[Federal Register Volume 89, Number 237 (Tuesday, December 10, 2024)]
[Rules and Regulations]
[Pages 99582-99654]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-27836]
[[Page 99581]]
Vol. 89
Tuesday,
No. 237
December 10, 2024
Part III
Consumer Financial Protection Bureau
-----------------------------------------------------------------------
12 CFR Part 1090
Defining Larger Participants of a Market for General-Use Digital
Consumer Payment Applications; Final Rule
��Federal Register / Vol. 89 , No. 237 / Tuesday, December 10, 2024 /
Rules and Regulations��
[[Page 99582]]
-----------------------------------------------------------------------
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Part 1090
[Docket No. CFPB-2023-0053]
RIN 3170-AB17
Defining Larger Participants of a Market for General-Use Digital
Consumer Payment Applications
AGENCY: Consumer Financial Protection Bureau.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) issues this
rule to define larger participants of a market for general-use digital
consumer payment applications. Larger participants of this market will
be subject to the CFPB's supervisory authority under the Consumer
Financial Protection Act (CFPA). A nonbank covered person qualifies as
a larger participant if it facilitates an annual covered consumer
payment transaction volume of at least 50 million transactions as
defined in the rule, and it is not a small business concern.
DATES: This rule is effective January 9, 2025.
FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory
Implementation and Guidance Program Analyst, Office of Regulations, at
202-435-770. If you require this document in an alternative electronic
format, please contact [email protected].
SUPPLEMENTARY INFORMATION:
I. Overview
Section 1024 of the CFPA,\1\ codified at 12 U.S.C. 5514, gives the
CFPB supervisory authority over all nonbank covered persons \2\
offering or providing three enumerated types of consumer financial
products or services: (1) Origination, brokerage, or servicing of
consumer loans secured by real estate and related mortgage loan
modification or foreclosure relief services; (2) private education
loans; and (3) payday loans.\3\ The CFPB also has supervisory authority
over ``larger participant[s] of a market for other consumer financial
products or services, as defined by rule[s]'' the CFPB issues.\4\ In
addition, the CFPB has the authority to supervise any nonbank covered
person that it ``has reasonable cause to determine by order, after
notice to the covered person and a reasonable opportunity . . . to
respond . . . is engaging, or has engaged, in conduct that poses risks
to consumers with regard to the offering or provision of consumer
financial products or services.'' \5\
---------------------------------------------------------------------------
\1\ Consumer Financial Protection Act of 2010, title X of the
Dodd-Frank Wall Street Reform and Consumer Protection Act, Public
Law 111-203, 124 Stat. 1376, 1955 (2010) (hereinafter, ``CFPA'').
\2\ The provisions of 12 U.S.C. 5514 apply to certain categories
of covered persons, described in section (a)(1), and expressly
excludes from coverage persons described in 12 U.S.C. 5515(a) (very
large insured depository institutions and credit unions and their
affiliates) or 5516(a) (other insured depository institutions and
credit unions). The term ``covered person'' means ``(A) any person
that engages in offering or providing a consumer financial product
or service; and (B) any affiliate of a person described [in (A)] if
such affiliate acts as a service provider to such person.'' 12
U.S.C. 5481(6).
\3\ 12 U.S.C. 5514(a)(1)(A), (D), (E).
\4\ 12 U.S.C. 5514(a)(1)(B), (a)(2); see also 12 U.S.C. 5481(5)
(defining ``consumer financial product or service'').
\5\ 12 U.S.C. 5514(a)(1)(C); see also 12 CFR part 1091
(prescribing procedures for making determinations under 12 U.S.C.
5514(a)(1)(C)). In addition, the CFPB has supervisory authority over
very large depository institutions and credit unions and their
affiliates. 12 U.S.C. 5515(a). Furthermore, the CFPB has certain
authorities relating to the supervision of other depository
institutions and credit unions. 12 U.S.C. 5516(c)(1). One of the
CFPB's objectives under the CFPA is to ensure that ``Federal
consumer financial law is enforced consistently, without regard to
the status of a person as a depository institution, in order to
promote fair competition[.]'' 12 U.S.C. 5511(b)(4).
---------------------------------------------------------------------------
This rule (the Final Rule) is the sixth in a series of CFPB
rulemakings to define larger participants of markets for consumer
financial products and services for purposes of CFPA section
1024(a)(1)(B).\6\ The Final Rule establishes the CFPB's supervisory
authority over nonbank covered persons that are larger participants in
a market for ``general-use digital consumer payment applications.'' In
establishing the CFPB's supervisory authority over such persons, the
Final Rule does not impose new substantive consumer protection
requirements. In addition, some nonbank covered persons that would be
subject to the CFPB's supervisory authority under the Final Rule also
may be subject to other CFPB supervisory authorities, including for
example under CFPA section 1024 as a larger participant in another
market defined by a previous CFPB larger participant rule. Finally,
regardless of whether they are subject to the CFPB's supervisory
authority, nonbank covered persons generally are subject to the CFPB's
regulatory and enforcement authority and to applicable Federal consumer
financial law.
---------------------------------------------------------------------------
\6\ The first five rules defined larger participants of markets
for consumer reporting, 77 FR 42874 (July 20, 2012) (Consumer
Reporting Rule), consumer debt collection, 77 FR 65775 (Oct. 31,
2012) (Consumer Debt Collection Rule), student loan servicing, 78 FR
73383 (Dec. 6, 2013) (Student Loan Servicing Rule), international
money transfers, 79 FR 56631 (Sept. 23, 2014) (International Money
Transfer Rule), and automobile financing, 80 FR 37496 (June 30,
2015) (Automobile Financing Rule).
---------------------------------------------------------------------------
The market described in the Final Rule includes providers of funds
transfer and payment wallet functionalities through digital payment
applications for consumers' general use in making payments to other
persons for personal, family, or household purposes. Examples include
consumer financial products and services that are commonly described as
``digital wallets,'' ``payment apps,'' ``funds transfer apps,'' ``peer-
to-peer payment apps,'' ``person-to-person payment apps,'' ``P2P
apps,'' and the like. Providers of consumer financial products and
services delivered through these digital applications help consumers to
make a wide variety of consumer payment transactions, including
payments to friends and family and payments for purchases of
nonfinancial goods and services.
The CFPB is authorized to supervise nonbank covered persons that
are subject to CFPA section 1024(a) for purposes of (1) assessing
compliance with Federal consumer financial law; (2) obtaining
information about such persons' activities and compliance systems or
procedures; and (3) detecting and assessing risks to consumers and
consumer financial markets.\7\ The CFPB conducts examinations of
various scopes of supervised entities. In addition, the CFPB may, as
appropriate, request information from supervised entities prior to or
without conducting examinations.\8\ Section 1090.103(d) of the CFPB's
existing larger participant regulations also provides that the CFPB may
require submission of certain records, documents, and other information
for purposes of assessing whether a person qualifies as a larger
participant of a market as defined by a CFPB larger participant
rule.\9\
---------------------------------------------------------------------------
\7\ 12 U.S.C. 5514(b)(1). The CFPB's supervisory authority also
extends to service providers of those covered persons that are
subject to supervision under 12 U.S.C. 5514(a)(1). 12 U.S.C.
5514(e); see also 12 U.S.C. 5481(26) (defining ``service
provider'').
\8\ See, e.g., 12 U.S.C. 5514(b)(1) (authorizing the CFPB both
to ``require reports and conduct examinations on a periodic basis''
of nonbank covered persons subject to supervision).
\9\ 12 CFR 1090.103(d).
---------------------------------------------------------------------------
Consistent with CFPA section 1024(b)(2), the CFPB has established
and implemented a risk-based supervisory program that is designed to
prioritize supervisory activity among nonbank covered persons subject
to CFPA section 1024(a) on the basis of risk.\10\ The CFPB's
prioritization process
[[Page 99583]]
takes into account, among other factors, the size of each entity, the
volume of its transactions involving consumer financial products or
services, the size and risk presented by the market in which it is a
participant, the extent of relevant State oversight, and any field and
market information that the CFPB has on the entity. Specifically, as
the CFPB Supervision and Examination Manual explains in greater detail,
the CFPB evaluates risks to consumers at market-wide and the
institution product line levels. At the market-wide level, the CFPB
considers and compares risks to consumers across different types of
products (e.g., mortgage loans or debt collectors) along with the
relative product market size in the overall consumer finance
marketplace. At the institution product line level, the CFPB evaluates
and compares risks across entities that, regardless of status as a
nonbank or an insured depository institution or credit union, offer the
same or similar products (e.g., providers of mortgage loans). When
evaluating risks across entities in an institution product line, the
CFPB considers which entities have business models and market shares
that pose greater risk of harm to consumers. The CFPB also places
significant weight on ``field and market intelligence,'' which includes
findings from prior examinations and other information about the
strength of compliance management systems, metrics gathered from public
reports, and the number and severity of consumer complaints the CFPB
receives.\11\ Taken together, this approach of assessing risks at the
market-wide level and at the institutional level allows the CFPB to
focus on areas where consumers have the greatest potential to be
harmed, specifically, on relatively higher-risk institution product
lines within relatively higher-risk markets. Finally, as described in
CFPA section 1024(b)(3), the CFPB also coordinates its supervisory
activities at nonbank covered persons with the supervisory activities
conducted by Federal prudential regulators and State regulatory
authorities.\12\
---------------------------------------------------------------------------
\10\ 12 U.S.C. 5514(b)(2). The CFPB notes that its
prioritization process is not the subject of this rulemaking.
\11\ See id. For further description of the CFPB's supervisory
prioritization process, see CFPB Supervision and Examination Manual
(updated Sept. 2023), part I.A (pages 11-12 of Overview section),
https://files.consumerfinance.gov/f/documents/cfpb_supervision-and-examination-manual_2023-09.pdf (last visited Nov. 10, 2024).
\12\ 12 U.S.C. 5514(b)(3). The Final Rule further describes this
coordination in response to general comments about existing
oversight of the market below. As discussed there, the CFPB also
coordinates its supervisory activity with the Federal Trade
Commission. The CFPB notes that its coordination process is not the
subject of this rulemaking.
---------------------------------------------------------------------------
The specifics of how an examination takes place vary by market and
entity. However, the examination process generally proceeds as
follows.\13\ CFPB examiners contact the entity for an initial
conference with management and often request records and other
information. CFPB examiners may review the components of the supervised
entity's compliance management system. Based on these discussions and a
preliminary review of the information received, examiners determine the
scope of an on-site or remote examination and coordinate with the
entity to initiate this portion of the examination. While on-site or
working remotely, examiners discuss with management the entity's
compliance policies, processes, and procedures; review documents and
records; test transactions and accounts for compliance; and evaluate
the entity's compliance management system. At the conclusion of that
stage of an examination, examiners may review preliminary examination
findings at a closing meeting. After the closing meeting, if examiners
have identified potential violations of Federal consumer financial law,
they also may provide the entity an opportunity to respond in writing
to those potential findings.\14\ Finally, examinations may involve
issuing confidential examination reports, supervisory letters, and
compliance ratings. In addition to the process described above, the
CFPB also may conduct other supervisory activities, such as periodic
monitoring.\15\
---------------------------------------------------------------------------
\13\ For further description of the CFPB's examination process,
see CFPB Supervision and Examination Manual, part I.A.
\14\ See, e.g., CFPB, Supervisory Highlights Issue 8, Summer
2015, sec. 3.1.3 (describing supervision process of sending a
Potential Action and Request for Response (PARR) letter to a
supervised entity), https://files.consumerfinance.gov/f/201506_cfpb_supervisory-highlights.pdf (last visited Nov. 5, 2024).
\15\ CFPB Supervision and Examination Manual, part I.A (page 12
of Overview section describing supervisory monitoring).
---------------------------------------------------------------------------
II. Background
On November 17, 2023, the CFPB published a notice of proposed
rulemaking to define larger participants of a market for general-use
digital consumer payment applications (Proposed Rule).\16\ As described
in part V below, the Proposed Rule would have defined a larger
participant as any nonbank covered person that, in the previous
calendar year, both facilitated at least five million consumer payment
transactions by providing general-use digital consumer payment
applications and was not a small business concern as defined in the
Proposed Rule. The CFPB requested comment on the Proposed Rule. The
CFPB received 59 comments from consumer advocate organizations
(consumer groups), nonprofits, companies, industry associations, State
attorneys general, Members of Congress, and other individuals. The
comments are discussed in more detail below.
---------------------------------------------------------------------------
\16\ 88 FR 80197 (Nov. 17, 2023).
---------------------------------------------------------------------------
III. Summary of the Final Rule
The CFPB is authorized to issue rules to define larger participants
in markets for consumer financial products or services. Subpart A of
the CFPB's existing larger-participant regulation, 12 CFR part 1090,
prescribed procedures, definitions, standards, and protocols that apply
to the CFPB's supervision of larger participants.\17\ Those generally-
applicable provisions will apply to the CFPB's supervision of larger
participants in the general-use digital consumer payment application
market described by the Final Rule. The definitions in Sec. 1090.101
should be used to interpret terms in the Final Rule unless otherwise
specified.
---------------------------------------------------------------------------
\17\ 12 CFR 1090.100 through 103.
---------------------------------------------------------------------------
The CFPB includes relevant market descriptions and associated
larger-participant tests, as it develops them, in subpart B.\18\
Accordingly, the Final Rule defining larger participants of a market
for general-use digital consumer payment applications is codified in
Sec. 1090.109 in subpart B.
---------------------------------------------------------------------------
\18\ 12 CFR 1090.104 (consumer reporting market); 12 CFR
1090.105 (consumer debt collection market); 12 CFR 1090.106 (student
loan servicing market); 12 CFR 1090.107 (international money
transfer market); 12 CFR 1090.108 (automobile financing market).
---------------------------------------------------------------------------
The CFPB is finalizing the Proposed Rule largely as proposed, with
certain changes described below, including changes to increase the
transaction threshold that the CFPB will use as part of the test to
assess when a nonbank covered person is a larger participant of a
market for general-use digital consumer payment applications.
The Final Rule defines larger participants of a market for general-
use digital consumer payment applications. That market encompasses
specific activities. The market definition generally includes nonbank
covered persons that provide funds transfer or payment wallet
functionalities through a digital payment application for consumers'
general use in making consumer payments transactions as defined in the
Final Rule. The Final Rule defines ``consumer payment transactions'' to
include payments to
[[Page 99584]]
other persons for personal, household, or family purposes, excluding
certain transactions as described in more detail in the section-by-
section analysis in part V below. The Final Rule also identifies a
limited set of digital payment applications that do not fall within the
proposed market definition because they do not have general use for
purposes of the Final Rule.
The Final Rule sets forth a test to determine whether a nonbank
covered person is a larger participant of the general-use digital
consumer payment applications market. As further explained below, a
nonbank covered person is a larger participant if it satisfies two
criteria. First, the nonbank covered person (together with its
affiliated companies) must provide general-use digital consumer payment
applications with an annual volume of at least 50 million consumer
payment transactions denominated in U.S. dollars. Second, the nonbank
covered person must not be a small business concern based on the
applicable Small Business Administration (SBA) size standard. As
prescribed by subpart A of the CFPB's general larger participant
regulation, any nonbank covered person that qualifies as a larger
participant would remain a larger participant until two years from the
first day of the tax year in which the person last met the larger-
participant test.\19\
---------------------------------------------------------------------------
\19\ 12 CFR 1090.102.
---------------------------------------------------------------------------
As noted above, Sec. 1090.103(d) of the CFPB's existing larger
participant regulation provides that the CFPB may require submission of
certain records, documents, and other information for purposes of
assessing whether a person is a larger participant of a market as
defined by a CFPB larger participant rule.\20\ As with the CFPB's other
larger participant rules codified in subpart B, this authority will be
available to facilitate the CFPB's identification of larger
participants of the general-use digital consumer payment applications
market. In addition, pursuant to existing Sec. 1090.103(a), a person
will be able to dispute whether it qualifies as a larger participant in
the general-use digital payment applications market. The CFPB will
notify an entity when the CFPB intends to undertake supervisory
activity; if the entity claims not to be a larger participant, it will
then have an opportunity to submit documentary evidence and written
arguments in support of its claim.\21\
---------------------------------------------------------------------------
\20\ 12 CFR 1090.103(d).
\21\ 12 CFR 1090.103(a).
---------------------------------------------------------------------------
IV. Legal Authority and Procedural Matters
A. Rulemaking Authority
The CFPB is issuing the Final Rule pursuant to its authority under
the CFPA, as follows: (1) sections 1024(a)(1)(B) and (a)(2), which
authorize the CFPB to supervise nonbanks that are larger participants
of markets for consumers financial products or services, as the CFPB
defines by rule; \22\ (2) section 1024(b)(7), which, among other
things, authorizes the CFPB to prescribe rules to facilitate the
supervision of covered persons under section 1024; \23\ and (3) section
1022(b)(1), which grants the CFPB the authority to prescribe rules as
may be necessary or appropriate to enable the CFPB to administer and
carry out the purposes and objectives of Federal consumer financial
law, and to prevent evasions of such law.\24\
---------------------------------------------------------------------------
\22\ 12 U.S.C. 5514(a)(1)(B), (a)(2).
\23\ 12 U.S.C. 5514(b)(7).
\24\ 12 U.S.C. 5512(b)(1).
---------------------------------------------------------------------------
B. Consultation With Other Agencies
In developing the Final Rule and the Proposed Rule, the CFPB
consulted with the Federal Trade Commission (FTC), as well as with the
Board of Governors of the Federal Reserve System, the Commodity Futures
Trading Commission (CFTC), the Federal Deposit Insurance Corporation
(FDIC), the Financial Crimes Enforcement Network, the National Credit
Union Administration (NCUA), the Office of the Comptroller of the
Currency (OCC), and the Securities and Exchange Commission (SEC), on,
among other things, consistency with any prudential, market, or
systemic objectives administered by such agencies.\25\
---------------------------------------------------------------------------
\25\ Specifically, 12 U.S.C. 5514(a)(2) directs that the CFPB
consult with the FTC prior to issuing a final rule to define larger
participants of a market pursuant to CFPA section 1024(a)(1)(B). In
addition, 12 U.S.C. 5512(b)(2)(B) directs the CFPB to consult,
before and during the rulemaking, with appropriate prudential
regulators or other Federal agencies, regarding consistency with
objectives those agencies administer. The manner and extent to which
provisions of 12 U.S.C. 5512(b)(2) apply to a rulemaking of this
kind that does not establish standards of conduct are unclear.
Nevertheless, to inform this rulemaking more fully, the CFPB
performed the consultations described in that provision of the CFPA.
Some commenters questioned whether the CFPB met its consultation
obligations based on the statement in the proposal that it
``consulted with or provided an opportunity for consultation and
input to'' the FTC and certain other agencies. 88 FR 80197 at 80199.
The CFPB clarifies that it did meet during the rulemaking process
with the FTC and other agencies listed above to consult about the
rule. Some commenters also suggested that the CFPB is specifically
required to consult with the FTC's Bureau of Competition, in line
with those commenters' view that the CFPB must apply antitrust
principles when defining a market for a larger participant rule.
However, the relevant statutory provision, 12 U.S.C. 5514(a)(2), by
its terms requires the CFPB to consult with the FTC, and not with
specific divisions of the FTC. The CFPB addresses comments regarding
the applicability of antitrust principles in discussion of general
comments in part V further below.
---------------------------------------------------------------------------
V. Section-by-Section Analysis
Part 1090
Subpart B--Markets
Section 1090.109 General-Use Digital Consumer Payment Applications
Market
Proposed Rule
As described further below, the CFPB proposed to establish CFPB
authority to supervise nonbank covered persons that are larger
participants in this market because: (1) the market has grown
dramatically and become increasingly important to the everyday
financial lives of consumers; (2) CFPB supervisory authority over its
larger participants would help the CFPB to promote compliance with
Federal consumer financial law; (3) that authority would help the CPFB
to detect and assess risks to consumers and the market, including
emerging risks; and (4) that authority would help the CFPB to ensure
consistent enforcement of Federal consumer financial law between
nonbanks and insured banks and credit unions.
To accomplish these goals, the Proposed Rule would have added to
existing subpart B of part 1090 of the CFPB's rules a new Sec.
1090.109 establishing CFPB supervisory authority over nonbank covered
persons who are larger participants in a market for general-use digital
consumer payment applications.\26\
---------------------------------------------------------------------------
\26\ As explained in the Proposed Rule and discussed further
below, the general-use digital payment applications described in
this Final Rule are ``financial products or services'' under the
CFPA. 12 U.S.C. 5481(15)(A)(iv), (vii). Nonbanks that offer or
provide such financial products or services to consumers primarily
for personal, family, or household purposes are ``covered persons''
under the CFPA. 12 U.S.C. 5481(5)(A), (6).
---------------------------------------------------------------------------
As the Proposed Rule explained, many nonbanks provide consumer
financial products and services that allow consumers to use digital
applications accessible through personal computing devices, such as
mobile phones, tablets, smart watches, or computers, to transfer funds
to other persons. Some nonbanks also provide consumer financial
products and services that allow consumers to use digital applications
on their personal computing devices to store payment credentials they
can then use to purchase goods or services at a variety of stores,
whether by communicating with a checkout register or a self-
[[Page 99585]]
checkout machine, or by selecting the payment credential through a
checkout process at ecommerce websites. Subject to the definitions,
exclusions, limitations, and clarifications discussed in the Proposed
Rule, the proposed market definition generally would have covered these
consumer financial products and services.
The Proposed Rule explained that the CFPB proposed to establish
supervisory authority over nonbank covered persons who are larger
participants in this market because this market has large and
increasing significance to the everyday financial lives of
consumers.\27\ Consumers are growing increasingly reliant on general-
use digital consumer payment applications to initiate payments.\28\
Recent market research indicates that 76 percent of Americans have used
at least one of four well-known P2P payment apps, representing
substantial growth since the first of the four was established in
1998.\29\ Even among consumers with annual incomes lower than $30,000
who have more limited access to digital technology,\30\ 61 percent
reported using P2P payment apps.\31\ And higher rates of use by U.S.
adults in lower age brackets may drive further growth well into the
future.\32\ Across the United States, merchant acceptance of general-
use digital consumer payment applications also has rapidly expanded as
businesses seek to make it as easy as possible for consumers to make
purchases through whatever is their preferred payment method.\33\
---------------------------------------------------------------------------
\27\ The Proposed Rule explained that, in proposing a larger
participant rule for this market, the CFPB was not proposing to
determine the relative risk posed by this market as compared to
other markets. It noted that, as explained in its previous larger
participant rulemakings, ``[t]he Bureau need not conclude before
issuing a [larger participant rule] that the market identified in
the rule has a higher rate of non-compliance, poses a greater risk
to consumers, or is in some other sense more important to supervise
than other markets.'' 88 FR 80197 at 80200 (citing Consumer Debt
Collection Larger Participant Rule, 77 FR 65775 at 65779).
\28\ See CFPB, Issue Spotlight: Analysis of Deposit Insurance
Coverage Through Payment Apps (June 1, 2023) (CFPB Deposit Insurance
Spotlight), https://www.consumerfinance.gov/data-research/research-reports/issue-spotlight-analysis-of-deposit-insurance-coverage-on-funds-stored-through-payment-apps/full-report/ (last visited Oct.
23, 2023); see also McKinsey & Company, Consumer digital payments:
Already mainstream, increasingly embedded, still evolving (Oct. 20,
2023) (describing results of consulting firm's annual survey
reporting that for the first time, more than 90 percent of U.S.
consumers surveyed in August 2023 reported using some form of
digital payment over the course of a year), https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/consumer-digital-payments-already-mainstream-increasingly-embedded-still-evolving (last visited Oct. 30, 2023); J.D. Power,
Banking and Payments Intelligence Report (Jan. 2023) (reporting
results of a survey of Americans that found that from the first
quarter of 2021 to the third quarter of 2022, the number of
respondents who had used a mobile wallet in the past three months
rose from 38 percent to 49 percent), https://www.jdpower.com/business/resources/mobile-wallets-gain-popularity-growing-number-americans-still-prefer-convenience (last visited Oct. 23, 2023);
PULSE, PULSE Study Finds Debit Issuers Focused on Digital Payments,
Mobile Self-Service, Fraud Mitigation (Aug. 17, 2023) (reporting
that nearly 80 percent of debit card issuers reported increases in
consumers' use of mobile wallets in 2022), https://www.pulsenetwork.com/public/insights-and-news/news-release-2023-debit-issuer-study/ (last visited Oct. 30, 2023); FIS, The Global
Payments Report (2023) (FIS 2023 Global Payments Report) at 175
(industry study reporting that in 2022 digital wallets became the
leading payment preference of U.S. consumers shopping online),
https://www.fisglobal.com/-/media/fisglobal/files/campaigns/global-payments%20report/FIS_TheGlobalPaymentsReport_2023.pdf (last visited
Nov. 5, 2024); Digital Payment Industry in 2023: Payment methods,
trends, and tech processing payments electronically, eMarketer
(formerly known as Insider Intelligence) (Jan. 9, 2023) (projecting
2023 transaction volume by U.S. P2P mobile payment app providers to
reach over $1.1 trillion), https://www.emarketer.com/insights/digital-payment-services/ (last visited Nov. 5, 2024); Consumer
Reports Survey Group, Peer-to-Peer Payment Services (Jan. 10, 2023)
(Consumer Reports P2P Survey) at 1 (reporting results from a survey
finding that four in ten Americans use P2P services at least once a
month), https://advocacy.consumerreports.org/wp-content/uploads/2023/01/P2P-Report-4-Surveys-2022.pdf (last visited Oct. 23, 2023);
Kevin Foster, Claire Greene, and Joanna Stavins, 2022 Survey and
Diary of Consumer Payment Choice: Summary Results (Sept. 17, 2022)
at 8 (reporting results of survey conducted by Federal Reserve
System staff finding that, as of 2022, two thirds of consumers
reported adopting one or more online payment accounts in the
previous 12 months--a share that was nearly 20 percent higher than
five years earlier), https://www.atlantafed.org/-/media/documents/banking/consumer-payments/survey-diary-consumer-payment-choice/2022/sdcpc_2022_report.pdf (last visited Oct. 30, 2023); FDIC, FDIC
National Survey of Unbanked and Underbanked Households (2021) at 33
(Table 6.4 reporting finding that nearly half of all households
(46.4 percent) used a nonbank app in 2021), https://www.fdic.gov/analysis/household-survey/2021report.pdf (last visited Oct. 23,
2023).
\29\ See, e.g., Monica Anderson, Pew Research Center, Payment
apps like Venmo and Cash App bring convenience--and security
concerns--to some users (Sept. 8, 2022) (Pew 2022 Payment App
Article), https://www.pewresearch.org/short-reads/2022/09/08/payment-apps-like-venmo-and-cash-app-bring-convenience-and-security-concerns-to-some-users/ (last visited Oct. 23, 2023).
\30\ Emily A. Vogels, Pew Research Center, Digital divide
persists even as Americans with lower incomes make gains in tech
adoption (June 22, 2021) (reporting results of early 2021 survey by
Pew Research Center, finding 76 percent of adults with annual
household incomes less than $30,000 have a smartphone and 59 percent
have a desktop or laptop computer, compared with 87 percent and 84
percent respectively of adults with household incomes between
$30,000 and $99,999, and 97 percent and 92 percent respectively of
adults with household incomes of $100,000 or more), https://www.pewresearch.org/short-reads/2021/06/22/digital-divide-persists-even-as-americans-with-lower-incomes-make-gains-in-tech-adoption/
(last visited Oct. 23, 2023).
\31\ Consumer Reports P2P Survey at 2 (55 percent reported
ongoing use and six percent stated they used to use this kind of
service).
\32\ See id. (85 percent of surveyed consumers aged 18 to 29 and
85 percent of surveyed consumers aged 30 to 44 reported using a
digital payment application, compared with 67 percent of consumers
aged 45 to 59 and 46 percent of consumers aged 60 and over); see
also Ariana-Michele Moore, The U.S. P2P Payments Market: Surprising
Data Reveals Banks are Missing the Mark (AiteNovarica 2023 Impact
Report) at 6, 24 (Figure 13 reporting 94 percent and 86 percent
adoption of P2P accounts and digital wallets among the youngest
adult cohort born between 1996 and 2002, compared with 57 percent
and 40 percent among the oldest cohort born before 1995), https://aite-novarica.com/report/us-p2p-payments-market-surprising-data-reveals-banks-are-missing-mark (last visited Oct. 23, 2023) and
https://datos-insights.com/reports/us-p2p-payments-market-surprising-data-reveals-banks-are-missing-mark/ (last visited Nov.
5, 2024).
\33\ See Geoff Williams, Retailers are embracing alternative
payment methods, though cards are still king (Dec. 1, 2022)
(National Retail Federation article citing its 2022 report
describing a Forrester survey indicating that 80 percent of
merchants accept Apple Pay or plan to do so in the next 18 months,
65 percent of merchants accept Google Pay or plan to do so in the
next 18 months, and, online, 74 percent accept PayPal or plan to do
so), https://nrf.com/blog/retailers-are-embracing-alternative-payment-methods-though-cards-are-still-king (last visited Oct. 23,
2023); see also The Strawhecker Group (TSG), Merchants respond to
Consumer Demand by Offering P2P Payments (June 8, 2022) (TSG:
Merchants Offering P2P Payments) (reporting results of TSG and
Electronic Transactions Association survey of over 500 small
businesses merchants finding that 82 percent accept payment through
at least one digital P2P option), https://thestrawgroup.com/merchants-respond-to-consumer-demand-by-offering-p2p-payments/ (last
visited Oct. 23, 2023).
---------------------------------------------------------------------------
The Proposed Rule described how consumers rely on general-use
digital consumer payment applications for many aspects of their
everyday lives. In general, consumers make payments to other
individuals for a variety of reasons, including sending gifts or making
informal loans to friends and family and purchasing goods and services,
among many others.\34\ Consumers can use digital applications to make
payments to individuals for these purposes, as well as to make payments
to businesses, charities, and other organizations. According to one
recent market report, nonbank digital payment apps have rapidly grown
in the past few years to become the most popular way to send money to
other individuals other than cash,\35\ and are
[[Page 99586]]
used for a higher number of such transactions than cash.\36\ For many
consumers, general-use digital consumer payment applications offer an
alternative, technological replacement for non-digital payment
methods.\37\ Consumers increasingly have adopted general-use digital
consumer payment applications \38\ as part of a broader movement toward
noncash payments.\39\ Amid growing merchant acceptance of general-use
digital consumer payment applications, consumers with middle and lower
incomes use digital consumer payment applications for a share of their
overall retail spending that rivals or exceeds their use of cash.\40\
Such applications now have a share of ecommerce payments volume that is
similar to or greater than other traditional payment methods such as
credit cards and debit cards used outside of such applications.\41\
Such applications also have been gaining an increasing share of in-
person retail spending.\42\
---------------------------------------------------------------------------
\34\ AiteNovarica 2023 Impact Report at 8-9 (Figure 1 reporting
66 percent of 5,895 consumers surveyed reported making at least one
domestic P2P payment in 2022 whether via digital means or not, and
Figure 2 reporting that, of consumers who made P2P payments in 2022,
among other purposes, 70 percent did so for birthday gifts, 64
percent for holiday gifts, 49 percent for other gift occasions, 46
percent to lend money, 41 percent to make a charitable contribution,
39 percent paid for services, 39 percent purchased items, 31 percent
provided funds in an emergency situation, and 18 percent provided
financial support).
\35\ Id. at 25 (Figure 14 reporting that, among other payment
methods or sources, 74 percent of consumers made P2P payments in
cash, 69 percent used alternative digital P2P payment services,
defined as services offered by nonbank providers via mobile app, web
service, or digital wallet, and 27 percent used Zelle through a
bank's mobile application).
\36\ Id. at 27-28 (Figure 15 reporting that, compared with 20
percent of P2P transactions made in cash, 37 percent of P2P
transactions made through alternative P2P payment services).
\37\ See Marqueta, 2022 State of Consumer Money Movement Report
(May 26, 2022) at 1 (summary of report describing results of
industry survey finding that 56 percent of US consumers felt
comfortable leaving their non-digital wallet at home and taking
their phone with them to make payments), https://www.marqeta.com/resources/2022-state-of-consumer-money-movement (last visited Oct.
23, 2023).
\38\ AiteNovarica 2023 Impact Report at 24 (Figure 13 reporting
81 percent of U.S. adults surveyed held one or more P2P accounts and
69 percent had one or more digital wallets).
\39\ The Federal Reserve Payments Study: 2022 Triennial Initial
Data Release (indicating a rapid increase in core non-cash payments
between 2018 and 2021 and a rapid decline in ATM cash withdrawals
during the same period), https://www.federalreserve.gov/paymentsystems/fr-payments-study.htm (last visited Nov. 19, 2024).
\40\ PYMNTS, Digital Economy Payments: The Ascent of Digital
Wallets (Feb. 2023) at 16-17 (December 2022 survey finding 6.1
percent of overall consumer spending by consumers with lower incomes
made using digital consumer payment applications, compared with 9.9
percent of consumer spending by consumers with middle-level
incomes), https://www.pymnts.com/study/digital-economy-payments-ecommerce-shopping-retail-consumer-spending/ (last visited Oct. 23,
2023).
\41\ See FIS 2023 Global Payments Report at 176 (reporting 32
percent share of ecommerce transactions, by value, made using a
digital wallet, compared with 30 percent by credit card and 20
percent by debit card).
\42\ See, e.g., 2023 Pulse Debit Issuer Study (Aug. 17, 2023) at
11 (reporting that mobile wallet use at point of sale nearly doubled
in 2022, representing nearly 10 percent of total debit card purchase
transactions in 2022), https://content.pulsenetwork.com/2023-debit-issuer-study/2023-pulse-debit-issuer-study-white-paper (last visited
Nov. 5, 2024); Digital Economy Payments: The Ascent of Digital
Wallets at 12 (December 2022 survey finding 7.5 percent of in-person
consumer purchase volume made with a digital consumer payment
application). See also CFPB Issue Spotlight, Big Tech's Role in
Contactless Payments: Analysis of Mobile Devices Operating Systems
and Tap-to-Pay Practices (Sept. 7, 2023) (CFPB Contactless Payments
Spotlight) (describing market report by Juniper Research forecasting
that the value of digital wallet tap-to-pay transactions will grow
by over 150 percent by 2028), https://www.consumerfinance.gov/data-research/research-reports/big-techs-role-in-contactless-payments-analysis-of-mobile-device-operating-systems-and-tap-to-pay-practices/full-report/ (last visited Oct. 23, 2023).
---------------------------------------------------------------------------
The Proposed Rule would have brought nonbanks that qualified as
larger participants in a market for general-use digital consumer
payment applications under the CFPB's supervisory jurisdiction.\43\ The
Proposed Rule explained that supervision of larger participants, who
engage in a substantial portion of the overall activity in this market,
would help to ensure that they are complying with applicable
requirements of Federal consumer financial law, such as the CFPA's
prohibition against unfair, deceptive, and abusive acts and practices,
the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and its
implementing Regulation P,\44\ and the Electronic Fund Transfer Act
(EFTA) and its implementing Regulation E.\45\ The Proposed Rule also
explained that, as firms increasingly offer funds transfer and wallet
functionalities through general-use digital consumer payment
applications, the rule would enable the CFPB to detect and assess new
risks to both consumers and the market.\46\ As stated in the Proposed
Rule, the CFPB's ability to detect and assess emerging risks is
critical as new product offerings blur the traditional lines of banking
and commerce.\47\
---------------------------------------------------------------------------
\43\ 12 U.S.C. 5514(a)(1)(B).
\44\ See generally 12 CFR part 1016--Privacy of Consumer
Financial Information (CFPB's Regulation P implementing 15 U.S.C.
6804).
\45\ 15 U.S.C. 1693 et seq., implemented by Regulation E, 12 CFR
part 1005. See, e.g., 12 CFR 1005.11 (Procedures for financial
institutions to resolve errors).
\46\ 88 FR 80197 at 80201 & n.43 (citing CFPB, The Convergence
of Payments and Commerce: Implications for Consumers (Aug. 2022)
(CFPB Report on Convergence of Payments and Commerce) at sec. 4.1
(highlighting the potential that consumer financial data and
behavioral data are used together in increasingly novel ways),
https://files.consumerfinance.gov/f/documents/cfpb_convergence-payments-commerce-implications-consumers_report_2022-08.pdf (last
visited Oct. 27, 2023)).
\47\ See generally id.
---------------------------------------------------------------------------
The Proposed Rule explained that the CFPB regularly supervises
depository institutions that provide general-use digital consumer
payment applications.\48\ As the Proposed Rule noted, greater
supervision of nonbanks in this market therefore would further the
CFPB's statutory objective of ensuring that Federal consumer financial
law is enforced consistently between nonbanks and depository
institutions in order to promote fair competition.\49\
---------------------------------------------------------------------------
\48\ For example, as the Proposed Rule noted, some depository
institutions and credit unions provide general bill-payment services
and other types of electronic fund transfers through digital
applications for consumer deposit accounts. Id. at n.45.
\49\ 12 U.S.C. 5511(b)(4).
---------------------------------------------------------------------------
The Proposed Rule also recognized that States have been active in
regulation of money transmission by money services businesses and that
many States actively examine money transmitters.\50\ The Proposed Rule
stated that the CFPB would coordinate with appropriate State regulatory
authorities in examining larger participants.
---------------------------------------------------------------------------
\50\ 88 FR 80197 at 80198 n.12, 80214 n.108 (citing CSBS,
Reengineering Nonbank Supervision, Ch. 4: Overview of Money Services
Businesses (Oct. 2019) (CSBS Reengineering Nonbank Supervision MSB
Chapter), https://www.csbs.org/sites/default/files/other-files/Chapter%204%20-%20MSB%20Final%20FINAL_updated_0.pdf (last visited
Nov. 5, 2024)).
