lexpert payments oct 29 2014 - mobile payments regulation

Mobile Payments Regulation

Lisa Abe-Oldenburg

October 29, 2014Revolutionary Payment Solutions 2014

Introduction

• Federal and Provincial Regulation Overview• Prepaid Card Rules• Global Digital Payments Standard• Canadian Bankers Association Update• Consumer Protection Update with respect to m-payments• Code of Conduct for the Debit and Credit Industry• Canadian NFC Mobile Payments Reference Model• Cross-border payments and international regulation• AML and FCAC

Federal Regulation

• Bank Act, Cooperative Credit Associations Act , Trust and Loan Companies Act, Insurance Companies Act and Regulations

• Federal Act respecting the Canadian Payments Association and the regulation of Systems and arrangements for the making of payments (Canadian "Payments Act")

• Federal Act respecting payment card networks ("Payment Card Networks Act")

• Federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act

• Federal Payment Clearing and Settlement Act• Federal Bills of Exchange Act• Federal Competition Act

Federal Regulations

• Canadian Bankers Association (CBA) mobile guidelines• Federal public sector privacy Act • Federal private sector privacy law - Personal Information

Protection and Electronic Documents Act ("PIPEDA")• Federal Anti-Spam Law ("CASL")

Provincial Regulation

• Consumer protection laws – provincial statutes and regulations• Most Canadian provinces have enacted laws that govern gift/prepaid

and credit cards• BC

• Prepaid Purchase Cards Regulation• Business Practices and Consumer Protection Act

• Alberta• Reg 146/2008 Gift Card Regulation• Fair Trading Act and Cost of Credit Disclosure Regulation

• Manitoba• Consumer Protection Act and Regulations• Prepaid Purchase Card Regulation• Gift Cards Act• Cost of Credit Disclosure Act

Provincial Regulation

• Consumer protection laws – provincial statutes and regulations• Ontario

• Consumer Protection Act and Regulations (cover gift and credit cards)

• Nova Scotia• Consumer Protection Act and Regulations• Gift Card Regulations

• PEI• Consumer Protection Act• Gift Cards Act and Regulations

• Quebec• Consumer Protection Act• Money-Services Businesses Act

• Also laws in NB, Sask, Nfld, Yukon, Nunavut

Prepaid Card Rules

• Is it a prepaid gift card or credit card?• Does definition of "cards" extend to "Apps"? Types of cards not covered by the gift card rules

include:• promotional gift cards given away for free or at a discount• loyalty cards or club cards used to collect rewards or

points• pre-paid phone cards• pre-paid credit cards

Prepaid Card Rules

No Expiry Date for Gift Cards• The Ontario Consumer Protection Act bans most retail

business gift cards from having an expiry dateGift cards that can have an expiry date include:• Gift cards for one specific service (for example, a gift

certificate for a massage at a spa may come with an expiry date and lose its value if not used)

• Gift cards issued for charitable purposesDisclosure of Terms• The Act requires that all restrictions and conditions must

be stated in clear and visible writing for the customer

Prepaid Card Rules

No extra charges to use a gift card, such as:• Activation fees or added service fees to purchase the card

or to use the card• Fees that reduce the value of the gift card over time, i.e.

dormancy fees No sales tax (HST) to buy a gift card• HST is charged on items or services purchased using a

gift card.When can a business charge a fee?• Customization of a gift card• Replacement of a lost or stolen card

Prepaid Card Rules

Special rules for gift cards from shopping malls• The shopping mall can charge an activation fee up to

$1.50 at the time the card is purchased.• Keep their value for 15 months from the date of purchase.

