CFPB Unveils Plan to Supervise Big Tech Digital Wallet and Payment App Providers

On Nov. 7, 2023, the Consumer Financial Protection Bureau (CFPB) released a proposed rule that would, if finalized in its present form, establish the CFPB’s supervisory authority over certain “larger participant” nonbank companies that provide digital wallets and payment applications. The proposed rule, called the “Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications” rule, again highlights the CFPB’s focus on the Big Tech and other non-bank payments companies that are now offering consumer financial products and services, and on the growing nexus between technology, commerce, and banking.

Indeed, in a press release announcing the proposed rule, CFPB Director Rohit Chopra highlighted the CFPB’s goal of supervising those Big Tech companies. “Payment systems are critical infrastructure for our economy. These activities used to be conducted almost exclusively by supervised banks,” said Chopra. “Today’s rule would crack down on one avenue for regulatory arbitrage by ensuring large technology firms and other nonbank payments companies are subjected to appropriate oversight.”

Background

In Section 1024 of the Consumer Financial Protection Act (CFPA), Congress gave the CFPB supervisory authority over any nonbank covered person, regardless of size, that offers or provides a financial product or service in certain markets: (1) the mortgages market (originators, brokers, and servicers, as well as providers of loan modification or foreclosure relief services); (2) the private education loan market; and (3) the payday loan market.[1]

In addition, Congress gave the CFPB authority to issue rules extending its supervisory authority over any nonbank covered person that (4) poses risks to consumers concerning the offering or providing of a consumer financial product or service or (5) is a “larger participant” within a market for any other consumer financial product or service.[2]

With its proposed Digital Consumer Payments Application Rule, the CFPB is attempting to identify “larger participants” in the market for digital consumer payment applications and thus extend its supervisory authority over those larger participants. It has already issued five other rules that identify larger participants in other markets—that is, in the markets for consumer reporting, consumer debt collection, student-loan servicing, international money transfers, and automobile financing.[3]

Under the leadership of Director Chopra, the CFPB has repeatedly focused its attention on Big Tech companies and the growing influence, and even dominance, that Director Chopra believes they now have in some financial product and service markets.

Director Chopra frequently cites competition and privacy-related concerns when discussing Big Tech companies, concerns that the CFPB echoed in the press release announcing the proposed Digital Consumer Payments Application Rule.

“Big Tech and other companies operating in consumer finance markets blur the traditional lines that have separated banking and payments from commercial activities,” the CFPB noted in its press release touting the proposed rule. “The CFPB would be able to supervise larger participants for compliance with applicable federal consumer financial protection laws, which includes applicable protections against unfair, deceptive, and abusive acts and practices, rights of consumers transferring money, and privacy rights. . . . [And] supervision of nonbanks in this market would ensure federal consumer financial protection law is enforced consistently between non-depository and depository institutions in order to promote fair competition.”

The Proposed Rule

If finalized in its present form, the proposed rule would enable the CFPB to exercise supervisory authority over certain Big Tech companies. The CFPB could then use that authority to monitor Big Tech’s competitive conduct and compliance with applicable laws and regulations, including the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Electronic Fund Transfer Act (EFTA) and Regulation E, and the Dodd-Frank Act’s prohibition against unfair, deceptive, and abusive acts and practices (UDAAP).