---------------------------------------------------------------------------
General Comments Received \51\
---------------------------------------------------------------------------
\51\ Some commenters provided additional recommendations that
are outside the scope of this rulemaking, such as increasing
education of consumers who use general-use digital consumer payment
applications, promulgating new consumer protections for these
consumers, or imposing information collection requirements such as
collecting the legal entity identifier (LEI) of larger participants.
The Final Rule does not address these comments, which are outside
the scope of a rulemaking under CFPA section 1024(a)(1)(B) to define
and establish supervisory authority over larger participants in a
market for consumer financial products and services. In addition, a
consumer group suggested that the CFPB the CFPB expressly clarify
that meeting the definition of a larger participant does not
automatically cause application of exclusions in State privacy laws
for GLBA compliance and that the CFPB coordinate with States to
avoid risk of preempting State privacy laws when the CFPB supervises
for compliance with the GLBA and its implementing Regulation P. This
rulemaking does not establish or interpret substantive consumer
protection requirements and thus does not interpret Regulation P
(including its provision describing its relationship with State laws
in 12 CFR 1016.17); it also does not itself govern State
coordination, which occurs separately when the CFPB carries out
nonbank supervision.
---------------------------------------------------------------------------
In this part of the section-by-section analysis, the Final Rule
summarizes and responds to comments about general aspects of the
proposal, including the rulemaking process, the CFPB's general reasons
for issuing the proposal, and certain other general topics.
Comments on Rulemaking Process
Some comments addressed the rulemaking process. First, some
commenters suggested that the CFPB should not have issued, and should
not finalize, the Proposed Rule during the
[[Page 99587]]
pendency of a Supreme Court case concerning the constitutionality of
the CFPB's funding structure under the Appropriations Clause.\52\
Second, some industry commenters, a nonprofit commenter, an individual
commenter, and some Members of Congress asked the CFPB to extend the
comment period, such as by an additional 30 or 45 days. These
commenters cited various reasons for their request, including the
number of holidays during the comment period, the complexity of the
proposed market including coverage of digital assets, the complexity of
the proposed larger-participant test that included multiple steps, a
need for more specifics regarding which products and services were
encompassed in the market and the risks the CPFB believed they pose
that justify the need for the Proposed Rule, and overlap between the
comment period for the Proposed Rule, the comment period for the CFPB's
proposal regarding personal financial data rights, and the CFPB's new
market-monitoring orders covering some of the same entities. One
industry commenter added that the decision not to extend the comment
period formed part of the basis for their view that the CFPB should
withdraw the Proposed Rule.
---------------------------------------------------------------------------
\52\ See CFPB v. Cmty. Fin. Servs. Ass'n of Am., Ltd., 601 U.S.
416 (2024) (U.S. argued Oct. 3, 2023).
---------------------------------------------------------------------------
Comments on the Large and Growing Market
Commenters agreed that the market for general-use digital consumer
payment applications has grown substantially in recent years. For
example, consumer groups, several nonprofits, a payment network, an
industry association, two banking industry associations, and a credit
union association agreed (and an industry provider acknowledged \53\)
that there has been rapid growth and widespread consumer adoption of
general-use digital consumer payment applications. In support of their
view, these commenters cited data in the Proposed Rule as well as other
public information. An industry association stated that digital
consumer payment applications have helped millions of U.S. consumers to
send money to friends and family and make retail payments more
efficient. A group of State attorneys general noted that a significant
portion of consumers with lower incomes frequently rely upon general-
use digital consumer payment applications. Two nonprofit commenters
also agreed that adoption by younger individuals may drive further
growth.\54\ An industry association observed that the proposed market
has experienced rapid increases in consumer adoption that likely will
continue. As a consequence, this commenter described this market as
still in what industry lifecycle literature describes as a stage of
market growth as opposed to market maturity.
---------------------------------------------------------------------------
\53\ As discussed further below, this commenter stated that
growth alone was insufficient to justify the Proposed Rule, and that
the CFPB must make certain specific findings regarding market risk.
The Final Rule responds to those comments further below in the
discussion of general comments about the relevance of risks to
consumers to the rulemaking.
\54\ While not disputing the rapid growth in the market, some
other industry commenters suggested that the broader consumer
payments sector should be considered, including when defining the
market and setting the threshold for the larger-participant test, as
discussed in the section-by-section analysis of those provisions
further below.
---------------------------------------------------------------------------
Several of these commenters stated that these general-use digital
consumer payment applications increasingly are accepted by retailers
and embedded into in-person and online commerce, which is itself
growing. They pointed to this as one trend driving existing growth and
future growth in the market. A comment from several consumer groups
stated that as merchants seek to avoid interchange fees, they will
increasingly rely upon digital payment applications as a payment method
at the point of sale. A banking association and consumer group stated
that they also expected the lines between banking, commerce, and
technology to further converge and blur.\55\ A comment from several
consumer groups stated that nonbank providers of consumer financial
products and services have greater latitude under U.S. law to integrate
those products into commercial platforms, and that large technology
firms' business models depend on data collection.\56\
---------------------------------------------------------------------------
\55\ One of these commenters pointed to an industry white paper
describing a trend in the market toward ``embedding financial
services into nonfinancial apps and other digital experiences.''
Google LLC White Paper, Embedded finance: The new gold rush in
financial services (2021) (Google LLC Embedded Finance White Paper)
at 4 (``These embedded experiences will soon permeate all aspects of
our lives that involve money--and they'll feel so frictionless that
users won't be aware of the underlying work financial institutions
are doing to support these transactions.''), at 6 (``Embedded
finance means, simply, embedding your financial services in the non-
financial products, services or technologies consumers already use
and love. Since they spend much of their time in non-financial
applications in their everyday lives--but only a fractional amount
of time in financial applications--the growth opportunity for
financial services companies is considerable.''), https://cloud.google.com/resources/financial-services-embedded-finance-whitepaper (last visited Nov. 5, 2024).
\56\ One consumer group commenter added that in its view, Big
Tech firms have a business model that seeks to maximize data
collection based on different goals from publicly-chartered and
regulated financial institutions.
---------------------------------------------------------------------------
Another nonprofit commenter suggested in general terms that CFPB
supervision of larger participants in the general-use digital consumer
payment applications market could help the CFPB to detect and assess
risks to the U.S. financial system. It stated that the market may
present such risk, given how general-use digital consumer payment
applications facilitate a high volume of transactions, including flows
of funds through stored value accounts that are not FDIC-insured.
However, some industry and nonprofit commenters stated that the
rapid growth in the market and widespread consumer adoption merely
indicates that the market is successful and popular among consumers. In
their view, as discussed further below, the fact that the market is
large and growing market is not an adequate basis for subjecting its
larger participants to supervision, absent findings of risks to
consumers or markets or market failures.\57\
---------------------------------------------------------------------------
\57\ The Final Rule further summarizes and responds to those
comments in the discussion below of general comments on detecting
and assessing risks (including emerging risks) to consumers and
markets.
---------------------------------------------------------------------------
Comments on Promoting Compliance With Federal Consumer Financial Law
The Proposed Rule stated that CFPB supervision of larger
participants would promote compliance with applicable requirements of
Federal consumer financial law. A group of State attorneys general,
consumer groups, some nonprofit and individual commenters, a banking
association, and a comment from a payment network and an industry
association generally agreed that the proposal would serve this
purpose, as described below. However, as described further below, some
industry and nonprofit and other commenters disagreed or stated that
the proposal did not provide sufficient support for the claim that it
would serve this purpose.\58\
---------------------------------------------------------------------------
\58\ Some commenters also suggested that existing State and
Federal oversight of some market activities, including for
compliance with Federal consumer financial law, was adequate. The
Final Rule separately addresses comments on those general topics
further below.
---------------------------------------------------------------------------
Several commenters expressed concern that larger participants may
be violating or inadequately incentivized to comply with one or more of
the Federal consumer financial laws cited in the Proposed Rule. A joint
comment from consumer groups stated that consumers are exposed to
unfair, deceptive and abusive practices in the payments area, and
stated that oversight of this market is needed to ensure market
participants comply with the prohibition against
[[Page 99588]]
unfair, deceptive, and abusive acts and practices.\59\ This comment
assessed the risk of abusive practices as high due to what the comment
described as lack of competition and consumer choice with respect to
the larger participants defined in the Proposed Rule. A comment from a
group of State attorneys general stated that the Proposed Rule, coupled
with existing State consumer protection statutes, would allow the
Federal and State governments to work together to prevent and abate
unfair, deceptive, and abusive acts and practices in the market. A
consumer group and a nonprofit commenter stated that the Proposed Rule
would be especially useful in promoting compliance with the prohibition
against unfair, deceptive, and abusive acts and practices by companies
that provide financial services to incarcerated and recently
incarcerated persons. And a consumer group and nonprofit commenter
stated that it was common sense that unfair, deceptive, and abusive
acts and practices protections be applied to new entrants and
technologies like those described in the Proposed Rule.
---------------------------------------------------------------------------
\59\ See 12 U.S.C. 5531, 5536 (prohibiting unfair, deceptive,
and abusive acts and practices in connection with the offering or
provision of consumer financial products and services).
---------------------------------------------------------------------------
As an example of how supervision of larger participants would
promote compliance, a banking association noted that the CFPB's
publication Supervisory Highlights \60\ communicates CFPB expectations
of compliance to the overall market and encouraged its use in this
market, and stated that the proposal should enable the CFPB to publish
Supervisory Highlights identifying problematic conduct in this market.
A comment from several consumer groups pointed to findings in
Supervisory Highlights related to violations of Regulation E and other
provisions of Federal consumer financial law violations at banks. The
comment stated that the CFPB also should supervise larger nonbank
companies handling consumer payments, including payment apps, because
such violations at nonbanks are just as likely if not more so.
---------------------------------------------------------------------------
\60\ The CFPB periodically publishes Supervisory Highlights to
share key examination findings in order to help industry limit risks
to consumers and comply with Federal consumer financial law. Each
Supervisory Highlights publication shares recent examination
findings, including information about recent enforcement actions
that resulted, at least in part, from the CFPB's supervisory
activities. These reports also communicate operational changes to
the CFPB's supervision program and provide a convenient and easily-
accessible resource for information on the CFPB's recent guidance
documents. Supervisory Highlights does not refer to any specific
institution in order to maintain the confidentiality of supervised
entities. See https://www.consumerfinance.gov/compliance/supervisory-highlights/ (last visited Nov. 5, 2024).
---------------------------------------------------------------------------
Regarding EFTA and Regulation E, a comment from consumer groups
stated that oversight is needed to ensure payment app and digital
wallet providers comply with the EFTA's consumer protections for
electronic fund transfers, highlighted payment fraud as a significant
risk, and stated that violations of the EFTA related to digital
payments are extremely common, even among banks that are closely
supervised by regulators. The commenter cited to several findings of
EFTA violations from CFPB examinations in this area that the CFPB has
published in Supervisory Highlights. A credit union association
commenter stated that nonbanks that offer consumer payment services
have error resolution responsibilities under Regulation E which the
CFPB cannot effectively assess without exercising supervisory
authority.
Commenters also addressed risks posed to consumers associated with
potential violations of the GLBA and Regulation P.\61\ A comment from a
group of State attorneys general supported the Proposed Rule in part
because it would allow the CFPB to examine digital payment applications
for compliance with the privacy provisions of the GLBA. The comment
stated the Proposed Rule would permit the CFPB to address the critical
data privacy issues posed by digital payment applications by allowing
the CFPB to assess how applications are storing, using, and sharing
their collections of sensitive consumer data as well as changes to
larger participants' privacy policies. A consumer group commenter
stated that its review had identified multiple risks associated with
peer-to-peer payment application companies. The commenter stated that
more than 25,000 consumers had signed a petition urging the CFPB to
take action with respect to various risks posed by payments
applications, including risks associated with fraud and collection and
storage of consumer information.\62\
---------------------------------------------------------------------------
\61\ Title V, subtitle A of the GLBA and its implementing
regulation, Regulation P, govern the treatment of nonpublic personal
information about consumers by financial institutions.
\62\ Similarly, other commenters emphasized potential risks with
respect to use of consumer data and risks to consumer privacy that
may be associated with payment application and digital wallet
providers, including the risk of losing money through fraud or
mistakes or having personal data collected and shared.
---------------------------------------------------------------------------
Other commenters such as a company, nonprofits, and an industry
association stated that the Proposed Rule did not adequately assess the
degree of existing compliance or otherwise explain how it would promote
compliance. For example, one commenter criticized the statement in the
proposal that CFPB supervision would incentivize compliance as
circular, given what it viewed as inadequate discussion in the Proposed
Rule of the level of existing non-compliance or risks of non-
compliance.\63\ In addition, several industry comments suggested that
EFTA/Regulation E, GLBA/Regulation P, or both do not apply to certain
market participants, which they viewed as undermining the notion that
the Proposed Rule would promote compliance with Federal consumer
financial law. A company commenter added that the proposal did not
explain how the prohibition against unfair, deceptive, or abusive acts
or practices applied to market participants, or why supervision is the
appropriate mechanism to identify and prevent any anticipated
violations of Federal consumer financial law more broadly. Further, an
industry commenter stated that State supervision by itself is more
effective and better at enforcing the law than CFPB supervision.
---------------------------------------------------------------------------
\63\ Further below, the Final Rule summarizes and responds to
comments more broadly addressing the general topic of risks to
consumers in the market.
---------------------------------------------------------------------------
Comments on Detecting and Assessing Risks to Consumers and Markets,
Including Emerging Risks
Comments from a group of State attorneys general, a payment
network, a banking association, consumer groups, and nonprofits agreed
that CFPB supervision of larger participants in this market would help
the CFPB to detect and assess risks to consumers and markets, including
emerging risks, in this rapidly growing and evolving market. For
example, an industry association generally described the potential for
CFPB supervision to promote maturity in the market, which it described
as immature and rapidly evolving.\64\ In addition, these comments
pointed to several reasons why the CFPB supervision and examination
process is well suited to this goal. A consumer group stated that
supervisory authority is one of the most basic tools regulators have to
identify new risks in the market as early as possible, before market
failures with wide-ranging implications occur. Several consumer groups
added that CFPB should not rely only on third-party sources of
[[Page 99589]]
information to assess market activity, which would lead to delayed
responses to problems, compared with supervision.\65\ A nonprofit
commenter stated that because supervision occurs outside of the
adversarial legal process, it is an especially effective tool for
rapidly gathering information that can prevent dubious practices before
they develop.
---------------------------------------------------------------------------
\64\ In its view, the Proposed Rule may result in development of
a robust, consumer-protected market, given how previous larger
participant rules had helped to ensure consumer protection remains a
prominent concern among participants in those markets.
\65\ These commenters also stated supervision of larger
participants would allow the CFPB to respond more quickly to
emerging problems affecting servicemembers who are especially
vulnerable to identity theft and fraud in the market.
---------------------------------------------------------------------------
Several comments also identified various existing and emerging
risks in the market that the commenters believed the CFPB would be able
to effectively detect and assess though supervision, including risks
with respect to consumers' loss of funds and loss and misuse or abuse
of data. The Final Rule summarizes these comments below. In addition, a
group of State attorneys general stated that the rule will allow the
CFPB to detect and assess risks that emerge not only from the existing
products and services, but also as a result of future technological
advancements in the market.
With respect to the potential for consumers to lose funds or access
to funds, a group of State attorneys general noted that research cited
in the proposal indicated that almost a third of digital payment
application users with lower incomes reported one or more problems
related to funds being sent to the wrong person or not receiving funds
that were sent to them.\66\ These commenters stated that a lack of
regulatory oversight has significantly contributed to those problems. A
nonprofit commenter stated that larger participants pose unique risks
to consumers related to what the commenter characterized as the lack of
consumer protections associated with these applications, as well as the
possible systemic risks they may present to the financial markets. The
commenter raised specific concerns about the risk of consumer loss of
funds from uninsured entities and lack of consumer awareness of such
matters. The commenter also stated that CFPB supervision of these
nonbank payment applications would, among other things, help to
identify and mitigate systemic financial risk and enhance consumer
protection. An individual commenter stated that the market had diverse
participants but that there are common areas of risk with payment apps
linked to a stored value product, including a risk of losing access to
funds to pay for food or bills due to a technical glitch. Additional
commenters raised various concerns about what they often described as
fraud in the market and lack of related consumer protections, and a
nonprofit commenter cited complaints submitted to the FTC regarding
peer-to-peer payment fraud. At the same time, several industry
commenters suggested that certain consumer protections such as EFTA/
Regulation E or GLBA/Regulation P do not apply to some market
participants, as described further above, and that consumers often are
adequately protected by other parties to the transaction such as banks
and credit unions, as described in the discussion of general comments
about existing oversight of the market further below.
---------------------------------------------------------------------------
\66\ Consumer Reports P2P Survey at 7 (also indicating that of
all respondents who have used a P2P service, 22 percent reported one
or more such problems). See also 88 FR 80197 at 80200 n.25
(proposal's discussion of other data in this report, noted above).
---------------------------------------------------------------------------
With regard to uses of consumer payments data, a banking
association, a payment network, a nonprofit commenter, and several
consumer groups stated that the way in which nonbanks can exploit the
convergence of payments and commerce poses risk to consumers with
respect to this market, such as through aggregation and monetization of
consumer financial data. A group of State attorneys general added that
supervision of larger participants would help the CFPB to detect and
assess emerging risks in the use of consumer financial data as
technology continues to evolve. And an individual commenter and several
industry comments stated that consumer payments data is often used for
purposes beyond initiation of the consumer payment transaction.\67\
Several consumer groups described the level and use of consumer data
collected by large technology firms as unreasonable and potentially
dangerous. Several other commenters including individuals noted that
the collection of such data also raises data security risks, including
what a nonprofit commenter described as novel security risks raised by
digital wallets. At the same time, other comments from industry
suggested that data security risks to consumers were particularly low
given the security and anti-fraud enhancements from market
participants' reliance on features such as tokenization.\68\ And a
nonprofit commenter stated that government regulators generally are not
effective at preventing data breaches as some of the largest have
occurred at heavily-regulated institutions.
---------------------------------------------------------------------------
\67\ The Final Rule discusses and responds to these comments in
more detail in the section-by-section analysis of the exclusion for
certain marketplace activities described further below.
\68\ In addition, digital assets industry comments described
what they viewed as additional security that digital assets provide.
As discussed in the section-by-section analysis of the larger-
participant test further below, the Final Rule does not count those
transactions toward the larger-participant test.
---------------------------------------------------------------------------
Some commenters disagreed that the goal of detecting and assessing
risks including emerging risks warrants the proposed expansion of
CFPB's supervisory authority in this market. For example, two nonprofit
commenters stated that the rationale of detecting and assessing
emerging risks was not supported by evidence, and instead only by the
theoretical possibility of harm in an innovative, successfully-growing
and popular market. Another nonprofit commenter stated that the
proposal did not examine the nature of the emerging risks, whether by
mentioning novel security risks posed by digital wallets or other
harms. Another nonprofit commenter stated its belief that market
participants' responses to the CFPB's previous market-monitoring orders
generated adequate information for the CFPB to determine the level of
risks posed by this emerging market.\69\ Two industry associations
stated that they agreed in principle that regulation needed to evolve
along with new technology, but they stated that the CFPB first must
identify harms it perceives in the market before proposing to supervise
its larger participants. Another industry association agreed, stating
that the Proposed Rule merely described the possibility of ``new
risks'' from ``new product offerings'' and did not state what the ``new
risks'' might be. It pointed to market reports that, in its view,
indicated that nonbanks' multi-sided business models in the digital
economy provide new benefits to consumers and promote competition.\70\
A nonprofit commenter characterized the proposal as referring to
hypothetical risks that may occur in the future, and described this
reference as a mere pretext to support an agenda to target large
technology firms. An industry commenter added that the goal of
detecting and assessing new and emerging risks is inadequate as a
[[Page 99590]]
foundation for a larger participant rule. In its view, the CFPB can
only engage in larger participant rulemakings when it identifies risks
that supervision would mitigate. The commenter also asserted that,
because the CFPB must consider risks to consumers in exercising its
supervisory authority under section 1024(b)(2), the CFPA also requires
that the CFPB establish the existence of specific risks to consumers
that would be mitigated by supervision when issuing a larger
participant rule under section 1024(a)(1)(B) and (2). The industry
commenter also claimed that principles of administrative law likewise
require the rule to target identified risks.\71\
---------------------------------------------------------------------------
\69\ However, this commenter also recommended that the CFPB
continue to gather information on the market before expanding its
supervisory authority as proposed.
\70\ Separately, this commenter observed that the financial
technology sector that encompasses the proposed market often uses
advanced technologies including artificial intelligence, block chain
technology, and data mapping to create new financial products and
services that are beneficial in various ways. This commenter did not
state that such products posed any risk or could pose any emerging
or new risks.
\71\ The commenter also stated in a footnote that if the rule
does not need to identify meaningful risks to consumers then the
CFPA would violate the non-delegation doctrine in constitutional
law. The commenter did not explain the basis for that view, and the
CFPB disagrees with that view. Through the CFPA, Congress has
provided guidance to the CFPB on how to exercise its rulemaking
authority under 12 U.S.C. 5514(a)(1)(B) and has imposed limits on
that authority, including rules of construction for defining larger
participants and policy considerations, which the CFPB has addressed
in this Final Rule.
---------------------------------------------------------------------------
More broadly, many of the industry commenters and other commenters
stated that the Proposed Rule did not adequately consider whether
market activity currently poses risks to consumers and if so how and to
what degree. Other commenters similarly stated that the proposal failed
to establish that certain provisions of Federal consumer financial law
apply to market participants; that the proposal failed to identify
potential violations of law or other specific harms that the Proposed
Rule would seek to address, or any relevant market failures; and that
the CFPB should first issue a report articulating the risks it sees in
the proposed market or otherwise identify such risks prior to issuing a
final rule.\72\ Certain commenters also stated that the CFPB should
evaluate risk separately with respect to various subcomponents of the
market described in the Proposed Rule, and argued for the exclusion of
various market participants, as discussed in more detail in the
section-by-section analysis of the corresponding component of the
market definition further below.\73\ Finally, a nonprofit commenter
stated that the CFPB should provide greater clarity to market
participants as to how the CFPB would assess risk in its prioritization
process in this market, including what risks it would consider.
---------------------------------------------------------------------------
\72\ A nonprofit commenter stated that the unique data security
risks that digital wallets pose should be addressed through public
education rather than regulation. As noted above, consumer education
is outside the scope of this rule and, for the reasons explained in
the response to general comments, education is not a substitute for
supervision.
\73\ Some commenters suggested that CFPB supervision itself
would increase risk such as by reducing examinees' resources
available for fraud prevention, or exposing the supervised entity's
data to breaches. For the reasons explained in the impacts analysis
in part VII, the CFPB has not determined the Final Rule will reduce
fraud prevention. With regard to the risk of data breaches, the
CFPB's information security system mitigates those risks as further
discussed in part VII.
---------------------------------------------------------------------------
Comments on Ensuring Consistent Enforcement of Federal Consumer
Financial Law Between Banks and Nonbanks
Some comments addressed the Proposed Rule's statement that the rule
would further the CFPB's statutory mandate to ensure consistent
enforcement of Federal consumer financial law between nonbanks and
banks and credit unions, in order to promote fair competition. Several
consumer groups, banking and credit union industry associations, a
payment network, some nonprofits, and an industry provider generally
agreed that the Proposed Rule would have that benefit. For example, a
community banking association stated that community banks have long
expressed concerns that financial technology and large technology firms
are offering financial products and services traditionally provided by
banks, without the same level of regulatory oversight. A banking
association stated that consumers are best protected when banks and
nonbanks offering similar financial products and services are subject
to the same oversight, which mitigates the potential for consumer harm
and improves consumer trust and confidence. This commenter and another
banking association added that establishing parity in supervision will
help to ensure that nonbanks provide the same consumer protections when
they provide the same services as banks. A payment network and a
nonprofit commenter agreed that the proposal would help to ensure that
entities engaged in the same functional activities are subject to the
same functional regulation. Some comments described nonbanks as
deriving a competitive advantage due to their lesser supervisory
oversight, and banks and credit unions as disadvantaged. For example,
the credit union industry association commenter stated that the lesser
supervisory oversight of nonbank peer-to-peer payment apps increases
burdens on credit unions responding to consumer disputes of
transactions conducted in those apps due to the app providers'
underinvestment in compliance and customer service and consumer
preferences for contacting the credit union. The community banking
association also stated that this gap in oversight erodes consumer
trust. One of the banking industry associations agreed, noting that its
2022 survey found that an overwhelming majority of consumers were
concerned about a gap in regulatory oversight between fintech firms
(including cryptocurrency firms) and banks, and believed that the CFPB
and Congress should do more to protect consumers from harm and abuse in
these areas.\74\
---------------------------------------------------------------------------
\74\ Consumer Bankers Ass'n, Press Release, NEW POLL: Nearly
Ninety Percent Of Americans Concerned That Fintech & Crypto Firms Do
Not Have Appropriate Level of Federal Regulation (Dec. 12, 2022)
(describing 56 percent of respondents that want greater oversight
compared to 24 percent who are satisfied with existing oversight),
https://consumerbankers.com/press-release/new-poll-nearly-ninety-percent-of-americans-concerned-that-fintech-crypto-firms-do-not-have-appropriate-level-of-federal-regulations/ (last visited Nov.
18, 2024).
---------------------------------------------------------------------------
At the same time, some industry and nonprofit commenters challenged
the potential for Proposed Rule to promote consistent enforcement of
Federal consumer financial law as between nonbanks and depository
institutions, and thereby promote fair competition, as well as the
appropriateness of that consideration in the rulemaking. For example,
some of these commenters described the proposed objective as an
illegitimate form of ``mission creep . . . outside of [the CFPB's] core
jurisdiction'' or further suggested that the Proposed Rule would place
the CFPB in the role of market gatekeeper for nonbanks, which would
frustrate competition and innovation (which one of these commenters
described as the effect that banking regulation already has on banks).
Some industry commenters also suggested the objective failed to account
for the structure of nonbank market activity vis-[agrave]-vis banks and
credit unions. For example, an industry association stated that many
nonbank market participants either complement banks and credit unions
by making it easier for consumers to use payment methods provided by
those financial institutions, or partner directly with the banks and
credit unions. Some banking associations also expressed concern that
the rule would increase indirect burden on banks and may create
confusion about differences between banks and nonbanks. As another
example, an industry provider stated that banks provide deposit
accounts (and associated funds transfer functionalities), not pass-
through payment wallets allowing consumers to access payment methods
issued by
[[Page 99591]]
third-party financial institutions.\75\ And for that reason, in its
view, increased oversight of those activities would not serve the
CFPB's stated purpose. However, another industry association stated
that banks have been introducing their own digital wallets, both
directly and through affiliates, in an effort to compete with nonbank
incumbents that have embedded their digital wallets into merchant
checkout processes.
---------------------------------------------------------------------------
\75\ As discussed below in the section-by-section analysis of
the definition of ``covered payment functionality,'' the preamble
uses the phrase pass-through payment wallet to describe this type of
functionality discussed by commenters.
---------------------------------------------------------------------------
Finally, an industry association also suggested that in some ways
the Final Rule may not promote consistent enforcement of Federal
consumer financial law. It stated that the CFPB should explain why
larger participants in the proposed market should be subject to what it
viewed as significantly more CFPB supervisory authority than exists
over other persons that facilitate consumer payment transactions, such
as banks and credit unions providing physical payment cards and
providers of payment applications that do not have ``general use'' as
defined in the Proposed Rule such as automobile purchase applications
and food delivery applications.\76\
---------------------------------------------------------------------------
\76\ The commenter also stated the Proposed Rule excluded from
``general use'' bill-payment applications and applications used to
purchase financial assets including securities. However, the
Proposed Rule specifically acknowledged the existence in the market
of ``a general-use bill-payment function.'' 88 FR 80197 at 80206. In
addition, the Proposed Rule did not list applications for purchase
of securities among the examples of activities that do not have
``general use'' because it already excluded those transaction from
the proposed definition of ``consumer payment transaction'' as
discussed in the section-by-section analysis of that term further
below.
---------------------------------------------------------------------------
Comments on Other Regulators' Existing Oversight Authority
Some commenters suggested the rule would help existing regulatory
oversight efforts in the market, while others stated that the Proposed
Rule did not adequately consider whether the CFPB supervisory authority
was needed in light of existing regulatory oversight mechanisms of
other regulators.
A group of State attorneys general stated that the Proposed Rule
would allow Federal and State authorities to coordinate to prevent and
abate unfair, deceptive, and abusive acts and practices in the market.
They indicated that violations of Federal law detected through CFPB's
supervisory examinations could assist State enforcement, including in
States such as California, New Jersey, and New York, where a commercial
practice that violates Federal law is deemed or presumed to violate the
State's consumer protection laws.
On the other hand, some other commenters stated that the Proposed
Rule did not adequately consider the degree to which the market already
is overseen by other regulators, including State oversight of nonbank
market participants that are money transmitters, Federal prudential
regulators' oversight with respect to banks and credit unions that
provide accounts, hold funds, and process payments facilitated by
nonbank market participants, and FTC enforcement of consumer protection
laws including competition laws.\77\ Several industry associations
stated that the rulemaking generally must better account for the
potential for CFPB supervision to duplicate the oversight by those
other regulators, and the unnecessary burdens and diverging regulatory
expectations that such duplicative supervision can create.\78\ One of
these commenters stated that the CFPB should clarify the scope and
requirements of the rule to prevent these outcomes, and stated that
close coordination by the CFPB with other regulators is needed before
the CFPB pursues oversight of larger participants.
---------------------------------------------------------------------------
\77\ A few industry comments also mentioned Federal oversight of
money transmitters by FinCEN in the U.S. Treasury. These commenters
did not describe any nexus between that oversight and compliance
with Federal consumer financial law, or otherwise suggest that
supervisory activity by FinCEN and the CFPB would have overlapping
subject matter related to compliance with Federal consumer financial
law.
\78\ Some commenters also discussed Federal prudential
regulators' existing oversight of banks and credit unions as
relevant due to the inclusion in the market of nonbanks that partner
with banks and credit unions, and of pass-through payment wallets
that facilitate the use of accounts provided by banks and credit
unions. The Final Rule summarizes and responds to those comments in
more detail in the section-by-section analysis of ``covered payment
functionality'' below.
---------------------------------------------------------------------------
With respect to existing State oversight, an industry association
stated that State financial regulators supervise various aspects of the
market and the CFPA requires the CFPB to account for oversight by State
authority when exercising its supervisory authority. Two other industry
associations indicated that in their view the Proposed Rule did not
consider how the CFPB would address overlap in scope with State
examinations on the same subject matter particularly at money
transmitters. A nonprofit commenter suggested that State oversight is
sufficient because States are better at enforcing the law because they
have a better understanding of local conditions.\79\
---------------------------------------------------------------------------
\79\ This commenter also stated that States generally occupy the
field of consumer protection law, that Federal supervisory oversight
by the CFPB would ``preempt'' State law, and that the proposal did
not provide compelling evidence for doing so. The CFPB disagrees
that a larger participant rule, which establishes CFPB supervisory
authority and does not impose substantive consumer protection
obligations, preempts such State consumer protection laws.
---------------------------------------------------------------------------
Comments on CFPB Enforcement and Market-Monitoring Authorities
An industry association stated that the Proposed Rule did not
explain how supervisory authority would promote additional compliance
with Federal consumer financial law beyond compliance the CFPB ensures
through its enforcement function and aided by its market-monitoring
function. A nonprofit suggested that CFPB enforcement is sufficient to
address risks to consumers, and that supervision would only impose
unnecessary burden.
Comments Raising ``Major Questions'' Doctrine
Another area of comment related to the ``major questions
doctrine.'' Those commenters who addressed the doctrine generally were
critical of the Proposed Rule and took an expansive view of the
circumstances in which the doctrine applies. First, one nonprofit
commenter stated that the major question doctrine precludes the CFPB
from defining larger participants in a digital wallet market generally.
This commenter stated that, despite the existence of digital wallets at
the time of adoption of the CFPA, Congress did not expressly include
them within the scope of CFPB supervisory authority and therefore chose
to foster innovation free from the CFPB's supervisory oversight.
Further, in its view, the market has vast economic and political
significance given both the aggregate dollar value of transactions on
digital wallets (nearly $1 trillion) and references by the CFPB to
payment systems as ``critical infrastructure'' and to ``Big Tech''
companies.\80\ Second, some commenters stated that the CFPB's
interpretation of the merchant payment processing exclusion in CFPA
section 1002(15)(A)(vii)(I) also is impermissible under the major
questions doctrine.\81\
[[Page 99592]]
Third, some commenters stated that the major questions doctrine voids
the CFPB's interpretation of CFPA section 1024(b) as authorizing
supervision of all consumer financial products and services provided by
a larger participant for compliance with Federal consumer financial law
and related risks.\82\
---------------------------------------------------------------------------
\80\ CFPB Press Release (Nov. 7, 2023) (announcing Proposed
Rule), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/ (last visited Nov. 8,
2024).
\81\ In addition, some commenters stated that the inclusion of
certain digital assets transfers in the proposed definition of
consumer payment transactions raised a ``major question.'' As
discussed further below, the CFPB has decided, for purposes of this
Final Rule, not to define larger participants in the general-use
digital consumer payment applications market by reference to
activity involving digital assets. This Final Rule therefore does
not address these major questions comments further.
\82\ As discussed further above in the general comments on how
the rule would enable the CFPB through its supervisory activity to
detect and assess risks to consumers and markets, a nonbank
commenter claimed that the larger participant rule itself must
identify meaningful risk, or it would violate the major questions
doctrine. For the reasons described below in the response to these
general comments above, the CFPB disagrees with both claims. The
CFPB also disagrees that this rule implicates the major questions
doctrine for reasons discussed below.
---------------------------------------------------------------------------
Comments on Potential Scope of CFPB Examinations of Larger Participants
Relatedly, the CFPB received several other comments on the
proposal's statement that the CFPB's supervisory authority is not
limited to the products or services that qualified a person for
supervision, but also includes other activities of such a person that
involve other consumer financial products or services or are subject to
Federal consumer financial law.\83\ Four commenters (representing the
banking industry) expressed agreement with the CFPB's description of
its supervisory authority over larger participants. They stated that
the CFPB's position is consistent with how the CFPB supervises large
banks, where every consumer financial activity that the bank engages in
is subject to CFPB jurisdiction. Several other commenters (several
industry trade groups, an individual company, and a law firm) disagreed
with the CFPB's description of its supervisory authority. These
commenters generally interpreted CFPA section 1024 to limit the scope
of nonbank supervisory authority over larger participants to specific
consumer financial products and services included in the market covered
by the corresponding larger participant rule. One of these commenters
asserted that the rule could not be used by the CFPB to scrutinize the
digital assets business lines of entities, including those already
subject to supervision. One commenter also suggested that even if the
CFPA's view of its authority is correct, it would be unreasonable for
the CFPB to actually exercise that authority because the costs of such
supervision would exceed the benefits. Another said the exercise of
such authority would discourage innovation and competition.
---------------------------------------------------------------------------
\83\ 88 FR 80197 at 80198 n.7 (quoting 77 FR 42874 at 42880).
---------------------------------------------------------------------------
Response to General Comments Received
After first responding to comments on rulemaking process issues,
the Final Rule provides a response below to other general comments. For
the reasons described below, the CFPB continues to believe that
issuance of this larger participant rule is warranted because: (1) the
market has grown dramatically and become increasingly important to the
everyday financial lives of consumers; (2) CFPB supervisory authority
over its larger participants would help the CFPB to promote compliance
with Federal consumer financial law; (3) that authority would help the
CPFB to detect and assess risks to consumers and the market, including
emerging risks; and (4) that authority would help the CFPB to ensure
consistent enforcement of Federal consumer financial law between banks
and nonbanks.
Rulemaking Process
While the CFPB was considering comments on the Proposed Rule, the
Supreme Court issued a decision ruling that the CFPB funding mechanism
is constitutional under the Appropriations Clause.\84\ The CFPB
disagrees with commenters' suggestion that it should have forgone
larger participant rulemaking activity during such a challenge.
---------------------------------------------------------------------------
\84\ CFPB v. Cmty. Fin. Servs. Ass'n of Am., Ltd., 601 U.S. 416
(2024).
---------------------------------------------------------------------------
The CFPB also disagrees with those commenters suggesting that an
extension of the comment period was necessary to allow for meaningful
input on the Proposed Rule. The Proposed Rule would have a narrow
impact, establishing CFPB supervisory authority over a group of nonbank
covered persons who already are subject to CFPB enforcement and market-
monitoring authority, and at least some of whom already are subject to
CFPB supervisory authority on other grounds. Despite this, the CFPB
received timely comments from a wide array of commenters, as described
above, and all but one of the commenters described here filed timely
comments after requesting more time. The CFPB disagrees that an
extension of the comment period is warranted based on the proposal of a
market definition that commenters viewed as complex or a larger-
participant test with more than one criterion. As discussed below,
commenters provided numerous useful comments about the proposed market
definition and the CFPB is making several adjustments to the market
definition in the Final Rule in response including to improve clarity.
With regard to the larger-participant test, the CFPB proposed a test
that was based on two criteria (consumer payment transaction volume and
the entity's size by reference to SBA size standards) that were
explained in the proposal and are not especially complicated. Proposed
rules often include small entity exclusions, and many commenters
provided substantive comments on the proposed exclusion, as discussed
further below.\85\ Further, it was unnecessary to extend the comment
period with an accompanying notice of the risks the CFPB believes
market participants pose to consumers because, as explained in the
Proposed Rule and discussed below, the CFPB is not required to make
findings about relative risks in a market to justify issuing (or
proposing) a larger participant rule. Finally, the CFPB notes that the
Proposed Rule set a January 8, 2024, deadline for filing of comments,
about two months after the rule was issued on November 7, 2023, and 52
calendar days after its November 17, 2023, publication in the Federal
Register. Commenters had well over 30 days to prepare comments even
accounting for the end-of-year holiday season.\86\ Indeed, several of
the requests for an extension cited their own substantive comments on
the Proposed Rule as the reasons for requesting an extension. For these
reasons, the CFPB also disagrees with the industry comment suggesting
that the lack of extension of the comment period supports a conclusion
that the CFPB should withdraw the Proposed Rule.
