Making XML Pay: Revising Existing Electronic Payments Law to Accommodate Innovation
Forthcoming 53:4 SMU Law Review (Fall 2000) (reprinted with permission)

Jane K. Winn*

I. Introduction

II. The impact of XML on Internet commerce

III. Why are electronic payments problematic in Internet commerce?

IV. Business EFT and XML

V. Consumer EFT and XML

VI. Conclusion

I. Introduction

Many businesses today are rushing to embrace "e-Business" technologies in a mad scramble to remain competitive. Only a few years ago, simply using email instead of faxes or phone calls, converting a purchasing system to EDI technology, or building a corporate Web site might have seemed like important advances in the use of new information technologies. Businesses are now moving beyond such "electronic commerce" technologies and trying to integrate their disparate information systems and business processes into a comprehensive new "e-Business" structure.(1) At the heart of this new model for business organization is the idea that information and resources should be able to flow to where they are most needed at a moment's notice. Such fluidity in access and control over information and resources is very difficult to achieve in traditional hierarchical corporate organizations. By adopting new technologies, including XML, businesses can set up a more flexible, decentralized form of organization that can be more nimble in recognizing and responding to changing market conditions.

The technological innovations driving the transformation in business processes are too numerous to describe in depth in this article, and so can only be sketched out in general terms.(2) They include the falling cost of communication technologies including wireline and wireless telecommunications and data networks,(3) the growth of open, public computer networks such as the Internet,(4) the falling cost of computing processes and electronic data storage,(5) advances in information system security technologies,(6) and the development of integrated software programs that facilitate enterprise resource management and data warehousing.(7)

The assimilation of these and other electronic commerce technologies into established businesses permits those businesses to provide goods and services to existing customers more efficiently. For example, General Electric, one of the world's largest diversified manufacturing companies, has used electronic commerce technologies to reduce the amount of time required to process purchase orders and to reduce the cost paid for materials by using a secure Internet site to link customers and suppliers to manufacturing resource planning software.(8) Efficiencies of this type are generally referred to as a function of "supply chain" reengineering when they take place in traditional manufacturing industries between purchasers and vendors, or "value chain" reengineering when the same type of efficiencies are sought more generally throughout more diverse types of organization and industries.(9) eXtensible Markup Language (XML) is a new standard that governs the way information is organized and exchanged.(10) Use of the XML standard in organizing the information businesses need to conduct business would permit greater use of electronic searching technologies to identify potential trading partners, greater use of automated processes in negotiating the terms of transactions, and greater automation in tracking the execution and fulfillment of transactions after deals are struck.

A major stumbling block on the path to realizing the "e-Business" model is the difficulty most businesses face when trying to integrate electronic payment processes into other business processes. Financial transactions normally need to be controlled with more rigorous security procedures than other transactions. Financial markets were early adopters of electronic communications technologies, and as a result have a huge installed base of older technologies that are very reliable and stable. These legacy computer systems, however, integrate poorly with newer Internet based systems developed for other business processes. As a result, most businesses in the United States still rely heavily on paper checks as their primary payment device, even for transactions entered into electronically.(11)

Eliminating this segregation of payment functions from other business processes is one of the challenges facing businesses that wish to streamline their internal operations and relations with trading partners. Once businesses decide to reorganize their existing information systems in order to adopt XML standards, a window of opportunity is created within which it may also be possible to eliminate this segregation of contracting and payment functions. Although the law that governs business-to-business electronic funds transfers (EFT) was drafted over a decade ago,(12) its key provisions are sufficiently flexible that changes in the technological framework of electronic funds transfers are unlikely to require any revision in existing law. Where payments law places the risk of loss due to fraud or error on the bank's customer, however, businesses need to evaluate carefully opportunities to adopt new technologies to ensure that their existing security procedures are not compromised by the change.

The adoption of XML standards by retail merchants and financial service providers will create new risks and opportunities for consumers using electronic funds transfers. In consumer markets, one challenge posed by the adoption of new technologies such as XML is designing appropriate human-computer interfaces rather than achieving interoperability among existing computer systems. In addition, new technologies will facilitate greater reliance by consumers on new automated contracting processes such as electronic agent software. Unlike the law that governs business-to-business electronic funds transfers, the law and regulations governing consumer electronic funds transfers often reflect anachronistic models of technology and consumer protection.(13) Since the mid-1990s, federal regulations governing consumer electronic funds transfers have been under review and are in the process of being updated. It is possible that even very recent revisions may soon appear anachronistic in light of the rapid pace of innovation in business processes. Regulators should not focus on preserving the form of existing consumer protection regulations, but on advancing their underlying objective of consumer empowerment in new environments. The development of new user interfaces for payments products should include information that helps consumers understand the functional differences between different forms of electronic payments, and the different risks that may be associated with each. Consumers, consumer advocates, and regulators will need to contribute to the standard-setting processes to make sure that the concerns and preferences of consumers are reflected in standards that gain widespread acceptance.

II. The impact of XML on Internet commerce

XML is a new standard being developed by a working group of the World Wide Web Consortium(14) (W3C). It will permit businesses to communicate with business trading partners more effectively by standardizing and automating more of the exchange of information contained in standard business documents. It will also permit businesses to communicate with consumers more effectively because consumers will be able to configure their Internet browsers or electronic agent software to look for certain information communicated within those standardized forms.