The mall can apply a dormancy fee after 15 months up to a maximum amount of $2.50 per month

• Consumers can request a 3-month extension before dormancy fees are charged

• The fees and conditions must be clearly printed on the shopping mall gift card

Prepaid Card Rules

Prepaid credit and debit cards• New Federal Prepaid Payment Products Regulations,

SOR/2013-209 came into force May 1, 2014 • Regulations apply to prepaid payment products that are issued

in Canada by a federally regulated financial institution• The Regulations do not apply to prepaid products issued by

provincially regulated institutions or retailers• The Financial Consumer Agency of Canada (FCAC) will be

responsible for enforcing compliance with the new rules• Financial institutions have said that the regulations will apply to

all prepaid cards in the market, regardless of when the cards were purchased, according to a statement from the department of finance

Prepaid Card Rules

Prepaid credit and debit cards• Regulations define “prepaid payment product” as a

payment card, whether physical or electronic, that is — or can be — loaded with funds and that can be used by the card holder to make withdrawals or purchase goods or services

• Regulations apply to cards used to make purchases or withdraw funds via a payment network such as American Express, MasterCard or Visa

Prepaid Card Rules

Prepaid credit and debit cards• Prohibit maintenance fees for a year after the cards are activated• No expiry date• Requirement for certain terms and conditions attached to the cards

to be displayed on the exterior packaging• Requirement that federally regulated financial institutions disclose

a list of all the fees associated with the card in an information box that is printed in a visible location on the card's packaging

• Requirement that certain key information be given to the consumer before the card is issued in a manner that is "clear, simple and not misleading"

Prepaid Card Rules

Global Digital Payments Standard• October 2013 – Credit Card Networks American Express,

MasterCard and Visa proposed a Global Digital Payment Standard for online shopping

• Designed to enhance the security of digital payments and simplify the purchasing experience

• Allows issuers, merchants or digital wallet providers to use a digital "token" instead of a shopper's card account number to process a transaction

• Account numbers are "tokenized" to provide security to the cardholder

Prepaid Card RulesGlobal Digital Payments Standard• According to CyberSource “Tokenization" is a security process where data is

replaced by identification symbols that retain the contents of the original data in a secure manner. Each set of sensitive data becomes its own unique pattern. So if data systems were compromised, hackers would get a tokenized number instead of a customer’s credit card number

• Consumers will no longer have to enter personal account information when shopping online or on a smart device

• Tokens support all payment actions and checkout models including one-time authorization, capture and settlement, recurring and subscription billing, credit and partial credit, split capture, reauthorization, and standard checkout

Prepaid Card Rules

Global Digital Payments Standard• Tokens are already used for such redeeming offers, paying bills

and initiating purchases online or in a brick-and-mortar store• Unlike EMV, tokenization doesn’t require a mass overhaul of a

payment system. Instead, it works with an organization’s existing structures, with the heavy lifting being done by the tokenization vendor that stores the credit card data, generates the tokens, and keeps track of them through the entire transaction process

• Eliminates the need for merchants, digital wallet operators or others to store card account numbers – won't be the source of a stored data compromise

• To be available to all payment networks and payment participants

Prepaid Card Rules

Global Digital Payments Standard• Merchants, financial institutions and other industry players

would need to agree to use tokens instead of traditional account numbers and to be able to route and pass the token consistently

• The standard would also include more data fields to provide more transaction information to improve fraud detection and expedite the approval process

• It's important to establish the foundation for a global, interoperable payments environment

• Comparable to how the industry came together to develop and use the magnetic stripe, EMV and NFC on a global scale

Prepaid Card Rules

Global Digital Payments Standard• Timeframe for the standard to become effective will be determined by

how quickly the industry can come together to develop and adopt the final global standard

• New tokenization framework currently being developed by EMVCo (collectively owned by American Express, Discover, JCB, MasterCard, China UnionPay, and Visa) for the world’s major payments networks, will enable EMV chip card transactions to be made on a mobile phone

• In September, MC and VISA launched their token services in the US and will expand more broadly to other major markets during the course of 2015

• Will support Cloud Based Payments and Apple's NFCpayments service

Canadian Bankers Association Update

• Oct. 15 2014 - The Canadian Bankers Association (CBA) released the results of its latest research, How Canadians Bank, which shows that Canadians of all ages are embracing new technologies in their daily lives and value innovative ways to make their banking more accessible and convenient

• Keys trends include the fact that online and mobile banking use continues to grow and payments are quickly evolving as mobile wallets and “tap and go” contactless payments become more widely available

• Checking account balances using bank mobile apps, flashing phones to make purchases and taking pictures of cheques to deposit them from mobile phone.