---------------------------------------------------------------------------
\85\ With respect to the proposed coverage of digital assets,
commenters from the digital asset sector provided extensive and
detailed comments, demonstrating that those commenters were able to
provide meaningful input on the Proposed Rule during the comment
period. In any event, as discussed below, the CFPB has decided, for
purposes of this Final Rule, not to define larger participants in
the general-use digital consumer payment applications market by
reference to activity involving digital assets.
\86\ The extensive comments in the rulemaking record demonstrate
that the presence of Federal holidays (Veteran's Day after issuance
of the proposal and Thanksgiving, Christmas, and New Years after
publication in the Federal Register) and a concurrent proposal and
ongoing market monitoring in this market did not preclude commenters
from offering detailed substantive comments. In any event, the CFPB
sent the market-monitoring inquiries to a limited number of firms
and issued the parallel proposal (which, unlike this rulemaking,
proposed substantive consumer protections) almost three weeks
earlier with a 60-day comment period.
---------------------------------------------------------------------------
[[Page 99593]]
Establishing CFPB Supervisory Authority Over the Large and Growing
Market
As described above, commenters agreed with the findings in the
Proposed Rule that the market has grown rapidly to achieve a
significant size with high levels of adoption and broad reliance by
consumers on general-use digital consumer payment applications. As the
proposal explained in detail, the market for general-use digital
consumer payment applications has large and increasing significance to
the everyday financial lives of consumers, who are growing increasingly
reliant on such applications to initiate payments.\87\ Further growth
can be anticipated.\88\ For example, as the proposal stated, nonbank
digital payment applications have rapidly grown in the past few years
to become the most popular way to send money to other individuals other
than cash, and are used for a higher number of such transactions than
cash.\89\ The proposal also cited various market research publications
indicating that most merchants in the United States accept general-use
digital consumer payment applications as a means or method of payment.
Given the extent of consumer adoption and reliance, the extent of the
consumer payment transaction volume (approximately 13.5 billion
annually) and value (approximately $1.2 trillion annually), and the
breadth of associated consumer data collected, it is important for the
CFPB to establish Federal supervisory oversight of larger participants.
---------------------------------------------------------------------------
\87\ See 88 FR 80197 at 80200-80201.
\88\ Id.
\89\ Id.
---------------------------------------------------------------------------
The CFPB also has considered the industry association commenter's
observation that the market for general-use digital consumer payment
applications as defined in the Proposed Rule may not have reached the
maturity stage in the industry lifecycle. The CFPB acknowledges that,
compared to the markets covered by previous larger participant
rulemakings,\90\ this market has developed more recently, fueled by
technological change. In the years after a large nonbank financial
technology firm developed the first well-known digital payment app in
the late 1990s,\91\ other large fintech firms including BigTech firms
\92\ entered and expanded the market by leveraging new digital consumer
technologies, such as smartphones that support digital applications
(which proliferated starting in the late 2000s) \93\ and smartphone
near-field communication (NFC) technologies that support in-store
payments (which proliferated in the 2010s).\94\ More recently, well-
known market participants have been bundling consumer financial
products and services to help consumers to make payments to friends and
family and payments to merchants together in the same digital
application. Although the market is newer than some other consumer
finance markets, consumer adoption for these types of consumer payment
transactions already has reached very high levels. As described in the
Proposed Rule and explained above, general-use digital consumer payment
applications already play a fundamental role in facilitating the
payments that many consumers in the United States make every day.
Therefore, the CFPB believes it is an appropriate time for it to issue
a rule to establish the authority of the CFPB to supervise larger
participants in this market. The CFPB reaches that conclusion in the
Final Rule not solely due to the size of the market and its growth, but
in conjunction with its goals described below of promoting compliance
with Federal consumer financial law, detecting and assessing risks to
consumers and markets, and ensuring consistent enforcement of Federal
consumer financial law.
---------------------------------------------------------------------------
\90\ Following significant growth in the 1980s, by 1990,
personal remittances from the United States had reached over US$10
billion. See World Bank Group, Personal remittances, paid (current
US$)--United States, https://data.worldbank.org/indicator/BM.TRF.PWKR.CD.DT?locations=US (last visited Nov. 5, 2024). Nearly
two decades earlier, consumer reporting agencies and consumer debt
collection markets had already grown to the point that Congress
adopted substantive consumer protection legislation to regulate
them. See Public Law 91-508 (Oct. 26, 1970) (title VI adopting Fair
Credit Reporting Act); Public Law 95-109 (Sept. 20, 1977) (Title
VIII adopting Fair Debt Collection Practices Act). By that time,
following adoption of the Higher Education Act of 1965, Public Law
89-329 (Nov. 8, 1965), student lending and student loan servicing
had already been expanding. And largescale consumer automobile
financing dates back to at least the 1920s. See Buy Now Pay Later: A
History of Personal Credit, Harv. Bus. School Library (section
titled ``Cards on time'' noting that ``[i]n the 1920s, auto
financing took a giant leap forward when the car manufacturers
entered the game''), https://www.library.hbs.edu/hc/credit/credit4d.html (last visited Nov. 5, 2024).
\91\ PayPal Editorial Staff, Alternative and digital payment
methods: Shaping the payment industry and preparing for the future
(Dec. 18, 2023) (stating that ``[t]he first digital solution in the
alternative payment industry was PayPal, developed in 1998 to enable
people to make payments via an email address''), https://www.paypal.com/us/brc/article/alternative-payment-method-trends
(last visited Nov. 5, 2024).
\92\ Consistent with its use by the Financial Stability Board,
the Final Rule uses the term ``BigTech'' to refer to large
technology companies with extensive customer networks. See, e.g.,
Financial Stability Board Report P091219-1, BigTech in finance--
Market developments and potential financial stability implications
(Dec. 9, 2019) at 3 (``BigTech firms are large technology companies
with extensive established customer networks. Some BigTech firms use
their platforms to facilitate provision of financial services. Those
that do so can be seen as a subset of FinTech firms--a broader class
of technology firms (many of which are smaller than BigTech firms)
that offer financial services.''), https://www.fsb.org/wp-content/uploads/P091219-1.pdf (last visited Nov. 5, 2024).
\93\ Apple Press Release, Apple Reinvents the Phone with iPhone
(Jan. 9, 2007), https://www.apple.com/newsroom/2007/01/09Apple-Reinvents-the-Phone-with-iPhone/ (last visited Nov. 5, 2024);
Michael DeGusta, Are Smart Phones Spreading Faster than Any
Technology in Human History? MIT Technology Review (May 9, 2012)
(citing data that smart phones, which represented only six percent
of U.S. mobile phone sales as of 2006, had grown to a two-thirds
share as of 2012, with use by nearly 40 percent of the U.S.
population), https://www.technologyreview.com/2012/05/09/186160/are-smart-phones-spreading-faster-than-any-technology-in-human-history/
(last visited Nov. 5, 2024).
\94\ CFPB Contactless Payments Spotlight, supra.
---------------------------------------------------------------------------
Promoting Compliance With Federal Consumer Financial Law
As described in the proposal, supervision of larger participants in
a market for general-use digital consumer payment applications will
help ensure those companies are complying with applicable requirements
of Federal consumer financial law.\95\ One of the primary purposes of
supervision under CFPA section 1024(b)(1) is ``assessing compliance
with the requirements of Federal consumer financial law,'' and the
Final Rule will further the CFPB's ability to assess compliance by
larger participants with the requirements of those laws.\96\
---------------------------------------------------------------------------
\95\ 88 FR 80197 at 80201, 80212.
\96\ See 12 U.S.C. 5514(b)(1)(A).
---------------------------------------------------------------------------
As identified by several commenters and described further above,
the larger participants defined in the Rule engage in activities that
are subject to applicable Federal consumer financial law such as the
prohibition against unfair, deceptive, and abusive acts and practices
set forth in the CFPA; the EFTA and its implementing Regulation E; and
the data privacy protections of the GLBA and its implementing
Regulation P. The CFPB disagrees with the comments suggesting that
certain larger participants would not be subject to any Federal
consumer financial laws.\97\ The larger participants defined by the
rule are covered persons under the CFPA and would at a minimum be
subject to the CFPA's prohibition against unfair, deceptive, and
abusive acts and practices.\98\ Assessing
[[Page 99594]]
compliance with the prohibition against unfair, deceptive, and abusive
acts and practices is itself important, because such practices can
cause significant harm to consumers.\99\ Many of these commenters also
acknowledged that some of the other Federal consumer financial laws
would apply to at least a subset of the larger participants defined by
the Proposed Rule.\100\
---------------------------------------------------------------------------
\97\ As discussed further below, the CFPB disagrees with
industry commenter suggestions that pass-through payment wallets are
excluded from the scope of the CFPA as ``electronic conduit
services.''
\98\ See 12 U.S.C. 5481(5) (defining the term ``covered
person''), 5531 (applying prohibition against unfair, deceptive, and
abusive acts and practices to all ``covered persons'' as well as
other persons), 5536 (same). The CFPB also can supervise larger
participants for other Federal consumer financial laws that apply,
including laws that take effect or for which compliance is mandatory
in the future. For example, the CFPB recently finalized a personal
financial data rights rule under its CFPA authority that is part of
Federal consumer financial law and that generally applies to market
participants. CFPB, Final Rule, Required Rulemaking on Personal
Financial Data Rights, 89 FR 90838 (Nov. 18, 2024) (CFPB Personal
Financial Data Rights Rule). As another example, the CFPB's nonbank
registration regulation imposes requirements on covered nonbanks
related to the registration of covered orders including, for covered
nonbanks that are supervised registered entities, written-statement
requirements. See 12 CFR 1092.201(q), 1092.204.
\99\ For example, under the CFPA, an unfair act or practice must
cause or be likely to cause ``substantial injury'' to consumers. 12
U.S.C. 5531(c)(1); see also, e.g., Supervisory Highlights Issue 18,
Winter 2019 at 13-14 sec. 3.1.2, https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-18_032019.pdf (last
visited Nov. 13, 2024) (noting that CFPB supervisory activities
resulted in or supported the public enforcement action resolved in
2019 by consent order In re: Enova International, Inc., Admin. Proc.
File No. 2019-BCFP-0003 (Jan. 25, 2019) ]] 9-33 (describing unfair
acts and practices including repeat debiting of consumer accounts
without valid authorization), https://files.consumerfinance.gov/f/documents/cfpb_enova-international_consent-order_2019-01.pdf (last
visited Nov. 13, 2024); Supervisory Highlights Issue 21, Winter 2020
at 16 sec. 4.1 (noting that CFPB supervisory activities resulted in
or supported the public enforcement action resolved in 2019 against
Maxitransfers Corporation including deceptive acts and practices in
statements in terms and conditions regarding company's
responsibility for errors by their agents), https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-21_2020-02.pdf (last visited Nov. 13, 2024); Issue
32, Spring 2024, supra, at 14 sec. 4.1 (noting that CFPB supervisory
activities resulted in or supported the public enforcement action
resolved in 2023 against Toyota Motor Credit Corporation finding
several unfair acts and practices).
\100\ For a discussion of comments suggesting that the market
should be confined to entities that receive or hold the funds being
transferred in consumer payment transactions, or that the market
should cover consumer payment transactions that transfer funds from
nonbank accounts but not from bank accounts, see the section-by-
section discussion below of Final Rule Sec. 1090.109(a)(2)
regarding the term ``consumer payment functionality.''
---------------------------------------------------------------------------
The CFPB agrees with the commenters that stated that this rule will
help the CFPB to ensure compliance with Federal consumer financial
laws, and disagrees with those that stated that it would not. The
CFPB's supervisory authority will promote compliance with applicable
legal requirements in multiple ways. As described in the proposal,
under the CFPA, the CFPB shall use its supervisory authority to
``assess[ ] compliance with the requirements'' of Federal consumer
financial laws \101\ and to ``obtain[ ] information about the
activities and compliance systems of procedures'' of market
participants.\102\ The CFPB may review the entity's activities and
compliance systems or procedures and issue supervisory findings or
criticisms as appropriate.\103\
---------------------------------------------------------------------------
\101\ See 12 U.S.C. 5514(b)(1)(A).
\102\ See 12 U.S.C. 5514(b)(1)(B).
\103\ See also discussion below regarding 12 U.S.C.
5514(b)(1)(C) in connection with the use of CFPB supervisory
authority for the purpose of ``detecting and assessing risks to
consumers and markets for consumer financial products and
services,'' including the CFPB's use of its authority under the
Final Rule to better understand how the Federal consumer financial
laws apply to larger participants defined by the rule and the
products and services they offer and to review and mitigate risks
related to noncompliance.
---------------------------------------------------------------------------
Supervision is one of the CFPB's most important and powerful tools
to protect consumers by promoting compliance with Federal consumer
financial law. As discussed in the proposal and as a nonprofit
commenter emphasized, the prospect of the CFPB exercising supervisory
authority over such firms may cause them to allocate additional
resources and attention to compliance and to take steps to mitigate any
noncompliance.\104\ In addition, based on the CFPB's supervisory
experience in other markets, the CFPB's supervisory activities
authorized under the Final Rule are likely to help entities to identify
issues before they become systemic or cause significant harm. Through
its supervisory activity, the CFPB detects and addresses legal
violations. In some instances, the CFPB uses enforcement actions to
address violations that it originally identified through supervision.
The CFPB also uses supervision to help ensure that supervised entities
develop and maintain systems and procedures to prevent and remedy
violations. CFPB supervisory reviews and related compliance ratings
promote the development of compliance risk management practices
designed to manage consumer compliance risk, support compliance, and
prevent consumer harm.\105\ Through supervision, CFPB examiners may
articulate supervisory expectations to supervised larger participants
in connection with supervisory events.\106\ The CFPB also notes that,
following the issuance of its five prior larger participant rules, it
has successfully used its supervisory authority to detect violations
and promote compliance in each of the markets covered by those rules,
as the CFPB has documented in its periodic publication Supervisory
Highlights.\107\ Thus, the CFPB disagrees with comments criticizing the
proposal's statement that CFPB supervision will help to ensure that
larger participants are complying with applicable requirements of
Federal consumer financial law.\108\ Moreover, by authorizing the CFPB
to supervise larger participants, the Rule will promote strong
compliance risk management practices in this market.\109\ The CFPB also
disagrees with commenters stating that CFPB supervision generally harms
[[Page 99595]]
consumers by reducing the resources available to those companies.
Instead, CFPB supervision as provided under the rule will, as intended
by Congress, promote compliance with Federal consumer financial law and
otherwise facilitate the CFPB's statutory objectives. For the reasons
discussed above, the CFPB concludes that the rule will help the CFPB to
promote compliance with Federal consumer financial law in the market.
That, in turn, will reduce risks of harm to consumers, as also
discussed in the impacts analysis in part VII below.
---------------------------------------------------------------------------
\104\ See 88 FR 80197 at 80211-12.
\105\ See, e.g., Federal Financial Institutions Examination
Council, Uniform Interagency Consumer Compliance Rating System, 81
FR 79473, 79474 (Nov. 14, 2016) (discussing assessment by agency
examiners of consumer compliance), https://www.ffiec.gov/press/pr110716.htm (last visited Nov. 5, 2024).
\106\ See CFPB, Bulletin 2021-01: Changes to Types of
Supervisory Communications (Mar. 31, 2021), https://files.consumerfinance.gov/f/documents/cfpb_bulletin_2021-01_changes-to-types-of-supervisory-communications_2021-03.pdf (last visited
Nov. 5, 2024).
\107\ The CFPB publishes Supervisory Highlights on its website
several times each year at https://www.consumerfinance.gov/compliance/supervisory-highlights/ (last visited Nov. 5, 2024).
Since its first larger participant rules took effect in late 2012
and early 2013, these publications have highlighted findings of
violations of Federal consumer financial law and compliance
management weaknesses from examinations in markets subject to its
larger participant rules. See, e.g., Issue 4, Spring 2014 at 8-10
(consumer reporting market), at 11-14 (consumer debt collection
market); Issue 10, Winter 2016 at 11-14 (international money
transfer market). For the most recent examples, see, e.g., Issue 35,
Fall 2024 (automobile finance market); Issue 34, Summer 2024
(consumer debt collection market); Issue 32, Spring 2024 at 4-7
(consumer reporting market); Issue 31, Fall 2023 at 13-14
(international money transfer market); Issue 30, Summer 2023 at 4-8
(automobile financing market), at 8-9 (consumer reporting market),
at 12-13 (consumer debt collection market), at 29-30 (international
money transfer market); Issue 29, Winter 2023 at 14-15 (student loan
servicing market); Issue 28, Fall 2022 at 4-7 (automobile financing
market), at 7-8 (consumer reporting market), at 16-17 (consumer debt
collection market); Issue 27, Fall 2022 at 14-25 (student loan
servicing market); Issue 26, Spring 2022 at 5-11 (consumer reporting
market), at 14-16 (consumer debt collection market), at 22-25
(international money transfer market), at 25-27 (student loan
servicing market).
\108\ See 88 FR 80197 at 80201. Further, the CFPB disagrees that
it is required to make findings of noncompliance in the market in
order to issue this rule, for generally the same reasons (discussed
below) that it is not required to make findings regarding the level
of risk in the market or market failure.
\109\ For example, as discussed in the impacts analysis further
below in part VII, entities may improve their compliance management
either in response to the possibility of an examination or in
response to an examination finding regarding compliance management
weaknesses. See also CFPB Supervision and Examination Manual, part
II.A (describing how CFPB examinations conduct compliance management
reviews).
---------------------------------------------------------------------------
Detecting and Assessing Risks to Consumers and Markets, Including
Emerging Risks
The CFPB concludes that this rule will help the CFPB to detect and
assess risks to consumers and markets from the provision of general-use
digital consumer payment applications. As explained in the Proposed
Rule and for the reasons elaborated further below, the CFPB agrees with
comments suggesting that CFPB supervision of larger participants in
this rapidly-growing and evolving market will be especially useful to
the detection and assessment of emerging risks. As discussed below, the
CFPB disagrees with the commenters that stated that the CFPB must first
make a risk determination before establishing supervisory authority
over larger participants by rule.
The CFPB concludes that establishing its supervisory authority over
larger participants in this market would help it to detect and assess
emerging risks for several reasons.
First, the CFPB shares the view of the group of State attorneys
general and other commenters that this highly-concentrated market will
continue to grow and evolve rapidly as the technology that has fueled
its rapid growth also continues to evolve. As with other markets the
CFPB now supervises, it is important for the CFPB to be able to closely
assess whether pressure to sustain high growth in this market will
drive nonbank firms to develop new and increasingly risky
products.\110\
---------------------------------------------------------------------------
\110\ Cf. Financial Crisis Inquiry Commission Report (Feb. 25,
2011) at 104 (``The refinancing boom was over, but originators still
needed mortgages to sell to the Street. They needed new products
that, as prices kept rising, could make expensive homes more
affordable to still-eager borrowers. The solution was risker, more
aggressive, mortgage products that brought higher yields for
investors but correspondingly greater risks for borrowers.''), at
414 (also noting that ``high-risk, nontraditional mortgage lending
by nonbank lenders flourished in the 2000s and did tremendous damage
in an ineffectively regulated environment, contributing to the
financial crisis''), https://www.govinfo.gov/content/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf (last visited Nov. 6, 2024).
---------------------------------------------------------------------------
In addition, the CFPB agrees with the comments expecting that the
market will continue to grow, including by expanding how general-use
digital consumer payment applications help consumers to make payments
in other ways. As the proposal explained, it is critical for the CFPB
to be able to detect and assess emerging risks as new product offerings
blur the traditional lines of banking and commerce.\111\ This blurring
was noted by several commenters that described a trend toward
``embedded finance'' described above and is illustrated in industry
comments discussed below describing various ways that nonbanks'
general-use digital payment applications serve as intermediaries
between consumers and merchants.\112\ Such applications also can
facilitate payments from many different types of accounts consumers
hold across multiple financial institutions. Supervision can detect and
assess risks that may arise from a single application establishing
connections that can cause payments to be made from many different
consumer accounts.\113\ In addition, as noted in the industry report
cited by a consumer group commenter, consumers also can use payment
functionalities embedded in digital applications, such as text
messages, to make payments, including peer-to-peer payments.\114\
---------------------------------------------------------------------------
\111\ For example, the proposal noted how in its 2022 market-
monitoring report on the convergence of payments and commerce, the
CFPB described the potential for consumer financial data and
behavioral data to be used together in increasingly novel ways. 88
FR 80197 at 80201 and n.43.
\112\ See section-by-section analysis of Sec. 1090.109(a)(1)
and of ``covered payment functionality'' in 1090.109(a)(2). See also
Google LLC Embedded Finance White Paper at 7 (``Embedded finance
also offers a bonus for financial services companies: The data you
collect from each transaction can help enhance customer service
experience and innovate new products and experiences. The
possibilities are endless for these kinds of partnerships, with high
revenue and business growth potential. Before embarking on the
embedded finance journey, however, you'll need to prepare'' by,
among other steps, ``[p]lan[ning] to manage and analyze the vast
trove of data you'll be collecting.''); CFPB Report on Convergence
of Payments and Commerce, supra, at sec. 3.3 (``Embedded
commerce'').
\113\ Today, a general-use digital consumer payment application
can initiate payments from multiple credit cards, prepaid accounts,
and checking accounts. A general-use digital consumer payment
application can facilitate payments from accounts that the provider
offers through depository institution partners, or from linked
accounts issued by other institutions (sometimes referred to as
pass-through payments).
\114\ Google LLC Embedded Finance White Paper at 3; Apple Cash
website (``Send and Receive Money in Messages. With Apple Cash, you
can send and receive money with just a text, in Messages. So it's
easy to tip your dog walker, request funds from your roommate, or
chip in for a coworker's gift.''), https://www.apple.com/apple-cash/
(last visited Nov. 6, 2024).
---------------------------------------------------------------------------
The CFPB also agrees with the group of State attorneys general that
new risks may emerge as the relevant technologies in this market
evolve. In this market, by using its supervisory activity as general-
use digital consumer payment applications incorporate new technology,
the CFPB can inform its assessment of risks to consumers and to
markets.\115\
---------------------------------------------------------------------------
\115\ In the CFPB's experience, for some financial institutions,
even the rollout of relatively conventional digital technologies can
pose significant risks to consumers, including in the area of
digital payments. Cf. CFPB, In re: VyStar Credit Union, Admin Proc.
File No. 2024-CFPB-0013 (Oct. 31, 2024), ] 20 (describing how outage
in the establishment of a new online banking platform of large
credit union left consumers unable to engage in certain banking
activities, and that ``[s]ome members' previously scheduled
recurring payments were delayed or even deleted.''), https://files.consumerfinance.gov/f/documents/cfpb-vystar-credit-union-consent-order_2024-10.pdf (last visited Nov. 16, 2024).
---------------------------------------------------------------------------
Supervision can be effective at detecting and assessing such risks.
As a nonprofit commenter noted, supervision allows for rapid exchange
of information outside of the adversarial legal process. The
supervisory process also generally is confidential, which also
facilitates the exchange of information.\116\ For example, when
examiners conduct a compliance management review, they can assess the
strength of larger participants' compliance management as applied to
the development and marketing of new products.\117\ In addition, as
illustrated by its work during the COVID-19 pandemic, examiners who are
familiar with supervised entities can review activities across a market
to identify emerging risks of consumer harm in a time of macroeconomic
stress or
[[Page 99596]]
shock.\118\ As another example, through its supervisory tool, the CFPB
can respond rapidly to reports of any widespread outages at larger
participants by gathering information through an established
supervisory relationship.\119\
---------------------------------------------------------------------------
\116\ The CFPB treats CFPB confidential supervisory information
consistent with applicable regulation; see 12 CFR part 1070. As
noted above, even when Supervision highlights its findings to the
public through Supervisory Highlights, it generally does not
identify individual firms (outside of highlighting any associated
enforcement actions).
\117\ See, e.g., CFPB Supervision and Examination Manual, part
I.A (page 6 of compliance management review section explaining how
examiners' compliance management review includes a review of the
``processes for development and implementation of new consumer
financial products or services and distribution channels or
strategies, to determine degree of compliance function
participation.''); see also id. at 4-5 (describing how examiners
review product development as a component of the review of board and
management oversight of compliance); id. at 9 (review of training of
staff responsible for product development); id. at UDAAP Examination
Procedures at 2 (review of product development documentation in
connection with examiner's assessment of compliance with the
prohibition against unfair, deceptive, and abusive practices).
\118\ See, e.g., CFPB, Prioritized Assessment FAQs (July 20,
2020) at 1 (``The Bureau is adapting its supervision program to meet
the needs of the current national emergency . . . . Through
Prioritized Assessments, the Bureau will expand its supervisory
oversight to cover a greater number of institutions than our typical
examination schedule allows, gain a greater understanding of
industry responses to pandemic-related challenges, and help ensure
that entities are attentive to practices that may result in consumer
harm.''), https://files.consumerfinance.gov/f/documents/cfpb_prioritized-assessment_frequently-asked-questions.pdf (last
visited Nov. 7, 2024); Supervisory Highlights Issue 23, Jan. 2021
(secs. 3.3, 3.5, and 3.6 of COVID-19 special edition describing
supervisory observations in prioritized assessments in student loan
servicing, consumer reporting, and consumer debt collection markets
subject to larger participant rules), https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-23_2021-01.pdf (last visited Nov. 7, 2024).
\119\ See CFPB, What happens if my payment app has an outage and
I can't access my account? (Dec. 21, 2023) (describing consumer
complaints as one way the CFPB collects information about outages at
payment apps), https://www.consumerfinance.gov/ask-cfpb/what-happens-if-my-payment-app-has-an-outage-and-i-cant-access-my-account-en-2145/ (last visited Nov. 8, 2024); FEDS Notes, Offline
Payments: Implications for Reliability and Resiliency in Digital
Payment Systems (Aug. 16, 2024) (describing how ``several recent
high-profile outages have highlighted the need for building more
reliability and resiliency in digital payment systems''), https://www.federalreserve.gov/econres/notes/feds-notes/offline-payments-implications-for-reliability-and-resiliency-in-digital-payment-systems-20240816.html (last visited Nov. 8, 2024).
---------------------------------------------------------------------------
Supervision of larger participants in this market also can identify
new and emerging risks to consumers relating to the applicability of
existing requirements of Federal consumer financial law to new
products. For example, comments from consumer groups and State
attorneys general suggested that non-compliance with EFTA/Regulation E
and GLBA/Regulation P is common in this market, while some industry
commenters stated that neither EFTA/Regulation E nor GLBA/Regulation P
apply to at least some market participants. Other commenters described
how some consumers may be confused about the legal protections afforded
through certain payment apps. The CFPB does not define the application
of those laws in this rulemaking. Through its supervisory activity, the
CFPB can gather information to assess the applicability of those laws
to the specific consumer financial products and services that a larger
participant provides. Where the law applies and is violated, examiners
can address the situation through supervisory action and where
appropriate the CFPB can consider enforcement activity. In addition,
such findings can help to inform what the CFPB communicates to the
broader market, including through its Supervisory Highlights
publication.
The CFPB disagrees with certain comments, summarized further above,
that suggested that in a larger participant rule the CFPB is required
to assess the degree or prevalence of risks to consumers, potential
violations of law, or other specific harms occurring in the described
market. The relevant provisions of the CFPA do not impose such
requirements. While some comments did not identify any legal basis for
this alleged obligation, others asserted that the obligation arises
from section 1024(b)(2), which concerns the CFPB's operation of a
``risk-based supervision program.'' The CFPB believes that these
comments misinterpret the scope and purpose of section 1024(b)(2). As
the CFPB has previously explained,\120\ that provision describes the
manner in which the CFPB must ``exercise its authority under paragraph
[(b)](1)'' \121\ which in turn authorizes the CFPB to supervise
``persons described in subsection (a)(1).'' The Final Rule does not
exercise authority provided by section 1024(b)(1). Rather, it
``describe[s],'' in part, a set of persons falling within section
1024(a)(1), by defining a category of ``larger participant[s].'' The
CFPB only exercises the authority set forth in section 1024(b)(1) when
it actually requires reports or conducts examinations of such persons.
In exercising authority under section 1024(b)(1), the CFPB considers
(and for larger participants under this Final Rule will consider) the
factors set forth in section 1024(b)(2), including risks to consumers,
as further described above in part I's discussion of the CFPB's
prioritization process. However, the CFPA does not mandate
consideration of those factors when issuing a rule that defines a
category of larger participants under paragraph (a)(1).\122\
---------------------------------------------------------------------------
\120\ See 77 FR 42874 at 42883; 77 FR 65775 at 65779.
\121\ 12 U.S.C. 5514(b)(2).
\122\ This conclusion is reinforced by the immediately following
subsection of the CFPA, 1024(a)(1)(C), which expressly references
the consideration of risk. Under that provision, the CFPB has the
authority to supervise any nonbank covered person that the CFPB
``has reasonable cause to determine, by order, after notice . . .
and a reasonable opportunity . . . to respond . . . is engaging, or
has engaged, in conduct that poses risks to consumers with regard to
the offering or provision of consumer financial products or
services.'' 12 U.S.C. 5514(a)(1)(C) (emphasis added).
---------------------------------------------------------------------------
As noted above, one industry comment further argued that general
principles of administrative law require the CFPB to identify concrete
risks to consumers that will be mitigated by supervision in order to
issue this rule. The commenter suggested that the Proposed Rule should
have specified in detail what kind of compliance improvements the CFPB
envisions, what activities of particular entities are currently non-
compliant, why compliance will prevent particular risks to consumers,
the likelihood of such risks occurring, the resulting harm to
consumers, and how all of these issues compare to related markets.
Elsewhere this Final Rule discusses the CFPB's statutory authority,
reasons, and supporting evidence for issuing this Final Rule and
explains how this Final Rule will help the CFPB to effectuate the
statutory purposes of the CFPA. The CFPB disagrees that it was
additionally required to consider in this rulemaking the kinds of
detailed information about mitigation of concrete risks contemplated by
the commenter. As explained above, there is no indication in the text
of the CFPA that the CFPB is required to consider such information in
issuing a larger participant rule.\123\ Because the CFPB's risk-based
prioritization process considers the type of information about risks
described in part I above, the CFPB's supervision of larger
participants ultimately may assist the CFPB in detecting and assessing
risks to consumers and to markets.\124\ But sections 1024(a)(1)(B) and
(2) do not require the CFPB to reach conclusions regarding such matters
before it can even initiate risk-based prioritization for a category of
larger participants.
---------------------------------------------------------------------------
\123\ With respect to cross-market comparisons of risk, as
explained in the Proposed Rule and in its previous larger
participant rulemakings, ``[t]he Bureau need not conclude before
issuing a [larger participant rule] that the market identified in
the rule has a higher rate of non-compliance, poses a greater risk
to consumers, or is in some other sense more important to supervise
than other markets.'' 88 FR 80197 at 80200 n.24; 77 FR 65775 at
65779.
\124\ See 12 U.S.C. 5514(b)(1)(C).
---------------------------------------------------------------------------
To the extent the industry commenter suggests the CFPB should
consider such information because it asserts its own type of digital
wallet product is ``low risk'' and should therefore be excluded from
the market and ineligible for CFPB supervision, the CFPB does not
believe that it is required to categorically exempt allegedly ``low-
risk'' products within a market when issuing a rule to define larger
participants of a market.\125\
[[Page 99597]]
The CFPB likewise disagrees with other commenters who suggested that
the CFPB is obligated to undertake a separate risk assessment of
various subcomponents or sectors of the described market, or to include
only the riskiest subcomponents or sectors within the larger
participant definition. CFPA section 1024(a)(1)(B) provides for the
issuance of rules defining ``larger participant[s] of a market'' for
consumer financial products or services, and contains no language
requiring exemptions for allegedly ``low-risk'' subcomponents of a
market. Consistent with CFPA section 1024(b)(2), the CFPB considers
whether products are lower risk, and thus less of a priority for
supervisory attention, when choosing particular entities and consumer
financial products and services for supervisory examinations as part of
its operation of its risk-based supervision program.\126\ The CFPB's
operation of that risk-based supervision program is designed to prevent
CFPB's supervision program from placing undue burdens on larger
participants whose activities are genuinely lower risk. The CFPB also
provides below further justification for the scope of the market
described in this Final Rule, including regarding the inclusion of
pass-through payment wallets in the market.\127\
---------------------------------------------------------------------------
\125\ Nor has the CFPB determined in this rulemaking exercising
CFPA section 1024(a)(1)(B) authority that any specific market
participant or larger participant poses any particular type or level
of risk, low or otherwise, to consumers. Thus, although this
commenter made claims regarding its product having low risk
including low risk of violation of the prohibition against unfair,
deceptive, and abusive acts and practices, the CFPB does not
adjudicate such claims in this legislative rulemaking, for the
reasons described above. In any event, the CFPB disagrees that the
commenter was prevented from presenting evidence regarding the risks
posed by its products. It had notice of the CFPB's reasons for the
proposal and commented on them.
\126\ As described above, the CFPB Supervision and Examination
Manual describes the CFPB's established process for conducting risk-
based prioritization of nonbank covered persons subject to its
supervisory authority under CFPA section 1024(a).
\127\ See section-by-section analysis of Sec. 1090.109(a)(2)
(definition of ``wallet functionality'').
---------------------------------------------------------------------------
The CFPB disagrees with the industry commenter suggesting that the
CFPB may issue a rule to define larger participants of a market for
consumer products or services only in cases of ``market failure.''
There is no support for this view in the text or legislative history of
the CFPA. Moreover, while concerns about market failure often underlie
laws and regulations imposing substantive consumer protection
requirements,\128\ this Final Rule does not impose substantive
requirements and instead concerns the scope of the CFPB's supervisory
authority, which is an authority designed to accomplish the statutory
purposes established under CFPA section 1024(b)(1)(A)-(C). In that
context, there is little reason to read section 1024(a)(1)(B) to
impliedly bar the issuance of a larger participant rule in the absence
of a demonstrated market failure.
---------------------------------------------------------------------------
\128\ See, e.g., 12 U.S.C. 4301(a) (Congressional finding in
Truth in Savings Act that ``competition between depository
institutions would be improved . . . if there was uniformity in the
disclosure of terms and conditions on which interest is paid and
fees are assessed in connection with such accounts.''); 15 U.S.C.
1601(a) (Congressional finding in Truth in Lending Act that
``competition among the various financial institutions and other
firms engaged in the extension of consumer credit would be
strengthened by the informed use of credit.'').
---------------------------------------------------------------------------
Although the CFPB disagrees with the comments suggesting that it
must make findings regarding risk to issue this larger participant rule
and it does not do so here, as discussed above other commenters
described various existing and emerging risks to consumers that may be
associated with products and services provided by larger participants.
Those comments raise legitimate concerns regarding potential risks to
consumers in the market and thus provide further support for the CFPB's
conclusion that this rule will help the CFPB to use its supervisory
tool to detect and assess risks to consumers and the market. It is not
necessary for this rule to adjudicate the nature, extent, or source of
such risks, or for the CFPB to publish market-wide findings about such
risks as a predicate for larger participant rulemakings. As discussed
above, the CFPB incorporates information available to it about such
risks (including from its market-monitoring function, among others)
when prioritizing which nonbank covered persons subject to CFPA section
1024(a) it will examine.\129\ In response to the nonprofit calling on
the CFPB to describe in more detail the risks it would consider in
prioritizing larger participants for examination in this market, part I
of the Final Rule above explains in further detail the CFPB's
prioritization process and the factors the CFPB considers as part of
that process, consistent with the CFPA and as described in its
Supervision and Examination Manual. The CFPB also expects that it will
continue to periodically publish Supervisory Highlights to communicate
key examination findings and risks identified over time on a market-by-
market basis.
---------------------------------------------------------------------------
\129\ The CFPB also provides additional responses further below
to the comments suggesting it must publish the results of its market
monitoring, or establish why its supervisory tool is superior to its
market-monitoring tool. In any event, the CFPB has used data from
its market-monitoring orders to inform the estimates published in
this Final Rule, as discussed in the section-by-section analysis of
the larger-participant test further below.
---------------------------------------------------------------------------
Ensuring Consistent Enforcement of Federal Consumer Financial Law
With regard to comments on whether the Proposed Rule would further
the CFPB's statutory objective of ensuring that Federal consumer
financial law is enforced consistently between nonbanks and depository
institutions in order to promote fair competition,\130\ the CFPB agrees
with commenters who stated that the Proposed Rule would further that
objective by permitting the CFPB to supervise both banks and nonbanks
operating in the general-use digital consumer payment application
market and by reducing the competitive advantage nonbanks may derive
from being subject to less supervisory oversight. The CFPB disagrees
with the commenter that characterized the Proposed Rule as a form of
``mission creep . . . outside [the CFPB's] core jurisdiction.'' The
commenter did not address the CFPA's statutory objective of consistent
enforcement of Federal consumer financial law without regard to an
entity's status as a depository institution. In addition, the CFPB
already has enforcement and rulemaking authority with respect to
participants in the market; thus, those entities already fall within
the CFPB's ``jurisdiction'' in significant ways.\131\ The CFPB also
disagrees with a related comment that described the larger participant
rule as placing the CFPB in a market gatekeeper role. That comment
appeared to misunderstand the function of larger participant rules,
which do not regulate who enters a market but instead identify ``larger
participants'' for purposes of section 1024(a)(1)(B). In addition, the
CFPB disagrees with some commenters' suggestion that the rule should
not be issued because of their concerns about the rule potentially
making nonbanks less competitive and frustrating their innovation. As
discussed below, the Final Rule adopts a significantly higher
threshold, resulting in fewer market participants qualifying as larger
participants. Even
[[Page 99598]]
with respect to larger participants, the CFPB does not have evidence to
indicate that the Final Rule is likely to significantly affect
innovation.
