Chapter 22 E-Money and Data Privacy
- International Monetary Fund
- Published Date:
- August 1999
I teach a graduate course in the evening at Georgetown University Law School called “21st Century Banking, Money, and Commerce.” The course is about moving information and money from the physical world into cyberspace; that is, the evolution of traditional payment systems into systems we do not yet understand in the electronic world. The course is 14 weeks long, but I will try to describe its essence in this short paper.
Just about everything I’m going to talk about is on a web page called the 21st Century Banking Alert at http://www.ffhsj.com/bancmail/bancpage.htm. It has about 200 or 300 articles on cyberspace, Internet banking, and electronic money. You can also subscribe to the page without charge and you will receive, by e-mail probably once a week, memoranda on what is occurring in the United States and globally with respect to electronic money, digital signatures, privacy, online banking, and bill presentment.
In the United States, between 1980 and 1995, consumer assets invested with banks—entrusted to banks—decreased to 17 percent from 34 percent. In effect, the U.S. consumer has found other places to put his or her money. At the same time, money market and mutual funds grew from a very small amount—something like $80 billion in 1980—to now being 40 percent larger than the entire commercial banking business in this country. In this 15-to-16 year period, there has been an enormous shift in the way the consumer looks at, invests, and deals with money.
It is important to note why and how people change their financial habits. In the United States, every financial services company is trying to navigate a very narrow river. Not only do large and medium-sized banks compete for customers, but also savings and loans, credit unions, Merrill Lynch, Prudential, Vanguard, Fidelity, and Charles Schwab. All functionally offer the same kind of service. This has all come about without many changes in the law because of changes in the marketplace and changes in consumer attitude about financial services.
In the banking business, there is a cultural distinction between the product and its delivery system. The people who create the products typically differ from those who deliver the products. Technology, however, has caused a convergence of the product and the product delivery system so that it is now hard to distinguish between the two. When banks have many different divisions handling electronic financial services, they are less capable of moving as quickly as the Charles Schwabs, the Vanguards, the Microsofts, and the First Datas of the world in response to events. Financial institutions will have to deal with this cultural problem if they are going to be competitive. Technology is underscoring the fact that financial institutions are intermediaries. But the Internet is eliminating the need for intermediaries by bringing the consumer face to face with information, and the investor face to face with investments. To the extent that financial institutions are intermediaries, they are going to have to change to cope with technology to remain relevant and bring value to transactions.
Mondex, begun by Midland Bank and Natwest Bank, unveiled a smart card on July 3, 1995, in Swindon, England. They picked Swindon because it was a discreet cultural and social environment 70 miles west of London that could be used as a laboratory to measure how this product would work. My wife was with me as we traveled around Swindon that day and used our smart cards. At one point, our guide put my wife in one public phone booth and me in the one next to her. She called me and, while we were talking, the guide asked her to transfer money from her card to my card. Her card was already in the phone paying for the phone call. She hit two buttons on the phone: “transfer value” and “value.” While we were talking, she transferred £5 from her card to my card without missing a beat.
The Mondex electronic wallet is interesting. The first question you must ask is why do you need a wallet? One reason is to make the electronic money function just like money. As a legal matter, it is probably not money. It is a stored obligation. But it certainly works like money.
Another kind of electronic money that is developing for Internet use is the credit card with secure electronic transaction (SET) technology. In effect, this product will enable us to use credit cards over the Internet safely and securely by simultaneously creating digital certificates and signatures that certify identities of users and the integrity of the messages.
In the United States, privacy is of great concern. The Clinton Administration recently put out a public policy statement on its view of privacy with respect to technology and the use of the Internet. I happen to be one of the early victims of information theft on the Internet. Last June, when the Chicago Bulls won the National Basketball Association Championship, my daughter, a Chicago Bulls fan, said, “Dad, I’d like the championship t-shirt and hat.” So, I figured that the easiest way to purchase them was on www.nba.com. I went to the NBA’s website and there was the hat and the shirt. I ordered them on a Sunday morning. The good news was that on Tuesday the hat and the t-shirt were delivered—almost instantaneous gratification. The bad news was that one week later, I went to my office and logged onto my computer, and the first message that came up on my e-mail was:
“Beware Mr. Vartanian. We have your name, address, phone number, credit card number, and all of the information which you supplied to www.nba.com.”
