The GSMA - EPC White Paper: making the right connections | Fieldfisher
Skip to main content

The GSMA - EPC White Paper: making the right connections

John Worthy


United Kingdom

Collaboration models in mobile payments across the mobile and banking sector are evolving rapidly, as the markets develop.

This article was first published in E-finance & Payments Law and Policy in December 2010.

Collaboration models in mobile payments across the mobile and banking sector are evolving rapidly, as the markets develop.  Finding the right structure for co-operation can be a vital component of a successful venture.  John Worthy, Partner at Fieldfisher, examines the impact of the recent GSMA/EPC White Paper and the potential models for collaboration that exist.

Since mobile banking started to take off, the major players have been striving for the best methods of combining the strengths of the mobile network operators (MNOs) and the financial institutions.  Various models have been tried, some led by banks, others by MNOs.  The challenge has been particularly apparent in the field of mobile contactless payments (MCP).

After a slow start, MCP services on both sides of the Atlantic are now gaining momentum.   A consortium of the largest Dutch banks and mobile operators (Rabobank, ING and ABN Amro, and KPN, Vodafone and T-Mobile) recently announced a joint venture to deliver MCP services across the Netherlands; while in the US, AT&T, Verizon Wireless, and T-Mobile are joining forces to develop their own MCP service, under the brand “ISIS”.

Both ventures will be based on near field communication (NFC) technology but neither has revealed where the “Secure Element” will sit in its solution.  For example, the Secure Element could be stored:

  • On the Universal Integrated Circuit Card (“UICC”), like in the largest European MCP trial to date, currently taking place in Sitges in Spain; 

  • On a secure Micro SD card that can be inserted into the handset memorycard slot.  An ongoing trial in New York by Visa, Wells Fargo, Bank of America and US Bancorp uses this technology; or

  • On an NFC “sticker” that can be affixed to a phone handset, turning it instantly into a contactless payment device (in use by amongst others, Citi and Facebook).

Delivering MCP services via an NFC sticker requires minimal stakeholder co-operation. A bank will depend on willing merchants, but need not involve a mobile network operator (MNO) or handset manufacturer. At the other end of the spectrum is the UICC model. This requires close collaboration between financial institutions and MNOs, handset and chip manufacturers and potentially intermediary “Trusted Service Managers” (TSMs). Many commentators believe that one reason that MCP services have not taken off as quickly as expected is that potential stakeholders have struggled to find mutually beneficial business models. 

The GSMA/EPC White Paper

It is against this background that the GSM Association (GSMA) and the European Payments Council (EPC) issued a joint White Paper: “Mobile Contactless Payments Service Management Roles, Requirements and Specifications” ("White Paper") in October 2010.  The White Paper defines the operational interfaces required to deliver NFC-based MCP services based on the UICC model. 

The White Paper highlights the roles of MNOs and financial institutions in relation to the UICC and the payment application.   As owner of the UICC, the MNO is responsible for managing UICC security, lifecycle and for issuing the UICC to the customer, while the financial institution is responsible for delivering and operating the MCP application.  Each is separately responsible for managing the customer lifecycle within its own domain.

One of the most interesting areas of the White Paper is the focus on the TSM as an independent third party with access to and relationships with numerous MNOs, issuers and other service providers.  There are several strands to the TSM role:

  • Technical:  A TSM could contract with an MNO and/or a financial institution to provide technical services such as end-to-end security, downloading the payment application onto the UICC over-the-air via the MNO’s network, and ongoing application management services.  A separate contract between the MNO and financial institution would govern their collaboration on the mobile payments service;

  • Commercial:  In addition, a TSM could act as a commercial intermediary between MNOs and financial institutions.  Each would contract with the TSM, but would not have a direct contractual relationship with the other;

  • B2B broker:  The White Paper envisages that a broad wholesale market will develop, with MNOs and financial institutions offering up their services for mobile payments.   In this scenario, a TSM could act as a broker, buying and packaging wholesale services for resale.

In a developed market, the TSM’s value would lie in its extensive network of relationships. Through a TSM, a financial institution would be able to offer its MCP service to a much wider customer base than if it were to depend on establishing its own relationships with MNOs.  In this way, the TSM would play a key role in facilitating an open market in MCP services.  Similar opportunities may arise for a TSM in other forms of mobile payment and m-banking, such as the trusted third party service operated by NTT DoCoMo in Japan.

A number of businesses (for example, Venyon and Gemalto) already provide “technical” TSM services.   However, it is the intermediary aspects of the role that are likely to offer the most interesting potential for new market entrants.

Beyond the White Paper

The purpose of the White Paper - as a reference for implementations of MCP systems – is clear.  As such, it is a valuable operational tool.  However, if MCP services (with or without TSMs) are to become ubiquitous, then financial institutions and MNOs will have to reach agreement on some important commercial issues not addressed in the White Paper.

Who owns the customer?

The question of customer ownership is likely to be a matter of intense negotiation, given its crucial role in cross-selling and marketing and, equally importantly, the continuity of relationships with the customer once the collaboration between the MNO and the financial institution comes to an end. The mobile payments customer base will be made up of existing customers of the financial institution, or of the MNO, or of both, and relationships with new mobile payments customers will need to be attributed appropriately.  Finding the right structure for customer ownership, which affects the commercial stakeholders’ and the customers’ expectations, will be a critical part of the contract negotiations.

One option for defusing the tension over customer ownership is for the financial institution and MNO to set up a special purpose vehicle (SPV) to deliver the service, as used by Standard Bank and MTN in their MTN Banking joint venture.  Each party would permit the SPV to use that party’s customer databases (whether through a licence, the shareholders agreement or a joint venture agreement).  Should the collaboration end, one or other of the stakeholders would have the option to acquire the SPV, at which point the value of the customer database would be recognised in any buy-out valuation.

How to share revenue?

Stakeholders also need to be clear about how they will share the potential revenue streams from MCP services.   The core service elements will generate merchant transaction fees and network subscriptions.  In addition, MCP systems have the potential to generate revenues from other NFC-based services.  For example, “smart posters” can be pushed direct to the user’s handset giving access to product information, special offers or loyalty points, generating valuable data for retailers.

Managing exit smoothly

Whatever the contract structure, exit arrangements should be addressed at the outset through a jointly developed exit plan that will be triggered on notice of termination. Continuity of service will be essential if one party is to continue provide the MCP service to the customer base post-termination.  If the parties have established an SPV, then termination may trigger buy-out rights for one or both parties, depending on the circumstances of termination. 


In addition to addressing the financial regulatory compliance issues, banks, MNOs and other NFC service providers will need to take account of varying data protection laws in applicable jurisdictions, such as the differences in the national requirements regarding the type of information that must be given to data subjects.  MNOs and banks will also need to bear in mind that the financial services and communications sectors are subject to specific and different rules about the period over which certain types of data must be retained.


For collaborative ventures in mobile payments, choosing the best structure will continue to be a key decision point.  Despite a faltering start, there are signs that recent MCP initiatives are gathering pace.  The current dearth of NFC-enabled handsets looks set to be resolved (take Google’s recent showcasing of its Android handset with integrated NFC, and Nokia’s C7 smart-phone with NFC technology due to be enabled in early 2011).   The participants in the MCP field which find the best co-operation model will be well-positioned to exploit this exciting market.

John Worthy, Partner inf our Technology and outsourcing Law Group at Field Fisher Waterhouse LLP.

Sign up to our email digest

Click to subscribe or manage your email preferences.