August 19, 2017

Regulatory Questions Abound as Mobile Payments Clamor for Position in Apps

People frequently associate mobile payments with “tap and pay” — walking into a store, flashing your smartphone, and then walking out with stuff. But in-store sales really aren’t the focus of companies working on mobile payment issues. That’s because payment in stores generally isn’t a problem in need of a fix. Swiping a payment card at a terminal is quick and painless. Even dipping a chip-card is getting faster. And thanks to regulation, consumers generally don’t have to consider data security tradeoffs when choosing between different ways to pay.

In contrast, buying things while browsing over the Internet on our phones — in apps or via browsers — is a miserable process. It’s kind of amazing that we haven’t fixed the basic process of buying things over our phones, given how dependent we are on our phones for Internet browsing. The average iPhone user unlocks his phone 80 times a day. And the average American smartphone user spends five hours a day browsing on his phone. Yet, shopping cart conversion rates are abysmal over mobile phones. Estimates vary, but one recent study found that when consumers use their phones to shop online, they purchase items they put in their shopping carts only 1.53% of the time. Imagine being a store owner where over 98% of the people in your lines just wander off because they’re too frustrated with the process of giving you money. Analysts generally attribute the difference to the difficulty consumers have completing lengthy checkout forms, which require that they input payment credentials, billing addresses, shipping addresses and other information into a tiny screen with their thumbs. For me personally, one checkout process took me about 130 thumb taps.

Last holiday season, a diverse group of companies rushed to fill that gap. In June, PayPal enabled “One Touch,” which allows consumers to stay logged into their PayPal account on specific devices and, accordingly, buy stuff with one touch. That same month Apple announced that it will be expanding Apple Pay so that consumers can use their thumbprints to purchase things in apps, as well as on the Safari browser (even when they’re surfing on a desktop). Apple also integrated payments into iMessage, making payments as casual as chatting. Not to be outdone, Facebook announced in September that it has partnered with what TechCrunch describes as “all the major players” in the payments industry to enable credit card and debit payments for Messenger’s 1 billion users.

Amazon’s Echo bypasses phones entirely by allowing you to pay for things by speaking into the air. Apple followed up with its own voice-activiated payments on Siri.

And oh by the way, Google Payments already gives you the option of storing and autofiling payment card credentials if you’re browsing the Internet using the Chrome browser. Safari does too.

Of course, big banks aren’t giving up without a fight. JPMorgan Chase launched its own mobile wallet for in-app purchases, barely in time for Black Friday. Once a consumer downloads the app and creates a login, his pre-existing Chase cards are “automatically” enrolled in the wallet. According to Chase, that touches one out of every two American households.

All of these offerings are pretty much interchangeable to consumers: they’re made to be very convenient, “frictionless” ways to pay. From a design perspective, the goal is a nearly invisible payments layer, because the aim is to minimize any disruption of the consumer’s interaction with the merchant’s website. It’s gotten to the point where some consumers are complaining that they don’t know how to slow the payments process down.

On the one hand, all of these options are great for consumers. But on the other hand, there may be all kinds of differences under the hood of these payment devices that consumers won’t be able to see. A payment tool may gather, use, or share consumer data differently than what consumers expect. They may have different standards for protecting consumer data from hackers and thieves. Or, in extreme cases, they may do things that are patently illegal — for example creating phantom account for consumers and then billing them for them. (Heck, in some cases, the apps may even be from imposter companies.) Until very recently, consumers haven’t had to think about these potential differences because they’ve been living in a payments world dominated by plastic cards offered by highly-regulated banks.

Take supervisory examinations, as an example. Banks are generally examined for compliance with consumer protection requirements. This means that regulators send specialized examiners to banks’ places of business to speak with employees and review their records to make sure they’re following the law. Examiners will review email and phone exchanges, to understand if consumers are given the proper disclosures. They’ll review consumer complaints to ensure that consumers are treated fairly. Because JPMorgan Chase is a bank, it’s subject to examinations. So when Chase Pay hits the market, it will have had its tires kicked (or it least can have its tires kicked) by the government. This is a good thing for consumers and also arguably the bank. But it’s also a business cost — compliance and preparing for examinations requires a significant investment of money and, perhaps more importantly, delays the bank’s ability to get a product to market. (Notably, despite being announced in 2015 and Chase’s position as the leading wholly-owned payment provider for merchants, Chase Pay is still only accepted at two major retailers.)

New payment-focused fintech companies are subject to a wide variety of other regulations, but generally don’t have regulators coming on-site to examine their operations for consumer protection concerns. There are odd exceptions, but it’s far from a level playing field. For instance, companies that are very large players in the market for sending payments from the U.S. to other countries (“remittances”) are subject to examination. So if a company is a “larger participant” in remittances market and also offers retail consumer payments in smartphones, the latter could be swept up in an examination for the former. Elsewhere, companies that have contractual relationships with credit card issuers may be considered “service providers” to banks. At least one commentator, for instance, has opined that Apple’s service provider relationship with credit card-issuing banks makes Apple Pay subject to consumer protection examinations for unfair, deceptive, and abusive acts and practices. But many of the new payment services being offered to consumers won’t require the companies to have pre-existing contracts with consumers’ payment card issuers. How do browser extensions fit in the patchwork quilt of consumer protection examinations? Are messaging apps that allow for payment connectivity “third party service providers” from an examination perspective? How do you even examine for consumer disclosures when a payment is made over a speaker?

There are many more unanswered questions. For instance, what responsibility — from a regulatory perspective — do app stores have for protecting consumers from imposter payment apps?

Is the lack of a level playing field fair to banks? More importantly, is it fair to consumers?

Do the old divisions that treat these companies differently still make sense?