Recent Developments in Mobile Financial Services Solutions
December 12, 2012
www.schnader.com 1
Introduction
Mobile Financial Services
Technology Issues
Regulatory Issues
Mobile Financial Services
Mobile Banking – Allows bank customers to check balances, monitor transactions, obtain other account information, transfer funds, locate branches or ATMs, and, sometimes, pay bills.
• Mobile Payments – allows consumers to make payments, transfer money, make donations, or pay for goods and services.
• Mobile banking and mobile payments have the potential to expand access to financial services for the unbanked and underbanked by reducing transaction costs and increasing the use of financial products and services.
• A recent survey found that individuals under the age of 25 are increasingly underbanked and feel comfortable with alternative financial services.
Online Banking
• Usage is evenly split between men and women.
• 30% - between ages 30 and 44
• 20% - age 60 and older
Mobile Financial Services and Shopping
• Compare prices when shopping
• Receive offers and promotions based on location
• Track finances and budget
• POS Purchases
• May appeal more to underbanked and unbanked consumers
Underbanked Consumers
• Have a checking, savings or money market account, but also use alternative financial services such as payday loans, check cashing services or payroll cards.
• 91% of underbanked individuals have a mobile phone and 57% have a smart phone. This is more than the general population.
Unbanked Consumers
• Do not currently have a checking, savings or money market account
• Among individuals who are unbanked, 64% have a mobile phone, 18% have a smart phone.
Advantages
Advantages for Consumers
• Consumers do not need to carry cash or credit cards
• Ability to send money abroad via person-to-person mobile payment services
• Remote wipe capability is available on smartphones and tablet devices for added security
Advantages for Businesses
• Can reach more customers without an increased investment in technology
• Merchants don’t have to keep as much cash on hand
• Open up markets for entry level merchants
Why not?
• Top reasons for not using mobile banking
Banking needs are met without mobile banking
Security concerns
Lack of confidence in technology to perform accurately
Cost of data access on mobile phones
Small size of the phone screen
Non-U.S. Mobile Payment Services
• Safaricom and Vodafone (Africa) launched M-PESA—an SMS-based payment service targeting the unbanked, prepaid mobile subscribers in Kenya.
• Paybox by Mobilkom Austria—an SMS-based system that also has an NFC system for mobile ticketing for mobile transport
• NTT DoCoMo, Inc. (Japan)—Osaifu-Keitai® mobile wallet service
• Western Union®—Mobile application provides P2P money transfers from the sender’s bank account to the recipient’s Western Union cash card
• e-Transfer by Interac, Inc. (Canada)—Provides the ability to send and receive money directly from one bank account to another using online or “mobile banking” through a participating financial institution without sharing any personal or financial information
Current Technologies
• NFC (Near Field Communications) - Google Wallet
• Carrier Billing
• Apps
• Card Readers
History
Initially, payments on mobile phones were made through text messages. This mode of payment was sometimes slow and unreliable, and so could not be relied upon for making larger payments. This led to the development of the NFC application for mobile phones.
NFC Technology
NFC technology has enabled the exchange of data between devices and is compatible with the existing contactless infrastructure already in use for payments.
NFC can also work when one of the devices is not powered by a battery (e.g. on a phone that may be turned off, a contactless smart credit card, a smart poster etc.).
NFC Technology
A short-range (4 inches) high frequency wireless communication technology which is an extension of the ISO/IEC 14443 proximity-card standard (contactless card, RFID) that combines the interface of a smartcard and a reader into a single device.
NFC Technology
NFC technology is currently aimed at being used with mobile phones. There are three main use cases for NFC:
* card emulation: the NFC device behaves like existing contactless “smart” cards
* reader mode: the NFC device is active and can read a passive RFID tag.
* P2P mode: two NFC devices are communicating together and exchanging information.
NFC Technology
* Mobile ticketing — an extension of the existing contactless infrastructure, airline tickets, concert/event tickets, and others.
* Mobile payment — the device acts as a debit/credit payment card, or as electronic money.