---------------------------------------------------------------------------
\130\ 12 U.S.C. 5511(b)(4).
\131\ The CFPB also disagrees with the industry comment
suggesting that the Proposed Rule failed to account for the role of
the FTC in promoting competition. As the Proposed Rule explained, it
is focused on the statutory objective (codified in 12 U.S.C.
5511(b)(4)) of ensuring Federal consumer financial law ``is enforced
consistently, without regard to the status of a person as a
depository institution, in order to promote fair competition[.]'' 88
FR 80197 at 80198 n.5. The CFPB can promote consistent enforcement
of Federal consumer financial law without impeding the FTC's
mission; the two are compatible, and the CFPB coordinates with the
FTC regarding its supervision activities more broadly.
---------------------------------------------------------------------------
The CFPB also disagrees with those industry comments stating that
the Proposed Rule would not promote consistent enforcement of Federal
consumer financial law and fair competition because the proposed market
definition included pass-through payment wallets that banks do not
provide. Banks and credit unions can and do provide payment wallet
functionalities. For example, very large depository institutions offer
payment wallet functionalities that facilitate consumers' payments from
accounts at the depository institution to make purchases online and in
stores.\132\ In addition, these comments appear to presuppose that the
CFPB can only further the statutory objective of consistent enforcement
in this rule if banks and nonbanks compete to offer precisely the same
products in precisely the same manner to consumers. But the objective
of consistent enforcement can also be furthered where the CFPB has the
ability to supervise both nonbanks and depository institutions that
play complementary roles in payment transactions. For example, when a
depository institution subject to the CFPB's supervisory authority
makes its accounts accessible to the consumer through a general-use
digital consumer payment application provided by an unaffiliated
nonbank, supervision of both the depository institution and the nonbank
serves the statutory objective described above. Nonbanks may initiate
payments from consumer accounts held at banks and credit unions and
engage in a number of related activities that can implicate Federal
consumer financial law compliance obligations.\133\ In addition, the
CFPB agrees with the credit union association commenter that
unaffiliated payment applications can cause burdens on credit unions
related to error resolution and customer service. Where the CFPB can
supervise both a nonbank pass-through payment wallet and a depository
institution involved in payments transactions, it is better positioned
to consistently enforce applicable legal obligations with respect to
the two entities. Below in the section-by-section analysis of ``wallet
functionality,'' this Final Rule further discusses the reasons why
pass-through payment wallets are appropriately included in the market
definition.
---------------------------------------------------------------------------
\132\ For example, an industry association commenter pointed to
a new digital wallet called Paze and a click-to-pay product offered
by banks. See also, e,g., Early Warning Services, LLC, Press
Release, Paze Hits Major Milestone: 125 million Credit and Debit
Cardholders Can Check out Online (Oct. 1, 2024) (describing ``Paze,
a reimagined digital wallet offered by banks and credit unions,'' as
available for use with 125 million payment card accounts issued by
seven very large banks), https://www.paze.com/paze-hits-major-milestone-125-million-credit-and-debit-cardholders-can-check-out-online (last visited Nov. 7, 2024); Click to Pay with American
Express (describing how depository institution offers an ecommerce
payment wallet), https://network.americanexpress.com/globalnetwork/v4/products/click-to-pay-with-american-express (last visited Nov. 7,
2024). See also CFPB Contactless Payments Spotlight, supra (n.59
describing how JPMorgan previously provided the Chase Pay app to
facilitate consumer payments for retail purchases).
\133\ See, e.g., Board of Gov. of Fed. Rsv. System, FDIC, OCC,
Joint Statement on Banks' Arrangements with Third Parties to Deliver
Bank Deposit Products and Services (July 25, 2024) at 1 (noting how
under certain bank/fintech arrangements, ``banks rely on one or
multiple third parties to . . . process payments (sometimes with the
ability to directly submit payment instructions to payment
networks); perform regulatory compliance functions; provide end-user
facing technology applications; service accounts; perform customer
service; and perform complaint and dispute resolution functions''),
https://www.occ.gov/news-issuances/news-releases/2024/nr-ia-2024-85a.pdf (last visited Nov. 7, 2024). See id. at 1-3 (describing how
deployment of new digital payment technologies create a potential
for insufficient risk management to meet consumer protection
obligations such as requirements under Regulation E to investigate
and resolve certain payment disputes within required timeframes).
---------------------------------------------------------------------------
Finally, the CFPB disagrees with the industry association commenter
to the extent it was suggesting that larger participant rules cannot
promote fair competition between banks and nonbanks unless they apply
antitrust principles to define the market. For the reasons discussed
below in the section-by-section analysis of the market definition in
Sec. 1090.109(a)(1), the purpose of antitrust law is different from
the purpose of larger participant rules and the CFPB does not apply
antitrust law in this rule. Nonetheless, as explained above, banks,
credit unions, and their affiliates can offer and provide covered
payment functionalities with general use through digital applications.
In this rulemaking, the CFPB shares the goals expressed by the banking
association and payment network commenters of applying consistent
functional oversight to similar functional activities in this market.
And as explained below in the section-by-section analysis of the market
definition, the activities encompassed by the market definition are
similar in how they support, digitally, a common set of payment
activities that consumers engage in, such as making everyday payments
to friends and family and for purchases. Relatedly, the CFPB disagrees
with the industry association commenter to the extent it was suggesting
that, by not including physical payment cards in the market, the Final
Rule will not promote consistent enforcement of Federal consumer
financial law. For the reasons discussed in the section-by-section
analysis further below, the CFPB concludes the ``digital application''
component of the market definition is appropriate. The CFPB already has
broad supervisory oversight of the use of physical payment cards issued
by the very large banks and credit unions that it supervises. However,
there is a supervisory gap over the significant role that nonbank
larger participants play in facilitating the use of payment cards
through general-use digital consumer payment applications. As described
above, consumer adoption of general-use digital consumer payment
applications is very high, indicating that consumers often prefer them
to physical cards. Indeed, in some cases, such as at the time of
origination or card replacement, a nonbank's general-use digital
consumer payment application may be the only way for the consumer to
use the payment card.\134\ The Final Rule will fill this gap, which
will promote consistent enforcement of Federal consumer financial
law.\135\
---------------------------------------------------------------------------
\134\ PULSE, PULSE Debit Issuer Study (Aug. 8, 2024) at 9-10
(reporting that all surveyed issuers report provisioning debit cards
to digital wallets, that 38 percent of debit cards are loaded into
digital wallets, and that digital issuance of debit cards directly
to such wallets is the top new capability that debit card issuers
plan to introduce with 50 percent of issuers planning to add this
service), https://content.pulsenetwork.com/2024-debit-issuer-study/2024-pulse-debit-issuer-study (last visited Nov. 7, 2024).
\135\ With respect to what the commenter referred to as food
delivery applications and automobile purchase applications, for the
reasons discussed in the section-by-section analysis of the
exclusion for certain merchant and marketplace payment activities in
paragraph (C) of the definition of ``consumer payment transaction,''
the CFPB believes those are part of a distinct market.
---------------------------------------------------------------------------
Other Regulators' Existing Oversight Authority
With regard to comments on existing oversight of market
participants, the CFPB agrees with the comment from the group of State
attorneys general that stated that the rule would help existing
regulatory oversight efforts in the market and would allow for
increased coordination between Federal and State authorities to prevent
unlawful conduct. The Bureau agrees that the existing regulatory
oversight framework governing general-use digital consumer payment
applications is important, but the Bureau believes that establishing
its supervisory authority as part of this framework would better
promote compliance with and consistent enforcement of Federal consumer
[[Page 99599]]
financial law and help it to detect risks to consumers and the market.
The CFPB disagrees with the industry association comment suggesting
that the CFPB must determine whether the market covered by the rule is
inadequately supervised before issuing a larger participant rule; no
such requirement appears in the text of the CFPA.\136\ The CFPB
accounts for existing oversight when evaluating how to exercise its
supervisory authority pursuant to CFPA section 1024(b)(2).
Specifically, the CFPB takes seriously its inter-governmental
coordination obligations, described below, and believes that they will
promote coordination and minimize regulatory burden in connection with
the CFPB's exercise of its supervisory authority over larger
participants in this market and the existing regulatory oversight
structure at the Federal and State levels.
---------------------------------------------------------------------------
\136\ See, e.g., 12 U.S.C. 5514(a)(1)(B), (a)(2).
---------------------------------------------------------------------------
For example, as required by the CFPA and explained in the Proposed
Rule, the CFPB coordinates its examination activity, including at
nonbanks, with State regulators.\137\ One purpose of this coordination
is to prevent duplication and unnecessary regulatory burden. That
coordination will address commenter concerns regarding CFPB oversight
of larger participants that may engage in market activity that is
subject to State money transmitter laws. In addition, industry comments
often recognized that providers of pass-through payment wallets that do
not hold or receive funds generally are not engaged in money
transmission under State laws, and thus are not subject to State-level
supervision.
---------------------------------------------------------------------------
\137\ 88 FR 80197 at 80198 n.12. See also 12 U.S.C.
5514(b)(2)(D) (CFPB shall exercise its supervisory authority under
12 U.S.C. 5514(b)(1) in a manner designed to ensure that such
exercise takes into consideration, among other things, the extent to
which supervised nonbanks are subject to oversight by State
authorities for consumer protection); 12 U.S.C. 5514(b)(3) (CFPB
coordination of supervisory activities with States); Int'l Money
Transfer Larger Participant Rule, 79 FR 56631 at 56632, 56638, 56643
(explaining how the Bureau will coordinate with appropriate State
regulatory authorities and will consider the extent of State
supervisory activity when prioritizing individual examinations.);
2013 CFPB-State Supervisory Coordination Framework (May 7, 2013)
(describing process for CFPB-State coordination under information-
sharing memorandum of understanding), https://files.consumerfinance.gov/f/201305_cfpb_state-supervisory-coordination-framework.pdf (last visited Nov. 8, 2024).
---------------------------------------------------------------------------
The CFPB also disagrees with industry comments suggesting that this
rule establishing CFPB authority to supervise larger participants in
this market will create CFPB supervisory activities that are
unnecessarily duplicative or burdensome vis-[agrave]-vis oversight
activities by the FTC and prudential regulators. Congress has adopted
mechanisms to prevent unnecessarily duplicative or burdensome CFPB
supervisory activities in cases where the FTC may exercise enforcement
authority or prudential regulators may exercise supervisory authority
over larger participants.\138\ Among other things, the CFPB coordinates
across its functions with the FTC, which does not have a supervisory
tool.\139\ In addition, the CFPA provides that the CFPB has exclusive
authority with respect to the prudential regulators to supervise larger
participants for purposes of assuring compliance with Federal consumer
financial law.\140\ Also, consistent with the requirements of CFPA
section 1024(b)(3), the CFPB coordinates with prudential regulators to
minimize the duplication and regulatory burden of supervisory activity
pursuant to memoranda of understanding, including where appropriate at
nonbank larger participants.\141\ Moreover, as discussed above, nonbank
larger participants engage in substantial volumes of market activity
with interconnection across the U.S. financial system. CFPB supervision
of nonbank larger participants can assess compliance with the
requirements of Federal consumer financial law across their various
market activities, which involve interactions with banks and credit
unions overseen by various Federal prudential regulators. Thus, CFPB
oversight of larger participants can ensure consistent enforcement of
Federal consumer financial law and complement the oversight of the
Federal prudential regulators.
---------------------------------------------------------------------------
\138\ Such supervisory authority may exist, for example, where
(as noted by the industry commenter) prudential regulators may
examine certain nonbank service providers to banks under authorities
such as the Bank Service Company Act. See generally 12 U.S.C. 1861-
67.
\139\ The CFPB coordinates with the FTC consistent with its
obligations under the CFPA, including 12 U.S.C. 5514(c)(3) and
5581(b)(5). See CFPB-FTC Memorandum of Understanding (Feb. 25, 2019)
(section VII describing how CFPB coordinates its supervision and
examination activities with the FTC), https://files.consumerfinance.gov/f/documents/cfpb_ftc_memo-of-understanding_2019-02.pdf (last visited Nov. 8, 2024).
\140\ 12 U.S.C. 5514(c), (d) (describing the extent to which
CFPB supervisory and enforcement authorities are exclusive with
respect to nonbank covered persons described in CFPA section
1024(a)(1)). See also CFPA section 1025(b)(1) (similarly providing
that the CFPB has exclusive authority to supervise very large
depository institutions and their affiliates for the purposes listed
therein, including assessing compliance with the requirements of
Federal consumer financial laws).
\141\ See 12 U.S.C. 5514(b)(3) (``To minimize regulatory burden,
the Bureau shall coordinate its supervisory activities with the
supervisory activities conducted by prudential regulators . . .
including establishing their respective schedules for examining
persons described in subsection (a)(1) [of CFPA section 1024] and
requirements regarding reports to be submitted by such persons.'').
See, e.g., CFPB, Board of Gov. of Fed. Rsv. System, FDIC, NCUA, and
OCC Memorandum of Understanding (MOU) on Supervisory Coordination
(May 16, 2012) at 2 (noting how CFPA sections 1024(b)(3)-(4) and
1025(b)(2) require the CFPB to ``coordinate its supervisory
activities with the supervisory activities conducted by the
Prudential Regulators, including consultation regarding their
respective schedules for examining Covered Institutions and
requirements regarding reports to be submitted by Covered
Institutions.''), https://files.consumerfinance.gov/f/201206_CFPB_MOU_Supervisory_Coordination.pdf (last visited Nov. 7,
2024); see also id. (listing objectives of the MOU, including
``[a]void[ing] unnecessary duplication of effort'' and
``[m]inimiz[ing] unnecessary regulatory burden''); id. at 8 (``The
CFPB and Prudential Regulators will coordinate in connection with
examinations that relate to Covered Supervisory Activities of
Covered Institutions' Service providers'').
---------------------------------------------------------------------------
CFPB's Existing Enforcement and Market-Monitoring Authorities
The CFPB disagrees with those industry commenters suggesting that
it cannot use its larger participant rulemaking authority to establish
supervisory authority in this market due to the existence of the CFPB's
enforcement and market-monitoring authorities. The CFPA identifies
supervision of nonbank covered persons under CFPA section 1024 as a
primary function of the CFPB.\142\ Sections 1024(a)(1)(B) and (2) of
the CFPA specifically empower the CFPB to prescribe larger participant
rules for the purpose of authorizing CFPB supervision, and those
provisions contain no requirement that a larger participant rule
consider the adequacy of the CFPB's other authorities or
functions.\143\ Given the statutory scheme in the CFPA, any larger
participant rule will generally apply to nonbank covered persons that
also are subject to the CFPB's market-monitoring and enforcement
authorities. These comments thus appear to reflect, in large part, a
policy disagreement with Congress's decision to give the CFPB the
ability to supervise nonbank larger participants of markets for
consumer financial products and services it defines by rule in addition
to its other authorities.
---------------------------------------------------------------------------
\142\ See 12 U.S.C. 5511(c)(4) (listing supervision of covered
persons, including nonbank covered persons, as one of the CFPB's
``primary functions'').
\143\ By contrast, in allocating its supervisory resources under
CFPA section 1024(b)(2) the CFPB considers, among other things,
``the extent to which such institutions are subject to oversight by
State authorities for consumer protection.'' 12 U.S.C.
5514(b)(2)(D).
---------------------------------------------------------------------------
Further, as the Proposed Rule noted and as also discussed above,
supervision can serve an important function that is distinct from and
complementary to enforcement and
[[Page 99600]]
market monitoring.\144\ For example, supervision can benefit consumers
and providers by detecting compliance problems early, at a point when
correcting the problems would be relatively inexpensive and before many
(or many more) consumers have been harmed.\145\ In addition, the CFPB
conducts its supervisory activities not only for the purposes of
assessing compliance with the requirements of Federal consumer
financial law, but also for purposes of obtaining information about the
person's activities and compliance systems or procedures and detecting
and assessing risks to consumers and markets. These latter two purposes
of its supervisory activities generally are distinct from its
enforcement activities, which focus on addressing violations of Federal
consumer financial law.\146\ In addition to promoting compliance in
their own right, those activities also help to inform CFPB decisions
regarding when to initiate enforcement activity. Similarly, CFPB
supervisory and examination activity at individual firms can inform how
the CFPB conducts market-wide monitoring. The CFPB's market monitoring
function also can support decisions about when to initiate supervisory
activity. For example, under CFPA section 1022(c)(1), the CFPB may use
its market monitoring to support its functions, including to inform its
prioritization of its nonbank supervision examination activities at
larger participants.\147\
---------------------------------------------------------------------------
\144\ 88 FR 80197 at 80212-13.
\145\ See also CFPB Supervision Director, What new supervised
institutions need to know about working with the CFPB (Jan. 9, 2023)
(``Supervisory activities may help entities identify issues before
they become systemic or cause significant harm.''), https://www.consumerfinance.gov/about-us/blog/what-new-supervised-institutions-need-to-know-about-working-with-the-cfpb/ (last visited
Nov. 7, 2024).
\146\ 12 U.S.C. 5511(c)(4).
\147\ See 12 U.S.C. 5512(c)(1).
---------------------------------------------------------------------------
The Final Rule Does Not Implicate the ``Major Questions'' Doctrine
The CFPB disagrees with comments stating that the Rule implicates
the ``major questions'' doctrine, which is reserved for ``extraordinary
cases'' in which the ``history and the breadth of the authority that
the agency has asserted'' and the vast ``economic and political
significance'' of the assertion of authority by the agency ``provide a
reason to hesitate before concluding that Congress meant to confer such
authority.'' \148\ As noted above, the Final Rule does not impose any
new substantive consumer protection requirements on larger
participants. Because general-use digital consumer payment applications
are consumer financial products and services as defined in the
CFPA,\149\ the CFPB already has enforcement authority, market-
monitoring authority, and rulemaking authority with respect to nonbank
covered persons participating in the market for general-use digital
consumer payment applications. Whether or not the CFPB may exercise one
additional form of authority--supervision--over a group of larger
participants in that market is not a question of vast economic and
political significance in the sense recognized by courts.\150\ In this
regard, the CFPB notes that one nonprofit commenter confuses the
overall dollar value of transactions through digital wallets (which the
commentator estimates at almost $1 trillion) with the economic impact
of this larger participant rulemaking, which is of course vastly
smaller.\151\
---------------------------------------------------------------------------
\148\ W. Virginia v. EPA, 597 U.S. 697, 721 (2022) (cleaned up).
\149\ See nn.241-42 infra (noting explanation in Proposed Rule,
88 FR 80197 at 80205 nn.64-65).
\150\ Cf., e.g., Biden v. Nebraska, 143 S. Ct. 2355, 2373-74
(2023) (citing an estimate that the agency's action would ``cost
taxpayers between `$469 billion and $519 billion' '' and that it
implicated a ``matter of earnest and profound debate across the
country'').
\151\ Similarly, the CFPB's statements in press materials cited
by the commenter do not suggest that this rulemaking would have a
vast economic impact. The costs and benefits of this rulemaking are
further discussed below. The CFPB also disagrees with the commenter
that section 1024(a)(1)(B) would need to refer specifically to
``digital wallets'' to authorize this rulemaking. By that logic,
there could be no larger participant rulemakings because section
1024(a)(1)(B) refers to markets for ``other consumer financial
products or services'' without expressly identifying particular
consumer financial products and services.
---------------------------------------------------------------------------
CFPB Examinations of Larger Participants
With respect to comments on the statement in the Proposed Rule
noting that the CFPB's supervisory authority is not limited to the
consumer financial products or services that qualified a person for
supervision, the CFPB clarifies it is not relying on that position as a
rationale for the Final Rule or as authority for issuing the Final
Rule, and that the CFPB would finalize the market definition, market-
related definitions, and larger-participant test as currently
formulated in this Final Rule irrespective of the existence of that
position.\152\
---------------------------------------------------------------------------
\152\ Nonetheless, the CFPB notes that it explained the basis
for this interpretation in its first larger participant rulemaking,
for the consumer reporting market, where it noted that the ``Dodd-
Frank Act authorizes the Bureau to supervise `covered person[s]'
described in 12 U.S.C. 5514(a)(1)(A) through (E)[ ]'' and that
supervision of certain other activities of such persons ``is
consistent with the purposes that the Dodd-Frank Act sets out for
the Bureau's supervisory activities'' set forth in 12 U.S.C.
5514(b)(1). See 77 FR 42874 at 42880; see also 12 U.S.C.
5514(a)(1)(B) (providing that ``this section shall apply to any
covered person'' that is a nonbank ``larger participant of a market
for other consumer financial products or services'' as defined by
rule); 12 U.S.C. 5514(b)(1) (providing that ``[t]he Bureau shall
require reports and conduct examinations on a periodic basis of
persons described in [12 U.S.C. 5514(a)(1)] for'' certain listed
purposes). The CFPB disagrees with certain commenters' suggestion
that the reference to ``relevant product markets and geographic
markets'' in the provision describing the operation of the CFPB's
risk-based supervision program (12 U.S.C. 5514(b)(2)) was intended
to impliedly limit the scope of the CFPB's supervisory authority
under 12 U.S.C. 5514(a)(1) and (b)(1) to only the consumer financial
products and services described in the larger participant rule. The
CFPB also disagrees that this interpretation implicates the major
questions doctrine for reasons discussed above in the CFPB's
response to other comments about that doctrine.
---------------------------------------------------------------------------
109(a)(1) Market Definition--Providing a General-Use Digital Consumer
Payment Application
Proposed Rule
Proposed Sec. 1090.109(a)(1) would have described the market for
consumer financial products or services covered by the Proposed Rule as
encompassing ``providing a general-use digital consumer payment
application.'' The term would have been defined as providing a covered
payment functionality through a digital application for consumers'
general use in making consumer payment transaction(s). This term
incorporated other terms defined in proposed Sec. 1090.109(a)(2):
``consumer payment transaction(s),'' ``covered payment functionality,''
``digital application,'' and ``general use.'' The term ``covered
payment functionality'' would have included a ``funds transfer
functionality'' and a ``wallet functionality,'' terms which proposed
Sec. 1090.109(a)(2) also would have defined.\153\ The Proposed Rule
sought comment on all aspects of the proposed market definition,
including whether the market definition in proposed Sec.
1090.109(a)(1) or the market-related definitions in proposed Sec.
1090.109(a)(2), discussed in the section-by-section analysis below,
should be expanded, narrowed, or otherwise modified.
---------------------------------------------------------------------------
\153\ The term ``consumer payment transaction(s)'' also would
have incorporated another term--``State,'' which proposed Sec.
1090.109(a)(2) would have defined.
---------------------------------------------------------------------------
Comments Received
Several commenters addressed the proposed market definition
overall. The Final Rule summarizes those comments in this section-by-
section analysis of the market definition in Sec. 1090.109(a)(1). In
addition, some comments addressed certain specific defined terms used
in the market definition or called for
[[Page 99601]]
certain exclusions or additions to the market by modifying those
defined terms. The Final Rule summarizes and responds to those comments
in the section-by-section analysis of the market-related definitions in
Sec. 1090.109(a)(2) below.
As discussed above, some commenters expressed support for the
Proposed Rule to establish supervisory authority over the market that
includes funds transfer apps and wallet functionalities with general
use that nonbank covered persons provide to consumers through digital
applications. For example, as described above, a group of State
attorneys general stated that the CFPB's supervisory oversight of
larger participants in this market would help to promote compliance
with Federal consumer financial law and to detect and assess risks
posed by this emerging financial market and market participants.
Banking and credit union associations, as well as a payment network and
nonprofit, also supported CFPB supervisory oversight of larger
participants in the proposed market, as described in the summary of
general comments above. As also described above, consumer group
comments also were supportive of the scope of the market activities
defined in the Proposed Rule, while calling for certain scope
expansions, as discussed further below. In addition, an industry
association expressed general support for the proposal to define a
market that allows the CFPB to oversee entities with varied business
models.
Other commenters disagreed with the approach to market definition
in the Proposed Rule. For example, some industry commenters stated that
larger participant rules must apply antitrust law market definition
principles because, in their view, the statutory provision in CFPA
section 1024(a)(1)(B) authorizing CFPB rules to define larger
participants of ``a market'' incorporates those principles. Some of
these commenters did not provide a legal basis for this view. Others,
such as three industry trade associations, cited Congress' use of the
phrase ``relevant product markets'' in an adjacent provision, CFPA
section 1024(b)(2), and suggested that the term ``market'' in section
1024(a)(1)(B) is implicitly limited by the phrase ``relevant product
market.'' \154\ They further suggested that the terms ``market'' and
``relevant product market'' should be understood to incorporate
antitrust case law discussing the boundaries of a market for purposes
of evaluating the viability of an antitrust claim, including cases
holding that a group of products are in the same market under antitrust
law if they are reasonably interchangeable by consumers for the same
purposes.\155\ Two of these industry associations also stated that
Congress included the requirement in CFPA section 1024(a)(2) that the
CFPB consult with the FTC prior to issuing a larger participant rule
because of the FTC's role in enforcing Federal antitrust laws.\156\
These commenters therefore concluded that a larger participant rule
must define ``a market'' that qualifies as a ``relevant product
market'' within the meaning of antitrust law.\157\
---------------------------------------------------------------------------
\154\ Section 1024(b)(2) calls for the CFPB to exercise its
authority in CFPA section 1024(b)(1) to require reports and
examinations of nonbank covered persons described in CFPA section
1024(a)(1) ``in a manner designed to ensure that such exercise . . .
is based on the assessment by the Bureau of the risks posed to
consumers in the relevant product markets and geographic markets,''
and taking into consideration certain factors further specified in
CFPA section 1024(b)(2).
\155\ See, e.g., United States v. E.I. du Pont de Nemours & Co.,
351 U.S. 377, 395 (1956). One commenter also cited a European
regulation in support of its position.
\156\ The summary and response to comments regarding the FTC
consultation process is included in part IV above.
\157\ Two of the industry associations also indicated that the
Proposed Rule did not do so because antitrust law market definition
requires examining the factors that influence consumer choices, and
the Proposed Rule did not discuss those factors.
---------------------------------------------------------------------------
Those commenters and several other comments from industry,
nonprofits, and Members of Congress also disagreed with the proposed
market on the grounds that it was overbroad, conflating several markets
into one. For example, a comment from Members of Congress stated that
in their view, the proposal sought to cover different markets such as
peer-to-peer services, stored value accounts, neobanking, merchant
payment processing, and payment credential management.\158\ In
addition, some industry associations stated that the proposed market
would not qualify as a valid market because it groups together four
different types of activities that, in their view, are not economic
substitutes. They stated that these activities function in different
ways and meet different needs and use cases. They described four of
these activities as follows: (1) drawing from a stored balance held by
the company; (2) routing funds held in a third-party bank account for
transmission to a recipient; (3) charging or offering a payment method
for consumer purchases in a manner that is excluded from State money
transmitter regulations; \159\ and (4) storing and transmitting payment
credentials without participating in the flow of funds from the
consumer to the recipient. They also stated that digital applications
for person-to-person transfers and digital applications for processing
payments for merchants are different and present different risks of
consumer harm. Because these activities in their view constitute
separate markets, they stated that the Proposed Rule deviated without
justification from previous larger participant rules that did not
encompass multiple markets.\160\
---------------------------------------------------------------------------
\158\ However, as discussed above, the market is not based on
providing a stored value account. And as discussed below under
``covered payment functionality,'' the market definition generally
does not apply to merchant payment processors.
\159\ They added that State money transmitter regulation
excludes this activity because, in their view, the activity poses
low risks.
\160\ As an example, they cited the international money transfer
larger participant rule in which the CFPB declined to include the
domestic money transfer market.
---------------------------------------------------------------------------
More broadly, an industry association also stated that the market
includes ``P2P'' and digital wallet functionalities that, in their
view, are not reasonably interchangeable because they provide
``similar'' but ``differentiated'' services to consumers. Another
industry association stated that consumers rely on funds transfer
functionalities and wallet functionalities in different ways, and that
these functionalities sometimes, but not always, may be interrelated.
They stated that the CFPB should do a ``piecewise analysis'' of these
functionalities, separately analyzing how consumers rely upon them.
They stated that wallet functionalities initiate funds transfers but
are subject to Regulation E only when they store funds. They suggested
that the Proposed Rule did not establish a purpose for including wallet
functionalities in the market when they do not store funds. An industry
firm and two nonprofits suggested that wallet functionalities that do
not store funds instead facilitate consumers' payments for purchases
from merchants by storing and transmitting payment credentials for
accounts held at third-party financial institutions the CFPB already
supervises. They described that activity as part of a separate market
from the other payment functionalities included in the proposed market.
They stated that the CFPB's proposal to include such wallet
functionalities in the proposed market does not reflect the sensitivity
the CFPB has shown to differences among other consumer financial
products and services, such as consumer reporting, consumer debt
collection, and student loan servicing, by covering them in separate
larger
[[Page 99602]]
participant rulemakings defining separate markets.\161\
---------------------------------------------------------------------------
\161\ This commenter and another industry association suggested
this approach was inconsistent with how a previous larger
participant rule engaged in ``tailor[ing]'' of the rule. 78 FR 73383
at 73397. However, the quoted portion of the previous rule addressed
the tailoring of the larger-participant test to the market at hand,
which was not the subject of the comments described here.
---------------------------------------------------------------------------
A nonprofit commenter described the proposed market as being
composed of multiple sectors, including the first three groups of
activities listed by the industry association comments described above,
as well as what they described as fully online fintech firms such as
``neobanks'' and money transmitters. In its view, consumers interact
with these products differently and rely on them for different
purposes, and each presents different consumer harms.
Response to Comments Received
As an initial matter, the CFPB disagrees with some industry
commenters' novel suggestion that larger participant rules must define
a market that would qualify as a market under antitrust law. In the
CFPB's international money transfer larger participant rulemaking,
large providers of international money transfers urged the CFPB to take
the opposite position--i.e., to state that larger participant rules do
not define ``markets'' for purposes of antitrust law. In response, the
CFPB so clarified.\162\
---------------------------------------------------------------------------
\162\ See Comment on proposed international money transfer
larger participant rule by Dolex Dollar Express, Inc., MoneyGram
Payment Systems, Inc., RIA Financial Services, Sigue Corporation,
and Western Union Financial Services, Inc. (April 1, 2014) (2014
Industry Comment Letter) at 5 (``[T]he term `market' for purposes of
defining a larger participant should not be used in the absence of
cautionary language to make clear that the term is not reflective of
a Bureau determination of `market' for antitrust purposes.''),
https://www.regulations.gov/comment/CFPB-2014-0003-0014 (last
visited Nov. 7, 2024); CFPB, Final International Money Transfer
Larger Participant Rule, 79 FR 56631 at 56635 n.43 (stating in
response to comment that in its larger participant rulemakings
``[t]he Bureau neither defines markets for purposes of antitrust
law, nor intends the market definition in this Final Rule to be used
for any purpose other than determining larger-participant status'').
---------------------------------------------------------------------------
Having carefully considered commenters' arguments, the Final Rule
maintains the position announced in the international money transfer
larger participant rule for several reasons. As explained below, the
market definition in the Final Rule fits within a more general
understanding of the term ``market'' reflected in CFPA section 1024(a),
which does not require application of antitrust law. First, commenters
have not identified any language in CFPA section 1024, or any
legislative history, that expressly refers to antitrust statutes,
antitrust caselaw, or antitrust concepts of a market such as
substitutability and reasonable interchangeability. Instead, the
commenters' argument depends on an attenuated and unpersuasive argument
that (1) reads the term ``market'' in section 1024(a)(1)(B) as being
implicitly limited by the phrase ``relevant product market'' in a
separate provision, section 1024(b)(2); and then (2) further suggests
that the phrase ``relevant product market'' in section 1024(b)(2) was
meant to implicitly import antitrust concepts of substitutability and
reasonable interchangeability into the CFPB's larger participant
rulemakings under section 1024(a)(1)(B). Second, section 1024(a)(1)(B)
gives authority to the CFPB to define by rule a larger participant of
``a market for other consumer financial products or services[.]'' \163\
That phrasing is meaningful because CFPA section 1024(a) enumerates, in
paragraphs (A), (D), and (E) three categories of consumer financial
products and services over which the CFPB has supervisory authority.
Legislative history suggests that Congress understood each to be a
separate ``market'' in a general sense.\164\ The first category
encompasses an array of different services that broadly relate to
mortgage loans (the ``origination, brokerage, or servicing of
[mortgage] loans'' and also ``loan modification and foreclosures relief
services in connection with such loans'').\165\ Another category is
``private education loans,'' which are generally understood to be part
of a broader market for educational financing that also includes
Federal student loans.\166\ The third category is ``payday loans,''
which are understood to compete with other types of higher-cost credit
such as title loans and installment loans.\167\ These categories thus
do not describe consumer financial products and services that
correspond to the strict antitrust conception of a market, which
undercuts the suggestion that the term ``market'' in section
1024(a)(1)(B) should be understood to implicitly incorporate antitrust
concepts.\168\ Third, the purpose of defining a ``relevant product
market'' under antitrust law is to determine whether a firm can exert
monopoly power in a market and thereby profit from supra-competitive
pricing.\169\ Market power and the analysis of it generally is the
domain of antitrust law, not the Federal consumer financial law over
which the CFPB has authority. Commenters have not presented any
persuasive reason why Congress would have wanted the terms
[[Page 99603]]
``market'' and ``relevant product market'' in section 1024 to be
limited by reference to antitrust laws that the CFPB does not enforce
and that do not concern the CFPB's supervisory function.
---------------------------------------------------------------------------
\163\ 12 U.S.C. 5514(a)(1)(B).
\164\ The Senate Report to the CFPA describes the ``mortgage
market'' that is the subject of CFPA section 1024(a)(1)(A) as
``consist[ing] of more than 25,000 lenders, servicers, brokers, and
loan modification firms that would be subject to Bureau supervision
and enforcement.'' S. Rep. 111-176 (Apr. 30, 2010) at 163.
\165\ 12 U.S.C. 5514(a)(1)(A); see, e.g., CPFB, Final Rule,
Mortgage Servicing Rules Under the Real Estate Settlement Procedures
Act (Regulation X), 78 FR 10696, 10699 (Feb. 14, 2013) (providing an
overview of the ``mortgage servicing market'' within the context of
the ``mortgage market'' that is ``broader'').
\166\ 12 U.S.C. 5514(a)(1)(D); see, e.g., CFPB, Final Rule,
Defining Larger Participants of the Student Loan Servicing Market,
78 FR 73383, 73385 (Dec. 6, 2013) (``[t]he student loan servicing
market is comprised of entities that service Federal and private
student loans that have been disbursed to pay for post-secondary
education expenses''); Kelly D. Edmiston, Lara Brooks, and Steven
Shepelwich, Fed. Rsv. Bk. of Kansas City Research Working Paper 12-
05, ``Student Loans: Overview and Issues (Update)'' (Aug. 2012 rv.
Apr. 2013) at 4 (``The student loan market is made up of federal and
`private' student loans. Federal student loans are those that are
listed under Title IV of the Higher Education Act. Private student
loans are those made by depository and non-depository financial
institutions (banks) and non-profit lenders (states).''), https://www.kansascityfed.org/documents/5428/rwp12-05edmistonbrooksshepelwich.pdf (last visited Nov. 7, 2024).
\167\ 12 U.S.C. 5514(a)(1)(E); see, e.g., CFPB, Final Rule,
Payday, Vehicle Title, and Certain High-Cost Installment Loans, 82
FR 54472, 54475 (Nov. 17, 2017) (referring to payday loans as part
of a ``broader set of liquidity loan products that also includes
certain higher-cost longer-term installment loans'' that are
sometimes referred to as ``payday installment loans''); NCUA, Final
Rule, Payday Alternative Loans, 84 FR 51942 (Oct. 1, 2019)
(authorizing credit unions to originate certain higher-cost
installment loans with a term of up to 12 months to compete with
payday loans).
\168\ Similarly, larger participant rulemakings only apply to
nonbank covered persons, and not to insured depository institutions,
insured credit unions, and certain of their affiliates that may
compete with nonbanks (and that may be subject to CFPB supervision
under section 1025 or certain CFPB supervisory activities described
under section 1026). See 12 U.S.C. 5514(a)(3)(A). If Congress had
intended larger participant rulemakings to define a market for
antitrust purposes, it presumably would have expressly accounted for
how insured depository institutions, insured credit unions, and
certain of their affiliates participate in such markets too.
\169\ See, e.g., Thomas G. Krattenmaker, Robert H. Lande, Steven
C. Salop, Monopoly Power and Market Power in Antitrust Law, 76 Geo.
L.J. 241, 255 (1987) (noting that ``antitrust law now requires proof
of actual or likely market power or monopoly power to establish most
types of antitrust violations'' and ``market power and market
definition are closely related, because a relevant market is that
group of firms that significantly constrains each other's pricing
and output decisions.''), https://www.justice.gov/archives/atr/monopoly-power-and-market-power-antitrust-law (last visited Nov. 7,
2024); Louis Kaplow, On the Relevance of Market Power, 130 Harv. L.
Rev. 1303, 1304 n.1 & 1366 (2017) (noting that ``[i]t is familiar
that market power is a prerequisite for most types of competition
law violations[,]'' listing different violations that depend on
establishing market power, and noting how the ``relevant market'' is
the frame of reference for assessing whether a firm has monopoly
power for purposes of a Sherman Act violation).
