Recent Developments in Mobile Financial Services Solutions

December 12, 2012

www.schnader.com 1

Introduction

Mobile Financial Services

Technology Issues

Regulatory Issues

www.schnader.com 2

Mobile Financial Services

Mobile Banking – Allows bank customers to check balances, monitor transactions, obtain other account information, transfer funds, locate branches or ATMs, and, sometimes, pay bills.

www.schnader.com 3

• Mobile Payments – allows consumers to make payments, transfer money, make donations, or pay for goods and services.

• Mobile banking and Mobile payments have the potential to expand access to financial services to the unbanked and underbanked by reducing transaction costs and increasing the use of financial services products and services.

www.schnader.com 4

• A recent survey found that individuals under the age of 25 are increasingly underbanked and feel comfortable with alternative financial services.

Online Banking

• Usage is evenly split between men and women.

• 30% - 30 and 44

• 20% - age 60 and older

www.schnader.com 5

Mobile Financial Services and Shopping

• Compare prices when shopping

• Receive offers and promotions based on location

• Track finances and budget

• POS Purchases

• May appeal more to underbanked and unbanked consumers

www.schnader.com 6

Underbanked Consumers

• Has a checking, savings or money market account, but also uses alternative financial services such as payday loans, check cashing services or payroll card.

• 91% of underbanked individuals have a mobile phone, 57 % have a smart phone. This is more than the general population.

www.schnader.com 7

Unbanked Consumers

• Do not currently have a checking, savings or money market account

• Among individuals who are unbanked, 64% have a mobile phone, 18% have a smart phone.

www.schnader.com 8

Advantages

Advantages for Consumers • Consumers do not need to carry cash or credit cards• Ability to send money abroad via person-to-person mobile

payment services• Remote wipe capability is available on smartphones and

tablet devices for added securityAdvantages for Businesses

• Can reach more customers without an increased investment in technology

• Merchants don’t have to keep as much cash on hand • Open up markets for entry level merchants

www.schnader.com 9

Why not?

• Top reasons for not using mobile banking

Banking needs are met without mobile banking

Security concerns

Lack of confidence in technology to perform accurately

Cost of data access on mobile phones

Small size of the phone screen

www.schnader.com 10

Non-U.S. Mobile Payment Services

• Safaricom and Vodafone (Africa) launched M-PESA—an SMS-

based payment service targeting the unbanked, prepaid mobile

subscribers in Kenya.

• Paybox by MobilkomAustria—an SMS-based system that also has

an NFC system for mobile ticketing for mobile transport

• NTT DoCoMo, Inc. (Japan)—Osaifu-Keitai® mobile wallet service

• Western Union® —Mobile application provides P2P money transfers

from the sender’s bank account to the recipient’s Western Union

cash card

• e-Transfer by Interac, Inc. (Canada)—Provides the ability to send

and receive money directly from one bank account to another using

online or “mobile banking” through a participating financial institution

without sharing any personal or financial informationwww.schnader.com 11

Current Technologies

• NFC (Near Field Communications) - Google Wallet

• Carrier Billing

• Apps

• Card Readers

www.schnader.com 12

History

Initially payments in mobile phones were made through text messages. But this mode of payment would sometimes be slow and unreliable and hence could not be relied upon for making larger payments. This led to the development of the NFC application for mobile phones.

www.schnader.com 13

NFC Technology

NFC technology has enabled the exchange of data between devices and is compatible with the existing contactless infrastructure already in use for payments.

NFC can also work when one of the devices is not powered by a battery (e.g. on a phone that may be turned off, a contactless smart credit card, a smart poster etc.).

www.schnader.com 14

NFC Technology

A short-range (4 inches) high frequency wireless communication technology which is an extension of the ISO/IEC 14443 proximity-card standard (contactless card, RFID) that combines the interface of a smartcard and a reader into a single device.

www.schnader.com 15

NFC Technology

NFC technology is currently aimed at being used with mobile phones. There are three main use cases for NFC:

* card emulation: the NFC device behaves like existing contactless “smart” cards

* reader mode: the NFC device is active and can read a passive RFID tag.

* P2P mode: two NFC devices are communicating together and exchanging information.

www.schnader.com 16

NFC Technology* Mobile ticketing — an extension of the existing contactless infrastructure, airline tickets, concert/event tickets, and others.