• 31% of Canadians do some banking using their mobile device, up from 19% in 2012 and only 5% in 2010

• 43 % of Canadians expect to be conducting their banking using mobile devices in the near future

• 3 % of Canadians have deposited a cheque by taking a picture with their mobile phone

• 57 % of Canadians value making purchases with a mobile device and 61 % value contactless payments

• 23 % of Canadians said they don’t think they will be carrying cash in 10 years and 54 % don’t anticipate using cheques


• Half of people over the age of 65 bank primarily online now• 40 % say that their in-branch banking is decreasing, with

only 13 % of Canadians now doing the majority of their banking in branches

• Online banking remains the most common method of paying routine bills for 48 % of Canadians, followed by pre-authorized bank account withdrawals (18 %). Only two % now pay most of their bills by cheque

• 72 % of respondents report that new technologies have added a great deal of value to their banking and 90 % appreciate innovation enabling them to bank at times that are convenient to them


• Canada has a secure, efficient and innovative payments system built on the foundation of strong financial institutions

• When making a purchase, consumers can choose to use cash, cheques, debit and credit cards, as well as other electronic payments services like PayPal, e-mail money transfers, bank transfers and mobile payments. Many of these options are available for both in-store or online purchases

• Innovation in payments technology has increased the country’s productivity and expanded the size of the Canadian economy. A study by IHS Global Insight found that electronic payments have contributed $196 billion to the Canadian economic growth in the last 25 years


• Canadians are among the biggest users of debit cards in the world, with only residents of Sweden, the United States and the Netherlands doing more transactions per person

• Debit cards are accepted by 481,000 retailers in Canada, and more than 4.5 billion transactions were done using the Interac® network in 2013

• New forms of electronic debit payment are becoming more widespread as Canadians can use their debit card through Interac to make purchases at online retailers and pay money through e-mail money transfers


• Interac Flash, debit card users can now wave their card in front of a reader to make small value transactions

• Regardless of the type of transaction, debit card users are always protected so, if they become the victim of fraud, they will be reimbursed by their financial institution

• The debit card landscape is changing and more competition is coming to debit card payments

• Both Visa Canada and MasterCard Canada are starting to make debit services available to Canadians through their secure networks

Consumer Protection Update

• Principles of Consumer Protection for Electronic Commerce 1. Consumers should be provided with clear and sufficient

information to make an informed choice about whether and how to make a purchase.

2. “Vendors” should take reasonable steps to ensure that the consumer’s agreement to contract is fully informed and intentional.

3. Vendors and “intermediaries” should respect the privacy principles set out in the CSA International’s Model Code for the Protection of Personal Information.


• Principles of Consumer Protection for Electronic Commerce (cont.)4. Vendors and intermediaries should take reasonable steps to ensure

that “transactions” in which they are involved are secure. Consumers should act prudently when undertaking transactions.

5. Consumers should have access to fair, timely, effective and affordable means for resolving problems with any transaction.

6. Consumers should be protected from unreasonable liability for payments in transactions.

7. Vendors should not transmit commercial E-mail without the consent of consumers, or unless a vendor has an existing relationship with a consumer (CASL compliance)

8. Government, business and consumer groups should promote consumer awareness about the safe use of electronic commerce.


• Provincial consumer protection statutes and regulations• Consumer agreements have specific requirements, e.g.

minimum payment obligations, disclosure, signature, writing, delivery, content/terms, express opportunity to accept or decline, cooling off periods, cancellation rights, amendment

• Internet Agreements are formed by text-based Internet communications have their own unique requirements


• Provincial consumer protection statutes and regulations• Also separate requirements for:

• Remote Agreements – when the consumer and supplier are not present together

• Direct Agreements – when the consumer agreement is negotiated or concluded at a place other than the supplier's place of business or marketplace

• Credit, credit card and payday agreements with consumers• E.g. liability for unauthorized credit card charges capped at $50 (CPA, s.