---------------------------------------------------------------------------
In addition, the CFPB disagrees with comments suggesting that the
FTC consultation requirement in section 1024(a)(2) compels the
conclusion that the term ``market'' should be interpreted by reference
to antitrust law.\170\ The commenters cite no legislative history or
other evidence supporting their position, and the provision itself does
not reference the FTC's competition mission or its Bureau of
Competition. The FTC also has a consumer protection mission \171\ and
it has certain overlapping authority with the CFPB over nonbanks that
provide consumer financial products and services, which generally would
include nonbanks that qualify for supervision as a larger
participant.\172\ Given that overlap, the CFPA includes various
provisions requiring the CFPB to coordinate or consult with the
FTC.\173\ In that context, there is little reason to interpret the
consultation requirement in section 1024(a)(2) as reflecting an
unstated Congressional intention that the term ``market'' be
interpreted by reference to antitrust law.\174\
---------------------------------------------------------------------------
\170\ See 12 U.S.C. 5514(a)(2).
\171\ See, e.g., What the FTC Does, https://www.ftc.gov/news-events/media-resources/what-ftc-does (last visited Nov. 7, 2024)
(noting ``the Agency's two primary missions: protecting competition
and protecting consumers'').
\172\ 12 U.S.C. 5581(b)(5)(A) (transferring FTC's authority to
prescribe rules under an enumerated consumer law to the CFPB, but
not its enforcement authority).
\173\ See, e.g., 12 U.S.C. 5514(c)(3) (requiring CFPB and FTC
agreement for coordinating on enforcement actions regarding nonbanks
subject to its supervisory authority); 12 U.S.C. 5581(b)(5)(D)
(requiring coordination between CFPB and FTC in certain rulemakings
``that apply to a covered person or service provider with respect to
the offering or provision of consumer financial products and
services[.]'').
\174\ In addition, it is not necessary to define an antitrust
market for the rule to help the CFPB to ensure consistent
enforcement of Federal consumer financial law between nonbanks and
depository institutions in order to promote fair competition. For
the reasons discussed in the response to general comments above, the
CFPB concludes the Final Rule would serve that purpose based on the
market it defines.
---------------------------------------------------------------------------
More generally, the CFPB agrees with the comments that expressed
support for the proposed market definition as describing a set of
activities that most consumers in the United States regularly rely upon
to conduct a significant portion of their everyday payments. These
everyday financial transactions involve making payments to multiple
unaffiliated persons, as described further below in the section-by-
section analysis of the revised definition of ``general use'' adopted
in the Final Rule. The universe of potential recipients for consumer
payment transactions can vary from one general-use digital consumer
payment application to another. Some peer-to-peer payment applications
facilitate payments to multiple consumers. Others facilitate payments
to multiple unaffiliated merchants. As discussed further below, the
general trend in the market is to facilitate payments to some
combination of both. That is, many of the well-known market
participants bundle together different payment methods for consumers to
make payments to friends, family, and merchants.
Depending on the market participant and which payment method the
consumer selects, the general-use digital consumer payment application
provider may hold the funds used to make a payment or they may be held
by a third-party financial institution. Regardless of who holds the
funds used for a payment, market participants share the common activity
of facilitating consumer payments transactions by providing payments
data processing products and services to consumers through digital
applications.\175\ In light of these considerations, and as further
discussed below, the Final Rule reasonably defines a market that
comfortably fits within the parameters Congress set for markets in CFPA
section 1024(a)(a)(1)(B).\176\
---------------------------------------------------------------------------
\175\ See also discussion under ``covered payment
functionality'' of comments seeking exclusion of nonbanks providing
payment services in partnership with banks. Some market activity
such as that of P2P payment apps often consists of consumer
financial products and services that rely upon both funds
transmitting and payments data processing, while other types of
market activity, such as pass-through payment wallets, may be more
limited to payments data processing. As the CFPB recently explained
in another rulemaking, CFPA section 1002(15)(A)(vii) encompasses
activity that ``extends beyond payment processing to broadly include
other forms of financial data processing, including where the
financial data are processed in connection with other financial or
non-financial products and services.'' 88 FR 74796, 74842 (Oct. 31,
2023) (proposed rule); see also 89 FR 90838 at 90955 (same point in
final rule). Providing payments data processing in connection with
funds transmitting is simply one example of this. See also CFPA
section 1002(5)(A) (defining a ``consumer financial product or
service'' as including a financial product or service that is
described in ``one or more categories under'' CFPA section
1002(15)).
\176\ Contrary to the suggestion of some commenters, grouping
activities that are in some ways different into a single market is
not a departure from previous larger participant rulemakings. See 77
FR 42874 at 42886 (consumer reporting larger participant rule
concluding that ``resellers, national credit repositories, specialty
consumer reporting agencies, analyzers, and others engaged in
consumer reporting activities as defined in the final rule are
properly included in a single market'' because ``[t]hese different
types of firms all participate in the process of preparing consumer
financial information for use in decisions regarding consumer
financial products or services''); 77 FR 9592 at 9598 (Feb. 17,
2012) (discussing difficulty separating business models of third-
party debt collectors, debt buyers, and collection attorneys because
``[s]ome third-party debt collectors also buy debt, and debt buyers
may utilize in-house or third-party collectors. Similarly,
collection attorneys and law firms may, in addition to representing
debt owners, buy debt and collect on their own behalf.'').
---------------------------------------------------------------------------
The CFPB disagrees with the conclusions by some industry and
nonprofit commenters that the proposed market does not describe a valid
``market'' for purposes of CFPA section 1024(a)(1)(B).\177\ That
includes industry comments suggesting that the CFPB cannot reasonably
define a single market that encompasses consumer financial products and
services that facilitate digital payments with different purposes, such
as payments to friends and family and payments for purchases.
Similarly, the CFPB disagrees with comments suggesting that it cannot
reasonably define a market that encompasses the facilitation of
consumer payments using different payment methods or accounts, such as
stored value accounts held with the market participant, third-party
banak accounts, and payment cards issued by third party financial
institutions such as debit cards and credit cards. These comments
appear to rely on an unduly narrow view of the meaning of the term
``market'' in the CFPA, which as discussed above in response to
antitrust-related comments Congress used in a more general sense. To
that end, the Final Rule reasonably defines a market that comports with
the range of ``markets'' in subsections (A), (D), and (E) of section
1024(a)(1) that Congress appears to have referenced in using the term
``other markets'' in section 1024(a)(1)(B).
---------------------------------------------------------------------------
\177\ To the extent commenters criticized the proposed market as
invalid based on its limitation to payment functionalities provided
through ``digital applications'' with ``general use,'' the Final
Rule discusses those comments in the section-by-section analysis of
those defined terms below.
---------------------------------------------------------------------------
In addition, these comments ignored or did not adequately account
for how often companies provide a single general-use digital payment
application with covered payment functionalities that facilitate
consumer payment transactions with either purpose (to pay friends and
family and to make purchases), often offering multiple payment methods
for transactions with either purpose. In the CFPB's experience and
expertise, informed by its market monitoring and other activities,
well-known market participants increasingly provide
[[Page 99604]]
general-use digital consumer payment applications that bundle together
options to make payments for these different purposes and payment
methods, often in a manner that appears seamless to the consumer as
described below. This assessment, focusing on the commonality across
market participants' activities, also is consistent with market
research described in the Proposed Rule and discussed further below,
and even some industry associations' own presentation of these
activities in other settings.\178\
---------------------------------------------------------------------------
\178\ This trend predates 2024. See, e.g., Testimony of Scott
Talbott, Sr. Vice President of Government Affairs, Electronic
Transactions Association (ETA), House Cmttee. on Fin. Servs, Serial
No. 117-82 (Apr. 28, 2022) at 52 (``Digital wallets can be defined
broadly to include mobile and other online applications that allow
users to process payments, access account information, and pay for
services. Digital wallets provide users with access to stored
payment credentials, which may include a credit or debit card, bank
account, or, less commonly, a prepaid or gift card linked to the
phone or app. This technology has gained popularity with consumers
as a safe and convenient way to transmit funds in multiple settings,
including for online purchases, payments at brick-and-mortar
retailers, and person-to-business (i.e., bill pay) and P2P
transfers. The concept of the digital wallet has been swiftly
embraced by the public due to its ease of use. The user just has to
download and register a mobile wallet on his or her phone.''),
https://www.congress.gov/117/chrg/CHRG-117hhrg47649/CHRG-117hhrg47649.pdf (last visited Nov. 7, 2024).
---------------------------------------------------------------------------
Many well-known market participants bundle offerings of both peer-
to-peer (P2P) and payments for purchases--sometimes in a formal and
explicit manner, other times less so. Comments from several Members of
Congress highlighted the degree to which sole proprietors and other
small businesses rely on market participants to accept payments. While
larger merchants may accept these payments by entering into formal
merchant acceptance agreements, small businesses such as sole
proprietors may simply enroll their bank account in a P2P payment
service to receive funds from consumers.\179\ As the Proposed Rule
noted, by 2022, an industry report found that 82 percent of small
business merchants surveyed accepted at least one P2P payment
option.\180\ Research by a major payment network similarly describes
how small and medium businesses are paid not only through ``mobile
wallets'' but also through ``mobile payment apps.'' \181\ Moreover,
recent market research found that nearly half of U.S. consumers
surveyed reported using a P2P app for purposes such as making purchases
with payment cards and bill pay functions. The report concluded that
``P2P apps are at an inflection point, transitioning from single-
purpose apps to additional, more robust, and often-bundled product
features.'' \182\
---------------------------------------------------------------------------
\179\ One government report estimated that in tax year 2017,
three P2P apps alone filed U.S. tax reports (at a reporting
threshold of $20,000) disclosing nearly $200 billion in payments to
businesses through those platforms. Treasury Inspector General For
Tax Administration, The Internal Revenue Service Faces Challenges in
Addressing the Growth of Peer-to-Peer Payment Application Use,
Report No. 2021-30-022 (Apr. 22, 2021) at 6 (Figure 3), https://www.tigta.gov/sites/default/files/reports/2022-07/202130022fr_4.pdf
(last visited Nov. 7, 2024). In some contexts, the bundling of the
two types of payments has been so seamless that the payment apps
themselves have not been able to effectively disentangle personal
payments from purchases. See 26 U.S.C. 6050W (``Returns relating to
payments made in settlement of payment card and third party network
transactions''); IR-2023-221 (Nov. 21, 2023) (describing phase-in
transition years where reporting not required unless payees receive
over $20,000 for more than 200 transactions in tax year 2023, and
more than $5,000 for tax year 2024), https://www.irs.gov/newsroom/irs-announces-delay-in-form-1099-k-reporting-threshold-for-third-party-platform-payments-in-2023-plans-for-a-threshold-of-5000-for-2024-to-phase-in-implementation (last visited Oct. 24, 2024).
\180\ TSG: Merchants Offering P2P Payments (reporting results of
TSG and Electronic Transactions Association survey of over 500 small
businesses merchants), cited in Proposed Rule at n.30. For example,
some of these apps began by offering only P2P payments focused on
paying friends and family, but then leveraged that feature to gain
formal merchant acceptance. See, e.g., eBay, eBay Launches Venmo as
a Payment Option, a Continued Push to Expand Ways to Pay and Invest
in Digital Natives (June 13, 2024), https://www.ebayinc.com/stories/news/ebay-launches-venmo-as-a-payment-option-a-continued-push-to-expand-ways-to-pay-and-invest-in-digital-natives (last visited Nov.
7, 2024); James Pothen, Cash App exec hints at Square integration
(June 3, 2024), https://www.paymentsdive.com/news/square-cash-app-pos-p2p-block-jack-dorsey-retail-point-of-sale-strategy/717753/
(last visited Nov. 7, 2024).
\181\ VISA Global Back to Business Study (7th ed. 2023)
(describing multinational survey of plans for digital payment option
acceptance by small and micro businesses (SMBs) including in the
United States indicating 55 percent of SMBs planned to accept
``mobile payment apps'' in 2023 and 50 percent planned to accept
``mobile wallets''), https://usa.visa.com/content/dam/VCOM/blogs/visa-back-to-business-7-one-pager-september-2023.pdf (last visited
Nov. 7, 2024). A recent Forbes survey similarly described how both
``digital wallet apps'' and ``[p]eer-to-peer apps'' are popular ways
for consumers to make retail purchases. Amanda Claypool, 53% Of
Americans Use Digital Wallets More Than Traditional Payment Methods:
Poll (updated Aug. 25, 2023), https://www.forbes.com/advisor/banking/digital-wallets-payment-apps/ (last visited Nov. 7, 2024).
For example, Amazon, which provides Amazon Pay, also had a brief
partnership with Venmo. See PYMNTS.COM, Venmo No Longer Accepted on
Amazon in January (Dec. 7, 2023), https://www.pymnts.com/amazon-payments/2023/amazon-will-discontinue-venmo-payments-in-january/
(last visited Nov. 7, 2024).
\182\ Marqueta, 2024 State of Payments Report at 39, https://www.marqeta.com/state-of-payments (last visited Aug. 1, 2024). See
also Press Release, Venmo Introduces the Ability to Schedule Payment
Requests (Oct. 9, 2024) (reporting that ``more than 84% of consumers
have used a peer-to-peer service with common payments including
monthly rent, utilities, and other regular living expenses[]'' as
found in a 2022 survey by Lending Tree at https://www.lendingtree.com/personal/peer-to-peer-services-survey/ (last
visited Nov. 7, 2024)), https://newsroom.paypal-corp.com/2024-10-09-Venmo-Introduces-the-Ability-to-Schedule-Payments-and-Requests (last
visited Nov. 7, 2024).
---------------------------------------------------------------------------
Meanwhile, as suggested by comments from consumer groups, other
digital wallets gained market share by offering formal merchant
acceptance but then began to promote a P2P payment feature.\183\ For
example, as consumer group commenters pointed out, PayPal, which
initially grew as a payment functionality for merchants selling goods
and services through an affiliated company's online marketplace, has
long since graduated to offering a broader range of services including
peer-to-peer payments.\184\
---------------------------------------------------------------------------
\183\ Apple, New features come to Apple services this fall (June
11, 2024) (describing new ``Tap to Cash'' feature that can be used
with existing Apple Cash stored value product), https://www.apple.com/newsroom/2024/06/new-features-come-to-apple-services-this-fall/ (last visited Nov. 7, 2024); Business Wire, VISA
Reinvents the Card, Unveils New Products for Digital Age (May 15,
2024) (provider of Click-to-Pay ecommerce wallet describing new
mobile device app-based feature for VISA cards ``Tap to P2P (person-
to-person): Allows money to be sent between family and friends''),
https://www.businesswire.com/news/home/20240515563838/en/ (last
visited Nov. 7, 2024).
\184\ Compare PayPal, Inc. Form S-1 (Sept. 28, 2001) at 5 (``We
depend on online auction transactions for a significant percentage
of our payment volume.''), https://www.sec.gov/Archives/edgar/data/1103415/000091205701533855/a2059025zs-1.htm, with eBay Press
Release, eBay Inc. Board Approves Completion of eBay and PayPal
Separation (June 26, 2015), https://www.ebayinc.com/stories/news/ebay-inc-board-approves-completion-of-ebay-and-paypal-separation/
(last visited Nov. 7, 2024) & PayPal, Send money to just about
anyone, anywhere (website FAQ describing how consumers can use the
PayPal app to ``[s]end money online to friends and family in the
US''), https://www.paypal.com/us/digital-wallet/send-receive-money/send-money (last visited Nov. 7, 2024). See also PayPal Holdings,
Inc. Form 10-K (Feb. 2, 2024) (PayPal 2023 10-K) at 8 (``Our Venmo
digital wallet in the U.S. is a leading mobile application used to
move money between our customers and to make purchases at select
merchants.''), https://www.sec.gov/Archives/edgar/data/1633917/000163391724000024/pypl-20231231.htm.
---------------------------------------------------------------------------
In addition, the most recent Federal Government diary and survey on
consumer payment choice results continue to illustrate how mobile app/
online payment accounts generally are understood as supporting both
``purchases and person-to-person payments[.]'' \185\ That project
groups together nonbank payment apps such as PayPal, Venmo, Apple Pay,
Google Pay, Cash App, and Samsung Pay under the
[[Page 99605]]
common heading ``online payment accounts.'' \186\ Other surveys, market
research, and even a foreign regulator similarly refer collectively to
both uses--payments to other consumers and payments for purchases.\187\
---------------------------------------------------------------------------
\185\ Berhan Bayeh, Emily Cubides & Shaun O'Brien, Fed. Rsv.
Fin. Svcs. FedCash Services, 2024 Findings from the Diary of
Consumer Payment Choice (May 2024) (2024 Diary Findings) at 5-6
(Figure 3 grouping together ``purchases and P2P payments'' and
describing growth in proportion made ``online or remotely'' versus
``in-person''), https://www.frbservices.org/binaries/content/assets/crsocms/news/research/2024-diary-of-consumer-payment-choice.pdf
(last visited Nov. 7, 2024). The Proposed Rule noted how the Federal
Government publishes the results of an annual diary and survey on
consumer payment choice. 88 FR 80197 at 80200 n.25 (citing report on
2022 diary and survey by Federal Reserve System staff).
\186\ 2023 Survey and Diary of Consumer Payment Choice Tables
(table 1 reporting survey results indicating that 71.8 percent of
U.S. consumers adopted online payment accounts as of 2023), https://www.atlantafed.org/-/media/documents/banking/consumer-payments/survey-diary-consumer-payment-choice/2023/tables_dcpc2023.pdf (last
visited Nov. 7, 2024). That survey also reported that ``[s]even in
10 consumers made at least one payment using a phone or tablet in
the 12 months ending October 2023.'' Kevin Foster, Claire Greene &
Joanna Stavins, Fed. Rsv. Bk. of Atlanta Research Data Report No.
24-1, 2023 Survey and Diary of Consumer Payment Choice: Summary
Results (June 3, 2024) at 16-17 (``On average, 13 mobile payments
per consumer were reported'' for October 2023, of which ``10 were
for purchases, two for bills, and one to pay another person''),
https://www.atlantafed.org/-/media/documents/banking/consumer-payments/survey-diary-consumer-payment-choice/2023/sdcpc_2023_report.pdf (last visited Nov. 7, 2024).
\187\ See, e.g., Claire Greene, Fumiko Hayashi, Alicia Lloro, Oz
Shy, Joanna Stavins & Ying Lei Toh, Defining Households That Are
Underserved in Digital Payment Services, Fed. Rsv. Bk. of Atlanta
Research Data Report No. 24-3 (Sept. 9, 2024), sec. 3.1 (describing
a ``(sub)component of financial inclusion relating to digital
payments (a subset of payments), which we term digital payments
inclusion. Digital payments are payments made through a digital
device or channel, such as electronic fund transfer (for example,
automated clearing house [ACH] and instant payments); debit,
prepaid, or credit card; closed-loop online payment services offered
by online payment service providers (for example, PayPal and Cash
App); and cryptocurrency transfer.''), table 1 (describing examples
of digital payments with wide acceptance by merchants, billers, and
individuals), https://www.atlantafed.org/-/media/documents/banking/
consumer-payments/research-data-reports/2024/10/10/03_defining-
households-that-are-underserved-in-digital-payment-services.pdf
(last visited Nov. 7, 2024); Pengfei Han & Zhu Wang, Technology
Adoption and Leapfrogging: Racing for Mobile Payments, Fed. Rsv. Bk.
of Richmond Working Paper No. 21-05R (Mar. 2021 rev. May 1, 2024)
(Racing for Mobile Payments) at 6 (``Following Crowe et al. (2010),
we define a mobile payment to be a money payment made for a product
or service through a mobile phone, regardless of whether the phone
actually accesses the mobile network to make the payment. Mobile
payment technology can also be used to send money from person to
person.''), https://www.richmondfed.org/-/media/RichmondFedOrg/publications/research/working_papers/2021/wp21-05r.pdf (last visited
Nov. 7, 2024); U.S. Dept. of Treasury, Assessing the Impact of New
Entrant Non-bank Firms on Competition in Consumer Finance Markets
(Nov. 2022) at 13 (``New entrant non-bank firms offer digital
applications to make payments online and through mobile devices that
have expanded accessibility for consumers. These payments firms
generally provide a front-end digital user interface for consumers
to make payments to other parties (other consumers or, increasingly,
businesses) on the same platform.''), https://home.treasury.gov/system/files/136/Assessing-the-Impact-of-New-Entrant-Nonbank-Firms.pdf (last visited Nov. 7, 2024); Pew Research Center, Who Uses
Mobile Payments? (May 26, 2016) at 1 (defining ``[m]obile payment
users'' as ``consumers who have made an online or point-of-sale
purchase, paid a bill, or sent or received money using a Web
browser, text message, or app on a smartphone''), https://www.pewtrusts.org/-/media/assets/2016/05/who_uses_mobile_payments.pdf (last visited Nov. 7, 2024); Pew
Research Center, Are Americans Embracing Mobile Payments? (Oct. 3,
2019) at 3 (defining ``mobile payment'' and ``mobile payment apps''
in similarly broad manner), https://www.pewtrusts.org/-/media/assets/2019/10/mobilepayments_brief_final.pdf (last visited Nov. 7,
2024); U.K. Payment Systems Regulator & Financial Conduct Authority,
Call for Information: Big tech and digital wallets, Doc. CP24/9
(July 2024), sec. 2.1-2.3 (``Digital wallets can be defined as apps,
software or online services that allow consumers to make payments,
quickly and conveniently, using mobile phones or other electronic
devices . . . . Some digital wallets facilitate retail transactions,
others allow peer-to-peer payments, and others do both . . . .
Digital wallets can be either `staged' [by holding funds] or `pass-
through' [because they do not hold funds themselves but instead
allow users to make payments from a payment card] . . . . While the
features and functionality of digital wallets vary, in general
terms, they offer consumers a quick and convenient way to make
payments.''), https://psr.org.uk/media/yqinyhhn/cp24-9-cfi-digital-wallets-july-2024-v2.pdf (last visited Nov. 7, 2024).
---------------------------------------------------------------------------
In addition, commenters claiming that the rule encompassed multiple
markets rather than a single market did not provide evidence regarding
consumer understanding to support their claims. By contrast, through
its experience and expertise developed through its market monitoring
and other activities, the CFPB has seen that several well-known
general-use digital consumer payment applications engage in many of the
activities industry commenters characterized as distinct markets. For
example, when consumers open what some describe as a peer-to-peer
payment app, now they often may access a screen to send money to other
persons they identify, whether consumers or businesses.\188\ In
addition, market participants often design their general-use digital
consumer payment application so that a single screen can display all
available methods for making a given payment, including prepaid
accounts, debit cards linked to deposit accounts, and credit cards,
whether issued by the digital application provider or by third-party
financial institutions.\189\ The CFPB therefore declines to
differentiate the market in ways suggested by industry commenters that
do not align with the more seamless, undifferentiated common user
experience that well-known market participants themselves create for
consumers.
---------------------------------------------------------------------------
\188\ See, e.g., Venmo, Show some local love: Pay businesses--
like your favorite neighborhood spots--the same easy way you pay
friends on Venmo (describing how consumer can use a merchant's Venmo
QR code to identify the merchant as a payment recipient), https://venmo.com/pay/businesses/ (last visited Nov. 7, 2024); Venmo, Adding
& Removing Friends (describing how consumers can use QR codes from
other consumers to identify them as recipients), https://help.venmo.com/hc/en-us/articles/217532217-Adding-Removing-Friends
(last visited Nov. 7, 2024); Block Investor Day 2022, Cash App at 8
(stating that Cash App ``started with peer-to-peer payments'') & at
71 (showing screenshot of how a consumer can add a business account
to receive payments), https://s29.q4cdn.com/628966176/files/doc_presentations/2022/05/Cash-App-Block-Investor-Day-2022.pdf (last
visited Nov. 7, 2024). Other payment apps also bundle money
transfers to individual consumers and bill pay functionalities. See,
e.g., Western Union, Send and Track Money Online (U.S. consumer home
page describing how a consumer can use the Western Union app to
``[s]end money, pay bills, check exchange rates, or start a transfer
in the app and pay in-store-all on the go.''), https://www.westernunion.com/us/en/home.html (last visited Nov. 7, 2024).
\189\ See, e.g., Apple, Wallet Carry one thing. Everything
(consumer-facing website showing screenshot of Apple Wallet
displaying payment methods including a Discover credit card, an
Apple Cash prepaid account card, and an Apple MasterCard), https://www.apple.com/wallet/ (last visited Nov. 7, 2024); PayPal, Add. Pay.
Earn. Smile (consumer-facing website showing screenshot of PayPal
payment method screen where consumer can ``[u]se your bank or cards
to pay or send money''), https://www.paypal.com/us/digital-wallet/ways-to-pay/add-payment-method (last visited Nov. 7, 2024).
---------------------------------------------------------------------------
Even when firms choose to discontinue offering payments to other
consumers,\190\ or have not yet enabled that capability in the United
States,\191\ their general-use digital payment applications still
comprise part of the overall market described in the Final Rule, which
includes but is not limited to digitally facilitating consumer payment
transactions for purchases.
---------------------------------------------------------------------------
\190\ See, e.g., Google, Simplifying our payment apps in the
U.S. (Feb. 22, 2024) (announcing that effective June 4, 2024, the
U.S. version of the Goole Pay app will no longer be available to
send money to other consumers but that consumers can continue to use
Google Pay to check out online and to tap-to-pay in stores), https://blog.google/products/google-pay/payment-apps-update/?sjid=232731559998132243-NA (last visited Nov. 7, 2024).
\191\ See Amazon, Unified Payment Interface (UPI) FAQs
(describing how consumers in India can use the Amazon Pay Unified
Payment Interface to send money to other consumers), https://www.amazon.in/gp/help/customer/display.html?nodeId=202212990 (last
visited Nov. 7, 2024).
---------------------------------------------------------------------------
Final Rule
For the reasons described in this Final Rule, including the CFPB's
consideration of and responses to the comments on the Proposed Rule,
the CFPB concludes that the set of activities covered by the market
definition in the Final Rule, all of which digitally facilitate
consumer payment transactions to multiple unaffiliated persons,
regardless of the payment method, source, or account used to fund the
payment, reasonably describes a market for purposes of CFPA section
1024(a)(1)(B). In addition, the Final Rule makes several revisions to
market-related definitions as described in the section-by-section
analysis of Sec. 1090.109(a)(2) below. Because the
[[Page 99606]]
market definition incorporates those defined terms, those revisions
also affect the scope of the market the Final Rule defines.
109(a)(2) Market-Related Definitions
Proposed Sec. 1090.109(a)(2) would have defined several terms that
are relevant to the proposed market definition described above. Below
the CPFB summarizes and responds to comments on each proposed
definition and describes changes to these definitions in the Final
Rule, which also numbers each definition for clarity.
Consumer Payment Transaction(s)
Proposed Rule
The proposed market definition would have encompassed providing
covered payment functionalities through a digital application for a
consumer's general use in making consumer payment transactions.
Proposed Sec. 1090.109(a)(2) would have defined the term ``consumer
payment transactions'' to mean the transfer of funds by or on behalf of
a consumer physically located in a State to another person primarily
for personal, family, or household purposes.\192\ The proposed
definition would have clarified that, except for transactions excluded
under paragraphs (A) through (D), the term applies to transfers of
consumer funds and transfers made by extending consumer credit.
Paragraphs (A) through (D) of the proposed definition would have
excluded the following four types of transactions: (A) An international
money transfer as defined in Sec. 1090.107(a) of this part; (B) A
transfer of funds that is (1) linked to the consumer's receipt of a
different form of funds, such as a transaction for foreign exchange as
defined in 12 U.S.C. 5481(16), or (2) that is excluded from the
definition of ``electronic fund transfer'' under Sec. 1005.3(c)(4) of
this chapter; (C) A payment transaction conducted by a person for the
sale or lease of goods or services that a consumer selected from an
online or physical store or marketplace operated prominently in the
name or such person or its affiliated company; and (D) An extension of
consumer credit that is made using a digital application provided by
the person who is extending the credit or that person's affiliated
company.\193\
---------------------------------------------------------------------------
\192\ The Proposed Rule would have defined the term ``consumer
payment transaction'' for purposes of the Proposed Rule. Payment
transactions that are excluded from, or otherwise do not meet, the
definition of ``consumer payment transaction'' in the Proposed Rule
would not have been covered by the market definition in the Proposed
Rule. However, persons facilitating those transactions may still
have been subject to other aspects of the CFPB's authorities besides
its larger participant supervisory authority established by the
Proposed Rule.
\193\ Subpart A of the CFPB's existing larger-participant rule
includes a definition of ``affiliated company'' that would have
applied to the use of that term in the Proposed Rule. See 12 CFR
1090.101.
---------------------------------------------------------------------------
The first component of the proposed definition of ``consumer
payment transaction'' was that the payment transaction must result in a
transfer of funds by or on behalf of the consumer. This component
therefore would have focused on the sending of a payment, and not on
the receipt. The proposed definition would have encompassed a
consumer's transfer of their own funds--such as funds held in a linked
deposit account or in a stored value account. It also would have
encompassed a creditor's transfer of funds to another person on behalf
of the consumer as part of a consumer credit transaction.\194\ For
example, a nonbank's wallet functionality may hold a credit card
account or payment credential that a consumer uses to obtain an
extension of credit from an unaffiliated depository institution. If the
consumer uses the digital wallet functionality to purchase nonfinancial
goods or services using such a credit card, the credit card issuing
bank may settle the transaction by transferring funds to the merchant's
bank for further transfer to the merchant, and a charge may appear on
the consumer's credit card account. That transfer of funds may have
constituted part of a consumer payment transaction under the Proposed
Rule regardless of whether it is an electronic fund transfer subject to
Regulation E.\195\
---------------------------------------------------------------------------
\194\ In certain circumstances, consumer credit transactions
would have been excluded from the proposed definition of ``consumer
payment transaction,'' for example as described in the exclusion in
proposed paragraph (D) discussed below.
\195\ See also generally Sec. 1005.12(a) (describing
relationship between Regulation E and other laws including the Truth
in Lending Act and its implementing regulation, Regulation Z).
---------------------------------------------------------------------------
The CFPA did not include a specific definition for the term
``funds'' used in the Proposed Rule. As the Proposed Rule explained,
that term is used in various provisions of the CFPA, including in
section 1002(15)(A)(iv), which defines the term ``financial product or
service'' to include ``engaging in deposit-taking activities,
transmitting or exchanging funds, or otherwise acting as a custodian of
funds or any financial instrument for use by or on behalf of a
consumer.'' \196\ Without fully addressing the scope of that term, the
Proposed Rule interpreted the term ``funds'' in the CFPA to not be
limited to fiat currency or legal tender, and to include digital assets
that have monetary value and are readily useable for financial
purposes, including as a medium of exchange, such as crypto-assets,
which are sometimes referred to as virtual currency.\197\
---------------------------------------------------------------------------
\196\ 12 U.S.C. 5481(15)(A)(iv).
\197\ See generally U.S. Treas. Fin. Stability Oversight
Council, Report on Digital Asset Financial Stability Risks and
Regulation (Oct. 3, 2022) at 7 (``For this report, the term `digital
assets' refers to two categories of products: `central bank digital
currencies' (CBDCs) and `crypto-assets.' This report largely focuses
on crypto-assets. Crypto-assets are a private sector digital asset
that depends primarily on cryptography and distributed ledger or
similar technology. For this report, the term crypto-assets
encompasses many assets commonly referred to as `coins' or `tokens'
by market participants.''), https://home.treasury.gov/system/files/261/FSOC-Digital-Assets-Report-2022.pdf (last visited Oct. 23,
2023).
---------------------------------------------------------------------------
The second component of the proposed definition of ``consumer
payment transaction'' was that the consumer must be physically located
in a State, a term the proposal would have defined by reference to
jurisdictions that are part of the United States as discussed in the
section-by-section analysis below. The CFPB requested comment on this
limitation.
The third component of the proposed definition of ``consumer
payment transaction'' was that the funds transfer must be made to
another person besides the consumer. For example, the other person
could be another consumer, a business, or some other type of entity.
This component would have distinguished the proposed market for
general-use digital payment applications that facilitate payments
consumers make to other persons from adjacent but distinct markets that
include other consumer financial products and services, including the
activities of taking deposits; selling, providing, or issuing of stored
value; and extending consumer credit by transferring funds directly to
the consumer. For example, this component of the proposed definition
would have excluded transfers between a consumer's own deposit
accounts, transfers between a consumer deposit account and the same
consumer's stored value account held at another financial institution,
such as loading or redemptions, as well as a consumer's withdrawals
from their own deposit account such as by an automated teller machine
(ATM).
The fourth component of the proposed definition of ``consumer
payment transaction'' is that the funds transfer must be primarily for
personal, family, or household purposes.\198\ As a
[[Page 99607]]
result, the Proposed Rule would have defined the relevant market
activity (providing a general-use digital consumer payments
application) by reference to its use with respect to consumer payment
transactions. Although a general-use digital consumer payment
application also could help individuals to make payments that are not
for personal, family, or household purposes, such as purely commercial
(or business-to-business) payments, those payments would not have
fallen within the proposed definition of ``consumer payment
transaction.''
---------------------------------------------------------------------------
\198\ Under a relevant definition of consumer financial products
and services in CFPA section 1002(5)(A), a financial product or
service is a consumer financial product or service when it is
offered or provided for use by consumers primarily for personal,
family, or household purposes. 12 U.S.C. 5481(5)(A).
---------------------------------------------------------------------------
In addition, the proposed definition of ``consumer payment
transaction'' would have excluded four types of transfers. First,
paragraph (A) of the proposed definition would have excluded
international money transfers as defined in Sec. 1090.107(a). The CFPB
defined larger participants in a market for international money
transfers in its 2014 rule.\199\ In proposing this larger participant
rule, the CFPB did not propose to alter the international money
transfer larger participant rule. Rather, the CFPB proposed this larger
participant rule to define a separate market, focused on the use of
digital payment technologies to help consumers make payment
transactions that are not international money transfers as defined in
the international money transfer larger participant rule. Accordingly,
the proposed definition of ``consumer payment transaction'' would have
excluded an international money transfer as defined in Sec.
1090.107(a). As the Proposed Rule explained, to the extent that nonbank
international money transfer providers facilitate those transactions,
whether through a digital application or otherwise,\200\ that activity
remains part of the international money transfer market, and the CFPB
may be able to supervise such a nonbank if it meets the larger-
participant test in the international money transfer larger participant
rule.
---------------------------------------------------------------------------
\199\ 79 FR 56631.
\200\ See CFPB, Remittance Rule Assessment Report (Oct. 2018,
rv. April 2019) at 143 (describing trends including ``widespread use
of mobile phones to transfer remittances and the growth of online-
only providers[]''), https://files.consumerfinance.gov/f/documents/bcfp_remittance-rule-assessment_report.pdf (last visited Oct. 25,
2023).
---------------------------------------------------------------------------
Second, for clarity, paragraph (B) of the proposed definition of
``consumer payment transaction'' would have excluded a transfer of
funds by a consumer (1) that is linked to the consumer's receipt of a
different form of funds, such as a transaction for foreign exchange as
defined in 12 U.S.C. 5481(16), or (2) that is excluded from the
definition of ``electronic fund transfer'' under Sec. 1005.3(c)(4) of
this chapter. Paragraph (1) of this proposed exclusion would have
clarified, for example, that the market as defined in the Proposed Rule
does not include transactions consumers conduct for the purpose of
exchanging one type of funds for another, such as exchanges of fiat
currencies (i.e., the exchange of currency issued by the United States
or of a foreign government for the currency of a different government).
Paragraph (2) would have clarified that transfers of funds the primary
purpose of which is the purchase or sale of a security or commodity in
circumstances described in Regulation E section 3(c)(4) and its
associated commentary also would not have qualified as consumer payment
transactions for purposes of the Proposed Rule.\201\
---------------------------------------------------------------------------
\201\ 12 CFR 1005.3(c)(4).
---------------------------------------------------------------------------
Third, proposed paragraph (C) would have excluded a payment
transaction conducted by a person for the sale or lease of goods or
services that a consumer selected from an online or physical store or
marketplace operated prominently in the name of such person or its
affiliated company.\202\ This exclusion would have clarified that, when
a consumer selects goods or services in a store or website operated in
the merchant's name and the consumer pays using account or payment
credentials stored by the merchant who conducts the payment
transaction, such a transfer of funds generally is not a consumer
payment transaction included within the market defined by the Proposed
Rule.
---------------------------------------------------------------------------
\202\ See 12 CFR 1090.101 (definition of ``affiliated
company'').
---------------------------------------------------------------------------
This exclusion also would have clarified that when a consumer
selects goods or services in an online marketplace and pays using
account or payment credentials stored by the online marketplace
operator or its affiliated company,\203\ such a transfer of funds
generally is not a consumer payment transaction included within the
market defined by the Proposed Rule. For such transactions to qualify
for this exclusion, the funds transfer must have been for the sale or
lease of a good or service the consumer selected from a digital
platform operated prominently in the name (whether entity or trade
name) of an online marketplace operator or their affiliated
company.\204\ However, this proposed exclusion would not have applied
when a consumer uses a payment or account credential stored by a
general-use digital consumer payment application provided by an
unaffiliated person to pay for goods or services on the merchant's
website or an online marketplace. For example, when a consumer selects
goods or services for purchase or lease on a website of a merchant, and
then from within that website chooses an unaffiliated person's general-
use digital consumer payment application as a payment method, then
proposed paragraph (C) would not have excluded the resulting consumer
payment transaction.
---------------------------------------------------------------------------
\203\ The Proposed Rule noted that a common industry definition
of an online marketplace operator is an entity that engages in
certain activities, including ``[b]ring[ing] together [consumer
payment card holders] and retailers on an electronic commerce
website or mobile application'' where ``[i]ts name or brand is:
[]Displayed prominently on the website or mobile application[; ]
Displayed more prominently than the name and brands of retailers
using the Marketplace[; and is p]art of the mobile application name
or [uniform resource locator.]'' 88 FR 80197 at 80203 n.59 (citing
VISA, Visa Core Rules and Visa Product and Service Rules (Apr. 15,
2023) (``VISA Rules''), Rule 5.3.4.1 (defining the criteria for an
entity to qualify as a ``Marketplace'' for purposes of the VISA
Rules), Oct. 2024 edition last updated Apr. 2023, https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf
(last visited Nov. 7, 2024)).