As a technical standard, XML is related to Standard Generalized Markup Language (SGML)(15) and Hypertext Markup Language (HTML).(16) SGML is a standard for developing document markup languages that permits information to be organized and processed automatically. SGML is not itself a document language, but a metalanguage which describes how a document language can be created.(17) SGML is based on identifying the common structural elements of documents so that documents can be coded or "tagged" in a standard format. Once documents have been tagged using a document markup language based on SGML, the documents then can be displayed or processed in many different ways. HTML is the document markup language derived from SGML that is used to display content on the World Wide Web.

HTML was designed to facilitate the exchange of documents over the Internet at a time when Internet communications were dominated by research scientists.(18) The standards governing HTML have evolved continuously since 1991.(19) Prior to the development of XML, however, HTML provided very limited flexibility in describing the content of documents or displaying it on different platforms such as mobile phones or handheld information appliances such as the Palm Pilot. HTML might have been adequate for the simple display of text in a browser running on a personal computer, but over the last decade, Internet communications have become much more complex. Furthermore, HTML alone cannot adapt to accommodate that greater complexity. XML, as a new standard for coding documents for Internet commerce, is designed to preserve the ease of access characteristic of Internet communications while permitting more automated processing of greater amounts and more varied types of information than is currently possible using HTML.

Businesses of all types are looking for ways to exploit the ubiquitousness of the Internet as a communications medium. Part of the promise of Internet commerce is that it will permit larger numbers of businesses and consumers to be drawn into electronic commerce than was true with earlier generations of electronic commerce. In the 1980s, "electronic data interchange" (EDI) was the new business communications medium that promised to revolutionize how business is done. After more than twenty years of experience with EDI, it is clear that the revolution never arrived, at least not in the format that EDI evangelists expected. The total number of businesses adopting EDI for the bulk of their business communications remains small, and many businesses use EDI only when required to do so for a major trading partner.(20) For a variety of reasons, the costs of implementing an EDI trading partner relationship may be prohibitively high compared to the value of the transactions to be executed using EDI communications. By contrast, the costs of accessing the Internet may seem tiny: browser software comes preinstalled on personal computers, and Internet access may even be available without charge from some online service providers.(21) Of course, setting up an Internet commerce site involves considerably more expense than accessing the Internet as a consumer. But the cost of having an Internet commerce site hosted may be considerably less than the cost of establishing an EDI trading partner relationship, while also providing access to a much larger potential audience of business partners or consumers.

XML will provide a valuable foundation for the expansion of Internet commerce if it can help to overcome the high transaction costs of earlier generations of electronic commerce technologies. In order to accomplish this, different businesses operating within the same markets will need to collaborate on the definition of XML standards. If XML standards can be developed for specific markets, then within those markets, businesses will be able to automate more of their Internet communications with each other. They will also be able to communicate with other businesses even in the absence of a formal trading partner relationship, something which is difficult if not impossible to accomplish in business-to-business Internet commerce today. XML standards currently under development should also be able to accommodate the integration of transaction data with payment data in a way that was not possible using earlier electronic commerce technologies.(22)

Businesses engaged in Internet retail commerce seem to invite spontaneous transactions with customers, but can execute them only if the customer is willing to provide the vendor with all the information needed to process the transaction, including a credit card with which to pay. The development of XML standards for Internet retail commerce would permit greater automation in the processing of consumer information and thus greater actual spontaneity for individuals shopping on the Internet. Such standardization of information about consumer financial accounts and preferences might open the door to greater competition in consumer markets. If the revision of existing consumer protection regulations focuses too narrowly on updating anachronistic provisions and focuses too little on the potential of XML-enabled interfaces to empower consumers through greater competition, then developers of XML standards may not have the necessary incentives to uncover consumer preferences and incorporate them into XML standards.

III. Why are electronic payments problematic in Internet commerce?

Payment systems were among the first commercial transaction systems to embrace electronic commerce technologies, and as a result, have suffered the fate of many early adopters of technology, such as lock-in and path dependence.(23) In the late 1960s, financial institutions began to offer their customers the option of using "automated teller machines" (ATMs). In the early 1970s, FedWire, a national system for electronic wholesale funds transfers, was launched by the Federal Reserve banks. Around the same time, the Federal Reserve banks established an "automated clearing house" (ACH) system to permit electronic funds transfers to be made using the same information that computers used to process checks sent for collection. By the 1980s, payment systems such as credit cards and checks that were developed with paper-based processes were relying more heavily on electronic communications, and electronic payment systems such as ATM networks merged to achieve national and international scope.

