Since the turn of the millennium, electronic transactions have grown in popularity from a specialized financial niche to one of the most common ways people exchange money. In 2010, non-cash transactions amounted to about $282 billion worldwide. E-commerce and the growing availability of electronic financial services has caused this figure to increase substantially. In 2015, non-cash transactions totaled over $430 billion, and this figure is expected to top $725 billion by 2020.[1] In response to the growth in electronic transactions over the past decade, federal and state lawmakers have worked alongside the electronic payment processing industry to develop laws, regulations, and best practices meant to ensure that online payments are verifiable and secure.
This module discusses the legal landscape of common e-commerce financial transactions. The analysis begins with a discussion of the Financial Services Modernization Act, a federal law that serves as the linchpin for further regulation of electronic transactions. Next, the focus shifts to federal rules requiring certain business practices regarding electronic payments and then to a discussion about the measures that the electronic payment processing industry has taken on its own initiative to make e-commerce transactions more secure. The module closes with a brief overview of special topics in online financial activities.
The Financial Services Modernization Act
Unlike analog transactions, electronic payments require payees and recipients to maintain sensitive financial information that is accessible online. While this lays the groundwork for the ease and convenience of sending money with a click, it also exposes people to a great deal of risk. Congress identified this risk early in the digital revolution and responded by passing the Financial Services Modernization Act, also known as the Gramm-Leach-Bliley Act, in 1999.[2]
The Act addresses privacy issues in digital and analog financial transactions. Specifically, it applies to anyone who obtains a financial product or service from any financial institution, either online or brick-and-mortar. However, it is particularly relevant to payments made in e-commerce because it addresses concerns related to consumer privacy in electronic financial transactions. This includes most online credit card transactions, which are also known as “card not present” payments.[3]
The Act requires financial institutions to protect consumers’ “nonpublic” personal information, which includes information consumers must provide to obtain financial products and services, such as their names, addresses, yearly incomes and Social Security numbers.[4] It also includes information the financial institution gathers from the financial transaction, such as consumers’ account numbers, payment histories, account balances and credit or debit card purchases.[5] Nonpublic personal information also includes information that others can derive from the underlying financial transaction, such as court records or consumer reports.[6]
To protect consumers from potential fraud and abuse, the Act limits a financial institutions’ ability to disclose nonpublic personal information and imposes mandatory disclosure and notice requirements when disclosures are made. When disseminating any nonpublic personal information, a financial institution must provide consumers with information on its privacy policies and practices. The consumer must also be provided with the chance to “opt out” of the disclosure if the information is going to a non-affiliated third party, such as an independent research organization or an online retailer, subject to limited exceptions. The Act further prohibits financial institutions from sharing nonpublic personal information with third parties for marketing purposes.[7]
Several agencies are responsible for administering the requirements of the Act, with the FDIC chief among them. The Federal Trade Commission has also issued a set of rules aimed at protecting customers and their personal financial information when they make online transactions.
Federal Rules Regulating Electronic Financial Transactions
Since the passage of the Financial Services Modernization Act, regulatory agencies have developed a suite of rules and policies designed to implement the law. In 2007, the Federal Trade Commission developed a set of regulations specifically designed to address security and consumer protection concerns created by online transactions. These regulations are commonly known as the “Red Flag Rules.”[8]
These rules impose requirements on businesses and other organizations that accept electronic payments. First, anyone who falls under FTC jurisdiction must implement an identity theft prevention program that can detect known ‘red flags’ of identity theft. These include any suspicious pattern, practice or activity that indicates possible identity theft.[9] Placing the responsibility on the organizations receiving online payments helps ensure that enforcement and deterrence of e-commerce crimes starts at the grass-roots level.