\204\ The Proposed Rule noted that this aspect of the example is
consistent with what some significant payments industry standards
consider to be a digital marketplace. See id.
---------------------------------------------------------------------------
The Proposed Rule explained that the CFPB proposed this exclusion
to the definition of ``consumer payment transaction'' to clarify the
scope of the proposed market and to clarify which transactions count
toward the proposed threshold in the larger-participant test in
proposed Sec. 1090.109(b). For example, some online marketplace
operators may provide general-use digital consumer payment applications
for consumers to use for the purchase or lease of goods or services the
consumer selects on websites of unaffiliated merchants. Absent the
proposed exclusion in paragraph (C), the providing of such a general-
use digital consumer payment application could result in counting all
transactions through such an application, including for goods and
services the consumer selects from the online marketplace, toward the
larger-participant test threshold in proposed Sec. 1090.109(b). Yet
the Proposed Rule noted that the CFPB was not seeking to define a
market or determine larger-participant status in this rulemaking by
reference to payment transactions conducted by merchants or online
marketplaces through their own payment functionalities for their own
sales transactions. The CFPB therefore believed it was appropriate to
propose excluding the former type of payment
[[Page 99608]]
transactions from the market defined in the Proposed Rule.
The Proposed Rule explained how, in this regard, the scope of the
proposed term ``consumer payment transaction'' is narrower than the
CFPB's authority under the CFPA, which can extend to payment
transactions conducted by merchants or online marketplaces for sales
through their own platforms under certain circumstances. The CFPA
defines a consumer financial product or service to include ``providing
payments or other financial data processing products or services to a
consumer by any technological means, including processing or storing
financial or banking data for any payment instrument . . .'' \205\ The
Proposed Rule explained that such activities generally are consumer
financial products or services under the CFPA unless a narrow exclusion
for financial data processing in the context of the direct sale of
nonfinancial goods or services applies.\206\ The Proposed Rule
explained that exclusion would not apply if a merchant or online
marketplace's digital consumer application stores, transmits, or
otherwise processes payments or financial data for any purpose other
than initiating a payments transaction by the consumer to pay the
merchant or online marketplace operator for the purchase of a
nonfinancial good or service sold directly by that merchant or online
marketplace operator. Other purposes beyond payments for direct sales
could include using or sharing such data for targeted marketing, data
monetization, or research purposes. The Proposed Rule explained that
the exclusion also would not apply if an online marketplace operator's
digital consumer application processes payments or other financial data
associated with the consumer's purchase of goods or services at
unaffiliated online or physical stores or third-party goods or services
on the operator's online marketplace.
---------------------------------------------------------------------------
\205\ 12 U.S.C. 5481(15)(A)(vii).
\206\ ``[A] person shall not be deemed to be a covered person
with respect to financial data processing solely because the person
. . . is a merchant, retailer, or seller of any nonfinancial good or
service who engages in financial data processing by transmitting or
storing payments data about a consumer exclusively for purpose of
initiating payments instructions by the consumer to pay such person
for the purchase of, or to complete a commercial transaction for,
such nonfinancial good or service sold directly by such person to
the consumer[.]'' 12 U.S.C. 5481(15)(A)(vii)(I). The Proposed Rule
stated that this narrow exclusion is descriptive of the limited role
that many merchants play in processing consumer payments or
financial data. 88 FR 80197 at 80204 n.62.
---------------------------------------------------------------------------
Finally, proposed paragraph (D) would have excluded an extension of
consumer credit that is made using a digital application provided by
the person who is extending the credit or that person's affiliated
company. As the Proposed Rule explained, the CFPB proposed this
exclusion so that the market definition does not encompass consumer
lending activities by lenders through their own digital applications.
In this rulemaking, the CFPB did not propose to define a market for
extending consumer credit, as it did, for example, in the larger
participant rule for the automobile financing market.\207\ As a result
of this proposed exclusion, for example, a nonbank would not have been
participating in the proposed market simply by providing a digital
application through which it lends money to consumers to buy goods or
services.\208\
---------------------------------------------------------------------------
\207\ 12 CFR 1090.108.
\208\ Thus, to the extent consumer credit transactions would
have fallen within the proposed definition of consumer payment
transactions, this would have been because the relevant market
participant engaged in covered payment-related activities beyond
extending credit to the consumer. For example, a nonbank may provide
a wallet functionality through a digital application that stores
payment credentials for a credit card through which an unaffiliated
depository institution or credit union extends consumer credit. The
CFPB proposed a market definition that would have reached that
nonbank covered person's activities because their role in the
transaction is to help the consumer to make a payment, not to
themselves extend credit to the consumer.
---------------------------------------------------------------------------
Comments Received
Some commenters addressed certain terms in the proposed definition
of ``consumer payment transaction'' including, in relation to its
reference to the ``transfer of funds,'' how the Proposed Rule stated
that the CFPB interprets ``funds'' to include digital assets in certain
circumstances, as described above. A few commenters also commented on
how the Proposed Rule sought to define covered transactions based on
the location of the consumer in a State. Finally, some commenters
addressed certain proposed exclusions from the definition, including
specifically paragraphs (C) and (D).
Many of the comments on the proposed definition of ``consumer
payment transaction'' related to the proposed inclusion of certain
transfers of digital assets in this definition, when they transfer
``funds'' under the CFPA. Several consumer groups and a nonprofit
expressed general support for including digital assets within the
market definition. The nonprofit stated that the firms providing
cryptocurrency products and services have been marked by a wide
assortment of investor and consumer abuses. Consumer groups agreed,
noting that reports coming out of the late 2022 downturn in the sector
illustrated that that consumers would benefit from broader oversight,
including CFPB supervision of digital assets activities involved in
consumer payment transactions. They stated that such oversight could
address risks consumers have faced, such as improper restrictions that
distressed digital asset platforms have placed on consumers' access to
hosted digital asset wallets. The consumer groups also stated that
consumers increasingly are relying on cryptocurrencies for consumer
payment transactions, as industry emphasizes a long-term strategy of
promoting such activity. They cited examples of a long-time, well-known
market participant introducing a stablecoin expressly to facilitate
consumer purchases, and another digital asset firm contracting with
merchants for acceptance of crypto assets the firm holds for consumers.
A banking industry association also supported the coverage of virtual
currency and crypto assets, which it stated consumers use for personal,
family, and household purposes, and should be regulated on par with
fiat currency consistent with the ``same activity, same risk, same
regulation'' principle. An individual commenter agreed that crypto
asset users face significant risks, and called for the Final Rule to
clarify how it applies to digital assets.
On the other hand, for several reasons described below, several
nonprofits, providers of digital asset products and services, and
digital asset industry associations, banking industry associations, and
other industry associations opposed inclusion of digital assets in the
market definition. They called for exclusion of these transactions from
the rule and, if warranted, a re-proposal based on addressing the
various issues they described; a payment network and nonprofit added
that, to facilitate regulatory certainty and transparency and avoid
unintended consequences, the Final Rule should only apply to fiat
currency and legal tender. They stated that the rule should accomplish
that goal by limiting the interpretation of ``funds.'' \209\
---------------------------------------------------------------------------
\209\ As discussed at the outset of the section-by-section
analysis above, an industry association commenter also stated that
if the CFPB excludes digital assets from the Final Rule, then the
CFPB precludes its examination of that activity by larger
participants under the Final Rule. The CFPB summarizes and responds
to that comment separately above.
---------------------------------------------------------------------------
First, some industry commenters stated that the CFPB should not
adopt this aspect of the Proposed Rule because, in their view, the CFPB
has not
[[Page 99609]]
conducted adequate market monitoring of digital assets activities and
does not in general have data, experience, or expertise in this area
sufficient to assess risk to consumers and finalize a regulation
covering them. One industry commenter added that the CFPB would have
benefited from issuing market-monitoring orders to larger digital asset
firms as the CFPB had done to Big Tech firms offering consumer payment
applications that transfer U.S. dollars. One commenter stated that the
Proposed Rule did not rely on public blockchain data from industry
sources such as Elliptic, Chain Analysis, and TRM, as well as trends
data published by Circle, and insufficiently disclosed any data on
which it did rely.
Second, several comments from industry, nonprofits, and some
Members of Congress stated that the Proposed Rule did not consider the
impact of covering digital assets. For example, some industry
commenters stated that the Proposed Rule underestimated the number of
larger participants, citing uncertainty over the rule's application to
digital assets and ineligibility for the proposed small business
exclusion by small businesses in the digital assets sector that are
based abroad, organized as nonprofits, or dominant in their field.
Further, some industry associations, digital assets firms, and a
nonprofit stated that it was uncertain which digital assets
transactions would be covered because it is uncertain which are for
personal, family, or household purposes. In addition, some commenters
suggested that the Proposed Rule would impose significant burdens on
the digital asset sector, whether due to the proposed interpretation of
``funds'' in the CFPA as including digital assets which they viewed as
a change in substantive consumer protections, or to what they
anticipated would be exposure to potentially arbitrary and shifting
CFPB interpretations as to whether Regulation E covers digital
assets.\210\ Finally, an industry firm stated that the Proposed Rule
did not adequately consider the potential for digital asset firms to
pass through costs of this rule to consumers. Some Members of Congress
and an industry association added that covering digital assets would
discourage competition and innovation in payments.
---------------------------------------------------------------------------
\210\ One industry association stated that the Final Rule should
clarify that it does not serve as a basis for subjecting virtual
currencies or other digital assets to Regulation E. Another trade
association called for the CFPB to consult with stakeholders in
industry, other agencies, and Congress to understand the potential
implications of applying Regulation E in this context.
---------------------------------------------------------------------------
In addition, many of these commenters emphasized potential impacts
of what they described as the proposal's apparent coverage of so-called
``unhosted'' or ``self-hosted'' digital asset wallets. They stated that
providers of these products and services must be excluded from the rule
because they are merely providing software with no ongoing customer
relationship or intermediary role, no access to information about the
existence, nature, or use of any digital asset held in the wallet, and
no control over the use of the wallet for any purpose including to make
payments.\211\ They added that unhosted digital asset wallets cannot
block transactions, reverse transactions to correct unauthorized
transfers, close accounts, or track or monetize consumer data. As such,
they stated that they also do not know whether the wallet holds funds
at all (even under the CFPB's interpretation) versus other uses of
distributed ledger technology including an estimated 1.8 million types
of crypto assets, nonfungible tokens (NFTs), and loyalty points among
others. They stated they do not know where the consumer is located for
the purposes of the proposed definition of ``consumer payment
transaction.'' They also stated they do not know when a transaction
occurs at all much less whether it is a consumer payment transaction.
They stated that the lack of provider collection of such data is a
critical feature of their product from the perspective of the consumer,
and that this feature reduces risk to consumers.
---------------------------------------------------------------------------
\211\ One commenter stated that an exclusion for what it called
``unhosted'' digital asset wallets would be consistent with FinCEN
2019 guidance that they described as excluding software providers of
unhosted digital asset wallets from the scope of Federal money
transmitter regulation. Another commenter stated that the First
Amendment of the U.S. Constitution protects software code writing as
speech, and that the proposed small business concern exclusion
discriminated between speakers based on the size of their business,
constituting speaker and viewpoint discrimination that it did not
believe would survive strict constitutional scrutiny.
---------------------------------------------------------------------------
Third, some commenters raised legal objections to including digital
assets in the rulemaking or certain digital asset products and
services. For example, some industry commenters disagreed generally
with the proposal's interpretation of ``funds'' as including digital
assets. These commenters stated that the CFPB did not provide
sufficient reasoning or evidence to support what they viewed as a
change in its legal position, that the interpretation ran contrary to
the statute, Congress' understanding at the time of its enactment,\212\
relevant case law, and the ``major questions'' doctrine,\213\ that
digital asset products and services are not part of a consumer
financial products or services market because they are not provided for
use by consumers primarily for personal, family, or household purposes,
and that the CFPA precludes CFPB oversight over such activities
overseen by the SEC or CFTC.\214\ Some commenters stated more
specifically that the CFPB lacks authority over unhosted digital asset
wallets because, for example, they function similarly to a web browser
or password manager with a variety of uses beyond payments,\215\ they
have no more power to intervene in a consumer payment transaction than
an internet service provider, and these activities are eligible for the
``electronic conduit services'' exception in CFPA section
1002(15)(C)(ii).
---------------------------------------------------------------------------
\212\ Some commenters noted that very few cryptocurrencies
existed as of 2010, and noted that stablecoins were not introduced
until several years later.
\213\ These commenters pointed to the size of digital asset
activity, including an estimated $130 billion U.S. stablecoin
market, as well as varied uses of digital assets and efforts in
Congress to enact a legislative oversight framework.
\214\ In addition, a nonprofit commenter and other industry
commenters stated that the CFPB should not finalize this aspect of
the Proposed Rule because, in their view, it reflects inadequate
coordination by the CFPB across government as called for under an
executive order relating to digital assets and reflects inadequate
CFPB consultation with the SEC and CFTC, which have asserted
regulatory authority over digital assets.
\215\ This commenter added that, although the Proposed Rule did
not specifically address covering unhosted digital asset wallets and
thus such coverage may not have been intended, based on the
interpretation of ``funds'' in the Proposed Rule, its proposed
definition of ``covered payment functionality'' could be viewed as
reaching them, which, as noted, would be legally impermissible in
its view.
---------------------------------------------------------------------------
With respect to other aspects of the proposed definition of
``consumer payment transaction'' beyond the context of digital assets,
two commenters addressed the part of the proposed definition of
``consumer payment transaction'' that limited the term to payments by
or on behalf of a consumer ``located in a State'' in the United States
as described above. A nonprofit stated that a survey indicated that the
majority of its members (59 percent) did not believe that larger
participants would be able to determine whether the consumer is located
within a State, such as based on the consumer's internet Protocol
address at the time of a transaction. An industry association stated
that this part of the proposed definition was overbroad because it
extended beyond Federal consumer financial laws that the Proposed Rule
identified as applicable in the market. Specifically, the commenter
stated that basing market scope on the location of
[[Page 99610]]
the consumer leads the market to include electronic fund transfers that
are not covered by Regulation E, such as payments that foreign firms
facilitate for foreign nationals who do not reside in the United
States, including while traveling within the United States.\216\ They
suggested that, in order to avoid being subject to a U.S. supervisory
regime, foreign providers may abandon support of such foreign national
customers when traveling in the United States. They also pointed to
foreign providers' provision of payment accounts located outside the
United States as another example that they believed generally falls
outside of Regulation E. As a result, they called for narrowing the
transactions included in the market. In addition to the proposed
limitation requiring that the consumer be located in a State in the
United States, in their view, the definition of ``consumer payment
transaction'' also should be limited to U.S. residents making payments
from payment cards or stored value accounts issued by U.S. financial
institutions. In their view, those additional limitations would better
align the scope of the market with the scope of regulations the CFPB
proposes to apply in its examination of larger participants, including
Regulation E, whose scope with respect to transnational activity is
described in its comment 3(a)-3.
---------------------------------------------------------------------------
\216\ They also suggested that Regulation P may not apply to
those transactions.
---------------------------------------------------------------------------
Commenters presented a range of views on the exclusion in paragraph
(C) of the proposed definition of ``consumer payment transaction'' for
payment transactions conducted by merchants or marketplaces for the
sale or lease of goods or services the consumer selected from a store
or marketplace the merchant or marketplace operates prominently in its
name or the name of an affiliated company. Some commenters also
addressed the statement in the Proposed Rule describing circumstances
in which merchant or marketplace payment processing activities that
fall outside the proposed market definition because they are excluded
by paragraph (C) nonetheless may qualify as a consumer financial
product or service under the CFPA.
Consumer group commenters generally opposed the proposed exclusion
in paragraph (C). One consumer group noted stated that certain nonbank
payments companies sell consumers' payments data, including information
about how much people spend, where, and on what, as described in a 2023
report the commenter published and linked to in its comment.\217\ In
their view, to the extent a marketplace collects payments data and uses
it for purposes beyond completing the payment transaction, the
marketplace should be brought under supervisory authority, including
when ``its transactions fall within its own marketplace[.]'' Meanwhile,
other consumer groups stated that marketplace payment functions can
comprise a significant portion of the marketplace's revenues, can
expand into or spin off as general-use digital consumer payment apps,
and also can engage in practices that the FTC has alleged to violate
competition laws.
---------------------------------------------------------------------------
\217\ R.J. Cross, How Mastercard sells its `gold mine' of
transaction data (Sept. 30, 2023, updated June 17, 2024), https://pirg.org/edfund/resources/how-mastercard-sells-data (last visited
Nov. 7, 2024).
---------------------------------------------------------------------------
A law firm commenter agreed that the rule should exclude payment
transactions conducted by online marketplaces for sales through their
own platforms. This commenter stated that consumers seek out online
marketplace platforms for their ability to sell goods and services
including primarily from third-party retailers hosted on the
marketplace. It called for clarifying the definition of marketplace in
proposed paragraph (C) to better achieve the CFPB's stated goal of
excluding payment transactions conducted by merchants for their own
sales and payment transactions conducted by online marketplaces for
sales made through their platform. As noted, the scope of the exclusion
in proposed paragraph (C) would apply to marketplaces operated
prominently in the name of the person that conducts the payment
transaction. This commenter described this aspect of the exclusion as
unduly focused on branding. It stated that different online marketplace
operators have different levels of branding and name display,
suggesting uncertainty about which marketplaces would have qualified
under the ``prominently'' standard. To the extent that a platform did
not meet the ``prominently'' standard in the Proposed Rule, in the view
of this commenter, the exclusion would be arbitrary because a platform
would be ineligible despite being a marketplace as defined in a Federal
law administered by the FTC, despite consumers still plainly
understanding it to be a marketplace, and despite the platform
presenting different consumer protection concerns as the Proposed Rule
recognized was the case for excluded marketplaces. For all of these
reasons, it stated that the Final Rule should adopt the definition of
``online marketplace'' Congress adopted in the Integrity, Notification,
and Fairness in Online Retail Marketplaces for Consumers Act (INFORM
Act).\218\ That statute defined a marketplace based on its function,
and not its level of name branding. The commenter added that, by
incorporating the INFORM Act definition, the exclusion would apply both
when the marketplace is paid and when a third-party seller selling
through the marketplace is paid.
---------------------------------------------------------------------------
\218\ 15 U.S.C. 45f(f)(4).
---------------------------------------------------------------------------
Some industry commenters addressed whether the Rule should include
consumer payment transactions consumers initiate through ``buttons'' on
merchant websites. One industry association indicated that it was
important for the rule to provide for universal coverage of digital
wallets, including those a consumer uses by pressing a payment button a
checkout screen on a merchant website. It suggested that broad coverage
was important to achieve consistent supervision across providers, which
promotes competition. On the other hand, some industry commenters
called for adding an exclusion for what they described as express
checkout options that nonbanks facilitate for third-party merchant
websites and apps, including ``buy buttons.'' \219\ One industry
association called for the rule to clarify that payment checkout
buttons are excluded from the market because they do not function
generally across merchants but instead require individual merchant
acceptance agreements.\220\ Another industry association cited research
indicating that many online merchants including small businesses
facilitate consumers' purchases by offering these buttons, and
suggested that the Proposed Rule was unnecessarily directing its
coverage to merchant payment processing.\221\
---------------------------------------------------------------------------
\219\ A few industry commenters suggested that the integration
of general-use digital consumer payment applications into merchant
websites through payment buttons does not pose any risk to
consumers, and that this type of activity should not be included in
the market definition. The CFPB considers and responds to comments
related to risks to consumers separately in the response to general
comments above.
\220\ This commenter cited this fact as supporting its view that
such checkout buttons do not have ``general use''--which the Final
Rule discusses in the section-by-section analysis of that term
further below. To ensure full consideration of all related comments,
the CFPB also describes that comment here in the context of other
comments regarding checkout buttons associated with general-use
digital consumer payment applications provided by nonbank covered
persons.
\221\ As discussed in the impacts analysis in parts VII and
VIII, a comment from certain Members of Congress also stated that
providers of general-use digital consumer payment apps could pass
the cost of the rule onto merchants, including small merchants, that
accept the apps as a payment method. For the reasons explained in
the impacts analysis, the CFPB does not have information to indicate
that larger participants are likely to pass through a significant
portion of these costs to merchants. As the impacts analyses further
explain, the costs of the Final Rule are not high and, even if they
were passed through, that would be spread across the very high
number of merchants that accept one or more of these apps as a
method of payment.
---------------------------------------------------------------------------
[[Page 99611]]
Some industry and nonprofit commenters appeared to have interpreted
the statement in the preamble regarding the scope of the CFPB's
authority under CFPA section 1002(15)(A)(vii) as potentially intended
to narrow or alter the scope of the exclusion in paragraph (C). For
example, several Members of Congress, stated that the scope of the
market definition was ambiguous because, on the one hand, the Proposed
Rule excluded merchant and marketplace payment functions in
circumstances described in paragraph (C), but on the other hand, the
preamble of the Proposed Rule stated that the statutory exclusion in
CFPA section 1002(15)(A)(vii)(I) does not apply to these functions when
they use payments data for purposes beyond processing a payments
transaction. Similarly, an industry association commenter suggested
that, due to the proposal's interpretation of 1002(15)(A)(vii)(I), the
Proposed Rule would apply to merchants processing payments on their own
behalf because retailers widely use financial data for purposes beyond
processing transactions. Because it did not understand the CFPB to be
seeking to cover merchants' payment processing in this rule, it called
for the CFPB to remove this interpretation from the Final Rule to
ensure that its scope is focused on the general-use digital consumer
payment applications that create risks to consumers that the CFPB has
identified. Another industry association suggested that the
interpretation appeared designed to increase CFPB scrutiny of merchants
through supervision. In their view, if the CFPB exercises jurisdiction
over merchants on the basis described in the interpretation above, that
could make it more difficult for merchants to combat fraud, cause
merchants to raise prices or reduce discounts, and cause merchants to
decrease reliance on newer, competitive forms of payment. Finally, a
law firm also indicated it was unclear whether the interpretation of
the CFPA was intended to narrow the scope of paragraph (C).
In addition to expressing uncertainty regarding its impact on the
scope of paragraph (C), some industry commenters disagreed with the
Proposed Rule's interpretation of the CFPB's payments processing
authority in CFPA section 1002(15)(A)(vii). In particular, they
asserted that the proposal's interpretation of the exclusion in CFPA
section 1002(15)(A)(vii)(I) was invalid because it would have the
result that many merchants would not satisfy the exclusion. In addition
to the comments described above, comments from two industry
associations stated that merchants use payments data for a variety of
purposes that they described as beneficial to consumers, such as
research, fraud prevention, targeted marketing of discounts, and even
routing of transactions consistent with Federal Reserve Regulation II
to reduce the cost of payment acceptance. Because they viewed those
uses as potentially for purposes other than initiating the payment
transaction, these commenters believed that merchants would almost
never be eligible for the exclusion in 1002(15)(A)(vii)(I) under the
CFPB's interpretation of it. One of these commenters added that that
result would contravene general intent of Congress to exclude merchants
from the CFPA, including pursuant to CFPA section 1027(a). Relatedly,
they stated that the proposed interpretation would harm consumers by
disincentivizing merchants from engaging in all of these uses of
consumer payments data. On the other hand, a consumer group supported
the proposal's interpretation of the exclusion in CFPA section
1002(15)(A)(vii)(I). This commenter stated that digital wallets collect
and monetize high amounts of consumer data, including through
transactions that occur on marketplaces, without oversight.
Some commenters addressed the inclusion of consumer credit
transactions in the proposed definition of ``consumer payment
transactions'' in general, as well as the related exclusion in
paragraph (D) for extensions of credit made using a digital application
provided by the person extending credit or its affiliated company.
With respect to the inclusion of consumer credit transactions
generally, several commenters including an industry provider and two
nonprofits generally recognized that pass-through payment wallets
facilitate both debit card and credit card transactions (among other
types of transactions). However, a nonprofit commenter disagreed with
the proposal's inclusion of a creditor's transfer of funds in the
definition of ``consumer payment transaction.'' In its view, expanding
the scope of CFPB supervisory authority beyond electronic funds
transfers subject to Regulation E could lead companies to invest less
in tokenization and anti-fraud technologies and could disincentivize
allocation or use of credit for consumers who prefer general-use
digital consumer payment applications.
With respect to the proposed exclusion in paragraph (D), an
industry association stated that the Final Rule should clarify that
this exclusion applies to nonbanks that partner with other financial
institutions to offer consumer credit products that fund consumer
payment transactions. The commenter stated that in these arrangements,
the nonbank may provide a consumer-facing digital application through
which the consumer accesses an extension of credit made and issued by a
third-party financial institution. It stated that the third-party
financial institution extends credit by transferring funds directly to
the consumer (which the commenter stated would not qualify as a payment
by the consumer to another person). Through its mobile application, the
nonbank then may facilitate the consumer's use of those funds to make a
payment.
A banking trade association and a payment network stated that it
was uncertain whether the proposed market included the extension of
credit through what it referred to as buy-now-pay-later (BNPL)
applications. It stated that the rule should provide illustrative
examples of covered consumer credit products and clarify whether BNPL
applications are eligible for the proposed exclusion in paragraph (D)
in light of uncertainty as to whether BNPL providers are extending
credit. They also stated that it was unclear why the CFPB would exclude
BNPL applications, since they function similarly to other activities
described in the Proposed Rule and also have grown rapidly as a means
for consumers to pay for the purchase of goods and services. They
stated that the CFPB should include participants in what they referred
to as the BNPL market within the scope of this rule, or in a separate
larger participant rulemaking.
Finally, several consumer groups called for the rule to clarify
whether proposed paragraph (D) applies to funds transfers by earned
wage advance products and services, given that some nonbanks that
provide those products and services claim not to be extending consumer
credit.
Response to Comments Received
After considering comments on the inclusion of certain digital
assets transactions in the proposed definition of ``consumer payment
transaction,'' the CFPB has decided, for purposes of this
[[Page 99612]]
Final Rule, to exclude such transactions from coverage under the Rule.
The CFPB intends to continue to gather data and information regarding
the nature of such transactions and the impact of digital assets
transactions on consumers, and to take further action as appropriate.
For example, the CFPB has considered comments from industry and others
stating that some digital asset products and services, such as so-
called unhosted or self-hosted wallets, may not currently be able to
collect the data necessary to administer the larger-participant test
that would be applied to establish supervisory authority. Based on the
limited data and information these commenters provided in their
comments, the CFPB is not prepared in this Final Rule to determine
whether and how to distinguish between hosted and unhosted wallets. As
further discussed below, the CFPB is implementing this change by
updating the larger participant threshold to only consider U.S. dollar
transactions (see section-by-section analysis of ``threshold'' below).
In addition, for purposes of defining what qualifies as a
``consumer payment transaction'' covered by the Final Rule, the CFPB
has considered the industry association and nonprofit comments,
including the survey described above, which indicate that most market
participants may be more familiar with assessing where a consumer
resides \222\ than where the consumer is located at the time of any
given consumer payment transaction (which can change from transaction
to transaction, especially when consumers make payments using mobile
phones). Thus, to facilitate administration of the larger-participant
test, rather than adopting the proposal to base coverage of consumer
payment transactions on whether the consumer is physically located in a
State at the time of the transaction, the Final Rule defines ``consumer
payment transactions'' as subject to the rule based on whether the
consumer is a U.S. resident, as described further below.\223\
---------------------------------------------------------------------------
\222\ See Reg. E, cmt. 3(a)-3 (stating that regulation E applies
to all persons providing EFT services to U.S. residents through
U.S.-located accounts). Regulation Z, which governs consumer credit
card transactions, also links its scope to residency in a State. See
Reg. Z, cmt. 1(c)-1.
\223\ The CFPB declines the industry association suggestion to
further narrow ``consumer payment transactions'' to those that U.S.
residents make (1) from a location in a State (2) using a payment
card issued by a U.S. bank or a stored value account provided by a
U.S. financial institution. The CFPB believes that limiting
``consumer payment transactions'' to U.S. residents will address the
commenter's concerns regarding the inadvertent coverage of foreign
residents' transactions using accounts issued by foreign
institutions while traveling to the United States. The additional
changes the commenter suggests are not necessary or appropriate in
the context of this rule. This rulemaking is not defining a market
for payment cards or stored value accounts. The market activity is
not providing an ``account''; rather, it is facilitating consumer
payment transactions through a general-use digital consumer payment
application. Such activity can facilitate payments from accounts
held by third-party financial institutions. Therefore, the
nationality of the provider of the underlying account is not
necessarily relevant.
---------------------------------------------------------------------------
With regard to comments on the proposed exclusion in paragraph (C)
of the definition of ``consumer payment transaction,'' the CFPB agrees
with the consumer group comments that online marketplaces can pose
risks to consumers when they sell payments data. Nonetheless, as
discussed above, the market definition does not include or exclude
activities based on the level of risk they pose. In addition, the law
firm commenter reasonably notes that consumers seek out marketplace
platforms for the goods and services they offer, including from third-
party marketplace sellers.\224\ In that way, consumers seek out a
marketplace platform for purposes that differ from the payment-focused
purposes for which they seek out a general-use digital consumer payment
application. Therefore, the Final Rule treats a merchant or marketplace
conducting payment transactions for sales through its own platform as
distinct from the activity included in the market defined in this
rule.\225\ The CFPB believes that it is therefore appropriate to
exclude such transactions from this Final Rule in paragraph (C).
Finally, with regard to the consumer group comment that marketplace
operators can grow into general-use consumer payment applications, the
Rule accounts for that. If those operators do expand into general-use
consumer payment applications and qualify as larger participants under
this rule, they will be subject to the CFPB's supervisory authority.
---------------------------------------------------------------------------
\224\ See also FTC, Buying From an Online Marketplace (Sept.
2022) (``In general, online marketplaces connect buyers and
sellers.''), https://consumer.ftc.gov/articles/buying-online-marketplace (last visited Nov. 7, 2024).
\225\ Relatedly, the CFPB also disagrees with the law firm
commenter to the extent it was suggesting that the proposed
exclusion in paragraph (C) would not apply to a payment transaction
conducted by an online marketplace on behalf of a third-party
seller. Under the terms of the proposed exclusion, when a consumer
selects goods or services from an online marketplace and the
marketplace operator conducts the consumer payment transaction, that
would have been excluded by paragraph (C) even if a third-party
seller was involved in the sale.
---------------------------------------------------------------------------
Regarding the definition of ``marketplace'' in proposed paragraph
(C), the CFPB agrees that in some circumstances it may be complex to
evaluate the level of prominence of an entity's branding on a
marketplace platform. As the proposal noted, major payment network
rules include that standard to define a marketplace. However, it is
unclear to the CFPB how administrable that standard is in that context.
Accordingly, as discussed further below, the Final Rule does not adopt
the proposed limitation on the exclusion related to the prominence of
branding.
The CFPB declines the commenter's further suggestion that the rule
expressly incorporate a definition of ``marketplace'' in the INFORM
Act.\226\ While the CFPB believes that platforms that qualify as
``online marketplaces'' under the INFORM Act generally would qualify as
marketplaces for purposes of the exclusion in paragraph (C), the INFORM
Act definition is limited to online marketplaces for third party
sellers of a ``consumer product,'' defined by reference to certain
``tangible personal property[.]'' \227\ The Proposed Rule referred more
broadly to a marketplace for sale of goods or services. And, as noted
above, incorporating the INFORM Act is not necessary to ensure
exclusion of marketplace platform payments to third-party sellers. For
these reasons, the CFPB believes the language in the Proposed Rule is
more appropriate in this context and expressly incorporating the
definition in the INFORM Act is unnecessary.
---------------------------------------------------------------------------
\226\ 15 U.S.C. 45f(f)(4).
\227\ 15 U.S.C. 45f(f)(2) (incorporating definition of
``consumer product'' in 15 U.S.C. 2301(1) and associated
implementing regulations).
---------------------------------------------------------------------------
The CFPB agrees with the industry association commenter that stated
that the rule should apply to general-use digital consumer payment
applications on a consistent basis, including when consumers click on
buttons on merchant or online marketplace websites to access general-
use digital consumer payment applications provided by third parties. As
the commenter suggested, covering these consumer financial products and
services serves the CFPB's statutory objective of ensuring consistent
enforcement of Federal consumer financial law to promote fair
competition, as discussed further above. However, in response to
comments about coverage of consumer payment transactions initiated
through online merchant checkout processes that rely on payment
buttons, the CFPB seeks to clarify the scope of the market definition.
The market consists of providing, through a digital payment
application, a general-use covered payment functionality. As discussed
above, some market participants have
[[Page 99613]]
pursued a deliberate strategy of ``embedded finance,'' through which
nonbank providers of general-use digital consumer payment applications
embed them into nonfinancial digital applications. Given the market
reliance upon ``embedded finance'' as a way of promoting general-use
digital consumer payment applications, it is reasonable for the Rule
not to exclude that activity merely because it is embedded. However,
that does not mean the Rule covers the merchant that embeds a payment
button on its ecommerce website. When a merchant displays on its
ecommerce website a payment button for an unaffiliated third-party's
general-use digital consumer payment application, the merchant is not
itself providing a covered payment functionality as defined in the
Rule. The CFPB understands that these buttons operate as application
programming interfaces (APIs) or redirects to launch the general-use
digital consumer payment application provided by the third party.\228\
In these circumstances, for purposes of the market definition in this
Rule, the third party is providing the general-use digital consumer
payment application, not the merchant. For these reasons, the CFPB
disagrees with industry commenters' suggestions that the Rule needs an
exclusion for ecommerce checkout processes. Further, the CFPB does not
agree that, because merchants individually agree to offer payment
buttons linking to digital consumer payment applications provided by
unaffiliated nonbanks, this indicates that the third party's digital
consumer payment application does not have general use. Under the Final
Rule, as discussed further below, ``general use'' is based on whether
the consumer can use the digital consumer payment application to pay
more than one unaffiliated person. For example, the same payment button
may appear on the websites of thousands of different merchants, each of
which may have its own acceptance agreement with the provider of the
associated general-use digital consumer payment application.\229\ The
app associated with the payment button can have general use for the
consumer, who can use it to make online purchases virtually anywhere
that payment button appears on an ecommerce site on the internet.\230\
---------------------------------------------------------------------------
\228\ See, e.g., Lotus Lin, E-commerce APIs Introduction,
Medium.com (Mar. 24, 2023) (describing how some providers of
general-use digital consumer payment applications provide payment
gateway APIs), https://medium.com/@lotus.lin/e-commerce-apis-
introduction-29664558a3b0 (last visited Nov. 7, 2024); PYMNTS, Buy
Buttons (``Branded buy buttons are usually placed underneath the
standard `buy' or `pay' button on the merchant's checkout page and
make it possible for consumers to pay for something without
establishing an account with that merchant. Branded buy buttons use
payment credentials that consumers have stored with the buy button
brands. PayPal is the most widely accepted buy button, with Amazon
Pay, Google Pay and Apple Pay also gaining acceptance in apps and
online.''), https://www.pymnts.com/tag/buy-buttons/ (last visited
Nov. 7, 2024).
\229\ Merchants often accept consumers' payments through well-
known digital payment applications by agreeing to the terms and
conditions imposed by the provider. One-way digital consumer payment
applications gain general use is through acceptance across multiple
unaffiliated merchants. See, e.g., Apple, Tap to Pay on iPhone
(``Before your app can enable Tap to Pay on iPhone and configure a
merchant's device, the merchant must accept the relevant terms and
conditions.''), https://developer.apple.com/design/human-interface-guidelines/tap-to-pay-on-iphone (last visited Nov. 7, 2024); Apple
Pay Platform Web Merchant Terms at https://developer.apple.com/apple-pay/terms/apple-pay-web/ (last visited Nov. 7, 2024); Amazon
Pay, Getting started for merchants at https://pay.amazon.com/business/getting-started (last visited Nov. 7, 2024); Google Pay API
Terms of Service at https://payments.developers.google.com/terms/sellertos (last visited Nov. 7, 2024); Meta Pay onboarding contract
described at https://developers.facebook.com/docs/meta-pay/overview#onboarding (last visited Nov. 7, 2024); PayPal Developer
Agreement (Mar. 21, 2022) (describing how holders of business
accounts can use APIs and a PayPal Button) at https://www.paypal.com/us/legalhub/xdeveloper-full?locale.x=en_US (last
visited Nov. 7, 2024); Samsung Pay, Web Payments Integration Guide
at https://developer.samsung.com/internet/android/web-payments-integration-guide.html (last visited Nov. 7, 2024); Venmo Approved
Business Account Addendum (effective date Jan. 24, 2019) at https://venmo.com/legal/us-business-addendum/ (last visited Nov. 7, 2024).
In addition, a payment processor that online merchants use describes
examples of digital wallets that merchants can accept through its
software. See Stripe, Wallets: Learn about wallet payments with
Stripe (stating that the payment processor has ``created a single
integration for all wallets that works across [its] products'' and
identifying numerous such payment methods it enables), https://stripe.com/docs/payments/wallets (last visited Nov. 7, 2024).
\230\ With regard to industry comments that payment buttons do
not pose risks to consumers, the CFPB considers the comments about
risks to consumers from various types of market activity in the
response to general comments above. For the reasons discussed above,
this rulemaking is not the vehicle in which the CFPB must assess
such risks. Rather, the CFPB takes risk into account when
prioritizing entities for examination and scoping examinations. As a
result, to the extent that any given larger participant's general-
use digital consumer payment application does in fact pose low risks
to consumers, then the CFPB supervision program is designed to
ensure they are at low risk for examination.
