
Transcript of 13594800_2.PPT

Page 1: 13594800_2.PPT

WELCOME

Added experience. Added clarity. Added value.

VANCOUVER CALGARY EDMONTON SASKATOON REGINA LONDON KITCHENER-WATERLOO GUELPH TORONTO MARKHAM MONTRÉAL

Page 2: 13594800_2.PPT

Mobile Banking

The Osgoode Certificate in Regulatory Compliance & Legal Risk Management for Financial institutions

April 21, 2015

Lisa Abe-Oldenburg

Miller Thomson LLP

Page 3: 13594800_2.PPT

Agenda – Mobile Banking

• General Overview

• Regulatory Background

• Risks and Challenges

• Risk Mitigation Strategies and Controls

• Further Thoughts…

Page 4: 13594800_2.PPT

General Overview

• Mobile Payment via Cellphone – Visa’s First NFC Mobile Payments Trial - March 16, 2006

– Visa PayWave applet

• Mobile wallet wars - Apps (e.g. Google wallet, Apple Pay, Enstream's "Zoompass") – Store and access card credentials, e.g. prepaid, credit, debit, loyalty, etc.

• Square - mobile POS/card reader

• Digital Retail Apps – patent for in-aisle payment for seamless customer experience

Page 5: 13594800_2.PPT


General Overview

• In November 2012, CIBC launched its Mobile Payment App (now available for Android and Blackberry), allowing contactless payment via Rogers smart phone and CIBC Credit Card

• In March 2013, Interac processed its first NFC mobile or contactless debit transaction in Canada, which was one of the first globally from a domestic debit network

• Banks and credit unions now offer their own remote cheque deposit image capture solutions

Page 6: 13594800_2.PPT


General Overview

• Mobile payments involve the storage, provisioning and management of card credentials

• NFC vs. QR Code vs. Cloud

• Credentials (ID) stored locally/physically (cards and chips) vs. centrally/online (software, servers, clouds and databases)

• Must be a “secure element” (SE)

Page 7: 13594800_2.PPT

General Overview

• Credentials could include not just Payment Credentials, but also Identification Credentials, Ticketing Credentials, Incentive/Reward Program Credentials, etc.

• Secure Elements can be:

– integrated/embedded in device hardware or core/motherboard

– removable (iOS, USB, micro SD or SIM)

– wearable (EMV chips in tags, fobs, bracelets)

• SIM card vs. Hardware chip – Control and cost issues

Page 8: 13594800_2.PPT


General Overview

• New technologies may reduce risk

• Storage, provisioning and management of card credentials

• NFC vs. QR Code vs. Cloud

• Added security and user flexibility

• ID stored locally/physically (cards and chips) vs. centrally/online (software and databases)

• Issues not just about security - also convenience of issuance, consumer device capabilities, merchant acceptance, transaction characteristics

Page 9: 13594800_2.PPT

General Overview

• NFC:

– Complex issuance: TSM and Secure Element ecosystem

– Consumer device capabilities growing: 9 out of the top 10 OEMs support it

– Merchant acceptance: Standards based; Growing in select developed countries; US migration to EMV may speed adoption

– Transactions treated as "Card Present" – liability risk shifts to card issuer

Page 10: 13594800_2.PPT

General Overview

• QR Codes:

– Simpler issuance: Cloud based mobile application

– Consumer device capabilities: Ubiquitous – Only requires data connection; may require camera

– Merchant acceptance: Fragmented – No standards; numerous solutions available; Security model not yet fully defined; may require wireless connection

– Transactions treated as "Card Not Present" – liability risk shifts to acquirer/merchant

Page 11: 13594800_2.PPT

General Overview

• Cloud:

– Simpler issuance: Cloud based mobile application

– Consumer device capabilities: Ubiquitous – Only requires data connection

– Merchant acceptance: Fragmented – No standards; Security model not yet fully defined; requires wireless connection

– Transactions treated as "Card Not Present" – liability risk shifts to acquirer/merchant

Page 12: 13594800_2.PPT


General Overview

• Transaction Characteristics – Convenience vs. high value/risk transactions

• Convenience transactions are low value/risk (e.g., under $50) and may be effected just by waving the mobile device at the POS terminal

• High value/risk (e.g., $50 and greater) tends to require a combination of a mobile device at the POS and a pass code to be entered

Page 13: 13594800_2.PPT

General Overview

• Which model will win?

