The launch of the iPad 2 last month underlines the increased use of
mobile devices for personal and business use. Most businesses want to
ensure that their employees are able to work efficiently when out of the
office. However, increased mobility brings with it certain management
and legal issues that need to be addressed.
What are the main issues from a management perspective?
By providing its workforce with mobile devices, an organisation can
improve productivity by allowing access to up-to-date data at any time in
any location. But, to an extent, in doing this an organisation is loosening
its control over its data. It may not be possible to know exactly where
any data is stored at any time, and data created on mobile devices may
not be backed up to a central location. This makes the data vulnerable.
Key information may be stored locally and may not be backed up
centrally. Critical data may be lost or out of date.

Another issue is security. It is a headache for the IT department to
ensure that the mobile devices are all properly protected, especially
where employees use their own laptops, smartphones or tablets. If an
organisation manages its virus protection centrally, mobile devices that
are not synchronised with the central servers soon become out of date
and vulnerable.
Mobile devices can be lost and stolen. Apart from the inconvenience and
embarrassment of losing data, there can be legal implications.
What are the main legal risks?
We have all read the headlines about laptops left on trains or memory
sticks containing confidential information being sold on eBay. Apart from
the loss of business resulting from adverse publicity, there are three
main legal issues to consider.

Most organisations possess confidential information. Some confidential
information will be owned by the organisation and its disclosure will
cause commercial harm. Obvious examples include details of
customers, price lists, business models, new products and so on.
Equally, most businesses also hold confidential information belonging to
third parties under a contractual or fiduciary duty of confidentiality. If this
information is disclosed, the business may be liable in damages for the
losses suffered by the owners of the information as a result of the
The Data Protection Act 1998 imposes obligations on all organisations to
keep personal data secure. Companies must take appropriate technical
and organisational measures against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of
or damage to personal data. Failure to put in place appropriate security
measures in relation to mobile devices will breach this obligation, which
could lead to a fine imposed on companies and individuals. The
Information Commissioner now has enhanced powers to investigate and
punish breaches of the data protection legislation and has shown a clear
desire to use these new powers.
All companies are required to keep accurate accounts and records.
Directors are obliged to ensure that all the steps that ought to be taken
have been taken in order to ensure the accuracy of all relevant audit
information and to ensure that the company's auditors are aware of that
information. Relevant audit information is any information needed by
the company's auditors in preparing their report. This obviously includes
information on mobile devices used in the business.
Where a director has acted recklessly or in the knowledge that the
information was false, he or she is guilty of an offence punishable by fine
or imprisonment or both. This means that it is essential that appropriate
processes are in place to manage information generated, processed and
stored remotely.
Those businesses which are regulated, such as financial services
companies, law firms and accountants, will have further regulations
imposed on them either by statute or by their regulating bodies.
What should firms be doing?
An organisation cannot prevent mobile devices being lost or stolen. Nor
can it prevent its employees using their own devices. The ubiquitous
USB port makes this almost impossible. But an organisation can mitigate
its risks by having in place a well-thought-through policy on the
management of data and use of mobile devices. This policy should be
clearly communicated, be tied into the organisation's disciplinary
procedures and apply to everyone in the organisation.
It is also important that the policy is enforced uniformly. Employees
should be made aware of the risks of mobile computing and careful
consideration should be given to the type of data that an organisation
permits to be stored on mobile devices.
Finally, an organisation should ensure that all its data while in transit and
while stored on mobile devices is encrypted. In this way, if the data is
intercepted during transmission or if a laptop or memory stick is lost or
stolen, at least the data will not be readable.

Legal Issues Arising from the Use of Mobile Devices in Electronic Commerce

Chang-ho CHUNG
Judge, South Korea



Technological development of mobile devices and electronic commerce has
enabled mobile devices to be used for financial transaction purposes. Mobile
finance comprising both mobile banking and mobile payment may be a natural
evolution of electronic commerce. Furthermore, the constantly increasing rate of
mobile subscription worldwide has made mobile devices an efficient tool to offer
safe and convenient financial services to subscribers. Especially as mobile finance
solutions allow customers to perform various financial transactions while on the
move, mobile finance in micro-transactions may fully replace computer-based
financial transactions in the near future by offering applications integrating both
mobile banking and mobile payment solutions.

Mobile finance has created huge business opportunities for merchants, mobile
network operators, mobile device manufacturers, financial institutions and
software providers. Those mobile finance participants have added new financial
transaction forms to make their services available through mobile devices. Mobile
finance business has been fairly successful especially in South Korea, Japan and
other Asian countries.

The continuous growth of mobile finance depends not only on the user-friendliness of
services but also on the legal framework for mobile finance. To some extent, the
traditional legal framework of financial transactions could be applied to
mobile finance as well. But distinctive features of mobile finance, especially the fact that
mobile finance is performed in a non-facing and automated manner without any
direct contact, require the creation of a new legal environment complying with the various
needs of those participants.

In order to better acquaint readers with the development of mobile finance, chapter 2
of this article will outline the technologies and solutions of mobile finance. The
legal issues arising from mobile finance will then be discussed in chapter 3. Legal
issues relating to mobile banking, mobile credit card, mobile electronic money and
direct mobile billing service will be considered and South Korea's legal framework
will be looked at. Finally, some evaluations and suggestions will be given as
concluding remarks in chapter 4.


Development of Mobile Finance

A. Technologies for Mobile Finance
1. SMS-based Application

This is a Short Message Service (SMS) that mainly provides information about the
status of a bank account. Short messages containing information about the bank
account are transmitted to the customer's mobile phone by the SMS center server of
the mobile network operator, which is connected to the mobile banking server of the bank.

As SMS-based application uses insecure encryption, SMS banking is not intended
to be used for high-risk transactions.