The Red Flag Rules apply to banks, savings and loan associations, mutual savings banks and federal credit unions. They also cover businesses that qualify as “creditors” with “covered accounts.” The process of determining whether an organization is covered involves a close review of its business activities, particularly regarding accounts receivable and how accounts are accessed during business operations. These organizations must implement this identity theft prevention plan in their day-to-day operations and take other steps that may be necessary to prevent and mitigate online financial crimes.[10]
To comply with the Red Flag Rules, businesses must satisfy four key elements. First, businesses must identify potential red flags that could lead to identity theft during standard day-to-day operations. Second, businesses must create a system or program that detects identified potential red flags. Third, the business must detail actions that they will take to respond to detected red flags. Finally, the business must identify how it will remain current and up-to-date on identifying and addressing potential new threats.[11]
By way of example, imagine that an e-commerce company has identified changing IP addresses from payment accounts as a potential red flag for cyber theft. The rules require the company to design or purchase a system that can track IP addresses from payment accounts and alert the business when there is an unexpected change. Next, the company must have an official policy in place explaining what it will do to respond to the issue, such as by suspending the flagged account or sending notice of the change to the payee. As time goes on, the Red Flag Rules also require the company to regularly revisit its policy regarding changing IP addresses and revise it as necessary.
Self-Regulation and Industry Best Practices
Industries tend to push back against regulations that impose costly compliance requirements. However, this has not been the case with the financial services industry, at least regarding electronic transactions. While federal rules and laws impose requirements on companies processing electronic fund transfers, the industry players themselves have created best-practices paradigms that create an effective system of self-regulation. In fact, most of the major security measures that consumers rely on today were created and enforced by the Payment Card Industry Security Standards Council. The Council is not a government agency, but rather it’s a coalition of major players in the financial services market, including American Express, Discover, JCB International, and Visa.[12]
The Security Standards Council governs internationally, so the policies that it develops apply across jurisdictions. This is particularly important for online financial transactions, which are often performed in multiple jurisdictions. The Council’s role is to maintain payment security for any organization that stores, processes, or transmits data from credit card holders – which is by far the most common way consumers engage in e-commerce.
Even though it does not carry the force of law, the Security Standards Council has proven to be very effective in imposing standards for electronic payments. For example, its standards require retailers to accept chip-embedded credit and debit cards. To make sure retailers followed this new security protocol, the Council contractually shifted liability for non-chip-card fraud from the card company to the retailer. So, if a retailer processes a chip-enabled card but uses the magnetic stripe instead of the inserted chip, the retailer would be liable for any data fraud that occurred.[13] This poses enough of a deterrent to encourage widespread compliance with the chip-card policy.
Despite robust industry regulations, combating fraud in “card not present” transactions still has a long way to go.[14] These types of transactions, which are most common online, are not as easily remedied by the insertion of a special chip reader or similar technology. As card-not-present transaction fraud continues to pose a major issue in electronic payments and financial services, lawmakers and regulatory agencies are looking into the possibilities of creating special laws aimed at transactions performed online.
Specially-Regulated Online Financial Transactions
Electronic payments must be processed through financial services institutions, so laws regulating the banking and financial industry are the first line of defense against fraud and abuse. However, federal and state governments also have enacted laws that directly regulate the type and manner of allowable online financial transactions. At the forefront of this new legal movement regarding transactions is the legality of online gambling and the regulation of cryptocurrencies.
Internet Gambling
Outside of a few jurisdictions that allow gambling, anyone who is looking to gamble on casino games or wager on sports books must do so online. The internet is replete with every type of gambling website, ranging from eye-catching electronic slot machines to the increasingly popular fantasy league. A 2018 case, Murphy v. National Collegiate Athletic Association, forced the Supreme Court to grapple with the question of whether the federal government could prohibit sports betting in states that wanted to allow the practice.
