Apple Pay and the CFPB
Apple Pay has been getting a lot of attention, and I hope to do a longer post on it, but for now let me highlight one possible issue that does not seem to have gotten any attention. I think Apple may have just become a regulated financial institution, unwittingly. Basically, I think Apple is now a "service provider" for purposes of the Consumer Financial Protection Act, which means Apple is subject to CFPB examination and UDAAP.
Here's the argument. Be warned: this is a romp through some legal definitions.
The CFPB has authority over two classes of people: "covered persons" and "service providers". The CFPB has authority over these classes to the extent they are offering a "financial product or service." Apple does not currently fit within the definition of "covered person" because it is not offering a "financial product or service". Apple Pay does not actually transmit funds (the way, say, PayPal does); that's why Apple doesn't have an MSB license (as far as I'm aware).
But even if one isn't a "covered person," one can still be a "service provider" to a covered person. I think there's a reasonable case that Apple is a "service provider" by virtue of Apple Pay. A "service provider" must provide "a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service". Card issuers are covered persons, and Apple is providing a material service in connection with a consumer financial product--a credit card.
The "service provider" definition explicitly includes anyone who "participates in designing, operating, or maintaining the consumer financial product or service". There's an argument that Apple participates in designing, operating, and maintaining the card payments that go through Apple Pay, especially as Apple has specific agreements with card networks about what data is transmitted, what format, etc. In other words, Apple isn't just being a common carrier transmitting data for anyone. It's involved in figuring out what to transmit.
The "service provider" definition also explicitly includes anyone who "processes transactions relating to the consumer financial product or service". That sure sounds like Apple's role in the Apple Pay environment. There is a carve-out to this particular illustrative inclusion for parties that "unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes". I don't think Apple meets that carve-out. Apple Pay isn't unknowing or incidental transmission or processing of data. What's more, it is not undifferentiated data--this is special data going through the iPhone's Secure Element, which is, by definition, differentiated data. But even if I'm wrong about the carve-out, the carve-out only applies to the second illustration of service provider, and not to the "participates in designing, operating, or maintaining the consumer financial product or service" illustration.
While there is a carve-out for merchants of non-financial goods and services, there is a claw-back from that carve-out for "service providers," which means that the carve-out doesn't do Apple any good if it is a "service provider."
There is also a carve-out from the definition of "consumer financial product or service" for "electronic conduit services," but that doesn't affect whether Apple is a "service provider" to a credit card company, only whether it is a "service provider" to an "electronic conduit service". In any case, I don't think Apple's engaged in an "electronic conduit service" because Apple is selecting the data it transmits and that data is differentiated from other data transmitted.
Now perhaps there's something in the technical details of how Apple Pay works that undermines my analysis. But it sure looks to me like Apple's a "service provider" under a reasonable reading of the statute.
What's the Implication?
So what does this mean if I'm correct and Apple is now a "service provider" under the Consumer Financial Protection Act? First, it means that Apple is now subject to CFPB examination and enforcement authority. Second, it means Apple is subject to UDAAP, including CFPB rulemaking and enforcement and state enforcement of the federal UDAAP statute.
And note that the way the Consumer Financial Protection Act is drafted, UDAAP is not limited to unfair, deceptive, and abusive practices in connection with the offering of the consumer financial product or service. It is a simple prohibition on covered persons and service providers engaging in unfair, deceptive, and abusive acts and practices, period. There is no language saying that the unfair, deceptive, or abusive acts and practices have to have any relationship with the consumer finance business. Read literally, anything Apple does is therefore fair game for state AGs, and for private attorneys who use private rights of action under state UDAP statutes based on a predicate violation of the federal UDAAP statute (that does not contain a private right of action).
Now I don't know if the CFPB would agree with my reading of the statute, and even if it did, I don't think that the CFPB is about to start examining Apple any time soon (perhaps in the future, though); there are more urgent matters and limited resources. And I don't know if Apple would agree with my reading either. But if my reading is correct, Apple just walked into the very different world of being a regulated entity. (Securities law disclosure issue anyone?) Are Apple's lawyers aware of this? Tim Cook?
