The “tag” is in the app, it is generates a unique token every time it is used, based on a unique private key in the app, just like ApplePay and normal debit and credit cards. The bank has the public key and can therefore decipher the transaction. The app is called using a URI, similar to http(s) for web, ftp for file transfer, mailto for mail etc. The URI say “open the payment app and give it this transaction information”, all the OS has to do is open the default payment app (if one isn’t active). It is a standard and open protocol that every payment terminal has to understand (I think retailers have another couple of months to get their terminals changed to NFC compatible, but I only know of 1 hairdresser who doesn’t have an NFC capable terminal around here).
As above, it is standard URI based, using an open standard. One of the beauties of the thing is that it is fairly anonymous, only the banking app and the bank know about the transaction - and then the bank only knows what the amount is and who the recipient is, there is no transfer of individual items on the bill, just the total. Machine learning to decide which app to open would break this trust.
They only have a small percentage of the smartphone market, worldwide, so it can’t be seen as anti-trust. The best that can be hoped for is that it is anti-competitive, but they have managed to weedle out of that so far - just look at the browser situation on iOS, you can install other web browsers, but click on a link in another application, your web browser doesn’t open, Safari opens.
With the law being ratified at the moment, Apple would have to comply, at least in the area of NFC payment transactions.
Not really, banks and other smartphone manufacturers have several years of proof that the system is secure - heck ApplePay uses the same system. The only possible problem is if Apple doesn’t let the apps store their private keys in the secure enclave, they would have to take care of ensuring it is properly encrypted at rest on the device.
Likewise, if the iPhone has been rooted with CheckRa1n, there is a possibility that another app could read the key, but the banking apps are generally secure and won’t install on rooted Android devices by default.