
Apple Pay and Compliance

By Brad Bergmooser


Vendor relationships, Reg E and Reg Z all come into play.

Credit unions have been among the first financial institutions to offer the widely publicized Apple Pay. Because its access and security features are ahead of traditional plastic cards and different from those of EMV (“chip”) cards, Apple Pay should be reviewed by credit unions to determine if it fits within their strategic plans. However, the offering represents a significant change in how credit unions interact with their members and other participants in the payment processing industry, which makes a thorough analysis of the service a necessity before jumping in. A key aspect of this review includes considering compliance issues, such as third-party vendor relationship management, as well as Regulations E and Z.

Apple as Your Newest Vendor

If you’re thinking about signing with Apple, be sure to determine the structure of your relationship with the company. It’s unlikely that Apple’s financial viability will be an issue. But to withstand regulatory scrutiny and abide by internal due diligence policies, your CU needs to 1) demonstrate it fully understands the product it is signing up for, and 2) have counsel review the contractual responsibilities of both parties.

Note: Apple will charge a reported 15 basis-point fee on each transaction. This will be on top of new “tokenization” charges from the networks (in addition to traditional transaction fees). These additional costs make it imperative for a credit union to conduct a comprehensive cost-benefit analysis of its debit and credit portfolio. The margin will be less than CUs see on card processing, but they may move forward regardless because of member demand.

Liability: Regulations E and Z

While Apple Pay may be a new method to process a transaction, it follows the existing rules. A very important compliance concern is to determine how you account for liability associated with an unauthorized transaction when Apple Pay is used.

How Apple Pay Works

When a credit union signs on with Apple Pay, its members can “load a card” onto their iPhone or iPad. Then Apple encrypts the card information and sends it to the CU. Apple says this is the only time the member’s card information is used, and it will not be stored on the device or any Apple system.

Once authorized, the card network will create a “device account number” (or token) and a key used to generate the one-time code (cryptogram) sent with each transaction. The token is specific to each device and takes the place of the card number during payment. When buying an item, members activate Apple Pay by using their thumbprint to send the token and code to the network. This information is authenticated and sent to the credit union to complete the transaction. (Find detailed descriptions of the process here.)
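As an added illustration, not Apple’s actual protocol and not code from this article, the following Python models the flow just described: the network provisions a device account number and key, the phone computes a one-time cryptogram for each payment, and the network verifies that cryptogram and maps the token back to the card number before forwarding the request to the issuing credit union. The test card number, token format, HMAC construction and counter-based replay check are simplifying assumptions.

```python
import hmac
import hashlib
import secrets

PAN = "4111111111111111"  # constructed test card number, not a real account


def make_cryptogram(key, token, amount_cents, counter):
    """One-time transaction code: HMAC over the token, amount and per-device counter (assumed construction)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Network:
    """Card network: issues device account numbers and verifies each cryptogram."""
    def __init__(self):
        self.vault = {}    # device account number -> (real PAN, device key)
        self.seen = set()  # (token, counter) pairs already used, to reject replays

    def provision(self, pan):
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        return token, key  # only these reach the phone; the PAN stays in the vault

    def authorize(self, token, amount_cents, counter, cryptogram):
        """Return the real PAN to forward to the issuer, or None if the request fails."""
        if token not in self.vault or (token, counter) in self.seen:
            return None
        pan, key = self.vault[token]
        expected = make_cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # wrong key or tampered amount/counter
        self.seen.add((token, counter))
        return pan


class Device:
    """Member's phone: holds only the token and key, never the PAN."""
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, amount_cents, fingerprint_ok=True):
        if not fingerprint_ok:
            return None  # thumbprint check gates every payment
        self.counter += 1  # fresh counter per payment, so each cryptogram is single-use
        code = make_cryptogram(self.key, self.token, amount_cents, self.counter)
        return (self.token, amount_cents, self.counter, code)
```

What the merchant terminal receives is the tuple returned by `pay`, which carries the token but never the card number, and the same tuple presented twice is rejected by the network.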

Nearly all credit and debit issues are governed by Regulation E (for electronic funds transfers/debit cards) or Regulation Z (which implements the Truth in Lending Act and applies to credit cards). The scope and complexity of these regulations appear to be expanding (see the Consumer Financial Protection Bureau’s recent proposal to regulate prepaid debit products here). But despite the growth in mobile payment processing, there is no guidance showing how this fits within existing laws, especially for unauthorized transfers.

Regulations E and Z detail where a member is and isn’t liable for unauthorized or fraudulent transactions. But the discussion stops short of any mobile payment examples. The credit union remains the responsible financial institution, in part because the card that you issue creates the cryptogram that sends the transaction information.

The service is also too new to have any case law to go on. And under Regulations E and Z, credit unions can’t contract away a member’s consumer protection rights. So how does your credit union offer Apple Pay and still maintain adequate liability protections?

The security features in Apple Pay, including thumbprint technology and the tokenization process, are a great start. But you also need to understand how your credit union gets usage information, that is, how it obtains the details of a transaction, so it can conduct an investigation to determine whether or not that transaction was unauthorized.

Look at the absence of regulatory guidance in a positive light, not as a reason for pause. Take steps, such as issuing separate mobile payment disclosures requiring a member to 1) keep the “Find My iPhone” function active, and 2) immediately notify the credit union if the device is lost or stolen.

Additionally, you should educate members on the importance of security when using Apple Pay, and that a loss from an unauthorized transfer is a loss to the membership as a whole.

Look at Risk and Reward

A core function of credit unions is mitigating risk—not eliminating it. Apple Pay has risks just like any other product or service. Successfully limiting those risks comes through understanding Apple Pay: how it works, what it will cost, and how it fits with your current payment processes’ regulatory and operational structure.

After a complete analysis, if you decide that Apple Pay is an appropriate service for your credit union’s current situation and projected growth, take the opportunity as a sophisticated, well-managed financial institution to establish policies and procedures to effectively bring mobile payment processing to your members.

Brad R. Bergmooser is senior counsel, Freeborn & Peters LLP, Chicago.
