At the epicentre of mobile commerce, mobile payments are currently at an inflection point. Innovation in this area, where the four value chains of the payments, mobile, retail and technology industries intersect, is the object of significant investment by the smartphone industry; and new ecosystems of market participants – card schemes, mobile operators, retailers, device suppliers and service integrators – and new regulatory and contractual landscapes are fast developing

'Zap, tap and go', an analysis piece in the FT on 22 September, spoke of 'the allure of the smartphone as a central part of business explaining why companies are backing mobile payments'.  Fundamental to this analysis is that whilst m-payments are at the centre of mobile commerce, m-commerce is much more than mobile e-commerce.  This is because m-commerce brings supply closer to the demand creation point through use of the mobile phone's unique features – like LBS (location based services), voice control, camera, complete availability, constant Internet connectivity and QR (quick response).  E-commerce extended buying from the shop and mail order catalogue to the PC and laptop at home, enabling tickets and digital content to be fulfilled directly to the desk. M-commerce carries this evolution further still by making the smartphone the point where demand is created and supply fulfilled outside the home, workplace and shop.

The technology context

As ever in the technology space, there's a bit of terminology to become familiarised with before looking at the legal aspects.  Here, the key terms are digital wallet, 2D barcode QR display apps, online wallet and mobile wallet.

The digital wallet consists of databases and software resident on the smartphone.  The databases typically reside on a secure part of the SIM (subscriber identification module) known as the SIM secure element as the store of the user's shipping and billing addresses and identification, security and expiry date data for his or her credit cards and other payment methods.  The software, also on the SIM, connects the SIM secure element to the payment and related applications, of which three are the most important. 

First, 2D barcode (machine readable data representation) QR (quick response) display apps enable boarding cards, membership cards, tickets and coupons to be stored and read.  A good example of this application, which is not true m-payment, is Apple Passbook released with iOS 6 in September 2012.

Next is the online wallet, where the digital wallet is enabled for 'remote m-payments' - mobile internet transactions using the smartphone instead of the PC or laptop.  Here, the user accesses pages or apps downloaded to the smartphone to make payment where a credit or debit card is generally required (unless the user's mobile account is debited directly). At the time of the first transaction, the user inputs the phone number to register; receives from the provider the PIN (personal identification number), typically by way of SMS (short message service); enters the PIN to authenticate; and then completes the entry of the remaining credit card, etc data.  With later payments, the user re-enters his or her PIN to authenticate and validate payment.

Thirdly, the mobile wallet is the digital wallet enabled for 'proximity' or 'contactless' payments through NFC (near field communication) technology, a sets of standards for radio communication between the smartphone and the reader module nearby where the user waves the smartphone at the reader to complete the purchase, typically for buying in-store or transportation services.

Understanding the ecosystem

The ecosystem is complex because m-payments is where four value chains – payments, mobile retail, and technology – collide and each is currently vying for pole position for the race that is under way.  Broadly, there are six sets of market participants to consider:

  • card schemes (banks issuing credit/debit cards and card associations like Visa and MasterCard);
  • mobile operators (whether as network – MNO – or virtual network – MVNO – operators);
  • retailers (the businesses accepting payments by credit and debit cards, etc);
  • device suppliers (smartphone and PoS (point of sale) device manufacturers) and SIM suppliers;
  • service providers ('SPs', whether M[V]NO- or bank-centric) delivering the m-payment and related solutions; and
  • a growing 'overlay' category of TSMs (trusted service managers) which manages the range of contractual and technical connections between the participants that is necessary to enable m-payments to happen.

Looking at the ecosystem gives a framework for analysing both how regulation applies to m-payments and also how to get to the right balance of benefits and obligations, risks and rewards in contract structuring, preparation and negotiations.  In any particular case, regulatory and contract structuring will depend on where and how each of the participants fits into the ecosystem.

The regulatory landscape

The good news is that m-payments do not have a specific set of regulations.  The not so good news is that regulation is pervasive and deeply layered, broadly according to the 'payments – mobile – retail – technology' set of intersecting value chains mentioned above.

