A new digital era for financial institutions like banks and building societies is in play. Not only do the majority of international and national banks now provide mobile banking and payment services, other players such as major mobile phone operators are also keeping up by developing mobile banking solutions.
With the growing popularity of mobile banking in retail banking, and a rise in customer understanding and use of mobile phones, building societies have started developing mobile solutions to remain competitive and benefit their customers and members.
In recent years, European and UK authorities and regulators have been playing catch-up with these innovative products and services by introducing new guidance and regulations on various aspects of mobile banking, including:
- the European Payments Council’s (EPC’s) implementation guidelines on mobile contactless SEPA card payments’ interoperability (16 November 2011), which focused on the interoperability of processes in the contactless mobile payment application lifecycle management;
- the European Commission’s (EC’s) green paper towards an integrated European market for card, internet and mobile payments (11 January 2012), which assessed the then current landscape of card, internet and mobile payments in Europe and identified the gaps between the then current situation and the vision of a fully integrated payments market and the barriers which created those gaps;
- the EPC’s white paper on mobile payments (18 October 2012), which addressed both mobile contactless and mobile remote payments through a high-level overview;
- the EC’s revised draft Payment Services Directive (PSD2), which will play an important part in the regulation of this area; and
- more recently, the Financial Conduct Authority’s (FCA’s) report on the findings from its thematic review on mobile banking and payment products in the UK (11 September 2014).
Points to note for building societies developing mobile banking solutions
Societies looking to offer mobile banking are encouraged to consider the key areas set out in the FCA’s report. The FCA confirms that all FCA-regulated firms should strive to deliver good outcomes for their mobile banking consumers by, amongst other things, focusing on:
- consumer understanding of their legal rights and obligations when using mobile banking products and services and doing things to aid consumer education; and
- the security of consumers' sensitive personal data and funds, and the robustness of technology to cope with changes in consumer behaviour when making payments.
Contractual considerations and unfair terms
In addition to the specific regulatory requirements referred to above, a society will also need to consider the way in which it structures its contractual agreements with its customers, to ensure that all relevant mobile banking service terms are properly incorporated into the contract and to avoid falling foul of the unfair terms regime.
The present unfair terms requirements are set out in the Unfair Terms in Consumer Contract Regulations 1999. Under these, a term will be regarded as unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer. An assessment of fairness will take account of the nature of the services and will refer to all of the circumstances relating to the conclusion of the contract. It is also a requirement that all written terms must be expressed in “plain and intelligible” language. An unfair term will not be binding on the consumer, so it is important that terms are expressed plainly and intelligibly.
Helpfully, there is a “core term” exemption i.e. terms that relate to the main subject matter of the contract and/or relate to the adequacy of the price payable. These core terms will not be subject to an assessment of fairness provided they are expressed in plain and intelligible language. Note, however, this exemption is due to be changed in the new Consumer Rights Bill that is presently progressing through Parliament.
The key change we are anticipating under the Consumer Rights Bill is that the “plain and intelligible” test for the core term exclusion will change to a requirement to provide those terms in a “transparent and prominent” manner. The practical ways in which this could be achieved on small mobile devices will be one of the most significant challenges of the new Consumer Rights Bill for all financial institutions looking to utilise mobile banking solutions when contracting with its customers.
Once we have greater clarity as to the final content of the Consumer Rights Bill, societies should review any mobile banking user terms they use or intend using to ensure that the changes presented by this new piece of legislation are adequately captured. We anticipate that these changes will be implemented in late 2015 or early 2016.
Societies will also need to ensure that fair notice is given of how personal data will be used for the purpose of providing mobile banking solutions and they will need to collect appropriate consents to ensure lawful processing of that personal data. In practice, this could be addressed by privacy notices incorporated into or in addition to customer terms and, for example, tick boxes or other consent collection mechanisms which are used when the customer signs up to the service.
Some other privacy compliance issues to consider include disclosures of personal data (relevant if, for example, you use vendors or affiliates to store or otherwise process mobile banking details) and transfers outside the European Economic Area (for example, if firms export the details to vendors or affiliates overseas they will need to ensure mechanisms are in place, such as EU Model Clauses, to ensure those exports are compliant with privacy laws). In addition, if cloud storage of data is part of your mobile banking solution, appropriate due diligence on the cloud vendor should be undertaken (in particular around its security protections at its cloud facility) and contractual mechanisms must be in place.
The FCA and ICO have enforcement powers in the event of security breaches involving personal data. At present the ICO may fine up to £500,000 per breach. This is set to rise to a percentage or worldwide annual turnover once the new EU Data Protection Regulation comes into force (expected in the next few years). The firm as “data controller” would be on the hook for security breaches by any of its “data processor” vendors/affiliates. The FCA may impose unlimited fines in the event that a security breach involving customer data (not limited to personal data as that term is defined for privacy law purposes) contravenes its rules.