Consumer use of "buy now, pay later" (BNPL) products and programs has proliferated over the last few years. While federal oversight has not been extensive to date, new guidance from the Office of the Comptroller of the Currency (OCC) likely signals heightened attention and may be the precursor to more enforcement or supervisory developments. In addition to the OCC, the CFPB has been examining BNPL products over the last few years and is continuing to examine the applicability of consumer financial laws to BNPL products.

The OCC does not criticize BNPL activities, noting that if BNPL products are used responsibly, they "can provide consumers with a low-cost, short-term, small-dollar financing alternative to manage cash flow." Rather, the guidance highlights the risks associated with providing BNPL products—for both banks and consumers—and offers guidance to mitigate them.

The guidance is directed to all banks, including community banks, under the OCC's supervision that offer BNPL products.

Covered BNPL Products

While BNPL products come in different forms, the guidance is focused on BNPL products that are payable in four or fewer installments and carry zero percent interest and no other finance charges.

Risks Associated with BNPL Products

Nevertheless, the OCC notes that BNPL products may carry risks for both banks and consumers.

• Credit reporting issues. BNPL may be used at higher rates by individuals with limited or no credit history, and BNPL loans are currently not routinely reported to credit bureaus. This may present challenges when evaluating individuals for BNPL loans during underwriting, which may present challenges to banks offering their own BNPL products or in a third-party BNPL partnership.
• Disclosures, UDAAP. The lack of clear, standardized disclosure language could obscure the true nature of the loan, result in consumer harm, or present potential risks of violating prohibitions on unfair, deceptive, or abusive acts or practices.
• TPRM. Third-party relationships may increase a bank's exposure to operational and compliance risks because the bank may not have direct control of the activity performed by the third party (e.g., vendors).
• Operational risk. The highly automated nature of BNPL products, with instantaneous credit decisioning and frequent strong reliance on third parties, may present elevated operational risk, including fraud risk.
• Default risk. BNPL structures may present elevated first payment default risk resulting from fraud or borrower oversight. With loan payments typically tied to a debit or credit card, overextension can also result in secondary fees charged to the borrower, such as overdraft, non-sufficient funds, and late fees.

Compliance and Risk Management Expectations

To combat these risks, the guidance outlines expectations for OCC-supervised banks and is broken down into five areas: credit risk management, credit bureau reporting, operational risk management, third-party risk management, and compliance risk management.

Credit Risk Management

• Banks should establish policies and procedures for BNPL products that address loan terms, underwriting criteria, methodologies to assess repayment capacity, fees, charge-offs, and credit loss allowance considerations. This is consistent with the OCC's concern for delinquencies and losses for banks more generally.
• Banks should develop underwriting criteria and repayment assessment methodologies that provide "reasonable assurance that the borrower can repay the debt" and use debt-to-income, debt-to-assets, residual income, deposit account information, and alternative data to make those decisions.
• In addition to ongoing monitoring and reporting processes that capture the unique characteristics of BNPL products, forecasting, analytics, and stress testing should consider BNPL products, their structures, risk characteristics, and revenue streams.
• The OCC also notes that methods of collecting BNPL debt may differ (e.g., shorter time frames) from practices for more traditional debt collection practices, as well as communicating with delinquent BNPL borrowers.
• Because traditional credit metrics (e.g., loans bucketed by delinquency over 30 days past due) tend to be lagging indicators that might not promptly identify trends and issues in loans of four installments or less, the OCC identifies specific charge-off and allowance for credit losses expectations:
  • Charge-off practices. The OCC notes that some banks classify unsecured loans as a loss once a certain past-due status is reached, such as at 120 or 180 days past due. However, a loan should be classified as loss if the full collection of principal and interest is not expected, notwithstanding the number of days past due. Charge-off policies should be commensurate with the shorter nature of the BNPL products.
  • Allowances for credit losses. BNPL products should be incorporated into a bank's allowances for credit losses method under ASC Topic 326. Bank management should consider the same factors for BNPL products as it does when estimating expected credit losses for longer-term loans—but the methods used may differ from those used for longer-term loans. For instance, historical losses may need to be adjusted because of the shorter terms of BNPL products.

Credit Bureau Reporting

The OCC states that banks offering BNPL products or working with third parties to offer BNPL products should submit information to credit bureaus in a timely manner, in compliance with the Fair Credit Reporting Act and its implementing regulations. The OCC believes that this would aid banks in identifying an applicant's total debt obligations when evaluating repayment ability and would avoid overextending borrowers through multiple concurrent BNPL products. According to the OCC, the three major credit bureaus have announced that they will begin to include BNPL transactions for credit reporting purposes. To the extent BNPL products are reported, banks must comply with the Fair Credit Reporting Act and Regulation V.