SMS-based banking service is operated using both push and pull messages. Push
messages are those that banks choose to send out to a customer's mobile phone
without the customer's request for the information. Typically push messages could
be either mobile marketing messages or messages alerting an event which happens
in the customer's bank account. Pull messages are those that are initiated by
customers using a mobile phone to obtain information about the bank account.
Examples of pull messages include an account balance inquiry, currency exchange
rates and deposit interest rates.

2. WAP Browser-based Application

Wireless Application Protocol (WAP) browser and Mobile Explorer (ME) browser
are commonly used standard web browsers for mobile devices which allow
conversational data exchange between the client and the server. Similar to a PC
requiring an internet browser installed in order to access content online, a mobile
device requires a WAP browser installed in order to access information on WAP

By adopting WAP browser, mobile network operators and banks could offer not
only information-based banking service but also transaction-based banking service
including payments, deposits, withdrawals and transfers. The disadvantage of WAP
browser is that WAP browser implementation is not consistent across mobile
device manufacturers.

3. IC Chip-based Application
Integrated Circuit (IC) Chip is a miniaturized electronic circuit that has been
manufactured in the surface of a thin substrate of semiconductor material. Mobile
network operators partnered with banks to launch IC Chip-based mobile banking
service. Customers could get access to mobile banking service by inserting IC
Chip, which is controlled by banks, into a mobile device.1

Furthermore, mobile network operators collaborated with credit card companies to

operate IC Chip-based credit card service. A SIM-sized credit card certified by
credit card companies can be inserted into a mobile device to enable credit card
payments. However, because each IC Chip should be issued by each bank or credit
card company, customers have to change IC Chip whenever they use IC Chip from
a different issuer.

1 In South Korea, the third-largest mobile network provider LG Telecom with the
largest bank Kookmin Bank launched the first IC-Chip based mobile banking service
in 2003. IC-Chips were issued and controlled by Kookmin Bank and LG Telecom
provided the mobile network service. Available from

4. USIM-based Application
A Universal Subscriber Identity Module (USIM) is an application running on a
UICC (Universal Integrated Circuit Card) smartcard which is inserted in a
WCDMA 3G mobile phone. The equivalent of USIM on GSM 2G mobile network
is SIM. Like SIM, USIM stores subscriber information, authentication information
and provides storage space. Furthermore USIM enables its subscribers to download
various mobile banking applications, credit card applications and public
transportation applications onto USIM through OTA (over the air) technology.
Customers do not need to change chips each time they use different applications.2

5. NFC-based Application
Near Field Communication (NFC) is the most recently developed technology for
mobile finance. NFC is a short-range high-frequency wireless communication
technology which enables the exchange of data between devices over about 10cm
distance by combining the interface of a smartcard and a reader into a single
device. NFC device is also compatible with existing contactless infrastructure
already in use for public transportation and payment.

There are three specific features for NFC: NFC device behaves like an existing
contactless card (Card emulation), NFC device is active and reads a passive RFID
tag (Reader mode) and two NFC devices are communicating together and
exchanging information (P2P mode). These features of NFC make mobile devices
even more suitable for financial transaction purpose.

Standardization of NFC has been achieved mainly by GSMA (GSM Association)
and Mobey Forum, and both GSMA and Mobey Forum have recently emphasized
the important role of Trusted Service Manager (TSM).3 TSM works behind the
scenes to make the entire process of downloading mobile finance applications onto
mobile device efficient and secure. As TSM clearly understands security systems
of both banks and mobile network operators, TSM could bridge multiple banks and
operators ensuring complete security of customer information.4

2 In South Korea, the largest mobile network provider SK Telecom launched USIM
and OTA based mobile finance service in 2007 which enabled its subscribers to
download various mobile banking service applications, credit card applications and
public transportation applications over the air onto a USIM card. Available from

B. Solutions of Mobile Finance

1. Mobile Banking
Mobile banking service means performing balance checks, account transactions,
payments, credit applications etc. through mobile devices. The earliest mobile
banking service was based on SMS and limited to information-based service. Since
the introduction of WAP browser, banks started to offer transaction-based mobile
banking services to their customers such as payments, deposits, withdrawals,
transfers and investments.

[Figure: diagram with labels "Bank &", "Mobile network" and steps "1. purchase", "2. mobile", "3. make"]

3 Available from
4 In South Korea, mobile network operators, mobile device manufacturers, banks
and credit card companies have been collaborating to launch NFC-based application
in 2010. Available from

2. Mobile Payment
Mobile payment is a new and rapidly adopted alternative payment method.
Instead of paying with cash, check or credit cards, customers can use a mobile
phone to pay for a wide range of services and digital or hard goods. Mobile
payment solutions could be categorized in many ways according to the type of
payment method or the technology adopted to implement the solution. There are
three different categories for mobile payment solutions on the basis of payment

(1) Mobile Credit Card

Since the appearance of IC Chip-based application, customers have been making
payments with their SIM-sized credit card inserted in mobile phones or credit card
downloaded over the air onto mobile phones. When the customer makes a payment
transaction with a merchant (merchants can read credit card information through
IrFM technology, RFID technology or NFC technology), the credit card is charged
and the value is credited to the merchant account.

[Figure: diagram with labels "Credit card company &", "Mobile network" and steps "1. purchase by mobile credit", "2. make", "3. pay the bill"]

(2) Mobile Electronic Money

Mobile electronic money means any certificate of transferable monetary value
issued and stored in electronic form and installed in a mobile device. Issuers of
mobile electronic money issue mobile electronic money in exchange for the same
value of cash or deposit by downloading mobile electronic money over the air onto
mobile devices and have a duty to exchange mobile electronic money for cash or
deposit. Mobile electronic money has been used mainly for the payment of public
transportation system and other micro-payment.5

[Figure: diagram with labels "Issuer of", "Mobile network" and steps "1. purchase mobile e-money", "2. purchase and", "3. exchange mobile e-money"]

5 In South Korea, T-money has been used for this purpose. It started with pre-paid
RF smartcard embedded with CPU to enable self-calculation for the payment at
public transportation such as bus, subway and taxi. T-money has enlarged its
services to all parking fees, tunnel fees and payment at convenience stores and has
also introduced new payment media enabling T-money to be downloaded onto mobile
phones. Available from

(3) Direct Mobile Billing Service

Direct mobile billing service allows customers to purchase goods and services
online by charging their regular mobile phone bills. This does not require the use
of credit/debit cards or pre-registration at an online payment solution. This service
is suitable for online micro-payment.

