February 22, 2017

Regulatory Questions Abound as Mobile Payments Clamor for Position in Apps

People frequently associate mobile payments with “tap and pay” — walking into a store, flashing your smartphone, and then walking out with stuff. But in-store sales really aren’t the focus of companies working on mobile payment issues. That’s because payment in stores generally isn’t a problem in need of a fix. Swiping a payment card at a terminal is quick and painless. Even dipping a chip-card is getting faster. And thanks to regulation, consumers generally don’t have to consider data security tradeoffs when choosing between different ways to pay.

In contrast, buying things while browsing over the Internet on our phones — in apps or via browsers — is a miserable process. It’s kind of amazing that we haven’t fixed the basic process of buying things over our phones, given how dependent we are on our phones for Internet browsing. The average iPhone user unlocks his phone 80 times a day. And the average American smartphone user spends five hours a day browsing on his phone. Yet, shopping cart conversion rates are abysmal over mobile phones. Estimates vary, but one recent study found that when consumers use their phones to shop online, they purchase items they put in their shopping carts only 1.53% of the time. Imagine being a store owner where over 98% of the people in your lines just wander off because they’re too frustrated with the process of giving you money. Analysts generally attribute the difference to the difficulty consumers have completing lengthy checkout forms, which require that they input payment credentials, billing addresses, shipping addresses and other information into a tiny screen with their thumbs. For me personally, one checkout process took me about 130 thumb taps.

Last holiday season, a diverse group of companies rushed to fill that gap. In June, PayPal enabled “One Touch,” which allows consumers to stay logged into their PayPal account on specific devices and, accordingly, buy stuff with one touch. That same month Apple announced that it will be expanding Apple Pay so that consumers can use their thumbprints to purchase things in apps, as well as on the Safari browser (even when they’re surfing on a desktop). Apple also integrated payments into iMessage, making payments as casual as chatting. Not to be outdone, Facebook announced in September that it has partnered with what TechCrunch describes as “all the major players” in the payments industry to enable credit card and debit payments for Messenger’s 1 billion users.

Amazon’s Echo bypasses phones entirely by allowing you to pay for things by speaking into the air. Apple followed up with its own voice-activated payments on Siri.

And oh by the way, Google Payments already gives you the option of storing and autofilling payment card credentials if you’re browsing the Internet using the Chrome browser. Safari does too.

Of course, big banks aren’t giving up without a fight. JPMorgan Chase launched its own mobile wallet for in-app purchases, barely in time for Black Friday. Once a consumer downloads the app and creates a login, his pre-existing Chase cards are “automatically” enrolled in the wallet. According to Chase, that touches one out of every two American households.

All of these offerings are pretty much interchangeable to consumers: they’re made to be very convenient, “frictionless” ways to pay. From a design perspective, the goal is a nearly invisible payments layer, because the aim is to minimize any disruption of the consumer’s interaction with the merchant’s website. It’s gotten to the point where some consumers are complaining that they don’t know how to slow the payments process down.

On the one hand, all of these options are great for consumers. But on the other hand, there may be all kinds of differences under the hood of these payment devices that consumers won’t be able to see. A payment tool may gather, use, or share consumer data differently than what consumers expect. They may have different standards for protecting consumer data from hackers and thieves. Or, in extreme cases, they may do things that are patently illegal — for example creating phantom accounts for consumers and then billing them for them. (Heck, in some cases, the apps may even be from imposter companies.) Until very recently, consumers haven’t had to think about these potential differences because they’ve been living in a payments world dominated by plastic cards offered by highly-regulated banks.

Take supervisory examinations, as an example. Banks are generally examined for compliance with consumer protection requirements. This means that regulators send specialized examiners to banks’ places of business to speak with employees and review their records to make sure they’re following the law. Examiners will review email and phone exchanges, to understand if consumers are given the proper disclosures. They’ll review consumer complaints to ensure that consumers are treated fairly. Because JPMorgan Chase is a bank, it’s subject to examinations. So when Chase Pay hits the market, it will have had its tires kicked (or at least can have its tires kicked) by the government. This is a good thing for consumers and also arguably the bank. But it’s also a business cost — compliance and preparing for examinations requires a significant investment of money and, perhaps more importantly, delays the bank’s ability to get a product to market. (Notably, despite being announced in 2015 and Chase’s position as the leading wholly-owned payment provider for merchants, Chase Pay is still only accepted at two major retailers.)

