In this second article in the series, we shift our focus to the legal and regulatory aspects of mobile payments in New Zealand, including:
- Consumer law
- Contractual issues
- Financial regulation
- Banking regulation, including co-regulation via Payments NZ
- Competition law
- Privacy and data protection
A few areas – competition law, privacy, and cybersecurity, in particular – merit more discussion, and we’ll be devoting entire articles to these topics later in the series. In the first article of the series, How does Apple make money from Apple Pay?, we used the example of Apple Pay to introduce mobile payments technology.
Mobile payments are a good fit for New Zealand. Kiwis love smartphones, and most are already accustomed to using innovative alternatives to cash (such as EFTPOS, transport cards like Snapper, and, more recently, paywave-style NFC credit cards).
The market is developing quickly – Semble’s NFC-based mobile payment app launched in March 2015 and is available on the latest Android devices. Similarly, Westpac and ANZ have trialled cloud-based Host Card Emulation (HCE) payment apps, and both are due to be officially released later this year.
In How does Apple make money from Apple Pay? we noted that the range of participants in the mobile payments industry permits a variety of innovative commercial ventures and relationships. By carefully addressing legal issues from the outset, these opportunities need not be dampened by the regulatory and legal complexities of several major industries (banking, telco, IT, marketing, etc) coming together.
Below, we introduce some of the key legal and regulatory issues for mobile payments in NZ.
There are multiple relevant statutes such as the Consumer Guarantees Act and, possibly in some instances, the CCCFA.
The Fair Trading Act 1986 prevents mobile payments providers and other traders from, among other things, engaging in misleading or deceptive conduct, as we outlined here.
We’ve also written extensively about dealing with FTA risk, complaints, and regulatory oversight, such as in this article here.
One of the general challenges for mobile payment participants is how they describe themselves to consumers. This overlaps with other regulatory obligations. For example, in their Ts and Cs they may try to show that their part of the mobile payments service does not make them a payment provider under financial legislation, when in fact they are one, and when in fact that is how they present themselves.
This can be quite a dilemma.
For example, Apple won’t want Apple Pay to be captured within the obligations of a financial provider, but the way Apple Pay is promoted (eg as “Apple Pay”) may mean that the reality is that they are caught. Under US law, one academic believes Apple is currently in this situation with its Apple Pay service.1
NZ providers may also face these issues, in differing ways, in light of the relevant financial regulation we address below.
In March 2015, the unfair contract provisions of the FTA came into force. This new regime applies to “unfair terms” in standard form consumer contracts, and can result in court orders preventing suppliers from enforcing the contract. For more details, see Unfair contract terms regime starts 17 March: a summary of key issues.
Also relevant to mobile payments are wider B2C contract law issues, such as the incorporation of onerous contract terms (discussed in the context of Air NZ’s opt-out insurance charge, here), and the enforceability of “click accept” Terms and Conditions (explored here).
As to B2B contracts between mobile payments participants (including banks, telcos, card schemes, TSMs, IT providers, loyalty programmes), there is a multitude of drafting issues to consider. We can’t summarise all the points to watch out for, but areas which are often contentious include Limitation of Liability provisions, priority clauses, and the specific details of partnership / service level agreements. These issues, plus others, are discussed in our recent six-part series from the NZ Law Society’s 2015 IT and Online Law Conference. Of particular concern to mobile payments participants will be the allocation of liability between them.
Even the most core aspects of the B2B and B2C relationships involve multiple contractual relationships, as this diagram of a typical payments scenario shows: it outlines the Semble type of platform where the mobile network operators are parties as well.
Generally, though, many more players are involved, all the more so as other stakeholders, such as loyalty schemes, join in.
Most provisions of the Financial Markets Conduct Act 2013, a major overhaul of financial regulation, relate to securities law and do not apply to mobile payments. To the extent that a mobile payment participant provides a “financial service”, however, limited provisions of the FMC Act apply.
“Financial service” is defined as follows:
financial service means any of the following financial services:
(c) being a registered bank;
(g) issuing and managing means of payment (for example, credit and debit cards, cheques, travellers’ cheques, money orders, bankers’ drafts, and electronic money);
Therefore parties other than banks that are involved in mobile payments, such as the Trusted Service Managers, will need to consider whether they are providing a “financial service” (and they might structure their role so they are not). As we outlined above, some participants, such as Apple Pay or TSMs, may be at risk of having obligations under the FMC Act even though they want to avoid that position. All that depends on the facts and the structure of the platform.
If a party is providing a “financial service” as defined in the FMC Act, then:
- It has obligations under the fair dealing provisions of the FMC Act. These are similar to the misleading and deceptive conduct provisions that apply to all traders under the FTA.
- The Financial Service Providers (Registration and Dispute Resolution) Act 2008 requires the party to:
  - Register as an official financial services provider; and
  - Be a member of an approved dispute resolution scheme.
- Given the relevant definition is similar, it may also have reporting entity obligations under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, such as:
  - Assessing the money laundering and terrorism financing risks of the business;
  - Appointing a compliance officer; and
  - Implementing procedures to report suspicious transactions, train staff, maintain records, monitor accounts, and undertake due diligence as to customer identity.
Reserve Bank Act
Some entities participating in mobile payments, in addition to the trading banks, may be within certain provisions of this Act.
Under comparable legislation in Australia, which involves the Reserve Bank rather than the ACCC (the equivalent of the Commerce Commission), interchange rates have been capped. That may not be an option here under our Reserve Bank, although the Commerce Commission implies otherwise.
Co-regulation via Payments NZ
Payments NZ is an industry body that, among other things, sets rules and standards to promote facilitation of four NZ clearing systems.
Earlier this year, it produced a revision to support mobile payments. These Mobile Device Rules and Standards were devised by a committee made up of Payments NZ’s Consumer Electronic Clearing System (CECS) participants, including all of NZ’s major banks, to promote a range of objectives, including innovation, compatibility, and interoperability. The CECS participants are legally bound to comply with the Mobile Device Rules, and ensure that any third party providers do the same.
Payments NZ say that the new rules provide a level playing field and can readily be amended to respond to innovation and marketplace developments.
Privacy and data protection
Mobile payments can involve transmitting highly personal information, including credit/debit card details, purchase details, and private data routinely collated on mobile devices, such as the user’s location. If personal information is stored, shared (between partners in consumer loyalty programmes, for example), or utilised to identify specific consumer behaviours, this can raise privacy law and data protection issues under the Privacy Act 1993.
Our forthcoming article Mobile payments and the slippery slope of privacy loss… discusses relevant privacy principles and provides recommendations for mobile payments providers as to legal compliance.
An area closely related to privacy is that of cybersecurity risk. As we noted in Harvard Business Review: Cyber security is a bigger GC, board, CEO, and CFO issue, these risks are routinely underestimated, or inadequately dealt with, by New Zealand companies.
In our forthcoming article, Cybersecurity risk and mobile payments, we outline how best to limit cybersecurity exposure, with reference to specific guidelines, including the Payment Card Industry’s Data Security Standard (PCI DSS).