The emergence of m commerce promises great benefits, but also poses significant regulatory concern
The Emergence of M-Commerce Promises Great Benefits, But Also Poses Significant Regulatory Concern<br />Presented to<br />Professor Andrea Johnson<br />Submitted By <br />Keith A. Adams<br />This Paper is Submitted for Scholarly Credit <br />Table of Contents TOC o "
h z u Introduction PAGEREF _Toc229053913 h 3M-Payments and M-Commerce PAGEREF _Toc229053914 h 3Money Laundering Concerns PAGEREF _Toc229053915 h 3The Storm Looming on the Horizon PAGEREF _Toc229053916 h 3Stored Communications Act PAGEREF _Toc229053917 h 3How To Resolve The Catch-22 Regarding BSA Reporting PAGEREF _Toc229053918 h 3An Additional Housekeeping Matter PAGEREF _Toc229053919 h 3How to Reign Invisible NFC Transfers PAGEREF _Toc229053920 h 3Digital Know Your Customer PAGEREF _Toc229053921 h 3Conclusion PAGEREF _Toc229053922 h 3Bibliography PAGEREF _Toc229053923 h 3<br />Introduction<br />Mobile Commerce (M-Commerce), and more specifically Mobile Payments (M-Pay) and Mobile Banking (M-Banking), are a developing trend in the United States. This new technology has the capability to make the consumer’s life more convenient through additional payment options and has the potential to bring lower income persons into the banking industry. It can allow them to transfer money and make payments through more efficient and lower cost means, e.g. as it has in other countries, most notably the Philippines, where it is more developed. <br />M-commerce is the ability to conduct financial transactions using a mobile device, such as a personal digital assistant (PDA) or more commonly, a cellular telephone (cell phone). M-commerce can be broken down further into mobile banking (M-banking) and mobile payments (M-Pay). M-banking “is a subset of e[lectronic]-banking in which customers access a range of banking products, such variety of savings and credit instruments… M-banking requires the customer to hold a deposit account to and from which payments or transfers may be made.” M-pay “is simply the transference of value from payer to payee, as in a remittance or bill payment.” M-pay and M-banking operate under two business models, the bank centric model and the telecom centric model. In the bank centric model, “all value transfer subscribers need to have accounts/access cards and also have customer due diligence preformed by [a bank].” The telecom-centric models allow users to transfer value peer-to-peer (P2P) through the telecom itself, without the use of any banking institution., <br />While this technology holds much promise, it also poses risks in the terms of money laundering and terrorist financing, especially with Radio Frequency Identification (RFID) transfers among telecommunications accounts. RFID transfers are a form of device-to-device transfer, such as person “A” transferring money to person “B” via cell phone. These transfers can be done outside the regulatory schemes of the banking system. Worse, these forms of transfer may be conducted transnationally, allowing large amounts of illicit money to flow out of country “A” to country “B,” where the criminal suspect may more easily launder the proceeds.<br />Under the USA PATRIOT Act, Congress sought to clamp down on loopholes in the anti-money laundering (AML) regulatory scheme. One of these endeavors included expanding the term financial institution to cover most business engaging in wealth transfers. This expanded definition included the Bank Secrecy Act, which requires uninitiated reporting of financial transactions that reach a threshold amount or appear suspicious. However, in the Stored Communications Act, Congress forbids the uninitiated disclosure of various information by the telecom to the government, creating a privacy right. This privacy right also includes financial reporting that is required under the Bank Secrecy Act, creating a conundrum for the telecoms and law enforcement, as one statute requires uninitiated financial reporting to the government, but on the other forbids such uninitiated reporting.<br />As the United States is a late comer to M-pay, it can look to the example of other countries to find ways to limit money laundering and terrorist financing, while balancing the needs to minimize regulation to promote the new technology. To accomplish this, the US needs: <br /><ul><li>to clearly identify the telecoms as potential financial institutions,
resolve the regulatory uncertainty created by the conflicting duties the Bank Secrecy Act, 31 USC § 5311-5330, and the Stored Communications Act, 18 U.S.C. §§ 2701-2711, imposes on them, and
work with the industry to enable financial monitoring of RFID transactions as well as develop appropriate Digital Know Your Customer (DKYC) protocols for the telecoms. </li></ul>This paper with first explain the emergence and development of M-pay in the world economy, its effects on the populace and issues related to anti-money laundering efforts and counter terrorist financing (AML). Next, America’s efforts in AML will be discussed, starting with the Bank Secrecy Act, to the outright criminalizing of money laundering, including the modifications made under the USA PATRIOT Act. Then the Stored Communications Act will be discussed, and how it relates to the cellular telephone industry, specifically focusing on the congressionally created privacy right which conflicts with the reporting requirement under the Bank Secrecy Act. Then the best remedial measure that should be taken to balance the goals of each act will be explained, namely to maintain a statutorily created reasonable expectation of privacy along with the financial reporting requirements that allow law enforcement to indentify and ameliorate money laundering. Finally, there are improvements that can be made under the traditional Know Your Customer protocols in a new digital environment that can be enhanced under a Digital Know Your Customer scheme, potentially using biometrics to satisfy requirements for establishing accounts and monitoring ongoing financial transactions for potential abuses. <br />M-Payments and M-Commerce<br />There are three main platforms to engage in M-pay: 1) via the internet, 2) short message service (SMS) (i.e. text messaging); and 3) near field communication (NFC), which is “a form of Radio-frequency identification (RFID) technology that allows for wireless data communication between two enabled devices.” M-pay can be further broken down into “proximity payments and are typically initiated using NFC technology” and “remote payments … [that] are not transmitted by NFC but rather require payments to be initiated and settled through the mobile cellular phone network in combination with an associated payment network.” Additionally, these transactions can be conducted entirely through a traditional financial institution, such as a bank or credit card company, or through the telecom provider directly, potentially bypassing the traditional financial communities., <br />The adoption of this technology has not been consistent throughout the world. Asia is leading the way, using both the bank-centric model and the telecom centric model. Worldwide, there were 1.2 trillion SMS messages sent, a third of which were international. That number is expected to rise to 1.8 trillion in 2010. Further, it was noted that “[n]ot only is more of the world’s population using mobile cellular phones to make traditional phone calls, people around the world are also increasingly using these devices for a range of nonvoice services” such as SMS, internet, banking and making payments.