* Smart poster — the mobile phone is used to read RFID tags on outdoor billboards in order to get info.
* Electronic keys — car keys, house/office keys, hotel room keys, etc.
NFC Technology
A patent licensing program for NFC is currently under development by Via Licensing Corporation. http://www.vialicensing.com
A public, platform-independent Near Field Communication (NFC) library named libnfc is released under the free GNU General Public License. http://www.libnfc.org
In December 2008 the application eCL0WN[2] was released which allows you to read and copy biometric passports with certain Nokia phones. http://www.derkeiler.com/pdf/Mailing-Lists/Full-Disclosure/2008-12/msg00575.pdf
NFC Technology v. Bluetooth
NFC has a shorter set-up time. Instead of performing manual configurations to identify Bluetooth devices, the connection between two NFC devices is established at once (under a tenth of a second). The maximum data transfer rate of NFC (424 kbit/s) is slower than Bluetooth (2.1 Mbit/s). NFC has a shorter range, which provides a degree of security and makes NFC suitable for crowded areas where correlating a signal with its transmitting physical device (and by extension, its user) might be difficult. NFC is compatible with existing RFID structures.
NFC Technology - Hacks
Eavesdropping
The RF signal for the wireless data transfer can be picked up with antennas. The distance from which an attacker is able to eavesdrop on the RF signal depends on numerous parameters, but is typically a small number of meters. Eavesdropping is also strongly affected by the communication mode. A passive device, which does not generate its own RF field, is much harder to eavesdrop on than an active device.
NFC Technology - Hacks
Data modification
Data destruction is relatively easy to realize. One possibility to perturb the signal is the usage of an RFID jammer. There is no way to prevent such an attack, but if the NFC devices check the RF field while they are sending, it is possible to detect it.
Relay attack
Because NFC devices usually also implement ISO/IEC 14443 functionality, relay attacks are also feasible on NFC. For this attack the adversary has to forward the request of the reader to the victim and relay back its answer to the reader in real time, in order to carry out a task pretending to be the owner of the victim’s smart card.
Carrier Billing
• ISIS – T-Mobile and Verizon
• Sprint - NFC based
• Others
Apps
• Flint
• Level up
• Braintree
Card Readers
Consumer/Regulatory Issues
• Payment-related information is not always easy to access, read, understand and complete
• Billing statements are not always clear
• Information on loyalty and rewards programs is not always clear
Consumer/Regulatory Issues
• Difficulty determining if transaction was successful
• Personal information may raise privacy issues
• Correcting errors can be difficult, if not impossible
Consumer/Regulatory Issues
• Automatic repeat purchases or automatic subscriptions
• Termination of trial periods, “Free” products
• Data pass marketing
• In multi-party payment schemes with numerous actors (e.g., mobile operators, credit providers, merchants, apps developers), consumers may have difficulty understanding who to turn to in case of a problem with the transaction
REGULATORY STRUCTURES
Federal
State
Non-U.S.
DATA PROTECTION AND LIABILITY FOR DATA THEFTS
As the market for mobile financial services has developed and grown, the protection of consumers’ financial information from unauthorized access and potential identity theft should be of paramount importance.
Authenticating consumers’ identities and keeping the data transfer process safe from viruses, malware, and other attacks are also of vital importance in this entire process.
Information held by banks and other service providers is of vital importance, and there is a risk of leakage, tampering and unauthorized access to data. There need to be adequate measures and safeguards for customer data protection.
REGULATORY MEASURES
Under GLB, both the security and the privacy of a consumer’s non-public personal information (“PI”) are protected. PI can be considered to be personally identifiable information:
• Provided by a consumer to a financial institution
• Resulting from a transaction or service for the consumer
• Otherwise obtained by the financial institution.
Money Laundering
• Number of active mobile payment service accounts globally - 15 million
• Some mobile payment service providers offer open-loop prepaid cards that are connected to the accounts of their customers; through this, originally domestic providers may offer cross-border services, as this grants customers, or third persons who were handed the prepaid card, access to the global ATM network.