That was the first time in using the Internet that the hair on the back of my neck stood up. It was as if my house had been burglarized. The information I had sent, including all the confidential information that I had provided along with my credit card number, had been improperly accessed. That story was on the front page of the Wall Street Journal several days later. Somebody on the inside of www.nba.com had communicated a password to somebody outside who had used it to climb through a firewall and take information about 2,000 consumers who had bought something from the NBA that day. The NBA wrote and told me not to be concerned. The information wasn’t publicly available, it said; it was only an interior breach. That didn’t make me feel any better because the fact that the information was still secure from their point of view didn’t change the fact that somebody other than me had it. I had to cancel my Citibank credit card and watch for problems that might arise from improper use of the card or my identity.
CyberCash is an electronic money program in operation today. It started with an interesting idea. The consumer opens an account in an FDIC-insured bank, and CyberCash moves the money around virtually. It keeps records of the money in that account, how much belongs to the merchant, and how much belongs to the consumer. The money never leaves the bank, however. The key here is that the money always remains insured by the FDIC as opposed to a Mondex product where, once the money goes on the card, it’s out of the banking system, and it’s yours to use, to lose, or to abuse.
Digicash is a company that had its first incarnations in this country. It’s the brainchild of a famous encryption expert and is essentially a harddrive currency—that is, you load software on your computer. You then download money onto your hard drive. At that point, it’s yours to use, to lose, or to abuse. You can spend it anywhere on the Internet that will take Digicash dollars.
Lastly, the electronic check is an important commodity being developed by the Financial Services Technology Consortium (FSTC), a consortium of private companies and the Department of the Treasury. FSTC is trying to develop a system that uses the National Automated Clearing House Association (NACHA) to transfer money with the use of electronic checks. Instead of writing a check, you see a check on your screen, fill it out, click, and send it to pay for something.
Why do we need these electronic money products? Perhaps we do not, but there may be two reasons. First, the cash market in the world is huge. If you can capture a piece of the cash market through these products, there may be significant profits to be made. But even more important, if the Internet becomes the largest commercial marketplace this planet has ever known, and if, as the U.S. government claims by the year 2005 there will be a billion people on the Internet, you won’t need to get much of a percentage of each purchase on the Internet to make a lot of money. So the theory behind these products is that, if purchases and sales will take place over the Internet, there must be a way of paying for them.
Assume that the New York Times Company publishes its entire paper on the Internet. You may not subscribe to the paper, but you may want to read one article on a particular day. The New York Times may sell you that article, let’s say, for 10 cents. How do you transmit 10 cents? Certainly, you can’t take it out of your pocket and put it into your computer. You can’t use a credit card. A credit card costs 27 cents on average for each transaction because there’s so much back-end and front-end processing, and no one is going to allow you to spend 27 cents to charge 10 cents. Therein lies the key to these products. The average cost of swiping a smart card is less than a penny because all you are doing is transferring electrons from the chip in the card to a chip somewhere else through a phone line or a computer line. The systems are already there—no back-end processing, no front-end processing, and no middleware. If the Internet eventually becomes a large commercial marketplace, this form of money will find its best use there.
Let’s go one step further. If you take a Mondex wallet and imagine for a moment that you can merge it with a cellular phone, with a slot for a smart card, you have effectively created your own automated teller machine (ATM)—your own personal bank branch—that you can keep in your pocket. For example, you can be walking down the street and dial up your bank and just by pushing two buttons, as my wife did in Swindon, download $100 onto your smart card. You can then make another phone call to pay your utility bill, or call your daughter in college and transmit $50 to her so she can buy books. You have now personalized the bank branch concept, and it is now in your pocket or in your home.
Somewhere along the line, those marketing the smart card are going to figure out how to make these cards work from the point of view of loyalty, co-branding, discounts, and frequent flyer miles. I don’t think it’s going to be the banks or the technology companies. It’s going to be the marketers and the vendors who figure out how to marry the cost savings of this card with the marketing concepts of having a thinking chip in the card.
