How should one regulate the mobile payments marketplace? Does it even need more regulation, given that the banking, tech and card services companies that comprise it are already heavily regulated? It would not be surprising to find mobile payments ecosystem players asking these questions—since the future of their regulations is in many cases intimately tied to the future of their bottom line.
What might be more surprising is the degree to which regulators and examiners are unsure of the answers to those questions themselves. Market Platform Dynamics CEO Karen Webster caught up with Marianne Crowe, Vice President of Payment Strategies for The Federal Reserve Bank of Boston. Crowe is also a member of the mobile payments working group, which first and foremost helps regulators stay on top of a mobile payments environment that is always changing, adding new players and shifting its terminology.
“The thing that keeps the regulators awake right now, particularly the banking regulators, it really has to do with what the needs are of their staff, the people who monitor the financial institutions and the people who will eventually be evaluating the non-bank providers of these mobile services,” Crowe said. “Their concern is really trying to figure out if these examiners and staff people have the tools and the knowledge to determine if the banks and non-banks that are engaging in mobile payments and mobile banking really have the effective and right kind of risk management programs and security tools in place to make sure that these mobile payments are secure and being protected, and customer account credentials are protected. I really think that’s their main focus.”
Crowe notes that it is not a foregone conclusion what, if any, regulations those mobile payments might need, but that regulators need to establish that. This is no easy feat given that EMV muddies the waters, as does the push for tokenization and the ever-expanding number of players entering the market.
The mobile payment working group helps the regulators stay focused and informed, and keeps those regulators’ attention trained on emergent issues. For example, in its most recent report, the working group singled out the potential mobile payments have in serving the needs of the underbanked.
Crowe noted that the working group does see potential, but that at this phase the actual prognosis is not clear.
Without larger players in the game, there is no apparent one-size-fits-all approach to bridging the gap between the wonderful world of digital payments and the underbanked. “They are all being done in silos and not coordinated.”
And, according to Crowe, it is because mobile payments are still in their early stages, just hovering below ignition, that there are more questions than answers about the future path of regulation. Webster mentioned that she was surprised that regulators were not more focused on the ownership of consumer data—particularly when it comes to its use for marketing purposes.
Crowe said that while the issue was interesting, the actual use of data by the various players who are all quite certain that they own it (telecoms, stores, search engines, social networks, etc.) is still too limited to really make any kind of judgment, regulatory or otherwise.
“Until it’s more obvious and I really don’t think it is yet, it’s hard to say if there needs to be any potential regulatory action around the data protection in a broad sense. Individually looking at certain things that are probably being addressed as far as a customer being able to opt-in in terms of their data being shared for marketing purposes in a store. There’s nothing broad yet and I think it’s because there is not enough traction in this area. I still think it’s too soon to say where this is going until we see more volume and more traction.”
She did note that, right now, regulators are less focused on the use of and access to data by those who have some claim on it (apart from the consumers who also have a primary claim on their data) and more focused on protecting it against those who are clearly not supposed to have any access at all—the cybercriminals who attempt to get at it illegally.