– Balance between security and convenience; consumers demand both

• Requirements for global scale adoption of mobile payments:

– Development of industry standards

– Overcoming barriers to acceptance

– Device and reader terminal availability

– Secure provisioning of card credentials

Page 14: 13594800_2.PPT

Regulatory Background

• Federal and Provincial Regulation

• Not all payments are regulated

• 2010 - Federally appointed Payments Systems Task Force to review the payments system, assess safety, competition, innovation and identify public policy objectives in operation and regulation

• 2012 - Report entitled Moving Canada into the Digital Age – Recommendations to Government to partner with private sector to create a mobile ecosystem, to build a digital identification and authentication regime, to protect Canadians’ privacy, to pass legislation to define a discrete payments industry and require payments service providers to become members, to create new public oversight, to create self-governance of providers to develop standards, protection of consumers, strengthen AML rules and to review the CPA

Page 15: 13594800_2.PPT


Federal Regulation

• Bank Act

• Federal Act respecting the Canadian Payments Association and the regulation of Systems and arrangements for the making of payments (Canadian "Payments Act")

• Federal Act respecting payment card networks ("Payment Card Networks Act") and regulations

• Federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act

• Federal Payment Clearing and Settlement Act

• Federal Bills of Exchange Act

• Federal Competition Act

Page 16: 13594800_2.PPT


Federal Regulation

• In March of 2012, OSFI issued clarification letter that Guideline B-10 (for outsourcing) applies to “cloud computing” implementations by federally regulated financial institutions

• OSFI Guideline E-5 concerning Retention/Destruction of Records

• OSFI Guidelines E-4A and E-4B concerning Record Keeping Requirements

Page 17: 13594800_2.PPT


Federal Regulation

• Privacy laws - Patchwork of Federal and provincial public sector and private sector privacy laws

• Federal Personal Information Protection and Electronic Documents Act ("PIPEDA")

• Big Data issues – reform is coming

Page 18: 13594800_2.PPT


Federal Guidance

• Canadian Bankers Association (CBA) mobile payment guidelines

• CPA rules and standards

• Code of Conduct for the Debit and Credit Industry

• EMV and ISO standards provide security, reliability and interoperability; align with existing card terminal technology

Page 19: 13594800_2.PPT


Provincial Regulation

• Consumer protection laws – provincial statutes and regulations

• Most Canadian provinces have enacted laws that govern gift/prepaid and credit cards

• Money Services Business regulations (e.g. Quebec)

Page 20: 13594800_2.PPT

Risks and Challenges

• The changing range of stakeholders:

– Smartphone/device/hardware manufacturers (OEMs)

– Mobile OS providers (e.g. Blackberry, MS Windows, Android, Apple)

– Wireless/mobile telecom network operators (MNOs, e.g. Bell, Rogers, Telus)

– SIM card manufacturers (e.g. G&D, Gemalto)

Page 21: 13594800_2.PPT

Risks and Challenges

• The changing range of stakeholders, cont’d:

– Cloud service providers (e.g. Google, Amazon)

– Financial institutions, card and credential issuers and acquirers

– Payment network operators (credit and debit), e.g. Visa, MC, Interac

– Terminal (POS reader) manufacturers

– Payment Processors (e.g. Moneris)

Page 22: 13594800_2.PPT


Risks and Challenges

– Trusted third parties (TSMs) for credential provisioning and management (authentication, certification), e.g. G&D, EnStream

– Mobile payment and wallet App developers and providers (e.g. Google, Apple)

– App stores, e.g. Apple

– Regulators, law enforcement, policy makers, industry associations

– Merchants, retailers, transportation, municipalities, governments, schools, hospitals, etc.

– Loyalty points service providers

– Consumers or end users

Page 23: 13594800_2.PPT


Risks and Challenges

• Effects of competition in evolving mobile market

• Risks of e-commerce e.g. data integrity, reliability, authenticity, authority (source)

• Liability risk, e.g. for errors, malfunctions, loss of data, security breach, delays

• Fraud risk, e.g. stolen cards, passwords, mobile devices, readers – reduced by adoption of chip cards (Canada, Europe, Japan, Hong Kong – not complete in U.S., so fraud moving south)

Page 24: 13594800_2.PPT


Risks and Challenges

• Legal compliance risk - How will the mobile payments provider meet FI's regulatory compliance requirements?

• Reputational and Security Risk - asset/data loss, security and privacy breaches, inability to retrieve or use data, failure to properly retain records

• Credential storage is a target for criminals – lots of information in one place

Page 25: 13594800_2.PPT


Risks and Challenges

• Liability Risk - Access and retrieval of software and data for the purposes of audit, compliance, litigation/eDiscovery, correction, deletion, end of service/termination, breach/failure, disaster or insolvency of payments provider

• Operational Risk - insufficient backups, disaster recovery and business continuity plans of mobile payments providers – often obligations and costs are pushed onto the FI

Page 26: 13594800_2.PPT

Risks and Challenges

• Operational and Legal Risk - Where is the data and which jurisdiction's laws apply?