* Mobile payment — the device acts as a debit/credit payment card, or as electronic money.

* Smart poster — the mobile phone is used to read RFID tags on outdoor billboards in order to get info.

* Electronic keys — car keys, house/office keys, hotel room keys, etc.

www.schnader.com 17

NFC TechnologyA patent licensing program for NFC is currently under development by Via Licensing Corporation http://www.vialicensing.com.

A public platform independent Near Field Communication (NFC) library is released under the free GNU General Public License by the name libnfc. http://www.libnfc.org

In December 2008 the application eCL0WN[2] was released which allows you to read and copy biometric passports with certain Nokia phones. http://www.derkeiler.com/pdf/Mailing-Lists/Full-Disclosure/2008-12/msg00575.pdf

www.schnader.com 18

NFC Technology v. Bluetooth

NFC has shorter set-up time. Instead of performing manual configurations to identify Bluetooth devices, the connection between two NFC devices is established at once (under a tenth of a second). The maximum data transfer rate of NFC (424 kbit/s) is slower than Bluetooth (2.1 Mbit/s). NFC has a shorter range, which provides a degree of security and makes NFC suitable for crowded areas where correlating a signal with its transmitting physical device (and by extension, its user) might be difficult. NFC is compatible with existing RFID structures.

www.schnader.com 19

NFC Technology - Hacks

Eavesdropping

The RF signal for the wireless data transfer can be picked up with

antennas. The distance from which an attacker is able to

eavesdrop the RF signal depends on numerous parameters, but

is typically a small number of meters. Also, eavesdropping is

extremely affected by the communication mode. A passive

device, which does not generate its own RF field is much harder

to eavesdrop on than an active device.

www.schnader.com 20

NFC Technology - Hacks

Data modification

Data destruction is relatively easy to realize. One possibility to perturb the

signal is the usage of an RFID jammer. There is no way to prevent such an

attack, but if the NFC devices check the RF field while they are sending, it is

possible to detect it.

Relay attack

Because NFC devices are usually also implementing ISO/IEC 14443

functionality, relay attacks are also feasible on NFC. For this attack the

adversary has to forward the request of the reader to the victim and relay

back its answer to the reader in real time, in order to carry out a task

pretending to be the owner of the victim’s smart card.

www.schnader.com 21

Carrier Billing

• ISIS – T- Mobile and Verizon

• Sprint - NFC based

• Others

www.schnader.com 22

Apps

• Flint

• Level up

• Braintree

www.schnader.com 23

Card Readers

www.schnader.com 24

Consumer/Regulatory Issues

• Payment-related information is not always easy to access, read, understand and complete

• Billing statements are not always clear

• Information on loyalty and rewards programs is not always clear

www.schnader.com 25

Consumer/Regulatory Issues

• Difficulty determining if transaction was successful

• Personal information may raise privacy issues

• Correcting errors can be difficult, if not impossible

www.schnader.com 26

Consumer/Regulatory Issues

• Automatic repeat purchases or automatic subscriptions

• Termination of Trial periods, “Free” products• Data pass marketing• In multi-party payment schemes with numerous

actors (e.g., mobile operators, credit providers, merchants, apps developers), consumers may have difficulty understanding who to turn to in case of problem with the transaction

www.schnader.com 27

REGULATORY STRUCTURES

Federal

State

Non-U.S.

www.schnader.com 28

DATA PROTECTION AND LIABILITY FOR DATA THEFTS

As the market for mobile financial services has developed and grown, the protection of consumers’ financial information from unauthorized access and potential identity theft should be of paramount importance.

Authenticating consumers’ identification, keeping the data transfer process safe from viruses, malware, and other attacks is also of vital importance in this entire process.

Information held by Banks and other service providers are of vital importance and there lays a risk pertaining to leakage, tampering and unauthorized access to data. There needs to adequate measures and safeguards to for customer data protection.

www.schnader.com 29

REGULATORY MEASURES

Under GLB, both the security and the privacy of a consumer’s non-public personal information (“PI”) are protected. PI can be considered to be as personally identifiable information:

•Provided by a consumer to a financial institution

•Resulting from a transaction or service for the consumer

•Otherwise obtained by the financial institution.

www.schnader.com 30

Money Laundering• Number of active mobile payment service accounts globally - 15 million• Some mobile payment service providers offer open-loop prepaid cards

that are connected to the accounts of their customers; through this originally domestic providers may offer cross-border services, as this grants customers or third persons who were handed over the prepaid card access to the global ATM network.

