FTC Report Issues Recommendation on Mobile Payments
This year, 2013, is definitely shaping up to be the “Year of Mobile” at the FTC, as predicted last month. Just last week the FTC’s latest Staff Report, Paper, Plastic,... Mobile – An FTC Workshop on Mobile Payments (“Staff Report,” PDF) serves to kick the ball further downfield in the FTC’s mobile push and begins to address issues in the burgeoning mobile-based payment market. The Staff Report, which summarizes discussions, follow-ups and preliminary recommendations resulting from the FTC’s April 2012 workshop on Mobile Payments (workshop presentations and archived webcast available at http://www.ftc.gov/bcp/workshops/mobilepayments/), arrives ahead of yet another FTC mobile - “Cramming Roundtable” - workshop to cover third party charges this May 8.
Despite the stunning growth of mobile devices, from smartphones, netbooks and tablets, the nascent mobile payments industry remains firmly in the infancy stage, with a great deal of uncertainty and opportunity even though 83% of financial services executives believe, according to a recent survey, that mobile payments will “achieve widespread mainstream consumer adoption” by 2015.
As the FTC notes “mobile payments offer many potential benefits, [and] they also raise consumer protection concerns” as many larger players (including, according to the Staff Report, Google, Intuit, AT&T, Verizon, T-Mobile, VISA, Verifone and others) have or are entering the mobile payments market while the mobile payment arena itself relies on larger numbers of “moving parts” than other payment methods, which include hardware manufacturers, OS and application developers, data brokers, coupon/loyalty program administrations, payment card networks, advertising companies, retailers and merchants. Reflecting last April’s workshop discussions, the newly issued Staff Report focuses on three main areas as potential stumbling blocks to widespread mobile payment acceptance.
The Staff Report’s three areas of consumer protection focus are Dispute Resolution, Security and Privacy, which in turn riff against the FTC’s earlier and broader “Privacy Framework” (Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers (Mar. 2012), available at http://ftc.gov/os/2012 /03/120326privacyreport.pdf (“Privacy Framework”) in which the FTC stated that its foundational recommendations of (1) “privacy by design,” (2) simplified choice for businesses and consumers, and (3) greater transparency all apply equally to mobile applications, as well as other online venues.
Dispute resolution. The Staff Report highlights that consumer confusion on rights and protections offered by mobile payment services linked to differing payment sources vary significantly, which could stymy market growth. Where consumers using mobile payment schemes linked to credit and debit cards are generally capped at a $50 liability (or $500 in the case of debit cards if the unauthorized charges are not reported within two business days) funding schemes linked to pre-paid and gift cards garner no analogous federal statutory protections capping losses from unauthorized usage.
Although the Consumer Financial Protection Bureau is delving into mechanisms for extending current protections offered credit/debit cards to “general purpose reloadable cards” the end result remains unclear. However, the FTC has filed comments with the CFPB on the matter covering four protections that apply to other cards, including liability limits, fee disclosures, resolution procedures and payment authorization standards.
Interestingly, according to the FTC, a number of companies (three of seven companies embracing funding from stored value cards, according to staff reviews) have stepped in to fill the liability gap by voluntarily limiting customer’s liability to $50 for unauthorized use of such cards. Nevertheless, the Staff Report recommends that (a) companies develop clear policies for consumers regarding unauthorized charges, and (b) that policymakers should consider providing balanced and consistent protections across differing mobile payment options for consumers. One specific concern highlighted in the Staff Report, “cramming” or the practice of unauthorized third-party charges on consumer’s mobile bills, received enough attention in light of mobile carrier billing practices to become the main topic of the FTC’s upcoming Roundtable on May 8th.
Consumer Data Security in Mobile Payments. While payment security is always the 800 pound gorilla in any commercial online transaction, the security zoo surrounding mobile payments is particularly well-stocked with primates of all types and a key reason why, according to a March 2012 Federal Reserve study, consumers have not widely used or embraced mobile payments to date.
