By Mike Rebeiro, Global Head, Technology and Innovation, Peter Snowdon, Partner, and Jamie Gray, Associate, Norton Rose Fulbright LLP
A number of banks and financial institutions have announced mobile payment collaborations with well-known mobile handset manufacturers, using the mobile handset’s global branding as part of the sales proposition. Others are choosing to develop their own solutions, to be launched using their own branding. In either case, banks and financial institutions have been quick to recognise the potential for mobile payment solutions, and for good reasons.
Mobile payment solutions provide opportunities to improve customer ‘on-boarding’ and retention, to obtain insights about customer behaviours and to enable new distribution channels for delivery of value-added financial services and products.
With opportunities such as these, however, come risks. This article explains how mobile payment solutions typically work and considers some of the commercial, regulatory and compliance risk areas for banks, financial institutions and their suppliers.
1 What is a mobile payment?
Mobile payment solutions typically involve a cardholder (a shopper), a card issuer (for example, the cardholder’s bank), a merchant (for example, a shop) and a merchant acquirer (the shop’s bank). They can also involve a mobile network operator (MNO) and a ‘trusted service manager’. The trusted service manager acts as an intermediary between banks/merchants and the MNO, and manages the security aspects of the transaction necessary for a mobile payment to occur, in association with the MNO-provided SIM.
Into this mix, however, mobile handset manufacturers have recently launched a disruptive technology. They have embedded technology in the handset that would do away with the need to rely on an MNO-provided SIM or a trusted service manager for authentication of a mobile payment transaction.
This would greatly reduce the role of the MNO to that of a channel of data carriage, and looks set to significantly recast the existing profile of the mobile payments industry. It also leaves open for negotiation what the revenue-sharing split for the various stakeholders should be in relation to revenue generated from each mobile payment transaction.
Additional Authentication for Mobile Payments
The diagram below maps the authorisation processes for a typical credit card transaction, including the additional authentication processes involved when a mobile payment transaction is made using a:
- wallet payment method (using host card emulation);
- tokenisation method for a real credit card number.
Some data that feed into the authorisation processes differ from those data processed in a traditional credit card transaction, but many aspects of the authorisation processes remain unchanged. The key difference is the additional layer of authentication procedures for a mobile payment.
[Diagram: authorisation processes for a typical credit card transaction. Key: wallet payment (host card emulation); tokenisation (for a real credit card number)]
2 What are the key contracting risks?
Parties who wish to work together to launch a mobile payments solution will typically use a collaboration agreement or a more sophisticated joint venture model.
The collaboration agreement (or other contractual vehicle) will need to address the following types of risks and commercial considerations:
- the parties’ respective financial and other contributions;
- revenue sharing arrangements for generated revenue. For example, will the supplier of a handset-enabled payment solution be charging a bank or financial institution any transactional or interchange fees? Who will bear the additional costs charged by credit card networks to provide additional data to, say, ‘tokenise’ card data for mobile payments?
- allocation of responsibility in relation to the discharge of regulatory obligations;
- licensing and ownership of intellectual property rights;
- control over use of trademarks in promotional activities;
- compliance with anti-money laundering (AML) regulations;
- customer ‘ownership’. Banks and financial institutions will look to include contractual provisions that help prevent ‘disintermediation’ between them and their customers by the other contracting party;
- exploitation of transaction data generated by the service offering (for example, through big data analytics). This may depend on what can be done with customer data under the applicable data protection legislation;
- security obligations to prevent cyber intrusion;
- exclusivity (if any), subject to competition / antitrust law controls;
- continuity of service on termination; and
- the parties’ respective tax positions.
3 What are the key regulatory issues?
Regulatory initiatives in this area generally focus on consumer protection, promoting effective competition and implementing AML and financial crime measures.
Different regulatory regimes apply to mobile payments broadly according to the type of payment service or product on offer and the jurisdiction at issue. In Europe, for example, the main EU frameworks that currently regulate mobile payments are:
- the Payment Services Directive (for firms carrying out money remittance, executing payment transactions and other payment services);
- the E-Money Directive (for issuers of electronically stored value or ‘e-money’); and
- EU anti-money laundering legislation (requiring firms to establish policies and procedures to prevent and detect money laundering and terrorist financing activities).
Compliance in relation to data storage, information security, and risk management is also a relevant consideration for both financial institutions and MNOs in many jurisdictions.
Due to concerns about the burden of becoming regulated as financial institutions, an MNO that is involved in the provision of a mobile payment service will typically seek to form a collaboration with a financial institution which is already regulated (such as a merchant acquirer, or an ‘e-money’ or ‘stored value’ issuer) who will be responsible for:
- the regulated aspects of the business; and
- compliance with any relevant payment scheme rules (such as card scheme rules).
The task of performing AML screening typically falls on the financial institution (but there are certain mobile payment solutions and certain jurisdictions where the AML requirements dictate that screening must be performed by the MNO).
4 What can we expect in the future?
Change is likely to remain the operative word for the mobile payments industry for some time to come. As more and more valuable financial data migrates to mobile, we can expect increased regulatory oversight in most jurisdictions. Trust is hard won and very easily lost. Inevitably, therefore, there will be an increased emphasis (both commercially and from a regulatory perspective) on security, steps to prevent cyber intrusion and data protection.