The technological foundations of these high volume, low cost, extremely large scale electronic payment systems often antedate the World Wide Web by two decades or more. Mainframe computers running applications written in legacy programming languages such as COBOL still provide the backbone of electronic payment services.(24) Both traditional businesses and new economy businesses continue to rely on these legacy systems because of their security, stability, low cost, and the lack of viable alternatives. Given the growing mismatch between the rapid innovation now taking place in Internet commerce and the glacial pace of change in the world of legacy electronic payment systems, there would appear to be ample opportunities for newer and more nimble competitors to move in and gain market share. In fact, the Internet marketplace is already littered with failed attempts to move beyond these old systems.(25)

The difficulty of integrating the operation of these old electronic payment systems into new electronic commerce systems has caused many businesses to continue to rely on paper checks as their primary payment device. The difficulty of integrating consumer electronic funds transfer systems such as the automated clearing house or the automated teller machine networks into Internet retail interfaces has permitted credit cards, or credit-card formatted debit cards, to dominate the market for Internet retail payments. In addition, consumer electronic payment systems are often subject to operating system rules or legal requirements that make them slow and inflexible in accommodating the new demands created by Internet commerce.(26)

In the business payments environment, the two primary electronic payment systems are the wholesale funds transfer networks and the automated clearinghouses. The wholesale funds transfer networks, such as the FedWire or the Clearing House for Interbank Payment Systems (CHIPS), provide the benefit of same-day settlement, but are relatively expensive to use. Automated clearinghouses provide much less expensive electronic funds transfers, but are not set up to process transactions in real time. The inflexibility of ACH networks makes them best suited to recurring payments such as direct deposit of payroll or direct debit of monthly payments in fixed amounts such as mortgage or insurance premium payments, rather than spontaneous, non-recurring transactions.

In the consumer payment environment, there are three electronic funds transfer systems in use in addition to the credit card system. Like businesses, consumers may use the wholesale funds transfer networks, but rarely choose to do so. Consumers may use the ACH system, although because the system is difficult for consumers to understand or access, few consumers attempt to do so except for recurring payments to businesses, such as monthly utility bill payments. Consumers may use the ATM networks for transactions with their financial service providers using ATM machines, or as a point-of-sale payment device. The use of ATM cards as a payment device by consumers has never achieved much market share in the United States, due in part to the unwillingness of consumers to lose the value of the float they enjoy if they pay by check instead. Consumers may also pay by credit card, although this is not technically an electronic funds transfer because both merchant and cardholder actually settle their accounts in separate transactions. Because credit card payments may be originated electronically, however, they provide the functional equivalent of an electronic payment system even if an electronic credit card transaction does not itself actually transfer funds directly into and out of financial institution accounts.

Payment systems process transactions involving a simple, fungible asset: money.(27) In order to offset the risk of large losses due to fraud or error, payment systems of any type must operate with a high degree of security and predictability. Even electronic payment systems do not consist exclusively of electronic communications networks or sophisticated computer technology, but rely in substantial part on human input in order to function. Any successful business must follow procedures designed to minimize the risk of fraud or error losses that may occur as an incident to executing payment transactions. Businesses may have elaborate procedures to control financial flows into and out of the organization, the effectiveness of which is monitored by outside auditors on a regular basis. Many consumers follow simpler procedures designed to safeguard their personal assets in a similar manner. Switching from existing payment systems to new payment systems may entail substantial costs not simply because new software or hardware or communications equipment may be required. If employees have been trained to follow specific procedures, new procedures will have to be established and they will have to be retrained. Individual habits for managing personal finances may have to be substantially modified. If the total switching costs associated with moving away from an existing payment system (which may be very secure and reliable) to a new payment system (for which the security and reliability may be unknown variables) are added up for financial institutions, merchants and consumers, it becomes clear why there has been so much resistance to innovation in this area.

XML standards may not directly affect how funds are transferred, but rather are designed to affect how information about funds transfers is organized and shared. Businesses will not be able to take advantage of the benefits of XML standards without undertaking a considerable reorganization of their existing processes, and it is possible that reorganization may be broad enough to accomplish the integration of order processing and payment systems. Such a reorganization would be no trivial accomplishment, however, due to the complexity of current systems for managing a business's payment obligations. In business environments, it is common for purchasers to make adjustments to the amount paid to vendors if there are discrepancies between what the vendor believes it shipped and what the purchaser believes it received, or if the purchaser does not agree with the vendor's calculation of the price after allowing for discounts, credit terms, or other negotiated variations in the vendor's standard prices. For a vendor to be able to receive a payment after the purchaser has made adjustments in the amount billed and to apply the payment automatically to the purchaser's account without human intervention will require a great deal of standardization in business processes. If that standardization takes place, and it is accurately reflected in XML standards, then transacting parties may finally be able to move toward the "e-Business" model of seamless integration of all business processes within an organization and among trading partners.

In the consumer context, XML standards should support the development of interfaces for electronic commerce that are more intuitive and closer to consumer preferences than electronic payment services available today. In addition, businesses that do business with consumers, and that succeed in adopting XML standards for their own internal business processes, will want to integrate the interface they display to consumers with their back office operations. If the primary driver for the development of consumer interfaces based on XML standards is integration of consumer front-end technology with corporate back-end technology, it is unlikely the interfaces will be a significant improvement over what are available to consumers today in Internet commerce or through point-of-sale terminals. If the primary driver for the development of consumer interfaces is competition among vendors to offer consumers more engaging and responsive interfaces, however, consumers may find themselves genuinely empowered by the implementation of XML technologies.

