Mobile Payments: FTC Voices Concerns About Consumer Risks

The Federal Trade Commission (FTC) has long explored mobile payment compliance and consumer protection issues with reports dating to the days of flip phones. As technology has developed and proliferated, creating new benefits and risks to consumers, the FTC has been aggressive in exploring ways to protect them. It has held workshops, issued reports, and undertaken enforcement actions involving mobile technology and its impact on consumer payments. In a staff report issued on March 8, the FTC published its latest guidance on this rapidly expanding field and the consumer protection issues it generates. The report, prepared by the FTC staff, is a follow up to the "Paper,Plastic. . . or Mobile" workshop the FTC held on April 26, 2012 in which industry participants discussed the progress mobile payment technology (morning session) and the potential consumer vulnerabilities such technology can create, including dispute resolution, data security, and privacy issues (afternoon session).

The FTC has defined mobile payments broadly to "include[ ] technologies and products in which a payment is made using a mobile device, such as payments made through Near Field Communication (NFC) technologies, mobile apps, online checkout wallets, and mobile carrier billing." At the April 26 workshop, participants identified multiple ways in which these technologies benefit consumers. In addition to the convenience of payment, mobile payment makes it easier for consumers to use coupons or loyalty programs. In the new report, FTC staff also acknowledged that "[m]obile payments . . . may provide under-served communities with greater access to alternative payment systems." An alternative payment system also benefits businesses, who may see lower transaction costs thanks to consumers choosing to pay with their mobile devices, not their credit or debit cards. More broadly, "[m]obile payments may also spur competition among payment methods, benefitting consumers and merchants alike.

Where the workshop took a balanced approach to benefits and drawbacks, the new report focuses almost entirely on the risks and concerns the workshop panelists identified: dispute resolution; consumer data security; and privacy. One of the greatest benefits mobile payments provide to both consumers and businesses -- flexibility -- is the source of the problem for dispute resolution, specifically the web of statutory requirements that may protect some consumers or businesses, but not others, and certainly not in the same ways. For example, a fraudulent transaction involving a credit card has a statutory liability capof $50, but if the same transaction involves a gift card, the FTC Act, the FTC's general consumer protection mandate, is the sole statutory protection (the Consumer Financial Protection Bureau has proposed a rule related to gift card laws and the FTC hascommented). The FTC is evaluating whether to implement "consistent protections across mobile payments," and, as it does, urges businesses to "develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers."

The FTC singles out mobile carrier billing for special attention. Like gift cards, there are no specific statutory protections for consumers who find fraudulent third-party charges on their phone bills, a practice known as "cramming." The new report notes an FTC comment to the Federal Communications Commission ("FCC") that "consumers should be able to block all third party wireless charges" and should have "clear[ ] and prominent[ ]" service provider information about third-party charges and how to block any unwanted charges. The FTC also wants providers to establish a clear dispute resolution system. The FTC will host a workshop on mobile cramming on May 8 to assess the breadth of potential solutions to cramming, including those that industry stakeholders have provided to the FCC.

The FTC report also refers to a Federal Reserve study that found data security to be a chief consumer worry related to mobile payments. The FTC encourages "all companies in the mobile payments chain" to adopt safeguards like end-to-end encryption and dynamic data authentication, reminding businesses that harm to consumers due to a data breach can not only harm the reputation of the business, but also can trigger liability under state or federal data security laws.

A frequent concern of the FTC, the report highlights the privacy anxieties associated with the distinction between data collection capabilities in "traditional" and mobile payments. In a traditional payment, data is split among the merchant (purchase) and the credit card company or bank (contact information; location of purchase). No one entity has all of the purchaser's information. Mobile payments add many new players at each step of the payment chain and provide a "mobile payments ecosystem to gather and consolidate personal and purchase data in a way that was not possible under the traditional payments regime." Such collection and consolidation is not inherently bad, but it does raise the potential for increased risks to consumer data privacy. To help protect consumer privacy and ease privacy concerns, the FTC previously offered three privacy principles in its March 2012 report Protecting Consumer Privacy in an Era of Rapid Change. The FTC continues to encourage businesses to follow these principles of "privacy by design," consumer choice, and transparency in a new mobile payments report.

As it develops a more complete framework for mobile payments, the FTC is looking to the experiences of other countries for both the manner in which the mobile payments systems operate as well as the manner of their regulation. The new report includes short descriptions of practices or policy proposals in other countries and by multinational organizations, indicating which models the FTC may explore in determining how to address the consumer privacy, security, and trust issues that arise as mobile payment technology develops.

© Arnold & Porter Kaye Scholer LLP 2013 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.