In direct mobile billing service process, a payment gateway usually facilitates the
transfer of information between an online merchant and a mobile network
operator.6 If a customer purchases goods or uses services from a payment
gateway-enabled merchant, the payment gateway transmits or receives transaction
information in electronic form between the customer and the mobile network
operator and then the mobile network operator charges the customer's mobile
phone bill and executes the payment of the bill as proxy or mediate for the

Unlike the credit card company, the mobile network operator does not execute the
payment for the merchant until the customer pays the mobile phone bill, and even
if the customer does not pay the bill, the mobile network operator is not bound to
pay the bill for the merchant.

[Figure: diagram with steps "1. purchase", "2. pay the bill", "3. make"]

6 South Korean company Danal Co., Ltd. is credited with being the first provider of
direct mobile billing service globally. The amount of bill charged through the direct
mobile billing service in South Korea in 2010 was about 2 billion USD. Danal has
established a company named BilltoMobile in the US to offer customers the ability
to safely charge online purchases to their mobile phone bill. BilltoMobile signed a
contract for direct mobile billing service with Verizon Wireless in May 2009 and with
AT&T in October 2010. Available from


Legal Issues Arising from Mobile Finance

A. Participants
Mobile finance has enabled companies from different industries to collaborate and
has been provided by various participants. Customers, merchants, mobile network
operators, financial institutions, issuers of mobile electronic money, payment
gateways and TSMs are the main participants in the process of mobile finance. As
these participants have different interests, they may come into conflict with
each other in ways that require legal solutions. Regulating the liabilities of
participants in cases of unauthorized financial transactions is especially important.

Since the appearance of USIM-based application system, TSM has offered secure
delivery and activation of the mobile banking and payment applications by
establishing highly secure, encrypted connection between bank and TSM and
between TSM and mobile network operator. Considering the important role of
TSM, liability of TSM also needs to be discussed.

Electronic Financial Transaction Act entered into force in South Korea on
January 1 2007. One of the main purposes of this Act is to ensure the reliability of
electronic financial transactions by clarifying their legal relations.7

This Act defines Electronic Financial Transaction as any transaction whereby a
financial institution or an electronic financial business operator provides financial
products and services through electronic apparatuses and the users use them in a
non-facing and automated manner without any direct contact with employees of
the financial institution or electronic financial business operator,8 and it has been
interpreted that the application of this Act could be extended to newly appeared
mobile finance solutions as well.

This Act categorizes issuers of electronic money, electronic funds transfer agency
and electronic payment settlement agency, that are not financial institutions, as
Electronic Financial Business Operator9 and imposes on them almost the same
liability as a financial institution.

7 Electronic Financial Transaction Act of South Korea, article 1. South Korea also
enacted Information Technology Network Act which provides details on direct
mobile billing service.
8 Ibid., article 2.1.
9 Ibid., articles 2.4., 28.

This Act categorizes any operator of a payment gateway system and any person
who assists a financial institution or electronic financial business operator in
conducting electronic financial transactions or performs as proxy part of such
transactions for the sake of financial institutions or electronic financial business
operator as Subsidiary Electronic Financial Business Operator10 and imposes
indirect and exceptional liability.

B. Electronic Communications Used for Mobile Finance

Electronic communications made by means of data messages are used for
electronic financial transactions as well. Definition, legal recognition, form, error,
time and place of dispatch and receipt regarding electronic communications could
be regulated by laws governing electronic communications. UNCITRAL
Convention on the Use of Electronic Communications in International Contracts11
and UNCITRAL Model Law on Electronic Commerce12 are the most important
international instruments covering those issues.

South Korea also enacted the Framework Act on Electronic Commerce on July 1
1999 implementing provisions of the UNCITRAL Model Law on Electronic
Commerce, and Electronic Financial Transaction Act of South Korea provides that
relevant provisions of the Framework Act on Electronic Commerce shall apply to
electronic communications used for electronic financial transactions.13

10 Ibid., article 2.5.
11 Available from
12 Available from

South Korea's Electronic Financial Transaction Act also provides provisions on
confirmation of transaction details and correction of errors.
Any financial institution or electronic financial business operator shall ensure
that a user can confirm the transaction details through an electronic apparatus
used for electronic financial transactions.14
When a user recognizes the existence of any error in the electronic financial
transaction, he/she may request the relevant financial institution or electronic
financial business operator to correct such error.15

C. Electronic Credit Transfer

Many types of electronic credit transfer, such as transfer from bank, credit card
company, issuer of mobile electronic money or mobile network operator to
merchant and transfer from customer to bank, credit card company, issuer of
mobile electronic money or mobile network operator need to be executed to fulfill
mobile financial transactions.

To facilitate electronic financial transaction, such legal issues as definition of
electronic credit transfer, time to execute credit transfer, revocation and completion
of credit transfer need to be discussed. UNCITRAL Model Law on International
Credit Transfers16 covers these issues.