• Some providers even allow for ATM withdrawals without the need for a card. Customers can initiate p2p transactions by passing on a certain code to third parties, who can enter the code into an ATM in order to receive the amount of money linked to that specific code.32

• Some providers cooperate with traditional money remittance services (e.g., Western Union); the remittance service enables third parties that are not customers of the mobile payment service provider to send or receive to or from a customer, also across borders.

www.schnader.com 31

REGULATORY MEASURES

PI generally includes account information, unpublished phone numbers, other contact information, and of course more sensitive information as well.

If there is any breach of data security with respect to PI, by any entity to whom the GLB applies, then that entity would be liable for such a breach. GLB provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies, and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others.

Does this apply to mobile carriers? Mobile payments?

www.schnader.com 32

REGULATORY MEASURESSection 404 of the Sarbanes-Oxley Act requires companies to implement and practice internal controls in an effort to increase the security of financial data and systems. This section has ensured that Companies keep strict internal controls for ensuring financial data safety. SOX mandates that organizations ensure the accuracy of financial information and the reliability of systems that generate it. Section 404 of SOX requires that management perform an assessment of internal controls over financial reporting and obtain attestation from external auditors, on an annual basis.

It would be logical to assume that chances of data theft, data loss or unauthorized access of data would be minimal in cases of entities that comply with GLB safeguards and SOX. Non compliance with these provisions would lead to hefty fines being imposed on the entities.

www.schnader.com 33

NYS Banking Department

• Money Transmitter No person or entity may engage in the business of selling or issuing payment instruments, such as checks, or engage in the business of receiving money for transmission or transmit money without a license from the Superintendent…

• Licensing requirements - Article 13-B of the Banking Law, Sections 640 to 652-B and Superintendent's Regulation Parts 406, 416, 417 and 300.

www.schnader.com 34

NYS Banking Department

• Budget PlannerOnly type B not-for-profit corporations as defined in section 201 of the not-for-profit corporation law of New York, or an entity incorporated in another state having a similar not-for-profit status, shall engage in the business of budget planning.

• Licensing requirements - Article 12-C of the Banking Law, sections 579 to 587, Superintendent's Regulations Parts 402, 404 and 300 and General Business Law Article 28-B.

www.schnader.com 35

California State Banking Department

• Money transmitters includes issuers of payment instruments (money orders), travelers checks and stored value

• California Financial code, Division 1.2, commencing with section 2000

www.schnader.com 36

OECD Policy Guidance

• Service providers should give clear and accurate information regarding the terms, conditions and costs

• Businesses prohibited from engaging in fraudulent or deceptive practices

• Regulatory monitoring to enforce consumer protection

• Facilitate dispute resolution

www.schnader.com 37

Disputes

• Verizon “blockage” of Google Wallet

• Facebook credits – virtual money

www.schnader.com 38

LIABILITY OF BANKS/ VENDORSAn interesting question to consider is that whether any bank or mobile service provider would held liable for any data loss or tampering of data in spite of complying with the above mentioned regulations. For instance there might be loss of data due to a virus attack in the system. The question then is which entity would be liable for such security breaches?

Customers still might have recourse against these entities for traditional claims of negligence, breach of contract or breach of a fiduciary duty but there is not clear cut provision holding an entity liable for loss of data due to acts like hacking.

There is however an increasing view that laws should be changed to assigned greater responsibility to service providers, and other organizations that possess large amounts of personal information.

Such organizations should be legally required to inform their customers as soon as a penetration occurs, and they should be held legally liable for the financial impact on their customers as a result of hacking and identity theft.

www.schnader.com 39

ConclusionThere is no doubt that the amount of transactions carried out through mobile devices are on an increase.

Regulatory constraints have imposed stricter conditions on service providers to ensure that there are adequate measures in place to prevent loss of financial information or unauthorized access of financial information.

As the number of users of mobile payments increase there is going to be a greater challenge in front of the market players and the regulators to ensure that adequate measures have been taken to protect consumers and customer information.

www.schnader.com 40

KTaylor@schnader.com

Schnader, Harrison, Segal & Lewis, LLP140 Broadway, 31st Floor

New York NY 10005212.973.8125

www.schnader.com 41