Mobile Payments: U.S. Regulatory Landscape and Developments June 12, 2013 Daniel S. Meade Timothy P. Tobin Mark W. Brennan


www.hoganlovells.com

Overview

• What are Mobile Payments?
• Payments Regulation
• Money Transmitter Licensing
• Privacy Landscape
• FCC Regulation
• TCPA
• CAN-SPAM
• Data Security


What are Mobile Payments?

A mobile device is necessary to effectuate the transaction

• A variety of platforms and technologies
  – P2P payments (e.g., apps/email/text - clearXchange)
  – M-Commerce payments (e.g., Paypal access)
  – Contactless payments (NFC-based)
  – Virtual wallets (e.g., Google Wallet, Isis)
  – Mobile payment acceptance – dongles or “swipe attachments” (e.g., Square)
  – Barcode scanning
  – Direct mobile billing

• Recent statistics


Payments Regulation

• Statutes and regulations applicable in U.S.:
  – Truth in Lending Act and Regulation Z for credit card-based products (disclosures and error resolution)
  – Electronic Funds Transfer Act and Regulation E for debit card-based products (disclosures and error resolution)
    • Includes requirements for third-party access device providers
  – Gramm-Leach-Bliley privacy and data security requirements
  – FinCEN/state money transmitter registration/licenses
  – Anti-money laundering and OFAC requirements
  – E-SIGN Act
  – Funds covered by FDIC or NCUA deposit insurance?
  – General state and federal consumer protection statutes and prohibition on UDAP and UDAAP


Payments Regulation (cont’d)

• Use of mobile devices can bring in other statutory or regulatory requirements
  – TCPA and CAN-SPAM
  – California and FTC mobile privacy disclosure guidelines

• New emerging payments are ahead of current statutory and regulatory framework
  – FinCEN statement on virtual currency
    • Available at http://fincen.gov/statutes_regs/guidance/html/FIN-2013-G001.html
  – CFPB proposal on general reloadable prepaid cards


Money Transmitter Licensing

• In general, a state money transmitter license is required whenever an entity is transmitting money.

• In general, most states take the view that if the money is received by the entity or the money goes on to the books of the entity either as stored value or for transfer to another person or place, it is likely transmitting money.

• Merely providing the information for other parties to perform a money transfer is not actually transmitting money, but is more akin to merchant processing, and therefore is not the business of money transmission (e.g., Dwolla).


Money Transmitter Licensing (cont’d)

• In most states, applicants and licensees are subjected to:
  – minimum net worth requirements
  – annual audited financial statements
  – on-site examination, and
  – surety bond requirements.

• Application/Licensing fees are generally between $1,000-$5,000 annually.


Money Transmitter Licensing (cont’d)

Ramifications for Failure to Obtain License: Recent Illinois Disciplinary Actions

| Date | Name | Action |
|---|---|---|
| 01/28/2013 | Netspend Holding, Inc. & Netspend Payment Service, Inc. | Cease and Desist Order |
| 01/28/2013 | Skrill USA, inc. | Cease and Desist Order |
| 01/22/2013 | Pelican Personified, Inc. | Cease and Desist Order |
| 01/22/2013 | Square, Inc. http://www.idfpr.com/dfi/CCD/Discipline/SquarePersonifiedCDOrder13CC208.pdf | Cease and Desist Order |
| 01/07/2013 | TouchPay Holdings, LP | Cease and Desist Order |
| 10/03/2012 | D I Collectibles, Inc | Cease and Desist Order |
| 07/27/2012 | QuickDinero, Inc. (MT-76) | Cease and Desist Order |
| 07/23/2012 | Dinar Corp, Inc | Cease and Desist Order |


Money Transmitter Licensing (cont’d)

Facecash and Mt. Gox as recent examples of Licensing issues

• http://www.thinkcomputer.com/corporate/whitepapers/heldhostage.pdf
• Dwolla’s Mt. Gox/Bitcoin Account seized by ICE in May 2013 http://www.washingtonpost.com/blogs/wonkblog/wp/2013/05/15/the-coming-political-battle-over-bitcoin/


Privacy Landscape

• Sectoral approach, but Gramm-Leach-Bliley Act is Touchstone
  – Depository institutions & non-banking entities engaged in “financial activities”
  – May not cover all entities in payments ecosystem

• FTC Act: Unfair or Deceptive Acts

• Dodd-Frank Act: Unfair, Deceptive or Abusive Acts or Practices (Consumer Financial Protection Bureau)

• State “little FTC Acts” and financial privacy laws


Privacy Landscape (cont’d)

• So many apps lacking “privacy by design”
  – Unexpected data collection
  – Unexpected data sharing
  – What to do: notice/consents/controls