<br />As of December 2007, there were 285.4 million cellular subscribers in the US, resulting in a penetration rate of 84%. While present M-pay adoption has been slow in the US, it can be expected to increase as the customer base becomes more and more familiar with SMS technology. One recent example is Amazon.com, which has a payment by text message function that operates through an individual’s banking institution. <br />There is also another payment option, NFC, which is a subset of RFID technology. RFID/NFC technology allows the payer to pay the payee through physical proximity. A common example is the toll-less pay tags that can be found throughout the US, such as EZPass, which allows users to pass through a tolling station and pay their fare as they pass through the toll lanes. A commercial example includes Exxon-Mobile’s Speedpass, which is linked to a credit card and allows for purchases by waving an adapter over a sensor at a gas pump.<br />The term RFID describes a family of technologies in which (1) a “tag” contains an integrated circuit storing data that identifies or describes the tag itself, or the item it is attached to, or the person carrying it, and (2) the data can be read, wirelessly, by a separate device called a “reader.” The reader, in turn, is part of a system of networked computers that can take action based on the tag data they receive. <br />RFID’s can also be found in payment cards, such as Master Card and Visa. <br />A primary technical difference between contactless payment cards and NFC-enabled mobile cellular phones resides in the RFID chip and whether it is passive or active. Contactless payment cards are primarily based on passive RFID technology, while NFC is an example of an active RFID technology. Active tags have their own power source, and both can send (or initiate) and receive data transfers. By being able to both send and receive data, the potential applications for NFC-enabled mobile cellular phones are more robust than applications such as contactless cards, which rely on passive RFID. For example, an NFC-enabled mobile cellular phone may be used in a similar way to a contactless payment card: It may be tapped in front of an RFID-enabled reader, or alternatively, it may be waved over a magazine or poster that has a passive RFID chip associated with an advertisement. In this case, the NFC chip in the mobile cellular phone would use its power source to initiate data transfer with the passive RFID chip in the poster or magazine[.] <br />Within the next three to five years, one third of all handsets will be NFC capable. While the telecom companies have not settled on a standard frequency for NFC chips, the credit card companies have, adopting ISO 14443. Essentially, this gives the telecoms the opportunity to adapt to the credit card standard and implement NFC payments in the near future. As noted earlier, while the US is still in its infancy of NFC, especially when it comes to the telecoms, more mature markets, such as the Philippines, see the telecom “industry  quickly moving in the direction of Peer-to-Peer NFC value exchange.” It makes sense that this technology will further expand and grow within the United States, as well as throughout the rest of the world. <br />A benefit to the transition of M-banking, is it has the potential to offer banking services to those who presently lack it. It is likely that “underserved populations in the United States, in developing countries, and around the world are likely to adopt to various other mobile financial services models.” It is noted that 10% of the US population are unbanked, i.e. lacking the resources to establish a traditional bank account. The “Transformative” approach to market development and regulation seeks to “reach out to markets beyond the existing banked groups, through a product offering which meets the known needs of the unbanked groups.”<br />As M-banking and M-pay is conducted electronically and wirelessly, overhead expenses included in the old ‘bricks and mortar’ costs can be minimized. M-commerce also has the potential to cut out the middle man in various financial transactions. These cost savings have the potential of being passed onto the customer through competition, allowing for greater penetration of the underserved groups. As M-commerce is conducted through cellular telephones, the need to access to a specific physical location disappear, allowing persons without adequate transportation or physical proximity to a financial institution access to its benefits. <br />A recent example includes a SMS payment service in Rwanda, “where cellphone-to-cellphone [sic] finance is emerging as an enormous business opportunity.” The service allows forty percent of Rwandans to purchase their prepaid electricity via text message, saving them the effort of mailing invoices or visiting the electric company office. <br />However, some unique circumstances can arise with telecom centric models. One such situation involves being able to conduct transactions solely through the cellular telephone. One example in Kenya, “a telecommunications company, a mobile operator, and sellers of air time manage and facilitate a payment network that allows people to load and withdraw cash or send money from their mobile cellular phone.” This could also lead to the development where a cellular phone user can entirely fund his cellular account through various transactions, and make withdrawals at various locations, such as a McDonalds or Burger King, an activity currently done in the Philippines. In the telecom centric model, traditional AML practices could prove ineffective, as banks are not informed of financial transactions, thereby bypassing reporting requirements. The US has attempted to minimize this threat through a broad definition of the term ‘financial institution’ under 31 U.S.C. 5312. This definition is used for the AML statute. However, privacy legislation under the Stored Communications Act forbids telecoms from being able to report information to the government, creating a dilemma for the telecoms and law enforcement.