This chapter looks at other issues raised by witnesses and submitters to this inquiry, including:
Platform provider fees charged to merchants and the transparency of fees associated with making a mobile payment;
least-cost routing (LCR);
cybersecurity and sovereign risk, including the control of strategic national assets and counter-terrorism financing and anti-money laundering (CTF/AML);
consumer protections, including privacy and data protection, and issues related to the buy-now-pay-later (BNPL) sector; and
cross-border payments and remittances.
Platform provider fees for mobile transactions
Payment platform providers, Apple and Google, receive two main types of revenue associated with processing mobile transactions: processing mobile point-of-sale (POS) transactions and processing in-app payments. This section looks at competition issues related to both of these types of payments and discusses concerns around the transparency of these fees.
Fees for mobile POS transactions
Interchange fees (the fee charged to merchants for processing a transaction) have traditionally been charged to merchants by acquirers. This revenue is typically shared between acquirers, card issuers, and scheme providers (see Chapter 2). However, some mobile transactions introduce another actor vying for a share of these interchange fees. Mobile payment platform providers, like Apple, take a proportion of the interchange fee in exchange for providing the technological architecture through which mobile payments are initiated on a mobile device.
Mobile payments initiated at a POS in Australia generally do not incur direct additional fees for merchants or consumers relative to physical card payments. Other participants within the payments system may nevertheless face additional costs associated with making or receiving a mobile payment, which may ultimately be passed on to merchants and consumers.
CMS Payments Intelligence (CMSPI) consequently highlighted that merchants accepting digital wallets ‘may incur fees that are significantly higher than they would face for traditional card payments’.
Fees and charges associated with mobile payments typically mirror those of regular contactless credit or debit card transaction at a POS. As contactless mobile payments are generally routed through the international card schemes as opposed to the (generally cheaper) EFTPOS network, merchants may be paying higher fees for accepting mobile payments than they would be for payments made using a physical debit card. As Dr Anthony Richards from the Reserve Bank of Australia (RBA) acknowledged, while merchants do not face direct costs from accepting mobile transactions, ‘there could be some difference in the interchange fees applying to different sorts of transactions’.
Apple told the committee its mobile devices now support transactions processed through EFTPOS.
Apple imposes fees on card issuers for processing mobile transactions through Apple Pay. Issuers, acquirers, and card schemes must therefore share the interchange fee with the mobile payment platform provider (in this case, Apple). As James Eyers from the Australian Financial Review summarised:
Apple charges banks a few cents for every $100 of transactions, meaning the banks are giving up some of their heavily regulated interchange fee revenue from issuing cards to Apple, which operates outside payment regulation.
As Apple and other mobile payment platforms typically do not have direct commercial relationships with merchants, merchants do not face additional direct costs.
Apple also told the committee, ‘all card issuers pay the same fees and are subject to the same terms and conditions in their territory’.
In contrast, payments made through Google Pay do not require interchange fees to be shared.
Google stated in its submission:
When a payment transaction is facilitated between a consumer and merchant in Australia using Google Pay, Google Pay does not charge the merchant a fee. In addition, we do not charge acquiring banks or payment service providers (PSPs) for processing a Google Pay transaction.
Google also told the committee it ‘does not charge users for the use of Google Pay in Australia, whether to shop online or contactlessly pay at stores.’ Google further claimed that ‘there are no commercial relationships in Australia directly related to the use of Google Pay’.
Dr Richards nevertheless cautioned that while some mobile payment platforms currently do not charge a fee or only demand a small proportion of the interchange fee paid by merchants to acquirers, banks may be concerned that these fees could grow as the platforms become more entrenched.
Mr Chay Fisher also told the committee that while Google does not presently charge fees for transactions made over Google Pay, ‘their terms and conditions may allow them to use information from transactions potentially for other purposes’.
Apple rejected criticisms of the business model underpinning Apple Pay, submitting:
Comparisons to Android [Google’s mobile operating system], which chose to not introduce fees associated with its payment infrastructure, are baseless due to Android’s wider business model of monetising the data obtained from monitoring their customers’ transactions and behaviour. Apple’s business is manufacturing hardware, software and services, not monetising our customers. Banks that prioritise and advocate for a fee-free model are condoning the tracking and monetising of their customers’ data.
Evidence suggests Australian banks may be incurring fees from mobile payment platform providers in excess of those paid in other jurisdictions. Financial services news outlet, Banking Day, claimed, ‘Australian banks are incurring significantly higher fees for offering Apple Pay to debit cardholders than their counterparts in the US.’ The trade publication claimed Australian banks pay Apple between 0.04 per cent and 0.06 per cent of the value of transactions made through Apple Pay. In contrast, Apple Pay transactions in the US are reported to incur a flat fee of half a cent—around a third of the fee paid by Australian card issuers. The committee understands the US rate is for over-the-counter transactions only and does not cover in-app or
card-not-present transactions (such as online or over-the-phone purchases), which often incur higher fees).
