On November 7, 2023, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (proposed rule) that would allow it to supervise digital wallet and payment app providers deemed "larger participants." The proposed rule would apply to nonbank payments companies that offer digital wallets or person-to-person payments through mobile and web applications, process more than five million covered payment transactions per year and are not a "small business concern," as defined under the Small Business Act (SBA). Citing the need for such companies to "adhere to the same rules as large banks, credit unions, and other financial institutions already supervised by the CFPB," the bureau suggests that subjecting such nonbanks to the rule will ensure continued monitoring and scrutiny on a regular basis.

According to the CFPB, the nonbank payments market has a "large and increasing significance to the everyday financial lives of consumers." The CFPB believes that gaining supervisory authority over these types of payments companies will ensure compliance with federal consumer financial laws, including the Consumer Financial Protection Act (CFPA) and its prohibition against unfair, deceptive, or abusive acts or practices, as well as the Electronic Fund Transfer Act. This supervisory authority would "further the CFPB's statutory objective of ensuring that federal consumer financial law is enforced consistently between nonbanks and depository institutions in order to promote fair competition."

The CFPB estimates that this expanded supervisory authority would apply to 17 nonbanks that in 2021, according to the bureau, collectively facilitated almost $13 billion in transactions and are responsible for about 88% of known transactions in the defined market.

Comments on the proposed rule are due on or before January 8, 2024 – or 30 days after publication of the proposed rule in the Federal Register, whichever is later.

Proposed supervisory authority

Section 1024 of the CFPA gives the CFPB the authority to examine nonbank entities it defines as "larger participant[s] of a market" for consumer financial products or services.1

The CFPB's nonbank supervisory authority allows it to conduct exams to:

  • Assess compliance with federal consumer financial law.
  • Obtain information about an entity's activities and compliance systems.
  • Detect and assess risks to consumers and consumer financial markets.2

Such nonbank exams include the collection of documents, information, records and data from a company; on-site and off-site meetings and interviews; and meetings with company leadership and management. An exam concludes with issuance of a supervisory letter or examination report, which may include matters requiring attention (MRA), a memorandum of understanding (MOU), and other findings or potential violations of law. Exams also may result in the identification of violations of law, including through the Potential Action and Request for Response (PARR) process and/or a referral to the CFPB's enforcement arm (and in the case of fair lending matters, the Department of Justice), resulting in the start of an investigation – including on issues broader in scope and time frame than those examined. Touting the value of such supervisory authority in addition to existing enforcement authority, the CFPB's press release commented that "[w]hile the CFPB has enforcement authority over these companies, the CFPB has not previously had, inside many of these firms, examiners carefully scrutinizing their activities to ensure they are following the law and monitoring their executives."

Who is covered by the proposed rule?

Under the proposed rule, a nonbank covered person would be classified as a larger participant of the general-use digital payment market and subject to CFPB supervision if it provides general-use digital consumer payment applications with an annual volume of at least five million consumer payment transactions and is not a "small business concern," as defined under the SBA.

Defining the market for general-use digital consumer payment applications

Under the proposed rule, "providing a general-use digital consumer payment application" means "providing a covered payment functionality through a digital application for consumers' general use in making consumer payment transaction(s)" (emphasis added). Below, we summarize how the proposed rule defines these concepts.

Covered payment functionality

The term "covered payment functionality" includes a "funds transfer functionality" and a "wallet functionality." A "funds transfer functionality" means – in connection with a consumer payment transaction – receiving funds for the purpose of transmitting them, or accepting and transmitting payment instructions. The first aspect of this definition would generally cover payments services provided by money transmission companies licensed under state money transmission laws. (The CFPB notes that it is "aware that States have been active in regulation of money transmission ... and that many States actively examine money transmitters.")

The second element would, notably, encompass companies that are generally not subject to state money transmission laws – and that historically may not have considered themselves as covered persons under the CFPA in the first instance. The proposed rule indicates that companies that accept and transmit payment instructions may include, for example, a nonbank that accepts a consumer's instruction to send money from the consumer's banking deposit account to another person by processing the transaction through the automated clearing house (ACH) network, or by transmitting the instructions to a partner depository institution.

"Wallet functionality" means "a product or service that stores account or payment credentials, including in encrypted or tokenized form; and transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction." This can include storing credit card or other payment credentials for purchases on ecommerce websites or from brick-and-mortar merchants, or to fund person-to-person/peer-to-peer (P2P) or other types of funds transfers. In other words, even if a platform does not receive or transmit money, but only holds credentials that are processed to facilitate purchase transactions or P2P funds transfers, its activity would still likely be within the scope of "wallet functionality."

Digital application

The proposed rule would define the term "digital application" as a "software program a consumer may access through a personal computing device, including ... a mobile phone, smart watch, tablet, laptop computer, or desktop computer." Examples include applications, websites or programs activated from a personal computing device using a biometric identifier, such as a fingerprint.

General use

The proposed rule would define "general use" as "the absence of significant limitations on the purpose of consumer payment transactions facilitated by the covered payment functionality provided through the digital consumer payment application." Notably, the proposed rule would establish that a digital consumer payment application that is limited solely to facilitating P2P funds transfers (e.g., cannot be used for purchase transactions) would still qualify as having general use.

