consumersinternational.org

Online and mobile payments & digital content products

Robin Simpson

Consumers International

Chiang Mai April 3rd 2014

meeting of minds

• ISO TC 68 financial services/SC7/WG10 on draft ISO 12812 mobile financial services;

• most members industry stakeholders; inc. US federal reserve bank, Kenya central bank, European Payments Council;

• OECD Consumer policy committee • mainly OECD CP agencies + CI + Business &

Industry Advisory Committee • Both working on mobile payments• CI the only common member

consumersinternational.org

Draft standard ISO 12812 Mobile financial services; 5 papers:

• General framework;

• Security & data protection;

• Financial application management;

• Mobile payments to a person (P2P)

• Mobile payments to a business (C2B)

• Great debate over titles- what is a person?

ISO: Key issues for CI

• POCP: plain old consumer protection: contract terms, transparency, complaints/dispute resolution;

• Liability for breaches of security- big debate across all papers: OECD work very helpful in support;

• principles of data protection: across all papers;• Financial inclusion; CI invited to draft;• Abandoned/dormant assets; CI raised & agreed;• Good practices: transaction logs, pop-ups for

billing notices, legal status of electronic receipts; facilities for visually handicapped;

• Difference between ‘could’ and ‘should’

ISO: Lessons (1)

• standards cannot legislate, but may become, or may support, legislation downstream;

• Standards tend to be positive: promote good practice; laws tend to be negative: suppress bad practice;

• Not possible to determine legal issue but to raise them, eg liability for security breaches;

• What is basic to us (eg CP) may be new to others;• What is basic to them may be new to us: eg

difference between mobile wallet and electronic purse? And in the cloud or in the phone?

Lessons (2)

• involve the members, they are the experts and give us legitimacy and real world experience;

• ask the naïve question; eg how can tapping 2 phones together be a remote payment?

• submit amendments in writing: makes it easier for the drafters; shows we are serious; forces us to be clear to ourselves and our members;

• Be open-minded but aware; • check, check + check again;

Next steps

• Committee draft ballot during next 2 months; CI members can lobby national standards bodies;

• WG 10 considers proposals for amendment;• Draft international standard in September;• CI members lobby NSBs again; (please!)• It still may fall due to widespread industry

preference for restriction to matters of interoperability;

• Standard published 2015;• Revision after 5 years;

OECD: Consumer Policy Committee

• Review of 1999 OECD e-commerce guidelines;• Future of Internet Economy:• Mobile/online payments common to both &

signed off• Digital content paper to be finally agreed next

week;• New & revised instruments: influence of policy

guidance indicates ‘soft power’ of OECD;• CI participated in drafting guidelines on e-

commerce, (1999); dispute resolution (2007); now m-commerce;

Draft policy guidance on mobile and online payments

1. Information disclosure

2. Privacy

3. Security

4. Confirmation process

5. Children

6. Varying levels of protection

7. Fraudulent, misleading, unfair commercial practices

8. Dispute resolution and redress

Definitive 2012 report - CP in online & mobile payments

Transaction information

• Accessibility and readability of payment-related information

• Complexity of payment terms and conditions • Clarity and transparency of billing statements

• Rather similar to ISO but much more detailed

Privacy

• Privacy protection features: great debate • Data collection limitations • Express consent for sensitive data • Standardized privacy disclosures and choice

mechanisms

OECD guidelines on privacy

Principles drafted 1980 updated in 2013:• Collection limitation;• Data quality;• Purpose specification;• Use limitation;• Security safeguards;• openness;• Individual participation;• Accountability;

Security

• Timely and effective redress mechanisms when data is compromised;

• liability policy: read across by ISO;• Development of minimum levels of protection;• Consumer education and awareness; • 2002 OECD security guidelines; emphasis on

shared responsibility of ‘participants’;

2002 OECD security guidelines

• Awareness;• Responsibility: • Response;• Ethics;• Democracy;• Risk assessment;• Security design & implementation;• Security management;• Reassessment;

children

• Great debate: children cannot enter contracts;• Tools for preventing or limiting charges;

limitations and caps;• Advice and help to parents;• Children’s access to mobile payment can

enhance their security in daily life; eg bus-fares, money for meals;

OECD: Guidance on Digital products

• Ongoing: agreement imminent;• Overlap with mobile & online payments: privacy,

security, protection of children, dispute resolution;

• Stronger elements on personal data protection;• Issue of technical locks; • Does not deal with intellectual property;

What does CI want? UN guidelines

• Data protection. OECD & ISO both helpful;• Technological neutrality of CP: both helpful;• Access to knowledge: technologically helpful in

sense of promotion but legally neutral; • Technical locks: OECD helpful; • Interoperability: ISO helpful;• Dispute resolution: both helpful;• Contract terms, transparency, security: both

helpful;• Liability: both very restrained but recognise the

issue;

Was it worth it?

• Not yet finished but probably yes in both cases;• Well yes I would say that wouldn’t I? You would if

you got to visit, Paris (several times), Boston, Barcelona, Bangkok, Chiang Mai. The ‘Paris was hell’ syndrome: the meeting was horrible and when and where is the next one? Of course I have to go.

• More to do on intellectual property, technical locks, liability policy; CP in cash transfers & remittances;

• Keep up the good work;

consumersinternational.org

rsimpson@consint.org