Does the same apply to Google (via Google Wallet)?
Or is that structured differently in some meaningful way (e.g. Google doesn't [or soon won't] make the devices or it's more standards-based or ...)?
Posted by: Ravi | September 11, 2014 at 07:15 AM
Yes, please do comment on whether Google Wallet (software) and its Samsung, LG, etc. partners (hardware) are subject to the same concerns.
Posted by: Nick Byrd | September 11, 2014 at 12:48 PM
Apple Pay and Google Wallet are performing the same function as a physical plastic payments card, namely they are providing the authorization mechanism for a transaction. The reason that Apple and Google are subject to CFPB jurisdiction, but a card manufacturer is not is because the card manufacturer has sold the card (to the card issuer) and that's the end of its involvement. Apple Pay and Google Wallet are basically swiping the card for you, which is very different from what a card manufacturer does.
As long as Google is handling the Secure Element that transfers the payments data, I don't see anything that differentiates Google Wallet from Apple Pay in regards to applicability of CFPB regulation. A company like Samsung or LG that just makes hardware doesn't have an issue here, as far as I can tell.
If a comp
Posted by: Adam | September 11, 2014 at 08:47 PM
I see. So it's the service provider, not the hardware manufacturer that you have legal concerns about, making Apple and Google, but not Samsung, LG, etc. the subject of your concern. Thanks for clarifying!
Posted by: Nick Byrd | September 12, 2014 at 07:34 AM
Again, what about all the other players in this space like Google Wallet? Is the only reason you're commenting on Apple because they're Apple? Does Amazon provide services in the payments space as well?
Posted by: LL | September 12, 2014 at 10:02 AM
Because the data is encrypted and used only by the credit card companies, and technically never in Apple's possession (same probably for Google too) -- Tim Cook and the team have repeatedly said this is completely anonymous data that does not sit on Apple's servers -- the general arguments made here, or caution heeded, seem unwarranted. The "differentiation of data" argument is also a total reach, when you think about the fact that the same process (fingerprint verification) is used also for Apple iTunes purchases, unlocking the phone, etc.
But maybe I'm missing something...
Posted by: iheartWallStreet | September 15, 2014 at 12:29 PM
@iheartWallStreet: You are missing something.
The primary question is whether Apple "participates in designing, operating, or maintaining the consumer financial product or service". Apple participated in designing the service. It negotiated with the card networks about the data protocols, etc. Apple also operates/maintains the service. So Apple is a "service provider" and therefore subject to CFPB jurisdiction, unless it falls into an exception.
That's where the "differentiation of data" point comes in. There is an exception to the "service provider" definition for a party that "unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes". That exception is meant to cover telecom firms that just transmit data without knowing what the data is. That's not Apple. Apple (1) knows what the data is, (2) isn't just doing so incidentally, and (3) the transmission/processing is done in a different manner from other types of data processed/transmitted by the iPhone because payments data is the only thing using NFC and the only thing using the Secure Element. The fingerprint verification is, frankly, irrelevant. The fact that Apple doesn't "own" the phone and that the data isn't on Apple's servers also shouldn't matter. Apple still "maintains" the phones--if there's a problem with the phone, Apple's the party involved.
I don't think this is even a close call.
Posted by: Adam | September 15, 2014 at 02:27 PM
Hi Adam,
Thanks for the thoughtful reply. Here's where I think we differ, other points aside, to which you make good points...
"participates in designing, operating, or maintaining the consumer financial product or service"
"There is also carve-out from the definition of "consumer financial product or service" for "electronic conduit services," but that doesn't affect whether Apple is a "service provider" to a credit card company, only whether it is a "service provider" to an "electronic conduit service". In any case, I don't think Apple's engaged in an "electronic conduit service" because Apple is selecting the data it transmits and that data is differentiated from other data transmitted."
