The whitepaper lays out a detailed argument for increased oversight and regulation of alternate payment providers (APPs) in order to ensure greater privacy and data security for consumers. APPs noted in the paper include: Apple, CurrentC, Facebook, Google, LevelUp, PayPal, Square, Starbucks, Stripe, Twitter and Venmo.
TCH argues that both banks and APPs collect and transfer sensitive account and personal data, but that banks are encumbered by privacy and data security regulations much more stringent than those required of APPs. While banks and APPs are subject to regulations established by the Gramm-Leach-Bliley Act, those regulations are administered by two different groups: the Federal Trade Commission for APPs (because those companies are considered technology companies) and myriad financial regulatory agencies (CFPB, FinCEN, FFIEC, and others) for banks.
TCH’s conclusion is that APPs receive a regulatory light touch, which leads to an unfair competitive playing field for banks, because:
• APPs are able to use the rails of the banks, but don’t carry the equivalent privacy and data security overhead
• Potential breach penalties for banks are harsher than for APPs; the compliance examinations that banks must undertake are far more rigorous than those for APPs; and so on
• Even the industry requirements to which APPs must adhere, such as PCI-DSS, are weaker than similar bank requirements
• The final indignity, according to TCH, is that banks have to bear most of the customer service and fraud expenses resulting from breaches, even breaches that might stem from APP data security lapses
TCH then suggests many remedies, which would subject both parties to similar regulatory regimes. The paper doesn’t call for any additional measures to be taken by banks, but suggests many legislative and non-legislative measures to be applied to the APPs.
* * *
On reading the paper, I’m reminded that TCH fulfills two functions: first, as a payments company competing for business against the Federal Reserve and other entities, and second, as a trade association that lobbies on behalf of its owners, 24 of the world’s largest banks. Seen through that lens, the paper reads as propaganda, primarily insisting that it’s not fair that the APPs don’t have the same costly and burdensome privacy and data security obligations as the depositories.
It is understandable that the TCH banks are aggravated that the APPs cherry-pick higher margin services and customers, and that APPs are increasingly disintermediating relationships between bank and consumer. Those banks now want the APPs to share the same heavy regulatory and compliance examination burdens. But simply insisting that the APPs suffer in equal measure to the banks isn’t a compelling argument.
It’s hard to argue against more rigorous consumer privacy and data security. Customers of non-banks deserve the same protections as those offered by banks.
The real question is, how might the regulatory authorities respond to this argument? It’s highly likely that the regulators will react as they have with other mature and highly regulated markets – by monitoring developments, allowing the free market to work, and keeping their hands off the regulatory tiller for as long as possible.
Established market incumbents, regardless of industry, often argue against business-model-disrupting innovators. We see it on a daily basis across media (Spotify), automobile manufacturing and sales (Tesla), transportation (Uber), and in other markets. Through their legislation, regulatory agencies must walk a fine line between protecting markets for fair competition, and restricting innovation.
We should expect APP innovation – and disruption – to continue status quo until the APPs reach a higher level of volume and velocity. After years of skirmishes between government regulators and big banks, how quickly should we expect those regulators to come to the aid of the banks?
In the meanwhile, the TCH has fulfilled an obligation to its 24 big bank owners by making a highly visible, public case against the APPs.