<br />Money Laundering Concerns<br />In the US, Money Laundering (ML) was made illegal in 1986 by Title 18 U.S.C. § 1956. It has since been amended many times, most recently by the USA PATRIOT Act. It was the culmination of Congress’ attempt to identify the proceeds of criminal gains that started in 1970 under Title 31 U.S.C. § 5313, the Bank Secrecy Act (BSA) that required the reporting of all transactions of $5000 or more. This was following by the Title 31 U.S.C. § 5324, Anti-Structuring Act which made structuring transactions (Smurfing) to avoid the $10,000 threshold illegal. From here, the Congress finally made money-laundering illegal. In short, the AML statute forbids “[t]he process of taking the proceeds of criminal activity and making them appear legal.” <br />Money laundering is a multistage crime, consisting of placement, layering, and integration. Money laundering has also been noted to have specific choke points, namely entry in the financial system, transfers to and from financial system (or telecom in this case) and cross border flows of cash (which can also occur through the telecoms). These choke points also straddle the placement definition. The easiest way to detect money laundering is at the placement stage, and hence we have the Bank Secrecy Act reporting requirement. It seems that while the Bank Secrecy Act is a standalone offense, it is also an integral tool to the discovery of ML. <br />While there are numerous ways to engage in money laundering, limited only to the criminal’s imagination, there are certain methods which may provide for the greatest opportunity to engage in the activity. One example utilizes a wire service, which collects money at one point, and electronically tells a broker at another point to release funds to an identified party, i.e. Western Union. At the placement stage, the broker may collect money from several individuals, who are legally transmitting a remittance to their family in another country, such as Mexico. The broker also receives a sum from a criminal, such as a drug dealer, who needs to transfer money to Mexico, as well.<br />The broker will structure the transaction in such a way to avoid the statutorily required reporting requirement, also known as smurfing. Here, the broker will modify the amount of the unsuspecting workers, and add the drug dealers money, thereby failing to establish the $10,000 threshold, and avoiding the need to report a transaction to the government. The wealth is transferred to the destination, where the broker on the other side will separate the sums of money, giving the family their proper remittance and the money launderer in Mexico the drug proceeds. The next stage is layering. Here the money launderer will bury the money in a business, such as a tavern. The money launderer will report earnings that include the illicit gains from the drug dealer. The money launderer will then send the drug dealer the money as a return for his “investment.” The money has now been “integrated” into the economy and is clean and free to use.<br />In an effort to combat ML internationally, the G-7 created the Financial Action Task Force (FATF) in 1989. An important method the FATF developed, adopted by the US, was the Know Your Customer (KYC) protocols, also known as Customer Identification Program (CIP) and Due Diligence. “Due diligence” requires the financial institution to properly identify the customer seeking to establish an account, determine their address, while maintaining the veracity of such identification, obtain the purpose of the account, scrutinize transactions of the customer in order to identify suspicious activity or any other activity that is required to be reported and cross referencing lists of known of suspected terrorists or groups. Banks have the flexibility to decide how they will carry out the above tasks and to determine how much effort is needed to properly monitor in terms of the type of customer, account, business activity, etc. Typically, this is done in some type of face-to-face encounter with government documents presented, such as a passport, driver’s license, etc.<br />With the advent of electronic commerce, and online accounts, the concept of due diligence became difficult. Now, an individual could set up an account online and just mail off an initial deposit, and he would have an established account. For an example, E*Trade Banking allows you to set up a bank account online or via the mail. In order to address this change and adapt to a dynamic electronic environment, FATF determined that <br />if Internet payment service providers adequately monitor the financial transactions of their customers, monitoring for and acting on deviations from the customer transaction profile, the lack of face-to-face contact at the beginning of the relationship with the commercial website and the Internet payment service provider may not constitute a problem.<br />As the internet example applies to electronic and distant account formats, it can be easily applied to the telecommunications industry, which operates through a distant relationship electronically and over radio waves. The telecoms, through the cell phone, allow a customer to access the internet, browsing through various functions, just as if the user were sitting behind a computer monitor. The telecoms also have another feature, which allows the user to bypass the internet entirely, and conduct transactions through radio frequencies, via SMS messaging. In either case, the financial transactions are conducted remotely, with the potential of unverified users conducting transactions. This observance by FATF resolves the potential of denying services to those, especially in developing countries, who lack formal addresses, and so cannot be adequately identified according to the original due diligence standard. <br />The Storm Looming on the Horizon<br />While the above standards provide adequate tools for law enforcement to combat ML, there is a looming loophole in the regulatory system, peer-to-peer (P2P) transfers. P2P is an unmediated transfer between two parties, i.e. person A directly provides a monetary instrument to person B, without the aid of a payment website, like PayPal or a bank. FATF has determined this type of transaction to be vulnerable to ML activity in the context of e-commerce, as well as others. This vulnerability has been countered through the efforts of Internet Payment Service Providers (IPSP) to “put in place systems to detect, monitor and analyze suspicious transactions – even for small amounts.” <br />However, there is a significant difference between an online monetary transfer and a mobile NFC transfer. The online transfer still goes through the IPSP whereas the mobile NFC payment can