IV. Business EFT and XML

Uniform Commercial Code (UCC) Article 4A is a primary source of law governing business electronic funds transfers, whether made over the wholesale funds transfer networks or ACH networks.(28) UCC Article 4A was promulgated by the Uniform Law Commission in 1989 and adopted in the states shortly thereafter. Although the Article 4A drafting process produced many innovations in the law of wholesale funds transfers, it drew heavily on the practices that had developed among banks and their customers during the fifteen years before the drafting committee was established. Although a consensus was not easy to achieve, the common interests shared by both the banks and their customers permitted the drafting process to find workable compromises on many thorny issues. A major element of the consensus that emerged from the drafting process is that the primary objective of rules governing business-to-business electronic funds transfers should be efficiency.(29) This efficiency is achieved through high-speed processing of transactions, low transaction charges for users of the system, and highly secure communication and information processing systems. UCC Article 4A seeks to achieve this efficiency goal by forcing each participant in the system, whether a bank or a bank customer, to bear the consequences of fraud or error by their own employees, and to limit the liability of the banks providing wholesale electronic funds transfer services to the amount of the funds transfer, even if the bank's customer suffers consequential damages due to an error by the bank.

One of the key liability rules in UCC Article 4A governs the use of commercially reasonable security procedures to authorize funds transfers. In the absence of a commercially reasonable security procedure in use between a bank and its customer, the customer may avoid liability for a funds transfer by claiming it was not authorized unless the bank can prove that it was.(30) In most cases, a bank would be unable to meet this burden of proof, either because the customer would be in control of all the relevant information or because there may be no permanent record of how an electronic funds transfer instruction was originated. If the bank and its customer have put in place a commercially reasonable security procedure,(31) however, and the bank has followed that procedure, then the funds transfer instruction will be treated as having been authorized by the customer whether or not it in fact was.(32) A bank can also avoid liability for unauthorized electronic funds transfers if it can show it offered its customer a commercially reasonable security procedure, but the customer turned that down and instead chose something that was not commercially reasonable.

Because XML standards influence how information is described, the adoption of XML standards by banks and their customers executing electronic funds transfers is unlikely to have any major impact on the liability system established by UCC Article 4A. XML standards may refer to technologies used to control the risk of fraud or error in the execution of electronic funds transfer, such as digital signatures, but XML standards themselves do not control the risk of fraud or error. Businesses today that use automated systems to send and receive electronic funds transfers have in place security procedures, and the applications required to make those security procedures function will have to be integrated in the applications that permit the exchange of information formatted according to XML standards. It is possible that some inadvertent weaknesses in existing security procedures may be created if existing security technology and new XML-based electronic commerce applications cannot be integrated successfully. If such a defective security procedure is adopted by a bank's customer based on a recommendation from the bank, and a loss occurs because someone exploits the weakness and manages to send an unauthorized funds transfer from the customer's account, then the customer should be able to shift the loss to the bank for having recommended a security procedure that was not commercially reasonable.

Although UCC Article 4A sets up the requirement that a security procedure agreed upon by the bank and its customer be commercially reasonable as a precondition to the bank's ability to shift the loss for unauthorized funds transfer to the customer, a bank may nevertheless ask its customer to sign an agreement that on its face assigns all liability for unauthorized electronic funds transfers to the customer without regard to the commercial reasonableness of the security procedure. If the customer has signed such an agreement, then it is possible that the customer will be forced to bear the cost of an unauthorized payment order made possible by a weakness introduced in security procedures through the adoption of XML-based electronic payment applications. If the bank's customer agreement provides that the customer is liable whenever a security procedure is used, whether or not the payment order is actually authorized, this might be taken by a court to establish that the security procedure is the one the customer chose, notwithstanding a recommendation of a commercially reasonable alternative on the part of the bank. In the alternative, a court might find that the contractual provision was an unenforceable attempt by the bank to evade either its responsibility to help the customer identify a commercially reasonable security procedure or its responsibility for interloper fraud.(33) The customer's legal counsel would have to know that the assignment of liability for unauthorized funds transfers in the contract that appears absolute on its face may be challenged by reference to the provisions of UCC Article 4A and an offer of proof of appropriate facts, but that would be true even if XML technology was not involved.

In the business-to-business electronic payments arena, the risks associated with poor integration of established security procedures and new XML based applications are likely to be addressed through a combination of competition among technology developers and cooperation among banks and their customers through standards-setting efforts. For example, the IFX Forum is a standard-setting organization working on the Interactive Financial Exchange standard, which is an XML standard.(34) IFX is an open standard, and if it achieves widespread acceptance among technology developers, businesses, and financial institutions, competitive markets for XML-based electronic payment applications should develop, and interoperability among applications should be achieved. If businesses and their banks each have a range of options to consider in choosing an XML-based electronic payment application, and businesses do not abandon their current security procedures for making electronic funds transfers without careful consideration of newer alternatives, then the migration of current systems to new XML-based systems should not result in any increased likelihood that fraud and error losses will occur as a result of making payments electronically.

V. Consumer EFT and XML

The regulation of consumer electronic funds transfers is based on quite different premises than business electronic funds transfers. While the paramount objectives of business EFT law are efficiency and low cost to participants, consumer EFT law protects consumers from many of the risks associated with EFT systems by forcing institutions that provide consumer EFT services to assume liability for those risks. As a result, the prices charged for consumer EFT services may be relatively higher than the prices charged for business EFT services. In addition, consumer markets are often characterized by a lack of competition in many areas due to unequal bargaining power, information asymmetries, and collective action problems faced by consumers in their dealings with organizations such as banks.(35) Consumer EFT regulations designed to offset the effect of such a market failure include either mandatory terms to prevent possible overreaching by providers of EFT services, or mandatory disclosures in order to encourage the growth of competition by giving consumers the information they need to make comparisons among the terms offered by EFT providers.