13 Electronic Financial Transaction Act of South Korea, article 5.
14 Ibid., article 7(1).
15 Ibid., article 8(1).

South Korea's Electronic Financial Transaction Act provides provisions on making
payment, time when payment takes effect and withdrawal of transaction request.
Any financial institution or electronic financial business operator shall ensure
payment is made by transmitting the amount requested by a payer or payee on a
transaction request to the payee or his/her financial institution or electronic
financial business operator, pursuant to an agreement made with the payer or
payee to facilitate electronic payment transaction.17
Any financial institution or electronic financial business operator shall, when it
is impossible to transmit the amount requested pursuant to previous paragraph,
return to the payer the amount received for electronic payment transaction. In such
cases, when the failure to transmit the amount is caused due to the negligence of
the payer, the expenses disbursed for such transmission may be deducted.18
16 Available from
17 Electronic Financial Transaction Act of South Korea, article 12(1).
18 Ibid., article 12(2).

In the case of making payment by means of an electronic payment instrument,
such payment shall take effect at the time set forth in any of the following
1. For electronic funds transfer: When the information on the amount
transferred on a transaction request is completely recorded on the ledger of
the account of a financial institution or electronic financial business
operator with which the payee's account is opened;
2. For withdrawal of cash directly from an electronic apparatus: When the
payee receives such cash;
3. For payment made by electronic prepayment means or electronic currency:
When the information on the amount requested on a transaction request gets
to the electronic apparatus designated by the payee;
4. For payment made by other electronic payment means: When the
information on the amount requested on a transaction request is completely
inputted in the electronic apparatus of a financial institution or electronic
financial business operator with which the payee's account is opened.19
Any user may withdraw his/her transaction request before the payment takes
effect. Notwithstanding the provisions of previous paragraph, with respect to any
batch transaction or reserved transaction, etc., a financial institution or an
electronic financial business operator and a user may, pursuant to a prior
agreement, determine differently the time when a transaction request is

D. Unauthorized Financial Transaction

1. Liability Issues
Customers may suffer any loss as a result of an accident arising out of forgery or
alteration of the information used to conclude a transaction in mobile finance or in
the course of electronically transmitting or processing the conclusion of a

In this case, liability issues could be raised such as whether financial institutions
should bear all the risk from the loss, whether financial institutions are still liable
for the loss even in such cases where accidents were caused by the intention or
gross negligence of the customers, whether independent TSM, mobile network
operator and issuers of mobile electronic money, that are not financial institutions,
are liable for the loss.

19 Ibid., article 13.
20 Ibid., article 14(1)(2).

2. Liability of Financial Institution

Considering the point that mobile financial transactions are concluded in a
non-facing and automated manner, the point that it is almost impossible for customers to
prove intention or negligence of financial institutions, and the point that financial
institutions determine the authentication procedures they have prepared to
implement, it would be desirable to make financial institutions bear all the risk of
unauthorized mobile financial transactions, unless financial institutions
prove intention or gross negligence of customers.

3. Liability of Mobile Network Operator

As mobile financial transactions are concluded through mobile network installed
by mobile network operator, in case of transaction errors arising in the course of
electronically transmitting or processing the conclusion of a transaction, there may
be cases where not financial institution but mobile network operator shall be liable
for the loss.

However, in reality, it is almost impossible for customers to clarify whether an error
was caused by the financial institution or the mobile network operator. It would be
desirable to make the financial institution compensate the customer for damage caused by
transaction errors arising in the course of electronically transmitting or processing
the conclusion of a transaction, and then allow the financial institution to exercise a right
of indemnity over the mobile network operator by proving the intention or
negligence of the mobile network operator.

4. Liability of TSM
An independent TSM that is not a financial institution may be perceived as performing
finance-related business in accordance with the extent of its involvement in mobile
banking service and mobile credit card service. Even though it would not be proper
to impose on a TSM the same liability as a financial institution, it would be desirable to
categorize TSM as a subsidiary mobile financial business operator and impose a duty
to indemnify the financial institution for loss caused by intention or negligence of
the TSM, a duty of good faith to ensure safe processing and a duty to keep confidentiality.

5. In Case of Mobile Electronic Money and Direct Mobile Billing Service
Unlike mobile banking service or mobile credit card service where financial
institutions mainly play a finance-related role, in case of mobile electronic money
and direct mobile billing service, issuer of mobile electronic money and mobile
network operator or payment gateway of direct mobile billing service are deeply
involved in finance-related role by performing business relating to the settlement
of accounts and execution of payments.

Considering the deep involvement of issuer of mobile electronic money and mobile
network operator or payment gateway of direct mobile billing service that are not
financial institutions, it would be desirable to categorize them as mobile financial
business operators and impose on them the same liability as a financial institution in case
of unauthorized transaction.

South Korea's Electronic Financial Transaction Act provides provisions on liability
of financial institutions, liability of electronic financial business operator and status
of subsidiary electronic financial business operator.
When a user suffers any loss as a result of an accident arising out of forgery or
alteration of the means of access or in the course of electronically transmitting or
processing the conclusion of a contract or a transaction request, the financial
institution or electronic financial business operator concerned shall be liable for
indemnifying him/her for the loss.21
Notwithstanding the provisions of previous paragraph, any financial institution
or electronic financial business operator may have the user bear the liability for
any damage in whole or part in any case falling under any of the following
1. Where, with respect to any accident caused by the intention or gross
negligence of the user, a prior agreement is made with the user to the effect
that all or part of the loss may be borne by the user,
2. Where the user, who is a juristic person, suffers any loss though the
financial institution or electronic financial business operator fulfills the duty
of due care reasonably requested to prevent accidents from occurring, such
as the establishment and full observance of security procedures, etc. 22
The intention or negligence of a subsidiary electronic financial business
operator in relation to electronic financial transactions shall be deemed the
intention or negligence of the financial institution or electronic financial
business operator concerned.23

21 Ibid., article 9(1).
22 Ibid., article 9(2).
23 Ibid., article 11(1).

When any financial institution or electronic financial business operator
compensates the user for any damage caused by the intention or negligence of
its or his/her subsidiary electronic financial business operator, it or he/she may
exercise the right of indemnity over the subsidiary electronic financial business

6. Loss or Theft
In case of loss or theft of mobile devices equipped with mobile finance solutions, it
would be desirable to provide clearly when financial institutions become liable for
loss incurred due to the use of such mobile finance solutions by a third party. And
it would also be desirable to decide whether mobile electronic money needs to be
treated separately.

