Summary and Impact
In an effort it describes as intended to help “level the playing field” between banks and nonbank consumer financial service providers that are sometimes characterized as “Big Tech”, the Consumer Financial Protection Bureau (“CFPB”) has issued a proposal to directly supervise large non-bank providers of digital consumer payment applications.[1] The CFPB announced the proposal on November 7. Comments must be submitted by January 8, 2024.[2]
The CFPB ‘s proposal targets non-banks that enable consumers to use digital applications to make funds transfers or to store payments credentials that they can use to purchase goods and services at the point-of-sale or in an ecommerce online environment. The proposal would draw these non-bank operators of digital funds transfers and wallet apps into its supervisory authority by defining a market for “general use digital consumer payment applications” and designate providers that exceed certain volume thresholds as “larger market participants” to be subject to the CFPB’s supervisory authority granted under the Dodd-Frank Act.[3] Under this Dodd-Frank authority, the CFPB has previously extended supervisory rights over larger participants in markets for consumer reporting (12 CFR §1090.104), consumer debt collection (12 CFR §1090.105), student loan servicing (12 CFR §1090.106), international money transfers (12 CFR §1090.107), and automobile financing (12 CFR §1090.108), though none of these markets have the same breadth of application as the current proposal.
While the specifics of any final rule and its implementation remain to be seen, and the CFPB indicates that entities will be allowed to present evidence to dispute their classification by the CFPB, the possible impact of the rule may be felt across a very broad range of businesses, many of which may not consider themselves to be primarily financial in nature. According to the CFPB, potential benefits of this supervision could be significant, as it might lead to the discovery of compliance issues and the mitigation of risks to consumers. The CFPB also notes that it would share findings with entities to help them address and rectify any uncovered problems. Though businesses that may become subject to supervision should be aware of potential costs associated with the supervisory process, and should also be cognizant of the CFPB’s history of the use of enforcement as a supervisory tool. And businesses in ecosystems impacted by the CFPB’s market definition, even if not directly subject to supervisory authority, are likely to experience indirect impacts of supervision.
Supervisory Authority and the Potential Impact of the Proposal
“Supervision” for this purpose entails an intensive form of regulation that is usually reserved for banks, bank holding companies and other depository financial institutions. Instead of regulating strictly on a reactive or periodic enforcement basis, the CFPB actively monitors a supervised entity’s operations on an ongoing basis. A supervised organization may be subject to examinations of operations, transactions and regulatory compliance performance, which are similar to audits. The CFPB may also require detailed reports on a regular and ad hoc basis.
Further, the CFPB would use the enhanced information obtained through the supervisory process to enforce other regulations that the CFPB administers that apply to conduct observed, such as unfair, deceptive and abusive acts and practices (“UDAAP”), privacy regulations, and Regulation E. The supervisory data would also be used to enable the CFPB to identify new risks as market conduct evolves. The CFPB expects these proposed supervisory activities to ensure that Federal consumer financial protection law is enforced consistently between banks and these Big Tech non-bank providers.[4]
“Larger Participants” under the Proposal
In order to become subject to the rule, larger participants would meet two tests: (1) They must provide general-use digital consumer payment applications with an annual volume of at least 5 million consumer payment transactions; and (2) must not be a “small business concern” as defined by the Small Business Administration. The CFPB estimates that approximately 17 entities would be covered by the proposed rule. These entities processed approximately 12.8 billion transactions with a total value of about $1.7 trillion, comprising 88% of the “known transactions” in the target market, based on data from 2021.[5]
Scope of Covered Market
The proposed regulation would apply to transfers of funds by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes and would include both Reg E funds transfers and extensions of consumer credit.[6]
For purposes of the proposed regulation, a covered payment functionality includes two types of uses: (1) consumer funds transfer functionality, and (2) consumer wallet functionality. “Funds transfer functionality” means (A) receiving funds for the purpose of transmitting them, or (B) accepting and transmitting payment instructions. “Wallet functionality” means a product or service that (A) stores account or payment credentials, including in encrypted or tokenized form, or (B) transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.[7]
The covered functionality must be provided to the consumer through a digital application, defined as a software program accessible to a consumer through a personal computing device, accessible from a personal computing device via a website using an Internet browser, or “activated from a personal computing device using a consumer’s biometric identifier, such as a fingerprint, palmprint, face, eyes or voice.”[8]The CFPB specifically notes that the proposed rule would not apply to merchants’ POS terminals that accept cards.[9]