---------------------------------------------------------------------------
The CFPB also seeks to clarify that the CFPB's statement regarding
the scope of its authority under CFPA section 1002(15)(A)(vii) was not
intended to narrow or otherwise alter the scope of the exclusion in
paragraph (C). Paragraph (C) generally excludes transactions in which a
merchant or online marketplace conducts payments to itself for sales
through its platform. The Proposed Rule discussed the scope of CFPA
section 1002(15)(A)(vii) to clarify that the CFPA describes a broader
set of activities including in some circumstances those that may be
excluded by paragraph (C). In other words, certain payment transactions
may fall within the CFPA's authority under the CFPA but not qualify as
``consumer payment transactions'' for purposes of this larger
participant rule. In summary, the CFPB proposed the exclusion in
paragraph (C) for the purpose of defining the scope of the market and
not the scope of its statutory authority under CFPA section
1002(15)(A)(vii). That said, the CFPB does not share the view expressed
by some industry commenters that the proposal's discussion of the
exclusion in CFPA section 1002(15)(A)(vii) was contrary to the
provision's language or would lead to results that Congress did not
intend. However, the validity of this Final Rule does not depend on the
correctness of the proposal's interpretation of CFPA section
1002(15)(A)(vii) because, as noted above, the market definition does
not encompass the full extent of the CFPB's authority under that
provision. Therefore, it is not necessary for the CFPB to further
address comments regarding that interpretation in this Final Rule.
With regard to the proposed coverage of consumer credit
transactions in the definition of ``consumer payment transaction,'' as
several commenters acknowledged, pass-through payment wallets commonly
facilitate transactions using both debit cards and credit cards.
Because market participants commonly provide digital applications that
facilitate consumer payment transactions using both debit card and
credit cards (among other payment methods), the Final Rule
appropriately includes consumer payment transactions that use both
types of payment cards in the market. The CFPB disagrees with the
nonprofit commenter to the extent it was suggesting that paragraph (D)
should have excluded all consumer credit transactions or that the
definition of ``consumer payment transaction'' should only apply to
payments made from a consumer's asset accounts.\231\ Excluding all
consumer credit transactions from the market would not be consistent
with the way nonbanks often provide these consumer
[[Page 99614]]
financial product and services in the market.\232\
---------------------------------------------------------------------------
\231\ Contrary to the commenter's suggestion, by including
consumer credit transactions in the definition of ``consumer payment
transactions,'' the Proposed Rule would not have expanded the scope
of substantive consumer protections including Regulation E. This
rulemaking does not amend or modify Regulation E. As the Proposed
Rule explained, a larger participant rule merely establishes
supervisory authority and does not impose any new substantive
consumer protection regulation.
\232\ The Final Rule discusses other comments seeking exclusion
of pass-through payment wallets in the discussion of ``covered
payment functionality'' further below.
---------------------------------------------------------------------------
In addition, the commenter did not provide support for its view
that including consumer credit transactions in the definition of
``consumer payment transactions'' could create economic incentives for
firms to reduce credit card lines or fraud protections. For several
reasons, the CFPB disagrees with the commenter, to the extent it was
suggesting that its general concerns over potential incentives
warranted excluding general-use digital consumer payment applications'
facilitation of consumer credit transactions. First, the commenter did
not offer a persuasive rationale for the Rule to treat consumer credit
transactions that nonbanks facilitate through digital payment
applications differently from payments from asset accounts, when
general-use digital consumer payment applications facilitate both, as
noted above. Second, the commenter did not explain why it believed that
the supervisory authority the rule would establish over nonbank larger
participants could disincentivize allocation or usage of revolving
lines of consumer credit through general-use digital consumer payment
application. Such an impact is unlikely, given that the lender's own
app-based lending activity can be excluded by paragraph (D) and the
CFPB already supervises much of the lending activity in the credit card
market.\233\ Finally, with regard to market participants' investments
in tokenization and anti-fraud protections, the commenter did not
explain why larger participants would seek to offset the costs of CFPB
examination by specifically reducing investment in anti-fraud
protections or provide evidence or otherwise show that the rule would
create a meaningful disincentive to engage in these activities. The
CFPB believes that it is also possible that, after the Final Rule takes
effect, larger participants will continue investing in such
technologies as part of their efforts to avoid risks to consumers and
non-compliance with Federal consumer financial law. As with the
commenters' other concerns, the CFPB does not believe that this general
concern regarding potential incentives warrants excluding the
facilitation of consumer credit transactions from the Final Rule.
---------------------------------------------------------------------------
\233\ Proposed paragraph (D) already clarified that the market
definition is not based on the activity of extending credit.
Moreover, the CFPB already supervises very large insured depository
institutions and insured credit unions, which issue the bulk of
consumer credit cards in the United States, as well as their service
providers. CFPB, The Consumer Credit Card Market (Oct. 2023), sec.
2.21 (annual CARD Act report discussing concentration in the credit
card issuance market, with the top 30 issuers representing 95
percent of credit card loans in 2022, and 3,800 smaller banks and
credit unions accounting for five to six percent of the market).
With regard to the potential for larger participants to pass through
costs of the Rule to others, the Final Rule discusses this issue in
part VII below.
---------------------------------------------------------------------------
However, as the Proposed Rule explained,\234\ by including consumer
credit transactions in the definition of ``consumer payment
transaction,'' the CFPB does not seek to define this payments market in
a manner that encompasses ``consumer lending activities by lenders
through their own digital applications.'' In particular, the CFPB is
not seeking to define a market for extending consumer credit, such as
the market it defined in the larger participant rule for automobile
financing originations. The CFPB therefore proposed the exclusion in
paragraph (D) to maintain a distinction between payments-focused
activity (included in the market) and consumer credit originations
(excluded by paragraph (D)). The CFPB declines the suggestion by the
industry comment to expand the scope of this market to include what it
described as the buy-now-pay-later market.\235\ For the same reason,
the CFPB agrees with the industry association commenter that a nonbank
should be eligible for the exclusion in paragraph (D) when it provides
a digital application to initiate a consumer credit transaction and
also engages in a set of activities directed at originating the
extension of consumer credit, regardless of who is extending the credit
(and even if a third-party financial institution such as a bank or
credit union is extending the credit). Accordingly, the CFPB is
clarifying paragraph (D) in the Final Rule as described below to
describe additional activities integral to consumer credit originations
that would be part of the eligibility criteria for the exclusion,
including brokering, purchasing, or acquiring the extension of
credit.\236\ If a nonbank provides a digital application to initiate
consumer credit transactions and engages in those other activities in
connection with those consumer credit transactions, then the CFPB
believes it generally is engaged in consumer credit origination
activity, which is not the focus of this rulemaking. By excluding
extensions of consumer credit in the circumstances described in
paragraph (D), the Final Rule excludes the transfer of funds resulting
from that extension of credit, such as a consumer's payment to a
merchant for goods and services from the funds provided by a credit
card issuer. In light of the distinguishing characteristics of loan
origination activities and the other reasons set forth above, the
Bureau declines to include such loan origination activity in the market
for which this Final Rule defines larger participants. As the Bureau
has explained, this larger-participant rulemaking is only one in a
series. Nothing in this Final Rule precludes the Bureau from
considering in future larger-participant rulemakings other markets for
consumer financial products or services that might include certain
types of consumer credit origination activity.
---------------------------------------------------------------------------
\234\ 88 FR 80197 at 80204.
\235\ See also CFPB, Interpretive Rule, Truth in Lending
(Regulation Z); Use of Digital User Accounts to Access Buy Now, Pay
Later Loans, 89 FR 47068, 47071 (May 31, 2024) (BNPL Interpretive
Rule) (discussing how BNPL providers facilitate extension of
consumer credit marketed as BNPL loans). The CFPB also notes that
the exclusion in paragraph (D) is not limited to extension of
consumer credit by ``creditors'' as defined in TILA.
\236\ See, e.g., CFPB section 1002(15)(A)(i) (describing
activities associated with consumer credit origination ``including
acquiring, purchasing, selling, brokering, or other extensions of
credit[]''); CFPB Automobile Financing Larger Participant Rule, 12
CFR 1090.108(a)(i)(4) (defining automobile financing
``originations'' as including ``[p]urchases or acquisitions'' of
automobile purchase loans, their refinancings, and leases).
---------------------------------------------------------------------------
However, as revised, paragraph (D) does not exclude pass-through
payment wallet functionalities that facilitate consumer payments from
accounts issued by third-party financial institutions that the pass-
through payment wallet functionality provider did not originate by
engaging in the activities described above (such as extending,
brokering, acquiring, or purchasing the extension of credit). As a
result, the definition of ``consumer payment transaction'' adopted in
the Final Rule still captures the general activities of pass-through
payment wallets, which often facilitate consumer payment transactions,
whether through funds they hold, funds they receive, or debit cards or
credit cards provided by third-party financial institutions.\237\
---------------------------------------------------------------------------
\237\ This approach is consistent with other Federal consumer
financial laws and their implementing regulations, which treat that
activity as part of a consumer payments market. See e.g., Regulation
Z, cmt. 13(a)(3)-2 (describing a ``third-party payment intermediary,
such as a person-to-person internet payment service, funded through
the use of a consumer's open-end credit plan[ ]''). In light of the
examples discussed in this paragraph, the CFPB does not believe
changes to paragraph (D) or specification of illustrative examples
in that paragraph are needed. It also is not the purpose of this
Final Rule to define who is extending credit, which will depend on
facts and circumstances that are beyond the scope of this rulemaking
or the comments received.
---------------------------------------------------------------------------
The CFPB also seeks to provide clarification about the scope of
[[Page 99615]]
``consumer payment transactions'' in light of the consumer groups'
comment noting that some providers of earned wage products do not treat
their transactions as extensions of consumer credit, and seeking
clarification of whether they qualify as ``consumer payment
transactions'' included in the market. Specifically, the CFPB seeks to
clarify how the proposed definition of ``consumer payment transaction''
applied to a payment by or on behalf of a consumer to another person.
As explained above, ``consumer payment transaction'' for purposes of
the proposed market definition did not include ``transfers between a
consumer's own deposit accounts[ or] transfers between a consumer
deposit account and the same consumer's stored value account held at
another financial institution, such as loading or redemptions[.]''
\238\ Consistent with that approach, the CFPB also did not intend and
does not believe that earned wage products generally would be included
in the market because they transfer wages belonging to or advanced on
behalf of a consumer to that same consumer.\239\ Similarly, for clarity
and administrability, the CFPB does not interpret the market definition
as including payments by or on behalf of a consumer to other accounts
the consumer owns or controls in which another person, such as a spouse
co-owner or minor child, also holds an interest.\240\
---------------------------------------------------------------------------
\238\ 88 FR 80197 at 80203.
\239\ See, e.g., CFPB, Data Spotlight: Developments in the
Paycheck Advance Market (July 18, 2024) (``Earned wage products
provide workers access, before their payday, to a portion of their
earned but unpaid wages or to funds that purport to equal or
approximate a portion of their unpaid wages.''), https://www.consumerfinance.gov/data-research/research-reports/data-spotlight-developments-in-the-paycheck-advance-market/ (last visited
Nov. 7, 2024).
\240\ For example, a payment functionality usable for an adult
to transfer funds to K-12 school lunch accounts for the benefit of
two or more minor children would not be included in the market
because the adult transferor typically owns or controls the
recipient account.
---------------------------------------------------------------------------
Final Rule
For the reasons described above, the CFPB adopts the proposed
definition of ``consumer payment transaction'' with four changes, as
described below.
First, for the reasons discussed above in the responses to
comments, the Final Rule covers consumer payment transactions made by
or on behalf of a consumer ``who resides in'' a State, rather than a
consumer ``physically located'' in a State as stated in the Proposed
Rule. As a result, when a nonbank provides a general-use digital
consumer payment application to a person who does not reside in a
State, the transactions it facilitates for that person would not be
included in the market. The CFPB believes that this change will make
the larger-participant test for this Final Rule more administrable
because, unlike a consumer's physical location, a consumer's country of
residence does not constantly change. Since the comments indicate that
some companies may not currently collect data on consumer location at
the time of making a payment, this change in the Final Rule also will
avoid inadvertently creating a potential incentive for market
participants to collect such data to determine larger participant
status.
Second, for reasons discussed above in the responses to comments,
the Final Rule clarifies the exclusion in paragraph (C) for payment
transactions conducted by certain merchants and marketplace operators.
Specifically, the Final Rule does not adopt the proposed requirement
that the marketplace be operated ``prominently in the name of'' the
excluded person or its affiliated company. This change will make the
larger-participant test more administrable by avoiding the need to
evaluate the form or extent of name branding when evaluating which
entities qualify for the exclusion, as discussed above.
Third, the Final Rule modifies paragraph (C) to confirm that the
Final Rule excludes a payment transaction conducted by a person for a
donation to a fundraiser that a consumer selected from the person or
its affiliated company's platform. In the Proposed Rule, the CFPB did
not intend to include payment platforms provided solely to facilitate
donations to fundraisers. Such donation platforms would not have had
``general use'' under the proposal and therefore transactions would not
have been within the scope of the proposed market. Because the Final
Rule revises the definition of ``general use'' as described below to
generally apply to payment functionalities that are usable to
facilitate consumer payment transactions to more than one unaffiliated
person, a platform that facilitates donations to multiple unaffiliated
persons could be part of the market in some circumstances in the
absence of another exclusion. Thus, consistent with the scope of the
Proposed Rule, the Final Rule modifies the definition of ``consumer
payment transaction'' to clarify that those transactions would not be
in the market.
Fourth, for the reasons discussed above in responses to comments,
the Final Rule clarifies paragraph (D) to exclude extensions of
consumer credit initiated through a digital application that is
provided by a person who is extending, brokering, acquiring, or
purchasing the credit or that person's affiliated company. As explained
above, by referring to digital application-based initiations of
consumer credit transactions by persons engaged in these additional
activities of brokering, acquiring, or purchasing the extension of
credit, the exclusion in paragraph (D) better defines a payments market
in this Rule by excluding activities that are distinguishable as being
part of a market for consumer credit originations.
Covered Payment Functionality
Proposed Rule
The proposed market definition would have applied to providing
covered payment functionalities through a digital application for a
consumer's general use in making payment transactions. Proposed Sec.
1090.109(a)(2) would have defined two types of payment functionalities
as covered payment functionalities: a funds transfer functionality and
a wallet functionality. Proposed Sec. 1090.109(a)(2) would have
defined each of those two functionalities as described below. The CFPB
requested common on each proposed definition, and whether it should be
modified, and if so, how and why.
A nonbank covered person would have been participating in the
proposed market if its market activity includes only one of the two
functionalities, or both functionalities. Similarly, a particular
digital application may provide one or both functionalities. A
nonbank's level of participation in the proposed market would not have
been based on which functionality is involved; rather, it would have
been based on the annual covered payment transaction volume as defined
in proposed Sec. 1090.109(b).
The CFPB proposed to treat these two covered payment
functionalities as part of a single market for general-use digital
consumer payment applications. As the Proposed Rule noted, the
technological and commercial processes these two payment
functionalities use to facilitate consumer payments may differ in some
ways. However, consumers can use both types of covered payment
functionalities for the same common purposes, such as to make payments
for retail spending and sending money to friends and family. For
example, a funds transfer functionality may transfer a consumer's funds
in a linked stored value account to a merchant to pay for goods or
services, or to friends or
[[Page 99616]]
family. Similarly, a wallet functionality may transmit a stored payment
credential to facilitate a consumer's payment to a merchant or to
friends and family. Indeed, the same nonbank covered person may provide
a digital application that encompasses both functionalities depending
on the payment method a consumer chooses. For example, a nonbank
covered person's digital application may allow the consumer to access a
wallet functionality to make a payment using a credit card for which a
third party extends credit, or a funds transfer functionality to make a
payment from a stored value account the nonbank provides. The role
these two functionalities play in a single market therefore was driven
by their common uses, not their specific technological and commercial
processes.
(A) Funds Transfer Functionality
The first payment functionality included in the definition in
covered payment functionality in proposed Sec. 1090.109(a)(2) was a
funds transfer functionality. Paragraph (A) would have defined the term
``funds transfer functionality'' for the purpose of this rule to mean,
in connection with a consumer payment transaction: (1) receiving funds
for the purpose of transmitting them; or (2) accepting and transmitting
payment instructions.\241\ These two types of funds transfer
functionalities generally described how nonbanks help to transfer a
consumer's funds to other persons, sometimes referred to as P2P
transfers. The nonbank either already holds or receives the consumer's
funds for the purpose of transferring them, or it transmits the
consumers payment instructions to another person who does so. Paragraph
(1), for example, would have applied to a nonbank transferring funds it
holds for the consumer, such as in a stored value account, to another
person for personal, family, or household purposes. Even if the nonbank
providing the funds transfer functionality does not hold or receive the
funds to be transferred, it generally would have qualified under
paragraph (2) by transmitting the consumer's payment instructions to
the person that does hold or receive the funds for transfer. Paragraph
(2), for example, would have applied to a nonbank that accepts a
consumer's instruction to send money from the consumer's banking
deposit account to another person for personal, family, or household
purposes, and then transmits that instruction to other persons to
accomplish the fund transfer. As the Proposed Rule noted, a common way
a nonbank may engage in such activities is by acting as a third-party
intermediary to initiate an electronic fund transfer through the
automated clearinghouse (ACH) network. Another common way to do so
noted in the Proposed Rule is to transmit the payment instructions to a
partner depository institution. However, in some circumstances, a
nonbank may be able to execute a consumer's payment instructions on its
own, such as by debiting the consumer's account and crediting the
account of the friend or family member, without transmitting the
payment instructions to another person. In those circumstances, the
nonbank generally would have been covered by paragraph (1) because, to
conduct the transaction in this manner, the nonbank typically would be
holding or receiving the funds being transferred.
---------------------------------------------------------------------------
\241\ As stated in the Proposed Rule, 88 FR 80197 at 80205 n.64,
such funds transfer services are consumer financial products or
services under the CFPA. See 12 U.S.C. 5481(5)(A) (defining
``consumer financial product or service'' to mean a financial
product or service ``offered or provided for use by consumers
primarily for personal, family, or household purposes[ ]''). The
CFPA defines a ``financial product or service'' to include
``engaging in deposit-taking activities, transmitting or exchanging
funds, or otherwise acting as a custodian of funds or any financial
instrument for use by or on behalf of a consumer[.]'' 12 U.S.C.
5481(15)(A)(iv); see also 12 U.S.C. 5481(29) (defining
``transmitting or exchanging funds''). The CFPA also defines a
``financial product or service'' to include generally ``providing
payments or other financial data processing products or services to
a consumer by any technological means, including processing or
storing financial or banking data for any payment instrument,''
subject to certain exceptions. 12 U.S.C. 5481(15)(A)(vii).
---------------------------------------------------------------------------
(B) Wallet Functionality
The other payment functionality included in the definition in
covered payment functionality in proposed Sec. 1090.109(a)(1) was a
wallet functionality. Paragraph (B) would have defined the term wallet
functionality as a product or service that: (1) stores account or
payment credentials, including in encrypted or tokenized form; and (2)
transmits, routes, or otherwise processes such stored account or
payment credentials to facilitate a consumer payment transaction.\242\
Through this proposed definition, the proposed market would have
included payment functionalities that work together first to store
account or payment credentials and second, to process such data to
facilitate a consumer payment transaction.
---------------------------------------------------------------------------
\242\ As stated in the Proposed Rule, 88 FR 80197 at 80205 n.65,
the wallet functionality as described above is a consumer financial
product or service under the CFPA. See 12 U.S.C. 5481(15)(A)(vii)
(defining ``financial product or service'' to include ``providing
payments or other financial data processing products or services to
a consumer by any technological means, including processing or
storing financial or banking data for any payment instrument, or
through any payments systems or network used for processing payments
data, including payments made through an online banking system or
mobile telecommunications network,'' subject to certain exceptions);
see also 12 U.S.C. 5481(5)(A) (defining ``consumer financial product
or service'' to mean a financial product or service ``offered or
provided for use by consumers primarily for personal, family, or
household purposes'').
---------------------------------------------------------------------------
As indicated above, paragraph (B)(1) of the proposed definition of
``wallet functionality'' would have clarified that ``account or payment
credentials'' can take the form of encrypted or tokenized data. Storage
of account or payment credentials in these forms would have satisfied
the first prong of the ``wallet functionality'' definition. For
example, the first prong would have been satisfied by storing an
encrypted version of a payment account number or a token \243\ that is
specifically derived from or otherwise associated with a consumer's
payment account number.
---------------------------------------------------------------------------
\243\ As the Proposed Rule noted, tokens now are often used for
wallets to store a variety of payment credentials including network-
branded payment cards. See, e.g., Manya Saini, Visa tokens overtake
payments giant's physical cards in circulation, Reuters.com (Aug.
24, 2022) (describing how VISA's token service ``replaces 16-digital
Visa account numbers with a token that only Visa can unlock,
protecting the underlying account information.''), https://www.reuters.com/business/finance/visa-tokens-overtake-payments-giants-physical-cards-circulation-2022-08-24/ (last visited Oct. 23,
2023); In re Mastercard Inc., FTC Docket No. C-4795 (Complaint dated
May 13, 2023) ]] 24-32 (describing how payment cards are
``tokenized'' for use digital wallets by ``replacing the
cardholder's primary account number (`PAN') [ ] with a different
number to protect the PAN during certain stages of the [ ]
transaction.''), https://www.ftc.gov/system/files/ftc_gov/pdf/2010011C4795MastercardDurbinComplaint.pdf (last visited Oct. 23,
2023); American Express, American Express Tokenization Service,
https://network.americanexpress.com/globalnetwork/products-and-services/security/tokenization-service/ (last visited Oct. 23,
2023); Discover Digital Exchange, Powering digital payment
experiences, https://www.discoverglobalnetwork.com/solutions/technology-payment-platforms/discover-digital-exchange-ddx/ (last
visited Oct. 23, 2023).
---------------------------------------------------------------------------
Paragraph (B)(2) of the proposed definition of ``wallet
functionality'' described the types of processing of stored account or
payment credentials that would have fallen within this definition. For
example, consumers commonly use wallet functionalities provided through
digital applications to pay for purchases of goods or services on
merchant websites. To facilitate such a consumer payment transaction, a
consumer financial product or service may transmit a stored payment
credential to a merchant, its payment processor, or its website
designed to accept payment credentials provided by the wallet
functionality. This type of product or service would have been covered
by paragraph (B)(2).
[[Page 99617]]
Comments Received
Some commenters supported the inclusion of the range of payment
functionalities described in the proposed definition of ``covered
payment functionality.'' For example, one nonprofit stated that its
members surveyed generally supported the proposed definitions of
``funds transfer functionality'' and ``wallet functionality'' and that
the latter adequately described digital wallets in use today. A
merchant trade association stated that the market should include
digital wallet offerings from nonbanks, including when offered by
nonbanks through joint ventures or partnerships with banks or payment
networks. In their view, if a nonbank develops and determines how the
service operates, then regardless of the involvement by a bank or
payment network, the CFPB should supervise the nonbank to ensure fair
competition. In addition, as described at the outset of the section-by-
section analysis above, other commenters including consumer groups and
banking industry associations generally supported the Proposed Rule
without raising concerns regarding the proposed definition of ``covered
payment functionality.''
On the other hand, as discussed in the section-by-section analysis
of general comments on the proposed market definition in Sec.
1090.109(a)(1) above, several industry and nonprofit commenters stated
that the Proposed Rule inappropriately grouped what they described as
different markets, including funds transfer functionalities and wallet
functionalities, as well as a number of subtypes of each, into a single
market. The Final Rule responds to those comments above. In addition,
as described below, some commenters stated that the rule should exclude
certain activities from the proposed definition of ``covered payment
functionality.'' These comments either sought to remove entire
components of the proposed definition of ``covered payment
functionality,'' to limit the scope of the term in the context of
nonbank/bank partnerships, or to clarify that the term did not include
what they described as business-to-business services.
Some comments stated that the market definition should not include
what they called payment-method or pass-through wallets captured by the
proposed definition of ``wallet functionality.'' For consistency, the
Final Rule refers to these products and services as pass-through
payment wallets. A nonbank firm stated that the rule should exclude
from the definition of ``wallet functionality'' the storage and
transmission of payment credentials for accounts held at or issued by
third-party financial institutions (which it called a ``payment method
wallet''). In its view, payment method wallets do not provide consumers
access to their funds because they do not store the funds.\244\ It
stated that supervising the nonbank provider of the payment method
wallet would provide no benefit beyond existing supervision by CFPB and
other Federal agencies of these third-party financial institutions,
which includes supervision for compliance with protections under
Regulation Z against billing errors in credit card transactions and
Regulation E in debit card transactions. In support of that conclusion,
it outlined its position that payment method wallets are not subject to
EFTA or Regulation E because they do not issue an asset account used to
make the payment and they do not provide an ``access device'' for an
asset account because any stored debit card is the access device for
purposes of Regulation E.\245\ Some industry association commenters
also stated that some market participants were not financial
institutions under either Regulation E or under Regulation P
implementing the GLBA, and that the Proposed Rule therefore did not
articulate why CFPB supervision of those firms would be beneficial or
overstated its benefits.\246\
---------------------------------------------------------------------------
\244\ In its view, they also do not receive funds for purpose of
transmitting them on behalf of the consumer because they generally
agree to accept payments as an agent of the merchant.
\245\ Another industry association suggested that the Final Rule
clarify whether the CFPB considers a mobile phone to be an access
device for purposes of Regulation E. The commenter also stated that
entities may face competing obligations or burdens under this larger
participant rule and a personal financial data rights rule the CFPB
may adopt. It stated that both rules would apply to ``digital
wallets'' but, in its view, define them differently. It called for
the CFPB to establish a regulatory safe harbor under which
compliance with a personal financial data rights rule does not
determine application of the larger participant rule, and vice-
versa.
\246\ The nonbank firm mentioned above generally stated that
payment method wallets generally posed low if any risk to consumers
and stated that the Proposed Rule did not establish that payment
method wallets pose any special or heightened risk to consumers'
data related to GLBA/Regulation P compliance compared with other
products and services not included within the market definition. In
response to general comments further above, the Final Rule responds
to comments about the consideration of risk in larger participant
rules.
---------------------------------------------------------------------------
A law firm commenter also stated that the term ``wallet
functionality'' should be removed from the market definition. It stated
that, because the proposal defined ``consumer payment transaction'' as
involving a transfer of funds, all such transactions will involve a
``funds transfer functionality'' that will always be subject to
supervision. It also viewed providers of a ``wallet functionality''
that does not hold and move funds as excluded from the scope of EFTA
and Regulation E. As a result, in its view, supervision of persons
providing a ``wallet functionality'' would be unnecessary, duplicative,
and not responsive to the same level of risk to consumers.\247\
Alternatively, this commenter and another industry trade association
stated that the rule should address uncertainty over potential coverage
of internet browsers; the Final Rule describes and responds to those
comments in more detail in the section-by-section analysis of ``digital
application'' further below.
---------------------------------------------------------------------------
\247\ Again, as noted above, the Final Rule summarizes and
responds to comments regarding the consideration of risk to
consumers at the outset of the section-by-section analysis above.
---------------------------------------------------------------------------
An industry association stated that the rule should narrow the
proposed definition of ``wallet functionality'' by dropping the
reference to storage and transmission of payment credentials that are
in ``tokenized form.'' It noted that consumers' personal identification
information, such as a driver's license, can be tokenized to create
digital ``identity credentials'' that consumers can use for what it
described as non-financial purposes such as identity verification and
``commerce purposes.'' It stated that if the rule does not remove the
reference to ``tokenized form'' form, then it should clarify that term
only applies to tokenization of what it called ``existing'' payment
credentials. It stated that the clarification was necessary to ensure
that the market definition does not cover non-financial applications of
tokenization that the CFPB lacks the authority to regulate.
Finally, two industry associations stated that the proposed term
``wallet functionality'' includes ``pass-through digital wallets'' that
cannot legally be included in the market definition because they
qualify as ``electronic conduit services'' defined in CFPA section
1002(15). They described pass-through payment wallets as holding and
passing on payment information, such as card numbers, and as
maintaining a record of such information. They stated that ``pass-
through digital wallets'' are electronic conduit services because only
data, not funds, flow through the wallet.\248\
---------------------------------------------------------------------------
\248\ One of these commenters noted that certain pass-through
payment wallets may participate in the flow of funds when they act
as a third-party payment processor, but even in those circumstances,
pass-through payment wallets should not be covered either because
they, in the commenter's view, pose low risk as evidenced by their
being excluded from money transmitter laws.
---------------------------------------------------------------------------
[[Page 99618]]
Other industry comments called for removing part of the definition
of ``funds transfer functionality.'' A few industry trade associations
stated that the rule should remove accepting and transmitting payment
instructions from the definition of ``funds transfer functionality.''
They stated that many firms transmit payment instructions, and State
money transmitter laws generally exclude this type of payment
processing because, in their view, that is a lower-risk activity due
the payment processor not holding or receiving funds, which instead are
held at Federally-regulated financial institutions.
Other industry comments called for excluding activities that do not
involve the holding or receipt of funds in certain circumstances, which
they generally described as posing lower risk than other market
participants. An industry association and a nonbank firm stated that
the rule should exclude nonbanks providing payment services in
partnership with or as service providers to depository institutions.
According to their description, these nonbanks typically develop,
market, and provide a digital application to consumers on behalf of as
and a service provider to a bank or credit union. They described the
nonbank as serving solely as a service provider, regardless of whether
the digital application is branded in the name of the nonbank. They
stated that the nonbank provides these services solely to establish the
consumer as a customer of the bank or credit union and to facilitate
consumer payment transactions from accounts held by the bank or credit
union either in the name of or ``for benefit of'' the consumer. They
stated that the bank or credit union processes the consumer payment
transactions. For example, the nonbank may receive and transmit the
consumer's payment instructions to the partner bank to transmit funds.
The nonbank commenter acknowledged that covering nonbank activities
that facilitate payments from accounts held by nonbanks would help
align supervision of nonbanks and banks. However, in the view of these
commenters, facilitating payments of funds held in accounts at partner
banks or credit unions is a different activity that should not be
included in the market. For example, compared to what they described as
``stand-alone'' nonbank payment applications, they stated the digital
applications that nonbanks provide as partners with banks and credit
unions pose lower risk to consumers due to existing Federal prudential
regulators' oversight of the banks and credit unions and their third-
party relationships.\249\ These commenters also stated that, in their
view, excluding this type of activity from the market definition (or
otherwise from the larger-participant test) would prevent duplicative
Federal supervision between the CFPB and prudential banking regulators.
One of these commenters also stated the exclusion would be consistent
with the rule's goal of defining the market to exclude taking of
deposits.\250\ For example, this commenter stated that this type of
activity is subject not only to the prohibition against unfair,
deceptive, and abusive practices, but also to consumer protections
governing deposit accounts. They also stated that, to meet the
expectations of Federal prudential banking regulators, banks have
extensive mechanisms for overseeing the third-party nonbanks that
provide the consumer-facing or ``front end'' digital application, and
that these mechanisms further reduce risks posed by these activities.
Another industry association called for CFPB to make unspecified
clarifications to the scope and requirements of the Proposed Rule to
ensure close coordination between the CFPB and other regulators to
prevent duplicative or diverging regulatory requirements of nonbanks
that partner with depository institutions and credit unions.
---------------------------------------------------------------------------
\249\ These commenters also asserted that existing oversight of
the depository institutions provides sufficient oversight of this
type of activity; the Final Rule addresses comments regarding
existing oversight above. One commenter also suggested that
establishing oversight in this rulemaking would violate a memorandum
of understanding between the CFPB and prudential regulators that
called for the CFPB to prevent unnecessary duplication of effort.
However, the comment misconstrued that memorandum of understanding.
As explained further above in the discussion of comments on existing
oversight, that memorandum of understanding does not seek to prevent
overlapping authority; instead, where overlapping authority exists,
it provides mechanisms for coordinating across agencies to minimize
the types of duplication these commenters mentioned.
\250\ The nonbank firm also suggested that the Proposed Rule
appeared to purport to establish supervisory authority over a
nonbank that acts as a service provider to a bank with assets of $10
billion or less and not to a substantial number of such banks. In
its view, such a service provider is subject to the exclusive
supervision of a Federal banking agency, and assertion of CFPB
supervisory authority over the service provider would conflict with
CFPA section 1026(e), which only establishes authority over service
providers to a substantial number of such banks. It stated that the
CFPB may not take supervisory or enforcement action directly against
such a service provider, and instead may only take certain actions
specified in the CFPA related to the service provider, such as
accessing the Federal prudential regulators' reports of examination
of the service provider under CFPA section 1022(c)(6)(B).
---------------------------------------------------------------------------
In addition, a few industry associations requested that the rule
clarify that the market definition does not include activities that
they described in four different ways as business-to-business services
that nonbanks provide in connection with consumer payment transactions
for the purchase of goods and services. First, both commenters stated
that the market definition should exclude any portions of the process
or lifecycle associated with a consumer payment transaction that
involve exclusively business-to-business transactions and do not
directly involve the consumer. Second, both commenters stated that
companies that provide merchant payment processing would fall within
the market definition (and, as noted above, disagreed with that
result). However, one of the commenters pointed to what it viewed as
significant uncertainty over whether the market definition included
what it described as traditional third-party payment processing by
entities that enable merchants to accept payments. Third, both
commenters also referred to what they called covered payment
functionalities provided by a nonbank that its merchant customer offers
to consumers, who use the end product. Although the consumer is an end
user, they described such nonbank activities as facilitating
application functionalities between businesses that should be excluded
from the market definition.\251\ Fourth, one of these commenters stated
that, to avoid what it described as an unintended expansion of the
scope of the proposal, the CFPB should clarify that the rule does not
include what it described as ``back-office service providers or other
vendors.''
---------------------------------------------------------------------------
\251\ This commenter suggested this exclusion appear in the
definition of ``digital application.'' However, the Final Rule
considers the comment more broadly in relation to other comments
seeking exclusion of what they described as business-to-business
offerings.
---------------------------------------------------------------------------
Response to Comments Received
As discussed above in the Final Rule's response to comments on the
market definition in proposed Sec. 1090.109(a)(1), the CFPB disagrees
with comments suggesting that the market should be confined to entities
that receive or hold the funds being transferred in consumer payment
transactions, or that the market should cover consumer payment
transactions that transfer funds from nonbank accounts but not from
accounts provided by banks or credit unions. As the Proposed Rule
explained, the CFPB is seeking to define a market for general-use
digital consumer payment applications that facilitate consumer payment
transactions that transfer funds by or on behalf of the consumer,
[[Page 99619]]
regardless of where those funds may be held. As some industry
association comments regarding bank/fintech partnerships acknowledged,
the CPFB is not seeking to define a market for taking deposits in this
rule. Consistent with that purpose, nothing in the proposed definition
of ``covered payment functionality'' referred to engaging in the
``taking of deposits.'' Relatedly, holding or receiving funds is not a
requirement for facilitating consumer payment transactions and
participating in the market. Specifically, neither the form of ``funds
transfer functionality'' described in paragraph (2) of the definition
of that term nor the proposed ``wallet functionality'' definition were
based on receiving or holding funds.\252\ Excluding nonbanks that do
not hold or receive funds (or that only facilitate payment of funds
held at partner depository institutions) would result in an unduly
narrow market definition that essentially is limited to money
transmission, ignoring the role that other nonbank activities play in
initiating other very common consumer payment transactions through
general-use digital consumer payment applications. For example,
consumers have significantly increased their use of digital wallets to
make payments using network-branded payment cards issued by third-party
financial institutions.\253\ These include consumer credit card
transactions in which the lender transfers funds on behalf of the
consumer as part of an extension of credit. In these transactions and
in debit card transactions, the nonbank may not hold or receive funds
but it does initiate the consumer payment transaction at the consumer's
request by receiving and transmitting payment instructions or storing
and transmitting payment credentials.\254\ And in this way, it also
facilitates consumers' access to their funds, contrary to the
suggestion by an industry commenter.
---------------------------------------------------------------------------
\252\ In addition, while the first prong of ``funds transfer
functionality'' refers to receiving funds, that prong requires that
the funds be received for the purpose of transmitting them.
\253\ See, e.g., Worldpay, 2024 Global Payments Report, at 6
(describing ``key insight[ ]'' that ``[c]onsumer attraction to
digital wallets isn't a turn away from cards. In card-dominated
markets, card spend is simply shifting to digital wallets like Apple
Pay, Google Pay and PayPal. Viewed in total, card transaction values
are at an all-time high and continue to rise.''), at 148 (reporting
use of payment cards through digital wallets under the heading
``digital wallets'' and separately reporting ``direct card use'' for
debit cards and credit cards), https://worldpay.globalpaymentsreport.com/ (last downloaded Aug. 22, 2024);
Worldpay, Press Release, Worldpay Global Payments Report 2024:
Digital Wallet Maturity Ushers in a Golden Age of Payments (Mar. 21,
2024) (finding that ``in the U.S., credit and debit cards fund 65
percent of digital wallets in the market.''), https://www.businesswire.com/news/home/20240321666428/en/Worldpay-Global-Payments-Report-2024-Digital-Wallet-Maturity-Ushers-in-a-Golden-Age-of-Payments (last visited Nov. 7, 2024); How Are Consumers Funding
Mobile Wallets? PaymentsJournal (Apr. 1, 2024) (reporting that most
consumers use a debit card or credit card to fund a mobile wallet,
versus 36 percent who use the balance within the app, based on
Christopher Miller, 2023 North American PaymentInsights: U.S.:
Financial Services and Emerging Technologies Exhibit, Javelin
Research (July 21, 2023)), https://javelinstrategy.com/research/2023-north-american-paymentinsights-us-financial-services-and-emerging-technologies (last visited Nov. 7, 2024)), https://www.paymentsjournal.com/how-are-consumers-funding-mobile-wallets/
(last visited Nov. 7, 2024); Steve Cocheo, Consumers Have Embraced
Digital Wallets. But They Also Want Them to Be Better, The Financial
Brand (Mar. 28, 2024) (discussing the ``overlap between digital
wallets and cards.''), https://thefinancialbrand.com/news/payments-trends/digital-wallets-absorb-credit-cards-as-they-boom-worldwide-176418/ (last visited Oct. 24, 2024); J.D. Power, Debit Cards Still
Lead in Customer Satisfaction and Utilization, Even as Use of
Digital Wallets Grows (May 23, 2024) (survey projecting ``slow
deterioration'' in share of customers using physical version of
debit cards as they opt instead to use the debit cards as a payment
method stored in digital wallets), https://www.jdpower.com/business/resources/debit-cards-still-lead-customer-satisfaction-and-utilization-even-use-digital (last visited Nov. 7, 2024): Nicole
Murgia & Lily Varon, Digital Payments Have Surpassed Traditional
Payments In The US, Forrester Research (Feb. 29, 2024) (reporting
survey data finding that ``69% of U[.]S[.] online adults said that
they had used a digital payment method over the past three months to
make a purchase. That's well ahead of the just over half of online
adults who used a credit card or who used cash. That said, it's
important to remember that cards often are the underlying payment
instrument in growing digital payment scenarios.''), https://www.forrester.com/blogs/digital-payments-have-surpassed-traditional-payments-in-the-us/ (last visited Nov. 7, 2024); Mastercard,
Mastercard reimagines online checkout; commits to reaching 100% e-
commerce tokenization by 2030 in Europe (June 11, 2024), https://www.mastercard.com/news/press/2024/june/mastercard-reimagines-online-checkout-commits-to-reaching-100-e-commerce-tokenization-by-2030-in-europe/ (last visited Nov. 7, 2024).