Operational Risk Management

Banks offering BNPL products or working with third parties to offer BNPL products should ensure to assess fraud risk controls to mitigate the risk posed by the highly automated nature of BNPL products. The OCC has stated that BNPL products may carry heightened operational risk, including fraud risk, because BNPL products use automatic credit decisioning and there is typically a reliance on third parties. Furthermore, because of the brief term of the loans, merchandise returns and merchant disputes may be problematic for BNPL borrowers and lenders, and BNPL providers should ensure any BNPL program has returns and disputes policies that take into account the short-term nature of BNPL loans.

The guidance cautions that BNPL loan structures may present elevated first payment default risk resulting from intentional fraud or borrower oversight. Because checking account transactions are not settled in real time, the first payment (usually 25 percent of the loan amount required at purchase) could fail because of insufficient funds when the transaction settles. The guidance explains that banks should have controls to identify the potentially fraudulent activity in a timely manner, take steps to mitigate loss, and recognize charge-offs in a timely manner.

The OCC also notes that a bank's models used for the BNPL products—be they related to marketing, credit decisioning, customer service, or fraud risk—should be subject to sound model risk management and incorporated into the bank's model risk management processes, including any third-party models that the bank uses.

Third-Party Risk Management

Consistent with the interagency TPRM guidance, banks using a third-party service provider in their BNPL programs are expected to effectively manage the risks arising from the relationship, incorporate the relationship into their third-party risk management programs, perform the necessary due diligence, and meet the other expectations concerning third-party service providers. While banks can outsource various functions, they cannot outsource the legal risk or ultimate responsibility for compliance with applicable laws and regulations. Notably, the OCC guidance identifies merchants themselves as third parties for banks to manage within the bank's third-party risk management framework.

Compliance Risk Management

The guidance provides that bank management should give close attention to the delivery method, timing, and appropriateness of marketing, advertising, and consumer disclosures to ensure that they all clearly state the borrower's obligations under the contract, as well as any fees that apply. The guidance also notes that management should consider billing dispute and error resolution rights and practices relating to automatic payments, multiple representments, and late fees.

Consumer Financial Protection Concerns

The guidance is a salient reminder of the consumer financial protection compliance risks that banks face when offering BNPL products themselves or with a third party. The OCC enumerates important consumer financial protection laws and requirements that banks should consider when implementing a BNPL program, such as the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Electronic Funds Transfer Act, and the prohibition on unfair, deceptive, or abusive acts and practices.

In addition to banks, these requirements may apply directly or indirectly to non-bank BNPL providers. With banks and others on notice, OCC enforcement actions and supervisory criticisms may follow in this space. The guidance may also be helpful for entities that are not supervised by the OCC and likely aligns with the CFPB's attention to BNPL's credit-like features.

To date, the CFPB has not taken a public enforcement action against a BNPL provider. However, the CFPB has signaled increased scrutiny of BNPL products and providers, including in a 2023 report and a 2022 report and in various speeches. Together with the OCC guidance, BNPL is a likely area for supervisory oversight and enforcement in the near term.

While the CFPB has not released anything new in conjunction with the OCC's guidance, two aspects of the OCC guidance could be the focus of subsequent CFPB or interagency scrutiny: ability to repay and disclosures.

• Ability to Repay. The guidance's discussion of ability-to-repay requirements may be an area the CFPB incorporates into its own future guidance or potential rulemaking. The CFPB sought to incorporate express ability-to-repay requirements into its Payday Lending Rule, but received significant pushback and later rescinded the requirements. Such a requirement would likely be the subject of extensive industry comment.
• Disclosures. The lack of standardized disclosures is identified by the CFPB's reports as an area of focus. Currently, BNPL providers are not required to comply with consumer credit disclosure statutes, like the Truth in Lending Act (TILA), though some providers do provide TILA-like disclosures. The CFPB, and other agencies, may ultimately interpret BNPL products as falling under TILA requirements.

Bank and non-bank BNPL providers should review the guidance and consider where there may be gaps in their own compliance management systems. Non-bank service providers to banks that offer BNPL products should also review the guidance to understand how the supervisory expectations for banks may affect contractual expectations, program requirements, and possible supervisory criticisms and enforcement actions.