MCC: MasterCard and Visa set a deadline of October 1 for U.S. financial card issuers to replace the familiar magnetic strips with EMV (chip) cards, and for merchants to start accepting them or face a shift in liability for fraudulent transactions to the party that has failed to adopt the new cards. How do you expect this transition to play out?
Peppard: First, it is important to note that the magnetic strip is not going away anytime soon. There will be a significant time period over which the transition takes place. The last I read, the expectation was that 70 percent to 75 percent of merchants were going to miss the transition date. This is going to be especially true for smaller merchants, who need to decide whether or when to incur the costs and/or disruption for new point-of-sale machines. It’s going to be several years before you get to anything like full compliance. Merchants who miss the transition period are going to face more of the cost of fraud inherent in the system. The system is going to move that fraud risk onto them for fraud that is caused by, or is relating to the failure to make the transition.
Also, the U.S. is switching generally to a chip-and-signature system. This will not be a sea change. Part of going to chip and signature is not to disrupt the use of cards – they’re going to work in much the same way, outside of how you swipe your card.
The one other thing to think about is the immediate impact on fraud. Fraud is not going away, and, certainly, this isn’t going to stop it. It’s going to help reduce certain types of fraud. For example, cloning magnetic strips is going to be much more difficult with this system. Certain kinds of capturing techniques won’t be possible because of the nature of the one-time code that goes out. Stolen cards are still going to be a risk because of the signature versus the PIN decision, and I do think the focus of fraud may switch slightly to online card-not-present transactions, where the chip process doesn’t provide the same level of protection.
MCC: You’ve been advising financial institutions and other players in the payment systems industry for many years. What are the opportunities? What should financial institutions be worrying about regarding the shift to EMV cards?
Peppard: The harmonization of the technology as far as the global standard will make it easier for U.S. cardholders to use cards overseas and for non-U.S. cardholders visiting the United States to do the same thing. Harmonization will increase the use of cashless payment systems, an area of tremendous growth, and this will just accelerate that.
On the risk side, as I said earlier, fraud will move toward the card-not-present system – online transactions. The experience in Europe has shown this. That could actually inhibit, on a relative basis, growth in the online universe. As we make point-of-sale devices safer, those who are looking to attack the system will just move to the next easiest space. That is probably going to be online card-not-present transactions. The potential for fraud is going to be a drag on growth for those transactions.
Still, I expect to see incredible growth in that area, and I think some of the players will move to aggressively address fraud in online transactions. There are a variety of technologies out there that make online transactions safer. As consumers and merchants see the benefits of those systems, especially if you see an uptick in online fraud, there are significant opportunities for those technologies to grow.
MCC: While various major Internet players seem to be out front on mobile payments, the banks are battling back. For example, Royal Bank of Canada recently became the first financial institution in North America to launch a host-card emulation mobile-payment service. Banks have long held a dominant position in consumer finance. Can the likes of Apple and Google dislodge them? Are the banks equipped to take on the Internet giants?
Peppard: The important thing to remember is that Apple and Google ultimately tie to a bank account or a credit card. I view them, at least for now, as being supplements to the system and not truly disruptive. Obviously, they’re moving into it, and they’re going to capture some of the income stream from these transactions, but the Apples, the Googles and the other Internet players are partnering with the banks. As long as the banks act as the primary stores of wealth, they’re going to continue to play a dominant role over all those transactions.
I think banks are going to move aggressively on the implementation of mobile wallets. A variety of companies are in the mobile wallet space because they don’t want to incur the additional cost of paying supplemental providers or added players in the system. They’d rather act as the mobile wallets themselves.
MCC: As a transactional lawyer focused on M&A and corporate finance, what do you expect as the rapidly evolving mobile payment sector matures? More innovation, to be sure, but what about cooperation and consolidation? Where do you see this going from a deal maker’s point of view?
Peppard: I do expect to see an uptick potentially in joint ventures between industry participants, as well as revenue-sharing agreements and partnerships between some of the traditional service providers in the industry and banks and financial institutions. I also expect traditional players to scoop up potential disruptors on the hardware and software side. Technological change has costs, and the wider you spread those costs across a customer base, the more efficient that’s going to be.
Of course, you can take that only so far. Consolidation is one option, but cooperation, even to the extent that it creates further competition or drives innovation, doesn’t necessarily pass muster under the U.S. and/or European antitrust laws. There’s going to be a bit of a dance here. There is certainly some logic in creating competition through, for example, alternatives to the traditional trio of Visa, MasterCard and American Express. But there’s real trouble with making those opportunities work for two reasons. First, participants who are otherwise competitors will need to cooperate, which is easier said than done. Second, there is risk that regulators will not view any cooperation benignly.
MCC: Data security and privacy are key issues in the mobile payment space. Many experts seem to have thrown up their hands and are advising clients that breaches are inevitable. Do you see any path forward beyond preparing for the worst and hoping for the best?
Peppard: I wish I had a better answer, but no. The simple fact is that data breaches are going to happen. There is just as much innovation by those seeking to gain illicit access to data as there is by those seeking to protect it. Data breach detection right now is measured in months, not hours or days, and that’s a key metric that you’re going to see everyone focusing on in the near future. How do we detect them sooner? How do we remediate the negative consequences of those breaches? How do we limit the damage?
