Mobile payments. Financial services and digital businesses converge

Transcription

1 Mobile payments Financial services and digital businesses converge Paul Anning, Kate Johnson and Emily Jones of Osborne Clarke discuss the key legal and regulatory issues in the fast-developing world of mobile payments. A paradigm shift is occurring in the way we pay for things. More of us will start using our mobile phones instead of cash to pay for goods in shops and to transfer money to each other and to businesses. Artist: Andy Lovell The following players are behind the increase in the use of mobile payments: Mobile network operators (MNOs) keen to win the wallet war and to understand and retain their customers by building additional revenue streams and offering differentiated services. Financial institutions (FIs) pursuing the opportunity to secure new customers or further embed existing ones. Retailers focusing on the potential goldmine of consumer shopping behaviour and payment transaction data. Regulators wishing to promote the digital economy, enhance competition in banking, and (at European level) encourage the single market. As a result, the payments sector is seeing a massive convergence of financial services and digital businesses, offering new products, applying cutting-edge technology and engaging in bespoke business arrangements. This article considers the main contractual and regulatory aspects of structuring these complex, multi-faceted partnering arrangements. WHICH MODEL? Although most people tend to think of mobile payments as paying for something using a mobile phone (instead of cash, cheque, or credit or debit card), it is in fact a broad term that encompasses a number of different models and product types. The common thread is that they all, at some level, involve a mobile phone (see box What is a mobile payment? ). 1

2 This article focuses on mobile payments where the mobile phone (or a sticker attached to the phone) is the payment instrument enabling payments from a stored value (or electronic money) account held with an FI. The key issue for an MNO entering the mobile payments market is that it will be stepping into new and alien territory: that of financial services regulation. With this in mind, the MNO may opt for one of the following models: Stay outside regulation An MNO can elect not to offer its own payment functionality and essentially play the role of a technical service provider, or choose to work within the limited network or mobile device exemptions in the Payment Services Regulations 2009 (SI 2009/209) and the Electronic Money Regulations 2011 (SI 2011/99) (see box Electronic money regime ). Become regulated An MNO could decide to go it alone and establish its own prepaid mobile payment product. In this case, the MNO would have to obtain its own authorisation as an electronic money institution (EMI) and become subject to the relevant financial services regulatory regime. Partner with an FI This is currently the most common route as it generally avoids the need for the MNO to become directly subject to financial services regulation. The MNO relies on the FI s regulatory authorisation by (in the UK) the Financial Conduct Authority (FCA) as a credit institution or EMI, and its card scheme membership (with MasterCard or Visa, for example), as well as on its expertise, experience and technology. At the same time, the MNO uses its own brand strength and customer base to distribute the mobile payments product to the widest possible market. The FI, as issuer of the electronic money, holder of the stored value account and provider of payment services, bears all the regulatory responsibility 2 What is a mobile payment? A mobile phone can be used to make payments in a number of ways: Mobile phone as a payment instrument. This is what most people envisage by the term mobile payment. It is the ability to use a mobile phone (or a sticker attached to a mobile phone) to make contactless (or near-field communication (NFC)) payments for goods and services at the point of sale. The payments are made from a stored value (or electronic money) account held with a financial institution. The service will be accessed through an app downloaded onto the mobile phone, typically into a wallet provided by the mobile network operator, and/or a website operated by the financial institution. Mobility. The features of a mobile phone can be capitalised on to promote a brand and drive sales (and therefore payments) through the mobile device; for example, enabling vouchers or other incentives to be housed on the mobile phone or to springboard off a phone s GPS functionality to deliver targeted (and generally short-lived) offers to the mobile phone, such as on entry into a shopping mall. Purchasing service. This involves using the billing functionality of a normal mobile phone contract to allow the user to buy goods and services from third parties and have the cost added to his or her monthly mobile phone bill. Access/authentication. Mobile phones can be used as an additional or alternative gateway into traditional/existing banking services, in the same way that a PC is the portal for online banking. Examples are mobile banking or mobile money remittance (like mpesa). Acceptance. Mobile phones can also be used to accept payments; that is, enabling the mobile phone to be used as a point of sale device by a merchant or service