PANDORA'S DIGITAL BOX: THE PROMISE AND PERILS OF DIGITAL WALLETS.

• Author: Levitin, Adam J.
• Position: ARTICLE

INTRODUCTION 307 I. DIGITAL WALLETS AND MOBILE PAYMENTS 312 A. Flows of Funds and Data in Payment Card Transactions 312 B. Digital Wallets 315 1. Types of Digital Wallets 315 2. Mobile Wallets 318 C. What Digital Wallets Change 319 1. The Method of Transmission of Payment Authorization Data from Consumers to Merchants 320 2. The Nature of Payment Authorization Data 321 a. PCTDSS Mandated Encryption 322 b. EMV Chip Cards 323 c. Tokenization 328 3. The Economics of Payment Card Transactions 331 a. Fees 331 b. Monetizable Data 333 II. BENEFITS AND RISKS OF DIGITAL WALLETS 334 A. Consumer Benefits and Risks 335 1. Consumer Benefits from Digital Wallets 335 2. Consumer Risks from Digital Wallets 336 a. Varying Legal Regimes 336 b. Security Measures and Fraud Risk 338 c. Error Resolution 339 d. Wallet Provider Insolvency 339 e. Loss of Privacy 340 3. The Need for a CFPB Digital Wallet Rulemaking 343 B. Merchant Benefits and Risks from Digital Wallets 346 1. Merchant Benefits from Digital Wallets 346 2. Merchant Risks from Digital Wallets 348 a. Control Over Customer Data 348 b. Customer Relationship Management 351 c. Tender Choice and Payment Routing 352 d. Fraud and Data Security 355 e. Intellectual Property Liability 356 f. Cost of Accepting Payments 357 3. The Honor All Wallets Rules 358 a. The Honor All Wallets Rules 359 b. Problems Identifying Digital Wallets 363 c. Antitrust Implications of the Honor All Wallets Rules 364 d. From Honor All Cards to Honor All Wallets 364 e. Harms to Competition 366 f. Possible Antitrust Violations 370 i. Unreasonable Vertical Nonprice Restraint of Trade 370 ii. Unreasonable Restraint of Trade Through Tying 373 CONCLUSION 376 INTRODUCTION

Digital wallets are poised to transform the world of consumer payments and commerce. Digital wallets are computer software applications that store and transmit payment authorization data for one or more credit or deposit accounts. After a consumer loads her payment account data into a digital wallet, the digital wallet functions as a payment device for the selected account, transmitting the data to merchants to authorize payment. By storing payment authorization data, digital wallets function analogously to physical wallets that contain multiple payment cards used to transmit payment authorization data.

Digital wallets differ from traditional plastic cards in that they are (potentially) smart wallets. Traditional payment cards are "dumb" devices that are capable of doing a single thing and nothing more: transmitting payment authorization data to a merchant. In contrast, a digital wallet can provide two-way communication between a consumer and a merchant. That communication need not be limited to payment authorization data, but could include virtually any type of data. For example, a digital wallet can be used to transmit realtime geolocation data, coupons, and loyalty program information about the consumer to the merchant. It can also be used to transmit advertising, sales offers, shipping information, and receipts from the merchant to the consumer in real time. This means that a digital wallet can potentially integrate payments into a comprehensive digital retail services suite of advertising, search, payment, customer service, and loyalty program features.

Despite the basic functional similarity to traditional plastic payment cards, digital wallets can present materially different risks and costs for consumers and merchants. Critically, these risks and costs vary among digital wallets. Digital wallets involve a much broader range of form factors, technologies, and business models than traditional plastic cards, and the cost-benefit proposition of making or accepting digital wallet payments varies by product.