• Regulators paying attention:
  – California AG actions and guidance:
    • Warning Letter to App Developers
    • Lawsuit against Delta Airlines
    • “Privacy on the Go: Recommendations for the Mobile Ecosystem” (Jan. 10 2013)
  – FTC Guidance
  – US NTIA multi-stakeholder self-regulatory code
  – Guidance from various organizations (FPF/CDT)


FCC Regulation

• Customer Proprietary Network Information (“CPNI”)
• Open Internet Transparency Rule
• Title III of the Communications Act, as amended


Telephone Consumer Protection Act

• Implemented by the FCC
• Restricts the use of “automatic telephone dialing systems” and the delivery of prerecorded messages.
• Requires “prior express consent,” subject to certain exceptions
• Applies to both voice calls and to text/SMS messages.
• Imposes other requirements related to telemarketing.


Telephone Consumer Protection Act (cont’d)

• In February 2012, the FCC adopted new rules applicable to prerecorded and autodialed telemarketing calls and text/SMS messages (“robocalls”).

• Callers now must obtain prior express written consent to place prerecorded or autodialed telemarketing calls and messages.

• The written consent must be signed (compliance with the E-SIGN Act is acceptable) and be sufficient to show that the consumer:
  – (1) received “clear and conspicuous disclosure” of the consequences of providing the requested consent, i.e., that the consumer will receive future prerecorded and autodialed calls and text/SMS messages by or on behalf of a specific seller; and
  – (2) having received this information, agrees unambiguously to receive such calls at a telephone number that the consumer designates.


Telephone Consumer Protection Act (cont’d)

• The written agreement must be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.”

• The caller/seller bears the burden of demonstrating that a clear and conspicuous disclosure was provided and that unambiguous consent was obtained.

• Effective date: October 16, 2013

• The FCC also made other changes to its TCPA rules: how parties calculate the call “abandonment” rate; adopted an exemption for certain HIPAA-regulated calls; required parties to incorporate an interactive opt-out mechanism for telemarketing robocalls.


CAN-SPAM

Requirements for commercial emails sent to e-mail addresses associated with mobile telephones:

(1) Obtain “prior express authorizations”
(2) Cease sending further messages within ten (10) days after receiving such a request by a subscriber
(3) Include a functioning return electronic mail address or other Internet-based mechanism for opt-outs
(4) Provide a functioning opt-out option by the same electronic means that was used to obtain authorization
(5) Ensure that at least one opt-out option is free to the subscriber
(6) Identify the sender
(7) Keep the opt-out open for at least 30 days after sending the mobile message


Data Security

• GLBA data security rule
• Banking Regulators’ supervisory authority over banking payment interfaces
• Federal Financial Institutions Examination Council Guidance
• CFPB prohibition on unfair, deceptive or abusive acts and practices
• PCI DSS and PA DSS
• GlobalPlatform Card Specifications
• ISO 27001/27002


Data Security (cont’d)

• Fraud Threats:
• Convenience versus Security:
  – user-friendly (e.g., longer period between lock-out) can be at odds with security (e.g., user authentication for each transaction)
  – User-friendly (e.g., short pin/passcode) versus security (robust but without complexity)
• Lack of Encryption for contactless payment
• Mobile Malware/Malvertising
• Rogue Apps
• Mobile “Smishing”


Data Security

• Stay abreast of developing threats
• Follow security standards
• User authentication
  – Password/keypad locks
  – Active session lock outs
• Encryption
• Remote Wiping
• Anti-virus software
• Regular audits
• Security updates
• Data breach preparedness
• Contractual controls


Questions?


Key Contacts


Timothy P. Tobin, Partner, Washington, D.C., T +1 202 637 [email protected]

Daniel S. Meade, Partner, Washington, D.C., T +1 202 637 [email protected]

Mark W. Brennan, Associate, Washington, D.C., T +1 202 637 [email protected]

For timely updates subscribe to our blogs, at www.hlregulation.com and www.hldataprotection.com


Hogan Lovells has offices in:

Alicante, Amsterdam, Baltimore, Beijing, Berlin, Brussels, Budapest*, Caracas, Colorado Springs, Denver, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Houston, Jakarta*, Jeddah*, London, Los Angeles, Madrid, Miami, Milan, Moscow, Munich, New York, Northern Virginia, Paris, Philadelphia, Prague, Riyadh*, Rome, San Francisco, Shanghai, Silicon Valley, Singapore, Tokyo, Ulaanbaatar, Warsaw, Washington DC, Zagreb*

"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.

The word “partner” is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members.

For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.

Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising.

© Hogan Lovells 2013. All rights reserved.