provider. under, and for ensuring compliance with, the applicable regulatory regime (see box Regulatory regime: consumer protection ) and the applicable card scheme rules. From a regulatory perspective, the MNO will not usually be the issuer, but will simply be a distributor of the product. There is no regulated activity of arranging the issuance of, or administering, electronic money. LEGAL AND REGULATORY Assuming that the MNO chooses to partner with an FI, then the partnering arrangements between the MNO and the FI will be the key contractual relationship. However, there are numerous others, all of which will be important to some extent: for example, between the FI and the customer, the card scheme and the FI (and potentially also the MNO), and the MNO s and FI s respective trusted service managers (TSM) (see box Typical structure of the partnership model ). As each partnering arrangement will be bespoke, so too will the underlying contract. While essentially commercial in nature, the agreement has multiple facets to it: Build, test and implement, for the mobile payment solution itself. Outsourcing, for its operation (there are multiple interdependencies between the MNO and FI). Partnering, for the joint marketing efforts and the sharing of costs and rewards. Regulatory, for the distribution by the MNO of the FI s financial services product.

3 This results in a complex, hybrid agreement, the key legal and regulatory elements of which are explored below (see also box Partnering arrangements ). Ownership of the customer The FI, as the regulated party, must have the relationship with the end user of the mobile payment service, so it follows that the FI issues the customer terms and conditions. This can be the cause of much debate when choosing the type of model for the mobile payment service, particularly as it will generally be the MNO that has the historic relationship with the end user, but it is a point that must be conceded if the partnership model is chosen. Generally, the MNO s handset, and airtime terms and conditions, will not be affected (except, possibly, as regards data protection and privacy matters). As part of this, the parties will need to establish how the customer s personal data will be processed, and his or her consent obtained where necessary (see Data protection below). Marketing The parties will need to agree where, to whom and how they will market the product, which will involve crosslicensing of trademarks, so that the FI s customer terms and conditions can carry the MNO s brand and the MNO can use the FI s brand in its marketing. Electronic money regime The use of electronic money (e-money) is regulated by the second Electronic Money Directive (2009/110/EC) (2EMD), implemented in the UK by the Electronic Money Regulations 2011 (SI 2011/99). E-money is defined in 2EMD as electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions as defined in the [Payment Services Directive (2007/64/EC)], and which is accepted by a natural or legal person other than the electronic money issuer. A key feature of this definition is that the e-money must be capable of being accepted as a means of payment by third parties. If the value stored electronically can be used with the issuer only, then it does not constitute e-money. This takes so-called closed-loop cards (gift cards, store cards, petrol cards, and so on) out of the regulatory regime. Open-loop cards are those which are widely accepted ( general purpose cards), usually because they are issued under the MasterCard or Visa or other card scheme. There is also an exemption for semi-closed-loop e-money products, known as the limited network exemption, which applies where monetary value [is] stored on specific pre-paid instruments, designed to address precise needs that can be used only in a limited way, because they allow the electronic money holder to purchase goods or services only in the premises of the electronic money issuer or within a limited network of service providers under direct commercial agreement with a professional issuer or because they can be used only to acquire a limited range of goods and services. The scope of this limited network exemption is not clear, and how it is interpreted and applies varies significantly across EU member states. As a result, it is under review. In the context of mobile payments, there is another key exemption, known as the mobile device exemption. Broadly, this takes monetary value used to pay for goods or services where the goods or services bought are delivered to, and are to be used through, the mobile device, outside the e-money regulatory regime, as long as the mobile network operator does not act only as an intermediary. Both parties will be keen to drive use of the product through different advertising channels. The FI will need to use its regulatory profile to do this, whether marketing in the UK or under a European passport (passporting is the exercise of the right available to a firm authorised under one of the EU single market directives to carry on activities in another EEA member state, on the basis of its home state authorisation) (see Cross-border offerings below). The FI should expect to review all marketing and promotional materials to ensure compliance with all applicable laws and regulations (including the general body of advertising rules), although the parties will wish to agree a pragmatic