“Because It’s Not Monopoly Money”: Emerging Regulatory Issues for Mobile Payments
Andrew Lorentz
Partner, Davis Wright Tremaine LLP
The New Wireless Ecosystem Law Seminars International
Seattle, WA Nov. 5 & 6, 2012
Roadmap
What Would a Banker Think?
• Recent Enforcement Actions
• Partnering With a Bank
• Rules For Prepaid Products
Who Regulates?
• CFPB
• OCC, FDIC, Fed, FFIEC
• Treasury and DOJ
• FCC
• FTC
• State Regulators
• Standards Bodies
What Would A Banker Think?
Recent Enforcement Actions
“ABCD” Coordinated Enforcement Actions in 2012:
– American Express, Bancorp Bank, Capital One, Discover
– All innovators in retail payments
– 3 of 4 settlements > $100 million
– Major focus on “UD(A)AP”
• Deceptive practices
• CARD Act violations
• Age discrimination
• FCRA violations
Recent Enforcement Actions
UD(A)AP Enforcement Actions Focus on Liability for Acts of Service Providers
– Deceptive marketing of credit protection products
– no use of “abusive” yet
– Expect changes in vendor incentives (see CFPB manual)
– Impact on customer acquisition (?)
Partnering with a Bank
Banks are liable for their service providers
Bank Service Company Act, Dodd-Frank, CFPB guidance
FFIEC and FDIC guidance on “third party relationships” (Handbooks, FDIC FIL 44-2008)
Service providers to banks are subject to direct CFPB enforcement jurisdiction under Dodd-Frank
Expect agency to flex these regulatory muscles
Affiliated service providers of “covered persons” under Dodd-Frank are subject to full CFPB jurisdiction
Have disruptors in payments priced for this scrutiny?
Coping
Coping…more productively
Prepare for protracted due diligence and risk review
Ditch the sales deck – tell ’em how it works
Denial doesn’t get you to market
Deal with culture clash: “bank grade” meets “permanent beta” or “minimum viable product”
NOTE: This happens WITHIN banks as much as between banks and third parties
Regulator access clauses
Regulator “soft power” and confidential controls
Data use and security clauses
Detailed contract terms (SLAs, audit, indemnity, COB)
“Old” Rules - New Environments
Business of banking / Deposit-Taking
Truth in Lending Act / Reg Z
Regulation B
Bank Secrecy Act
OFAC
Reg D
Truth in Savings Act
Regulation II
Gramm-Leach-Bliley Act
Fair Credit Reporting Act
Data breach/security
FDIC Deposit Insurance
E-SIGN Act
Unfair, Deceptive or Abusive Acts and Practices Laws
State Money Transmitter Laws
State Privacy and Security Statutes
Card brand rules
Gift card
Anti-Money Laundering Compliance
OFAC
TISA/Reg DD
Reg CC
Escheat
Durbin Amendment
Identity-Theft Red Flags
Check 21
Truth in Billing
Electronic Fund Transfer Act / Regulation E
Regulation DD
Rules for Prepaid Products
Leading source of payment innovation - fastest-growing retail payment type
Incorporated into major mobile payments programs (Google Wallet, Isis)
Offers ability to reach un-banked and under-banked
Advantaged under Durbin = Disproportionate impact
Rules for Prepaid Products
Electronic Fund Transfer Act/Regulation E
– “Debit”-type protections for prepaid (2013?)
• Focus until now on prepaid fees, expiration, and disclosures
• Broader applicability to General Purpose Reloadable prepaid expected
– International remittances rules – effective February 2013
• Preparing for impact of rules on forex rates, taxes and fee calculations
Bank Secrecy Act/Anti-Money Laundering Rules
– Prepaid device balance (mobile phones too) at borders (2013?)
• Currency and Monetary Instruments Report (CMIR)
– FinCEN Prepaid Access Rule – effective July 2011
• Anti-money laundering rules for prepaid access “providers” and “sellers”
• FinCEN registration required for “providers”
Who Regulates?
State Public Utility Commissions
State Banking Departments
State Attorneys General
Office of Foreign Assets Control
Payment Networks
State Attorneys General
Who Regulates?
Consumer Financial Protection Bureau
Single-mission federal consumer protection agency created by Dodd-Frank Act
Broad rulemaking, supervisory, and enforcement jurisdiction over “covered persons”
Definition of “covered person” includes “any person that engages in offering or providing a consumer financial product or service.”
Who Regulates?
Office of the Comptroller of the Currency
Regulates national banks and federal savings banks
Federal Deposit Insurance Corporation
Primary federal regulator for state insured banks, backup regulator for other insured banks
Authority over “institution-affiliated parties”
Who Regulates?
Federal Reserve
Regulates state-chartered member banks
Federal Financial Institutions Examination Council
Coordinates examination standards for banking agencies
FFIEC Outsourcing Booklets – new booklet available on technology service providers
Recent Statement on “Cloud Computing”
Who Regulates?
Treasury (includes FinCEN, IRS, OFAC)
Administers BSA/AML, Office of Foreign Assets Control sanctions programs
Department of Justice
Criminal enforcement of BSA/AML
Who Regulates?
Federal Communications Commission
Carrier Billing
Truth In Billing Rules
Cramming: “unauthorized, misleading or deceptive charges on your telephone bill”
Who Regulates?
Federal Trade Commission
Broad Enforcement Authority over non-bank financial institutions and others:
Dot Com Disclosures; Mobile Disclosures
$52 million sought from 3rd Party Mobile Biller – May 2012
Who Regulates?
State Banking and Financial Institution Departments
California defines money transmission to include “receiving money for transmission,” “selling or issuing payment instruments” and “selling or issuing stored value.”
Other states broadly similar
Are the funds on your balance sheet…ever? If you “touch the money,” you may need a license
Licensing Logjam in CA; 48 states with licensing regimes
Who Regulates?
Standards Bodies
National Automated Clearing House Association (NACHA)
– ACH rules and guidelines govern access and use of the ACH network
Payment Networks – Visa, MasterCard, American Express, Discover
– Complex web of private rules and contracts for participants
Data security rules (ACH and PCI rules) incorporated into network participation agreements
– PCI Mobile Payment Acceptance Security Guidelines (Sept. 2012)
• Risk reduction objectives for developers:
– Transaction data interception prevention
– Hardening of mobile platform and application environments to increase data privacy and security
Mobile Payments Outlook
Consumers
• Suze Orman says: consumers are baffled by mobile payments offerings
• Need to be simpler and more compelling to go mainstream – more than just payment function
• Someone needs to win scramble for consumer’s attention
Retailers
• Formed MCX because unhappy with Google Wallet, Isis, etc. – want data and customer control
• Focusing on EMV rollout by 2015 (“chip and pin”) – dislike interchange and cost of PCI compliance
• See mobile as transforming retail experience
Questions?
Andrew J. Lorentz, Partner
Davis Wright Tremaine LLP
Washington, DC
202.973.4232
www.paymentlawadvisor.com
Disclaimer
This presentation is a publication of Davis Wright Tremaine LLP. Our purpose in making this presentation is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
Attorney advertising. Prior results do not guarantee a similar outcome. Davis Wright Tremaine, the D logo, and Defining Success Together are registered trademarks of Davis Wright Tremaine LLP.
© 2012 Davis Wright Tremaine LLP