Comparing Apple’s share of interchange fees in Australia to other jurisdictions, Duong and colleagues submitted:
Apple’s cut comes from the banks’ interchange fees since Apple does not allow banks to recoup the costs from customers. The average interchange fees levied by banks on retailers for handling card transactions in Australia is lower compared to international standards, especially in the debit card payments, but they are still higher than the credit card interchange fees in Europe.
Dr Duong and colleagues attributed the higher fees imposed on card issuers by Apple in Australia to ‘the market power of Apple and the high demand of Australian Consumers for the Apple Pay service’ (see also Chapter 5).
Commonwealth Bank of Australia (CBA) CEO, Mr Matt Comyn, also noted, ‘Apple makes no contribution to the infrastructure investments that are made at an overall payments level’—which he estimated at around $2 billion over the past five or six years—and has ‘no liability in and around fraud’.
Apple responded to Mr Comyn’s criticism, pointing to a range of significant savings enjoyed by banks using Apple Pay resulting from ‘near-zero fraud’ on Apple Pay, as well as savings from managing fewer physical cards and the growth of more efficient digital channels for customer engagement.
Apple further claimed:
In addition to the significant innovation and investment Apple has made into eftpos… it’s important to understand that Australian banks benefit significantly from Apple’s innovations and investments, including iOS and the App Store which banks have used to dramatically accelerate digitisation of retail banking, while innovations such as Touch ID and Face ID have brought world class security to how consumers authenticate when signing into their banking services.
Fees for in-app purchases
As discussed in the previous chapter, app marketplace providers (or app store operators) often require developers that sell goods and services through apps distributed on these platforms to use an in-app payment (IAP) system run by the app store operator. Developers report paying up to 30 per cent commission for each transaction or in-app purchase. The committee understands that physical services and subscription-based purchases usually incur a lower commission.
In its submission, dating service developer, Match Group, described these fees as ‘substantially higher’ than third-party alternatives or in-house solutions, thereby impacting the returns app developers receive, reducing incentives to invest and innovate, and likely increasing costs to consumers.
Match Group alleged that fees for in-app purchases were driven up by ‘excessive commissions’ charged by app store operators.
Apple defended its App Store revenue model to the committee, arguing 84 per cent of apps distributed through the App Store did not earn Apple any income. The 16 per cent of App developers that chose to sell digital content and services through their apps pay Apple a commission on ‘each transaction as compensation for tools, technology and distribution’.
Apple also argued that the commission charged to developers on their sale of digital content and services through the App Store is not a payment processing fee, but rather covers the business the platform drives to developers, as well as the tools, services, intellectual property, and support Apple offers to create apps. Apple further argued the economic viability of the App Store is predicated on the company’s ability to mandate a commission from developers.
Apple nevertheless announced plans in August 2021 in response to a
class-action filed by US-based app developers to allow developers to tell users about alternative ways to purchase digital content and services, thereby enabling developers to bypass Apple’s commission.
Google also defended its Play Store business model, telling the committee:
We have a service fee structure that enables us to develop, innovate and maintain Google Play. Developers on Google Play are subject to a service fee only where the developer generates revenue on digital transactions with this applying to less than 3% of app developers. For those subject to the fee, we charge a 15% service fee on the first USD $1 million generated each year on Google Play with a 30% fee imposed on revenue above USD $1 million.
Google outlined the costs that fees charged to developers using the Google Play Store contributed to, including the development and operation of the app marketplace, the development of tools and services, app development and developer support, app hosting and distribution, app discovery, compliance on behalf of developers, and payments for developers that choose to charge customers.
Google further argued, ‘it is not appropriate to compare Google Play with payment processors. Google Play provides developers with much more than that and such a comparison ignores the breadth and nature of our business’.
On this issue, the ACCC Digital Platform Services Inquiry report noted:
Multiple app developers have raised concerns with the ACCC in relation to the commission rates charged by Apple and Google on payments made for digital goods through apps (in-app payments) and the associated terms.
The ACCC considers that the lack of competitive constraint in the distribution of mobile apps is likely to affect the terms on which Apple and Google make access to their respective app marketplaces available to app developers, including the commission rates and terms that prevent certain app developers from using alternative in-app payment systems and promoting alternative off-app payment systems.
The ACCC considers that the commission rates are highly likely to be inflated by the market power that Apple and Google are able to exercise in their dealings with app developers.
The ACCC nevertheless noted it is unclear how significant this mark-up is in practice for two main reasons. First, commissions paid by app developers are not primarily cost-based but are instead reflective of their access to, and integration into, the broader mobile ecosystem. This makes it difficult to identify fair and appropriate pricing and fees. Second, given the market dominance of Apple and Google, there are few benchmarks with which the commissions charged by each app store operator can be compared.
Transparency of fees
Evidence before the committee repeatedly raised the issue of a lack of transparency in fees related to mobile payments. For example, CBA submitted that ‘there is very little transparency to gauge the gap between the cost and the price of the service or the extent to which payment providers pass these fees onto their customers’.
Commercial agreements may prevent banks from disclosing the exact share of the interchange fee taken by mobile payments platforms. Some banks are reported to have negotiated bulk discounts on these fees, yet these agreements are understood to be subject to confidentiality agreements.