69 and CPAR, s. 58)

• Prepaid card rules

Consumer Protection Update on m-Payments

• December 2013 - research study Mobile Payments and Consumer Protection in Canada published by the Financial Consumer Agency of Canada (FCAC) notes the introduction of m-payments into the Canadian marketplace brings both convenience and potential risks for Canadian consumers

• An m-payment is a payment made with a smartphone or other mobile device instead of a more traditional payment method, such as cash or credit or debit card

• Consumer protections vary across the Canadian marketplace• Users of m-payments in Canada are not all protected equally,

as consumer protection obligations vary by service provider

Consumer Protection Update on m-Payments

• M-payment service providers may sell user data to third-party marketers, who then target consumers with advertising based on demographic, behavioural and geographic information - pose new risks, particularly when products are marketed to vulnerable consumers

• The number of stakeholders involved in an m-payment transaction may increase the level of complexity related to dispute resolution and redress. In the event of an error or unfair treatment, a consumer may be unsure as to how or where to file a complaint or obtain redress

• FCAC is currently developing information to help consumers understand how m-payments work and what their implications are and it is working to make Canadians more aware of profiling and malware threats and the ways they can best protect themselves

Code of Conduct for the Debit and Credit Industry

• A Code of Conduct for the Credit and Debit Card Industry in Canada has been adopted by all payment card networks, including American Express Canada, Discover, THE EXCHANGE, Interac, MasterCard Canada and VISA Canada.

• The Code came into effect in August 2010 • The Code has the following objectives:

• to ensure that merchants are fully aware of the costs associated with accepting credit and debit card payments

• to provide merchants with increased pricing flexibility to encourage consumers to choose the lowest-cost payment option

• to allow merchants to choose freely which payment options they will accept.

Code of Conduct for the Debit and Credit Industry

• Payment card networks have incorporated the Code of Conduct into their contracts, governing rules and regulations. This will ensure that other participants in the networks, including card issuers and payment processors, also follow the Code's provisions.

• FCAC monitors the payment card networks’ compliance with the Code of Conduct

• The FCAC Commissioner has also issued Guidance to clarify the application of some of the Code’s provisions

NFC Mobile Payments Reference Model

• Canadian Banker's Association established Guidelines for various participants in the Canadian mobile commerce ecosystem, which most Canadian banks and credit unions have agreed to adhere to

• Objective: to address challenges and provide a framework for the interactions between the different ecosystem participants. Interoperability between the Mobile Network Operators (MNOs, e.g. Rogers, Bell, Telus, Public Mobile, Wind, Videotron) and payment networks (e.g. Visa, MasterCard, Interac) is a key objective for these guidelines.


• The guidelines outline the functional elements, roles and responsibilities, and interaction models needed for the development of an effective, affordable, and consumer and merchant‐friendly NFC based mobile payments system in Canada

• Binds only those banks and credit unions that participated in its development (along with their partners), but all participants need to be aware of their requirements


• Canadian mobile payments solution framework and ecosystem• convenient, open, safe and secure ecosystem • Typically, payment credentials and mobile device hardware are

managed by different organizations. This creates a unique challenge as it requires multiple parties to work together to successfully deliver NFC mobile payment services.

• The guidelines are limited to the payment model in which payment card credentials are stored on a SIM card or embedded in the secure element of a smartphone, and payment is effected by a user selecting a payment method from the "mobile wallet" stored on the smartphone and tapping the smartphone on an NFC-enabled point-of-sale device. This payment model is presently being rolled out by Canadian financial institutions and mobile network operators.


• Canadian mobile payments solution framework and ecosystem• Guidelines support Visa, MasterCard and Interac specifications for

NFC transactions requiring mobile devices to support the EMV mode and the MSD mode

• Guidelines also contain elements from various other guidelines and regimes, including SEPA, GSMA/EPC, EMVCo, GlobalPlatform, PayEz and AFSCM.