The primary sources of law governing consumer electronic payments are the Electronic Funds Transfer Act(36) and Regulation E(37) governing electronic funds transfers over the ATM and ACH networks, and the Truth in Lending Act(38) and Regulation Z(39) governing credit card payments. In addition, rules governing the actual network providing clearing and settlement services, such as the credit card system rules, ATM network rules, or the ACH Rules may also provide some consumer protections.

The adoption of XML standards in consumer markets would be likely to have an impact on remote access to financial services and on online shopping. Certain disclosure requirements of Regulation E may be triggered if the consumer is using a home banking product to communicate with the bank online, or if the consumer wishes to make an electronic funds transfer to pay for a purchase from an online merchant. In the home banking context, a consumer must be provided with certain mandatory Regulation E disclosures when an account is opened, or when there is a change in the terms on which EFT services are offered.(40) Although Regulation E generally requires that a receipt be made available whenever a consumer uses an electronic terminal,(41) this requirement does not apply to transfers initiated by a telephone operated by a consumer, which has been interpreted to cover personal computers and modems as well.(42) In addition, preauthorized transfers from a customer's account must be authorized by a writing signed or similarly authenticated by the customer.(43) Similar disclosures are required whenever consumers are solicited to apply for credit cards online.(44) Disclosures must be provided clearly and conspicuously in writing and in a form that the consumer may keep, although some disclosures are exempted from this requirement.(45) If a consumer agrees, however, the consumer may receive periodic statements electronically.(46)

In March 1998, the Federal Reserve Board published an interim rule under Regulation E and proposed rules under Regulation Z permitting electronic disclosures if the consumer agreed.(47) The March 1998 interim rule provided little concrete guidance on how consumer agreement should be obtained, which proved unsatisfactory to both consumer advocates and banking industry representatives. Consumer advocates were concerned that promises of lower costs would induce consumers to agree to receive disclosures electronically without a full understanding of the implications. Consumers might agree to receive electronic disclosures even though they lack the technical capacity to retrieve information electronically, but only discover later that they are unable to do so. Consumers might also agree to receive disclosures electronically, then later realize that accessing and retaining electronic disclosures is much less convenient than dealing with the information in paper form, but have no way to reverse their consent. Consumer advocates were especially concerned about the use of electronic disclosures in transactions that are normally conducted face-to-face with consumers, and feared that the conversion to electronic formats might in effect deprive consumers of the benefits of mandatory disclosures. Consumer advocates also argued that trusted third parties should be used to guarantee the integrity and security of electronic disclosures, since consumers are unlikely to be able to prove how unauthorized alterations in documents could have taken place if a consumer believes that such alterations have in fact been made. Industry representatives were concerned that the rules did not specify a method for establishing that an agreement was reached. In addition, state law would apply, thus raising complex jurisdiction and choice of law problems on top of the uncertain and underdeveloped state of the law in many jurisdictions.

In September 1999, the Federal Reserve Board proposed new rules governing the use of electronic disclosures in consumer transactions.(48) Unlike the "minimalist" approach taken in the 1996 interim rule and proposals, the new proposals provide extensive and detailed rules that must be followed in order to provide consumers with electronic disclosures. The proposal creates a new disclosure that must state precisely which disclosures would be given electronically and whether a particular EFT service would be made available only with electronic disclosures; identify the location where information will be provided electronically (if not sent to the consumer directly by email) and the period of time the information will remain available; describe the technical requirements for receiving and retaining information sent electronically and provide a means for the consumer to confirm the availability of equipment meeting those requirements; and provide the consumer with a toll-free number for updating the consumer's email address and for seeking technical or other assistance.(49) Before electronic disclosures can be provided, the consumer must respond affirmatively to confirm that they agree to receive the disclosures electronically and that their equipment meets the technical requirements described in the "consent to electronic disclosures" disclosure. Electronic disclosures could be provided either by email or by posting to a Web site so long as the consumer was given a separate notice by postal mail or email.

The 1999 proposals are considerably more complex and less flexible than the 1996 proposals. The new "consent to electronic disclosures" disclosure adds one more layer of dense text to the consumer contracting process. The use of XML standards in organizing mandatory disclosures may make it easier for consumers to read and understand the terms of those disclosures, or even to automate parts of the process of affirmatively assenting to the use of electronic disclosures by specifying their preferences in advance. The structure of the proposed revisions to Regulations E and Z tends to preserve the mandatory terms and disclosures model of consumer protection law that evolved decades ago when printed paper forms were all that were available for communicating with consumers. Consumer advocates were concerned that consumers would be railroaded by financial institutions into accepting electronic disclosures when it would not be sensible for them to do so. Consumer advocates were apparently less concerned with realizing the potential of new electronic communications technologies to empower, rather than inconvenience, consumers.