For consumers, digital wallets can unfavorably shift the legal regime that governs the transactions, expose individual consumers to additional fraud risk, sow confusion regarding error resolution, expose consumers to non-FDIC-insured accounts, and substantially erode transactional privacy For merchants, the risks from digital wallets include losing valuable customer information, poaching of customers by competitors, and impairing customer relationship management, as well as increases in fraud risk, patent infringement liability, and the cost of accepting payments. (1)

Unfortunately, neither consumers nor merchants can effectively protect their interests with respect to digital wallets, albeit for different reasons. Although consumers have a largely unconstrained ability to pick and choose which digital wallet(s) to use, this ability affords little market-based protection for two reasons. First, the types of risks digital wallets pose to consumers are unlikely to be salient in their decisionmaking. Second, even if these risks were salient, consumers lack the ability to distinguish between digital wallets with regard to these risks. Consumers' lack of understanding of the material risks involved with digital wallets and their inability to protect their interests when selecting digital wallets points to the need for regulatory intervention to mandate minimum consumer protections for digital wallets. The Consumer Financial Protection Bureau (CFPB) has authority to undertake such regulation.

Merchants face a different problem. Merchants have only limited ability to refuse or condition acceptance of payments from particular digital wallets. The three major payment card networks--American Express, MasterCard, and Visa (collectively, the Card Networks)--have network rules applicable to merchants that accept their cards. The Card Networks' rules require merchants to "Honor All Wallets" without discrimination. Specifically, the Honor All Wallets rules require merchants that choose to accept a Card Network's payments using a particular type of communications technology to accept the Card Network's payments without discrimination from all devices that utilize that communications technology. These rules force merchants to take various types of digital wallets if they accept regular credit and debit payments--which is a sine qua non of participating in modern retail markets.

For example, a merchant that accepts traditional MasterCard magnetic stripe devices must accept MasterCard payments from all devices using magnetic stripe data, including mobile devices such as SamsungPay that utilize magnetic stripe emulation technology to mimic the electromagnetic field created by a magnetic stripe card. Likewise, if a merchant accepts Visa contactless payments from credit cards with Near Field Communications (NFC) "contactless" chips, the merchant must also accept Visa contactless payments from all mobile devices that use NFC.2 The merchant could not accept NFC payments only from mobile devices that make payments through lower-cost systems like PIN-debit and automated clearing houses (ACH).3

Under the Honor All Wallets rules, then, a merchant must accept payments from all payment devices that utilize a technology if the merchant accepts any payments using that technology. As a result, merchants cannot refuse to accept payments from payment devices that impose greater risks and costs upon them. Merchants cannot price for the risks created by particular payment devices, nor can they contractually reallocate those risks to the digital wallet provider. Indeed, absent direct physical observation, merchants are presently unable to identify what form factor was used to make a payment, so merchants cannot even distinguish which digital wallet is being used.

In sum, the Honor All Wallets rules mean that merchants lose control over what risks they accept and on what terms. When accepting payment from any particular digital wallet, a merchant is forced to open a digital Pandora's Box of an unknown set of risks.

This Article considers the potential legal and business issues digital wallets raise for both consumers and merchants, and proposes a pair of necessary interventions in the digital wallet marketplace. First, it argues the CFPB should issue regulations under its power to regulate "abusive" practices and services to require minimum standards for default payment options, security, deposit insurance coverage, and privacy. Second, it argues the Honor All Wallet rules are likely antitrust violations that inhibit the development of digital wallet technology by making merchants reluctant to accept digital wallets and by making it difficult for the digital wallets with the most attractive value propositions for merchants to gain market share. In particular, the Honor All Wallets rules foreclose entry into the digital wallet market for digital wallets that use lower cost payment systems than the Card Networks--namely PIN-debit and ACH--and thereby help the Card Networks maintain their market power in the face of a technological transition from plastic cards to digital wallets. Ironically, then, the Honor All Wallets rules may well be inhibiting rather than encouraging adoption of digital wallets because the rules enable bad wallets to preserve market access such that the bad can crowd out the good.

This Article contributes to the consumer protection, antitrust, and payment systems literatures. Consumer protection literature is only just starting to address the tremendous and ongoing technological changes in payments. (4) This Article lays out the rationale and authority for CFPB intervention to require minimum product standards in the digital wallet market.

The payments industry has been beset with antitrust litigation in the United States for the past two decades, focusing on the Card Networks' system for setting interbank fees on payments (which get passed through to merchants and consumers), including various Card Network rules that prohibit merchants from taking actions to steer consumers to cheaper payment methods. This litigation has resulted in two of the largest private settlements in history--a $3 billion class action settlement in 2003 (5) and a $7...