The Consumer Financial Protection Bureau (CFPB) announced on November 7, 2023 that it proposes extending its supervision to larger nonbank companies providing digital wallets and payment apps. This move is prompted by the rapid growth of digital payment services, mainly driven by Big Tech, which currently escapes CFPB examinations. The proposed rule aims to hold nonbank financial companies, particularly those with over 5 million transactions annually, to the same regulatory standards applied to central banks, credit unions, and other institutions already under CFPB supervision. This expanded regulatory authority would cover digital wallets and peer-to-peer (P2P) payment platforms offered by major tech players, including giants like Google, Apple, Block, and PayPal.
The CFPB, established in 2010, has traditionally supervised specific types of nonbank consumer financial service providers, whereas the proposed rule expands this authority to include "general-use digital consumer payment applications.” According to the CFPB, a "general-use digital consumer payment application" refers to those platforms that provide funds transfer or wallet functionalities through a digital application for consumers' general use in making consumer payment transactions, as outlined in the proposed rule.
This definition sets the stage for examining various digital payment avenues:
Peer-to-Peer Payment Platforms:
Example: Venmo and Cash App
These platforms facilitate direct peer-to-peer transactions, allowing users to transfer funds seamlessly. The proposed rule will require businesses to scrutinize their operations in alignment with CFPB standards.
Example: Apple Pay and Google Pay
The inclusion of "general use" signifies the broad applicability of these digital wallets, extending beyond specific industries or use cases. Businesses must assess the functionalities of these digital wallets, considering how they enable consumers to make a range of payments, from retail purchases to online transactions.
Cryptocurrency Payment Platforms:
Example: Coinbase and BitPay
The proposed rule’s language extends its reach to innovative financial technologies, including cryptocurrency payment platforms. As cryptocurrencies become more integrated into mainstream financial transactions, the CFPB’s oversight aims to cover these digital assets.
Impact Analysis and Criteria for CFPB Supervision
According to the CFPB, the proposed rule is anticipated to cast its regulatory net over an estimated 17 non-bank payment platforms, collectively responsible for processing approximately 88% of all non-bank digital consumer payments in the U.S. This identification is not merely a statistical exercise but a strategic imperative, mandating executives assess where their platforms stand in the broader context.
To fall under the purview of CFPB supervision, these digital payment platforms must meet specific criteria. The proposed rule outlines two key parameters: an annual transaction volume exceeding 5 million consumer payment transactions and the platform not being considered a "small business concern" based on the applicable Small Business Administration (SBA) standards. The SBA standards for a small business vary based on the company’s North American Industry Classification System (NAICS) code. The criteria established by the SBA play a crucial role in determining whether a digital payment platform qualifies as a "small business concern" and, consequently, whether it falls within the regulatory scope of the CFPB.
Gramm-Leach-Bliley Act (GLBA) "Regulation P" Privacy Restrictions:
The rule imposes privacy restrictions under the Gramm-Leach-Bliley Act (GLBA) "Regulation P," impacting how nonbank payment platforms handle consumer information and requiring strict compliance. Executives must ensure their platforms align with evolving regulatory standards for how these platforms share, disclose, and use consumer data.
Electronic Funds Transfer Act (EFTA) "Regulation E" Implications:
The proposed rule places liability on digital wallet providers for fraud losses resulting from "unauthorized" funds transfers, shifting the burden to these platforms. This significantly changes how fraud-related financial liabilities are allocated in the digital payments landscape, placing the onus on providers. This will likely affect operational processes and influence nonbank payment platforms' overall risk management strategy.
Fraud Liability Shift and Consumer Reimbursement Dynamics:
Based on the current interpretation of these rules, this fraud liability shift has been honored by banks in the cases of true account takeover fraud. In other words, when a consumer has had their password compromised by a third party who transacts without their knowledge or consent. However, fraudsters have increasingly targeted P2P payment users with so-called “scam” attacks where consumers are socially engineered to log into their payment accounts and send money to fraudsters under false premises.
Consumers filing for reimbursement of these losses under Reg E have been informed that because they initiated the transaction themselves, these transactions were not “unauthorized.” Thus, the bank is not held liable based on a strict interpretation of the Reg E rules. This has been a point of contention with CFPB regulators, and the potential expansion of Reg E to include “scam” transactions initiated by the consumer is rumored to be under consideration.
Should the proposed CFPB rule bring non-bank payment platforms into this regulatory regime, any change to Reg E definitions will create additional fraud liabilities for these “scam” transactions. Further investment in technology to detect and pre-empt consumer attempts to send money to suspicious counterparties may be warranted to mitigate exposure to these potential new liabilities.