A revolution in the payment services industry is growing steam as new technologies emerge to support modern ways of purchasing goods and services.
Right now, the payment technologies making big news are mobile payment technologies, and for good reasons. They provide opportunities to improve customer experience, obtain insights about customer behaviour, increase handset sales (for hardware-specific proprietary payment solutions), and enable new channels of delivery for value-added services.
With opportunities, however, come risks – and businesses should consider the commercial, regulatory and compliance risk areas before fully embracing mobile payments.
>What is a mobile payment?
Mobile payment solutions typically involve a cardholder (a shopper), a card issuer (for example, the cardholder’s bank), a merchant (for example, a shop) and a merchant acquirer (the shop’s bank).
They can also involve a mobile network operator (MNO) and a ‘trusted service manager’, who acts as an intermediary between banks/merchants and the MNO – and manages the security aspects of the transaction necessary for a mobile payment to occur, in association with the MNO-provided SIM.
Into this mix, however, mobile handset manufacturers have recently launched a disruptive technology. They have embedded technology in the handset that would do away with the need to rely on a MNO-provided SIM or a trusted service manager for authentication.
This would greatly reduce the role of the MNO to that of a channel of data carriage, and looks set to significantly recast the existing profile of the mobile payments industry.
The diagram below maps the authorisation processes for a typical credit card transaction, including the additional authentication processes involved when a mobile payment transaction is made using a wallet payment method (using host card emulation) or a tokenisation method for a real credit card number.
Some data that feed into the authorisation processes differ from those data processed in a traditional credit card transaction, but many aspects of the authorisation processes remain unchanged. The key difference is the additional layer of authentication procedures for a mobile payment.
What are the key contracting risks?
Parties who wish to work together to launch a mobile payments solution will typically use a collaboration agreement or a more sophisticated joint venture model.
The collaboration agreement (or other contractual vehicle) will need to address numerous types of risks and commercial considerations, including the parties' respective financial and other contributions; revenue sharing arrangements for generated revenue; allocation of responsibility in relation to the discharge of regulatory obligations; licensing and ownership of intellectual property rights; control over use of trademarks in promotional activities; compliance with anti-money laundering (AML) regulations; customer ‘ownership’; exploitation of transaction data generated by the service offering; security obligations to prevent cyber intrusion; exclusivity (if any), subject to competition law controls; continuity of service on termination; and the parties' respective tax positions.
Then there are the regulatory issues. Regulatory initiatives in this area generally focus on consumer protection, promoting effective competition and implementing AML and financial crime measures.
Different regulatory regimes apply to mobile payments broadly according to the type of payment service or product on offer. The main EU frameworks that currently regulate mobile payments are the Payment Services Directive for firms carrying out money remittance, executing payment transactions and other payment services, the E-Money Directive for issuers of electronically stored value or ‘e-money’, and EU anti-money laundering legislation, which requires firms to establish policies and procedures to prevent and detect money laundering and terrorist financing activities.
Compliance in relation to data storage, information security and risk management are also relevant considerations for both financial institutions and MNOs.
Due to concerns about the burden of becoming regulated as financial institutions, an MNO that is involved in the provision of a payment service will typically seek to form a partnership with a financial institution that is already regulated, such as a merchant acquirer, or an 'e-money' or 'stored value' issuer. The financial institution will be responsible for the regulated aspects of the business and compliance with any relevant payment scheme rules.
The task of performing AML screening typically falls on the financial institution, but there are certain mobile payment solutions where the AML requirements dictate that screening must be performed by the MNO.
Change is likely to remain the operative word for the mobile payments industry for some time to come. As more and more valuable financial data migrates to the mobile space, security and steps to prevent cyber intrusion will become a commercial and regulatory imperative.
The new Payment Systems Regulator (PSR) now has jurisdiction over certain payment systems in the UK, and those systems’ participants, such as banks, building societies and other payment service providers. The PSR could well turn its attention to mobile payment solutions in due course.
Sourced from Mike Rebeiro, Peter Snowdon and Jamie Gray, Norton Rose Fulbright