Consumers may be less interested in knowing how to assent and how to revoke their assent to receiving electronic copies of Regulation E or Regulation Z disclosures than in knowing the difference in practical consequences between making an online purchase by credit card or by debit card. If a consumer makes an online purchase by credit card, Regulation Z provides not merely a billing error resolution procedure and protection from liability for unauthorized use of the credit card, but it also provides a simple and effective alternative dispute resolution process in the event the consumer is unhappy with the transaction itself. In addition, if the consumer contests a charge, either because of a problem with the transaction or because the consumer believes the charge is unauthorized, then while the credit card issuer is researching the matter, the consumer is under no obligation to pay the charge. If a consumer makes an online purchase by debit card, Regulation E provides only a billing error resolution procedure and protection from liability for unauthorized use of the debit card, not a dispute resolution procedure. In addition, if the consumer believes an unauthorized funds transfer has been made using a debit card, the bank is permitted at least ten business days to research the question before recrediting the consumer's account.(50) Given that the account from which the unauthorized funds transfer was made may be the consumer's primary bank account, the delay between reporting the problem and the recrediting of the money to the consumer's account may result in a serious hardship for the consumer. This basic difference in the way credit and debit card transactions are processed is one that is of vital interest to consumers, especially consumers that use Visa or MasterCard branded debit cards in the mistaken belief that such a debit card comes with the same package of consumer rights as a credit card with the same logo. 
Nothing in any of the proposed revisions to Regulation E or Regulation Z addresses this concern of consumers, which could be communicated in a fairly clear and succinct way through the use of XML tags to organize the information.

In order for the information consumers genuinely care about to be disclosed in a manner that consumers can actually understand, consumer concerns and preferences should be taken into account when the standards are being developed.(51) The proposed revisions of Federal Reserve Board regulations governing consumer payments create incentives for industry standard-setting efforts to find ways to automate and streamline the mandatory disclosures described in the regulations to be made available to consumers. The proposed revisions do not, however, create any incentives for industry standard-setting bodies to conduct research to discover consumer concerns and preferences and find ways to organize that information within new standards. The migration of existing business processes to new electronic alternatives creates an opportunity to rethink the nature of transactions and the objectives of the transacting parties. The proposed revisions seem more focused on preserving the form of existing consumer protection law than on finding ways to use new electronic commerce technologies to empower consumers to make better choices.

One promise of electronic commerce technologies is that they will help markets to function more efficiently. Financial institutions that process consumer electronic payments are highly motivated to replace paper disclosures with electronic disclosures because electronic disclosures can be provided at a much lower cost. Consumer advocates have resisted too rapid or complete a migration to electronic disclosures out of fear that such a change would not result in more efficient markets, but would lower the cost of doing business of financial institutions by merely shifting those costs onto consumers. This fear of overreaching by financial institutions and reliance on old models of consumer protection regulations has produced revised regulations that in effect set a ceiling, rather than a floor, on what benefits consumers can hope to get when new technologies such as XML are adopted. Consumers can look forward to more traditional style disclosures, formatted according to new XML standards. It is unclear whether this standardization will permit electronic agent software to compare the terms of mandatory disclosures. It is also unclear whether financial institutions or online merchants will find it worthwhile to learn about consumer preferences and concerns not reflected in the mandatory disclosures, and whether they will develop XML standards that reflect those additional variables.

If regulators attempt to mandate the content of disclosures or the process for providing disclosures, they risk writing regulations that will quickly become outdated and that will only distort markets, not make them more efficient. In order to work with industry to promote the development of standards that reflect current consumer preferences and concerns rather than those captured in consumer protection laws, regulators will have to focus on ensuring that consumer interests are taken into account in formal standard-setting processes and de facto standard-setting processes. Given that consumers are unlikely to participate directly in standard-setting processes, what may be required are strategies to encourage consumer interests to be discovered and taken seriously in the absence of direct consumer involvement. Regulators could promote the adoption of "best practices" and voluntary self regulation in lieu of issuing formal regulatory mandates. This strategy has been tried, with mixed results, in the online privacy arena.(52) In addition, in June 2000, a newly formed industry association announced new "Guidelines for Merchant-to-Consumer Transactions and Commentary" in an effort to develop more effective industry self regulation of online consumer transactions.(53) The Better Business Bureau Online is offering a similar set of guidelines.(54) While industry self-regulation efforts have the advantage of greater flexibility than traditional agency regulations, they may fall short in terms of enforcement mechanisms, or in their objectivity in identifying consumer issues. Some coordination between traditional regulatory agencies and industry groups may therefore be necessary before the benefits of a more decentralized, flexible approach can be realized for consumers.

VI. Conclusion

While XML may have the power to transform many types of commercial transactions, it is unclear what impact it will have on electronic payment systems. It may be more difficult to fully incorporate XML standards into electronic payment systems than into some other commercial processes because payments processes remain a complex patchwork of human processes, legacy computer systems, and new information technologies. Because the need for security in electronic payment systems is paramount, merely realizing greater efficiency in the exchange of information about payments is less crucial. With regard to business-to-business electronic payments, the migration of existing systems to systems that incorporate XML standards is unlikely to produce any need for changes in the law that now applies to those transactions.

With regard to consumer electronic payments, however, XML might play a much larger role. Consumer markets are often highly regulated, due in large part to concerns that consumers do not enjoy the benefits of competition due to unequal bargaining power, information asymmetries, and collective action problems. The migration of existing technologies to new processes based on XML standards may create a window of opportunity to make consumer markets more competitive. If XML standards can be developed to make the terms of transactions more transparent to consumers, and consumers can take advantage of electronic agent software to lower their costs of searching for information about competing services, then consumers may not need to rely so heavily on mandatory consumer protection regulations to get a fair deal. Conversely, if regulators and consumer advocates only focus on updating old regulations and mandating terms, they are unlikely to create the incentives necessary to develop standards that promote competition around the terms and conditions consumers actually care about. Regulators will need new tools to intervene in standard-setting processes on behalf of consumers to make sure industry has incentives to discover and act upon consumer preferences and concerns.

