Section 1 - Purpose
Mobile financial services (“MFS”), such as mobile banking, mobile payments and mobile commerce, represent a growing and promising class of mobile services for consumers. CTIA, in association with the leading U.S. wireless carriers, has developed these Best Practices and Guidelines (“Guidelines”) to promote clear and rewarding consumer experiences, to establish an environment where MFS transactions are authorized, secure, and compliant with applicable laws and industry guidelines, and to protect user privacy and financial data.
Section 2 - Applicability
These Guidelines apply to MFS Providers. MFS Providers are the parties that provide MFS to mobile users or provide back-end services supporting MFS transactions. Wireless carriers can be MFS Providers in certain circumstances, but do not constitute MFS Providers for purposes of these Guidelines merely because they provide wireless data services, application provisioning services, or similar standard functions to mobile users and MFS Providers.
Section 3 - Guidelines
A. Guidelines Specific to Mobile Banking and Mobile Payments
1. Authentication and Authorization
MFS Providers should use methods consistent with industry best practices to authenticate user identity and obtain user authorization for mobile banking and mobile payment transactions.
2. Banking and Payment Alerts; Transaction Records
MFS Providers should provide controls that allow users the ability to receive banking and payment alerts and notices in accordance with user preference. MFS Providers should also provide systems tha
3. Limiting Liability for Unauthorized Transactions
MFS Providers of mobile payment systems should disclose all material information regarding the liability, if any, that the user may have for unauthorized transactions or fraudulent use. MFS Providers of mobile payment systems should create policies that cap liability for unauthorized transactions. Such policies should, at a minimum, comply with liability caps required under existing legal requirements (e.g., $50 or other applicable liability cap for unauthorized credit card transactions or electronic funds transfers). MFS Providers should consider incorporating into the MFS controls that limit financial risk to the consumer, such as usage caps and spending limits.
B. Guidelines Specific to Mobile Commerce
1. Disclosure of Material Terms of Purchase
MFS Providers should disclose, in a clear and conspicuous manner, the material terms of each purchase, including a description of the product or service being purchased, taxes, surcharges, and other fees, and refund policies. These disclosures may be made off the mobile device.
2. Obtaining User Authorization
MFS Providers should obtain user authorization for purchases, consistent with industry best practices.
3. Receipts, Order Status and Account Information
MFS Providers should make receipts or proofs of purchase available for mobile purchases. MFS Providers should also provide systems that allow users to access order status and other information about their accounts. The appropriate methods of presenting such information (e.g., via an SMS message, email, on a website, on the mobile service bill, paper receipt, etc.) and the level of information available will vary depending upon the type of service.
4. Mobile Coupons, Rebates, Loyalty Programs, etc.
MFS Providers should disclose, in a clear and conspicuous manner, the material terms of mobile coupons, rebates, loyalty programs and similar products. Such terms include redemption values, expiration dates, fees, limitations on use and other restrictions.
MFS Providers of age-restricted products, services or applications must include clear and conspicuous warnings and use appropriate methods of age-screening or verification before allowing purchase.
C. General Guidelines
1. Disclosure of Terms; Disclaimers
The identity of the MFS Provider and all material terms relevant to an MFS should be disclosed in a clear and conspicuous manner to users prior to their use of the service. Such disclosures should include applicable disclaimers.
2. Consent to Enrollment in MFS
MFS Providers should obtain affirmative consent from the user for the enrollment of the user in an MFS. Notice should be given to the user that will allow the user to make an informed decision prior to taking any action that will result in the user incurring a charge (e.g., a charge for a text message that contains confirmation of a transaction, for data plan usage after enrollment, or to a wireless or payment account).
3. Compliance with Laws and Regulations
It is the responsibility of each MFS Provider to provide the products, services, software, and/or hardware provided by that MFS Provider in accordance with all applicable local, state, and federal laws, payment network rules, and mobile industry best practices guidelines.
4. Security of Data Transmissions
MFS Providers should utilize industry best practices to secure data during transmission. MFS Providers should not rely solely on GSM, CDMA or other wireless network security.
5. Security on the Mobile Device or in Storage
MFS Providers should use industry best practices to protect against unauthorized access to MFS data on a mobile device or in other storage locations. Such protections may include mechanisms for keeping software applications separate, keeping MFS data and MFS communications secure, and protecting memory from unauthorized access or modification.
6. Access Controls and Security of Sensitive Information
MFS Providers should offer access control options and tools that enable users to protect their data and to limit unauthorized party access to sensitive information on the device. MFS Providers should educate users on the importance of protecting their personal information, and how to use application security features and capabilities.
7. Fraud and Identity Theft Protection
MFS Providers should incorporate fraud-prevention techniques into their MFS and offer tools to protect users’ information, funds, credit, and identities.
8. Collection, Use, and Disclosure of Information
(a) Information Use. MFS Providers should provide clear disclosures about their access, collection, use, storage and disclosure of personally identifiable information. The MFS Provider should not access, collect, use, store or disclose the personally identifiable information for any purpose other than provision of the MFS, unless it provides appropriate notice and obtains consent from users. Such notice should explain, for example, the other intended uses (e.g., the use of the information for advertising) of the information. MFS Providers that use the information collected to create aggregate data should remove or permanently obscure the consumer’s identity and provide clear notice of such aggregation and use.
(b) Security Incident. In the event of a security breach, MFS Providers should notify consumers of such breach in accordance with relevant breach notification laws. MFS Providers should respond to the breach as the responsible party. Although wireless carriers are not responsible for providing notice, the MFS Provider should coordinate and collaborate with wireless carriers to ensure the wireless carriers are prepared for inquiries related to the incident. The MFS Provider should be the user’s main point of contact regarding the breach, and the wireless carriers should not be referenced in any breach notice.
9. Dispute Resolution Processes and Customer Service
MFS Providers should develop reasonable dispute resolution processes for handling disputed payments and transactions. MFS Providers also should have processes in place to address general customer complaints related to the use of the MFS. MFS Providers should provide customer service via an appropriate method (phone, online, SMS, etc.) and at commercially reasonable times. Responses to inquiries should be made in a reasonably expedient manner and as appropriate for that MFS. MFS Providers should make customer service contact information readily available so that customer service requests can be properly directed.