The Federal Trade Commission (“FTC”) recently released a staff report entitled “Paper, Plastic . . . or Mobile? An FTC Workshop on Mobile Payments,” which highlighted key issues with the booming mobile payment industry. The FTC noted that while mobile payments provide many potential benefits to customers, they also raise a number of consumer protection concerns. The report identified three primary areas of concern: dispute resolution regarding unauthorized charges, data security, and privacy.
Regarding dispute resolution, the FTC noted that statutory protections for unauthorized charges depend greatly on the payment source funding the mobile payment, and that while mobile payments funded with credit cards and debit cards offer some level of statutory protection, other types of funding mechanisms “do not have the same statutory protections as credit cards and debit cards.” For example, consumers engaging in mobile payments linked to a pre-funded account or stored-value card are not protected from unauthorized charges by any federal statute (other than the FTC Act). Although some companies have provided consumer protections contractually, the FTC found that these protections “are not consistent” and that the companies providing them “could withdraw or modify them at their discretion.”
One of the FTC’s main concerns with the inconsistency of available protections is that consumers “may not recognize that their protections against fraudulent or unauthorized transactions can vary greatly depending on the underlying funding source.” As a result, the FTC encourages companies to develop clear policies regarding fraudulent and unauthorized charges and to clearly convey these policies to consumers.
One way that consumers sometimes receive unauthorized charges is through their mobile device carrier billing. This practice is called “cramming.” The FTC notes that developing an effective strategy for preventing “crammed charges” requires participation by all entities involved in third-party billing, including payment processors and billing aggregators, rather than just mobile carriers themselves. The FTC encourages “meaningful upfront vetting” by these entities to ensure that only legitimate third-party merchants are placing charges, and ongoing monitoring of the practices of content providers and merchants (including their refund and chargeback percentages and their marketing campaigns) to ensure compliance with industry guidelines.
Regarding data security, the FTC notes that one of the most commonly voiced consumer concerns regarding mobile payments is “whether or not their sensitive financial information can be stolen or intercepted,” and that there is a “perceived lack of security” among many consumers.
The FTC details several technological advances that offer “the potential for increased data security for financial information.” One is end-to-end encryption, which enables encryption through the entire payment chain. Another is dynamic data authentication, meaning that a unique set of payment information is generated for each transaction, such that the authentication data cannot be stolen and used for additional transactions. A third is storing payment information on a secure element that is separate from the rest of a phone’s memory to help thwart hackers who are able to access a phone’s operating system. Overall, the FTC encourages mobile payment providers to increase data security and all companies in the mobile payments chain to adopt strong security measures.
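The following is an added illustration, not taken from the FTC report or this article, of why dynamic data authentication keeps captured payment data from being reused: each payment carries a cryptogram bound to a counter and the transaction details, so a replayed or altered message fails at the issuer. The HMAC construction, the counter scheme, and every name and value in it are assumptions made for the example; real payment networks follow their own specifications.

```python
import hashlib
import hmac
import json


def make_cryptogram(key: bytes, token: str, counter: int, amount_cents: int, merchant: str) -> str:
    # JSON-encode the fields so their boundaries are unambiguous before MACing.
    msg = json.dumps([token, counter, amount_cents, merchant]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """Stand-in for the phone's secure element: holds the key and a counter."""

    def __init__(self, key: bytes, token: str):
        self._key, self.token, self._counter = key, token, 0

    def pay(self, amount_cents: int, merchant: str) -> dict:
        self._counter += 1  # every transaction gets fresh authentication data
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "merchant": merchant,
                "cryptogram": make_cryptogram(self._key, self.token, self._counter,
                                              amount_cents, merchant)}


class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, token: str, key: bytes) -> None:
        self._keys[token], self._last_counter[token] = key, 0

    def authorize(self, txn: dict) -> str:
        key = self._keys.get(txn["token"])
        if key is None:
            return "unknown_token"
        expected = make_cryptogram(key, txn["token"], txn["counter"],
                                   txn["amount_cents"], txn["merchant"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "bad_cryptogram"  # details were altered after signing
        if txn["counter"] <= self._last_counter[txn["token"]]:
            return "replay"  # captured data presented a second time
        self._last_counter[txn["token"]] = txn["counter"]
        return "approved"


def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    device, issuer = Device(key, "tok-demo-0001"), Issuer()
    issuer.enroll(device.token, key)
    first = device.pay(1250, "coffee-shop")
    tampered = dict(device.pay(500, "bookstore"), amount_cents=50000)
    return [issuer.authorize(first), issuer.authorize(dict(first)), issuer.authorize(tampered)]
```
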
Regarding privacy, the FTC describes significant privacy issues unique to mobile payments, such as the involvement of many new actors in the payment industry (e.g., mobile phone carriers and mobile application developers), and points out that the unique features of the mobile payment ecosystem allow personal consumer data to be gathered and consolidated in ways not possible with traditional payment systems.
To address privacy concerns, the FTC urges companies to adopt a number of basic practices. The first is “privacy by design,” meaning that companies should consider and address privacy at every stage of product development, and should limit data collection “to that which is consistent with the context of a consumer’s interaction with that company.” Second, companies should provide appropriate choices to consumers, meaning that they give consumers a choice to restrict disclosure of information that is not necessary for completing a payment transaction. Third, companies should develop ways to provide transparency about their data practices and increase consumer trust, though the FTC notes that meaningful disclosures in the mobile context might be “particularly challenging” given the small screens of mobile devices and the many entities involved in the mobile payments ecosystem. This follows recent efforts by the FTC and the California Attorney General to describe how to make adequate privacy disclosures on a mobile device.
The FTC concludes its report by saying that it “will continue to monitor mobile payment options, and to evaluate whether consumers have adequate protections and the information they need to make informed choices.” The full FTC report is available here.
For those interested in the mobile payment ecosystem, the FTC will be hosting a roundtable on May 8, 2013, to discuss mobile cramming and unauthorized third-party charges on mobile phone bills.
Dorsey’s Financial Services and Cybersecurity, Privacy and Social Media Practice Groups will continue to provide updates as the mobile payment industry develops.