process for this. Equally, the MNO will want to ensure that its brand is presented and used consistently in any marketing material and that it complies with general marketing laws and guidelines. Distribution and other activities The MNO will have a significant distribution network on which the FI may wish to impose constraints, such as ensuring that the network does not misrepresent the product, give advice to a prospective customer, perform identity checks on behalf of the FI, accept funds (unless this is intended), or offer redemption of the funds once loaded. Some form of regulatory compliance guide, manual or dos and dont s list will be essential, particularly where the distribution network involves sub-distributors. Anti-money laundering (AML) The level of AML requirements can vary, from none, through to simplified due diligence and full customer due diligence. This has obvious implications for the product, which the MNO needs to understand. Also, while ordinarily the FI will perform AML checking itself, in some scenarios it may be performed by the MNO. This effectively amounts to an outsourcing of the AML checking by the FI to the MNO, with all the attendant formalities and requirements of such an arrangement. 3

4 Regulatory regime: consumer protection One of the main drivers behind the development of payment services legislation over the past few years is the protection of consumers. In the UK, there are three key pieces of legislation to be aware of: Payment Services Regulations 2009 (SI 2009/209). These give various rights to consumers when using a payment service (such as the right to a refund for unauthorised transactions) and also prescribe specific information that must be included in the customer terms and conditions. These regulations also prescribe the licensing regime applicable to payment institutions. (For more information, see feature article Payment services regime: the nuts and bolts, com/ ) Electronic Money Regulations 2011 (SI 2011/99). These regulations apply where prepaid (or stored) value is involved. The key elements are the right of the customer to redeem his or her funds at any time and at par value, and the restrictions on the ability to take breakage (that is, lay claim to unused funds after a certain period of time has elapsed). These regulations also prescribe the licensing regime applicable to electronic money institutions. Money Laundering Regulations 2007 (SI 2007/ 2157). A mobile payment provider needs to understand the product it is offering and the risks of the product being used to facilitate money laundering or terrorist financing, and so should structure the product and build controls around those risks. One of the key elements that affects the customer relationship is the requirement to undertake customer due diligence, and the ability to perform simplified due diligence in certain circumstances. Providers also need to anticipate the potential sensitivities involved in complying with the customer identification verification requirements. The card scheme rules also impose (through the adoption of EMVCo s standards) an effective limit of 25 ( 20) on contactless transactions. This helps mitigate customer concerns around security. The industry is looking at how best to improve security so that customers feel comfortable undertaking higher value contactless transactions. For example, it should be possible to give full control to the customer through the mobile device to allow him or her to set additional authorisation requirements for different transaction amounts, such as requiring a PIN for transactions over a certain amount before the mobile phone is presented for a second time at the NFC (near-field communication) enabled point of sale terminal. Regulatory change There are a number of regulatory changes on the horizon that will affect the payments sector; in particular, the data protection landscape is likely to change significantly over the next few years once the proposed EU Data Protection Regulation comes into force. Compliance with applicable law Usually a general obligation to comply with all applicable laws and regulations will suffice; however, in this context, there may be a need to delve deeper into the detail and consider relevant regulation and card scheme requirements and to consider how these expressions apply not just to the parties, but also to the underlying product. Lost and stolen Research shows that nowadays many of us will miss our mobile phone more quickly than our wallet. However, there remains the risk of unauthorised transactions in the intervening period before the consumer contacts the call centre and the phone is blocked. This calls for a straightforward and effective process for preventing fraudulent transactions, which is also important for building consumer confidence in mobile payment products. The process could involve: the consumer first calling its MNO, which in turn tells the FI; the MNO performing a warm handover to the FI (whereby the MNO passes the call over to the FI); or the consumer calling both the MNO and the FI. Any dependencies between the parties need to be clearly identified in the agreement and, where appropriate, be made subject to measurement, reporting and service level agreements. There must also be complete transparency to the customer about the required process in the terms and conditions. Card schemes rules Approval from