Banking Brief: Ensuring Consistent Consumer Protection for Data Security: Banks vs. Alternative Payment Providers
Recently, The Clearing House released a White Paper that analyzes the alternative payment provider (APP) industry, identifies regulatory and enforcement gaps between banks’ payment operations and APPs, and makes recommendations on how to close those gaps in order to ensure that consumers receive a consistent level of protection.
Growth of the Alternative Payment Provider Industry
The APP industry includes many nonbank companies that offer alternative payment solutions. These solutions range from offerings of large tech companies (e.g., Apple Pay, Google Wallet and Facebook Messenger) to those of successful payment-focused companies for which payment systems are the core of their business (e.g., Square, LevelUp, Kash, PayPal and Venmo).
This industry has seen substantial growth over the last few years, reflecting an increase in the consumer funds and consumer data entrusted to APPs. For example, in 2010 $16 billion in transactions were processed as mobile payments, a figure that increased to $46 billion in 2011 and $81 billion in 2012. These numbers are expected to keep rising, with some estimates indicating that mobile payments will grow 60.8% annually through 2015.
Along with this increase in APP usage, a series of data security and privacy lapses has arisen, including notable incidents involving Google Wallet, Venmo and Starbucks. APPs collect a significant amount of customer data, which is at risk of being stolen by attackers if insufficient security controls are used to protect it.
APPs Are Subject to Dramatically Lighter Regulatory Requirements than Banks
Banks have long been subject to extensive regulatory, supervisory, and enforcement scrutiny by their regulators, which has naturally evolved to include oversight of their data security measures. Under the Gramm-Leach-Bliley Act (GLBA), banks are required to comply with the prudential regulators’ Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Interagency Guidelines). The guidelines explicitly outline what banks’ security programs must include as they relate to the handling of consumers’ payment-related data.
APPs, to the extent they are regulated at all, are predominantly subject to the jurisdiction of the Federal Trade Commission (FTC), an agency with less authority and fewer resources than the financial regulators. While APPs are likely subject to the GLBA’s data security requirements, as nonbank institutions they do not have to follow the prudential regulators’ Interagency Guidelines. Instead, they are subject to the more general requirements of the FTC’s GLBA Safeguards Rule. The Rule’s requirements are significantly weaker and do not come with the additional detailed expectations set out by the prudential regulators in the Interagency Guidelines.
APPs Are Not Subject to Meaningful Oversight or Enforcement to Prevent Breaches
Unlike banks, APPs are not subject to meaningful data security examinations in which a regulator scrutinizes an APP’s data security practices in order to identify and correct weaknesses before they are exploited by an attacker. In addition, APPs are not subject to CFPB examination authority. By statute, the CFPB has examination authority over three enumerated categories of nonbanks, as well as “larger participant[s]” in a market for other consumer financial products or services as the Bureau defines by regulation. The CFPB has not issued a rule designating “larger participants” in the payments market for supervision, and even if it did, most APPs might not be covered by it due to their size.
Additionally, while both banks and APPs may be subject to injunctive relief for GLBA violations, only banks face the possibility of civil money penalties. By contrast, the FTC cannot assess civil penalties if an APP violates its Safeguards Rule.
Finally, banks also face safety and soundness regulation under which regulators can hold them accountable for substandard data security programs even if no breach or harm occurs.
Costs Remain with the Banks for APPs’ Security Lapses
The uneven data security playing field between banks and APPs not only has real consequences with respect to the potential for consumer harm, it also places an uneven burden on financial institutions with respect to regulatory compliance. This uneven playing field manifests itself in which entities bear the brunt of the costs in the wake of an APP data security incident; these costs include refunding unauthorized transactions, replacing cards or closing accounts, and the administrative costs of identifying affected accounts and of enhanced fraud detection and monitoring. APPs can engage in substandard data security practices knowing that the financial consequences of those practices will be borne by banks.
Recommendations
The Clearing House believes that entities that are engaged in functionally equivalent activities should be regulated in functionally similar ways in order to ensure a consistent level of consumer protection. The White Paper outlines both Non-Legislative and Legislative Recommendations to close the regulatory, enforcement and examination gaps that exist today between banks and APPs.
Non-Legislative
- The FTC should adopt enhanced GLBA Safeguards Rules, either limited to APPs or applicable more broadly to all companies subject to its jurisdiction.
- The CFPB should issue rules defining larger participants of the APP industry, which would give the agency examination authority over those entities. Additionally, the CFPB and other regulators should exercise any examination authority they already have over APPs.
- The FTC should enforce the GLBA Safeguards Rule more frequently for APPs.
- The Financial Crimes Enforcement Network (FinCEN) should enforce existing guidance that would require those APPs that are registered as money services businesses to report actual or attempted data breaches to the government in the form of suspicious activity reports (SARs), just as it does for banks.
Legislative
- Legislation should be enacted to close the regulatory and enforcement gap by establishing comprehensive and cross-industry data security requirements. For example, the passage of the Data Security Act of 2015 (S.961 and H.R. 2205) would help minimize the differences between bank and non-bank regulatory requirements while still providing the necessary flexibility for companies of various sizes and levels of sophistication to enter and compete in the payments marketplace.
- Legislation should also be enacted to close the regulatory examination and enforcement gaps by giving financial regulators authority over the data security practices of APPs. For example, legislation could make it clear that APPs are subject to the same type of scrutiny with respect to data security as banks’ payment services, such as by directly giving the FTC or CFPB examination authority, or by directly requiring the CFPB to enact rules defining larger participants in the APP industry.
The TCH White Paper on Ensuring Consistent Consumer Protection for Data Security: Banks vs. Alternative Payment Providers can be found at www.theclearinghouse.org.
The Clearing House, established in 1853 to bring order to clearing and settlement between banks, is the nation’s oldest banking association and payments company. Past issues of the Banking Brief are available here. For additional information please contact: Jill Hershey (Jill.Hershey@theclearinghouse.org, 202-649-4601), John Van Etten (John.VanEtten@theclearinghouse.org, 202-649-4617) or Kristin Richardson (Kristin.Richardson@theclearinghouse.org, 202-649-4616).