In its submission, the RBA acknowledged the ‘lack of transparency in relation to the fees and other arrangements associated with digital wallets’ and detailed a number of steps it was taking to address this issue. These included a requirement that card schemes provide the RBA with their fee schedules and scheme rules in an attempt to identify competition issues and reduce
While the RBA can request information on the payments system, Dr Richards acknowledged that because mobile payment platforms are not currently regulated as participants in the payment systems, the Reserve Bank cannot directly request from Apple or Google information such as the portion of transaction fees they receive for use of their technology platforms. Some of this information, Dr Richards suggested, could nevertheless be gathered indirectly from banks and card issuers.
Treasury Assistant Secretary, Ms Nghi Luu, acknowledged the RBA had raised with the department the Bank’s lack of powers to directly gather information related to fee structures within the payments system. She suggested the issue may fall within the remit of the Farrell review (see Chapter 4), which at the time of the hearing had yet to be released by the Treasurer. Ms Luu declined to provide the committee with further details.
Google Director of Government Affairs and Public Policy for Australia and New Zealand, Ms Lucinda Longcroft, refuted the alleged lack of transparency in relation to the Google Play store, telling the committee:
Our fee data is transparent. In fact, 90 per cent of app developers on Google pay no fee… Only three per cent of apps charge for digital content for which we charge a fee; the fee structure is based on a revenue model and is entirely transparent. Of the 2,500-odd developers in Australia that make their apps available for a charge on the Google Play store, 99 per cent are charged a 15 per cent fee structure; less than one per cent are charged a 30 per cent fee structure, and that is comparable to or less than all other competitors in a vigorously competitive marketplace.
Apple defended its confidentiality terms with partners (Apple’s use of the term ‘partners’ presumably refers to both app developers and Authorised Deposit-taking Institutions), submitting the following:
We consider our commercial terms and contracts with our partners to be confidential, a standard in nearly every industry. Confidentiality protects both parties and further promotes market competition so that our competitors are not privy to the details of our intellectual property, including how we operate with our partners.
Mr Marcus Bezzi, the ACCC’s Executive General Manager for Specialist Advice and Services, told the committee:
There’s no rule of law that requires fees charged by one business to another business to be made transparent or made public. In fact, the usual position is that they’re not publicised… there can be circumstances where promoting transparency can promote competition but, as I say, there’s no general rule requiring it that I’m aware of’.
Committee view on platform provider fees
The committee acknowledges the concerns raised by submitters around the perceived lack of transparency with the fees charged by payment platform providers. The committee nevertheless agrees with Mr Bezzi’s observation that no laws require platform providers to disclose their fees to competitors or to the public. However, the committee also understands the ACCC’s inquiry powers would allow it to request this information directly from payment platform providers, should it be considered necessary.
As detailed in Chapter 2, interchange fees have fallen in recent years, with transactions processed over EFTPOS generally incurring lower fees relative to the international card schemes. Several submitters attributed the reduction in costs to competition between eftpos and international card schemes, driven in part by the ability of merchants to route transactions made with a physical card at a POS over whichever network incurs the lowest fees; ‘least-cost routing’ (LCR) or ‘merchant-choice routing’.
LCR became available as an opt-in service to merchants in Australia from 2019. As of March 2020, around 5 per cent of merchant terminals supported LCR.
LCR in Australia has been credited with driving down interchange fees. As the RBA has noted:
Least-cost routing can help merchants reduce their payment costs and can also increase competitive pressure between the debit schemes, providing greater incentives for them to lower their fees.
However, the dual network functionality that underpins LCR is not available in Australia for transactions initiated by a mobile device. Mobile tap-and-go payments are instead routed through the default network assigned to each virtual card. CMS Payments Intelligence consequently warned that gains in the reduction of interchange fees ‘could be lost if contactless digital wallets are allowed to grow with default routing as the norm’.
As CMS Payments Intelligence explained:
When a consumer makes a payment with Apple Pay in Australia, it is often routed by default down Visa or Mastercard’s network even where an alternative network is available. To instead use the domestic Eftpos scheme, which is often the cost-efficient option for merchants, the consumer must follow a number of steps within the app to make Eftpos their default network. Customers only have an incentive to do so if there is an explicit cost associated with using the network that is more expensive for the merchant.
The Australian Retailers Association described the challenge that mobile payments present to LCR:
Multi-network debit cards are limited from operating in the same way when uploaded to a digital wallet such as ApplePay, GooglePay, or Samsung Pay, due to technological limitations and settings which prevent the operation of these competitive forces.
Currently, even if mobile wallets allow users to upload two versions of the same debit card (supporting both schemes on a multi-network debit card), users are required to choose a default card for transactions. Regardless of whether the consumer passively uses the default card or actively selects the alternative debit card in the mobile wallet, whichever card is presented by the wallet will be the scheme by which it is processed. This completely overrides the ability of retailers to apply least-cost routing to the point of sale on these transactions and potentially increases the cost of transactions.
Apple noted in its submission that it ‘does not restrict in any way least-cost routing by merchants’. Apple further stated:
The Apple Pay platform presents a payment credential to the terminal at point of sale; it has no involvement in nor does it restrict the routing of the transaction by a merchant. As such, there are no “technological limitations” or “settings” imposed by Apple Pay which prevent the operation of least-cost routing by a merchant.