the card scheme is required for the mobile payment solution as a whole, as well as the key component parts (that is, the TSM, handset and SIM). While this is primarily the responsibility of the FI, the MNO will be keenly interested in this aspect. Both the FI and MNO will need to be able to comply with the changes, so they should build into initial discussions the impact of the changes on the product, and the costs of compliance. Given the asymmetry between the parties involved, the MNO may wish to be kept updated by the FI on regulatory change and to be involved in discussions with regulators should any specific concerns be raised on the product. DATA PROTECTION The potential monetisation of data plays an important part in the business cases supporting mobile payments projects. Both the FI and MNO will have legal responsibilities and obligations under data protection legislation in respect of the personal data collected, and both parties are likely to hold and wish to use the same personal data, but for different purposes. It is therefore important to 4

5 Typical structure of the partnership model Merchant acquirer Acquiring agreement Merchant EMVCo Card scheme Card scheme rules Scheme waivers for product, handset and SIM NFC capability at point of sale Sale of goods or services Financial institution (FI) Customer T&Cs Customer FI-TSM Partnering agreement Mobile network operator (MNO) NFC enabled handset and airtime T&Cs MNO-TSM Handset manufacturer SIM manufacturer TSM = trusted service manager. A TSM is a third party contracted to each of the FI and MNO which facilitates the secure exchange of data to and from the SIM. NFC = near-field communication. EMVCo = the global standard for EMV chip-based payment cards. analyse exactly where those responsibilities fall, which will turn on who has ownership of the customer and his or her data. Often this reduces down to what rights a party has to send marketing and promotions to the customer (whether for its own products and services or those of third parties), and what restrictions it is subject to. These rights and restrictions do not necessarily need to follow the core contractual relationship between the FI and the customer (see Ownership of the customer above). Agreeing a common framework A pragmatic way of approaching this analysis is for the parties respective data protection specialists to discuss, establish and agree data flows and a framework covering the key points before drafting the relevant provisions. It can be helpful to map the data flows using a diagram (see box Enrolment phase: a data protection view ). This approach also helps flush out differences of view on the application and interpretation of the data protection legislation, and clarifies important issues such as: the nature of personal data being processed; the scope of the purposes for which the personal data are being collected, processed and shared; the allocation of data controller and data processor roles; and responsibilities for each category of personal data. (The data controller determines the purposes for which, and the manner in which, any personal data are processed, and the data processor processes personal data on behalf of the data controller.) Once this is understood, the mechanisms for providing fair processing notices (under the Data Protection Act 1998 in the UK) and, where necessary, getting customer consent can be agreed (see box Fair processing (UK position) ). The interpretation of data protection legislation can frequently differ between the commercial parties to an arrangement, and in the context of mobile payments these differences can be magnified because the parties are from sectors whose historical approach reflects quite different data collection purposes and risk appetites. For example, UK-based FIs operate in a regulated environment in which the FCA has greater powers and is more likely to levy higher fines for data security breaches than the UK s data protection authority, the Information Commissioner s Office (ICO). 5

6 Who collects the data? Collected personal data will broadly fall into two categories: information about the customer provided or obtained during the enrolment process and activation of the mobile payment service, and collected in the course of service provision (for example, when the customer calls the contact centre); and the transaction data generated each time the customer makes a purchase or transfers funds. Typically, there will be two entry points to a mobile payment service for a prospective user: the website and a mobile application. Although each entry point will be operated under the MNO brand, the user will enter into a contract directly with the FI. This means that the personal data will be collected by the FI (rather than by the MNO). This has important implications in terms of which party is best placed practically to provide the fair processing notice and, if necessary, to obtain consent. Processing the data The FI will need to process or use the personal data to provide the mobile payment service, share with third parties (such as its TSM and credit scoring agencies), enable service enrolment and provision, comply with its regulatory requirements (such as AML requirements), and to contact the customer with service messages and for operational reasons. It may also want to contact the user to cross-sell financial products. The MNO does not