• focus is on the software required for interoperability of components, NFC mobile devices and POS systems

• credential issuers will be able to operate on various NFC mobile devices

• NFC contactless reader compliant to ISO 14443 Type A or ISO 14443 Type B will be able to communicate with any NFC mobile device; and any over-the-air platform will be able to communicate with any credential issuer


• Wallet features and functionality• While the guidelines address both hardware and software issues, the

focus is on software; in particular mobile wallet software. The guidelines outline procedures related to mobile wallet design, installation on mobile devices, and execution of mobile payments, including a section on wallet and payment application features, functionality and security

• Three types of mobile wallets: • Proprietary wallet design - only payment credentials from the wallet provider

may be used to make a payment • Collective wallet design - payment credentials from a group of credential

issuers may be used to make a payment • Open wallet design - payment credentials from multiple credential issuers can

be used to make payments

• Open wallets require agreements and business relationships between credential issuers and wallet providers.


• Wallet features and functionality• The guideline acknowledges that the industry will gravitate

toward proprietary and collective wallets• In order to promote openness, the guideline does not allow

mobile wallets, mobile network operators, original equipment manufacturers, secure domain managers and credential issuers to restrict access to payment applications from debit and credit payment networks, prepaid products, transit and loyalty products, and products issued in a foreign currency.

• Emphasis on consumer choice for which payment types may be embedded on a smartphone and for whether use will be password protected.


• Enablement and lifecycle management• Setup steps needed to install, use, maintain and terminate a

mobile wallet and payment application on a mobile device, securely bind the applications and manage these applications over customer lifecycle events (e.g. lost or stolen phones)

• Importance of sound contractual business relationships among the various participants in the mobile payment ecosystem

• Mention possibility of the creation of a central hub organization or central controlling authority to manage those relationships. No detail provided as organization structure, but likely different from the self-regulatory organization proposed by the Task Force for the Payments System Review


• Transactions• Once the initial setup is complete, an NFC based mobile

payment transaction may be performed. • Certain steps are required to perform an NFC mobile payment.

The solution is designed to consider low value, high value and high risk transactions. The solution is characterized by a radio frequency short read range distance that requires the mobile handset to be presented close to the contactless reader to enable a transaction.


• Loyalty and rewards• Loyalty & Rewards is a rapidly evolving space and there are many

types of loyalty and reward programs available to consumers (e.g. bonus points and cash‐back programs, loyalty rewards redemptions, merchant‐funded discount and promotional programs, coupons and vouchers)

• Sets out guidelines for ensuring that these programs can be integrated with NFC mobile payments and how loyalty and rewards programs, couponing rebates and vouchers will operate, whether operated by merchants, issuers or other ecosystem participants

• Merchants and application developers must be mindful to follow the standards set out in the guidelines, including the use of ISO/IEC 14443 for the transmission of loyalty and rewards data using NFC


• Data and security• General guideline that each ecosystem participant should only

have access to the minimum information required to perform its primary role

• Default should be to protect consumer and merchant data• It is not clear who would have access to consumer purchasing

information that would be of interest to merchants• Detailed data and security guidelines and standards are set out in

the guideline - PCI-DSS compliance is the standard for data protection

• The data and security standards may affect development and use of wallet and payment apps in Canada, as the guideline allows information about transactions, loyalty programs and consumers to be used only in certain ways


• Government reaction• The voluntary Code of Conduct for the Credit and Debit Card

Industry in Canada (the Code) must be revised for the quickly evolving mobile payment ecosystem

• Code amendments would need to anticipate all forms of emerging mobile payment technology

• Out-of-scope of the guidelines are remote mobile payments, storing of payment credentials on micro SD memory cards and NFC cases, the use of cloud-based mobile payments (where credentials are stored on a server and accessed by Internet), barcode, bluetooth, passive NFC and RFID and p2p based payments

Cross-border Payments and International Regulation

• The m-payments ecosystem involves a number of industries acting together.