South Korea's Electronic Financial Transaction Act provides provisions on
notification to financial institution or electronic financial business operator and
notification to subsidiary electronic financial business operator.
Any financial institution or electronic financial business operator shall, upon
receipt of a user's notification of the loss or theft of the means of access,
compensate the user for any loss he/she might incur due to the use of such means
of access by a third party from the time when such notification is received:
Provided, That the same shall not apply to any damage caused by the loss or theft
of electronic prepayment means or electronic currency as prescribed by
Presidential Decree.25

24 Ibid., article 11(2).
25 Ibid., article 10(1).

Any user may make various notifications to be given to a financial institution or
an electronic financial business operator to its or his/her subsidiary electronic
financial business operator pursuant to an agreement made with the financial
institution or electronic financial business operator. In such cases, a notification
made to the subsidiary electronic financial business operator shall be deemed to
have given to the financial institution or electronic financial business operator

E. Exchange of Mobile Electronic Money

In case of making payment by means of mobile electronic money, such payment
may take effect when the information of transferable monetary value on the
amount requested on a transaction gets to the electronic apparatus designated by
the merchant. From then on, the customer's duty to fulfill the payment is completed and
the issuer becomes bound to exchange such merchant's electronic money for cash.

South Korea's Electronic Financial Transaction Act provides provisions on
fulfillment of payment by mobile electronic money and exchange of mobile
electronic money.
When the holder of electronic currency pays the prices of goods or services by
electronic currency pursuant to an agreement with the payee, the duty to pay such
prices shall be deemed to be fulfilled.27
The issuer of electronic currency shall, upon a request by its holder, have the
duty to exchange such electronic currency for cash or deposits.28
26 Ibid., article 11(3).
27 Ibid., article 17.
28 Ibid., article 16(4).

F. Duty to Secure Safety and Keep Confidentiality

Ensuring the security and reliability of mobile financial transactions is one of the
most important factors in achieving sound development of mobile finance. It would
be desirable to consider imposing duties to secure safety and keep
confidentiality on financial institutions, electronic financial business operators and
subsidiary electronic financial business operators.

South Korea's Electronic Financial Transaction Act provides provisions on duty to
secure safety and keep confidentiality.
Any financial institution or electronic financial business operator and its or
his/her subsidiary electronic financial operator shall fulfill the duty of good
manager to ensure the safe processing of electronic financial transactions.29
A financial institution or electronic financial business operator and its or
his/her subsidiary electronic financial operator shall abide by the standards set by
the Financial Services Commission for the information technology fields of
manpower, facilities, electronic apparatuses necessary for electronic transmission
or processing and electronic financial business by type of electronic financial
transactions to secure the safety and reliability of electronic financial
A financial institution or electronic financial business operator and its or
his/her subsidiary electronic financial operator shall create any records necessary
to trace and search the details of electronic financial transactions or to verify or
correct any error in such details and preserve them for the period determined by
Presidential Decree within the limit of five years.31

29 Ibid., article 21(1).

30 Ibid., article 21(2).

Any person who recognizes the existence of the matters falling under any of the
following subparagraphs in the course of conducting the business affairs relating
to electronic financial transactions shall neither provide or disclose such
information to any third party nor use it for any purpose other than his/her
business without consent of the user concerned.
1. The matters relating to the identity of the user;
2. The information or materials relating to the accounts, the means of access,
and the details and results of electronic financial transactions of the user.32

G. Qualification and Supervision

Even though mobile network operators, issuers of mobile electronic money, payment
gateways and TSMs are not financial institutions, they play a role as a mobile
financial business operator or subsidiary mobile financial business operator in
some mobile finance solutions. As traditional regulations on financial institutions
cannot be applied to them, it is necessary to consider setting up qualifications
for starting such a business and supervision over that business.

South Korea's Electronic Financial Transaction Act provides provisions on
qualification and supervision.
Any person who intends to perform the business of issuing and managing
electronic currency shall obtain permission thereof from the Financial Services

31 Ibid., article 22(1).

32 Ibid., article 26.

Any person who intends to perform the services referred to in each of the
following subparagraphs shall register himself/herself with the Financial Services
1. Electronic funds transfer services;
2. Issuance and management of electronic debit payment means;
3. Issuance and management of electronic prepayment means;
4. Electronic payment settlement agency services;
5. Other electronic financial services determined by Presidential Decree.34
The Financial Supervisory Service shall supervise whether financial institutions
and electronic financial business operators abide by this Act or an order issued by
this Act, under the direction of the Financial Services Commission.35



Many mobile finance technologies and solutions have failed and been discontinued;
only in Asia, especially in South Korea, Japan, Singapore and Hong Kong, has mobile
finance been fairly successful. This may have been the reason why until
recently there had been little interest in unifying the laws regulating the mobile

However, the situation began to change when the USIM-based application came
into service. Immense potential to serve as a platform for various financial
transactions has enabled mobile devices to play an important role in the financial
industry. Concurrently, mobile finance solutions such as mobile banking, mobile
credit card, mobile electronic money and direct mobile billing service
began to appear in a number of countries and spread widely across the globe.

33 Ibid., article 28(1).
34 Ibid., article 28(2).
35 Ibid., article 39(1).

Since it is not clear whether the rules governing traditional financial transactions
would be applied to mobile finance in whole or in part, it is the right time for
UNCITRAL to make an effort to prepare a legal guide on mobile finance exploring
all possible legal issues that would have to be faced in moving from traditional or
computer-based financial transactions to mobile financial transactions.