• Data (and payments) can move easily across borders if network is big enough - moved around to where storage or processing is more cost effective, efficient or available

• FI could be unwillingly subjecting itself to the laws of a foreign jurisdiction

• Contracts or services in foreign jurisdictions could have conflicts with local laws, storage, handling of disputes, export controls, etc.

Page 27: 13594800_2.PPT


Risks and Challenges

• Risk of privacy breach with "BIG DATA"

• Security and Reputational Risk - Aggregation of vast amounts of personal information is possible especially when using mobile payment technologies

• Operational and Compliance Risk of suspension of services and no access to data upon termination or breach under mobile payment provider’s contract – data could be deleted (hijacked until fees paid or dispute resolved)

Page 28: 13594800_2.PPT

Contract Risks

• Limits on provider's liability may be too low - disclaimers, exclusions, short limitation periods; risk of liability shifts to FI

• What is your recourse if provider is in breach? If there is a service interruption/outage, errors, damages, loss, disclosure?

Page 29: 13594800_2.PPT


Contract Risks

• Payment solutions providers often will not give indemnities, will have disclaimers of liability and will ask for broad indemnities from the customer – must renegotiate!

• Watch out for terms that could be unilaterally amended by service provider, deemed accepted by use, or cross-referenced in other documents or hyperlinks – FI needs to know in advance what it is agreeing to

Page 30: 13594800_2.PPT


Risk Mitigation Strategies

• Review and train your personnel with respect to mobile payments technology, policies and supplier engagement processes

• Establish a Mobile Payments Executive Steering Committee that reports to the Board of Directors

• Proactive planning with all necessary stakeholders, e.g. chief information officer (CIO), Board of Directors, general and external counsels and auditors, supplier engagement/procurement process, privacy officers, records managers and compliance officers, is essential when evaluating and procuring mobile payment solutions

Page 31: 13594800_2.PPT


Risk Mitigation Strategies

• Continuous monitoring of mobile payment operations, products and services

• Conduct proper due diligence of service providers, the security of the technologies and facilities, and do proper legal contract review and negotiations

• Cutting corners can result in large losses later

Page 32: 13594800_2.PPT


Risk Mitigation Strategies

• Undertake thorough assessment of compliance requirements under applicable laws and regulations, e.g. federal and provincial regulations, standards and guidelines and other archiving/e-discovery/e-records obligations

Page 33: 13594800_2.PPT


Risk Mitigation Strategies

• Establish baselines for security, confidentiality, data integrity, access and retention

• Incorporate e-discovery tools and information management processes

• Create policy requiring segregation of data and control and access by FI and its regulators

Page 34: 13594800_2.PPT


Further Thoughts…

• Can FI manage mobile payments through its own resources or only through third party providers’ solutions?

• What is the service provider’s escrow program for encrypted data?

• What happens when data is stored or transported to other environments or devices, especially if they also contain other data?

Page 35: 13594800_2.PPT


Further Thoughts…

• How are upgrades, refreshes and maintenance handled? CASL compliance?

• What responsibilities does mobile payment solutions provider have for assuring proper patching and versioning control?

• What are acceptable outage and response times should an emergency take the system off line?

Page 36: 13594800_2.PPT

Further Thoughts…

• How will provider continue to maintain or otherwise support FI's data in a designated format to ensure that the data remains accessible/readable over the life of the data?

• Availability, compatibility, interoperability and scalability of provider's mobile payments solution?

• Discuss how FI data is destroyed. Methodology used? Can it be halted for litigation/discovery purposes?

Page 37: 13594800_2.PPT


Further Thoughts…

• Will the mobile payment solutions provider provide additional services that may be required, for example e-discovery tools?

• Is the provider familiar with FI information security, confidentiality, record keeping, privacy and other regulatory requirements?

Page 38: 13594800_2.PPT


Questions?

Lisa Abe-Oldenburg

[email protected]

905-415-6484

Page 39: 13594800_2.PPT

www.millerthomson.com

Added experience. Added clarity. Added value.


© Miller Thomson LLP, 2015. All Rights Reserved. All Intellectual Property Rights including copyright in this presentation are owned by Miller Thomson LLP. This presentation may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested from the presenter(s).

This presentation is provided as an information service and is a summary of current legal issues. This information is not meant as legal opinion and viewers are cautioned not to act on information provided in this publication without seeking specific legal advice with respect to their unique circumstances.