Apple told the committee:
If it is a regulatory requirement that merchants choose the debit network used to process a transaction, rather than the customer, then Apple will work with issuers and the payment networks on a solution to transition to a model that supports the presentment of two network credentials to the terminal.
In its submission to this inquiry, Restaurant and Catering Australia emphasised the impact on its members of mobile payments:
Given the dramatic drop in the use of cash across our member businesses… the role of LCR becomes increasingly important. Merchant fees often operate with little or no transparency and are difficult to understand. In many instances they are part of a broader service package that is linked to other key measures such as sales volumes, making it difficult for small business owner [sic] to understand, budget for and calculate.
eftpos and Beem It similarly noted:
The design of mobile solutions is such that the default priority of token [sic] is given to the International Credit Scheme, requiring either the customer to actively change the token order or the merchant to make terminal specific changes to search for a different token (which is not the norm in Australia).
eftpos pointed to the following impact:
Not only do merchants have no choice when a mobile device is presented for payment, often the consumer also has no choice or is unaware whether they have a choice and how to exercise it.
eftpos told the committee that the lack of support for LCR for mobile payments was ‘detrimental to small business’, costing Australian merchants close to $600 million each year.
eftpos CEO, Mr Stephen Benton, cited RBA data purportedly showing that up to 40 per cent of the transaction cost of a mobile payment could be saved through LCR.
Industry Analyst Mr Lance Blockley estimated that small merchants could save $30 to $40 per month through LCR. Larger merchants could make larger savings from LCR or could use LCR as leverage to negotiate lower fees with international schemes, he suggested.
Council of Small Business Organisations Australia (COSBOA) CEO, Ms Alexi Boyd, told the committee that many small business owners ‘are not able to unpack the complexity of the [interchange] fees that are offered to them by banks’.
EY (formerly Ernst & Young) noted in relation to the pandemic, ‘consumer empathy increased for the cost borne by merchants and vendors to accept payments, that in turn initiated a re-focus on least-cost routing to help reduce the overall cost to merchants’.
Ms Boyd, told the committee, ‘merchant fees continue to be one of the top three issues for industry segments with high volumes of debit transactions’. Ms Boyd also advocated ‘a clear pathway and time frame for mandating LCR on all payment methods, including online and mobile,’ arguing:
The ongoing pandemic induced crisis is pushing many previously successful small businesses into the brink of permanent closure. Creating a level playing field where the least-cost debit fee is the default would create an environment which is both equitable for the small business owner and would encourage competition between payment providers.
Ms Boyd and Mr Benton both drew the committee’s attention to examples from other jurisdictions in which LCR for mobile payments had been fully implemented, such as the dual-token approach used in Europe.
Mr Benton told the committee some authorised deposit-taking institutions (ADIs, financial institutions permitted by the Australian Prudential Regulation Authority, APRA, to accept deposits from the public) have begun moving away from providing customers with dual network cards towards single network cards, potentially reducing payments competition, innovation, and increasing fees for merchants and ultimately consumers.
Scheme card providers have argued elsewhere against mandating LCR, cautioning that merchant routing removes consumer choice and may reduce certain fraud protections offered by credit cards.
The Reserve Bank governor, Philip Lowe, described the position of the Payment System Board (the body tasked with setting the RBA’s payments system policy) with respect to LCR and mobile payments as follows:
The Board also expects that in the point-of-sale or ‘device present’ environment all acquirers should provide merchants with the ability to implement least-cost routing for contactless transactions, possibly on an ‘opt-out’ basis.
Dr Lowe nevertheless noted that ‘it is not yet clear how least-cost routing should operate and what expectations on its provision might be appropriate’.
The Reserve Bank also told the committee that not all debit transactions can be routed, including transactions initiated by a mobile device, online transactions, and transactions made by inserting a physical card into a POS terminal for which the consumer must select routing.
Beyond the technical aspects, the RBA noted that aggregate fees for Visa and Mastercard include transactions involving international cards that usually incur higher fees than domestic cards, leading to somewhat inflated average fees. Fees for transactions using Visa and Mastercard debit do remain higher on average than those made through eftpos. Yet, these averages do not account for the difference in the composition of transactions processed across each network for two key reasons.
First, eftpos only recently began processing online transactions and does not process transactions using foreign-issued cards—both of which tend to be more expensive than domestic POS transactions.
Second, average transaction prices for debit schemes do not account for merchants that use payment plans (around a quarter of Australian merchants), through which both credit and debit transactions may be bundled into a monthly fee. These factors may mean that the difference in average costs between card schemes may ‘overstate the cost difference for similar in-person transactions on domestic-issued cards’, according to the Reserve Bank.
Committee view on least-cost routing
The committee acknowledges the strongly held views on least-cost routing and that small businesses are likely to benefit from the ability to choose how they route mobile transactions.
However, the committee is not convinced of the scale of the purported benefits of least-cost routing advanced by some witnesses to this inquiry. For example, the case for adopting least-cost routing laid out by several submitters to this inquiry may not reflect all the available evidence. In this regard, the committee notes evidence from the Reserve Bank that factoring in international fee components and payment plans may mean the difference in average costs between like for like card schemes may be less than currently estimated.