need to use the personal data for the delivery of the mobile payment service. In addition, it will have collected personal data already from the user when he or she entered into the mobile phone contract. However, it may wish or expect to be able to use the same personal data to supplement its existing customer databases and to send more targeted and/or different marketing communications. Additionally, either or both parties may wish to use the transaction data to create marketing profiles and share the data with, or sell to, third parties for marketing purposes. Partnering arrangements Partnering arrangements in the field of mobile payments typically demonstrate the following three key characteristics: Cast of many Delivering a great customer experience for making or receiving mobile payments requires a cast of many: from the partners (the service provider (the financial institution (FI)) and the distributor (the mobile network operator (MNO)) or other brand or business) to the underlying TSMs (trusted service managers); from the card scheme to the card and terminal suppliers; and from the user to the regulatory authority (see box Typical structure of the partnership model ). Typically, the customer proposition will not distinguish who does what. Yet there are multiple dependencies from beginning to end: the promotion of the product and any incentives; in a contactless transaction, the handshake between the two TSMs (which takes place when the card or mobile phone is placed on or near the point of sale terminal); and what happens in the case of a lost or stolen mobile phone. It is critical that the partnering arrangements achieve clarity and certainty on these relationships and on the parties respective roles and responsibilities, especially in relation to compliance with applicable laws and regulations. Open marriage Mobile payment solutions have to be ubiquitous: that is, open to all users and available across a full range of mobile phones, networks and financial products. As a result, neither the FI nor the MNO will likely wish to agree exclusivity. The open marriage approach drives several interconnected considerations: the brand hierarchy; customer ownership; and non-exclusivity. Customer ownership is usually top of the agenda for parties embarking on a relationship. It is an area potentially fraught with commercial misunderstanding, technical difficulties and complex regulatory considerations, especially data protection and privacy. Leap of faith Few parties have deep experience in this field, so business cases are inevitably based on unverifiable assumptions: the number of users, devices and payment transactions; the value of those transactions; and the behavioural changes required (across all stakeholders, not just the users). As a result, both parties will ultimately take a leap of faith when they commit to delivering a mobile payments service, whether it is by: formally committing funds and (more importantly) resources; accepting minimum volume commitments; agreeing (some) exclusivity; revenue sharing; or providing customer incentives. The FI will naturally collect data about transactions made using its mobile payment service, but the MNO or wallet owner (subject to technical and security specifications) is potentially able to collect transaction data across all cards held electronically within its phone or wallet. The MNO will also have location data relating to the mobile device. Data controller or processor? In the context of mobile payments, both parties are likely to have the role and responsibilities of data controller and data processor for the same data but in relation to different types of processing purposes. On the basis that each party will be making decisions about the purposes 6

7 Enrolment phase: a data protection view Point of data capture Data controller Data controllers in common and data processors Via mobile network operator (MNO) website Scoring agencies Direct Direct Mobile payment product website Mobile payment product mobile app Financial institution Other processors MNO and manner in which they each process personal data, they will be data controllers in common. To the extent that they make joint decisions in relation to particular categories of data and purposes, they may also be joint data controllers. This can lead to a complex clause covering each of the processing scenarios and the role and allocation of obligations in each case. However, the necessary mutuality of legal and regulatory responsibility, and the associated reputational risk associated with any non-compliance, tends to lead to a fairly balanced approach. SECURITY AND TECHNOLOGY There is an obvious overlap between data protection and the security and technology aspects of mobile payments. A breach of the data controller s obligation to ensure the security of personal data (whether as a result of its own acts or those of its processor or other sub-contractors) is also likely to involve either a breach of regulatory requirements or non-compliance with security standards (such as the PCI Data Security Standard (PCI DSS), which is a required standard across the payment card industry) or both. Most likely, there will also be a breach of duty of confidentiality and contractual obligations to meet technical delivery specifications. Accordingly, it is imperative that the parties consider these elements together. Unlike the