This is a slippery one... what's the financial product or service? Are they creating the actual financial product, ie. credit card? No. Or are they simply streamlining the transaction itself to the use that credit card? Arguably yes --so then they're surely a conduit, right?
"In any case, I don't think Apple's engaged in an "electronic conduit service" because Apple is selecting the data it transmits and that data is differentiated from other data transmitted."
I guess I view this as a push vs. pull protocol issue. If the banks and card issuers ask for (dare I say demand) specific data formatting and security standards (which I'm almost sure they do/did) then Apple certainly isn't "in-charge" of what data is transmitted, nor are they in possession of the data; access differentiation arguments aside (fingerprints). In this vein, I think the conduit service exclusion almost certainly applies because Apple only made the existing process easier for the banks and card issuers to facilitate the transaction on their own networks, which are regulated. NFC will/could also be used for gift cards, airline tickets, etc -- which I also imagine Apple could/would/should argue.
So, it's not as clear to me still.
Again I really appreciate the discussion. Cheers.
Posted by: iheartwallstreet | September 15, 2014 at 05:07 PM
Also, Apple is not offering fraud protection, charging interest, billing, collecting payments, offering customer care or service to credit card customers... these are financial products & services that are, and should be, regulated. They are very much only acting as a conduit.
The phone itself is arguably not the conduit, the Apple Pay software is however. Which happens to be on an iPhone. But again, without possession of the data, or specific knowledge of when the actual transaction request is happening, and arguably an undifferentiated access point (fingerprints and NFC could be used for any number of applications) I'm growing more convinced that they are a conduit that should be exempt.
Posted by: iheartwallstreet | September 15, 2014 at 05:17 PM
@iheartwallstreet, one might reasonably argue as a policy matter that Apple ought to be exempt, but what matters right now is the application of the actual statutory language.
If Apple is a "service provider" that alone doesn't mean Apple has to do anything differently. It would mean that (1) Apple is subject to CFPB examination, and (2) Apple would be subject to UDAAP enforcement and rulemaking. None of the 18 enumerated consumer laws that the CFPB assumed administration of apply to Apple at this point, as far as I can tell, so there wouldn't be any specific requirements or prohibitions, just sort of a "don't be evil" check of UDAAP.
Posted by: Adam | September 15, 2014 at 06:29 PM
@adam So, who wins?
Posted by: iheartwallstreet | September 16, 2014 at 03:30 PM
I'm pretty sure Google has done what is necessary. I do know that Google Wallet works in an interesting way in that each person is issued a rechargeable virtual prepaid debit card that is used to process all transactions so it gets hit from the linking of that card to another card or bank account. The card is created for one and only one transaction for the specific amount. That way they never have to transmit your info in any way except on the back end between themselves and MasterCard.
They, like Apple, have assumed the risk and subsequent CFPB regulations in stopping unauthorized transfers so I would assume they are at least partially aware of their position.
BTW, you can also get a physical rechargeable card for use as well.
Posted by: Errorr | September 17, 2014 at 03:45 PM
Also, beyond UDAAP Google is almost certainly under EFTA although they may lay in the prepaid card exception based on the design. Apple may also be under EFTA but the system is still a little obfuscated as far as tokening and actually holding your card info on the device.
Posted by: Errorr | September 17, 2014 at 03:48 PM
I'm a little late to the party, but Google and Apple likely are exempt from the EFTA because they have written agreements with the account-holding institutions. Non-account holding service providers are subject to the EFTA only if they issue an access device AND do not have an agreement with the account holding institution. (12 CFR 1005.14)
If, on the other hand, the service is considered a "general use prepaid card", it would open them up to the disclosure requirements for such cards before each purchase (though I believe they would be exempt from most other EFTA requirements).
Hard to tell, but it looks as though the CFPB is trying to broaden their enforcement authority as much as possible, and would likely want to take a bite out of that Apple (couldn't resist).
Posted by: Paranoiod Android | October 06, 2014 at 12:12 PM