Mobile finance is usually performed in a non-face-to-face and automated manner
without any direct contact, and this feature requires consideration of strengthening
the liability of not only financial institutions such as banks or credit card
companies but also mobile financial business operators or subsidiary mobile
financial business operators such as mobile network operators, issuers of mobile
electronic money, TSMs and payment gateways.

It is also necessary to set up a unified regulation on mobile finance defining the
various solutions of mobile finance to clarify which regulatory framework applies
to them. Furthermore, since mobile financial business operators or subsidiary
mobile financial business operators are not regulated by traditional regimes
applying to financial institutions, it is desirable to consider setting up provisions on
qualification and supervision to treat them separately.

Legal Issues and the Internet

There are many issues and questions regarding laws and the internet.
Because the internet is still fairly new, there are many unanswered
questions and precedents that have yet to be set. But I'd like to clear up
some common questions that I'm often asked.
What You Need to Know About Copyrights
Copyright laws protect original works, but not ideas or facts. The
Copyright Act of 1976 grants exclusive rights to the copyright holder. A
copyright protects original works such as: literary works, musical works,
dramatic works, pantomimes & choreographed works, pictorial, graphic,
and sculptural works, motion pictures and other audiovisual works,
sound recordings, architectural works, compilations (databases for
example), written words on a website, and software programs on a
website. The copyright holder has exclusive rights such as reproduction,
derivative works (being allowed to alter it), distribution, performance,
display, audio & video transmission.
Copyright is automatically created on original works. You do not need to
file to create a copyright. But it may be a good idea to file a copyright to
establish a public record of it, and if you ever want to pursue an
infringement suit, it will need to have been filed. You can
visit to download a copyright form. A common-law
copyright is created automatically on publication, so registration is not
required to use the © symbol. The proper way to state that something is
copyrighted is to use the © symbol, the word "Copyright" or its abbreviated version
(Copr.), the year of first publication, and the name of the copyright
owner. For example: Copyright © 2007 Off the Page Creations.
Copyrights that were created after January 1, 1978 have protection
during the life of the author plus 70 years. In the case of more than one
author, the period of protection is the term of 70 years after the death of
the last surviving member. In a case of 'Work-Made-For-Hire', the
protection term is 95 years from first publication or 120 years from the
year of creation (whichever comes first). Once copyrights expire they
become part of the public domain and are free to use by anyone. But
don't assume just because something doesn't have a copyright symbol,
that it is free to use.
In a 'Work-Made-For-Hire', the person who hires someone to create
something for them (to design a logo, for example) is the
person who holds the copyright, not the designer or author. If the work
was prepared by an employee within his job duties as requested by
his/her boss and not for a customer, the employer holds the copyright
because the employee was hired to do it for the employer and it was part
of his/her job duties.
An odd variation to the 'Work-Made-For-Hire' rule is websites
(including the 'look & feel', the software, scripts, graphics & the text). If
someone hires a web designer to create their website, the website
designer holds the copyright, unless it is specified otherwise in the
contract. Most companies state that the hiring party holds the contract
(as we state in our contract), but it's a good idea to verify who will hold
copyright to the website before signing anything.
Fair Use