potentially avoid going through the bank or telecom, and transfer wealth directly and avoid monitoring. This can be accomplished through a NFC transfer that allows active and passive RFID chips to communicate directly, rather than through cellular towers. This direct cell phone-to-cell phone communication can allow for financial transactions. While some type of activity will be reported to the bank, in terms of new balances, this can be completely avoided through the telecom centric model. <br />At this time, it is also worthy to note Digital Value Smurfing (DVS). DVS is merely the digital structuring of transactions in order to avoid tripping the reporting requirement of Bank Secrecy Act and AML statute. However, there are concerns inherent in DVS, particularly in terms of mobile transactions. If a smurf is caught, he may speed dial funds to a new location where law enforcement may not be able to respond in a timely manner or the smurf may destroy the Subscriber Identity Module (SIM) card or the entire cell phone, destroying any physical evidence linking him to a crime.<br /> <br />Stored Communications Act <br />In 1984, Congress passed the Electronic Communications Privacy Act, 18 U.S.C. § 2510, which included the Stored Communications Act, 18 U.S.C. §§ 2701-2711 (SCA). This Act sought to enhance the general Fourth Amendment protections to electronic and radio communications from seizure by the government by creating a duty on the telecoms to protect such information under a criminal penalty. The Act also regulates what kind of information the provider can release to the government and the processes by which it can voluntarily provide information to the government. A SIM card is a computing device, and as such, stores and sends electric signals covered by the act.<br />While this Act generally discusses email and electronic communications, a quick look to the definitions of the Act reveals that it also includes cellular communications. 18 USC § 2510 part 12 states an “‘electronic communication’ means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce…” This definition encompasses the radio waves used by SMS texting and NFC that would be engaged in by the cellular users. As a result, this Act can prevent the telecoms from reporting financial transactions of their customers to the government because the communications fall under the radio waves protection created by Stored Communications Act. This results in a conflict between this Act and the AML laws resulting in an interference in government criminal and anti-terror investigations.<br />This definition continues; however, to state specific exclusions, including “(D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds…” It does not provide a definition of a financial institution. This lack of clarity creates a conundrum of whether a financial institution one that primarily engages in financial transfers of payments, making it central to its business model, or whether it incorporates institutions that may engage in an electronic funds transfer (ETF) ancillary to its main business, similar to receiving cash back at the supermarket after writing a check or using a debit card for an amount over the balance. If the later, then many businesses would be caught within its web, if not, then the telecoms would not be included as their core business is communication. <br />Under Black’s Law Dictionary, a financial institution is a “business, organization, or other entity that manages money, credit, or capital, such as a bank, credit union, savings-and-loan association, securities broker or dealer, pawnbroker, or investment company.” “[W]hen the statute's language is plain, the sole function of the courts-at least where the disposition required by the text is not absurd-is to enforce it according to its terms.” This is especially true where the Congress has taken the effort to provide a specific definition to the term “financial institution,” as in 18 USC § 1956, which is “given [the] term in section 5312(a) (2) of title 31.” This tends to show that if the Congress had intended the more expansive definition under §5312, the Congress would have provided for it. A telecom may fall under the Black’s definition of a “money service business,” but the Congress chose not to use that specific term. Due to the different definitions of “financial institutions” and the convergence of telecommunications and ETF’s, it is quite possible the government would seek the more expansive definition under §5312. This can create ambiguity for the telecoms. <br />The Act has two primary functions: <br /><ul><li>Regulating a response to a government request for information, and
The uninitiated release of information to the government from the provider. </li></ul>While AML laws require financial institutions to report financial information to the government without a government request, under a telecom centric M-pay model, the Stored Communications Act forbids such uninitiated reporting. As the telecom centric model can work outside the purview of a bank, it creates the potential of the Stored Communications Act forbidding any uninitiated reporting of suspicious or routine financial transactions that otherwise would be reported. <br />“Under the private search doctrine, the Fourth Amendment is wholly inapplicable to a search or seizure, even an unreasonable one, effected by a private individual not acting as an agent of the Government or with the participation or knowledge of any governmental official.” Eighteen U.S.C. § 2702 creates privacy safeguards by providing that a provider of an “electronic communication service” shall not divulge the contents of a communication held by it and shall not divulge information it receives on behalf of the user via an electronic transmission provided the user does not authorize such a release. The Act goes further and states that the service provider shall not knowingly release a “record or other information” pertaining to the user to “any governmental entity.” In addition to creating the crime, this title also provides for a punishment for non-commercial benefit, which is generally a fine and/or imprisonment of not more than one year for a first offense, or more than five years and/or a fine for other convictions under the statute. The Act also includes exclusions for law enforcement, but they consist of specific government requests for information and emergencies, and not routine disclosures by the telecoms to satisfy Bank Secrecy Act requirements.