Murphy involved a challenge to the Professional and Amateur Sports Protection Act of 1992.[15] The Act banned the practice of sports betting on the national level, subject to limited exemptions for states with certain pre-existing policies allowing the practice. The State of New Jersey challenged the law, arguing that the statute violated the Tenth Amendment’s prohibition against the federal government commandeering states’ rights. After many years of litigation, the Supreme Court eventually held that the Act was unconstitutional. The Court threw out the law, permitting New Jersey, or any other state for that matter, to implement legal sports betting programs. [16]
The repeal of the national ban on sports betting is a landmark in U.S. legal history. However, the Supreme Court’s decision only has a tangential effect on the world of online gambling. That’s because online gambling is also subject to the federal Unlawful Internet Gambling Enforcement Act of 2006.[17] Under the Act, gambling businesses may not accept payments associated with a wager using the internet if the wager itself is unlawful under any federal or state law. The Murphy case does not de facto permit sports gambling nationwide, but rather, the decision opens the door for states to allow sports betting if they desire. So, state laws prohibiting gambling remain in effect unless the state chooses to repeal it. Thus, online gambling may have become permissible on the federal level, but not necessarily on the state level. Online sports betting may now be legal in some states and illegal in others. However, the Unlawful Internet Gambling Act may still prohibit domestic companies from accepting wagers online so long as the practice remains illegal in some states.
Cryptocurrency Regulation
Cryptocurrencies, also known as virtual currencies or digital coins, represent a new type of financial product that is built on blockchain technology. Electronic transactions performed using cryptocurrencies run on peer-to-peer networks and are in some ways more efficient than transactions run through third-party vendors, like the financial institutions. They are not subject to the Financial Services Modernization Act and its implementing regulations.[18]
Although cryptocurrency remains a fringe part of the online financial services industry, no discussion of e-commerce regulation in the United States would be complete without an overview of how this new technology is changing the regulatory landscape. Cryptocurrency popularity has increased dramatically over recent years. However, the future of cryptocurrency regulation is dubious because the United States has yet to legally characterize cryptocurrency within its existing set of financial laws.
Moreover, no single federal agency has declared jurisdiction over cryptocurrencies.[19] Rather, virtual currencies are regulated by a veritable alphabet soup of federal agencies. The SEC treats cryptocurrencies like securities and demands all digital coin issuers and exchanges comply with the SEC Acts of 1933 and 1934.[20] The Commodity Futures Trading Commission, on the other hand, has defined some virtual currency transactions as “commodities” subject to the Commodity Exchange Act.[21] The Internal Revenue Service takes yet another approach – labeling cryptocurrencies as property subject to the capital gains tax rules.[22] The Department of Treasury has thrown its hat into the ring as well, and it is more inclined to treat digital coins as money or currency.[23]
For now, these agencies are taking a cooperative approach to cryptocurrency regulation. Collectively, federal agencies are starting to engage in massive law enforcement measures to curb fraud and abuse in cryptocurrency markets. Much of this is in response to the widespread use of cryptocurrencies in online criminal activities, including money laundering, identity theft, fraud, drug sales, tax evasion, and even ransom.[24] However, it is still unclear whether digital coins will be directly regulated as a currency, commodity, security, software, or anything else.
Conclusion
Online purchases and electronic banking have become a standard part of our everyday lives. To ensure that digital transactions are performed in a safe and secure environment, lawmakers have developed a suite of policies prescribing proper practices for electronic financial activities. Electronic payment processors are primarily responsible for the ground-level enforcement of these laws and regulations and, in fact, they have developed a robust system of international self-regulation.
Despite the significant developments made in the legal structures that regulate electronic financial activities, new issues are constantly arising. For example, the landmark case of Murphy v. NCAA may have raised more questions than it answered regarding the legality of online sports betting in the United States. Further, cryptocurrencies have puzzled federal regulators across several jurisdictions, as this new financial technology does not squarely fit into the existing regulatory structure. As the law and technology continue to evolve, it appears that one will constantly be playing catch-up to the other, and we can be sure that advancements in technology will bring up novel questions of laws for the legislatures and courts to grapple with.
[1] Number of Worldwide Non-Cash Transactions for North America, Europe, Mature APAC, Latin America, Emerging Asia and CEMEA in 2010, 2011, 2012, 2013, 2014, 2015, 2016E, 2017E, 2018E, 2019E and 2020E, Capgemini, (2018) https://www.worldpaymentsreport.com/ (citing Capgemini Financial Services Analysis, 2017; Internal Estimates; Bank for International Settlements Red Book, 2015 figures released December 2016; Internal Estimates.)