• Risk of uneven protection• Inconsistencies in the consumer protection framework

result when obligations differ according to the type of entity offering a product or service

• In certain member countries of the Organization for Economic Co-operation and Development, there has been a call for minimum consumer protection standards to apply to all m-payment sources


• In some cases, central banks temporarily suspended the use of mobile payments due to financial and information security concerns (China), or revoked operating licenses owing to failure to sustain business operations (Zambia)

• Widespread deployment and heightened activity in some jurisdictions have raised policy issues, particularly the protection of customer funds


• In a number of jurisdictions outside Canada, legislation has been written that applies to financial institutions and “other entities”; the result is that all providers are subject to the same obligations

• Many central banks have made mobile payment regulations more explicit

• Recent regulatory developments, which is not exhaustive, has included:• the Central Bank of Brazil Law 12865 of 2013, which provides

guidance on mobile payments• the Bank of Uganda Mobile Money Guidelines of 2013• the Central Bank of Sri Lanka Mobile Payments Guidelines for bank-

led and custodian account based mobile payment services of 2011


• the Da Afghanistan Bank Money Service Providers Regulation of 2008

• the Reserve Bank of India Operative Guidelines for Bank Mobile Payments

• the Central Bank of Egypt Regulations Governing Provision of Payment Orders through Mobile Phones.

• Other central banks in Africa, Asia-Pacific, and Latin America have introduced similar rules

• Report coming soon from the FCAC on a review of international developments in various countries of mobile payments and the resulting evolution of consumer protection regulatory frameworks

AML and FCAC Compliance

• Federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act

• Money Services Businesses in Canada must register with Fintrac, maintain records, submit reports, identify clients (KYC) and have a compliance regime

• Apple didn’t register with the U.S. Treasury Department, according to a search of a national register of money service businesses

• If the device maker does not accept and transmit value, and just transmits encrypted card information that is used by the regular payment system to process the payment among regular participants, it wouldn’t be a money services business


• The Apple Pay service, which Apple first announced in September, doesn’t collect transaction information that can be tied to a user, and isn’t itself involved in a transaction at all–money moves directly between a user, the merchant and the user’s bank

• Apple didn’t have to set up an anti-money laundering program for its new Apple Pay service in contrast with competitors such as PayPal or Google

• Under Apple Pay, a phone doesn’t store actual card numbers; it creates a token that is encrypted and stored in the secure element of the device


• Apple is performing a payment enabler role, with technology that facilitates the payment but does not perform any role beyond that

• When a payment is initiated by an enrolled consumer and a merchant, the legal and regulatory responsibilities are reflected between the parties in the payment process

• Apple signed agreements with bank and payment network partners that provide the infrastructure on which Apple Pay will operate


• Financial Consumer Agency of Canada (FCAC) established under section 3 of the Financial Consumer Agency of Canada Act, is responsible for supervising payment card network operators to determine whether they are in compliance with the provisions of this Payment Card Networks Act and the regulations, as well as the Code of Conduct

• As a federal regulatory agency, FCAC is also responsible for: • ensuring that the market conduct of federally regulated financial

entities (including retail associations) complies with federal legislation and regulations

• promoting the adoption of policies and procedures designed to implement legislation, regulation, voluntary codes of conduct and public commitments by federally regulated financial entities


• monitoring federally regulated financial entities’ compliance with voluntary codes of conduct and their own public commitments

• informing consumers about their rights and responsibilities when dealing with financial entities and about the obligations of payment card network operators to consumers and merchants

• providing timely and objective information and tools to help consumers understand, and shop for, a variety of financial products and services

• monitoring and evaluating trends and emerging issues that may have an impact on consumers of financial products and services.

Questions?

Lisa K. Abe- Oldenburg, B.Comm., J.D.

[email protected]

Tel.: 416-777-7475

www.bennettjones.com

• This presentation contains statements of generalprinciples and not legal opinions and should notbe acted upon without first consulting a lawyerwho will provide analysis and advice on a specificmatter.

lexpert payments oct 29 2014 - mobile payments regulation

Documents

prepaid cards

debit cards

definition of cards

club cards

discountloyalty cards

types of cards

electronic payment cards

promotional gift cards