Given the volume and types of sensitive financial information that could flow through the mobile payment channel, as well as the additional potential complexity involved with some mobile payments, the Staff Report recommends that mobile payments be “end-to-end encrypted” and that mobile payment providers could, among other various techniques, utilize “dynamic data authentication” (where unique user payment credentials are generated per individual transaction) thereby cutting off the potential for downstream misuse. The FTC Staff Report further recommends that mobile payment providers “encourage adoption of strong security measures by all companies in the mobile payments chain” beyond those mandated currently by various federal and state data security laws.
Not letting consumers fully off the hook, however, the FTC recommends they utilize strong passwords to unlock smartphones and, if available, secondary passwords to access any payment apps. They note, too, that consumers “should be informed that if a phone with mobile payment apps is stolen, they can contact their mobile carrier immediately and have the phone and all payment apps disabled.”
In short the FTC Staff Report issues a calm “call to arms” for those in the mobile payment chain while the relative size of the domestic market remains small.
Privacy. Privacy. Privacy. If location, location, location is the uber mantra for physical real estate, then privacy, privacy, privacy is the digital analog, at least when it comes to consumer data usage and collection. The Staff Report flatly states “the use of mobile payments raises significant privacy concerns” resulting from – and this will come as no surprise to those who follow the FTC’s pronouncements - the huge amounts of data at issue and the large number of companies involved in mobile payment ecosystems, which enables players to collect and analyze personal and purchase data in ways far more comprehensive that what may be available in more traditional payment regimes.
Above and beyond the troika of banks, merchants and payment card networks/clearing houses that are involved in “traditional” payment methods, mobile payments add a slew of supporting cast and characters, such as hardware manufacturers, OS and application developers, mobile phone carriers, data brokers, coupon/loyalty program administrations, advertising companies and third party retailers. As a result, “any or all of these parties may have access to more detailed data about a consumer and the consumer’s purchasing habits as compared to data collected when making a traditional payment” leading to additional privacy concerns with the rise of “Big Data.” (See The Privacy Legal Implications of Big Data: A Primer).
In response to privacy concerns the FTC, again not surprisingly, calls upon the mobile payment industry to embrace and adopt the three basic practices recommended in the agency’s Privacy Framework: 1) privacy by design, 2) simplified choice for businesses and consumers, and 3) greater transparency, which we covered in depth with the release of the preliminary Privacy Framework (Review of FTC’s Proposed Privacy Framework and What’s Next for the FTC’s Proposed Privacy Framework?), and revisited when the final Privacy Framework was issued last year (FTC Issues Final Commission Report on Protecting Consumer Privacy). With regards to mobile the Staff Report expressly highlights “geolocation information” as a specific potential concern for the mobile payment world.
Additionally, the Staff Report recommends providing “appropriate choices to consumers about data collection and use related to mobile payments,” including giving consumers the ability to restrict disclosures not necessary to payment completion, which ties into the FTC’s “greater transparency” push and dovetails neatly with the another recent FTC staff report covering mobile privacy disclosures (FTC Releases Recommendations for Mobile Privacy Disclosures).
Finally, the Staff Report briefly touches on issues and lessons to be learned from mobile payment technologies in use abroad and parallel work being done, for example, by the Organization for Economic Cooperation and Development (OECD)’s Committee on Consumer Policy (Report on Consumer Protection in Online and Mobile Payments (Aug 2012)) and the International Consumer Protection and Enforcement Network.
Conclusion. To date the FTC has taken active and proactive stances on framing issues and building out support for its recommendations in disclosures, privacy in the online world and associated data security practices. The agency’s enforcement actions on same have likewise stepped up a notch and we expect this to continue, particularly in the mobile arena, over the coming year. All companies would be well served to consider how, regardless of potential FTC actions, to best implement the underpinnings of privacy by design, simplified and clear but meaningful timely disclosures and examine how to provide transparent useful information in connection with any consumer mobile transaction or service. To discuss the latest Staff Report or any other aspect of FTC scrutiny or recommendations feel free to contact me or any of the attorneys at the InfoLaw Group.