On November 7, 2023, the Consumer Financial Protection Bureau (“CFPB”) issued a proposed rule that would allow it to exercise its supervisory authority over larger nonbanks offering digital consumer payment applications, such as peer-to-peer (“P2P”) payment apps and digital wallets.
In the proposed rule, the Bureau points to the “large and increasing significance” of this market in the everyday financial lives of consumers, and cites to a number of studies regarding consumer reliance on these kinds of applications. “Supervision of larger participants, who engage in a substantial portion of the overall activity in this market, would help to ensure that they are complying with the applicable requirements of Federal consumer financial law,” including, the Bureau explains in the proposed rule, the Consumer Financial Protection Act’s (“CFPA”) prohibition against unfair, deceptive, or abusive acts and practices (“UDAAP”), privacy provisions under the Gramm-Leach-Bliley Act (“GLBA”), and the Electronic Fund Transfer Act (“EFTA”). Moreover, the Bureau asserts that the proposed rule will help to “level the playing field” between banks and nonbanks, as well as enable the Bureau to monitor new and emerging risks as new nonbanks develop new products. This proposal follows various prior Bureau releases regarding P2P payment apps, including FAQs governing application of Regulation E to P2P payments, analysis of deposit insurance coverage applicability to digital wallets, and concerns identified in service members’ use of digital payment applications.
Under the CFPA, the CFPB has supervisory authority over larger participants in nonbank markets that provide consumer financial products or services other than those that are statutorily enumerated.[1] In order to exercise its authority to supervise “larger participants of a market,” however, the Bureau must first propose a rule to define the larger participants of the market. This is the sixth such rule that the Bureau has proposed to define larger participants.[2]
Here, the Bureau’s proposed market for “general-use digital consumer payment applications” would include as larger participants a “nonbank covered person (together with its affiliated companies) [that provides] general-use digital consumer payment applications with an annual volume of at least five million consumer payment transactions” that is not a small business, as defined by the Small Business Administration. The CFPB estimates that this rule would bring 17 entities within its supervisory authority.
The proposed rule generally defines “consumer payment transactions” as payments to other persons for personal, household, or family purposes. It includes the transfer of consumer funds and transfers made by extending consumer credit, with certain exceptions.[3] The Bureau explains the four components of this definition:
- The payment transaction must result in a transfer of funds by or on behalf of the consumer. This component focuses on the sending of a payment (as opposed to the receipt of funds). This includes a consumer’s transfer of his or her own funds, such as funds held in a linked deposit account or stored value account, as well as a creditor’s transfer of funds to another person on behalf of the consumer as part of a consumer credit transaction. Notably, the CFPB interprets the term to include digital assets that have monetary value and are readily useable for financial purposes, such as cryptocurrency. However, it does not include the exchange of funds for a different form of funds (i.e., does not include the exchange of fiat currency for cryptocurrency). This is a significant development as it marks the Bureau’s first exertion of legal authority over cryptocurrency and signals that the Bureau may attempt to apply Regulation E (and associated error resolution provisions) to cryptocurrency transactions.
- The consumer must be physically located in the United States when making the transaction. This component is satisfied when the consumer uses a general-use digital consumer payment application on a device or point of sale physically located in territory of the United States, but does not apply to payments initiated by a consumer physically located in a foreign country.
- The funds transfer must be made to another person (consumer, business, or other entity) besides the consumer. This component excludes transfers between a consumer’s own deposit accounts, transfers between a consumer deposit account and the same consumer’s stored value account held at another financial institution, such as loading or redemptions, as well as a consumer’s withdrawals from their own deposit account such as by an automated teller machine (“ATM”).
- The funds transfer must be primarily for personal, family, or household purposes. Payment applications facilitating consumers to make funds transfers for other reasons (such as purely commercial or business-to-business payments) would not fall within the proposed definition.
The proposed rule would require providers of digital consumer payment applications to step up existing compliance infrastructure. Supervision entails on-site examinations, review of documentation, and extensive communication between the Bureau and supervised entities. Identified compliance failures may require remediation or, in extreme cases, trigger referral to the Bureau’s Enforcement Division. As a result, we strongly recommend that potentially affected parties review the proposed rule and consider commenting. Once the rule is finalized, interested parties may also consider performing a compliance gap analysis to identify potential areas for improvement in anticipation of a future examination.
Comments on the proposed rule are due by January 8, 2024, or 30 days after publication of the proposed rule in the Federal Register, whichever is later.
We expect that comments filed in the docket for this notice of proposed rulemaking will focus on how the Bureau has defined the relevant market(s) here. We further note that the Bureau is interested in regulating and supervising larger technology companies that offer consumer financial products. This stems from Director Rohit Chopra’s announcement regarding the Section 1022 market monitoring orders issued to large technology companies shortly after he became director in October 2021. This is one of the first steps in that effort.
[1] See 12 CFR § 5514(a)(1)(B). The CFPB also has supervisory authority over banks and credit unions with more than $10 billion in assets, as well as nonbanks that are engaged in certain statutorily enumerated industries: mortgage, payday lending, and private student lending. See 12 U.S.C. § 5514(a)(1)(A), (D), (E). The CFPB also may seek to supervise any covered person that the Bureau has “reasonable cause to determine” has engaged in conduct that poses risks to consumers in offering consumer financial products or services (also referred to as the “dormant authority provision.” See 12 U.S.C. § 5514(a)(1)(c).
[2] Previously, it has issued rules regarding the consumer reporting market (12 CFR § 1090.104); consumer debt collection market (12 CFR § 1090.105); student loan servicing market (12 CFR § 1090.106); international money transfer market (12 CFR § 1090.107); and automobile financing market (12 CFR § 1090.108).
[3] The following kinds of transactions are specifically excluded from the definition of “consumer payment transaction”: (i) an international money transfer; (ii) a transfer of funds by a consumer in exchange for a different form of funds or that is excluded from the definition of “electronic funds transfer”; (iii) a payment transaction conducted by a person for the sale or lease of goods or services that a consumer selected from an online or physical store or marketplace operated prominently in the name of such person or affiliated company; and (iv) an extension of consumer credit that is made using a digital application provided by the person who is extending the credit or that person’s affiliated company.