Payments regulation: electronic money and payment services.  The main sources of law and guidance in the UK on e-money are the Electronic Money Regulations 2011 (the 'EMRs')1, the FSA's approach document2 and the relevant perimeter guidance in the FSA Handbook at PERG 3A3.

Broadly, e-money is defined subject to exceptions as monetary value represented by a claim on the issuer that is (i) electronically stored; (ii) issued on receipt of funds for the purpose of making payment transactions; and (iii) accepted as payment by someone other than the issuer.

Exceptions apply where the value is used for purchases only on the premises of the issuer, within a 'limited network' of providers or for a 'limited range' of items.  A further important exception in the mobile space applies where the operator adds value beyond acting only as the payment pipe, so:

"... electronic money does not include ... monetary value that is used to make payment transactions executed by means of any telecommunication, digital or IT device, where the goods or services purchased are delivered to and are to be used through a telecommunication, digital or IT device, provided that the telecommunication, digital or IT operator does not act only as an intermediary between the payment service user and the supplier of the goods and services."4

The EMRs prescribe an authorisation/registration regime for e-money issuers ('EMIs').  Banks and building societies authorised through Part 4 permission under FSMA and are not EMIs for the purposes of the EMRs.  Authorised EMIs ('AEMIs') are subject to the full EMR regulatory regime, with its compliance requirements on Conduct of Business, capital, safeguarding, financial crime, complaint handling, supervision, reporting and enforcement.  AEMIs benefit from passporting to other parts of the EEA, as do EMIs authorised elsewhere in the EEA as regards the UK. Small EMIs ('SEMIs') – broadly whose average outstanding e-money is less than £5m – have a lighter, registration based regime but do not benefit from passporting.

Currently 27 AEMIs are authorised and 3 SEMIs are registered.  Google Payments Limited (GPL) was authorised as an EMI on 19.05.11 for (i) payment account cash placement & withdrawal; (ii) executing credit, non-credit & IT/Network Operator enabled payment transactions; (iii) issuing e-money; (iv) money remittance; (v) issuing payment instruments; and (vi) acquiring payment transactions. GPL also has extensive passporting

The main sources of law and guidance in the UK on payment services are the Payment Services Regulations 2009 (the 'PSRs')5, the FSA's approach document6 and the FSA's perimeter guidance at PERG 157. Payment services are defined broadly and PERG 15.1 provides that they include, among other things:

"services relating to the operation of payment accounts (for example, cash deposits and withdrawals from current accounts and flexible savings accounts), execution of payment transactions, card issuing, merchant acquiring, money remittance and certain mobile phone-based payment services."

Paragraph 2.18 of the FSA's approach document gives:

"mobile .. phone payments where the payment is made from the phone itself rather than the phone being used as an authentication tool to send a payment order to another payment services provider"

as an example of a covered payment service:

"execution of payment transactions where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication, IT system or network operator, acting only as an intermediary between the payment service user and the supplier of the goods and services".

Like the EMRs, the PSRs prescribe a compliance regime for Payment Institutions ('PIs'), with Authorised PIs ('APIs') subject to the full weight of authorisation and Small PIs ('SPIs') subject to a lighter registration regime.  The following do not require requiring authorisation or registration under the PSRs:

  • banks and building societies permissioned under FSMA Part 4;
  • AEMIs authorised and SEMIs registered under the EMRs); and
  • PIs authorised elsewhere in the EEA who benefit from passporting (i.e. not SPIs).

In general terms in the m-payments space, the practical advice is to know what kind of digital wallet service is being provided (whether online or mobile using the above taxonomy); to 'follow the money' – i.e. understand the payment flows; and to seek informal guidance from the FSA at an early stage in assessing whether or not authorisation or registration under the EMRs or the PSRs is required.

Mobile regulation.   Again, m-payments are not currently specifically addressed by mobile regulation but Ofcom has intervened in relation to (voice) call termination charges and (voice and data) international roaming charges and will no doubt be watching this emerging space with interest. In the area of vanilla competition law, and as mentioned above, the European Commission unconditionally approved the Project Oscar m-commerce JV under the EU Merger Regulation on 5 September 20128.

