Earlier this month, the Bureau of Consumer Protection of the Federal Trade Commission (FTC) submitted comments to the Consumer Financial Protection Bureau (CFPB) in response to the CFPB’s June 2014 request for information (RFI) on “how consumers are using mobile financial services to access products and services, manage finances and achieve their financial goals.” The CFPB’s particular focus for this RFI was how these products and services are used by, and affect, economically vulnerable consumers.
Consistent with the FTC’s overall focus on privacy and consumer protection, the FTC comments on mobile financial services focus on five potential consumer protection issues:
- Potential liability for unauthorized charges using prepaid or stored value products (such as in-app “wallets”);
- Unfair billing practices on mobile carrier bills (e.g., “cramming”);
- Privacy concerns relating to the collection, use, sharing, and storage of consumers’ personal and financial data;
- The security of this information; and
- The potential use of consumers’ information by data brokers and other third parties (e.g., “big data” concerns).
The FTC comments emphasized, as a preliminary matter, that the FTC has conducted a number of workshops, released multiple reports, and, of course, pursued enforcement actions for Section 51 violations by a number of companies that provide mobile commerce services. The FTC notes that, in doing so, it has “worked to ensure that consumer protections keep pace as mobile commerce transitions from concept to reality.” As such, the FTC has already identified, and taken steps to address, these issues. In this regard, the FTC comments explain why each of these five issues comes into play in the mobile financial services space, and provide insight on how the FTC has addressed each issue to date.
The issues can be divided into two groups: those particular to mobile financial services, and those that are general consumer protection concerns applicable in the mobile space as well.
ISSUES PARTICULAR TO MOBILE FINANCIAL SERVICES
The FTC identified consumer protection issues specific to mobile payments and virtual “wallets,” as well as carrier billing practices.
The FTC notes that the statutory protections that consumers have for first-party credit or debit transactions “generally do not apply when a consumer uses a prepaid or gift card, or moves money into a stored value account within the app [e.g., a ‘wallet’], to make a mobile payment transaction.” As a result, the FTC notes, consumers must rely on the mobile app, or the prepaid card, for any protections, such as for unauthorized charges or other losses. The FTC recommends that consumers seek out mobile payments services with readily accessible disclosures about how the payment service works and the remedies available if there is a billing dispute or problem with the service. In parallel, the FTC recommends that companies provide clear disclosures about mobile services and highlight any applicable limitations on consumer liability and policies and procedures for resolving consumer disputes.
With regard to carrier billing, the FTC commented that the service has the potential to be beneficial to consumers, in particular those who do not have or do not want to use credit cards. However, the FTC expressed concern that certain practices can also be a means to engage in unfair or deceptive practices in the form of mobile cramming, which is “the unlawful practice of placing unauthorized third-party charges on mobile phone accounts.” In the typical fraud pattern, a consumer will be signed up and billed without knowledge or consent for a third-party service such as ringtones. The FTC has brought enforcement actions against companies that have engaged in deceptive practices relating to carrier billing and has also provided a number of recommendations to providers on how to protect consumers. For example, the FTC recommends that mobile carriers “give consumers the option to block all third-party charges on their phone accounts” and that they disclose any such charges clearly and conspicuously. For participants in the carrier billing market, the FTC recommends that these companies take action to make sure their advertisements for any products or services charged to mobile phone bills are not deceptive, and that the companies have express, informed consent prior to billing for any such products or services.
GENERAL CONSUMER PROTECTION CONCERNS
The remaining issues raised by the FTC relate to the collection and use of consumer personal information, including financial information. The FTC has been focused on privacy and security concerns relating to consumer information for a number of years now, and the adoption of mobile devices, combined with the ability to use these devices to access financial services, has heightened these concerns. Nevertheless, the FTC’s general privacy framework still applies, meaning that companies should still provide consumers with notice and choice regarding the collection, use, storage, and sharing of their information.
The FTC has focused over the past few years on privacy issues raised by the adoption of mobile technologies and the interconnectedness of consumer devices. As the comments note, the “FTC held three roundtables in 2009-2010, followed by a preliminary and final report setting forth a framework for addressing privacy in today’s marketplace.” This framework includes: (1) privacy by design; (2) consumer choice at “key decision-making moments”; and (3) transparency. These principles are technology-neutral, and the FTC will continue to apply them to all products and services that use, store, and share personal information. In short, even in the mobile space, just as with traditional web browsing, companies should provide clear disclosures about their collection, use, and sharing of consumer information so that consumers can make informed decisions about the apps they download and use.
The FTC commented that “technological advances in the mobile payment marketplace actually offer the potential for increased data security for financial information,” such as by deploying encryption throughout the entire payment process. The FTC’s concern in this regard is that companies may not be appropriately leveraging the available security features that mobile technologies provide. As such, the FTC has, in addition to bringing a number of enforcement actions, provided guidance to app developers on how to approach mobile security. This guidance, as the comments indicate, encourages developers to know and understand what data their apps will collect and store, and advises that developers use encryption for the transmission of all types of important data, especially because these devices are often connected to the Internet in public spaces that may provide opportunity for intercepting communications.
Finally, the FTC also sees the issue of “big data” in play in the mobile financial products and services space. Specifically, the FTC noted that its concern about the practices of data brokers generally applies with renewed force in the mobile space, because of the “potential for new companies operating in this environment to violate traditional laws governing collection and use of consumer data, such as the [Fair Credit Reporting Act].” That said, mobile financial services also raise concerns about the potential for data brokers to collect and sell large volumes of sensitive data, which the FTC suggests could be used to discriminate against certain consumers. The FTC explained that the Commission has examined these concerns in depth in its recent report on data brokers (Data Brokers: A Call for Transparency and Accountability) and in a public workshop that took place just after the FTC submitted its comment letter to the CFPB (Big Data: A Tool for Inclusion or Exclusion?). Notably, the FTC’s comments offer no recommendations or guidance on how to mitigate or address the concerns raised by data brokers and “big data” in the mobile space, which suggests that the FTC is still considering how it will address the issue.
* * *
The FTC’s comments make clear that the Commission, particularly the FTC’s Bureau of Consumer Protection, sees itself as a key player in the enforcement and oversight of providers of mobile financial services technologies such as apps. Furthermore, the FTC has begun to identify consumer protection issues specific to mobile apps that offer financial services such as “wallets” for smaller purchases. Nevertheless, the FTC’s general regulatory principles—transparency and choice for consumers regarding the collection and use of their personal information—also apply seamlessly in the mobile space. As the CFPB turns its attention to this area as well, companies will need to make sure that they take into consideration not only the FTC’s expectations, but also those of the CFPB.