<br />The courts have drawn lines between a wealth transfer service that utilizes an electronic format and a communications provider providing the means for a wealth transfer. In Standefer, the court had the opposite issue, a financial institution using an ISP, in contrast to our dilemma, the telecom transferring wealth in its own right. In Standefer, Standefer, the defendant in a child pornography case, transferred a payment for access to a child pornography website using e-gold. E-gold had accepted a deposit from the defendant and allowed the defendant to fill out a form on e-gold’s website to transfer a sum to the child pornography website. In differentiating between the wealth transfer service and communications provider: <br />[t]he Court concludes that e-gold is not a service which provides users the ability to send or receive electronic communications, rather e-gold is a service which utilizes the ability to send or receive electronic communications to permit the instant transfer of gold ownership between its users.<br />(Emphasis in original). The court also cites a Senate report stating “Existing telephone companies and electronic mail companies are providers of electronic communication services,” which differentiates it from e-gold’s service. <br />Essentially, what has been created is a money laundering protection because the Stored Communications Act forbids the telecom from reporting on the electronic/radio messages. These messages fall clearly within the statute. Further, inside these messages contain the financial transaction activity. The irony is that the telecom centric M-pay enjoys greater privacy for transactions than their bank centric counterpart. This gives it a competitive advantage and opens the door for an unscrupulous telecom provider to assist in the laundering of funds. Even if the telecom wanted to report transaction information, the statute forbids it under a criminal penalty. Thus, the only way for the government to gather the information is through the subpoena or warrant process, but the concept of the Bank Secrecy Act is to provide the government the information that there is suspicious activity. We have a legislatively created Catch-22, as the telecoms have an affirmative duty to not report violations of the Bank Secrecy Act and anti-smurfing acts that were created to give the government the information needed to pursue AML activities. <br />How To Resolve The Catch-22 Regarding BSA Reporting<br />Before Congress looks into new regulatory mechanisms to combat ML, they first need to assess concerns about the market as a whole and the need to balance regulations with the need to keep the market open and free, to allow companies to experiment and innovate. “In any new market, enablement requires a blend of legal and regulatory openness, which creates the opportunity to startup and experiment, with sufficient legal and regulatory certainty that there will not be arbitrary or negative change to the regulatory framework, so that providers have the confidence to invest the resources necessary” to develop and expand their industry (emphasis in original). Thus far, the United States has not passed substantial legislation, allowing the States to take the lead. <br />Another consideration is the role of the Stored Communications Act in the first place. Its goal is to protect the privacy of individuals from dissemination of their communications, especially to the government. The Fourth Amendment offers weak protections from intrusion of a person’s expectation of privacy of electronic and mobile content. The Fourth Amendment applies to the government. Non-government actors are free to look over electronic communications placed within their control, such as an email sitting in one’s email inbox on a server. Further, many electronic companies are third parties. Once content is delivered to them for storage, it may be deemed that the customer had ceded control to them, destroying a reasonable expectation of privacy. Where a reasonable expectation of privacy was non-existent, Congress legislated one.<br />From these concerns, the goal is to balance the need to effect financial reporting while protecting a Statutorily created Reasonable Expectation of Privacy (SREP) while minimizing cumbersome regulation. First, Congress must decide where to insert a new of modified regulation, under Title 47, which governs telecommunications, under Title 31 which governs financial transactions, or under Title 18, which contains the criminal code. As the conflict of regulation exists outside of Title 47, it can easily be excluded. The question becomes whether Title 31 or Title 18 should give way to the other. <br />As stated earlier, the purpose of the Bank Secrecy Act under Title 31 is to require reporting information to the government that is suspicious or would be useful in a criminal investigation. In short, the Bank Secrecy Act assists in criminal investigations for crimes found under Title 18 as it prevents banks from being used, knowingly or not, as a conduit for money laundering activities and creates a paper trail that the government can later use for investigatory purposes. The Bank Secrecy Act also provides penalties of its own, and has been held to be a separate prosecutorial offense from money laundering. <br />The Stored Communications Act is a privacy act. It also is a standalone crime with punishment. The Act’s sole function is to create an SREP, which would naturally give way to a privacy invasion under reasonable circumstances. Further, it already contains exclusions, such as releasing information for law enforcement to respond to an emergency. The Stored Communications Act sits in Title 18, whereas Bank Secrecy Act is firmly rooted in Title 31, financial transactions. It seems that taking the Stored Communications Act statute and placing it into the financial services regulatory regime could cause unintended effects and potentially expose the telecoms to excess regulation. However, taking 31 U.S.C. § 5311-5330 and inserting them into the Stored Communications Act as an exception to the prohibition to uninitiated disclosures to the government would adequately address money-laundering concerns while still adhering to Congress’ goal of securing privacy through creation of an SREP.<br />Eighteen U.S.C. § 2702 (c) should be modified to create an exception commanding the telecom to monitor and report financial transactions in accordance with 31 U.S.C. § 5311-5330. This would firmly allow telecoms to report suspicious transactions as required under Bank Secrecy Act.