* Professor of Law, Southern Methodist University School of Law, Dallas, Texas. Professor Winn is author of The Law of Electronic Commerce (4th ed., 2000 forthcoming). Copies of her other publications on electronic commerce topics are available at <>.

1. See, e.g., Ravi Kalakota & Marcia Robinson, e-Business: Roadmap for Success 4 (1999).

2.  For a more detailed overview of new technologies and their relationship to current business practices aimed at managers and generalists, see PriceWaterhouseCoopers, E-Business Technology Forecast (1999).

3. See PriceWaterhouseCoopers, Technology Forecast: 1999 Summary at 20.

4. See id. at 14.

5. See id. at 10.

6. See id. at 14.

7. See id. at 23.

8. See Robert B. Handfield & Ernest L. Nichols, Jr., Introduction to Supply Chain Management 30 (1999).

9. See Mark Prigg, Putting Zip into Supply Chain, Times (London), May 23, 1999, available in LEXIS, News Library.

10. See infra text accompanying notes 12-20 for a more complete explanation of XML; see also Winchel "Todd" Vincent, III, Legal XML and Standards for the Legal Industry, 53 SMU L. Rev. ___, ___ (2000).

11. For example, Intel sells one billion dollars a month of chips over its Internet site, but still receives payments from most of its customers by check. See Gina Fraone, Don't Worry, Be Happy, Electronic Bus., Mar. 1, 1999, at 28, available in LEXIS, News Library; Mitch Wagner, Intel Sets Commerce Record, InternetWeek, Nov. 23, 1998, available in LEXIS, News Library.

12. See U.C.C. art. 4A (1999).

13. See Electronic Funds Transfer Act, 15 U.S.C. 1693-1693r (1999); Regulation E, 12 C.F.R. pt. 205 (2000).

14. See W3C World Wide Web Consortium (visited Sept. 25, 2000) <>.

15.  This standard was promulgated by the International Organization for Standards (ISO). See Welcome to ISO Online (visited Sept. 25, 2000) <>.

16. HTML is a standard of the W3C. See Hypertext Markup Language (visited Sept. 25, 2000) <>.

17. See Standard Generalized Markup Language (visited Sept. 25, 2000) <,4152,214201,00.html>.

18. The basic idea for HTML was developed in 1989 by Tim Berners-Lee and Robert Cailliau, who were researchers working at CERN (Conseil Européen pour la Recherche Nucléaire, or the European Organization for Nuclear Research). The World Wide Web was launched in 1991 by CERN. See Some Early Ideas for HTML (visited Sept. 25, 2000) <>.

19.  The first HTML standard was published in 1992; in 1994, HTML 2.0 was published; in 1996, HTML 3.2 was published; HTML 4.0 was published in 1997, and in 2000, XHTML 1.0 was published, representing a synthesis of XML and the then most recent official version of HTML, HTML 4.01. See Previous Versions of HTML (visited Sept. 25, 2000) <>.

20. EDI has been around for more than 20 years. But compared to its potential market, adoption has been limited: Perhaps 1 percent of companies with more than 10 employees use EDI today. Everyone talks about the advantages of supply chain automation, but nearly nobody's doing it effectively. There are some exceptions, generally in industries dominated by a few large players.

David Ritter, What to do About EDI, Intelligent Enterprise, Dec. 1998, at 74, available in LEXIS, News Library.

21.  See, e.g., Welcome to the Free World, the Net Zero World (visited Sept. 25, 2000) <>.

22. Past efforts, such as Financial EDI (FEDI), to set standards that bridge the gap between electronic transaction processing and electronic funds transfers have not been successful. Banks were unwilling to pay to upgrade their own systems to support FEDI in the face of negligible customer demand, and customers were unwilling to upgrade their own systems when they knew most banks could not support FEDI. See, e.g., Fed, Treasury Hunts EDI Lure, Corp. EFT Rep., Sept. 3, 1997, available in LEXIS, News Library; Steven Marjanovic, Survey Suggest EDI Can Fly if Banks Buy In, Am. Banker, Feb. 8, 1995, at 16, available in LEXIS, News Library.

23.  The problem of path dependence and lock-in arises when a technological standard that has obtained a foothold, based on fortuity or favorable conditions that no longer apply, possesses certain characteristics that inhibit displacement by demonstrably superior technologies. One of these characteristics is the production, counter to traditional economic principles, of increasing rather than decreasing returns. Under such circumstances, the more prevalent the technology, the more difficult it is for users to adopt substitutes. As a result, paths that have initially been established dictate the course of future paths. Rather than systematic competition generating an efficient equilibrium solution among various technologies, path dependence permits a technology that obtained an accidental advantage to become locked-in to an inefficient equilibrium.

Clayton P. Gillette, The Path of the Law Today: Lock-in Effects in Law and Norms, 78 B.U. L. Rev. 813, 817 (1998).

24.  See Stephen C. Franco & Timothy M. Klein, 1999 Online Banking Report, (Piper Jaffray), Feb. 1999, at 12.

25.  See Jane K. Winn, Clash of the Titans: Regulating the Competition Between Established and Emerging Electronic Payment Systems, 14 Berkeley Tech. L.J. 675 (1999).

