Certain financial technology (FinTech) firms will soon be subject to the Consumer Financial Protection Bureau’s (CFPB) supervisory authority under the Consumer Financial Protection Act, and should be prepared accordingly.

The CFPB’s proposed rule, published Nov. 17 in the Federal Register, would subject “larger participant” nonbank firms that offer ‘‘general-use digital consumer payment applications,” such as digital wallets and payment apps, to the same rules as large banks, credit unions, and other financial institutions that are already supervised by the CFPB.

Regarding the need for the rule, the CFPB expressed concern that Big Tech and other nonbank firms operating in consumer finance markets blur the lines that traditionally separated banking and payments from commercial activities, putting consumers at risk. The CFPB noted in the proposed rule that it has “has not previously had, inside many of these firms, examiners carefully scrutinizing their activities to ensure they are following the law and monitoring their executives.”

In a prepared statement, CFPB Director Rohit Chopra said the rule would ensure that “large technology firms and other nonbank payment companies are subject to appropriate oversight.”

Scope of proposed rule

The rule proposes to apply to nonbank firms that handle at least five million “covered consumer payment” transactions per calendar year, aggregated among affiliated companies. The proposed rule defines ‘‘consumer payment transaction’’ as the transfer of funds in the form of digital assets “by or on behalf of a consumer physically located in a state to another person primarily for personal, family, or household purposes.”

According to the CFPB, this definition would be satisfied when a consumer uses a general-use digital consumer payment application on a personal computing device or at a point of sale that is physically located in a state, within the jurisdiction of the United States. “By contrast, with this limitation, if a consumer is physically located outside of any state at the time of engaging in a payment transaction, then the payment transaction would not be a consumer payment transaction covered by the proposed rule,” the CFPB said.

The CFPB said it believes that the five million threshold is reasonable, in part, because it would enable the CFPB to cover in its nonbank supervision program both the very largest providers of general-use digital consumer payment applications, as well as a range of other providers of general-use digital consumer payment applications that play an important role in the marketplace.

The CFPB estimates that the proposed threshold would bring within the CFPB’s supervisory authority approximately 17 entities that constitute “larger participants.” The CFPB further estimated that these 17 entities collectively facilitated about 12.8 billion transactions in 2021, with a total dollar value of approximately $1.7 trillion, and are responsible for approximately 88 percent of known transactions in the nonbank market for general-use digital consumer payment applications.

Some legal experts believe the CFPB’s approximation of 17 entities that meet the proposed threshold is likely a significant underestimation, because of how it defines some of the terms in the proposed rule. For example, under proposed rule a “qualified payment” under the definition of “funds transfer functionality” means “receiving funds for the purpose of transmitting them,” or “accepting and transmitting payment instructions.”

Similarly, the proposed definition for “wallet functionality” is defined as a product or service that stores account or payment credentials, including in encrypted or tokenized form; and transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.

In practical terms, this means “you don’t even have to receive or transmit money if you are just merely directing traffic, which a lot of FinTechs do,” said Keith Barnett, a partner at law firm Troutman Pepper, speaking on a podcast discussing the proposed rule. Moreover, for small to mid-sized FinTechs, the five million transaction threshold will be “very easy to hit,” he added. “That is something that businesses need to look out for.”

Broad supervisory authority

The broader significance of the CFPB’s proposed rule cannot be overstated, “because being subject to CFPB supervision is an enormous sea change for an industry,” said Chris Willis, co-leader of Troutman Pepper’s Consumer Financial Services Regulatory Practice Group, who also spoke on the podcast.

As the CFPB explained in the proposed rule, generally CFPB examiners will “contact the entity for an initial conference with management and often request records and other information. CFPB examiners ordinarily also review the components of the supervised entity’s compliance management system.”

Based on these discussions and a preliminary review of the information received, examiners will then “determine the scope of an on-site or remote examination and then coordinate with the entity to initiate this portion of the examination,” the proposed rule states.

Whether on-site or working remotely, examiners spend some time on the following:

• Discussing the entity’s compliance policies, processes, and procedures;
• Reviewing documents and records;
• Testing transactions and accounts for compliance;
• Evaluating the entity’s compliance management system; and, in some cases,
• Conducting other supervisory activities, such as periodic monitoring.

CFPB examinations are a very intense undertaking, Willis explained, typically involving multiple CFPB examiners coming onsite “focusing their entire attention on the operations of a single company for six to eight weeks.” These examinations are accompanied by numerous initial information requests and potentially as many as 200 follow-up requests, he said.

Also, be prepared for the CFPB to “look at all kinds of internal reporting data” during an examination, including information protected by attorney-client privilege, Willis added. That level of access gives the CFPB the ability to uncover aspects of a company’s operations that never would have been discovered by looking at the company from the outside the walls of the company, he said.

Moreover, these intense supervisory examinations are just the first step in the process, because once the CFPB uncovers the information it needs, it can pressure the business to change its compliance practices, or bring forth an enforcement action. “There’s a lot of pressure for companies to agree to business practice changes that are suggested in a hard or soft way in supervision,” Willis said. “And, thereby, it gives the Bureau a lot of ability to affect change in a business through supervision.”

In practical terms, the CFPB will “know much more about what you’re doing, exert much greater pressure on you both with respect to your compliance efforts and your substantive business practices bearing a much, much greater risk of public enforcement activity,” Willis said. “And we would expect the same thing to occur in the payment’s industry once this rule is finalized.”

CFPB seeking comment

Considering the potentially broad scope of the rule, and the increased enforcement risk that it portends to bring, prudent companies will want to have their concerns heard through the CFPB’s comment process. The CFPB is seeking comments, for example, on the proposed definition of “funds transfer functionality” and “wallet functionality,” whether they should be modified, and if so, how and why.

Comments must be received on or before Jan. 8, 2024.

To learn more about this topic, and ACI 8th Annual Legal, Regulatory and Compliance Forum on FinTech & Emerging Payment Systems taking place April 9 – 10, please visit AameriCanconference.com/fintech-emerging-payment-systems