MCC: Some say that despite all the hoopla about EMV and so-called tokenization, it is not likely to eliminate or even put a serious dent in the rampant fraud plaguing point-of-sale payment systems. Mike Cook, Wal-Mart’s payments chief, has ridiculed the transition to EMV because the card brands insist on the chip-and-signature method to verify transactions, rather than the more secure chip-and-PIN method that is standard in most countries. “Signature is worthless as a form of authentication,” he said. “As far as security goes, is this shift much ado about very little?”
Peppard: There’s no doubt that the chip-and-signature system is less robust than chip and PIN, but “worthless” is an overstatement. EMV is going to reduce certain kinds of fraud, and it will make the hackers respond to it, which is a good thing. The best example is in some of the recent high-profile breaches, including Target. The PIN debit cards were not replaced generally, because the credit card information by itself was worthless without the PIN. For some high-profile breaches, a chip-and-PIN system may have reduced the negative consequences. The kind of fraud that you have when somebody comes into possession of a card number will still exist, because it’s so easy to enter into transactions where the authentication is based on a signature, but the EMV shift will have some positive effects – although not nearly as much as there would have been with chip and PIN.
MCC: The regulations surrounding mobile payments and the number of agencies involved are staggering. When it comes to compliance, where should clients, particularly financial institutions, be focusing?
Peppard: The universe of how a mobile transaction takes place, what your role in the system is, and how you’ll be regulated based on that role is fairly well known. The area where the regulatory environment is shifting under people’s feet relates to data privacy and cybersecurity.
In the Wyndham case that came out of the Third Circuit recently, the FTC sued Wyndham, charging that they engaged in unfair acts or practices in violation of the Federal Trade Commission Act because of their cybersecurity policies. It was a broad victory for the FTC, and I think it’s part of a consolidated effort at all levels of government, whether you’re talking about the Consumer Finance Protection Board (CFPB) or the FTC, to force companies to focus on data privacy and cybersecurity. That focus on the part of the regulators is only going to increase. The FTC appears to have a broad mandate to regulate the space. The CFPB has been very active in all things touching mobile payments and credit cards. Those regulatory bodies are going to be front and center.
If you want to think about it from the perspective of compliance, it’s about constant engagement. The lesson of Wyndham is that you have to constantly review your security measures and ask: “Are we using industry best practices? What’s changed?” As the industry develops, and as innovation occurs, what might be reasonable now might not be reasonable at the time of a breach.
It’s expensive, but at the end of the day boards have to consider what their risk is from a supervisory position. If you’re an industry participant and you have this constantly evolving technological and legal environment, how do you stay abreast of it and make sure that you’re fulfilling your duties to your institution? In 2015, cybersecurity and data privacy are not just compliance- or IT-level issues. They are major, board-level issues.
MCC: If you’re the general counsel of a major financial institution, what should you be telling your CEO and board of directors to focus on when it comes to payment systems? How can companies strike a healthy balance between innovation and risk management?
Peppard: I don’t think there is a balance. You must innovate or you’re going to fall behind in the marketplace. The payment universe requires single-minded focus and commitment to risk management. The general counsel has to tell the CEO and board of directors that we need to be committed to compliance, and that means that the institution has to focus on creating reporting systems so information gets from all the way down to the IT group and all the way up to the board of directors.
MCC: As new payment systems evolve, so does the legal plumbing in and around them, such as license and service agreements used in connection with processing platforms. What are the emerging legal and business issues?
Peppard: Where I see people get tripped up is with money transmission. Forty-eight states have money transfer laws. The Financial Crimes Enforcement Network regulates it, and early-stage companies especially get tripped up. That’s because it’s a state-by-state process and, therefore, it’s expensive to comply.
One of the emerging issues is the recent decision from the European Union’s highest court nullifying the U.S.-EU safe harbor for the transmission of information from Europe to the United States. The ruling is throwing a bit of chaos into how information is going to move between the United States and Europe. Thousands of companies are operating under the safe harbor. Some bigger companies are going to have an easier time moving information because they have major European subsidiaries and could stop the flow of information there or could more easily use one of the other methods of complying with the EU law. Small and midsize companies, however, could struggle. There are two ways to comply with the EU directive other than the safe harbor. But those are more burdensome, more time-sensitive and potentially more expensive to implement. The laws concerning the movement of data between jurisdictions are going to require constant grappling with compliance.
MCC: How concerned should banks and others be over emerging cross-border issues, including litigation, anti-corruption, anti-money-laundering, internal investigations and the like?
Peppard: Any time a U.S. company is purchasing a non-U.S. business or assets, the anti-corruption/anti-money-laundering laws are incredibly important and need to be considered from the very beginning of the transaction. Financial institutions are well versed in AML compliance, but anti-corruption is a completely different matter. Companies can get blind-sided in international transactions, where the level of diligence on their acquisition targets may not be sufficient to capture ongoing compliance issues and/or to satisfy the regulators that the buyer was reasonable in doing its diligence and making sure they weren’t buying a problem. The more you do – whether it is getting contractual protection, sniffing out problems and/or self-reporting immediately upon finding a problem (whether before a transaction closes or as soon as possible thereafter) – makes a difference in the consequences for being in violation of any of these laws. Most companies have a good handle on AML, but the Foreign Corrupt Practices Act and its equivalents outside the U.S. require well-thought-out policies. In the acquisition context, it can be invaluable.
Published October 20, 2015.