QR code payments require new consumer rights protection

By LI SIQI / 12-20-2018 / (Chinese Social Sciences Today)

A customer scans a QR code for payment at a market in Hohhot, Inner Mongolia, on Oct. 18, 2018. Photo: IC


QR code, also known as Quick Response code, is a comprehensive electronic tag technology that integrates information coding, image processing, information transmission and data encryption into a two-dimensional barcode. Today it serves as an important medium for information collection and transmission.


Impact on monetary law
The card-free and cashless scan payment facilitated by QR codes not only challenges traditional monetary law, but also has a revolutionary impact on the effective functioning of China’s central bank.

First, scan payment has challenged the concept of traditional currency. The digitization of monetary funds, including scan payment, has exerted an aggressive and subversive effect on traditional currencies, affecting everything from the form of traditional currency to the entity itself. The form and issuance of money is the cornerstone of monetary law.

Though the third-party mobile payment service providers are not intentionally trying to erode and challenge the central bank’s right to monopolize currency issuance, in practice that is precisely what is happening.

Second, QR code payment has impacted the effectiveness of the central bank’s monetary policy. Digital money may eventually form its own supply-chain mechanism. Without proper prudence and guidance, it will not only change the monetary supply channel, supply mechanism and multiplier, but also directly affect the central bank’s monetary control and monetary policy effectiveness.

Nowadays, no electronic payment, including QR code payment, has yet derailed the current operating monetary ecology and normative system. Rather they have altered the payment methods. In the discussion of electronic currency, the establishment of its issuance right is an urgent issue.

In reality, the established role of the central bank is the product of the development of cash and credit in the commodity economy and the necessary result of a society that enjoys economic security, political stability and social harmony.

It would be legally retrogressive to recklessly grant the issuance right of currency to commercial banks and third-party payment institutions. If that is the case, it is likely that we will face the risk of systematic financial crisis due to failures in the issuance market. Therefore, scan payment only refers to the electronic payment method and currency, not a takeover of the monetary function of the central bank.

Nonetheless, to make effective monetary policy, the central bank must have an internet mindset. Though electronic money prevails, its existence cannot be separated from the real economy, nor from the concept of traditional paper money issuance and regulation.

Therefore, the electronic currency operation of third-party payment institutions must abide by the following principles. First, the total amount shall not exceed the balance in the mobile payment account. Second, payment institutions should not issue vouchers that exceed their net assets but rather in proportion to them. At the same time, these institutions shall not violate the prohibitive or restrictive provisions of the Law of the People’s Bank of China. Third, the institutions’ capital cycle must submit itself to the central bank’s cyclical dynamic management. Fourth, electronic money data must be subject to on-site and off-site inspection and supervision by the central bank.


Unauthorized payment
QR code payment is a non-direct contact transaction chain involving the participation of consumers, merchants, third-party payment service providers, wireless communication operators and other parties. In this circular chain, the two-dimensional code serves as an information locus. The fundamental source of transaction risk is that the generation stage of the two-dimensional code is not properly monitored.

In QR code payment, the major risks that it bears are Trojan horse implantation, malicious URLs, fraudulent QR codes and information hijacking.

It is the responsibility of consumers to guard their transactions, but in the asymmetric relationship of technology, information and human resources, it is also the responsibility of payment service providers to ensure non-risk transactions. As of today, payment password is the user’s first and last defense. In scan payments, if this line of defense is broken by outsiders due to the incompetence or marketing strategy of payment institutions, and then the resulting losses are borne by vulnerable consumers due to the legal preparations of payment institutions, that obviously violates the fairness and justice of the law.

Though payment institutions have avoided unauthorized transaction risks through format clauses in their online and offline agreements, there is uncertainty about how the court will rule legal disputes. In order to realize the fair protection of interests and provide necessary support for the new financial form of scan payment, China’s laws can be developed in the following aspects.

To start with, there should be a reconfiguration of the burden of proof. From the perspective of legal procedure and the distribution of litigation rights, the he-who-sues- provides-evidence principle is relatively reasonable. However, in internet finance, where the transaction data is all under the service provider’s control, it doesn’t seem reasonable to require consumers to provide strong evidence against  service providers. Legislators should view matters as they are and establish the principle of inversion of burden of proof for payment institutions, so as to overcome the rigidity of traditional rules of proof provision that are fair in form but unfair in substance.

As such, this would not only force payment institutions to develop and upgrade their anti-virus software and regulate merchants’ payment collection behavior, but also promote the timely ongoing revision of evidence rules in the context of big data.

In order to control risks, the central bank has set a daily limit of 500 yuan for static barcode payments. However, the shortage of domestic demand is a major bottleneck in China’s economic development. Such a ceiling is not only harmful for the development of businesses, but also not conducive to the creation of jobs in China. A better approach is that we should focus more on regulating third-party payment institutions rather than users.

Knowledge is a disinfectant to prevent and eliminate the risk of unauthorized transactions. Financial literacy education is necessary. Users should be told about the technology behind QR codes, their potential risks, Trojan virus prevention, system update procedures, financial information privacy, and additional official apps and software that can be downloaded.

In order to guide the healthy development of China’s third-party payment industry and encourage payment institutions to develop reliable customer identification technologies, such as fingerprint identification and iris identification, it is necessary to establish a limited liability system for users to bear losses for unauthorized transactions, such as 5 percent or 10 percent of the losses.


Safeguarding users’ information
The awareness of personal information protection in China has improved, but it still lags far behind the demand for big data development, which is mainly reflected in the following aspects.
First, the absence of the basic concept of privacy directly leads to difficulty in the legislation and practice of financial privacy and the protection of information rights.

Second, the status of payment institutions cannot meet the requirements of information protection. In fact, third-party payment institutions can no longer be defined as traditional financial institutions such as commercial banks and securities companies. If current laws fail to interpret financial institutions in a timely manner, it is not only detrimental to the innovative development of the economy and financial industry, but also to the protection of the rights and interests of financial consumers, including the right to privacy.

Third, financial privacy is a human right and has great value. It is directly related to the core interests of consumers. To some extent, to protect such interests is to protect and regulate the market, guaranteeing financial security.

Fourth, there is an imbalance of discourse power. For the disclosure and use of information, when consumers can only make a yes or no choice between format agreement and scan payment, they do not have much right of choice.

In this light, it is advised to keep pace with the times to disseminate the concept of information rights and clarify the relationship between information rights and traditional privacy rights.

It is also necessary to restore the regulatory financial status of third-party payment institutions. Under the current normative system, third-party payment institutions are still excluded from the category of financial institutions. This should be done not just out of the pursuit of authenticity, but out of the protection of consumer’s already weak position in the power-dynamic.

Finally, we must strengthen the professionalism and accountability of information rights protection. The cost of violating the right to information in terms of civil, administrative and criminal liability should be increased, especially the amount of civil compensation.


Li Siqi is a professor from the School of Law at Hunan University.

(edited by YANG XUE)