26.  For example, the Automated Clearing House Rules provide that in the case of debit entries to a consumer account, the originating depository financial institution must have a signed or "similarly authenticated" authorization from the customer. See SouthWestern Automated Clearing House Association, 2000 ACH Rules Rule 2.1.2 (2000). The rules go on to provide that "similarly authenticated" includes the use of digital signature or other code, but the question of just what security procedure is required in an Internet context where digital signatures are not yet widely in use remains unsettled. Until this and several other similar issues can be resolved, Internet ACH payments will not become widely available.

27. When asked why he robbed banks, Willie Sutton is reported to have replied, "that is where the money is." Quoted in, e.g., Jed Graham, Online Robbery Raises Concerns About E-Banks Security, Investor's Bus. Daily, Aug. 24, 2000, at 6, available in LEXIS, News Library.

28. In addition, Federal Reserve Board Regulation J governs electronic funds transfers that make use of FedWire. See Regulation J, 12 C.F.R. pt. 210 (2000). Regulation J incorporates UCC Article 4A as the law governing payments made using the FedWire. There are a small number of provisions in Regulation J which vary the provisions of UCC Article 4A, none of which are relevant here. See Ernest T. Patrikis, et al., Wire Transfers 10 (1993).

29.  See Patrikis, supra note 28, at 10.

30.  See U.C.C. 4A-202(a) (1999).

31.  See U.C.C. 4A-201; see id. 4A-202(b), (c).

32. There is a minor exception to this rule, in the unlikely event that the bank's customer can prove the unauthorized funds transfer instruction was caused by an interloper and not anyone under the control of the customer. See id. 4A-203(a)(2).

33.  See generally, Working Group on Electronic Financial Services, American Bar Association, Model Funds Transfer Services Agreement and Commentary 47 (1994).

34.  See Interactive Financial Exchange (visited July 10, 2000) <>. IFX is a merger of the Integrion Gold standard developed by IBM and the Open Financial Exchange (OFX) standard developed by Microsoft, CheckFree and Intuit.

35.  See generally Robert D. Cooter & Edward P. Rubin, A Theory of Loss Allocation for Consumer Payments, 66 Texas L. Rev. 63 (1987).

36.  15 U.S.C. 1693 (1997).

37. 12 C.F.R. pt. 205 (2000).

38.  15 U.S.C. 1601 (1997).

39.  12 C.F.R. pt. 226 (2000).

40.  See 12 C.F.R. 205.7, 205.8 (2000).

41.  See 12 C.F.R. 205.9(a) (2000).

42.  See 12 C.F.R. 205.2(h) Official Staff Interpretations, 12 C.F.R. pt. 205, Supp. 1, 205.2(h)-1 (2000).

43.  See 12 C.F.R. 205.10(b)(1) (2000). The Official Staff Interpretation specifically permits authentication through a home banking system, although there must be some means to identify the consumer (such as a security code) and to make available a paper copy of the authorization (either automatically or upon request). See Official Staff Interpretations, 12 C.F.R. pt. 205, Supp. 1, 205.10(b)-5 (2000).

44.  See 12 C.F.R. 226.5(a)-(b)(3) (2000).

45.  See 12 C.F.R. 226.5(a)(1), n.8 (2000).

46.  See Official Staff Commentary, 12 C.F.R. pt. 226, Supp. 1, 226.5(b)(2)(ii)-3 (2000).

47.  The following discussion is based on the memo dated August 11, 1999 to the Board of Governors of the Federal Reserve System from the Division of Consumer and Community Affairs, available at < > (visited July 10, 2000).

48. See Regulation B, 64 Fed. Reg. 49688 (1999) (to be codified at 12 C.F.R. pt. 202) (proposed Sept. 14, 1999); Regulation E, 64 Fed. Reg. 49699 (1999); Regulation M, 64 Fed. Reg. 49713 (1999) (to be codified at 12 C.F.R. pt. 213) (proposed Sept. 14, 1999); Regulation Z, 64 Fed. Reg. 49722 (1999) (to be codified at 12 C.F.R. pt. 226) (proposed Sept. 14, 1999); Regulation DD, 64 Fed. Reg. 49740 (1999) (to be codified at 12 C.F.R. pt. 230) (proposed Sept. 14, 1999). The proposed rules are also available at <> (visited July 10, 2000).

49. See Regulation E, 64 Fed. Reg. 49699, 49703 (1999) (to be codified at 12 C.F.R. 205.4(c)(3)(I)) (proposed Sept. 14, 1999).

50. See 12 C.F.R. 205.11(c) (2000).

51. For a discussion of research now taking place in connection with XML standards for consumer privacy preferences, see Lorrie Faith Cranor et al., Beyond Concern: Understanding Net Users' Attitudes About Online Privacy (last modified Apr. 12, 1999) <>.

52.  Information about FTC privacy efforts is available from the FTC Web site at <http//> (visited July 10, 2000). In May 2000, the FTC recommended to Congress online privacy legislation in lieu of continued reliance on industry self-regulation after monitoring industry practices for several years and concluding that industry self-regulation was not providing a meaningful level of online privacy protection to individuals.

53.  The draft guidelines are available from the Electronic Commerce and Consumer Protection Group Web site at <> (visited July 10, 2000).

54.  <>.