Some digital applications with limited payments functionalities would not be considered "general use," such as functionality that is solely for purchase or lease of a specific type of goods – including transportation, lodging, food, etc. These limitations would appear to potentially exclude platforms on which payments have a specifically defined, limited purpose – such as ridesharing or vacation rentals.

Consumer payment transactions

The most significant part of the proposed rule is what does and does not constitute a "consumer payment transaction." The proposed definition is straightforward: "the transfer of funds by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes." But there are some significant inclusions and exclusions.

The proposed rule states that a "transfer of funds" would encompass not just a consumer's transfer of their own funds (e.g., from a linked bank account or stored value account) but also a creditor's transfer of funds. Hence, even though a credit card payment is not an electronic fund transfer subject to Regulation E, the proposed rule would cover the use of digital wallet functionality to purchase nonfinancial goods or services using stored credit card credentials.

Additionally, the CFPB states that it believes that "funds" for purposes of the CFPA include "digital assets that have monetary value and are readily useable for financial purposes, including as a medium of exchange." So, a transfer of funds in the form of digital assets that otherwise meets the criteria for the proposed market definition would be within scope of the proposed rule.

Additionally, the proposed rule would exclude four types of transfers from the scope of the proposed definition of a consumer payment transaction:

  1. International money transfers.
  2. Transactions for the purpose of exchanging one type of funds for another – such as foreign currency purchases or purchases and sales of digital assets.
  3. Payment transactions for sale or lease of goods or services conducted with a consumer by an online or physical store or marketplace "operated prominently" in the name of the store or marketplace.3
  4. An extension of consumer credit made using a digital application provided by the person who is extending the credit or that person's affiliated company.

The fourth exclusion focuses on payments and is not intended to encompass lending. As the CFPB explains, as a result of this proposed exclusion, for example, a nonbank that provides a digital application through which consumers can borrow money to purchase goods or services would not be participating in the proposed market.

Defining a larger participant in the general-use digital consumer payment application market

The proposed rule would define a "larger participant" of the general-use digital consumer payment application market as a nonbank covered person that provides general-use digital consumer payment applications with an annual volume of at least five million consumer payment transactions. This five million annual transactions threshold would be aggregated across affiliated companies and would include "the aggregate annual volume of both consumer-to-consumer or consumer-to-business transactions facilitated by all general-use digital consumer payment applications" in the preceding year.4

However, in order to be a larger participant, the nonbank covered person also must not be a "small business concern," as defined by the SBA.5 An entity would be a small business concern, and therefore not a larger participant (if the criteria were otherwise met), if its size was at or below the threshold for its primary industry as set forth in the rules implementing the SBA.

Looking ahead

The proposed rule is the latest action by the CFPB to curtail risks it perceives in the payments space and Big Tech – including through interpretive guidance and public inquiries of some of the nation's largest tech companies. It also hits many of the themes emerging from the CFPB, including a focus on fair and competitive business practices, which the bureau believes benefits consumers, including by driving down product costs. Also of note is the bureau's statement within its commentary to the proposed rule that the CFPB's proposed supervisory authority would not only ensure companies are monitoring their compliance with consumer protection laws, but also confirm they are "monitoring their executives" – highlighting the risks of noncompliance not just for entities but also for individuals, another CFPB theme.

Entities engaged in payments-related activities, including ACH processing services and bank partnership activities, will need to carefully review their services to evaluate whether the proposed rule might apply to their business.

Entities outside the scope of the proposed rule's reach may want to evaluate how the existence of this larger participant rule could impact longer-term growth and related strategy.

The proposed rule has significant implications – not just for the way in which companies comply with federal consumer protection and other applicable laws, but how they do so, including the effectiveness of their compliance management systems. Exam management is more than just showing compliance; issues such as record retention, change management and privilege all come into play when considering how to prepare for a potential exam. For examined entities, building the right regulatory relationship may be as important as demonstrating compliance with the laws at issue.

Footnotes

1. This proposed rule would be the sixth CFPB rulemaking to define larger participants of markets for consumer financial products or services for purposes of the CFPA, adding to existing rules covering participants in the following markets – consumer reporting, consumer debt collection, student loan servicing, international money transfers and automobile financing.

2. The CFPB also has authority to require submission of certain information for purposes of assessing whether a person is a larger participant of a covered market. See 12 CFR 1090.103(d).

3. Under the proposed rule, a transfer of funds in connection with a consumer purchase on an online marketplace using account or payment credentials stored by the marketplace would not be considered a consumer payment transaction. If, however, the online marketplace operator also provides a general-use digital consumer payments application (e.g., the ability to use credentials stored with the online marketplace platform for purchases on third-party websites), such activity would be covered and counted toward the larger participant test thresholds.

4. Note that the CFPB is "considering one major alternative" to the proposed rule: a different transaction volume threshold set, for example, at 10 million aggregate annual consumer-to-consumer or consumer-to-business transactions. Changing this transaction volume could bring additional nonbank entities under the CFPB's supervisory authority.

5. 15 USC 632(a).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.