MNO, the FI will be subject to additional security requirements imposed by either its regulator or the card scheme through which it is operating. The MNO will take comfort from this, Fair processing (UK position) but may also seek its own contractual protections, ranging from the simple disclosure of summary audit information to having a right to dictate matters which the security audit should examine. Alternatively, the MNO could seek to rely on the FI or its advisers undertaking an audit, and/or to have a right to audit the FI itself. The scope, frequency, cost and access required in relation to audits are not Under the first principle of Schedule 1 to the Data Protection Act 1998 (DPA), personal data must be processed fairly and lawfully. In particular, an organisation must meet at least one of the conditions in Schedule 2 to the DPA (most likely that the individual has given his consent, or that the processing is necessary for the performance of a contract to which the individual is a party, or for the taking of steps at the request of the individual with a view to entering into a contract). In the case of sensitive personal data (section 2, DPA), the organisation must meet at least one of the conditions in Schedule 3 to the DPA (for example, that the individual has expressly consented to the use of the data by the organisation). Organisations must comply with the fair processing code set out in Part II of Schedule 1 to the DPA. Broadly, this code sets out the requirements for the fair obtaining of personal data and, in particular, the information that should be provided to individuals in relation to the intended processing (the fair processing notice). 7

8 unusual issues in any important outsourcing, but in this context come under much sharper scrutiny given the regulatory and card scheme elements of the arrangement. FIs tend to operate business models that envisage a single, common platform from which the FI as card issuer operates all manner of card programmes, leaving the degree of influence, input and audit/ inspection of the MNO necessarily limited. This also means that FIs will expect to retain full rights to all intellectual property relating to that platform, even where it has developed product-specific features for an MNO. Related information Links from This article is at Topics Communications Practice notes Mobile phone services Mobile payments: current and emerging regulatory and contracting issues For subscription enquiries to PLC web materials please call CROSS-BORDER OFFERINGS The key legislative framework applicable to delivering a mobile payment product comprises the Payment Services Directive (2007/64/EC), the Second Electronic Money Directive (2009/110/EC) and the Third (and soon the Fourth) Money Laundering Directive (2005/60/EC). In principle, there ought to be a harmonised regulatory environment where providers can operate with ease on a pan-european basis using a passport. In practice, however, the passporting regime is fraught with interpretative stumbling blocks, particularly around what constitutes establishment and the nuance between a distributor and agent. Once any passporting issues have been overcome, there is then the thorny area of ascertaining which, if any, local laws and regulations must be overlaid onto the product in the host member state. These local laws do not tend to extend to conduct of business generally, but can throw in variances and discrepancies around AML and KYC (know your customer) requirements, consumer protection and data protection. The impact of these local variances can include having to amend the product features to align with the strictest regime (as, from a regulatory perspective, unless there is the ability to carve up the product geographically, the provider will have to work within the strictures of the harshest regime to ensure pan- European compliance), and having the customer terms and conditions and privacy policy reviewed in each territory to ensure that they comply with all local requirements. Full product and documentation harmonisation is difficult to achieve. Having settled the customer terms and conditions for each member state, these all have to be translated into the local language. There also needs to be operational support in place for dealing with any queries, complaints or other issues related to the use of the mobile payment product. This requires a call centre which can support each relevant local language. WATCH THIS SPACE A number of key elements in mobile payments projects have been examined here, but there are many more parts to these complex, multi-faceted arrangements. They will naturally evolve, particularly as the business cases become clearer and each participant s strategy towards mobile payments develops. Two key external factors will dominate in this fast-developing area: customer behaviour and regulatory intervention. Paul Anning is a partner and head of Osborne Clarke s Financial Institutions Group and Payments team, Kate Johnson is a senior associate in the Payments team and Emily Jones is a partner of Osborne Clarke s Commercial team. Osborne Clarke advised Everything Everywhere in its deal with Barclaycard for its Quick Tap product (the first UK commercial launch of a contactless stored value solution) and is advising a different FI on its arrangements with another MNO for a new stored value mobile payment solution. 8