Only “general use” functionality is covered. “General use” refers to absence of significant limitations on the purpose of consumer payment transactions facilitated by the digital application. The explanatory material does not use the common definition that applies to payments cards, i.e., acceptance by unaffiliated merchants, since the functionality extends to P2P payments, but the concept is similar. The term does not exclude P2P systems that require participants to register for participation or is limited to prison inmates, for example.[10] The proposed rule also provides a non-exhaustive list of use case limitations that would not be considered wide enough usage to qualify as general use:
- For purchase or lease of a specific type of services, goods, etc., such as automobiles, transportation, lodging, food, a dwelling or real property or certain financial products or services;
- Prepaid accounts for certain tax-advantaged health care, dependents care, transit, closed loop spending on military facilities, and store and LAP cards as excluded from the Reg E definition of accounts;
- To pay a specific debt; or
- To split a charge for specific type of goods or services, e. g., at restaurants.[11]
To be a covered transaction under the proposed regulation, the consumer would need to be physically located within the U.S., its territories and possessions at the time of the transaction.[12]The CFPB points out that providers that are exempt from supervision under the proposed regulation remain subject to other applicable CFPB regulatory authority.
Exclusions from the Scope of Covered Offerings
Four types of transactions would be excluded from the definition of “consumer payment transaction.” A provider would be exempt from coverage if all of its functionalities fall within the excluded transaction types. For providers that also provide covered transfer or wallet services outside of the excluded transactions, these excluded transaction types would not be counted in determining whether the provider meets the size threshold for coverage purposes. Excluded transaction types include:
- International money transfers as covered under the CFPB’s existing regulation covering that “market”;[13]
- Funds transfers that are linked (a) linked to the customer’s receipt of a different form of funds, such as for foreign exchange transactions, or (b) are excluded from Reg E under the exclusion for the purpose of sales of securities or commodities;[14]
- A payment to a merchant for purchase or lease of goods or services; or
- An extension of consumer credit that is made through an app provided by the person extending the credit.[15]
The CFPB clarifies coverage of credit card wallet transactions:
“For example, a nonbank’s wallet functionality may hold a credit card account or payment credential that a consumer uses to obtain extensions of credit from an unaffiliated depository institution. If the consumer uses the digital wallet functionality to purchase nonfinancial goods or services using such credit card, the credit card issuing bank may settle the transaction by transferring funds to the merchant’s bank for further transfer to the merchant, and a charge may appear on the consumer’s credit card account. That transfer of funds may constitute a part of a consumer payment transaction under the Proposed Rule regardless of whether it is an electronic fund transfer subject to Regulation E.”[16]
The CFPB clarifies that the reference to “funds,” although not defined in the proposed regulation, would include digital assets that “have monetary value and are readily usable for financial purposes.[17]The exclusion for “receipt of a different form of funds” would exclude a purchase of a crypto asset using a fiat currency, the sale of a crypto asset for a fiat currency or the exchange of a crypto asset for another type of crypto asset.[18]
Special Considerations for Marketplace Providers and Transactions
The CFPB draws a difficult distinction between payment transactions on marketplace websites that would be considered a covered payment functionality and those that would qualify for the exclusion for merchant payments. The Notice of Proposed Rulemaking seems to say that a wallet or payment functionality provided by a marketplace operator does not result in covered consumer payment transactions when used to pay the merchants for goods or services purchased on the operator’s marketplace website, but are not excluded from the definition or from counting toward the threshold transaction count when used in payment transactions on unaffiliated websites. The CFPB provides this interesting clarification (but doesn’t name names):
“This exclusion also would clarify that when a consumer selects goods or services in an online marketplace and pays using account or payment credentials stored by the online marketplace operator or its affiliated company[fn]such a transfer of funds generally is not a consumer payment transaction covered by the Proposed Rule. For such transaction to qualify for this exclusion, the funds transfer must be for the sale or lease of a good or service the consumer selected from a digital platform operated prominently in the name (whether entity or trade name) of an online marketplace operator or their affiliated company.[fn]However, this exclusion does not apply when a consumer uses a payment or account credential stored by a general-use digital consumer payment application provided by an unaffiliated person to pay for goods or services on the merchant’s website or an online marketplace. For example, when a consumer selects goods or services for purchase or lease on a website of a merchant, and then from within that website chooses an unaffiliated person’s general-use digital consumer payment application as a payment method, the subparagraph (iii) would not exclude the resulting payment transaction.