The committee is also concerned that some implementations of LCR for mobile payments would in effect remove routing choice from customers. Some consumers may consequently face additional costs or inconvenience associated with managing their finances if they are unable to control the route through which their payments are processed. In this respect, the committee is disappointed no consumer groups made submissions to the inquiry on consumer perspectives around payment routing or merchant fees, among other issues.
The committee considers that, prior to any move to implement LCR, it would be prudent to assess the merits of retaining the current ability of customers to route transactions over their preferred network, if they so choose.
For these reasons, the committee considers an in-depth examination of the merits of different regulatory and technological approaches to enabling
least-cost routing on mobile transactions is warranted.
The committee recommends the Treasurer direct the Australian Competition and Consumer Commission to conduct an in-depth examination of the merits of different regulatory and technological approaches to enabling least-cost routing on mobile transactions, including the merits of consumers retaining the ability to route transactions over their preferred network if they choose to do so.
Merchants are permitted to pass on to consumers the cost of accepting a transaction made with a physical card at a POS terminal. This is known as ‘merchant surcharging’.
CPA Australia pointed to the benefits of merchant surcharging for small businesses, claiming it promotes competition within the payments system, keeps downward pressure on payment costs, assists merchants to maintain profitability, and puts downward pressure on the total price of goods and services where merchants build surcharging costs into their pricing.
In contrast to regular card payments, however, most BNPL providers impose rules that prevent merchants from passing on interchange fees to consumers, prompting some concerns from regulators and industry related to the competitive neutrality of payments regulation.
Some merchants are reported to face fees from BNPL providers of up to six per cent or more of the value of a transaction.
Some BNPL providers also reportedly require merchants to pay additional fees on top of the interchange fee that can amount to multiple times the regulated interchange rate.
The costs of accepting BNPL payments were also highlighted in several submissions. Unlike mobile payment platform providers like Apple and Google, BNPL services do have direct relationships with merchants that may require merchants to pay additional fees for accepting BNPL transactions. CPA Australia described costs associated with BNPL transactions as ‘significantly higher’ than other electronic payment methods, and noted that most BNPL providers did not disclose their merchant fees, resulting in a lack of transparency.
Co-founder of BNPL provider, Zip Co, Mr Peter Gray told the committee that merchant service fees for its product, Zip Pay, amounted to between 1.5 to 5 per cent of the transaction cost. However, he argued that BNPL providers typically offer additional services to merchants, such as referral traffic, integrated online transactions, or fraud guarantees.
The Australian Securities and Investments Commission (ASIC) warned that despite agreements to the contrary, some merchants use deceptive techniques to pass on ‘hidden’ surcharges to customers. ASIC described such practices as amounting to misleading or deceiving consumers, and therefore illegal under Australian Consumer Law and the ASIC Act.
As part of its ongoing Review of Retail Payments Regulation, the RBA is considering policy issues related to BNPL no-surcharge rules. The longstanding view of the RBA with respect to surcharging is as follows:
The right of merchants to apply a surcharge promotes payments system competition and keeps downward pressure on payment costs for businesses. If a business chooses to apply a surcharge to recover the cost of accepting more expensive payment methods, it may encourage customers to make the payment using a cheaper option. In addition, the possibility that a consumer may choose to use a lower-cost payment method when presented with a surcharge helps put competitive pressure on payment schemes to lower their pricing policies, indirectly lowering merchants’ payments costs. The possibility of surcharging may also help merchants to negotiate lower prices directly with their payments service provider. By helping keep merchants’ costs down, the right to apply a surcharge means that businesses can offer a lower total price for goods and services to all of their customer.
The RBA nevertheless acknowledged that under certain conditions,
no-surcharging rules can facilitate innovation by helping emerging service providers to compete with incumbents.
The Reserve Bank governor, Dr Phillip Lowe, summarised the current position of the Payment System Board with respect to BNPL surcharging as follows:
BNPL operators in Australia have not yet reached the point where it is clear that the costs arising from the no-surcharge rule outweigh the potential benefits in terms of innovation… The Board expects that over time a public policy case is likely to emerge for the removal of the no-surcharge rules in at least some BNPL arrangements.
Committee view on merchant surcharging
The committee acknowledges the arguments for giving greater freedoms to pass on fees to consumers for all payment types to promote competition, innovation, and put downward pressure on payment processing costs. Nevertheless, the committee is reluctant to recommend regulation to this effect, noting no-surcharging rules can protect new entrants and allow new products to become commercially viable. In the interim, the committee prefers industry take steps to become more transparent and remove no-surcharging rules as soon as it is viable to do so. That said, the committee recognises merchant surcharging may become a matter for public policy if industry fails to take appropriate steps in a reasonable timeframe.
The committee recommends payment systems make their fee structures more transparent to consumers, merchants, and regulators.
