IP&IT analysis: With mobile wallets set to transform the way in which consumers make payments, Kate Johnson and Emily Jones, Partners, and Clare Burman, Associate Director, at Osborne Clarke, consider the legal aspects underpinning the emerging field of mobile payments.
This article was first published on Lexis®PSL Commercial on 23 July 2015.
How is the field of mobile payments developing?
Kate Johnson and Clare Burman (KJ & CB): For UK users this is a rapidly developing area. Options such as Pingit, Paym, and PayPal are already available to UK consumers, and with Zapp (backed by the major banks), Samsung Pay and Android Pay in the process of launching UK products, there are more and more options available to consumers who wish to use mobile payments.
In the UK, retailers are also increasingly installing the technology required in order to accept mobile payments. This is likely to gather pace over summer 2015 as retailers who do not have chip and PIN machines will soon start to be held liable for fraudulent card transactions. Since many banks rolled out plastic cards with contactless-enabled chips as standard, consumers have got used to ‘tap and go’ so the move to mobile payments is the next obvious step.
What are the challenges around the security of such payment systems?
Emily Jones (EJ): As with any new technology-enabled product, there are challenges around keeping pace with the evolving threat landscape, especially because mobile payments require multiple transfers of data between different systems operated by all of the entities involved.
Compliance with the numerous laws and regulations, standards such as PCI-DSS, and requirements imposed by regulators and card schemes is also a challenge. There are new laws on the horizon, such as the proposed EU General Data Protection Regulation (GDPR) and the proposed Network and Information Security Directive, that will bring the threat of much higher fines and additional requirements about how quickly companies will need to respond to data security breaches and who they will need to notify.
Lastly, there is an added challenge of reassuring users that the systems are secure amid a series of high-profile security breaches in various sectors. Banks and other providers need to rise to this challenge if they want to generate customer trust and confidence in using mobile payments and ultimately ensure that mobile payments gain broader take-up.
Who carries the data protection risk?
EJ: The data protection risk will fall on a number of parties involved in providing mobile payments. Depending on the chosen delivery model and product, there will be complex data flows requiring careful assessment so that the risk and responsibility can be allocated properly.
Any of the parties acting as ‘data controllers’, by deciding the purposes for which and the manner in which any personal data are processed, will need to comply with the UK Data Protection Act 1998 (DPA 1998). Where cross-border arrangements are in place other local laws may be relevant which could impose stricter requirements.
While data controllers are ultimately responsible for any breaches of DPA 1998, they will seek to flow down obligations and liability to their processors, so in reality all parties will carry some risk whether from a legal or contractual perspective. Regardless of the legal or contractual allocation of risk, all parties will want to ensure that data protection issues are addressed and mitigated to avoid reputational damage associated with data protection breaches.
Could banks conceivably refuse to allow payments through mobile wallets?
KJ & CB: Many of the mobile wallets are likely to be classed as ‘payment initiation services’ when the second Payment Services Directive takes effect – likely in Autumn 2017. At that stage, the banks will generally be required to allow access, except in limited circumstances where there are security concerns.
In the interim, it seems unlikely that UK banks will refuse to allow payments through mobile wallets, as this is an area in which they are also investing – the parent company of Zapp (launching soon in the UK) is owned by a consortium of UK banks. The big question is when the banks will join the party and launch their own mobile payment products – this is probably when mobile payments will really gain traction given the trusted status of banks in their relationships with their customers.
Who bears the costs of any transaction from a mobile wallet?
KJ & CB: In most models the customer does not tend to bear the cost of transactions from a mobile wallet. Generally it would be the merchant who bears the transaction cost.