Regulatory Landscape for Fintech, Electronic Commerce,
and Electronic Banking
Part 1: Electronic Commerce
This is the first part of a two-part article discussing the regulatory landscape for financial technology as applied to electronic commerce and electronic banking. This article focuses on electronic commerce.
Cloud computing and mobile apps have enabled the emergence of a new class of business models leveraging financial technology (fintech) across electronic commerce (e-commerce) and electronic banking (e-banking). More recently, blockchain has underpinned the rebooting of a variety of e-commerce and e-banking business models, together with new approaches to managing financial compliance.
As technology makes it easier for business-to-business (B2B) and business-to-consumer (B2C) companies to grow quickly, legal and regulatory compliance is becoming increasingly important at earlier corporate stages. For example, start-up companies involved in omnicommerce can quickly find themselves processing data that is subject to a variety of legal and regulatory obligations, such as PCI-DSS rules relating to payments data, Regulation E obligations relating to electronic fund transfers, and Bank Secrecy Act (BSA) and USA PATRIOT Act obligations relating to the management of funds and customer identities.
This paper provides an overview of the typical flow of e-commerce and e-banking transactions through the fintech stack. Next, it introduces a graphical overview of the regulatory landscape applicable to e-commerce and e-banking. From there, it summarizes the main legislative and regulatory frameworks applicable to e-commerce. The conclusion highlights a few specific business models and issues that may arise for entities operating in the e-commerce space.
Part two of this paper, which will be released subsequently, will provide an overview of the regulatory frameworks applicable to e-banking and will also discuss in more detail the interplay between e-commerce, e-banking, and blockchain technologies, including cryptocurrencies and cryptographic tokens deployed in the stream of commerce and banking. Other follow-up papers will explore in detail specific regulatory frameworks applicable to entities involved in the areas of e-commerce and e-banking, such as Regulation E, loyalty programs, prepaid cards, the use of gift cards and automated clearing house (ACH) transfers as complements or alternatives to the credit card payment rails, and SKU- and service-level data monetization.
B. Overview of E-Commerce and E-Banking
Figure 1 shows an overview of consumer transactions processed through electronic fintech channels in the financial space.
Figure 1. Financial Consumer Transactions Through Electronic Channels
A consumer transaction could be classified as either an e-commerce transaction or as an e-banking transaction depending on the flow and subject matter. The fundamental difference between the two transaction types can be reduced to whether the consumer is paying for a product or service designed for the consumer's consumption or use (which makes it an e-commerce transaction), or a transaction involving the storage, movement, or investment of money (which makes it an e-banking transaction). This terminology may vary in the industry, and some regulatory and transaction aspects may overlap between the two classifications, but this article adopts this terminology and follows the transaction flows shown in Figure 1 above and Figure 2 below.
1. E-Commerce Transactions
In an e-commerce transaction involving a product or service, the payment for the product or service could occur in a number of ways:
- a one-time purchase of a product (e.g., purchasing a USB cable online from amazon.com for home delivery, purchasing a cup of coffee through the starbucks.com mobile app for pickup in a Starbucks location, etc.);
- a one-time payment for a service (e.g., paying for a handyman through taskrabbit.com to perform home improvement work, paying for a car ride through the Uber or Lyft mobile app, ordering delivery of a meal through doordash.com, etc.);
- a subscription to a service (or membership) involving recurring payments (e.g., a subscription to Netflix through the netflix.com website, an ongoing wireless mobile account with AT&T or Verizon, etc.); or
- a freemium business model, under which a service provider stores an active consumer payment method, typically a credit card, and provides free services to the consumer with the option to also pay for specific premium products or services (e.g., Google Android or Gmail, which are typically free, and which enable consumers to pay for Android apps through the Google Play Store, purchase additional storage space on the Google Drive, etc.).
E-commerce transactions flow through the omnicommerce stack, and involve the movement of money and data across one or more omnicommerce layers. Examples of omnicommerce layers include technology and services providing the following functionality:
- payments, typically processed through a credit card or an ACH transaction;
- gift cards and gift accounts;
- store gift cards and gift accounts;
- prepaid cards or prepaid accounts;
- loyalty programs (including loyalty cards, award cards, and promotional gift cards);
- digital offers and electronic coupons;
- point-of-sale transactions;
- CRM functionality;
- sales tax computation;
- ERP functionality;
- inventory management functionality;
- financial reporting functionality; or
- data analytics.
2. E-Banking Transactions
In an e-banking transaction, a consumer uses a mobile app or a web browser to access traditional banking services. Many of those transactions rely on cloud technology, either for transaction processing via application programming interfaces (APIs) and cross-institution functionality, or for data storage and retrieval. More recently, blockchain business models have leveraged immutability, deep traceability of data, and smart contracts as novel mechanisms to perform banking services.
As shown in Figure 1, an e-banking transaction initiated by a consumer could access one or more traditional banking services, including the following:
- deposits and withdrawals;
- checking account services;
- savings account services;
- initiating, conducting, closing, and managing lending transactions;
- remittances (i.e., money transfers), both within the U.S. and between the U.S. and other countries;
- vehicle leasing, including emerging variations of vehicle leasing that have attributes of SaaS subscription business models;
- fund settlement as part of other e-commerce or e-banking transactions; and
- foreign exchange (FOREX) transactions that involve the transmittal of large amounts of money internationally and conversion between different currencies. Fund settlement and FOREX transactions tend to be more commercial in nature, and there is definitely a growing overlap between business and consumer utilization of e-banking and e-commerce services.
3. Advertising, Data Analytics, and Data Monetization
Figure 1 shows advertising, data analytics, and data monetization as a common layer that intermediates between the omnicommerce stack and e-banking services on one hand, and merchants and financial institutions on the other hand. As this diagram illustrates, advertising, data analytics, and data monetization are fundamental technologies and business models that permeate both e-commerce and e-banking.
During the past few years, some of the most successful business models and companies have been built on the analytical and economic value of data (e.g., Google, LinkedIn, etc.). As the margins in payment processing decreased over time, the value of commerce data analytics increased quickly as a basis for consumer profiling and consumer behavioral prediction. As a result, companies involved in both the e-commerce and e-banking spaces have devoted increasingly more attention and resources to collecting, analyzing, and monetizing commerce data.
The ultimate goal of data monetization is to collect SKU-level transaction data in the e-commerce space (e.g., what exactly was included in that total purchase price of $10.43 from Starbucks?) and transaction-level data in the e-banking space (what type of car did this consumer lease, and what other cars have been leased or purchased by that household recently?). That makes cloud-based point-of-sale and loyalty companies particularly valuable in the e-commerce space, and account holders and transaction processors especially valuable in the e-banking space. In other words, obtaining data that allows a merchant to optimize a digital offer for a consumer, or data that allows a bank to recommend a particular financial product to a consumer can be very valuable. And from a technology perspective, any integrated electronic platform that can collect, aggregate, and analyze detailed commerce data is of immediate interest to financial institutions.
Consequently, collecting transaction-level consumer data, analyzing that data, and then monetizing the data are common goals and major sources of potential revenue for both the e-commerce and e-banking industries. Data monetization, however, quickly bumps up against a regulatory environment that has grown more protective of consumers in the past few years, including a complex web of privacy laws promulgated by U.S. states and U.S. federal agencies, the Canadian Federal Government and Canadian provinces, the EU (e.g., GDPR), countries in APAC, and so on. In parallel with these privacy laws, there exists a complex web of regulations enforced by U.S. federal agencies (e.g., the FTC and CFPB), and consumer protection regulations enforced by the card networks through direct card processing rules and through standards (e.g., PCI DSS).
C. E-Commerce and E-Banking Regulatory Landscape
Figure 2 shows an overview of the regulatory landscape for the e-commerce and e-banking industries.
Figure 2. Regulatory Landscape for E-Commerce and E-Banking
As shown in Figure 2, extensive regulatory frameworks apply across both the omnicommerce stack and e-banking services stack. Additionally, there is significant overlap between the regulatory frameworks applicable to e-commerce and e-banking both at the supervisory level (e.g., the Federal Reserve plays fundamental regulatory roles for both e-commerce and e-banking) and at the functional level (e.g., the Dodd-Frank Act covers significant aspects of both e-commerce and e-banking).
D. E-Commerce Regulatory Landscape
As shown in Figure 2, the e-commerce ecosystem is overseen by a number of regulatory agencies, both in the U.S. and abroad, including the following (each regulatory body is followed by its activities in e-commerce):
The Federal Reserve System (Fed):
- The Fed conducts U.S. monetary policy to promote maximum employment, stable prices, and moderate long-term interest rates in the U.S. economy
- The Fed promotes the stability of the financial system and seeks to minimize and contain systemic risks through active monitoring and engagement in the U.S. and abroad
- The Fed also promotes the safety and soundness of individual financial institutions and monitors their impact on the financial system as a whole
- The Fed is the lender of last resort to member banks (through discount window lending)
- In “unusual and exigent circumstances,” the Fed may extend credit beyond member banks, to provide liquidity to the financial system, but not to aid failing financial firms
- The Fed may initiate a resolution process to shut down firms that pose a grave threat to financial stability. The FDIC and the Treasury Secretary have similar powers
Consumer Financial Protection Bureau (CFPB):
- Regulates non-bank mortgage-related firms, private student lenders, payday lenders, and larger consumer financial entities
- Does not supervise insurers, SEC and CFTC registrants, auto dealers, sellers of non-financial goods, real estate brokers and agents, and banks with assets less than $10 billion
- Writes rules to carry out federal consumer financial protection laws
The Federal Trade Commission (FTC):
- Protects consumers from unfair and deceptive practices in the marketplace
- Maintains competition to promote a marketplace free from anticompetitive mergers, business practices, or public policy outcomes
Various U.S. State Governments (e.g., Attorneys General and Legislatures of various states define and enforce a wide range of regulations affecting e-commerce):
- Full range of regulatory coverage that parallels the U.S. federal regulatory system (to the extent not preempted by federal laws and regulations)
- Regulate most entities operating in the state
- Regulatory oversight often applies even to businesses that operate over the web or via mobile platforms and in the absence of a physical presence in the state, as long as such businesses transact with consumers and businesses in that state
Various national Governments and regulatory agencies around the world (e.g., the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in the U.K.):
- Full range of regulatory coverage that parallels the U.S. federal and state regulatory systems
Various regulatory bodies and administrative agencies operating at the regional level internationally (e.g., the European Commission (EC), the European Data Protection Board (EDPB) established by the General Data Protection Regulation (GDPR), etc.):
- Specific regulatory segments, typically focused more narrowly on specific issues affecting international trade and commerce
The PCI Security Standards Council (Visa, MasterCard, American Express, Discover, JCB):
- Defines and manages standards for security of the member credit card networks
The National Automated Clearing House Association (NACHA), which administers the ACH rules in the U.S., and the European Commission, European Central Bank, and other European national and regional authorities, together with the European Payments Council (EPC), which administer the SEPA rules in Europe:
- NACHA and the EPC define, maintain, and enforce the operation of electronic fund transfers running through the automated clearing house (ACH) network in the U.S. and the Single Euro Payments Area (SEPA) network in Europe, respectively
- NACHA and the EPC perform parallel roles in the U.S. and Europe, and each of them also pursues additional initiatives beyond ACH and SEPA
Various global Credit Card Networks/Schemes (Visa, MasterCard, AMEX, Discover, JCB, etc.):
- Define, maintain, and enforce the operation of the respective credit card networks
The regulatory frameworks that apply to the e-commerce ecosystem include the following (each framework is followed by its scope of coverage):
The unfair, deceptive, or abusive acts or practices framework (UDAAP) overseen by the CFPB:
- Unfair, deceptive, or abusive acts and practices can cause significant financial injury to consumers, erode consumer confidence, and undermine the financial marketplace. Under the Dodd-Frank Act, it is unlawful for any provider of consumer financial products or services or a service provider to engage in any unfair, deceptive, or abusive act or practice
- The CFPB enforces UDAAP rules to prevent unfair, deceptive, or abusive acts or practices for consumer financial products and services. Consequently, the UDAAP regulations apply to any entity that markets or provides financial products and services to consumers
The unfair or deceptive acts or practices framework (UDAP) overseen by the FTC:
- Section 5(a) of the Federal Trade Commission Act (FTC Act) (15 USC §45) prohibits “unfair or deceptive acts or practices in or affecting commerce.” This prohibition applies to all persons engaged in commerce, including banks. The FTC is authorized under Section 8 of the Federal Deposit Insurance Act (FDIA) to take appropriate action when unfair or deceptive acts or practices (UDAP) are discovered
- Given the overlap in terminology between UDAAP and UDAP, it is not surprising that the FTC and the CFPB could overlap in their regulatory activities. Indeed, the FTC's regulatory mandate requires the FTC to look for other violations of parallel laws and regulations when the FTC identifies UDAP violations in the course of its audits.
The Electronic Fund Transfer Act (EFTA) - Regulation E:
- The EFTA - Regulation E is the primary regulatory framework for e-commerce
- Regulation E protects consumers engaging in electronic fund transfers (EFTs) and remittance transfers, including:
  - transfers through automated teller machines (ATMs);
  - point-of-sale (POS) terminals;
  - ACH systems;
  - telephone bill-payment plans in which periodic or recurring transfers are contemplated;
  - remote banking programs; and
  - remittance transfers
- The Dodd-Frank Act transferred rulemaking authority under the EFTA from the Fed to the CFPB
The Dodd-Frank Act and subsequent amendments:
- The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank) is a comprehensive regulatory framework that restructured large areas of e-commerce and e-banking, including the creation of the Consumer Financial Protection Bureau (CFPB)
- Dodd-Frank covered a wide range of e-commerce and e-banking regulatory matters, and was implemented through material revisions to existing rules and legislation coupled with new legislation and reassignment of enforcement obligations among existing and newly created federal agencies. For example, Dodd-Frank covered issues such as the orderly liquidation authority of financial entities (Title II), reassignment of various agencies responsibilities (Title III), regulation of insurance (Title V), regulation of bank and savings associations (Title VI), regulation of payment and settlement activities (Title VIII), the establishment and assignment of duties to the CFPB (Title X), and more
- Dodd-Frank was subsequently rolled back in some e-banking and e-commerce areas by the Economic Growth, Regulatory Relief and Consumer Protection Act, which became effective in 2018
- A much broader bill designed to materially scale back Dodd-Frank (the Financial Choice Act) was passed in the House of Representatives in 2017, but failed in the Senate
Truth in Lending Act (TILA) - Regulation Z:
- The Truth in Lending Act (TILA) was enacted on May 29, 1968, as title I of the Consumer Credit Protection Act and has been amended extensively since then, including material changes made pursuant to the Dodd-Frank Act. TILA is implemented by Regulation Z
- TILA applies to both e-commerce and e-banking, and generally seeks to ensure that credit terms are disclosed in a meaningful way so consumers can compare credit terms more readily and knowledgeably. Creditors must use the same credit terminology and expressions of rates. In addition to providing a uniform system for disclosures, TILA regulates credit billing and credit card practices, provides consumers with rescission rights in certain lending transactions, establishes rate caps on certain dwelling-secured loans, regulates home equity lines of credit and certain closed-end home mortgages, and generally prohibits unfair or deceptive mortgage lending practices
Consumer Leasing Act - Regulation M:
- The Consumer Leasing Act (CLA) was originally passed in 1976 and was part of TILA (implemented by Regulation Z). Subsequently, the CLA was restated as Regulation M and was amended further, eventually coming within the regulatory scope of the CFPB
- The CLA generally applies to consumer leases of personal property and requires accurate disclosure of lease terms to help consumers compare different leases, and to compare the cost of leasing with the cost of buying. In addition, the CLA puts limits on balloon payments sometimes due at the end of a lease and regulates advertising
Prepaid Accounts Rule:
- Implemented under the EFTA through Regulation E and Regulation Z
- The prepaid accounts rule is another fundamental framework for e-commerce given the recent popularity of prepaid accounts as alternative mechanisms to store, distribute, and spend funds by both employers and consumers
- Material amendments to Regulation E were recently finalized and will become effective on April 1, 2019
- Covers disclosures, limitations of consumer liability, error resolution, and periodic statements for certain types of prepaid cards
- Regulates overdraft credit features that may be offered in conjunction with prepaid accounts
Expedited Funds Availability Act (EFA Act) - Regulation CC:
- Regulation CC implements the Expedited Funds Availability Act (EFA Act) and the Check Clearing for the 21st Century Act (Check 21)
- Requires banks to make available funds deposited into transaction accounts according to specified time schedules and to disclose their funds availability policies to their consumers
- Expedites the collection and return of checks and electronic checks, and describes requirements that affect banks that create or receive substitute checks
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM):
- CAN-SPAM regulates commercial aspects of electronic communications
- Requires warning labels for commercial electronic mail that contains sexually oriented material
- Prohibits senders from charging a fee or imposing other requirements on recipients who wish to opt out
- Separate email violations can trigger penalties up to $41,484
Telephone Consumer Protection Act (TCPA):
- The TCPA restricts telephone solicitations (i.e., telemarketing) and the use of automated telephone equipment
- Limits the use of automatic dialing systems, artificial or prerecorded voice messages, SMS text messages, and fax machines
- Specifies several technical requirements for fax machines, autodialers, and voice messaging systems (e.g., requiring identification and contact information of the sender)
The Electronic Signatures in Global and National Commerce Act (E-Sign Act):
- The E-Sign Act provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce
- Allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent
- The E-Sign Act is invoked extensively throughout various other rules and regulations enforced by the FDIC, CFPB, FTC, and other government agencies as a framework for obtaining end consumer consents
Fair Credit Reporting Act (FCRA) - Regulation V:
- The FCRA (Regulation V) is a regulatory framework for the furnishing, use, and disclosure of information in reports associated with credit, insurance, employment, and other decisions made about consumers
- Imposes a number of obligations on entities that qualify as "consumer reporting agencies" and on persons who use consumer report information (users) or furnish information to consumer reporting agencies (furnishers)
- Requires that furnishers ensure the accuracy of the data placed in the consumer reporting system
- Prohibits the use of consumer reports for impermissible purposes, and requires users of consumer reports to provide certain disclosures to consumers
- Limits certain information sharing between affiliated companies
Right to Financial Privacy Act (RFPA):
- The RFPA establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer's financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object. The RFPA imposes related limitations and duties on financial institutions prior to the release of information requested by federal authorities.
- The RFPA has been amended several times in recent years to permit greater access without customer notice to customer information requested for criminal law enforcement purposes and for certain intelligence activities.
Children's Online Privacy Protection Act (COPPA):
- The primary goal of COPPA is to place parents in control over what information is collected from their young children online.
- COPPA protects children under age 13 and applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children.
- Also applies to operators of general audience websites or online services in some cases.
- Obligations include disclosures, opt-in rights for parents, etc. Parental rights under COPPA parallel aspects of GDPR (this reinforces the general guidance that compliance with GDPR is helpful to achieve universal privacy compliance within the U.S. and globally)
Payment Card Industry Standards:
- The payment card industry (PCI) establishes, monitors, and enforces a wide range of standards through the PCI Security Standards Council (PCI Council). These standards govern the processing of payment cards and cardholder data through the member credit card networks. It is important to note that enforcement of compliance with PCI DSS and determination of any non-compliance penalties are carried out by the individual payment networks and not by the PCI Council.
The standards developed and maintained by the PCI Council include the following:
- The Payment Card Industry Data Security Standard for Merchants & Processors (PCI DSS) is a global data security standard that applies to entities involved in the processing of payment cards through the member credit card networks. PCI DSS covers a wide range of vendors, merchants, banks, and payment processors, and addresses 12 categories of security requirements
- The Payment Application Data Security Standard (PA-DSS) is a global standard that parallels PCI DSS and applies to software developers and integrators of applications that store, process, or transmit cardholder data as part of payment authorization or settlement. PA-DSS covers 14 categories of security requirements. It is important for e-commerce merchants and retailers to realize that use of a PA-DSS compliant application by itself does not make the merchant or retailer automatically PCI DSS-compliant because the PA-DSS application must be implemented into a PCI DSS compliant environment and must follow a PA-DSS Implementation Guide provided by the application vendor
- The PCI Point-to-Point Encryption (P2PE) Standard facilitates the development, approval, and deployment of PCI-approved P2PE solutions that increase the protection of cardholder data by encrypting data from the point of interaction within the encryption environment where account data is captured through to the point of decrypting that data inside the decryption environment. The P2PE Standard is directed at P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions
- The PCI PIN Security Standard establishes a set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals. The PCI PIN Security requirements address seven control objectives that are directed at acquiring institutions and agents (e.g., key-injection facilities and certificate processors) responsible for PIN transaction processing on the cardholder accounts. The individual payment brands monitor and enforce compliance with this standard
- The PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard establishes requirements for designing HSMs to meet the security needs of the payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs. The PTS HSM Standard provides vendors with a list of all security requirements against which their products will be evaluated in order to obtain PCI PTS HSM device approval
- The PCI PIN Security Requirements Standard establishes requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals. These PIN Security Requirements include 33 requirements organized into seven control objectives. The PIN Security Requirements apply to acquiring institutions and agents responsible for PIN transaction processing on cardholder accounts, but do not apply to issuers. The PIN Security Requirements identify minimum security requirements for PIN-based interchange transactions, outline the minimum acceptable requirements for securing PINs and encryption keys, and protect cardholder PIN numbers
- The PIN Transaction Security (PTS) Point of Interaction (POI) Standard provides vendors with a list of all the security requirements against which their product will be evaluated in order to obtain PCI PTS POI device approval. The PTS POI Standard applies to products in the following categories:
  - PED or UPT POI devices: Complete terminals that can be provided to a merchant “as-is” to undertake PIN-related transactions. This includes attended and unattended POS PIN-acceptance devices
  - Non-PIN acceptance POI devices evaluated for account data protection
  - Encrypting PIN pads that require integration into POS terminals or ATMs. Overall requirements for unattended PIN-acceptance devices currently apply only to POS devices and not to ATMs
  - Secure components for POS terminals: These products also require integration into a final solution to provide PIN transactions. Examples are OEM PIN entry devices and secure (encrypting) card readers
- The Card Production and Provisioning (CPP) Standard applies to the security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution. The CPP Standard applies to entities that: a) perform cloud-based or secure element (SE) provisioning services; b) manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or c) manage associated cryptographic keys. The CPP Standard does not apply to vendors who are only performing the distribution of secure elements
- The PCI Card Production and Provisioning Physical Security (CPPPS) Requirements Standard applies to entities involved in payment card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The CPPPS Standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes: card manufacturing, chip embedding, personalization, storage, packaging, mailing, shipping or delivery, and fulfillment
- The PCI Three-Domain Secure (3-D Secure, or 3DS) Standard defines a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from exposure to CNP fraud. This standard is intended to support app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions. The three domains consist of the merchant/acquirer domain, the issuer domain, and the interoperability domain (for example, payment systems). The PCI 3DS Security Requirements apply to the EMV 3-D Secure Core Components (ACS, DS, and 3DS Server), which perform certain functions defined in the EMV 3-D Secure Protocol and Core Functions Specification. The PCI Council maintains a set of related standards documents specifying the compliance requirements for entities involved with 3DS transactions, products, or services
- Additional security requirements and assessment procedures for token service providers (EMV payment tokens). This standard establishes physical and logical security requirements and assessment procedures for token service providers that generate and issue EMV payment tokens. A token service provider is an entity that provides a token service comprising the token vault and related processing, and has the ability to set aside licensed ISO BINs as token BINs to issue payment tokens for PANs
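To make the token service provider description above concrete, the following is an added example (not code from the PCI Security Standards Council, EMVCo, or any token service provider) of the two properties a token vault must have: a PAN is mapped to a token drawn from a BIN reserved for tokens, so the token can circulate through merchant systems without exposing the PAN, and only the vault, for an authorised caller, can map a token back. The token BIN `990001`, the index key, and the requester names are constructed placeholders; a production vault would keep PANs encrypted under HSM-managed keys and apply the EMV tokenization specification rather than this simplified format.

```python
"""Illustrative PAN tokenization vault (added example, not PCI Council code)."""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used for PANs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for c in "0123456789":
        if luhn_valid(partial + c):
            return c
    raise AssertionError("unreachable: exactly one check digit satisfies Luhn")


def is_plausible_pan(pan: str) -> bool:
    """Syntactic PAN check only: 13 to 19 digits with a valid Luhn check digit."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Minimal PAN-to-token vault with an explicit detokenization access policy."""

    def __init__(self, token_bin: str, index_key: bytes, detokenizers):
        if not token_bin.isdigit():
            raise ValueError("token BIN must be numeric")
        self.token_bin = token_bin            # BIN set aside for tokens (constructed)
        self._index_key = index_key           # key for the keyed PAN lookup index
        self._detokenizers = set(detokenizers)
        self._token_by_pan_index = {}         # HMAC(PAN) -> token
        self._pan_by_token = {}               # token -> PAN (encrypted in a real vault)

    def _pan_index(self, pan: str) -> str:
        # Keyed hash so the lookup index does not itself expose PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _fresh_token(self, length: int) -> str:
        body_len = length - len(self.token_bin) - 1   # leave room for the check digit
        if body_len < 1:
            raise ValueError("token BIN too long for this PAN length")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(body_len))
            token = self.token_bin + body
            token += luhn_check_digit(token)      # Luhn-valid so legacy format checks pass
            if token not in self._pan_by_token:   # avoid handing out a token twice
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight (idempotent)."""
        if not is_plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        idx = self._pan_index(pan)
        if idx in self._token_by_pan_index:
            return self._token_by_pan_index[idx]
        token = self._fresh_token(len(pan))
        self._token_by_pan_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def is_token(self, value: str) -> bool:
        """True if the value is a token this vault issued (token BIN plus known)."""
        return value.startswith(self.token_bin) and value in self._pan_by_token

    def detokenize(self, token: str, requester: str) -> str:
        """Map a token back to its PAN; only listed requesters may do this."""
        if requester not in self._detokenizers:
            raise PermissionError(f"{requester} is not authorised to detokenize")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


def mask_for_receipt(pan: str) -> str:
    """What a merchant may retain for display: the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault("990001", b"constructed-index-key", {"acquirer-settlement"})
    pan = "4111111111111111"            # well-known test PAN, not a live card
    token = vault.tokenize(pan)
    print("merchant stores:", token, mask_for_receipt(pan))
    print("settlement sees:", vault.detokenize(token, "acquirer-settlement"))
```

The merchant-side systems in this flow only ever hold the token and the masked PAN, which is the scope-reduction argument for tokenization under PCI DSS; the vault's detokenization policy is the control that has to be assessed, since any caller it trusts can recover the PAN.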
|Payment Card Network Rules
- Visa, MasterCard, and other credit card network operators have established extensive rules that govern the processing, authorization, settlement, and other aspects of payment card processing. These rules apply to e-commerce merchants and retailers that accept payment cards online, via mobile apps, or in physical brick-and-mortar stores
- These rules become more relevant for e-commerce business models that include recurring payment plans and/or aggressive card processing practices. For example, merchants using more sophisticated and aggressive card processing methods, or working with vendors that specialize in card fund collection, may see their chargeback rate increase towards 1 percent, at which point they may come under particular scrutiny from the card network brands and may eventually incur fines. Nevertheless, balancing more aggressive card processing programs with good business procedures and fair-but-firm collection practices can significantly increase the net profit margin for e-commerce merchants. It is important to consider other applicable laws and regulations for programs like these, however, including the UDAAP and UDAP frameworks overseen by the CFPB and FTC (see discussion above)
|National Automated Clearing House Association (NACHA) Operating Rules in the U.S. and the Single Euro Payments Area (SEPA) Regulation in Europe (Regulation (EU) No 260/2012 of the European Parliament and of the Council of March 14, 2012, together with the European Payments Council rulebooks)
- The National Automated Clearing House Association (NACHA) administers the Automated Clearing House (ACH) rules in the U.S.
- The ACH Network connects U.S. banks, financial institutions, and a variety of IT vendors, and enables the movement of money and ACH data between them.
- NACHA administers a set of operating rules for ACH payments, which define the roles and responsibilities of ACH Network participants. These operating rules address issues similar to those covered by the card network rules, including consumer disclosures, consents, payment processing rules, etc.
- ACH transactions can include debit or credit payments, direct deposit of payroll, deposit of government and Social Security benefits, electronic mortgage and bill payments, online banking payments, person-to-person (P2P) and business-to-business (B2B) payments, etc.
- An ACH transaction flow involves the following participants and steps:
  - An originator (e.g., a consumer or business) initiates either a direct deposit or a direct payment transaction using the ACH Network
  - ACH entries are entered and transmitted electronically
  - An originating depository financial institution (ODFI) enters the ACH entry at the request of the originator
  - The ODFI may aggregate payments from its customers and transmit them in batches at regular, predetermined intervals to an ACH operator
  - The ACH operator receives the batches of ACH entries from the ODFI. The two ACH operators are the Federal Reserve Banks (FedACH) and The Clearing House (Electronic Payments Network); NACHA writes the operating rules but does not itself operate a clearing facility
  - The ACH operator sorts the entries and makes them available to the receiving depository financial institution (RDFI)
  - The RDFI debits or credits the receiver's account according to the type of ACH entry. Receivers may be consumers or businesses
  - ACH credit transactions normally settle in one to two business days
  - ACH debit transactions normally settle in one business day
- The European Payments Council (EPC), working with the European Commission, the European Central Bank, and other European national and regional authorities, manages the Single Euro Payments Area (SEPA) payment schemes in Europe.
- The EPC maintains four SEPA payment schemes, each defined by an EPC rulebook, which cover euro electronic payment transactions across 34 European countries (both within individual countries and between countries):
- SEPA Credit Transfer scheme
- SEPA Instant Credit Transfer scheme
- SEPA Direct Debit Core scheme
- SEPA Direct Debit Business-to-Business scheme
- In addition to managing the SEPA schemes, the EPC is also active in other areas of e-commerce in Europe, so ongoing regulatory activity should be expected in areas such as mobile payments, person-to-person remittances, e-invoicing, payment security, and card standardization.
|Uniform Electronic Transactions Act (UETA - States)
- UETA provides uniform rules at the state-level governing electronic commerce transactions. UETA parallels the E-Sign Act at the state level and establishes a legal foundation for the use of electronic communications in transactions where the parties have agreed to deal electronically. UETA validates and supports the use of electronic communications and records and places electronic commerce and paper-based commerce on the same legal footing
- UETA rules apply primarily to "electronic records and electronic signatures relating to transactions" that are not subject to the Uniform Commercial Code (UCC). But UETA rules do affect sale transactions under Articles 2 and 2A of the UCC. UETA 1) creates a uniform standard for validating online contracts; 2) provides for the validity of transferable records executed online; and 3) creates consumer protections and safeguards.
- In general, for a typical company involved in e-commerce or e-banking, complying with the E-Sign Act will inherently also achieve UETA compliance. But some subtle differences do exist and can become relevant in some less-common applications
|Data privacy and security laws
- E-commerce companies must also comply with extensive data privacy and data security legislation in the U.S. and around the world, which may be defined at the provincial level (e.g., Canadian provinces), national level (e.g., U.K., Germany, France), U.S. federal level (e.g., HIPAA, the Right to Financial Privacy Act (RFPA)), U.S. state level (e.g., California, New York), regional or common market level (e.g., GDPR within the European Union), or international level (e.g., the EU-U.S. Privacy Shield)
- It is also important to understand that a particular e-commerce transaction may be subject to multiple laws, regulations, and industry standards that relate to privacy or data security, and that some of those may pull in opposite directions (e.g., the PCI DSS limits on storing cardholder data, the data minimization and erasure rights under California or GDPR privacy law, and record-retention requirements under tax law)
- Companies operating in the telecommunications industry, both wired and wireless, are subject to additional legal and regulatory requirements in the U.S. and in other countries, which address such companies' fundamental role in acting as communication conduits both domestically and internationally.
The regulatory landscape outlined above shows that data privacy and security is a complex topic that affects e-commerce from multiple directions, particularly with respect to data analytics and data monetization, and these issues will be addressed in more detail in a future paper.
E. Conclusion: Some Thoughts About E-Commerce Business Models
As can be seen from Figure 2, the regulatory landscapes for both e-commerce and e-banking are extensive, and while they overlap to a large extent, each of them also includes material areas of specialized regulations that are independent. This paper identified a number of major regulatory frameworks applicable to e-commerce, and Part two of this paper will discuss e-banking regulations, and the interplay among blockchain, e-commerce, and e-banking. Here are some concluding remarks:
1. Earlier-Stage Companies and Compliance Obligations
For earlier-stage companies, a business model that covers both e-banking and e-commerce is likely to trigger significant compliance obligations in both areas. Not only would such compliance obligations be expensive and require significant resource allocation, but they could also negatively impact the growth of the business if compliance is not implemented thoughtfully, progressively, and in parallel with the business expansion.
For example, an e-commerce platform that allows consumers to purchase products or services via mobile apps or websites may also look like an excellent platform for enabling money transfer features among consumers or businesses. The new remittance functionality, however, would likely trigger new and significant compliance obligations, such as obligations under money transmission laws (both federal and state), and compliance with the Bank Secrecy Act and the USA PATRIOT Act (e.g., KYC/CIP compliance and customer due diligence, suspicious activity reporting, currency transaction reporting, and information sharing with FinCEN). If the product and market support expansion, the company should pursue the growth and expand into the new e-banking areas, but it must be cognizant of its new regulatory obligations and should plan accordingly. Also, the company should ensure at the design stage that its technology platform can support the data collection and feature management prescribed by applicable laws. Changing a technology platform after wide consumer adoption to reactively implement regulatory requirements can be time consuming and expensive and can negatively impact operational reliability and customer satisfaction. As a general rule, when it comes to federal and state laws, doing first and asking for forgiveness later is a risky practice.
2. E-Banking v. E-Commerce Regulatory Burden
Overall, e-banking regulations tend to be more complicated and harder to implement than e-commerce regulations. Additionally, some financial services and products require an institution to obtain an operational bank charter, which may include authorization from a federal or state authority to operate as a bank, deposit insurance from the FDIC, minimum capital requirements, and other regulatory and compliance obligations. Consequently, from a regulatory compliance standpoint, it is generally easier for banks to expand into e-commerce than for commerce companies to add e-banking services. On the other hand, banks do not typically develop complex technology in-house, and therefore are generally cautious about developing e-commerce capabilities.
The net result is that business relationships between banks and e-commerce companies tend to be the fastest and most efficient way to grow into new areas for both types of entities. Such business relationships can be implemented as cross-referral relationships, joint ventures, strategic alliances, and complementary technology development and integration projects.
Implementing effective collaboration frameworks between omnicommerce companies and banks is not trivial, however, given fundamental differences between their business models and operating principles. For example:
- Commerce companies tend to operate with short horizons, and expect frequent and ongoing technology and business model iterations and repositioning; in contrast, banks tend to plan for longer timeframes and are not set up to easily accommodate ongoing changes.
- Omnicommerce companies are not used to significant regulation and they target light OPEX loading of their P&Ls for any activities that are not strictly involved in revenue generation, including for compliance; financial institutions, on the other hand, are used to heavy regulatory burden, plan accordingly, and expect that all of their vendors and business affiliates will operate within those regulatory frameworks.
- Earlier stage companies are focused on growth and market expansion, and tend to look at each bank relationship as just another step in their drive towards wide industry penetration and market share leadership; in contrast, banks are risk averse and often favor corporate stability and management team maturity over pure technology capabilities when they evaluate their tech vendors and business affiliates.
- Technology companies are understandably concerned about high liability and seek meaningful liability limitations in legal agreements with financial institutions; banks, on the other hand, are cognizant of their own high financial exposure to regulatory actions and consumer-level litigation, and therefore expect to divest much of their risk exposure to their suppliers and business affiliates.
As a result, business, operational, and legal teams working on engagements that bridge e-commerce and e-banking have to thoughtfully consider each other's expectations, needs and concerns, and must be creative to design win-win relationships that can achieve mutual goals over two-to-five-year timeframes while thoughtfully addressing relative liability and risks.
3. Data Analytics and Monetization
As shown in Figures 1 and 2, data is a fundamental operational block for both e-commerce and e-banking. Both e-commerce and e-banking entities have realized in the past few years that SKU-level and service-level transaction data is key to increased customer satisfaction, revenue and customer stability, and improved economics.
The continuing erosion in traditional payment processing profit margins has led to a drive towards volume and consolidation in e-commerce, while looking at e-banking services as potential add-on revenue streams. In parallel, limited growth opportunities in the traditional banking space are leading banks to innovate and try to expand into e-commerce, either directly or through business relationships. A common factor for all of these entities is an increased drive towards deep data analytics that relies on SKU-level data in e-commerce and consumer-transaction records in e-banking. For example, accurate and detailed consumer-level data can enable behavioral profiling and improved digital offers and advertising in e-commerce, and can help financial institutions and banks individualize insurance risk assessment and lending offers, and effectively advertise other financial products and services.
The emergence of platforms that connect mobile apps to the cloud has meant that commerce companies and banks can find a common technology denominator capable of generating data immediately relevant to both e-commerce and e-banking. Consequently, technology is now offering an unprecedented opportunity for commerce companies and banks to work together, and the quest for SKU-level and service-level data and complementary revenue growth opportunities are powerful incentives to make those relationships work.
Data analytics and monetization, however, run quickly against a regulatory ecosystem that has grown more protective of consumers in the past few years, including a complex web of privacy laws promulgated by U.S. States and U.S. federal agencies, the Canadian Federal Government and Canadian provinces, the EU (e.g., GDPR), countries in APAC, and so on. In parallel with these privacy laws, we have a complex web of regulations enforced by U.S. federal agencies (e.g., FTC and CFPB), regulations enforced by the large payment card networks through direct card processing rules and through standards (e.g., PCI DSS), regulations enforced by NACHA for the ACH network, and so on. Further, banks and commerce companies remain subject to their underlying regulatory and compliance obligations, as outlined in Figure 2 above.
Consequently, joint business alliances must be designed and then managed to allow the parties to achieve a number of goals, both individually and together, including:
- discharge each party's regulatory and compliance obligations;
- allocate intelligently between the parties the obligation to obtain consumer consents based on current and projected direct nexus with the consumers;
- allow each party to thoughtfully share data with the other party;
- impose appropriate cross-party compliance responsibilities;
- implement a level of operational separation for each party, both in terms of regulatory compliance and in terms of business growth and market segmentation;
- protect core IP for each party while incentivizing joint innovation and technical collaboration;
- address liability and risk allocation carefully; and
- plan in advance for an eventual relationship wind-down.
4. E-Commerce Platforms
A small- or medium-sized business or an enterprise merchant deploying an e-commerce platform that allows consumers or other businesses to purchase products or services is usually concerned with payment processing as a fundamental step in efficiently collecting revenue. That is certainly a critical concern at the initial stage. Choosing the right payment processor in terms of capabilities and geographic reach, pricing, and integration into the merchant's omnichannel platform is often the primary driver of the selection and initial deployment of payment processing within e-commerce platforms. Those are, however, just the starting considerations that need to be addressed as merchants develop more sophisticated omnichannel stacks capable of acquiring customers with high conversion rates, dynamically optimizing pricing, extending personalized digital offers, implementing and managing effective loyalty programs, driving customers towards subscription models with recurring payments, collecting actionable SKU-level data, analyzing data to reduce revenue and customer churn, and eventually monetizing data to generate additional direct and indirect revenue streams.
As companies implement more complex omnichannel layers in their e-commerce platforms, API integrations with external vendors and business affiliates increase in numbers and transaction volumes, and both issues of technical compatibility and regulatory compliance start to arise. A typical merchant has legal compliance obligations towards governmental authorities in multiple jurisdictions, contractual obligations towards both vendors and customers, and regulatory obligations towards industry organizations. A compliance program should include thoughtful propagation of regulatory obligations across the merchant's whole commercial chain, from suppliers to customers and back, coupled with effective deflection and reallocation of liability to avoid liability pooling within the merchant's organization. Additionally, optimization of contractual provisions with payment processors and other payment-related vendors (e.g., reserve accounts, settlement times, liability reallocation, etc.), implementation of complex cross-referral programs with other omnicommerce entities (e.g., residuals and cross-referral fees), and augmentation of insurance policies to cover regulatory risks and other contingencies on a global basis become important tools that allow merchants to increase their net profit margins while decreasing their risk profiles.
For merchants that rely on credit card payments for revenue generation, the obligations relating to PCI DSS compliance are well-known, and much of the operational burden can be shifted to PCI-validated payment processors and other payment-related vendors (for example, by using hosted payment pages or tokenization so that cardholder data never enters the merchant's own environment); the merchant nonetheless remains accountable to its acquirer for its own, reduced-scope compliance and cannot contract that accountability away. But the large body of regulatory provisions (e.g., Regulation E) and the comprehensive set of card processing rules enforced by the payment card networks (e.g., rules governing payment authorizations via APIs, aggressive management of revenue churn and card payment collections, elevated chargeback rates, and other issues that arise for merchants that deploy sophisticated e-commerce platforms) are less well known, and require careful thought on an ongoing basis.
The rules managed by the payment card networks become more relevant for e-commerce business models that include recurring payment plans and/or aggressive card processing practices. For example, merchants using more sophisticated and aggressive card processing methods, or working with vendors that specialize in credit card fund collection, may see their chargeback rate increase towards 1 percent, at which point they may come under increased scrutiny from the payment card network brands and may eventually incur fines and additional oversight. Nevertheless, balancing more aggressive card processing programs with good business procedures and fair-but-firm collection practices can significantly increase the net profit margin for e-commerce merchants. It is important to also consider other applicable laws and regulations for programs like these, including the UDAAP and UDAP frameworks overseen by the CFPB and FTC.
If you would like to discuss any aspect of this paper, please do not hesitate to contact any attorney in WSGR's technology transactions or fintech practices, or please feel free to reach out to Marius Domokos at firstname.lastname@example.org.
Note: The opinions in this article are limited to the scope of this article and to the dataset used for this analysis, and do not necessarily reflect the author's opinions in general, the opinions of Wilson Sonsini Goodrich & Rosati (WSGR), or of any attorneys or other personnel affiliated with WSGR, or the opinions of any WSGR clients or business affiliates.
© 2019 Wilson Sonsini Goodrich & Rosati, Professional Corporation