...
“For example, some online marketplace operators may provide general-use digital consumer payment applications for consumers to use for the purchase or lease of goods or services the consumer selects on websites of unaffiliated merchants. Absent the exclusion in subparagraph (iii), the providing of such a general-use digital consumer payment application could result in counting all transactions through such an application, including for goods and services the consumer selects from the online marketplace, toward the larger-participant test threshold in proposed § 1090.109(b). Yet the CFPB is not seeking to define a market or determine larger-participant status in this rulemaking by reference to payment transactions conducted by merchants through their own payment functionalities for their own sales transactions. How a merchant or online marketplace conducts payments to itself for sales though its own platform raises distinct consumer protection concerns from the concerns raised by general-use digital consumer payment applications that facilitate payments to third parties."[19]
The CFPB goes on to point out that the exclusion would not apply to a merchant or online marketplace that uses the stored financial or transaction data for other purposes, such as targeted marketing, data monetization, or research purposes.[20]
Conclusion
While we expect significant dialogue around the specific boundaries of coverage under the rule (and of the CFPB’s authority under Section 1024 of the Dodd-Frank Act in this particular context), providers of covered consumer financial transactions that become subject to any final rule will need to gear up for the intensified monitoring and information gathering that CFPB supervision entails. This may require staff dedicated to interfacing with examiners and other supervisory personnel as well as gathering requested data. Systems may need to be built or enhanced to provide reports with the data types and in the forms that may be requested. The CFPB does not discuss the extent of its expected regulatory activities or the information to be gathered pursuant to this supervisory authority, but if prior examples of CFPB supervision are to be a guide, covered business should expect the process to be rigorous. Potentially covered providers should internally review their compliance monitoring practices and procedures in anticipation of the CFPB’s supervisory activities. Smaller competitors who may not be covered directly by the proposed rule will also be impacted if the CFPB observes conduct that it believes should be regulated or prosecuted more broadly across the consumer payments transaction industry, and may also be impacted by changes to contractual norms or pass-through requirements that are applied by their commercial counterparties to meet their new regulatory requirements.
[1] Docket No. CFPB-2023-0053; https://files.consumerfinance.gov/f/documents/cfpb_nprm-digital-payment-apps-lp-rule_2023-11.pdf (November 7, 2023); See id. at p. 15.
[2] The deadline for submitting comments may be postponed to a date that is 30 days after the Notice of Proposed Rulemaking is published in the Federal Register, if later.
[3] Consumer Financial Protection Act of 2010, Title X, Sec. 1024 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L., 111-203, 124 Stat. 1376, 1955, (2010); 12 U.S.C. 5514(a)(1)(B)..
[4] Notice of Proposed Rulemaking, pp. 14-15.
[5] Notice of Proposed Rulemaking, pp. 46-47; See also fn 88.
[6] 12 CFR §1090.109(a)(2).
[7] Ibid; Notice of Proposed Rulemaking, p. 27.
[8] 12 CFR §1090.109(a)(2); Notice of Proposed Rulemaking, p. 31.
[9] Notice of Proposed Rulemaking, p. 33.
[10] Notice of Proposed Rulemaking, pp. 34-35.
[11] 12 CFR §1090.109(a)(2).
[12]Notice of Proposed Rulemaking, p. 27.
[13]12 CFR §1090.107(a).
[14] See 12 CFR §1005(c)(4).
[15] 12 CFR §1090.109(a)(2)(i)-(iv). Notice of Proposed Rulemaking, p. 24. The use of a credit card issued by a third party in a wallet would subject the wallet provider to the regulation if the provider otherwise falls within the definitions of coverage.
[16] Notice of Proposed Rulemaking, pp. 18, 26.
[17] Id. at pp.18-19.
[18] Notice of Proposed Rulemaking, p. 22.
[19] Notice of Proposed Rulemaking, pp. 23-25.
[20] Id. at pp. 25-26.
[View source.]