Analysis of a potential game-changer: In the fall of 2021 the Consumer Financial Protection Bureau asked big tech companies including Amazon, Apple, Google, Meta, PayPal and Block for numerous details about their payment activities. After extensive study it published a proposed rule in late 2023 that could subject large digital payment companies to federal examinations for the first time.A pending proposal at the Consumer Financial Protection Bureau could pull the largest nonbank digital payments players under a direct federal examination process, something they’ve not experienced up until now. That may level the competitive playing field somewhat. However, the financial institutions that some of the nonbanks work with should familiarize themselves with the proposed rule.
The proposed rule we’re going to cover is expected to be finalized before fall 2024. If implementation of the proposed rule is not slowed down or stopped by legal challenges — or a change in the executive branch of government — the supervisory examinations will likely begin during the summer or fall of 2025.
What activities will be covered? Broadly, payment apps, person-to-person apps, digital wallets and other such products offered by nonbanks. However, the proposal includes several critical details concerning the types of firms that will be covered.
How the CFPB Proposes to Take on Large Fintech Payments Players
On Nov. 7, 2023, the CFPB issued a proposed rule titled “Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications.” The proposed market will cover “providers of funds transfer and wallet functionalities through digital applications for consumers’ general use in making payments to other persons for personal, family, or household purposes.”
The period for comments on the proposed rule closed on Jan. 8.
Larger participants will be non-banks and their affiliated companies that:
- Provide general-use digital consumer payment applications,
- with an annual volume of at least five million consumer payment transactions (combined) in the preceding calendar year,
- by or on behalf of a consumer physically located in a state,
- to another person, and
- primarily for personal, family or household purposes.
If passed in its current form, the new category of larger participants will be a game changer because payments companies and other fintechs that are not currently supervised by the CFPB will be subject to supervisory examinations.
Before the supervisory examinations begin, the CFPB will send the companies a letter detailing the documents that the bureau wants the company to upload to the CFPB’s portal before on-site examinations.
During the supervisory examinations, the CFPB will review, analyze and scrutinize all of the company’s information while determining whether the company is in compliance with federal consumer financial protection laws the CFPB enforces. This process can take several months. While the CFPB has not stated which consumer financial protection laws will be reviewed, expect Regulation E, data sharing, privacy and unfair, deceptive, or abusive acts or practices (UDAAP) to be a significant focus.
The CFPB believes that only 17 companies will be “larger participants” under these standards. While the bureau does not list the names of the 17 companies that it expects to be regulated, the general assumption is that it will focus first on the large tech players to whom it sent requests for information several years ago, such as Apple.
Any nonbank covered person that qualifies as a larger participant will remain a larger participant until two years from the first day of the tax year in which the person last met the larger-participant test.
Read more: Consumers Have Embraced Digital Wallets. But They Also Want Them to Be Better
How the Proposed Rule Would be Applied
Through the proposed rule, the CFPB seeks to “level the playing field between nonbanks and depository institutions.”
Since its inception, the CFPB has supervised depository institutions that hold at least $10 billion in assets, and some of these depository institutions already provide general-use digital consumer payment applications.
Presumably referring to the states that require money transmitters to obtain state money transmitter licenses, the bureau notes that “there is no Federal program for supervision of nonbank covered persons in the market for general-use digital consumer payment applications with respect to Federal consumer financial law compliance.”
Notwithstanding that point, many fintechs that have been partnering with the large financial institutions, who would be covered under the proposed rule, are already subject to examinations by the CFPB or the financial institutions’ prudential regulators under the Bank Service Company Act.
The proposed rule will firmly place the tech firms in the supervised entity category instead of their being considered simply a service provider of a supervised institution.
Read more: P2P Apps Now Dominate Payments Between Individuals, Eclipsing Cash
Key Definitions in the CFPB Proposed Rule
The proposed rule lays out some key definitions concerning what activities are covered:
A. General Use
The CFPB broadly defines the term “general use” as the “absence of significant limitations on the purpose of consumer payment transactions facilitated by the covered payment functionality provided through the digital consumer payment application.”