<br />An Additional Housekeeping Matter<br />To alleviate any ambiguities in regards to the telecoms and financial reporting, Congress should also modify the definition of a financial institution. Eighteen U.S.C. § 1956 uses the definition found under 31 U.S.C. § 5312 which defines a financial institution in very broad terms that includes a telegraph company and the general catch all that stipulates any business that the Secretary of the Treasury may deem as a financial institution as falling within the confines of the expansive definition found in 31 U.S.C. § 5312. , Congress should amend 31 U.S.C. §5312 to specifically identify the telecoms to put them on notice, which could most easily be accomplished under 31 U.S.C. §5312 (2) (S), modifying “telegraph” to the more expansive “telecommunications company.” This would serve as a clear and fair notice to the telecoms that they can be financial institutions and avoid the generic snare through a catchall phrase. <br />How to Reign Invisible NFC Transfers<br />Congress should work with the telecom providers to develop a system that will achieve the goals of law enforcement and regulators to detect and prevent money laundering while being inexpensive and convenient enough to avoid dissuading investment and innovation. Congress could seek to establish a financial monitoring and reporting requirement for the telecoms to adhere. This duty should not prove overly burdensome, as telecoms already monitor much information about the cell while it is on, creating an already established electronic infrastructure for Congress and the telecoms to exploit. Additionally, Congress and the telecoms can look to successful programs adopted in the Philippines, which includes transactions limits, transactions caps and a paper trail, i.e. deposit and withdrawal forms.<br />NFC transfers occur P2P, bypassing the cell phone tower, thereby avoiding scrutiny by cellular telecommunications companies, i.e. making the transaction invisible. This essentially creates the problem of allowing electronic transfers of money without anyone learning about the movement until the ultimate receiver of funds chooses to enter it into the system. It can be presumed that this end receiver would have put forth the effort into properly having had laundered the money, thereby using only clean money. <br />While these transactions are invisible, the cell phone is not. The cell phone is “always” in communication with cell towers, regardless of calling status, to provide its location and identify itself on the network. The reason for these “check-ins” is so the telecom can bill their clients according to use, allow service, and provide location finding/GPS services and comply with Wireless E911. Further, cell phones are individually identifiable. To further understanding, a brief explanation of what happens when a user turns a cell phone on follows:<br />All cell phones have special codes associated with them. These codes are used to identify the phone, the phone's owner and the service provider. <br />Let's say you have a cell phone, you turn it on and someone tries to call you. Here is what happens to the call: <br />When you first power up the phone, it listens for an [System Identification Code] SID … on the control channel. The control channel is a special frequency that the phone and base station use to talk to one another about things like call set-up and channel changing. If the phone cannot find any control channels to listen to, it knows it is out of range and displays a "
message. <br />When it receives the SID, the phone compares it to the SID programmed into the phone. If the SIDs match, the phone knows that the cell it is communicating with is part of its home system. <br />Along with the SID, the phone also transmits a registration request, and the [Mobile Telephone Switching Office] MTSO keeps track of your phone's location in a database -- this way, the MTSO knows which cell you are in when it wants to ring your phone. <br />The MTSO gets the call, and it tries to find you. It looks in its database to see which cell you are in. <br />The MTSO picks a frequency pair that your phone will use in that cell to take the call. <br />The MTSO communicates with your phone over the control channel to tell it which frequencies to use, and once your phone and the tower switch on those frequencies, the call is connected. Now, you are talking by two-way radio to a friend. <br />As you move toward the edge of your cell, your cell's base station notes that your signal strength is diminishing. Meanwhile, the base station in the cell you are moving toward (which is listening and measuring signal strength on all frequencies, not just its own one-seventh) sees your phone's signal strength increasing. The two base stations coordinate with each other through the MTSO, and at some point, your phone gets a signal on a control channel telling it to change frequencies. This hand off switches your phone to the new cell <br />(emphasis in original). Let's say you're on the phone and you move from one cell to another -- but the cell you move into is covered by another service provider, not yours. Instead of dropping the call, it'll actually be handed off to the other service provider. <br />If the SID [System Identification Code] on the control channel does not match the SID programmed into your phone, then the phone knows it is roaming. The MTSO [Mobile Telephone Switching Office] of the cell that you are roaming in contacts the MTSO of your home system, which then checks its database to confirm that the SID of the phone you are using is valid. Your home system verifies your phone to the local MTSO, which then tracks your phone as you move through its cells. And the amazing thing is that all of this happens within seconds ... <br /> <br />As can be seen, many things are going on while the cell phone is engaged in communications, regardless of calling status. This constant communication could provide the missing link to ensure adequate reporting of NFC transfers. Congress may seek to prod the telecoms to develop the technology, software, or just initiative to develop a way for the telecom to monitor for NFC transactions that have occurred and their amounts while the cell phone is transmitting its System Identification Code for network registration. In essence, Congress would create a duty for the telecoms to monitor for financial transactions occurring on their networks. <br />The result of these monitored and recorded NFC transactions would allow for compliance of Bank Secrecy Act reporting and recording standards. It would also provide a way for law enforcement to gather evidence if this technology were to develop to allow regular NFC transactions between people engaged in an illegal business, such as narcotics sales or prostitution. The suspects’ ability to hide or destroy evidence would be greatly hindered by a monitored network. Further, as these are electronic communications, they would also be protected by the Stored Communications Act, preventing unauthorized disclosure to government or private parties. This approach, if feasible, could satisfy Congress’ goals of privacy under Stored Communications Act with law enforcement and regulatory needs under Bank Secrecy Act and AML. However, as with many things, this is easier said than done, and the proper course of action would be for the Congress and telecoms to work together to formulate a satisfactory mutual solution.