Security and risk
Mobile transactions may be secured through device authentication (such as a pin or biometric sensor), payment tokenisation (a digitised credit card number), machine learning, and fraud detection platforms. Digital wallets are also generally encrypted and usually require some form of authentication by the user for a transaction to be made—usually a passcode, password, or a biometric identifier like a fingerprint or facial recognition. As such, mobile payments and digital wallets offer enhanced security features relative to their physical counterparts and are generally considered less prone to abuse than cash or card. For example, Apple submitted ‘Australian banks and the payments industry have consistently confirmed that incidences of fraud are near zero on Apple Pay’.
CBA similarly confirmed:
[Internal fraud data] shows volumes are <0.01 per cent of total spend by CBA customers across all third party digital wallets enabled by the bank. That is, the occurrence of fraud is extremely low.
Despite their enhanced security features, mobile payments and digital wallets may present several unique risks. These relate particularly to:
the control of strategic national assets; and
counter-terrorism financing and anti-money laundering (CTF/AML).
Evidence suggests an increasing share of the devices and platforms used to make mobile payments are subject to foreign ownership and foreign control. For example, CPA Australia submitted that seven of the world’s largest ten companies by market capitalisation are digital platforms, of which five are based in the United States and two in China.
eftpos CEO, Mr Stephen Benton, cautioned:
We don’t have the ability to control foreign governments and how they control the companies within those countries. So, therefore, it would really be at the risk of them choosing how that data can be used and how those servers are provided rather than purely being Australian controlled.
Mr Naffah told the committee that Apple’s market dominance may pose a ‘significant systemic risk’ to Australia given that the company is not subject to APRA regulation.
Treasurer the Hon Josh Frydenberg MP pointed to similar concerns, stating:
Ultimately, if we do nothing to reform the current framework, it will be Silicon Valley alone that determines the future of our payments system, a critical piece of our economic infrastructure.
The committee was also told of possible risks related to the storage of Australian consumer data and transaction information.
Mr Peter Gray told the committee that Zip Co did not share data with external parties other than the transaction amount. He further stated that the company’s data was stored in local jurisdictions and not overseas.
Google stated that most data related to payments made through Google Pay is stored within the United States, while other data held by the company is distributed on servers around the world.
Google further clarified:
Our collection and storage of data comes with the highest levels of security to protect this information with full encryption in place. We have designed and custom-built our servers and data centres, never selling or distributing them externally and we have an industry-leading security team available globally making our facilities one of the safest places for data to be stored.
In seeking to allay the committee’s concerns about the impacts on data privacy if there was a takeover or divestiture of Google’s payments business, Ms Layfield expressed confidence that legal protections would protect customer data.
Dr Richards noted, ‘the Bank hasn’t felt a need to regulate to try to bring infrastructure onshore’.
Witnesses also discussed the possibility of risks related to the use of transaction data. As discussed in Chapter 5, the different security solutions adopted by Apple and Google for their respective payment platforms are generally considered highly secure. Apple devices offer a hardware-based solution in which payment credentials are stored on a dedicated ‘secure element’ chip. Android devices use a software approach called Host Card Emulation (HCE), in which payment credentials are stored in the cloud.
Mr Blockley told the committee:
Apple claims that they hold no data, they hold no card information, because of the architecture of their system. So the card token sits inside the secure element of the handset and the transactions are just passed through their system without ever being stored anywhere… That’s not necessarily the case in the Android system, although I personally have seen no evidence of Google Pay actually using data. But clearly transaction data is very powerful.
Google similarly claimed, ‘we do not believe there is any form of security compromise in the host card emulation situation’ (Google’s alternative technological solution to Apple’s that enables secure mobile payments), ‘our payments apps are immensely secure’.
CBA told the committee:
CBA has not identified any material difference in the fraud experience between the closed operating environment of Apple devices and the open access operating system of Android devices.
Apple nevertheless described the HCE approach as ‘a less secure implementation’.
Mr Blockley told the committee that ‘for many years some of Australians’ payment data has been held overseas’. He also cautioned that ‘foreign governments can interfere with payment systems by edict’.
Mobile payments and digital wallets may also be particularly vulnerable to AML/CTF risks. AUSTRAC in 2017 estimated the overall ML/TF risks associated with SVFs to be ‘medium,’ determining that SVFs nevertheless carried ‘high’ levels of vulnerabilities related specifically to the ease of moving funds outside traditional banking channels, as well as other factors. The level of risk posed by SVFs was also found to vary considerably based on the features of each product.
The Australian Banking Association advocated addressing ‘gaps in the detection and prevention of financial crime,’ noting that doing so may ‘become difficult to achieve where a single entity does not have visibility of the entire transaction path’—as is the case for mobile payments.
EY submitted that regulator support is necessary to ensure Australia maintains a robust security framework and standards for the payments industry.
Committee view on security and risk
In the committee’s view, evidence did not point to a significant problem with security and risk. On the contrary, some of the developments in mobile payments and digital wallets have enhanced security and reduced risks faced by both consumers and industry, such as fraud mitigation measures and biometric security.
Moreover, the committee notes the two different models used by mobile payment platform providers, Apple and Google, alternatively rely on a hardware solution and a cloud-based solution. These differences add to diversity within the payments system and may make the overall system more robust.