In the payments world the term “general use” typically refers to a card or digital wallet that can be used to make a payment for any reason to any retailer or wholesaler. However, the proposed rule’s definition of “general use” includes “closed-loop” transactions, which are transactions that can only be made to a certain retailer or group of retailers.
Sending funds to friends and family through a mobile application requiring all parties to sign up for that mobile application, for example, is considered to be “general use” and will count towards the five million transaction threshold. The CFPB also notes that a payment application may still have general use if the application is used by a limited group of consumers, such as individuals in jail or prison, because it may be used for a wide range of purposes, albeit within a closed environment (e.g., the prison where the person is incarcerated while the person is incarcerated).
Read more: When Will Mobile Banking Finally Kill the Plastic Credit Card?
B. Covered Payment Functionality
The definition of “funds transfer functionality” is one of the components that falls within a covered payment functionality.
In turn, funds transfer functionality falls within two sub-categories.
First, a transaction counts toward the five million transaction threshold when the company receives funds and transmits the funds to another party — which is money transmission under state laws. A company does not have to “physically” receive and send funds, however, for activity to count toward the five million transaction threshold.
A transaction will count toward the threshold if a company simply receives and sends payment instructions without actually touching the funds. This will include, for example, companies that partner with a financial institution for a for-the-benefit-of (FBO) account.
Many payments companies enter into relationships with financial institutions whereby the financial institution holds an account in its name and tax identification number, and a payments or fintech company has an agreement with the financial institution to send payment instructions to the FBO account. The payments or fintech company never holds, transmits or receives any funds.
Digital wallets also count toward the five million transaction threshold, which the CFPB calls “wallet functionality.”
Wallet functionality is “a product or service that: (1) stores account or payment credentials, including in encrypted or tokenized form; and (2) transmits, routes or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.”
Therefore, like funds transfer functionality, wallet transfer functionality counts toward the threshold if the company is either moving funds to and from a digital wallet, or if the company is merely keeping a record of the underlying provider’s account.
Read more: Affirm Goes Big: How It Intends to Go Beyond BNPL to Own Payments
C. Consumer Payment Transactions
Not every payment counts toward the five million transaction threshold.
The definition of “consumer payment transaction” excludes “[a]n extension of consumer credit that is made using a digital application provided by the person who is extending the credit or that person’s affiliated company.” As presently written, this exclusion from the proposed rule does not include fintechs that partner with a financial institution.
The section-by-section analysis of the proposed rule recognizes “that the payment transaction must result in a transfer of funds by or on behalf of the consumer,” which “focuses on the sending of a payment, and not on the receipt.”
Notwithstanding, a fintech may assist with transfers of funds on behalf of the consumer or process payments made by the consumer. In these situations, the financial institutions issue the credit extended to consumers and the fintech is typically not involved in the receipt, storage or transmission of funds related to the issuance of the credit.
This appears to be excluded from the coverage of the proposed rule, as it is the financial institution that is extending consumer credit by transferring funds directly to the consumer. However, the fintech may provide a mobile application whereby the consumer can make a payment. While the fintech may be involved in the receipt of funds, which is excluded from the proposed rule, it may also provide the mobile application to facilitate the consumer’s sending of payment to a financial institution. This appears to be included and count toward the five million transaction threshold.
Moreover, the exclusions from the definition of “consumer payment transaction” do not consider fintechs that partner with financial institutions to offer deposit products. These fintechs may have digital applications that fall within the definition of covered payment functionality. The analysis states that taking deposits is not covered by the proposed rule, but at this writing it remains unclear whether this statement applies to fintechs.
Financial institutions’ regulators examine relationships with fintechs as part of financial institutions’ engagement in these partnerships.
The financial institutions are responsible for monitoring their service providers and properly managing third-party risk. Moreover, many of the fintechs are also regulated under other state regimes such as money transmission, brokering, lending, servicing, and collection laws. As such, bringing fintechs partnering with financial institutions within the scope of the proposed rule may duplicate oversight and enforcement.
Read more: Some Top Fintechs Value This Function as Much as They Do Innovators and Engineers
Keith Barnett is a partner and Carlin McCrory is an associate at the Troutman Pepper law firm.