<br />A second option, one that is used in the Philippines is also available. In the Philippines, a company, Globe Telecom, offers P2P wealth transfers under the telecom centric model. It operates under a closed system, where the user can only transfer wealth to other Globe Telecom customers. In order to establish an account, the user must open the account in person, allowing Globe Telecom to perform traditional due diligence. Further, all withdrawals require a form to be filled out before funds are given. Probably most importantly, there are strict limits to the amounts of daily and monthly amounts that can be transferred, which are quite low. The financial caps, in effect, prices out ML activity, as the amounts are too small to launder money. Globe Telecom also monitors transactions.<br />While this can serve as a potential model for implementation in the US, it also has drawbacks. Namely, being a closed payment system could severally limit the telecoms and merchants ability to allow for transfers of wealth due to problems with service compatibility. Further, if one telecom becomes the dominant provider of m-commerce, it could monopolize the industry, as users and merchants may be reluctant to having to sign up for multiple cellular agreements to effect trade, and would naturally use only the most popular one. This restraint on trade would ultimately hurt the consumer, as their choice would be limited, and limited opportunities could result in limited innovation and certainly limited competition. Additionally, the SIM may be hacked and reprogrammed, thereby defeating built in NFC controls.<br />While Global Telecom’s solution may not be a perfect match for the expansive US telecommunications industry, it is worthy to note that Global Telecom has taken proactive measures to monitor financial transactions for irregular and suspicious activities. This monitoring occurs outside the NFC context, it does show that telecoms can efficiently monitor for illegal activities and seek to take counter measures to prevent or disrupt them. Another valuable tool that Globe uses is the withdrawal caps. These caps can be analogized to the ATM withdrawal caps in the United States, especially in response to suspicious activities. In short, there are opportunities and examples that Congress and the telecoms can look to develop appropriate safeguards to allow m-pay and m-banking to flourish.<br />Digital Know Your Customer<br />Another area that the Congress and telecoms can work to prevent and detect money laundering and enforcement of the Bank Secrecy Act is through proper due diligence, or Know Your Customer. KYC is a set of principals laid out by FATF that instruct banks how to prevent ML and Bank Secrecy Act violations by properly identifying customers, learning their habits, purposes for accounts, etc. As the digital world has expanded, it would be worthwhile to explore and recommend Digital Know Your Customer (DKYC) protocols that telecoms, regardless of whether they follow the bank or telecom centric m-pay or m-banking model, should enact, as physical distance will increase between customers and their accounts as they opt for more convenient methods of wealth transfers. <br />An interesting recommendation was made in a working paper of the Asian Development Bank, which discussed biometrics in the cell phone handset. Currently, there are wide variety of biometric handset security features available, including voice, facial and fingerprint recognition. However, the potential of hacking of the SIM was still possible, potentially allowing for defeating these countermeasures. Notwithstanding the caution, biometrics in other areas has helped prevent fraud. Research in the use of biometrics for visa application in Canada found:<br />Field trial enrolments [sic] for visa applications totalled [sic] 14,854. Of those 14,854 enrolments [sic], 394 matches were made because of multiple enrolments [sic]. Those match results show that biometric technology is a highly effective way to manage client identity:<br />97% of the fingerprint and facial biometrics enrolled were of high quality.<br />When facial and fingerprint recognition were combined, the system made matches in 100% of cases.<br />Verification was accurate in 96% of cases …<br /> While not completely alleviating concerns about SIM hacking, this study seems to support that biometrics can help prevent fraud. Fraud can allow cell phone users to swap accounts, establish false accounts, etc, so that they may be able to avoid financial transfer caps or to be able to structure transactions to avoid Bank Secrecy Act reporting requirements. <br />Another concern is whether biometrics can be cost effective or if imposing a new standard for m-commerce would cost too much. This maybe a red herring; however, as this technology already exists in other countries:<br />Japan’s leading cell phone provider, NTT DoCoMo, has recently launched the P930i, a new handset with the ability to recognize its owner’s face, and automatically lock down if anyone else tries to use it.<br />Simply storing three simple snapshots of your face on this cool new camera phone allows this innovative security feature to take effect, and protect your data from thieves and other prying eyes.<br />The feature is currently limited to the Japanese market, but with the help of new facial recognition applications, other countries aren’t far behind. Face Tracker, for example, a clever new piece of software from FotoNation makes it possible to follow a person’s face and auto-detect the best camera settings to take their picture.<br />While this example is not dispositive, it does show that the market is adapting to the new realities in the m-commerce world, so imposing heightened standards, such as biometrics as a form of DKYC would not impose an undue burden on the telecom industry.