Retail regulation: consumer protection and data privacy.  Here the usual patchwork of statute based law familiar to e-commerce lawyers applies so as to closely regulate and protects the end-consumer at the B2C level.  The most important sources of law in the UK are:

  • the Consumer Credit Act 19749;
  • the Unfair Terms in Consumer Contracts Regulations 199910;
  • the E-Commerce Regulations 200211;
  • the Financial Services (Distance Marketing) Regulations 200412; and
  • the Consumer Protection from Unfair Trading Regulations 200813.

In addition, of particular and growing importance for m-payments is the data protection aspects – compliance with the Data Protection Act14 at each level of the ecosystem will continue to exercise participants' legal counsel, perhaps nowhere more so than in companies seeking to map their US e- and m- payment products to Europe.

Technology regulation – standards and interoperability.  The European Commission in its Green Paper of 11 January 2012 'towards an integrated European market for card, internet and mobile payments'15 is actively encouraging common standards and interoperability to reduce fragmentation and enhance m-payments adoption.

The contractual landscape

Contract structures are currently at an early stage but already market practice at each level of the ecosystem (card schemes - MNOs/MVNOs – retailers- device/SIM suppliers – SPs/TSMs) is starting to evolve around commonly encountered issues of risk and reward. These issues are perhaps best articulated as a series of questions around four themes:

  • Structural – identify the deal:
    • Who are the parties involved?
    • Where and how does the contract fit into the ecosystem? 
    • What technology are you dealing with?
  • Payment flows:
    • Are you crossing the regulatory banking boundary?
    • How do you get paid?
  • IPR and data:
    • What is the IPR position?
    • How will customer data be used? 
  • Risk and liability:
    • What happens if the smartphone is stolen?
    • What happens if the consumer product offering is changed?
    • What happens if there are changes outside the parties' control?

Although what market practice for all these issues will become is not yet visible, what is certain is that m-payments, m-commerce, the ecosystem and the regulatory and contractual landscape will all develop at a fast clip over the next couple of years or so.

Footnotes

1.SI 2011 No. 99 - http://www.legislation.gov.uk/uksi/2011/99/made  - implementing the second EU Directive (Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:267:0007:01:EN:HTML. The Explanatory Memorandum to the EMRs is at   http://www.legislation.gov.uk/uksi/2011/99/pdfs/uksiem_20110099_en.pdf

2.The FSA's role under the Electronic Money Regulations 2011 (March 2011) at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:267:0007:01:EN:HTML

3.http://fsahandbook.info/FSA/html/handbook/PERG/3A

4.Regulation 3(b)

5.SI 2009 No. 99 http://www.legislation.gov.uk/uksi/2009/209/contents/made (as amended) - implementing Directive 2007/64/EC on payment services in the internal market at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:319:0001:0036:EN:PDF.  The Explanatory Memorandum to the PSRs is at http://www.legislation.gov.uk/uksi/2009/209/pdfs/uksiem_20090209_en.pdf 

6.The FSA's role under the Payment Services Regulations (May 2010) at http://www.fsa.gov.uk/pubs/other/psd_approach.pdf

7.http://fsahandbook.info/FSA/html/handbook/PERG/15

8.http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/938&format=HTML&aged=0&language=EN&guiLanguage=en

9.http://www.legislation.gov.uk/ukpga/1974/39/contents

10.http://www.legislation.gov.uk/uksi/1999/2083/contents/made

11.http://www.legislation.gov.uk/uksi/2002/2013/contents/made

12.http://www.legislation.gov.uk/uksi/2004/2095/contents/made

13.http://www.legislation.gov.uk/uksi/2008/1277/contents/made

14. http://www.legislation.gov.uk/ukpga/1998/29/contents

15. (COM(2011) 941 final of 11.1.2012) at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2011:0941:FIN:EN:PDF

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.