We’ve talked about the concept of money. We’ve moved it from the real world to somewhere in cyberspace. So looking at these new systems, what are the issues? What are the issues for me as a bank, a lawyer, or a central bank? For example, should nongovernmental entities be issuing this electronic money? In the United States, private concerns may not mint coins or paper money. Do we want private entities minting electronic money? And, if so, where is the central bank and liquidity for this product? What happens if one morning we read that a distributor of electronic money has failed. If I have $200 on the card, and I read in the morning papers that the minting company is failing because of ineptitude, fraud, bad luck, or because the code was broken and somebody has replicated the card, what will I do? I’d go back to the bank whose name is on this card, or I’d go to the mint, and I’d say, “Give me my dollars—give me my green money.” Or, if I am a little bit more anxious, I might go to an off-line Coca-Cola machine and purchase $200 worth of Coca-Colas, load them up into my station wagon, and take off.
One very basic issue in examining the issues raised by electronic money is, where is the money? Where is the obligation? Who is responsible at any given time for it? What happens if one party in the chain of distribution fails? You have to know where the principal obligation is. Is it in the bank? Is it on the smart card? Does it move to somebody’s hard drive? Who is responsible for it there, how does it get there, and how does it move? Or, is it held by a third party?
I do a lot of speaking on electronic money at meetings, programs, etc., where vendors demonstrate their electronic and Internet products. You cannot fail to be impressed with the number of companies manufacturing smart card technology, including cards, chips, and point-of-sale terminals. An enormous amount of capital is being devoted to that business and, yet, not an entity in this country is using a smart card. Why is all this capital going into this industry? The answer lies in the enormous cost savings that they can eventually produce. The average teller transaction at a bank in the United States costs $1.07. A credit card transaction costs 27 cents, but, to swipe a smart card costs 1 cent. Somewhere between 1 cent and $1.07, there’s a lot of cost to be wrung out of the system as financial services move from the physical world into this more ethereal cyberspace world. At the same time, however, what is saved in cost may be acquired in new risks.
In a report that we recently completed, entitled “The Management of Risks Created by Internet-Initiated Value Transfers,” we identified three factors that will change the characteristics of money and the risks in the payment system as the movement of money and information in the form of electronic commerce increases. The volume of money that can move, the velocity at which it can move, and the time it takes to move. Those three factors can change the risk-reward ratio in the systems we know.
In thinking about moving money electronically, you may ask, “Where is the payment and settlement system?” Have we moved to a different form of finance? Is it real-time finance? What happens when you begin to move money this way with no batching, no clearing, and no settlement? Where is the float? Who enjoys the float? Who are the winners and the losers in these new systems? The rules are beginning to change because of technology.
A few points on smart cards. Stored value that can be put on a smart card is only one element of a smart card’s value. It is pretty universally agreed that this is not the element that is going to make the smart card work. Why? Because, right now, people have green money, and having it on a card is not necessarily enough to make them want to use that card. Interoperability is also critical.
Merchants are not going to have 15 different point-of-sale terminals on their premises. Systems will have to be compatible. Multifunctionality is also important. How many applications can be put on one card? How many different operations can it support, including security? Smart cards can be used for identification, credit and debit features, stored value, identification, access to buildings, documentation of health insurance information, digital certificates and signatures, airline ticketing, and related loyalty programs and discount features, among others. One airline is conducting an experiment with its best frequent flyer customers and smart cards, allowing them to do almost everything with the card except fly the plane. They can get a boarding pass, check their baggage, gain access to the lounge, obtain a seat assignment, record their frequent flyer miles, and check into hotels and rent cars with one card.
Mondex is preparing to announce a test with Burger King. The customer will be able to walk into Burger King and swipe his card and never see a human being. The machine says, “Good morning, Mr. Vartanian. Glad to see you back. We know you’ve been here three times this week. We’re going to give you a free Coca-Cola for being here the third time.” The customer orders on a keyboard, eliminating having to order through a human being. There’s a loyalty program involved. Burger King will know what I order most of the time and may ask, “Do you want your regular Whopper and a Coke?” The smart card, if it is to be successful, will help the customer deal with what I call the three “Cs” that make new products work: cost, convenience, and confidence. The consumer is going to want lower cost, enhanced convenience, and to enjoy a high degree of confidence that the system works.