<br />Conclusion<br />Today, the United States is experiencing a new wave in the way business is conducted in the form of being able to use one’s cellular telephone to conduct business and banking transactions, i.e. engage in M-commerce. M-commerce has the ability to bring a new class of people who are traditionally underserved into the banking industry. Further, this development also will bring a new level of convenience to the consumer in the purchasing of various goods and services. This convenience also poses some regulatory concerns, especially in areas where various regulatory schemes seem to contradict each other. These contradictions can create uncertainty in the marketplace, potentially limiting investment, or worse, being exploited by unscrupulous telecom players to contravene various reporting and AML regulations, allowing for a black market to flourish, resulting in a greater reward for criminal behavior and potentially assisting terrorists in their nefarious schemes. <br />These uncertainties and risks can be adequately dealt with though, through modifying the current regulations, namely the Bank Secrecy Act and Stored Communications Act. Further, the goals of these acts, financial reporting and individual privacy, respectively, can be accommodated through a modification that adopts the Bank Secrecy Act under an exception of the Stored Communications Act. This adoption would allow the telecom to legally report financial transactions conducted through their communications without having to worry about violating the criminal code forbidding such disclosures. <br />The nature of banking is changing. Customers no longer need to go to the bank and meet with a teller in order to conduct a financial transaction. People no longer need to meet their banker before establishing an account with them. These personal contacts were at the heart of the traditional due diligence that a banker performed before establishing an account. With these changes in mind, it is important for Congress to work with the telecommunications industry in order to develop a Digital Know Your Customer protocol, possibly even utilizing biometrics to ensure financial transactions are properly conducted and reported.<br />Bibliography<br />Articles<br />Geoff Duncan, Cell Phones to Gain Face Recognition?, October 20, 2005, available at http://news.digitaltrends.com/news-article/8580/cell-phones-to-gain-face-recognition<br />Kerry Burke and Larry Mcshane, Citibank limits ATM cash in city, January 3rd 2008, available at http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html<br />Marshall Brain et al., How Cell Phones Work, available at http://www.howstuffworks.com/cell-phone.htm/printable (last visited April 14, 2009)<br />Mary Catherine O'Connor, Chase Offers Contactless Cards in a Blink, May 24, 2005, available at http://www.rfidjournal.com/article/articleview/1615/1/1/<br />Matthew Clark Matthew Clark, A texting entrepreneur embodies spirit of a new Rwanda, April 9, 2009, available at http://news.yahoo.com/s/csm/20090409/wl_csm/orwanda3<br />Telecommunication Industry News, New Cell Phone Features Facial-Recognition Security, October 30, 2006, available at http://www.teleclick.ca/2006/10/new-cell-phone-feature-facial-recognition-security-feature/<br />Cases<br />Dodd v. United States, 545 U.S. 353 (2005)<br />Rivera-Mercado v. Scotiabank De Puerto Rico-Int’l, 571 F. Supp.2d 279 (D.Puerto Rico, 2008)<br />United States v. Ortiz, 738 F. Supp. 1394 (S.D.Fla.,1990)<br />United States v. Standefer, No. 06-CR-2674-H, 2007 WL 2301760 (S.D. Cal . Aug. 8, 2007)<br />Warshak v. United States, 532 F.3d 521 (6th Cir. 2008)<br />Dictionaries<br />Black’s Law Dictionary, Financial Institution, (8th ed. 2004) <br />Black's Law Dictionary, money service business (8th ed. 2004)<br />The Free Dictionary, Legal Dictionary, Money Laundering, available at http://legal-dictionary.thefreedictionary.com/money+laundering, (last visited April 14, 2009)<br />Law Review Articles<br />Jonathan Weinberg, Tracking RFID, 3 I/S: J. L. & Pol'y for Info. Soc'y 777 (2008)<br />Orin S. Kerr, A User's Guide To The Stored Communications Act, And A Legislator's Guide To Amending It, 72 Geo. Wash. L. Rev. 1208 (2004)<br />Ross Panko, Banking on the USA PATRIOT Act: An Endorsement of the Acts Use of Banks to Combat Terrorist Financing and a Response to its Critics, 122 Banking L.J. 99 (2005)<br />Reports<br />David Porteus, The Enabling Environment for Mobile Banking in Africa, 2006, http://www.bankablefrontier.com/assets/ee.mobil.banking.report.v3.1.pdf (last visited April 14, 2009)<br />Financial Crimes Enforcement Network, Money Laundering Prevention, A Money Services Business Guide, available at http://www.msb.gov/materials/en/prevention_guide.html#Background%20on%20Money%20Laundering (last visited April 14, 2009)<br />International Money Laundering Information Bureau, Money Laundering - Some Measures To Prevent It, http://www.imlib.org/page7_wcwdo.html (last visited April 14, 2009)<br />James C. McGrath, Micropayments: The Final Frontier for Electronic Consumer Payments, 2006, available at http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2006/D2006JuneMicropaymentsCover.pdf (last visited April 14, 2009)<br />John Forbes, Effects of Cell phones on Anit-Money Laundering/Combating Financial Terrorism (AML/CFT) Wire Remittance Operations, 2007, http://www.adb.org/Documents/Others/OGC-Toolkits/Anti-Money-Laundering/documents/AML-Cell-Phone-Effects.pdf (last visited April 14, 2009)<br />Julia Cheney, An Examination of Mobile Banking and Mobile Payments: Building Adoption as Experience Goods?, 2008, http://www.philadelphiafed.org/payment-cards-center/publications/discussion-papers/2008/D2008MobileBanking.pdf (last visited April 14, 2009)<br />Financial Action ask T Force, The 40 Recommendations, http://www.fatf-gafi.org/document/28/0,3343,en_32250379_32236930_33658140_1_1_1_1,00.html#r4 (last visited 28 March 2009)<br />Statutes<br />18 U.S.C. § 1956<br />18 U.S.C. § 2510<br />18 U.S.C. §§ 2701-2711 <br />31 U.S.C. § 5311-5330<br />Websites<br />Amazon.com Corporate Website, Amazon Payments, available at <br />https://payments.amazon.com/sdui/sdui/index.htm (last visited March 22, 2009).<br />E*Trade Corporate Website, Complete Savings, available at https://us.etrade.com/e/t/welcome/completesavings, (last visited March 28, 2009).<br />EZPass Website, About EZPass FAQs, available at http://www.ezpass.com/static/faq/index.shtml (last visited March 22, 2009).<br />Government Printing Office, GPO Access, available at http://www.gpoaccess.gov/uscode/browse.html (last visited April 14, 2009).<br />Financial Action Task Force, About the FATF, http://www.fatf-gafi.org/pages/0,3417,en_32250379_32236836_1_1_1_1_1,00.html (last visited April 14, 2009).<br />Speedpass Commercial Website, Questions & Answers: Getting Started, available at<br />https://www.speedpass.com/forms/frmFaqs.aspx?pPg=faqStarted (last visited March 22, 2009).<br />United States Treasury, Money Laundering: A Banker’s Guide to Avoiding Problems, 2002, available at http://www.occ.treas.gov/moneylaundering2002.pdf (last visited April 14, 2009).<br />Wikipedia, e-gold, available at http://en.wikipedia.org/wiki/E-gold, (last visited April 10, 2009).<br />Wikipedia, Mobile Phone Tracking, available at http://en.wikipedia.org/wiki/Mobile_phone_tracking (last visited April 14, 2009).<br />Wikipedia, Subscriber Identity Module, available at http://en.wikipedia.org/wiki/Subscriber_Identity_Module (last visited April 5, 2009).<br />Wikipedia, Wireless Enhanced 911, available at http://en.wikipedia.org/wiki/E911#Wireless_Enhanced_911 (last visited April 14, 2009).<br />