How Apple Pay coincides with the Consumer Financial Protection Act: will Apple become a regulated entity?

• Author: Gray, Jessica M.

1. INTRODUCTION

   In today's world, it is almost a guarantee that from the time a person wakes up in the morning until the time a person goes to bed, he or she will see numerous people using their smartphones throughout the day. (1) Of all the smartphones captivating the public, Apple's iPhone has proven to be the most desirable. (2) When the original iPhone launched on June 29, 2007, people waited in line for hours in anticipation of something that had only been imagined in the mind of the late Steve Jobs, Apple's CEO at the time. (3) For the next seven years, Apple constantly challenged itself by inventing new iPhones that trumped the features of the previous generation of iPhones. (4) However, it was not until October of 2014 that Apple introduced a feature of its newest iPhone that has the potential to not only dramatically affect its consumers, but also the company itself--Apple Pay. (5)

   The digital wallet represents a future where consumers will no longer have to dig through purses or physical wallets in search of plastic credit cards or cash, but where they can simply scan or swipe their device at the register. (6) Apple Pay, available only on the iPhone 6, the iPhone 6 Plus, and the Apple Watch, turns the device into a digital wallet, allowing a person to use the feature to pay at one of 220,000 contactless payment locations across the nation, including McDonalds, Walgreens, and Macy's. (7) In 2011, Google attempted to launch its form of the digital wallet, but it ultimately failed to succeed in the market. (8) Despite past flops of the digital wallet, Apple Pay is the first to have a momentous global impact, particularly because Apple, as a company, has already successfully shown its ability to in crease consumer fanaticism over its products. (9) During Apple's quarterly conference for the first quarter of 2015, Apple CEO Tim Cook described the rapid growth in Apple Pay since it was unveiled. (10) Since retailers have eagerly adopted Apple Pay, the payment application "now accounts for two out of every three dollars processed through contactless payment systems." (11) However, a feeling of uncertainty over mobile payment systems is still abundant among customers due to the significant increase in security attacks and data breaches of major companies like Facebook, Twitter, Microsoft, and even Apple itself. (12)

   The introduction of Apple Pay may embody the future of mobile financial services for consumers, but Apple may have simultaneously and unknowingly entered a realm of federal regulation. (13) This Note will argue that Apple is a "service provider" under the Consumer Financial Protection Act, and thus it is subject to financial regulations. (14) This Note will also discuss the role of the Consumer Financial Protection Bureau and its responsibility in upholding the legal implications of the Consumer Financial Protection Act. This Note will then consider what it will mean for Apple to be regulated under this law and subsequently tie in how Apple may potentially be affected by Massachusetts General Laws chapter 93A. The analysis will provide hypotheticals of possible security issues with Apple Pay and how consumers can legally respond to such breaches, both federally and in Massachusetts. This Note will ultimately hypothesize Apple's future, if it becomes federally regulated under the Consumer Financial Protection Act, and how this future could consequently benefit consumers.

2. HISTORY

   1. The Consumer Financial Protection Act of 2010

      In 2007, the United States was beginning to enter the biggest financial storm since the Great Depression. (15) While jobs were lost and home values plummeted, lenders capitalized on the dire situation by luring tens of millions of American families into unaffordable loans by false promises of low payments. (16) In June 2009, President Obama urged Congress to address the lack of consumer protection by creating a new financial institution that would center its attention on protecting people from "unfair, deceptive, and abusive financial practices." (17) In July 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, in turn, created the Consumer Financial Protection Bureau to protect American consumers in the market for consumer financial products and services. (18) The Consumer Financial Protection Bureau, headed by an appointed director, has the power to "administer, enforce, and otherwise implement federal consumer financial laws." (19)

      Under the Consumer Financial Protection Act, the Bureau has authority over numerous consumer financial products and services, including mortgages, credit cards, and money transmissions. (20) The original version of the bill defined a service provider as those persons who have "direct interaction with a consumer, or facilitate, or make easier, the design or operation of a transaction." (21) The revised language now states that a service provider refers to "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service." (22) The definition includes providers that design, operate, or maintain the product or service, as well as those that process transactions relating to the product or service. (23) Although historically the Consumer Financial Protection Act has dealt with the traditional financial institution of banks, the technological advances of mobile banking through a digital wallet have raised new questions concerning what federal or state banking and financial services laws and regulations would govern these mobile payment services. (24) Various interpretations of the statutory language leave the door open for litigation surrounding the definition of a service provider and the intent behind the legislature in how broadly to apply the definition. (25)

   2. Relationship between the Federal Law and Massachusetts General Law chapter 93A

      The Consumer Financial Protection Act does not preempt state consumer financial protection laws so long as the state laws do not conflict with federal laws or regulations. (26) Further, state statutes that afford consumers greater protection than federal laws do not conflict with federal laws. (27) The attorney general of any state can bring a civil action on behalf of a resident of the state or in the form of a class action in order to enforce provisions and remedies under the federal law. (28) In Massachusetts, the consumer protection law is known as Massachusetts General Law chapter 93A. (29) The Attorney General may investigate and take legal action against businesses that participate in unfair or deceptive conduct, and prosecute a consumer protection case in the public interest, as well as in a private lawsuit. (30) The Massachusetts law is an attractive outlet for wronged parties to seek justice under because a person may recover double or treble damages, as well as attorneys' fees and costs. (31) Under the federal Consumer Financial Protection Act, courts or the Bureau may award any appropriate legal or equitable relief. (32) However, exemplary or punitive damages are not to be awarded under the Act. (33) Essentially, if the Consumer Financial Protection Bureau opted not to pursue litigation over a particular matter, the Massachusetts Attorney General could bring a civil action under both the federal Consumer Financial Protection Act, as well as under 93A, and potentially recover a greater monetary sum. (34)

   3. Recent Surge in Data Breaches

      In 2013, United States consumers were the victims of a dramatic increase in the number of security attacks and data breaches. (35) Between July and October 2013, personal information from more than 1.1 million debit and credit cards was stolen from Neiman Marcus stores. (36) In January 2014, Snapchat, a photo and video-sharing application, suffered a data breach in which usernames and partial phone numbers of 4.6 million subscribers were exposed. (37) As different forms of electronic communication become more prevalent in today's world, especially e-commerce and e-banking, security protocol for various organizations, including TJX, Hannaford, and Sony Playstation, have come under intense scrutiny. (38) In a lawsuit filed by Massachusetts Attorney General Martha Coakley, several popular Boston bars and restaurants were forced to pay $110,000 under settlement due to a data breach that put the payment card information of tens of thousands of consumers at risk. (39) Under the terms of the settlement, all of the restaurants were required to create a stronger security system, including a security password management system. (40) Although this case proved to be successful for Massachusetts plaintiffs, its victory is not representative of the few other data-breach related cases in the state. (41)

      Many data breach plaintiffs often assert causes of action under state consumer protection statutes, which generally proscribe deceptive and unfair business practices, as described in Massachusetts General Law chapter 93A. (42) The First Circuit in In re TJX Companies Retail Security Breach Litigation (43) held that a court could find that the company's lack of security measures constitutes an unfair practice because such conduct is systematically reckless, "aggravated by [a] failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers." (44) Data breach victims may also seek to bring actions under other federal statutes, including sections of the Electronic Communications Privacy Act and the Stored Communications Act. (45) Although historically the litigation surrounding data breaches has not intersected with the Consumer Financial Protection Act, the technological development of mobile payment and the digital wallet may in fact spark cases that will require a fresh analysis of how these progressive companies should be...