Prepaid Cards, New Technologies, and Emerging Payment Systems, Including Mobile Wallets, Virtual Currencies, and EMV Cards: New Opportunities and Overcoming Regulatory and Compliance Challenges
Claude Goetz, Davis Wright Tremaine LLP
ACI Prepaid Card Compliance Conference
September 30th - October 1st, 2015, Chicago, Illinois
Mobile Devices are Changing Retail Payments
- Includes: purchases, bill payments, charitable donations, payments to another person, or any other payments using a mobile phone
- Access points: web page through mobile browser, SMS, or downloadable app on phone
- Payment: charged to credit card, deducted from prepaid account, or withdrawn directly from bank account
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
Consumers Using Their Phones to Make Payments
[Chart: Growth in consumer use of mobile payments, 2011-2013. Series: mobile phone users reported using mobile payments; smartphone users reported using mobile payments. Data labels as extracted: 23%, 24%, 24%, 15%, 17%, 11%]
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
How are Consumers Using Mobile Payments?
- Made payment via text message, 13%
- Transferring money from another person using a mobile phone, 39%
- Paid for parking, a taxi or public transit using mobile phone, 9%
- Paying bills, 66%
- Paying for product or service at store, 39%
- Online purchases, 59%
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
How are Consumers Using Mobile Payments?
[Chart: Growth in use of POS mobile payments services. Share of smartphone users who reported making a POS purchase with their smartphone in the past 12 months: 2011, 1%; 2012, 6%; 2013, 17%]
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
Mobile Phones: Gateway to the Unbanked?
- Mobile phones, including smartphones, are prevalent among unbanked and underbanked
[Chart: Cell Phone Usage Among Unbanked & Underbanked. Unbanked: 69%, 50% Smartphones. Underbanked: 88%, 64% Smartphones]
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
Mobile Phones: Gateway to the Unbanked?
- High penetration among younger generations, minorities, and low-income offers potential for expanding financial access
- 64% Smartphones
Source: Board of Governors of the Federal Reserve System, Consumers and Mobile Financial Services 2014 (March 2014)
Point of Sale Innovations
Catalyst: Growth in Alternative Payment Providers
- In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017
- Peer-to-peer payment market expected to reach $17 billion in 2019
- Growth of P2P Market, APPs for online transactions, e-wallets, mobile payments, Buy Buttons
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Bank Secrecy Act; FDIC Deposit Insurance; Anti-Money Laundering Compliance; Data breach/security; State Privacy and Security Statutes; OFAC; Truth in Savings Act; Truth in Lending Act / Reg Z; Truth in Billing; Electronic Fund Transfer Act / Regulation E; OFAC; Reg D; State Money Transmitter Laws; Regulation B; Unfair, Deceptive or Abusive Acts and Practices Laws; Card brand rules; Durbin Amendment; Regulation DD; Reg CC; Check 21; TISA/Reg DD; Gift card; Identity-Theft Red Flags; Regulation II; Gramm-Leach-Bliley Act; E-SIGN Act; Fair Credit Reporting Act; Escheat; Business of banking / Deposit-Taking
The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security
Financial Institutions are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators
- GLBA Interagency Guidelines
- More stringent implementing regulations and consequences
- Safety and soundness
- Banks ultimately bear customer service and fraud costs
Alternative Payment Providers (APPs) provide products and services utilizing backbone of existing payment systems and avoid the reach of prudential regulators
- GLBA FTC Safeguards Rule
- Not subject to regular examinations, enforcement actions or oversight
- Lighter substantive requirements
- Lower odds of facing enforcement actions or sanctions
"Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes." (The Clearing House)
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Impact of Apple Pay on the Mobile Payments Market
Apple Pay adoption a mixed story. Recent Pymnts and InfoScout survey data show declines in use:
- Consumers that have tried Apple Pay: March 2015, 15.1% of eligible iPhone 6 & 6 Plus users; June 2015, 13.1%
- Consumers using Apple Pay in a store where it's accepted: March 2015, 48% of eligible iPhone 6 & 6 Plus users; June 2015, 33%
- Consumers not using Apple Pay because they are not familiar with how it works: March 2015, 31% of eligible iPhone 6 & 6 Plus users; June 2015, 34%
Source: Pymnts.com, available at http://www.pymnts.com/in-depth/2015/apple-pay-adoptionthe-falling-side-of-the-bell-curve/ (August 5, 2015).
Impact of Other Mobile Payment Technologies
- Non-Apple mobile payment solutions: Samsung Pay / Loop Pay, Android Pay, others
- Will mobile payment adoption rates significantly increase?
- In-store payment isn't a consumer pain point; swiping works
- Tokenization and Host Card Emulation
How Tokenization Works
[Diagram: Sensitive Value (1234 1234 1234 1234) -> TOKEN SYSTEM -> Inert Token (0000 0000 0000 0001). TOKEN VAULT: 1234 = 0001, 2345 = 0002, 3456 = 0003, 4567 = 0004]
- Tokenization is a data security technique that replaces sensitive data (e.g., credit card number) with surrogate data (token) that has little or no value.
- Tokenization limits the scope of where the sensitive data needs to be processed or stored.
Benefits of Tokenization: Easier, cheaper and more secure
Easier and Cheaper:
- Tokenization can be managed internally or outsourced
- Format interoperates with existing systems and applications
- Puts less technical overhead on infrastructure
- Reduces compliance obligations by allowing fewer systems to audit and lower security controls
(Continued)
Benefits of Tokenization (cont'd): Easier, cheaper and more secure
More Secure:
- Reduces exposure by centralizing sensitive data in one location (token vault)
- Unlike encryption, tokens cannot be reversed without access to the token vault
- Reduces burden of encryption key management
- Provides data masking by default
Limitations of Tokenization
- Tokenization cannot be used on all types of data (e.g., emails, Internet transmissions, databases, files)
- Just like encryption, cannot protect data before it is tokenized (e.g., RAM scraper problem) or if a party is able to de-tokenize the data
- Similarly formatted tokens may not be distinguishable from the real data type
(Continued)
Limitations of Tokenization (cont'd)
- Tokens are not meaningful to third parties unless they have access to the token vault or are provided a means to associate the token back to the sensitive data
- Tokenization can result in duplicative tokens unless the token system is set up to prevent collision
- Tokens do not validate the underlying data or its source, and should be coupled with assurance methods to validate identity
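An added example, not part of the original presentation: a minimal in-memory token vault in Python that illustrates two of the limitations listed above. Each candidate token is checked against the vault to prevent duplicate tokens, and candidates that pass the Luhn check are rejected so a same-length token cannot be mistaken for a real card number. `TokenVault`, `looks_like_pan` and the sample card number are assumptions made for illustration.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn checksum that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def random_digits(length: int) -> str:
    """Default candidate source: random digits, unrelated to the PAN."""
    return "".join(secrets.choice("0123456789") for _ in range(length))

def pan_shaped(value: str) -> bool:
    return value.isascii() and value.isdigit() and 13 <= len(value) <= 19

class TokenVault:
    """In-memory stand-in for the token vault (hypothetical class; a real
    vault is a hardened, access-controlled service)."""

    def __init__(self, candidate=random_digits):
        self._by_pan = {}    # PAN -> token
        self._by_token = {}  # token -> PAN, the only path back to the PAN
        self._candidate = candidate

    def tokenize(self, pan: str) -> str:
        if not pan_shaped(pan):
            raise ValueError("value is not PAN-shaped")
        if pan in self._by_pan:            # same PAN always maps to one token
            return self._by_pan[pan]
        while True:
            token = self._candidate(len(pan))
            if token in self._by_token:    # collision: token already issued
                continue
            if luhn_valid(token):          # would pass for a real card number
                continue
            break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can recover the PAN."""
        return self._by_token[token]

def looks_like_pan(value: str) -> bool:
    """Format check a downstream system might apply to spot card numbers."""
    return pan_shaped(value) and luhn_valid(value)

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4242424242424242"  # constructed sample value that passes Luhn
    tok = vault.tokenize(pan)
    print(tok, looks_like_pan(tok), vault.detokenize(tok) == pan)
```

The `candidate` parameter exists so the collision and Luhn rejections can be exercised deterministically; in normal use the default random source applies.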
How Host Card Emulation (HCE) Works
- Host Card Emulation (HCE) creates a software-based virtual smart card that does not rely on the device's Secure Element.
- First introduced in 2011 by SimplyTapp but popularized by Google's Android phone.
Use of Tokenization in HCE
- Tokenization may be used in conjunction with HCE
- Tokens can be used in place of the PAN on the device, or other sensitive data, to add an additional layer of security
- Google Wallet uses tokenization and does not store the PAN on the device or pass the PAN to the merchant
HCE Security Supplements
The primary criticism of HCE is that it is not as secure as using the Secure Element. The following can be used to supplement the security of an HCE deployment:
- Encryption or tokenization of sensitive data stored on the device or in the cloud
- Use of tamper-proof software to stop all transactions if external changes are attempted
- Device fingerprinting to uniquely identify the authorized device and disallow any transactions from other devices
THANK YOU!
Claude Goetz
claudegoetz@dwt.com
212.603.6415
Disclaimer
This presentation is a publication of Davis Wright Tremaine LLP. Our purpose in making this presentation is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Attorney advertising. Prior results do not guarantee a similar outcome. Davis Wright Tremaine, the D logo, and Defining Success Together are registered trademarks of Davis Wright Tremaine LLP. © 2015 Davis Wright Tremaine LLP.