'Fair Use' allows limited use of a copyrighted work. Some examples of
what is considered 'fair use' are: teaching, criticism, comment, news
reporting, and research. Only a court can decide whether a particular use of a
copyrighted work was 'fair use'.
What You Can't Do
- Copy pictures to use on your brochure or website that you found on the
  internet (even if you put up the copyright line of who holds the
  copyright, this is considered infringement)
- Purchase a license to use a photo on your brochure, then continue to
  use it on your website, flyers, and postcards unless it is stated in the
- Copy text out of a book or from a website and use it verbatim
- Put music on your website without permission
- Post an article without permission, even if it's about you
- Use an image by linking to it rather than copying it (this is still
  copyright infringement)
What You Should Do
- Purchase photos to use that are 'copyright free' and follow the license
  for the uses
- Or get permission from the copyright holder to use photos
- Purchase 'copyright free' music and follow the license for the uses
- Get permission to use articles from the writer & publisher
- You should ask permission to link to someone's website
Copyright infringers may face civil liability and also criminal liability
for felony copyright infringement if it is willful, and for financial gain,
or by reproducing and distributing a large amount.
If you are looking for a Copyright Attorney, I recommend Lexero Law
Brief Overview About Trademarks
A trademark is a word, name, symbol, device, or combination of, used
by someone to identify his product. Trademarks arise from 'use' and do
not have to be registered to be considered trademarked. There are good
reasons to register a trademark though. One reason is that, as with copyrights, it
establishes a public record. The second reason is that it needs to be
registered in order to file for trademark infringement. It also helps to
establish the trademark in other countries and to stop imports of infringing
foreign goods from entering the country. A trademark is valid
indefinitely, but if not maintained it can be lost and fall into the public
domain. For instance, if a trademark becomes a common phrase, then it
will be deemed lost and the trademarked term considered common usage
(Aspirin, Allen Wrench, Granola, and Yo-Yo are just a few examples).
Trademark registration begins with the U.S. Patent and Trademark
Office (P.T.O.). Registering a trademark can take more than a year after
the application is filed. Extensive research is involved to ensure
that a similar trademark does not already exist.
Once the trademark goes through, the ® symbol identifies a trademark
as registered with the U.S. P.T.O. The proper way to write this is - "
Registered in the U.S. Patent and Trademark Office", or the abbreviation
- "Reg. U.S. Pat. and Tm. Off." If it is not yet officially registered with
the P.T.O., the ™ symbol should be used instead.
Trademarks are protected from infringement and also dilution.
Infringement of a trademark means that another mark is so
similar that it is confusing. Dilution of a mark occurs when the
public has a strong association with the original trademark and the other
mark would take away from that association.
It is not considered infringement to make fun of a copyrighted or
trademarked work as long as it is apparent that it is not the original, but
a parody. You cannot create a domain name similar to another and make
fun of it, because it would not be evident that it was a joke until the user
actually reached the website.
Trademarks should not be used in meta-tags (the hidden keyword tags
on a web page), or in a pay-per click ad campaign. There have been
cases where this was considered infringement.
If you are looking for a Trademark Attorney, I recommend Lexero Law
Domain Name Issues
Typosquatting - where a person registers a domain name similar to a real
domain name, but with a typo, in hopes that web surfers reach it by
accident. These sites are usually filled with paid advertising links that
generate revenue for the typosquatter, not to mention the web surfer has
been tricked into believing he is on the correct site. This diverts traffic
away from the intended site. Sometimes they are routed to a competitor's
site or a pornographic site.
Cybersquatting - is when someone registers a domain name, in bad faith,
violating the rights of the trademark owner. They usually intend to extort
payment from the trademark owner, and they keep the names to sell later
to the highest bidder.
Pagejacking is when the offender copies part of an existing website, and
then puts it up on a different website to make it look like the original.
Pagejacking is used in phishing schemes, where the fake page gathers
account numbers, passwords, and personal information from the
unsuspecting user.
The Uniform Domain Name Dispute Resolution Policy (UDRP) is a
cost-effective and faster alternative to a lawsuit, when there is a domain
name dispute that needs to be resolved. This was set up by the Internet
Corporation for Assigned Names and Numbers (ICANN), the group
responsible for domain name registration.
If you are looking for a Domain Name Attorney, I recommend Lexero
Law Firm.
SPAM - and how to avoid it
Spam accounts for around 80% of all U.S. email. 20% of U.S.
residents actually buy products from spammers, and this makes it
worthwhile for them to continue to harass us with unsolicited emails.
There are no laws to prohibit spamming, but there are laws to regulate
spam. There are also laws that prevent email harvesting (programs that
read through websites looking for email addresses to add to their
database). Many states require opt-in or opt-out options in the email.
There are laws that prohibit false headings and laws against spammers
that identify their message as coming from someone else. Trademark
and unfair competition laws have been used against a spammer whose
message reads that it is coming from someone else, and in one case a
man was sentenced to 3 years in prison and $16 million in fines.
Unfortunately it is very difficult to enforce the statewide spam laws
because a sender really has no way of knowing all the states he is
sending his spam to by the list of email addresses he has.
There are some things you can do to limit the spam you are getting.
- Do Not Reply to Spam! Most times it just confirms they have reached a
  valid email address and they'll continue to send junk to you.
- Do not post your email address on your website - use a form that
  doesn't display the email, or turn the email address into an image rather
  than displaying it as text.
- Use a different email address if you must use one in news groups or
- Read Terms of Use and Privacy Statements. Don't randomly give out
  your email address unless you know how it will be used.
- Use a spam filter
- Never, ever buy from a spammer - this encourages them
Cyber Crimes
Email Spoofing is changing the email header so it looks like it's coming
from someone else. This is sadly easy to do. This is also used to try to
trick people into giving out personal information. This is illegal under
the CAN-SPAM Act.
Phishing is a scam where an official-looking email is sent to an
unsuspecting user to try to trick them out of their username, password,
or other information. They are usually directed to click on a link that
goes to a fake (spoofed) version of a real organization's website. This is
called Pagejacking. The address bar can even be altered so it appears to
be the official website. If you ever get an email requesting that you
verify information by clicking on a link, you should instead GO
LINK, to verify it. Lately phishing is even occurring in instant message
programs, in messages that appear to be coming from a friend's IM signature. Always
be cautious in this situation.
Vishing is short for 'Voice phishing' and is the latest scam. It may start
with an email or it may start with a phone call. These calls can be very
believable because often the caller already has your credit card number
and just needs you to verify the 3 digit security code on the back of your
card. Or it could be an automated system asking you to type in your
credit card or account number to verify who you are, which sounds
realistic enough.
Keystroke Phishing is when a Trojan program is unknowingly
downloaded onto your computer that tracks the keystrokes you enter
into the computer, and sends them back to the scammer, who hopes to get a
username and password from them.
Identity Theft is where a person gathers your personal information and
poses as you to get credit, merchandise, services, or to use the identity to
commit other crimes. They obtain this personal information by phishing,
database cracking, or survey. A survey asks seemingly innocent questions
about mother's maiden name, children's and pets' names, and birth dates
that can give access to a surprising number of passwords and usernames.
Once a phisher has your credit card number it can be sold to someone
who then creates a credit card to use on an ATM machine. Identity theft
is spreading on the internet, but surprisingly it is still safer to give out
your credit card number on the internet than to give it to an unknown
salesperson or waiter. 97% of all identity theft crimes result from
offline instances, not online. For instance, two places that identity
thieves get your information from are your mailbox and your trash can.
Protect Yourself from Identity Theft
- Cross-shred documents
- Review your credit report twice a year
- Be aware of billing cycles and put vacation holds on mail
- Never reveal your Social Security number unless absolutely necessary
- Don't carry seldom used credit cards or unnecessary IDs
- Be aware that identity stealers are not always strangers
- Don't give out personal information over the phone, mail or posts on
  the internet
- Take out the hard drive from a computer and destroy it before
  discarding. Even if deleted, personal information can still be recovered
  from a computer's hard drive

Cookie Poisoning is the modification, by an attacker, of cookies that are put on your
computer, in order to gain information about a user.
Spyware is software that is downloaded onto a user's computer without
his knowledge and used for malevolent purposes. It can be downloaded
simply by going to a website (called Drive-by Downloads), or it can be
downloaded unknowingly while installing another program. Spyware
can crash computers, slow performance, track emails and visited
websites, and track keystrokes that capture the user's personal
information. Programs such as Spybot, Spy Sweeper, and Ad-Aware can
be good for checking and removing these unwanted harmful programs
from your computer.
Malware is the malicious software that is developed for the purpose of
doing harm. Malware examples are Computer Viruses, Worms, and
Trojan horses. A Worm is a self-replicating virus that continues to
duplicate itself taking up memory and resources. A Trojan horse is a
hidden program that later gains control and causes damage to your
Wardriving is the practice of driving around in a vehicle with a Wi-Fi
enabled laptop looking for available signals to use. Wardriving steals
internet access and is considered a crime of telecommunications theft.