New payment-focused fintech companies are subject to a wide variety of other regulations, but generally don’t have regulators coming on-site to examine their operations for consumer protection concerns. There are odd exceptions, but it’s far from a level playing field. For instance, companies that are very large players in the market for sending payments from the U.S. to other countries (“remittances”) are subject to examination. So if a company is a “larger participant” in the remittances market and also offers retail consumer payments in smartphones, the latter could be swept up in an examination for the former. Elsewhere, companies that have contractual relationships with credit card issuers may be considered “service providers” to banks. At least one commentator, for instance, has opined that Apple’s service provider relationship with credit card-issuing banks makes Apple Pay subject to consumer protection examinations for unfair, deceptive, and abusive acts and practices. But many of the new payment services being offered to consumers won’t require the companies to have pre-existing contracts with consumers’ payment card issuers. How do browser extensions fit in the patchwork quilt of consumer protection examinations? Are messaging apps that allow for payment connectivity “third party service providers” from an examination perspective? How do you even examine for consumer disclosures when a payment is made over a speaker?

There are many more unanswered questions. For instance, what responsibility — from a regulatory perspective — do app stores have for protecting consumers from imposter payment apps?

Is the lack of a level playing field fair to banks? More importantly, is it fair to consumers?

Do the old divisions that treat these companies differently still make sense?

 

Concerned about Internet of Things Security?

There is no shortage of warnings about the need to improve security for the Internet of Things:

Certainly these messages must be raising concerns in organizations that are working on Internet of Things projects.

But it doesn’t seem so.

In our recent research at MIT Sloan Management Review, we found that only 34% of the respondents felt that they needed to improve their IoT data security. If you are trying to decide if the glass is full or empty, that glass seems two-thirds empty to me.

The research included responses from 1,480 executives, managers, and IT professionals working in a wide variety of industries. It focused on the perspective of organizations, not security professionals, and tried to understand their challenges and opportunities associated with the Internet of Things.

One optimistic interpretation of these results is that the reason the 66% are not concerned about IoT data security is that they have heeded the warnings and have taken steps to reduce security concerns. But we also asked respondents about how effective their organizations were at security for IoT data. Figure 1 shows the relationship between concern for IoT data security and the organization’s perceived data security effectiveness. Reporting of a need to improve IoT security changed little with the perceived effectiveness.

Figure 1: Concern for IoT Security and IoT Security Effectiveness

An alternative, more pessimistic interpretation is that organizations need to improve IoT security, but that it is not an important concern. Instead, in order to take advantage of IoT, respondents felt more need to improve their overall analytics capability (58%), analytics talent (52%), IoT specific talent (49%), executive team’s understanding (46%), ability to communicate with customers (45%), and relationships with other groups who understand IoT (40%). In fact, need for improvements in data security (34%) and sensor-data security (27%) were selected less often than any other option we gave respondents to choose from. And in this scenario, respondents could select as many as they felt described their organization, without cost.

Our respondents had a variety of experience with IoT projects. It could be that those who are not active may not yet be aware of potential security issues. Given that most organizations are not yet active with IoT projects, our results could be driven by those inactive organizations. Figure 2 examines organizational concern for IoT data security as they gain experience with IoT. Concern is higher for organizations active with IoT with some drop as they gain further experience. But it seems that inactive organizations are not solely responsible for the low overall need to improve IoT data security.

Figure 2: Concern for IoT Security and IoT Experience

While IoT security is inherently important, it may be even more salient when combined with another key result from our research—business value from the Internet of Things is related to the amount of data sharing between customers, suppliers, and even competitors. As organizations find value in sharing data with other organizations, they are likely to increase connections with other organizations, leading to increased potential for negative externalities.

Unfortunately, the low perception of need to improve IoT data security coupled with increased IoT deployments and interconnections between organizations seem likely to lead to more headlines that report on IoT security downfalls, not fewer.

 

GIS Analysis as a Research Communication Tool

The power of geospatial analysis lies in the new ways it provides to look at datasets and the relations among them. It allows you to explore more nuanced questions and discover correlations previously hidden. Used properly, geographic information system (GIS) tools can increase the saliency of a policy issue by expressing your argument visually and often much more effectively. Below is my recent experience in using GIS tools to broaden the audience for my research.

Property Assessment Disparities

Municipalities across the country are under fiscal duress due to cuts in state/federal aid, property tax levy limits, and rising employee fringe benefit costs. Often limited in their ability to generate new revenue streams, municipalities have become overly dependent on property taxes to “keep the lights on”.

Taxes are always a contentious issue and nobody wants to pay more than their fair share. To get a sense of how equitable the property tax burden was in Milwaukee, a city wrestling with all of the challenges noted above, I analyzed 33,000 property sales transactions over a 10-year period and compared them with their corresponding assessment values. By regressing the assessment value/sales price ratio on a host of predictors including building condition, lot size, geographic location, etc., I was able to get a sense of how equitable the city’s property taxation system is. While the findings presented an interesting disparity in who was paying their fair share, the results were neither accessible to the average citizen nor actionable for the policy maker. They required an understanding of my model specification and an ability to interpret coefficients expressed in terms of log odds.