Nevertheless, noting the rapid changes in this space, the committee welcomes ongoing attention to these issues.
This section outlines two key areas in which evidence before this committee suggested mobile payments and digital wallets may impact consumer protections, including data privacy and the BNPL sector.
CPA Australia pointed out that payment platforms have ‘possibly unparalleled access to data’—much of which may be highly sensitive—and emphasised the need to ensure consumers are protected from the potential for ‘invasive tracking’ by apps and data exploitation by large digital platforms, including digital wallets.
CPA Australia also noted the OECD has previously highlighted the need for consumers to be provided with better protections from tracking.
The Australian Banking Association raised similar concerns similar around data privacy and customer profiling associated with mobile payments and digital wallets.
And as the RBA noted, ‘some digital wallet providers may seek to commercialise customers’ data’.
The Australian Finance Industry Association (AFIA) raised concerns that some developers and service providers are required to share data with mobile device manufacturers, ‘raising concerns about consumer data privacy and security’.
Google claimed that ‘Google Pay will protect the privacy and security of the personal information of our users and offer them transparency, choice and control over their data’. Google told the committee this is ensured by never selling personal information to third parties and never sharing transaction histories with other Google services.
Ms Layfield also told the committee, ‘Google does not monetise data from Google Pay in Australia’. She conceded there were ‘non-transaction data aspects’, but insisted, ‘we do not monetise transaction data or payments data from within the app in Australia’.
Ms Layfield detailed the specifics of how Google uses Google Pay transaction data:
If you were to make a payments transaction and you were to buy a pair of shoes, that transaction data that might give us that information does not leave the Google Pay environment. We don’t use transaction data for ads, for example. Our ads monetisation, which is… our primary monetisation route, does not receive that data from Google Pay.
Dr Lien Duong, Dr Duc-Son Pham, Professor Grantley Taylor, and Dr Baban Eulaiwi questioned Ms Layfield’s assertion, pointing to Google Pay’s terms of service, in which users reportedly ‘permit Google to share your personal information with merchants, payment processors, and other third parties’. They told the committee:
It is widely believed that Google make use of the users’ data for research purposes and for marketing other Google services to users. In the case of Google Pay, the marketing information presented to users is currently in the form of relevant offers that are reportedly based on sensitive transaction data, such as merchants and location.
Dr Duong and colleagues further claimed:
It is widely viewed that Google currently does not monetise its Google Pay because it aims to increase the market share. However, it is expected that the business model of Google Pay, like Google Maps, could change in the future should opportunities arise.
Ms Layfield gave evidence that Google has no access to data on
non-Google-run app stores.
Ms Lucinda Longcroft provided details on how the company uses data from app-based transactions on the Google Play store:
Apple claimed in its submission that it does not manage or access customer accounts, nor does it have access to card or payment details for mobile transactions made on its devices.
Mr Gavan Ord told the committee, ‘it’s not just the Apples and the Googles that are collecting this data. Many businesses have access to a whole range of data on their consumers, and that has to be protected’.
Committee view on data privacy
While the committee heard high-level concerns about large payment platforms, the committee did not receive evidence of significant specific data privacy issues related to mobile payments and digital wallets. The committee nevertheless has concerns that such issues could arise in the future. Moreover, the committee notes the heavily qualified language used by Google throughout its evidence and is not convinced about its claims regarding the commercial use of data related to purchases and customers using its payment platform. The committee therefore considers that questions remain related to consumer privacy and the commercialisation of data related to Google Pay transactions. The committee understands the Privacy Act 1988 prescribes how agencies and organisations with an annual turnover of more than $3 million handle personal information, including those operating in the payments system. The committee also notes payment processing platforms may be brought under existing regulations in the future, including the ePayments Code currently under review by ASIC. The committee therefore encourages ASIC to ensure attention is paid to the privacy aspects of the Code to help industry better interpret the national privacy principles.
Buy Now Pay Later
Evidence before the committee pointed to significant risks to consumers related to the BNPL sector. Digital wallets and mobile payments have reduced the friction that may otherwise be associated with deferred payment models for goods and services, potentially exacerbating the scale and impact of risky behaviour. Several submitters pointed to the BNPL sector as having increased indebtedness among some consumers.
As with mobile payment platforms, the BNPL sector has largely fallen outside the scope of regulators in Australia.
Journalist Jack Derwin claimed:
Despite the reality of what buy now, pay later companies are doing — that is, issuing-point of-sale loans — none are being policed by the same laws other lenders face. In fact, some appear to be actively fighting attempts by regulators and the government to lay down the law.
EY described the BNPL industry as one in which ‘innovation moved faster than regulation, resulting in a self-regulated ecosystem’.
Payments consultant Brad Kelly warned:
The BNPL market is saturated and two things are happening. One, a higher level of risk appetite is entering the market — that is regulatory risk and customer risk, where the customers [sic] profile is becoming riskier… The other is that at the bigger end of town, Afterpay and Zip are going on spending sprees buying up as many other BNPL companies as they can because they don’t have a road to profitability and they are instead just growing revenue.