[2] Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (Nov. 12, 1999), codified as amended at 15 U.S.C. § 6801 et seq (also known as the Financial Services Modernization Act).
[3]What Are Card Not Present Transactions?, Laws.com, (2017) https://fraud.laws.com/credit-card-fraud/card-not-present (last visited July 19, 2018).
[4] Gramm-Leach-Bliley Act, Federal Trade Commission, (2018) https://www.ftc.gov/enforcement/statutes/gramm-leach-bliley-act.
[5] Id.
[6] Id.; FDIC Compliance Examination Manual, Federal Deposit Insurance Corporation (June 2016), https://www.fdic.gov/regulations/compliance/manual/8/viii-1.1.pdf.
[7] FDIC Compliance Examination Manual, Federal Deposit Insurance Corporation (June 2016), https://www.fdic.gov/regulations/compliance/manual/8/viii-1.1.pdf
[8] 16 C.F.R. 681.1.
[9] Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business, Federal Trade Commission (2013) https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business#edn1.
[10] Id.
[11] Id.
[12] PCI Security, PCI Security Standards Council, (2018), https://www.pcisecuritystandards.org/pci_security/ (last visited July 26, 2018)
[13] EMV Liability Shift: Why it Pays to Adopt New Technology, Visa (2018)https://www.visa.com/chip/merchants/grow-your-business/payment-technologies/credit-card-chip/liability-shift.jsp.
[14] What Are Card Not Present Transactions?, Laws.com, (2017) https://fraud.laws.com/credit-card-fraud/card-not-present (last visited July 19, 2018).
[15] Professional and Amateur Sports Protection Act, Pub. L. 102-559, 106 Stat. 4227 (Oct. 28, 1992).
[16]Murphy v. National Collegiate Athletic Association, 138 S. Ct. 1461, 1478 (2018)
[17]Unlawful Internet Gambling Enforcement Act, Pub. L. No. 109-347, 120 Stat. 1952 (2006), codified as amended at 31 U.S.C. § 5361 et seq.
[18] See generally Jerry Brito & Andrea Castillo, Bitcoin: A Primer for Policymakers 1, 5 (2016) https://www.mercatus.org/system/files/gmu_bitcoin_042516_webv2_0.pdf.
[19] Jay Clayton, SEC Chairman, Statement on Cryptocurrencies and Initial Coin Offerings, U.S. Securities and Exchange Commission, https://www.sec.gov/news/public-statement/statement-clayton-2017-12-11 (last visited July 26, 2018); Riley McDermid, No One Federal Agency Has Jurisdiction Over Bitcoin Trading, Causing Concern, San Francisco Business Times, (Dec. 27, 2017), https://www.bizjournals.com/sanfrancisco/news/2017/12/27/no-federal-agency-has-jurisdiction-over-bitcoin.html.
[20]United States Security and ExchangeCommission, Report of Investigation Pursuant to Section 21(a) of the Securitiesand Exchange Act of 1934: The DAO, Release No. 81207 1, 1 (July 25, 2017).
[21] Testimony of CFTC Chairman Timothy Massad before the U.S. Senate Committee on Agriculture, Nutrition and Forestry, U.S. Commodity Futures Trading Commission, (Dec. 10, 2014), http://www.cftc.gov/PressRoom/SpeechesTestimony/opamassad-6.
[22] Internal Revenue Service, Notice 2014-21 at 1-2.
[23] U.S. Department of Treasury, Financial Crimes Enforcement Network, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, Guidance FIN-2013-G001 at 2 (Mar. 18, 2013), https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf.
[24] Selva Ozelli. Illicit Uses of Cryptocurrency Gaining Attention Around the World, CoinTelegraph (Feb. 20, 2018) https://cointelegraph.com/news/illicit-uses-of-cryptocurrency-gaining-attention-around-the-world-expert-take.