Wireless signals can be transmitted 500 feet or more and should be
protected with passwords.
Pod Slurping is stealing data by use of iPods, or downloading malicious
software via iPods.
Cyberstalking is a crime where the attacker harasses the victim using
electronic communication such as email, IMs, chat rooms, and discussion
groups. Cyberstalkers rely on the anonymity of the Internet, thinking
they cannot be caught. This may escalate to actual physical stalking.
Federal law imposes a $1,000 fine or 5 years imprisonment for anyone
transmitting in interstate commerce a threat to injure or kidnap someone.
If you are looking for a Cyber Crime Attorney, I recommend Lexero
Law Firm.
Federal Statutes
Securities Fraud is where someone uses the internet message boards to
hype up a stock to drive up the market so he can then sell and make
money. It's called the 'Pump and Dump' scheme and is illegal under
federal and state laws.

The Fair Housing Act states that you cannot discriminate on the basis of
race, gender, family status, religion, and national origin. Now that there
are many internet postings for rentals by third parties, the question is
being raised whether the same rules apply to internet postings and who should
be held responsible. The safe harbor provisions of § 230 have protected
these types of websites from libel or copyright infringement liability
provided they remove offending posts when they are notified of the
posts. The few times it has been brought up, it was settled out of court
and it was agreed to comply with the Fair Housing Act Policy and
remove the offending posts.
The USA PATRIOT Act was enacted in response to the September 11th
attack in 2001. This act allows electronic messages to be intercepted if they
are believed to relate to terrorist or criminal activity. It also allows for the
retrieval of Internet Service Providers' information without going
through a court order.
Online Gambling is prohibited or regulated in most states. Many
gambling websites originate outside of the country though, and are
impossible to shut down. The big worry with online gambling is that
minors have access and that it enables pathological gamblers. To try to
control this spreading problem, the Unlawful Internet Gambling
Enforcement Act was signed into law and makes it illegal for credit card
companies, online payment systems, and banks to process payment to
online gambling companies. There have also been instances where
online casino and gambling website owners have been caught in the
U.S. and charged with racketeering and mail fraud.
Free Speech and the Internet
The first amendment to the U.S. Constitution guarantees the right to free
speech. But there are instances when that can provoke a lawsuit. The
four main causes of action against speech on the internet are:
Defamation: "A published intentional false communication that injures a
person or company's reputation"
Breach of Contract: If an employee signs a confidentiality agreement
and then posts information about products, sales, management, other
employees, or rumors, then he may have breached his confidence and
trust to the company and be held in Breach of Contract.
Tortious Interference with Business: To file tortious interference there
must be an existing contract or business relationship, intentional
interference between the company and the business relationship, an
effect caused by the action, and damage as a result of the action
Securities Fraud: Attempts to manipulate the price of stock by giving
false information or talking it up, so that the stock price goes up, and
then selling it (Pump and Dump Schemes), is illegal
If you are looking for a Free Speech Attorney, I recommend Lexero Law
Children and the Internet
The Child Online Protection Act (COPA) makes it a crime to publish
"any communication for commercial purposes that includes sexual
material that is harmful to minors, without restricting access to such
material by minors."
Online Harassment
When a harasser uses the internet to cause substantial emotional distress
to his or her victim, this is considered Online Harassment. It can take
the form of email, chat rooms, instant messaging, newsgroup posts, or
message board posts. The largest amount of online harassment is committed
by teenagers who often do not yet understand the impact of their actions
and are not yet able to control their emotions.
Online harassment is a crime in some states. If you are harassed online,
you should archive the conversation and report them to the ISP and local
law enforcement.
When writing in a blog or posting to a message board, keep in mind that
you cannot write things about people that are not true. You can write
something bad about a person, but you can't write something that is
untrue and may affect his or her reputation. Truth is a defense to a
charge of libel (written) or slander (spoken), if it can be proven true.
Blogs can feel like a personal diary, but one should keep in mind when
writing in it, that it's not just a way to vent feelings. The world can read
it. There have been many instances of employees getting fired because
the boss didn't like being embarrassed in the blog, even if it is on the
employee's personal computer in their own time. Courts weigh freedom
of speech with the right to protect the company's public image.
Companies should add blogging policies to clarify this to employees on
hiring and avoid the confusion.
Hate Speech

Hate speech is protected under the first amendment in the U.S. except
when hate speech crosses into threats and intimidation, racial slurs, or
racial hostility. Hate speech is prohibited in most other countries.
Unfortunately the U.S. has become a safe harbor for hate group
websites. Civil lawsuits are a powerful remedy that can financially
cripple a hate group organization.
Communism and the Internet
Web speech under Communism is difficult to control. Communist China's
government has 11 agencies overseeing Internet use. They have taken
actions to block certain keyword searches and websites, and they keep
records of users and the web pages they visit. There are video cameras
and high tech software in the internet cafés and bars to prevent
customers from viewing the 'forbidden' sites. A user must enter an id
number in order to use an internet cafe computer. A blogger is required
to sign up under his or her real name, although they can write under a
pseudonym. Examples of banned websites are: a pornographic site, a
superstitious site, or websites that criticize government or the
Communist Party. Dozens of people have been sent to prison for posting
or downloading from such sites.