BNPL providers have nevertheless taken steps to self-regulate. Some of the biggest providers agreed to a binding ‘world-first’ Code of Practice earlier this year under AFIA.
Mr Gray told the committee Zip Co conducts credit checks, unlike some BNPL providers, and freezes the ability of customers to make additional payments when repayments are overdue. He claimed Zip Co had around 1000 customers deemed to be facing financial hardship out of around 2.5 million customers in Australia.
Mr Gray stated before the committee that Zip Co’s financial viability was not reliant on customer late fees.
Committee view on Buy Now Pay Later
The committee notes the open and collaborative approach to this inquiry adopted by Zip Co and the steps taken by BNPL providers to self-regulate, including the industry-first Code of Practice which came into effect in March 2021. Nevertheless, the committee is concerned that the BNPL industry—like the broader payments system—is changing rapidly, with new entrants and new products being regularly launched in Australia.
Moreover, the committee believes industry self-regulation is likely to be most effective for more mature industries characterised by an abundance of
well-established players. This is not the case with the Buy Now Pay Later sector.
For these reasons, the committee believes a parliamentary inquiry into this space is warranted early in the next parliament, starting not later than
18 months after the Code of Practice came into effect, to investigate issues related to consumer protections, the impact of BNPL services on other sectors, and fees and transparency related to the provision of BNPL products, among other issues.
The committee recommends the committee consider an inquiry into the Buy Now Pay Later industry 18 months after the industry Code of Practice came into effect.
Financial inclusion and accessibility
While mobile payments and digital wallets have seen rapid uptake among Australians over recent years, some individuals and groups have either chosen not to—or have been unable to—adopt these new technologies. Some submitters raised concerns that these developments could disadvantage the minority of Australians that do not own a smartphone and therefore cannot leverage the benefits of digital wallets and mobile payments. AFIA submitted this may disproportionately include those living in rural and regional Australia, as well as culturally and linguistically diverse communities.
In its 2019 strategic agenda, the strategic coordination body for the payments industry, the Australian Payments Council (APC), noted:
The Australian payments system touches everybody, everyday. Australians need access to appropriate payment options as a core component of their daily lives. As such, the accessibility of the payments system is a core characteristic of its effectiveness.
In its strategic plan, the APC announced plans to develop guiding principles for its members regarding financial inclusion.
Uptake of mobile payments and digital wallets among individuals who are less financially literate may also present concerns—particularly related to indebtedness from BNPL and other lightly regulated credit products. AFIA pointed to steps taken to address these gaps through industry self-regulation that sought to enhance financial literacy and reduce risky behaviour among consumers. AFIA CEO, Ms Diane Tate, also recommended a more equitable rollout of the national broadband and 5G networks, as well as ensuring venues provide mobile charging stations to ensure customer devices function when needed.
Committee view on financial inclusion
The committee considers developments in the payments space should not come at the cost of access and inclusion for a minority of Australians who are unable to fully participate. The committee notes industry’s own efforts as well as ASIC’s strong history of promoting digital and financial literacy, such as the ASIC-run Moneysmart website. The committee would welcome ongoing attention to this space, noting the sector is transforming rapidly and such initiatives may require regular and ongoing attention.
The committee recommends the Australian Securities and Investments Commission regularly update its Moneysmart website to ensure it appropriately captures changes in the payments sector.
Cross-border payments and remittances
Digital wallets offer new avenues for reducing the friction faced by consumers making cross-border payments and transfers. However, regulations in Australia have reportedly stifled innovation and services in this space.
Australian Fintech, mHITs, which offers international mobile remittance services, submitted that it has faced ‘ongoing discrimination and
anti-competitive behaviour by Australian banks’, allegedly on the basis of risk compliance and AML concerns.
mHITs further claimed the broader remittance sector in Australia has been severely impacted by ‘bank de-risking policies’, leading to repeated
de-banking of remittance companies and ‘the collapse of the Australian remittance industry sending a significant proportion of financial intelligence information and transaction monitoring and reporting underground’.
Similar concerns were raised by fintech ‘unicorn’ (a fintech valued at over a billion US dollars) Nium, which provides cross-border remittance and other payments services. Singapore-based Nium claimed to have been regularly
de-banked in Australia over AML concerns, with few avenues to negotiate or appeal the decision by banks.
EY pointed to Singapore and Thailand, which have linked their fast payment networks to enable cross-border transfers via a digital wallet. EY further submitted, ‘Australian regulatory bodies need to consider how and what roll [sic] digital wallets play in overseas payments’.
The ACCC investigated in 2019 the de-banking of fintechs. Mr Marcus Bezzi told the Senate Select Committee on Australia as a Technology and Financial Centre, ‘[the Commission] formed the view there weren’t matters that needed to be progressed from a competition enforcement perspective’.
Committee view on cross-border payments
The committee notes the constant threat of de-banking faced by the remittance sector and the likely impact on Australian consumers looking to transfer their money overseas. While the committee has no wish to influence which companies or sectors banks choose to work with, it would welcome ongoing scrutiny by the ACCC and any other relevant regulators to ensure Australian consumers and businesses are not disadvantaged by a lack of regulatory clarity.
Mr Andrew Wallace MP