional or common market level (e.g., GDPR within the European Community), or international level (e.g., U.S.-EU Privacy Shield)
• It is also important to understand that a particular e-commerce transaction may be subject to multiple laws and regulations that relate to privacy or data security, and that some of those may establish conflicting requirements (e.g., data retention obligations under PCI DSS regulations v. California or GDPR privacy laws v. tax retention guidelines)
• Companies operating in the telecommunications industry, both wired and wireless, are subject to additional legal and regulatory requirements in the U.S. and in other countries, which address such companies' fundamental role in acting as communication conduits both domestically and internationally.

The regulatory landscape outlined above shows that data privacy and security is a complex topic that affects e-commerce from multiple directions, particularly with respect to data analytics and data monetization, and these issues will be addressed in more detail in a future paper.