The chart on the screen represents a schematic of the way the retail payments systems in the United States work. For example, once a month, the utility sends a meter reader to read my meter and, if the meter reader can get past my dog, she reads the meter on the side of the house and records how much electricity I’ve used. She returns to the home office, loads the information onto the computer, and then produces an electronic message in the computer. The manual information that was received is now in digital form. Then, the utility de-digitizes the information by reducing it to a paper invoice, sticking it in an envelope, putting a stamp on it, and sending it through the post office to me. I then write a check, put it in an envelope, put a stamp on it, and send it through the mail to a lock box where the payment enters the clearing and settling process.
It is very clear from this example that the information can start digitally, and it’s very clear that it can end digitally. I can put the information onto my computer and pay the utility through my electronic bill payment system. But, if the information starts digitally and it can end digitally, why do you need everything in between? We may not! With electronic bill presentment, the system will see changes that will affect primary customer relationships and the need for payments systems.
At least for the foreseeable future, however, electronic data interchange and business-to-business commerce is where the first real changes in electronic commerce will happen. The retail consumer will be slow to move toward electronic commerce because of inertia. But businesses see the cost savings. A Silicon Valley client recently claimed that moving sales of his products onto the Internet would save 30 percent of overhead. The benefit of electronic commerce comes when business orders and payments can move at the speed of light in one electronic packet.
Should electronic money be treated like money? Is it money? In the United States, there is a law called the Stamp Payments Act of 1862 mandating that no entity circulate any coin, token, or obligation meant to be used as or circulated as money in a denomination of less than $1. It is a felony to violate this statute. But, is this statute applicable to electronic money products? Every country has statutes dealing with the creation and flow of money, and many will have to determine the applicability of laws such as these to electronic money.
Money-laundering enforcement agencies throughout the world are very concerned about electronic money. In the United States, the Financial Crimes Enforcement Network (FinCEN), which is a part of the Treasury Department, shares these concerns. Why? If you can move money across borders electronically at the speed of light, you have changed the dynamics of money laundering dramatically and have obviously made it harder for law enforcement.
What about consumer protection? In the United States, Regulation E deals with the movement of money electronically. But, it is not clear how or to what extent Regulation E applies to electronic money products. What kind of consumer laws do we want? What kind of protections do we need?
How do the central banks’ reserve requirements apply to electronic money? Does electronic money affect the money supply?
In this country, we have insurance for every deposit in a financial institution. How does deposit insurance apply to electronic money? In any new system, consumers will want to know when their money is insured and when is it not.
The 50 states all have escheat or abandoned property laws. Money in an account that has not been used for some time escheats to the state. If money is floating around on a smart card, how do we determine when and if it’s escheated? The bank will not necessarily know when the money has been used. How should escheat laws apply to electronic money?
In whose jurisdiction are you doing business when you do business in cyberspace? When you put something on the Internet, you are in a world without geographic boundaries. Where do you want to do business? How do you limit the business you are doing? I ask my clients the question a different way, “Where do you want to be sued?” This formulation makes them understand the question of jurisdiction a little bit better!
How will we understand who is on either side of cyberspace transactions? Cyberspace is an amorphous system, an unknown borderless area where one computer links up with another computer through wiring, routers, and servers. When X talks to Y, X does not know it is actually Y, and Y does not know it is actually X. Authentication is important in commerce. We cannot fully engage in commerce in cyberspace unless we know with whom we are dealing since a fundamental threat to any commerce is the ability to repudiate a transaction.
The application of laws in this borderless world of cyberspace also requires legal uniformity. In the United States, numerous states are writing their own digital signature statutes. Each one is different. It is going to be very difficult to do business in a country where every state has a different digital signature statute. The National Conference of Commissioners on Uniform State Laws is developing a uniform electronic commerce law, but it will take a long time and, meanwhile, the states and other countries around the world will create patchwork electronic commerce laws, rules, and conventions.
Privacy is an absolutely critical question for financial institutions in this rapidly changing world. Yesterday, the Administration issued a document (accessible on the White House’s website) concerning privacy. First, the Administration wants legislation to protect medical records. Second, it wants a universal website for people to opt out of the collection of information about them. Third, it wants rules established to protect privacy. The President has called for a privacy summit on how technology and privacy clash, and how we can protect the consumer.
