Over the past few years, the Digital Lab evaluated and test a number of products and services informed by criteria, indicators and testing processes from the Digital Standard. To bring more transparency to the Digital Standard, we are launching a series of case studies aimed to highlight examples that will help clarify:
- Problems & Context: What type(s) of problems with products and services does Consumer Reports look into for further testing and evaluation?
- Processes & Methods: What processes or methods does the team use to evaluate and investigate products and services?
- Impact: What type of impact do the product and service evaluations have on stakeholders like industry practitioners, manufacturers, and policymakers?
- Using The Digital Standard: How was the impact of this work informed by the Digital Standard?
Our next case study covers Consumer Reports’ work on Peer-to-Peer (P2P) Payment Apps
Project timeframe
Project begins: October 2016 (First memo sent)
Latest update on test scores: August 2018
Problem
Unclear legal agreements: Peer-to-peer payment app providers deserve credit for designing simple and easy-to-use applications that belie their underlying technological and financial sophistication. But that simplicity smooths over more than just technical wizardry. It also hides a thicket of overlapping and uncoordinated legal agreements, financial regulations, and consumer protections. It’s almost impossible for consumers — even the rare ones who read user agreements — to understand their rights and obligations in the event of error or financial fraud.
Misdirected payments: The CR study found it can be alarmingly easy to make the mistake of a misdirected payment, and that consumers may not know they can’t necessarily reverse such payments. Nor do they know that in most cases, providers won’t help if the recipient refuses to return the misdirected funds.
Fraud: Another issue is outright fraud. Thieves are increasingly exploiting consumer enthusiasm for — and trust in — P2P services. If you or a family member is tricked into sending money to a scammer via P2P, the law doesn’t require P2P services to return or help recover the funds.
Privacy: Payment apps typically have access to very detailed and illuminating information about our purchase habits, data that could be profitably used or sold. However, consumers have very little information about what app vendors are doing with this data, or which ones have the best practices.
[Excerpts gathered from CR Article: Peer-to-Peer Payments Are Generally Safe, But Consumers Must Be Aware of Risks]
Process
Full testing on 5 mobile P2P services: In light of the quick rise of P2P — and its potential financial and privacy risks — Consumer Reports tested five mobile P2P services to see how they stacked up for user protections. This included ratings that spanned privacy and security, usability, safety and convenience. Note: We originally had 6 (Snap Cash) but it was discontinued after the testing was done but before CR released its results
In our first-ever test-based ratings of P2P mobile services, CR rated Apple Pay the highest overall, with excellent or very good marks in the key consumer-protection measures of payment authentication and data privacy. Apple Pay is designed to limit how much data Apple collects about consumer spending, and its policies most clearly prohibited secondary use or sharing of personal information. Apple’s overall rating was significantly higher than for the other services we tested: Venmo, Square’s Cash App, Facebook P2P Payments in Messenger, and Zelle. We rated each of the five services good enough to use. The ratings are visualized below:
Output & Impact
Consumer Reports ratings article and in-depth review: Why Apple Pay Is the Highest-Rated Mobile P2P Payment Service. This article highlighted key problems and fixes to better protect themselves, urging immediate action on the part of policymakers and P2P service providers. The article also shared how app services responded to the investigation:
Zelle adopts practice to confirm recipients before transferring money: Zelle, a service used by about 150 U.S. banks and credit unions, was rated good overall. But it was the only service that ranked below average on data security and data privacy, which were weighted heavily in our ratings. The Zelle app lacks features that keep you from accidentally sending money to the wrong person. That could happen if you mistype a phone number.
Contacted by CR for this report, Zelle said it would soon adopt the practice of asking senders to confirm recipients before transferring the money, the current practice of some banks and credit unions that offer the Zelle service.
Zelle app makes changes for misdirected payments: In mid-September, the Zelle mobile peer-to-peer service was updated by its operator, Early Warning Services, to add measures to help prevent users from inadvertently sending money to the wrong person.
Consumer Reports tested the Zelle stand-alone app and found that it now includes a pop-up warning for users that send money to someone not in their contacts. When CR first tested the stand-alone Zelle app earlier this year, we found it lacked that security feature.
An Early Warning spokesperson said the new security pop-ups also are available on Zelle apps that are sponsored by individual banks. The spokesperson said participating banks are required to display a message that says, “Money should only be sent to people you trust.” It also says, “Once payments are sent, they cannot be reversed.”
Consumer Reports article: Peer-to-Peer Payments Are Generally Safe, But Consumers Must Be Aware of Risks outlining steps that users, providers and policymakers should take to alleviate privacy and security concerns: The article reported that most companies are investing significant resources in security and allow users to set up extra layers of security. But nearly all of them could do more to keep users safe.
In particular, they could design their apps to “default” to the highest security level, meaning users would have to actively chose to opt out. Instead, Venmo, Square’s Cash App, and Facebook Payments in Messenger require no password, PIN, or fingerprint for repeat access to the app or to initiate a transaction when their default security settings are in place. Only one provider, Apple, requires users to confirm a payment before it is sent.
Written Testimony: Consumer Reports’ Senior Policy Counsel, Christina Tetreault submits to U.S. House of Representatives Financial Services Committee Task force on Financial Technology. The recommendations include:
- Congress should create a strong federal floor of consumer payments protections.
- Congress should pass strong privacy legislation, including curbs on data collection.
In addition to submitting written testimony, CR testified in person. We also presented these results to the Federal Reserve Board Mobile Payments Working Group in Boston (June 2019), at the Clearinghouse’s annual meeting in Fall 2018, and in presentations to at least a half dozen more other industry and consumer organizations.
Consumer 101 video: Consumer Reports expert, Octavio Blanco shows how consumers can protect themselves when using peer-to-peer payment apps.
How was this work informed by the Digital Standard?
This work incorporated several specific elements from the larger Digital Standard framework. Specifically, the comparative analysis used elements from the Security, Privacy, Ownership and Governance & Compliance sections of the Standard:
A simplified version of the Digital Standard, highlighting how the peer-to-peer payment apps work was informed by this framework.
To see The Digital Standard in full, please visit: https://www.thedigitalstandard.org/