• Some providers even allow for ATM withdrawals without the need for a card. Customers can initiate P2P transactions by passing on a certain code to third parties, who can enter the code into an ATM in order to receive the amount of money linked to that specific code.
• Some providers cooperate with traditional money remittance services (e.g., Western Union); the remittance service enables third parties that are not customers of the mobile payment service provider to send money to or receive money from a customer, also across borders.
REGULATORY MEASURES
PI generally includes account information, unpublished phone numbers, other contact information, and of course more sensitive information as well.
If there is any breach of data security with respect to PI, by any entity to whom the GLB applies, then that entity would be liable for such a breach. GLB provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.
Does this apply to mobile carriers? Mobile payments?
REGULATORY MEASURES
Section 404 of the Sarbanes-Oxley Act requires companies to implement and practice internal controls in an effort to increase the security of financial data and systems. This section has ensured that companies keep strict internal controls for ensuring financial data safety. SOX mandates that organizations ensure the accuracy of financial information and the reliability of systems that generate it. Section 404 of SOX requires that management perform an assessment of internal controls over financial reporting and obtain attestation from external auditors, on an annual basis.
It would be logical to assume that chances of data theft, data loss or unauthorized access of data would be minimal in cases of entities that comply with GLB safeguards and SOX. Non-compliance with these provisions would lead to hefty fines being imposed on the entities.
NYS Banking Department
• Money Transmitter – No person or entity may engage in the business of selling or issuing payment instruments, such as checks, or engage in the business of receiving money for transmission or transmit money without a license from the Superintendent…
• Licensing requirements - Article 13-B of the Banking Law, Sections 640 to 652-B and Superintendent's Regulation Parts 406, 416, 417 and 300.
NYS Banking Department
• Budget Planner – Only type B not-for-profit corporations as defined in section 201 of the not-for-profit corporation law of New York, or an entity incorporated in another state having a similar not-for-profit status, shall engage in the business of budget planning.
• Licensing requirements - Article 12-C of the Banking Law, sections 579 to 587, Superintendent's Regulations Parts 402, 404 and 300 and General Business Law Article 28-B.
California State Banking Department
• Money transmitters include issuers of payment instruments (money orders), travelers checks and stored value
• California Financial Code, Division 1.2, commencing with section 2000
OECD Policy Guidance
• Service providers should give clear and accurate information regarding the terms, conditions and costs
• Businesses prohibited from engaging in fraudulent or deceptive practices
• Regulatory monitoring to enforce consumer protection
• Facilitate dispute resolution
Disputes
• Verizon “blockage” of Google Wallet
• Facebook credits – virtual money
LIABILITY OF BANKS/VENDORS
An interesting question to consider is whether any bank or mobile service provider would be held liable for any data loss or tampering of data in spite of complying with the above-mentioned regulations. For instance, there might be loss of data due to a virus attack in the system. The question then is which entity would be liable for such security breaches?
Customers still might have recourse against these entities for traditional claims of negligence, breach of contract or breach of a fiduciary duty, but there is no clear-cut provision holding an entity liable for loss of data due to acts like hacking.
There is however an increasing view that laws should be changed to assign greater responsibility to service providers, and other organizations that possess large amounts of personal information.
Such organizations should be legally required to inform their customers as soon as a penetration occurs, and they should be held legally liable for the financial impact on their customers as a result of hacking and identity theft.
Conclusion
There is no doubt that the number of transactions carried out through mobile devices is on the increase.
Regulatory constraints have imposed stricter conditions on service providers to ensure that there are adequate measures in place to prevent loss of financial information or unauthorized access of financial information.
As the number of users of mobile payments increases, there is going to be a greater challenge for the market players and the regulators to ensure that adequate measures have been taken to protect consumers and customer information.
Schnader, Harrison, Segal & Lewis, LLP
140 Broadway, 31st Floor
New York NY 10005
212.973.8125