• Scope – New Market Definition. The proposed rule would define a new market—providing a general-use digital consumer application—under which “larger participant” nonbank covered persons that would be subject to the CFPB’s existing larger participant rule.[4] Under the proposed rule, “providing a general-use digital consumer application” means “providing a covered payment functionality through a digital application for consumers’ general use in making consumer payment transaction(s) as defined [in the proposed rule].”
• Scope – Consumer Payment Transaction(s). The proposed rule would create obligations with respect to “consumer payment transaction(s),” which means “the transfer of funds by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes.” The term excludes (1) an international money transfer (as defined in 12 CFR § 1090.107(a)); (2) a transfer of funds by a consumer that (a) is linked to the consumer’s receipt of a different form of funds (e.g., a transaction for foreign exchange) or (b) is excluded from the definition of “electronic fund transfer” under Regulation E; (3) a payment transaction conducted by a person for the sale or lease of goods or services that a consumer selected from an online or physical store or marketplace operated prominently in the name of such person or its affiliated company; and (4) an extension of consumer credit that is made using a digital application provided by the person who is extending the credit or that person’s affiliated company.
• Scope – General-Use Digital Consumer Application. The proposed rule would create obligations with respect to “general-use digital consumer applications,” which is a combination of two concepts under the proposed rule — “general use” and “digital application.” “General use” will, under the proposed rule, refer to “the absence of significant limitations on the purpose of consumer payment transactions facilitated by the covered payment functionality provided through the digital consumer payment application.” “Digital application” will, under the proposed rule, include “a software program a consumer may access through a personal computing device, including but not limited to a mobile phone, smart watch, tablet, laptop computer, desktop computer.” For example, P2P applications that permit consumers to send funds to family, friends, or other persons would qualify as general use, as well as digital consumer payment applications with a more limited universe of potential recipients for funds transfers, such as those to individuals in secured facilities.
• Scope – Covered Payment Functionality. The proposed rule would create obligations with respect to a “covered payment functionality,” a concept that encompasses “funds transfer functionality” and/or “wallet functionality.” Under the proposed rule, “funds transfer functionality” means either (1) receiving funds for the purpose of transmitting them in connection with a consumer payment transaction, or (2) accepting and transmitting payment instructions in connection with a consumer payment transaction. “Wallet functionality” means a product or service that (1) stores account or payment credentials, including in encrypted or tokenized form and (2) transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.
• Scope – Test to Define Larger Participants. The proposed rule would create a test to determine whether a nonbank covered person is a larger participant of the newly defined general-use digital consumer payment application market. Such an entity will be considered a larger participant if: (1) it, together with its affiliated companies, facilitated at least five million transactions by providing general-use digital consumer payment applications in preceding calendar year, and (2) was not a “small business concern” as defined by the Small Business Administration.
• Impact of the Proposed Rule. Nonbank covered persons who satisfy both parts of the larger participant test would be subject to the CFPB’s existing larger participant regulation and, therefore, to the possibility of CFPB supervision. The CFPB’s existing larger participant regulation gives the CFPB the authority to require submission of records, documents, and information as the CFPB deems appropriate to assess whether an entity qualifies as a “larger participant,”[5] a determination that remains in place until at least two years after the person last met the larger-participant test.[6] When exercising its supervisory authority, the CFPB may require reports and conduct examination to assess compliance with federal consumer financial law, to obtain information about the person’s activities and compliance systems or procedures, and to detect and assess the risks to consumers and to markets for consumer financial products and services.[7]

A covered larger participant would be able to dispute its categorization with the Bureau at the time the Bureau notices its intent to exercise supervisory oversight, but once categorized would remain subject to the rule for two years.

Takeaways

The proposed rule would establish the CFPB’s supervisory authority over “larger participant” nonbanks that provide services like P2P digital payment applications and digital wallets. If finalized in its present form, the rule is expected to directly impact about 17 companies that together facilitate approximately 88% of transactions in the payments space.[8] Those companies would be subject to the CFPB’s supervisory authority.

These companies should review transaction volumes to confirm they meet the threshold for CFPB oversight and prepare, through mock simulations and otherwise, for supervisory examinations. This enhanced supervision would entail elevated compliance responsibilities, including potentially increased staffing, comprehensive employee training, and possibly overhauling operational processes to meet new regulatory requirements.

Beyond the direct implications, the CFPB has indicated that the proposed rule is intended to indirectly influence the broader market for digital wallets and payment applications. The CFPB’s focus on increasing competition by breaking up Big Tech’s seeming competitive advantages could result in significant new compliance risks to covered businesses, such as operational disruptions during examinations and financial penalties in the event of non-compliance.

Companies that could be classified as larger participants under the proposed rule should review their current compliance management programs and establish roadmaps to ensure compliance with the proposed regulatory regime.

Additionally, stakeholders should engage with regulators by commenting on the proposed rule. The CFPB will receive comments on the proposed rule through Jan. 8, 2024, or 30 days after the proposed rule is published in the Federal Register, whichever is later.

---

*Special thanks to Resident Attorney Zeba Pirani for her valuable contributions to this GT Alert.

[1] 12 U.S.C. § 5514(a)(1)(A), (D), & (E).

[2] 12 U.S.C. § 5514(a)(1)(B), (a)(2).

[3] See 77 FR 42874 (July 20, 2012) (Consumer Reporting Rule); 77 FR 65775 (Oct. 31, 2012) (Consumer Debt Collection Rule); 78 FR 73383 (Dec. 6, 2013) (Student Loan Servicing Rule); 79 FR 56631 (Sept. 23, 2014) (International Money Transfer Rule); and 80 FR 37496 (June 30, 2015) (Automobile Financing Rule).

[4] See 12 CFR Part 1090.

[5] 12 CFR § 1090.103(d).

[6] See 12 CFR § 1090.102.

[7] See 12 U.S.C. § 5514(b)(1).

[8] See Defining Larger Participants of a Market for General-Use Digital Consumer Payment Rule, n. 86-91, Fed. Red. _ (proposed November 7, 2023) (to be codified at 12 CFR Part 1090).