With respect to financial institutions, the issue could not be more germane because these institutions have some of the most private financial information about consumers. How they collect, use, control, correct, or abuse that information is becoming a critical issue with consumers. The disclosure document of one big bank on the east coast says that it will not give out any information about its customers unless it is provided to an affiliate, or a subpoena is issued under due process, in which event it will notify the customer that it has been asked to provide that information. Another big bank in California discloses, in a very legalistic disclosure document, that it retains the discretion to give any information about a depositor to anyone that it sees fit to give it to. Those are vast differences in the concept of privacy. There is no substantive federal grant of financial privacy and no regulation of disclosures regarding privacy. That is for better or worse, a situation that may change.
The Federal Trade Commission (FTC) has surfed the websites of 100 banks to search for privacy principles and determine how those banks purport to handle the information they gather about consumers. Initial reports suggest that the FTC is dissatisfied with what it has seen.
How much privacy do we want and how does the government play a role in achieving that level? We all want a high level of privacy, but we also trade our privacy away every day. We sell privacy about ourselves—free software in return for information about you. You may provide the information because you want $19 worth of free software.
Everyone claims that they want strict privacy laws and complete control of information about themselves. But, if I said that someone in this room is a murderer, would you want this fact kept private? You would begin to balance your individual need for privacy against the protection of the greater good. No one would want a murderer to have the same right of privacy. Balancing is always going on. But, who should control that balancing? The government? The consumer? The government is proposing that institutions engage in self-regulation, a phrase you are going to hear very often, especially when it comes to privacy. A central group within an industry may produce a code of conduct with respect to privacy, and each member of that group may be expected to adopt it. The real issue, however, in such a system is whether there is an underlying enforcement mechanism with teeth that subjects violators to enforcement.
There is no central source of privacy protection in this country. No part of the U.S. Constitution talks about privacy. No federal law creates a substantive right of privacy. An interesting issue arises in Europe, particularly with respect to EU Directive 95/46, which became effective as of October 1998. EU Directive 95/46 effectively says that, subject to certain exceptions, personal data about any individual cannot be transmitted from the EU if it is moving to a country that does not have “adequate privacy protection.” In the United States, the Fourth Amendment prevents unlawful searches and seizures, but does not deal directly with privacy. Many of the 50 states, however, do have affirmative privacy laws. On the federal level, there is a patchwork of statutes in this country that have some bearing on the protection of privacy. I will just briefly summarize some of them.
The Fair Credit Reporting Act of 1970 prevents reporting agencies from reporting credit about individuals, unless it is done under the guidelines set forth in the Act.1
The Privacy Act of 1974 prevents the government from providing certain information about individuals.2
The Right to Financial Privacy Act of 1978 prohibits the government from obtaining information from banks about their customers without giving proper notification.3
The Electronic Fund Transfer Act of 1978 and a host of other laws essentially say that it is illegal to steal electronic information.4
In the United States, the American Bankers Association, the Consumer Bankers Association, and the Bankers Roundtable, among others, have adopted principles of privacy obtainable on their websites. They expect their constituents to adopt these principles, but they cannot enforce them.
When may we, as individuals, expect that information that we put into cyberspace is private? Who owns it? This area is yet to be developed, and the American Bar Association is exploring and evaluating many of these issues. Employees use employers’ computers to send personal e-mails every day. Are they private? The law generally suggests that if an employee is using company hardware, company software, and company lines, the message belongs to the employer. A survey done recently by Fortune magazine found that 21 percent of corporations in the United States routinely search employee computer files to determine what employees are doing in cyberspace. The principle of privacy must be redefined over time simply because technology has changed the format in which the information moves, the speed at which it moves, the way it is collected, and who has access to it.
15 U.S.C. §§ 1681–1681u (1994 & Supp. III 1997).
5 U.S.C. § 552a (1994 & Supp. III 1997).
12 U.S.C. §§ 3401–3422 (1994 & Supp. III 1997).
15 U.S.C. §§ 1693–1693r (1994 & Supp. III 1997).