On April 26th, the FTC gathered private sector representatives, regulators, and academics for a workshop to discuss the state of the mobile payment industry. Some commentary has interpreted regulators’ comments at the workshop to be a signal that regulators intend to use a “light touch” as the industry matures, but the phrase only partially hits the mark.
Regulators from both the US and the EU gave the industry one good reason to be hopeful. Neither jurisdiction appears anxious to establish new mobile payment-specific regulations in the near future. Yet, industry participants must be careful not to take their optimism too far. Hesitance to layer on new requirements is not the same as reluctance to enforce existing financial services regulations strictly.
A common theme emerged across multiple panels: Regulators will approach mobile payment products from the default perspective that the regulatory regimes applying to underlying payment devices—predominately credit, debit, and prepaid cards—will apply in equal force to mobile payment products that make use of those devices. In particular, regulatory priorities were on display in a morning session in which two FTC staffers presented the results of a survey of the privacy and dispute policies of 19 mobile payment products. Though the discussion proceeded at a high level of generality, it appeared clear that the FTC expected to see many of the same features in these two policies for mobile payment providers as they would in the policies for traditional payment systems.
One clear takeaway should be that in an already complex financial services regulatory environment, mobile payment providers do not need to be subject to additional new regulations to face substantial compliance burdens. For instance, mobile payments will require providers to implement new information security policies to satisfy the Gramm-Leach-Bliley Act’s Safeguards Rule, as customer information may flow to more parties and/or through devices with more varied security capabilities than are typical for traditional payment systems. Furthermore, providers will have to consider how the fraudulent transaction and dispute resolution provisions of Regulation E and Regulation Z will interact with new payment systems, including how they will allocate liability among program participants, in order to draft appropriate disclosures and contracts.
In fact, two of the biggest reasons to be excited about the future of mobile payments are also reasons providers must not take compliance lightly, even if they have experience in traditional payment systems. Mobile payment products are diverse and novel. First, diversity, driven in part by broad definitions of what constitutes the mobile payment industry, reduces the likelihood that providers will find a clear analog in traditional payment systems to guide compliance decisions. Mobile payment systems vary on at least six major dimensions—who offers the product, payment transmission technology, whether the product is open- or closed-loop, underlying funding source(s), security features, and rewards programs—each of which could affect how current regulations apply. Second, novelty in numerous aspects of the consumer experience, from establishing accounts to completing a transaction to reviewing activity after the fact, further increases the likelihood that providers will be operating in uncharted territory. Both factors suggest that business solutions designed to meet the application of existing regulations to traditional payment systems may need to be retooled for the new fact patterns presented by mobile payment products.
The FTC Workshop, a recording of which is still available online, provided a glimpse of how US regulators view the mobile payment industry. An upcoming EU conference on “Card, Internet, and Mobile Payments,” scheduled to be held in Brussels and webcast live on May 4th, may provide additional guidance on international compliance. The EU conference will be based, in part, on a previously released draft green paper entitled, “Towards an integrated European market for card, internet and mobile payments.”
With mobile payment-specific regulation off the table for now, providers should monitor how regulators draw parallels between traditional payment systems and new mobile products. Any similarities identified will be the basis for regulatory enforcement unless and until the industry matures to the point that regulators feel more substantial guidance would be appropriate.