\254\ The Final Rule responds to general comments about the
applicability of Regulation E and Regulation P in the section-by-
section analysis of the market definition further above.
---------------------------------------------------------------------------
Excluding these activities from the market would result in a gap in
the CFPB's supervisory oversight at the very start of the chain of
activities that lead a consumer payment transaction to occur. Yet
consumers naturally may look to the provider of that consumer financial
product or service for help resolving problems. And a credit union
trade association commenter stated that credit union customers can find
it difficult to obtain prompt resolution of errors that involve a
nonbank platform. A group of State attorneys general also cited a
survey indicating that more 77 percent of consumers encountered
difficulty obtaining resolution from the nonbank's customer
service.\255\
---------------------------------------------------------------------------
\255\ Consumer Reports P2P Survey at 9 (reporting results of
questions about services provided by payment apps such as PayPal,
Venmo, Apple Pay, Google Pay, or Zelle). The Proposed Rule, 88 FR
80197 at 80200 n.25, also identified this survey.
---------------------------------------------------------------------------
As to industry commenter claims that nonbank market participants
pose lower risk because the funds consumers use to make payments are
held by other regulated and supervised financial institutions such as
banks, credit unions, or money transmitters, this rulemaking does not
define who is included or excluded in the market based on findings of
relative risk. More specifically, the CFPB does not assess in this
rulemaking the relative risk of activities to initiate payments from
funds held or received by others; rather, as explained further above,
the CFPB considers the risks that a market and its larger participants
pose to consumers when determining how to exercise its authority to
conduct examinations of such persons.
The CFPB also disagrees that the market should exclude nonbanks
with a service-providing or partnership relationship with the
depository institution that holds the funds used to make the payment.
As discussed in the response to general comments above, covering these
activities furthers the CFPB's statutory objective of ensuring
consistent compliance with Federal consumer financial law without
regard to the status of a person as a depository institution to promote
fair competition. The CFPB similarly disagrees with the law firm
commenter's claim that, when a consumer initiates a consumer payment
transaction in reliance on a general-use wallet functionality a nonbank
provides through a digital application, there is no need to include
that activity in the market because another supervised institution,
such as a depository institution, may be providing a funds transfer
functionality. Two institutions, including a depository institution and
a nonbank, may work together to provide a covered payment
functionality. For example, a depository institution may accept payment
instructions from a nonbank general-use digital consumer payment
application provider. A supervisory review that only considers how the
depository institution processes those instructions would presume that
there is no significance to the role of the nonbank in relaying those
instructions to the depository institution. Yet by design, the conduct
of both institutions can affect the degree to which consumers' payments
data is protected, legitimate transactions proceed without error or
delay, and unauthorized transactions do not occur. The nonbank may even
assume primary responsibility for providing the consumer interface,
such
[[Page 99620]]
as a digital application, and making representation to consumers about
the speed, cost, and other aspects of payments it facilitates. As
noted, it is not the purpose of this rule to enumerate, quantify, and
weigh such risks because the rule does not seek to define a market that
includes only high-risk activity. Rather, the purpose of this rule is
to establish authority to examine larger participants in this market.
Through operation of that program the CFPB can detect, assess, and as
needed, address risks to consumers and markets, and otherwise conduct
its risk-based supervision program for the purposes established in CFPA
section 1024(b)(1).
In addition, for the reasons explained above in response to general
comments about existing Federal and State oversight of some aspects of
market activity, the CFPB does not define the market based on the
degree to which another regulator oversees certain persons, such as a
partner bank, its nonbank partner, or any other nonbank that
facilitates a given consumer payment transaction. The CFPB also does
not define the market based on whether market participants also may act
as a service provider to another financial institution.\256\
---------------------------------------------------------------------------
\256\ The CFPB disagrees with the nonbank firm's comment to the
extent it was suggesting that in general a service provider to
financial institutions cannot also be a nonbank covered person, or,
more specifically that provisions in CFPA sections 1025(d) or
1026(e) describing the CFPB's supervisory authority over service
providers to banks and credit unions displace the CFPB's authority
under section 1024(a) over nonbank covered persons. Under the CFPA,
a firm can act both as a service provider and as a provider of a
consumer financial product or service. See 12 U.S.C. 5481(26)(C)
(``A person that is a service provider shall be deemed to be a
covered person to the extent that such person engages in the
offering or provision of its own consumer financial product or
service.''). And with respect to the CFPB's supervisory authority,
no provision in CFPA sections 1024, 1025(d), or 1026(e) states that
1024(a) is displaced by 1025(d) or 1026(e). By contrast, CFPA
section 1024(a)(3)(A) expressly provides that CFPA section 1024,
which includes the larger participant rulemaking authority in CFPA
section 1024(a)(1)(B), shall not apply to persons described in
section 1025(a) and 1026(a), which refer to insured depository
institutions, insured credit unions, and certain of their
affiliates. It does not refer to 1025(d) or 1026(e). Accordingly, if
a nonbank is a covered person because it provides a consumer
financial product or service, then the CFPB may establish
supervisory authority over the nonbank covered person via a larger
participant rulemaking under section 1024(a)(1)(B) even if in the
course of its activity the nonbank also acts as a service provider
to a bank or credit union.
---------------------------------------------------------------------------
The CFPB also disagrees with the two industry associations that
argued that certain pass-through digital wallets are subject to the
CFPA's exclusion for ``electronic conduit services'' because they only
store and transmit card information, and not funds.\257\ The commenters
did not meaningfully analyze the language of the CFPA's definition of
``electronic conduit services,'' which undermines their argument in at
least two ways.\258\ First, the definition applies to the
``intermediate or transient storage'' of electronic data--i.e., to data
storage for a limited time.\259\ However, as the commenters appear to
acknowledge, pass-through digital wallets generally store payment
credential or account information on a persistent or indefinite basis
(so that it can be used to make payments as needed). Because they do
so, pass-through digital wallets do not qualify for the exclusion for
electronic conduit services. Second, the commenters incorrectly
conclude that the electronic conduit service exclusion necessarily
applies where a provider only handles data (and not funds). For
example, by its terms, that exclusion does not apply to a provider who
``selects . . . the content of the electronic data'' being stored or
transmitted.\260\ Pass-through digital wallets generally are designed
to store and transmit specific data regarding a payment card (the card
number, expiration date, and CVV) provided by the consumer. Providers
of such wallets thus ``select[ ] . . . the content of the electronic
data'' that the wallets store and transmit, and therefore do not
qualify for the electronic conduit services exclusion.\261\
---------------------------------------------------------------------------
\257\ The CFPA excludes ``electronic conduit services'' from the
definition of ``financial product or service.'' 12 U.S.C.
5481(15)(C)(ii). The term ``electronic conduit services'' ``(A)
means the provision, by a person, of electronic data transmission,
routing, intermediate or transient storage, or connections to a
telecommunications system or network; and (B) does not include a
person that provides electronic conduit services if, when providing
such services, the person--(i) selects or modifies the content of
the electronic data; (ii) transmits, routes, stores, or provides
connections for electronic data, including financial data, in a
manner that such financial data is differentiated from other types
of data of the same form that such person transmits, routes, or
stores, or with respect to which, provides connections; or (iii) is
a payee, payor, correspondent, or similar party to a payment
transaction with a consumer.'' 12 U.S.C. 5481(11).
\258\ Because the commenters do not provide any information
regarding how the pass-through digital wallets they describe operate
on a technological level, there may be additional reasons, beyond
those discussed in this Final Rule, why such wallets do not qualify
as electronic conduit services. For example, providers of such
wallets may transmit financial data ``in a manner that such
financial data is differentiated from other types of data of the
same form'' that the providers transmit. 12 U.S.C. 5481(11)(B)(ii).
\259\ 12 U.S.C. 5481(11)(A); cf. Hately v. Watts, 917 F.3d 770,
785 (4th Cir. 2019) (construing similar phrase ``temporary,
intermediate storage'' in Stored Communications Act to refer to
electronic communications ``while they are stored `for a limited
time' `in the middle' of transmission'' (quoting In re DoubleClick
Inc. Privacy Litig., 154 F. Supp. 2d 497, 512 (S.D.N.Y. 2001)).
\260\ See id. 5481(11)(B)(i). Similarly, the exception for
differentiated electronic data in subsection 1002(11)(B)(ii) could
apply where a provider only handles data, and not funds. See id.
5481(11)(B)(ii).
\261\ In addition, as discussed above, some digital wallets
``tokenize'' payment information, which involves replacing the
cardholder's account number with a different number at certain
stages of the transaction, in order to protect the account number.
That activity of creating new payment information to facilitate a
payment goes beyond the role of a mere conduit, which is limited to
providing ``electronic data transmission, routing, intermediate or
transient storage, or connections to a telecommunications system or
network[.]'' 12 U.S.C. 5481(11)(A).
---------------------------------------------------------------------------
With regard to the industry association commenters that sought
exclusion of business-to-business services that nonbanks provide in
connection with consumer payment transactions for the purchase of goods
and services, the CFPB disagrees that a new exclusion is needed. With
regard to ecommerce websites where the consumer can use a payment
button, as explained above in the discussion of comments on the
definition of ``consumer payment transaction,'' the market does not
include a merchant on the basis of it placing a payment button on its
website that launches a general-use digital consumer payment
application provided by an unaffiliated third party (rather, the market
simply includes the third-party app that the payment button launches).
With regard to other examples that the industry association commenter
cited--service providers or other vendors, including those that may act
as traditional payment processors and participate in facilitating
business-to-business transactions during the lifecycle of a consumer
payment transaction--the Final Rule clarifies that the market generally
does not cover that activity. For purposes of this Final Rule, the term
``covered payment functionality'' would not cover a nonbank that
operates in a consumer payment transaction process solely as an
intermediary between two businesses, such as where the consumer does
not ``access'' a ``digital application'' to make a payment.\262\ In
addition, when consumers provide their payment credential through the
website of a single merchant solely for use at that merchant and its
affiliated companies, the merchant payment processor processing that
payment credential (whether for a single transaction or by storing the
card on file for repeat use) is not providing covered payment
functionality that has ``general
[[Page 99621]]
use'' based on how the Final Rule defines that term as usable for
making payments to multiple unaffiliated persons as discussed
below.\263\
---------------------------------------------------------------------------
\262\ In any event, the Final Rule also adopts a revised
definition of the term ``covered payment functionality'' that
focuses on receiving funds ``from'' the consumer or storing account
or payment credentials ``for'' a consumer.
\263\ Similarly, a consumer may use a general-use digital
consumer payment application to make a payment in a physical store
by ``tapping'' their mobile phone that contains the app on a gateway
payment terminal at the checkout counter. As the proposed Rule
explained, a gateway terminal, which is a computing device merchants
acquire, is not a ``digital application'' as defined in the Proposed
Rule because it is not a personal computing device of the consumer.
88 FR 80197 at 80206. Thus a merchant payment processor would not be
engaged in market activity solely based on operating or accepting
payments data through such a terminal.
---------------------------------------------------------------------------
In light of these clarifications and changes adopted in the Final
Rule, the CFPB disagrees that a broader, general ``business-to-
business'' exclusion is warranted.\264\ Such an exclusion would not be
consistent with the structure of nonbank provider's market activities,
which involve intermediation between consumers and payment recipients.
When consumers sign up as a customer for a nonbank's general-use
digital consumer payment application, they do so in order to use the
app to make payments to multiple unaffiliated persons. The consumer
payment transactions they make by accessing that digital application
fall within the market, even though the app provider also may conduct
those transactions under the umbrella of a business-to-business
contract such as a merchant acceptance agreement.\265\
---------------------------------------------------------------------------
\264\ These clarifications relate to the scope of the market.
Some entities may be acting as a service provider to a market
participant. The Final Rule does not alter the scope of CFPB
authority over service providers conferred by the CFPA. As the
Proposed Rule explained, CFPA section 1024(e) expressly authorizes
the supervision of service providers to nonbank covered persons
encompassed by CFPA section 1024(a)(1), which includes larger
participants. Adding an express exclusion for service providers in
the Final Rule could cause confusion over the CFPB's authority to
supervise such entities.
\265\ As discussed above, many businesses provide general-use
digital consumer payment applications to consumers and facilitate
their payments through business-to-business acceptance agreements
with merchants. At the same time, as also discussed above, the
market definition adopted in the Final Rule does not cover the
merchant, even when it provides a payment button that launches the
third-party's general-use digital consumer payment application.
---------------------------------------------------------------------------
Final Rule
For the reasons described above, the CFPB adopts the proposed
definition of ``covered payment functionality'' with certain minor
clarifying changes.
First, the Final Rule changes ``wallet functionality'' to ``payment
wallet functionality.'' As discussed above, some commenters raised
questions about whether the Proposed Rule would have applied to digital
wallets (or the part of their functionalities) that store and transmit
data unrelated to consumer payments. Because the terms ``digital
wallet'' and ``wallet'' have varied uses, this revision provides
greater precision and prevents confusion.\266\
---------------------------------------------------------------------------
\266\ The CFPB declines to adopt the industry commenter's
suggestion that the Final Rule include a safe harbor under which
compliance with the CFPB's personal financial data rights rule does
not determine application of this larger participant rule, and
coverage under the larger participant rule does not determine
application of the personal financial data rights rule. The comment
did not identify any specific differences between the two proposals'
approach to covering digital wallets that it found to be
significant, or explain how application of one rule could affect
application of the other. In fact, application of one rule does not
determine application of the other. The text of each rule governs
its scope. Further, because this Final Rule does not impose
substantive consumer protection obligations, it does not modify the
scope of the personal financial data rights rule. In any event, as
noted above, to the extent an entity is a larger participant under
this rule and also is subject to the personal financial data rights
rule when compliance is required in the future, CFPB examinations of
that entity may review compliance with the personal financial data
rights rule. Further, this treatment is consistent with CFPB
examinations of depository institutions with more than $10 billion
in assets; i.e., the CFPB currently examines these institutions'
compliance with applicable requirements of Federal consumer
financial law (e.g., the EFTA and its implementing Regulation E) and
may examine their compliance with the personal financial data rights
rule after compliance is required.
---------------------------------------------------------------------------
Second, the definition of ``funds transfer functionality'' is
revised to clarify that the funds received or instructions accepted
must be ``from a consumer'' to qualify as market activity. Similarly,
the definition of ``payment wallet functionality'' is revised to
clarify that account or payment credentials must be stored ``for a
consumer'' to satisfy the first prong of that that definition. As
discussed above, nonbanks are not participating in the market when
providing a payment functionality that a consumer does not access
through a digital application. Consistent with that approach, these
clarifications to the definition of ``covered payment functionality''
similarly confirm that nonbank firms that do not engage with consumers
through digital applications would not be providing a ``covered payment
functionality.'' For example, for purposes of this Final Rule that term
would not cover a nonbank that operates in a consumer payment
transaction process solely as an intermediary between two businesses.
The CFPB does not believe this is a significant change from the
Proposed Rule, since the proposed market definition only would have
applied to providing a payment functionality ``for consumers' general
use'' in the first place. But for the avoidance of doubt, the Final
Rule includes this additional clarification on this point.
Digital Application
Proposed Rule
The proposed market definition would have applied to providing
covered payment functionalities through a digital application for a
consumer's general use in making consumer payment transactions.
Proposed Sec. 1090.109(a)(2) would have defined the term ``digital
application'' as a software program accessible to a consumer through a
personal computing device, including but not limited to a mobile phone,
smart watch, tablet, laptop computer, or desktop computer.\267\ The
proposed definition would have specified that the term includes a
software program, whether downloaded to a personal computing device,
accessible from a personal computing device via a website using an
internet browser, or activated from a personal computing device using a
consumer's biometric identifier, such as a fingerprint, palmprint,
face, eyes, or voice.\268\
---------------------------------------------------------------------------
\267\ The Proposed Rule noted that the definition considers
whether the digital application is accessible through a personal
computing device, not whether a particular payment is made using a
computing device that a consumer personally owns. For example, if a
consumer logs into a digital application through a website using a
work or library computer and makes a consumer payment transaction,
the transfer would be subject to the Proposed Rule if that digital
application is one a consumer also may access through a personal
computing device.
\268\ The Proposed Rule noted for example that some nonbanks
allow consumers to use interactive voice technology to operate the
nonbank's application that resides on the phone itself. See, e.g.,
Lory Seraydarian, Voice Payments: The Future of Payment Technology?,
PlatAI Blog (Mar. 7, 2022) (software firm analysis reporting that
major P2P participants ``allow their customers to use voice commands
for peer-to-peer transfers.''), https://plat.ai/blog/voice-payments/
(last visited Oct. 23, 2023).
---------------------------------------------------------------------------
The Proposed Rule explained how market participants may provide
covered payment functionalities through digital applications in many
ways. For example, a consumer may access a nonbank covered person's
covered payment functionality through a digital application provided by
that nonbank covered person. Or, a consumer may access a nonbank
covered person's covered payment functionality through a digital
application provided by an unaffiliated third-party such as another
nonbank, a bank, or a credit union.\269\ In either case,
[[Page 99622]]
a consumer typically first opens the digital application on a personal
computing device and follows instructions for associating their deposit
account, stored value account, or other payment account information
with the covered payment functionality for use in a future consumer
payment transaction. Then, when the consumer is ready to initiate a
payment, the consumer may access the digital application again to
authorize the payment.
---------------------------------------------------------------------------
\269\ As the Proposed Rule noted, if a nonbank covered person
provides a covered payment functionality a consumer may access
through a digital application provided by a bank or credit union,
the Proposed Rule would have only applied to the nonbank. Insured
depository institutions, insured credit unions, and certain of their
affiliates are not subject to the CFPB's larger participant rules,
which rely upon authority in CFPA section 1024 that applies to
nonbanks. 12 U.S.C. 5514(a)(3)(A).
---------------------------------------------------------------------------
The Proposed Rule also explained how consumers have many ways to
access covered payment functionalities through digital applications to
initiate consumer payment transactions. To make a P2P payment, a
consumer may use an internet browser or other app on a mobile phone or
computer to access a nonbank covered person's funds transfer
functionality, such as a feature to initiate a payment to friends or
family or to access a general-use bill-payment function. The consumer
then may direct the nonbank covered person to transmit funds to the
recipient or the consumer may provide payment instructions for the
nonbank covered person to relay to the person holding the funds to be
transferred. Or, in an online retail purchase transaction, a consumer
may access a wallet functionality by clicking on or pressing a payment
button on a checkout screen on a merchant website. The consumer then
may log into the digital application or display a biometric identifier
to their personal computing device to authorize the use of a
previously-stored payment credential. Or, in an in-person retail
purchase transaction, a consumer may activate a covered payment
functionality by placing their personal computing device next to a
merchant's retail payment terminal. The digital application then may
transmit payment instructions or payment credentials to a merchant
payment processor. For example, a mobile phone may transmit such data
by using near-field communication (NFC) technology built into the
mobile phone,\270\ by generating a payment-specific quick response (QR)
code on the mobile phone screen that the consumer displays to the
merchant payment terminal, or by using the internet, a text messaging
system, or other communications network accessible through the mobile
phone.
---------------------------------------------------------------------------
\270\ See generally CFPB Contactless Payments Spotlight, supra.
---------------------------------------------------------------------------
Through the proposed definition of digital application, the
Proposed Rule would have excluded from the proposed market payment
transactions that do not rely upon use of a digital applications. For
example, gateway terminals merchants obtain to process the consumer's
personal card information are not personal computing devices of the
consumer. Merchants generally select these types of payment processing
services, which are provided to consumers at the point of sale to pay
for the merchant's goods or services. Their providers may be
participating in a market that is distinct in certain ways from a
market for general-use digital consumer payment applications. In
addition, the proposed definition of ``digital application'' would not
have covered the consumer's presentment of a debit card, a prepaid
card, or a credit card in plastic, metallic, or similar form at the
point of sale. In using physical payment cards at the point of sale, a
consumer generally is not relying upon a ``digital application''
because the consumer is not engaging with software through a personal
computing device to complete the transaction. However, when a consumer
uses the same payment card account in a wallet functionality provided
through a digital application, then those transactions would have
fallen within the market definition.
The Proposed Rule requested comment on the proposed definition of
``digital application,'' and whether it should be modified, and if so,
how and why. For example, the Proposed Rule requested comment regarding
whether defining the term ``digital application'' by reference to
software accessible through a personal computing device is appropriate,
and if so, why, and if not, why not and what alternative approach
should be used and why.
Comments Received
A consumer group supported the proposal's definition of a market
based on use of a ``digital application.'' It cited a 2021 industry
white paper observing that most financial transactions happen via
mobile apps, websites, email, text messages, and other digital
communications.\271\ In addition, as discussed above, many commenters
agreed that the market for general-use digital consumer payment
applications has grown rapidly and expressed support for the proposal
to supervise larger participants providing general-use digital consumer
payment applications. These commenters generally did not take issue
with or appeared to agree with the proposal's defining the market as a
digital market.
---------------------------------------------------------------------------
\271\ Google LLC Embedded Finance White Paper, supra, at 3.
---------------------------------------------------------------------------
Some consumer group commenters urged the CFPB to expand the market
definition beyond payments facilitated through digital applications, to
cover in-person domestic money transfers as well as payments consumers
make via telephone call to transfer funds to persons while incarcerated
and prepaid cards issued to such persons upon their release from
incarceration. They indicated this approach would be consistent with
the market definition in the international money transfer larger
participant rule, which was not limited to app-based payments. They
stated that some consumers that send funds to friends and family who
are incarcerated have incomes that are too low to afford easy access to
digital applications. They also described a risk of abusive practices
with release cards due to consumers' lack of choice among card issuers.
They further noted that the proposed market definition would not
encompass consumers' use of release cards outside of digital
applications, which they often do because they likely do not have
smartphones when they are released and need to use the funds
immediately.
Meanwhile, an industry association suggested that the ``digital
application'' limitation invalidates the market definition because it
does not satisfy principles of antitrust law due to excluding
reasonably interchangeable non-products with the same use case, such as
network-branded payment cards when used outside of a digital
application, whether by swiping a plastic card in-person or inputting
the card information manually to make a digital payment. This commenter
cited data that in its view indicated that those cards are still
preferred by consumers. Thus, in its view, general-use digital consumer
payment applications compete with physical payment methods as part of a
broader payment industry. In addition, a nonprofit commenter disagreed
with the ``digital application'' limitation because, in its view, it
incorrectly ascribes a special status to payments undertaken
digitally.\272\
---------------------------------------------------------------------------
\272\ A few industry associations also described the proposed
definition of ``digital application'' as vague. Their comments
appeared principally concerned not with what is a digital
application, but with who is providing a covered payment
functionality through a digital payment application. The Final Rule
responds to their comments in the section-by-section analysis of
``covered payment functionality'' above.
---------------------------------------------------------------------------
[[Page 99623]]
Other consumer groups and a nonprofit commenter called for
clarification of the definition of ``digital application'' including
its reference to use of a ``personal computing device.'' For example,
one consumer group suggested that the rule include additional examples
of a ``personal computing device'' because computer chips are versatile
and industry can use everyday items to facilitate payments and collect
consumers' payments data. They stated that some automobiles already
have ``smart dashboards'' that consumers may use to make purchases.
They added that home appliances, such as televisions and refrigerators,
also could be designed to facilitate purchases. They stated that some
smart appliances already allow consumers to use a digital wallet
provided by a third-party that is dominant in the market. They stated
that these devices should be included as examples of personal computing
devices that may facilitate market activity. On the other hand, a
nonprofit commenter stated that some of its members believed the
definition of ``personal computing device'' is vague and the rule needs
to expressly exclude public computers from that definition. This
commenter also stated some of its members believed that the definition
of ``digital application'' should be clarified to provide additional
examples of how a consumer ``may access'' the underlying software
program. They stated that the use of PINs and passwords should be added
to the examples in the definition.
Finally, two commenters raised questions about the applicability of
the Proposed Rule to internet browsers and functionalities they
provide. An industry association stated that the rule should clarify
whether internet browsers that store credit card information would be
considered to facilitate a consumer payment within the meaning of the
definition of ``covered payment functionality.'' In addition, a law
firm commenter stated that it did not understand the goal of the
Proposed Rule to cover generic web browser activity, but a
clarification would be necessary to avoid inadvertent coverage of that
activity because of what it described as ``payment-autofill functions''
provided by online platforms and applications. It cited specific
popular internet browsers as examples. It described payment autofill
functions as prepopulating a consumer's stored payment credential
information into checkout forms on a merchant website within the
platform's browser.\273\
---------------------------------------------------------------------------
\273\ Although it stated that it did not understand that the
goal of the Proposed Rule was to cover autofill functions of generic
web browsers, it stated that the autofill functionality could be
viewed as transmitting or otherwise processing a stored payment
credential under a broad reading of the proposed definition of
``wallet functionality'' discussed further above. However, in its
view, such a broad reading would be incorrect because transmission
of the payment credential for processing does not occur until the
consumer clicks the merchant's payment button and because it is the
merchant and their payment service providers that process the
payment.
---------------------------------------------------------------------------
Response to Comments Received
The CFPB agrees with the consumer group commenter that it is
appropriate to define the market at issue in this Final Rule as one
involving ``digital applications.'' As discussed above, such digital
applications have grown dramatically and become increasingly important
to the everyday financial lives of consumers.
With respect to the industry associations' comments suggesting that
the limitation of the market to ``digital application'' would be
inappropriate from the perspective of antitrust law because it excludes
consumers' use of physical network-branded payment cards, as discussed
above this Final Rule does not define a market for purposes of
antitrust law. As a consequence, CFPA section 1024(a)(1) does not
require a larger participant rule to define a market to include all
reasonably-interchangeable substitutes for a given consumer financial
product or service whether provided by nonbanks or insured banks or
credit unions.\274\
---------------------------------------------------------------------------
\274\ In any event, the CFPB notes that loading the card into a
third-party app for app-based use may be an indicator that the app
is a compliment rather than a substitute for the card. See Racing
for Mobile Payments, supra, sec. 2.1.2 (describing ``card-
complementing mobile payment systems'' like those provided by Apple,
Google, and Samsung in the United States).
---------------------------------------------------------------------------
In addition, the CFPB disagrees with the industry association's
comments because general-use digital consumer payment applications
often function in ways that are distinct from network-branded payment
cards, making it appropriate for the market defined in this Rule to be
limited to such digital applications. For example, as the most recent
Federal Reserve annual report on consumer payment preferences
indicates, consumers generally cannot or do not use network-branded
payment cards for making payments to friends and family outside of the
nonbank general-use digital consumer payment applications.\275\
Similarly, well-known general-use digital consumer payment applications
often provide a functionality that physical payment cards generally do
not have--the ability to load payment credentials for accounts held at
multiple unaffiliated financial institutions.\276\ This functionality
can be a significant one. According to one recent report, the average
consumer may have as many as eight network-branded payment cards.\277\
---------------------------------------------------------------------------
\275\ See 2024 Diary Findings, supra at 16 (indicating that when
used by themselves and not through payment apps, ``[d]ebit and
credit cards . . . typically are impractical or costly for P2P
transactions''). For example, American Express National Bank has
used PayPal and Venmo to facilitate credit card holders' P2P
transactions, as described at https://help.venmo.com/hc/en-us/articles/360058686993-Amex-Send-Split (last visited Nov. 7, 2024).
\276\ Some banks and credit unions offer an app-based wallet
functionality that facilitates payments using cards issued by
multiple unaffiliated card issuers. See Paze FAQs (describing how
consumers can add participating cards into the wallet from the Paze
website or through the bank or credit union's digital application),
https://www.paze.com/faqs (last visited Nov. 17, 2024); see also
VISA Blog, One card to rule them all (May 16, 2024) (describing VISA
plans to launch a new service in the United States allowing
consumers to use their card issuer's app to ``swap funding sources''
between different accounts the consumer holds with that same
issuer), https://usa.visa.com/visa-everywhere/blog/bdp/2024/05/14/one-card-to-1715696707658.html (last visited Nov. 7, 2024).
\277\ Jack Caporal, Credit and Debit Card Market Share by
Network and Issuer (Jan. 24, 2024) (citing Nilson Report data for
2022), https://www.fool.com/the-ascent/research/credit-debit-card-market-share-network-issuer/ (last visited Nov. 7, 2024).
---------------------------------------------------------------------------
The CFPB disagrees with the consumer group and nonprofit comments
to the extent they were suggesting that the ``digital application''
component of the proposed market definition would leave a significant
gap in the CFPB's supervisory authority with respect to the use of
network-branded payment cards including prison release cards. CFPA
section 1025(a) already grants the CFPB supervisory authority over very
large insured depository institutions and insured credit unions that
are among the largest issuers of network-branded payment cards. While
some insured depository institutions and insured credit unions with
assets of $10 billion or less also issue payment cards, including
prepaid cards, CFPA section 1024(a)(3)(A) specifically excludes all
insured depository institutions and insured credit unions from the
scope of a larger participant rule under CFPA section 1024(a)(1)(B).
Therefore, the CFPB does not have authority to use this rule to define
insured depository institutions or insured credit unions as larger
participants in this market. In any event, when a nonbank prepaid card
program manager facilitates consumers' use of these cards through the
card's proprietary digital application, such as to make payments to
friends and family, this activity may qualify as a consumer financial
product or service of the nonbank that already is included in the
[[Page 99624]]
market definition. And when consumers load these cards into a third-
party general-use digital consumer payment applications, the use of the
cards through those apps also would be included in the market
definition.
The CFPB also declines the suggestion by consumer group and
nonprofit commenters that the CFPB adopt in this Final Rule a market
that includes all domestic money transfers including those facilitated
by telephone call and through in-person transfers not mediated by a
digital application. As discussed above, a trend in the consumer
payments area has been the rapid growth in general-use digital consumer
payment applications including their payment wallet functionalities
that do not necessarily involve domestic money transmitting. The CFPB
adopts this Final Rule in response to that growth in an effort to
promote compliance with Federal consumer financial law and detect and
assess risks to consumers and the market, including emerging risks, and
to ensure consistent enforcement of Federal consumer financial law in
this area. When consumers make telephone- or in-person-based domestic
payments, the CFPB has other means of assessing risks they may pose to
consumers. For example, if a nonbank covered person has significant
involvement in that activity through the provision of a consumer
financial product or service, the CFPB can evaluate whether that poses
a risk to consumers sufficient to warrant a supervisory designation
under CFPA section 1024(a)(1)(C).
Further, consistent with its approach in the international money
transfer larger participant rule,\278\ the CFPB notes that it does not
seek in this rule to define a market that covers the entire universe of
consumer payment transactions that fall within the scope of the CFPB's
authority under the CFPA. This larger-participant rulemaking is only
one in a series, and nothing in this Final Rule precludes the Bureau
from considering in future larger-participant rulemakings other markets
for consumer financial products or services that might include non-
digital payment activities not included in the market defined by this
rule.
---------------------------------------------------------------------------
\278\ 79 FR 56631 at 56635-56636.
---------------------------------------------------------------------------
With regard to comments on specific aspects of the ``digital
application'' definition, the CFPB agrees with the members of the
nonprofit commenter that PINs and passwords may be common ways that
consumers use to access general-use digital consumer payment
applications. Device-specific codes called passkeys also are an
increasingly common way for digital applications, including general-use
digital consumer payment applications, to authenticate a consumer's
identity.\279\ The Final Rule therefore accounts for these examples, as
described below.\280\ The CFPB does not agree with the consumer group
commenter to the extent it was suggesting that the prospect of future
participation in the market by manufacturers of automobiles and smart
appliances such as televisions and refrigerators warranted adding those
types of devices to the list of example of personal computing devices
in the definition of ``digital application.'' Because the proposed
definition did not state that the list of examples of personal
computing devices was exhaustive, other devices may qualify as personal
computing devices. However, the research described in the Proposed Rule
indicates that general-use digital consumer payment applications are
predominantly distributed via mobile phones and computers. For that
reason, it is not necessary for the regulation text to identify
automobiles and smart appliances such as televisions and refrigerators
as additional examples of personal computing devices. The proposed
definition already was flexible enough to capture this activity if it
were to become common in the future. To the extent existing market
participants make their general-use digital consumer applications
accessible to consumers not only via mobile phones or computers, but
also via automobiles or smart home appliances manufactured by others,
that activity already would fall within the market definition
regardless of whether automobiles or smart home appliances qualify as
personal computing devices. As the Proposed Rule noted,\281\ if a
consumer may access a digital application through a personal computing
device, then consumers' use of the application would be included in the
market regardless of whether they access the application through other
means, such as a work or library computer. For that reason, the CFPB
also disagrees with the members of the nonprofit commenter that
suggested the rule needs to further differentiate between a personal
and a public computing device. They did not point to any examples that
should be classified in one category or the other.\282\
---------------------------------------------------------------------------
\279\ See, e.g., PayPal, PayPal Introduces More Secure Payments
with Passkeys (Oct. 24, 2022), https://newsroom.paypal-corp.com/2022-10-24-PayPal-Introduces-More-Secure-Payments-with-Passkeys
(last visited Nov. 8, 2024); Apple iPhone User Guide iOS 17, Use
passkeys to sign in to apps and websites on iPhone, https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios (last visited Nov. 8, 2024); Google,
Passkey support on Android and Chrome, https://developers.google.com/identity/passkeys/supported-environments (last
visited Nov. 8, 2024).
\280\ However, the inclusion of these examples does not
necessarily mean that a nonbank is participating in the market by
providing a product or service to manage a consumer's passwords.
Whether or not that activity falls within the market definition will
depend on whether it is conducted by a nonbank covered person as
part of providing a ``covered payment functionality'' with ``general
use.''
\281\ 88 FR 80197 at 80206 n.67.
\282\ In addition, as explained in the discussion of general
comments further above, through supervisory activity at larger
participants defined in this Final Rule, the CFPB can detect and
assess emerging risks to consumers, including as a result of
developments in the software or personal computing devices involved
in the delivery of general-use digital consumer payment
applications.
---------------------------------------------------------------------------
Finally, with regard to comments seeking clarification or exclusion
of internet browser activities including payment autofill functions,
the CFPB clarifies that the Proposed Rule was not intended to treat the
operation of a web browser itself as a form of market activity.\283\ As
noted above, the proposed definition of ``digital application''
included several examples of software programs accessed by a personal
computing device, including ``a website a consumer accesses by using an
internet browser on a personal computing device.'' As that example
indicates, the relevant ``digital application'' that the consumer
accesses using a web browser is the website, and not the web browser
itself. Excluding web browsers from the definition of ``digital
application'' is consistent with the CFPB's goal of covering payment
applications in the rule. While some web browsers may store and
automatically populate payment forms on merchant websites with consumer
payment account information, that activity alone does not convert a web
browser into a payments-focused digital application that is
participating in this market. Nor is the CFPB aware of market research
studies or surveys on consumer payment applications that identify web
browsers as competing with larger participants in the market.
---------------------------------------------------------------------------
\283\ See, e.g., United States v. Microsoft Corporation, Case
No. 98cv1232, D.D.C. (Complaint filed May 18, 1998) ] 6 (defining an
``internet browser'' as ``specialized software programs that allow
PC users to locate, access, display, and manipulate content and
applications located on the internet's World Wide Web''), https://www.justice.gov/sites/default/files/atr/legacy/2012/08/09/1763.pdf
(last visited Nov. 8, 2024).
---------------------------------------------------------------------------
Final Rule
For the reasons described above, the CFPB adopts the proposed
definition of ``digital application'' with certain clarifying changes
described below, including changing the term to ``digital payment
application.''
[[Page 99625]]
First, consistent with the Final Rule changing ``wallet
functionality'' to ``payment wallet functionality'' for the sake of
precision and clarity, the Final Rule also adopts the term ``digital
payment application'' instead of the more generic term ``digital
application.'' Based on how the CFPB proposed the market definition for
a ``general-use digital consumer payment application,'' the concept of
a ``digital payment application'' already was incorporated into the
market definition itself. This conforming change to the component
definition of ``digital application'' therefore aligns that term more
clearly with the general market definition. Relatedly, for the reasons
discussed above in the CFPB's response to comments regarding web
browsers, the Final Rule clarifies that operating a web browser is not
an example of providing a digital payment application.
Second, in response to a nonprofit commenter, the Final Rule adds
to the list of examples of how a consumer may access a personal
computing device to include other common means, such as using a
personal identifier, such as a passkey, password, or PIN.
General Use
Proposed Rule
The proposed market definition would have applied to providing
covered payment functionalities through a digital application for a
consumer's general use in making consumer payment transactions.
Proposed Sec. 1090.109(a)(2) would have defined the term ``general
use'' as the absence of significant limitations on the purpose of
consumer payment transactions facilitated by the covered payment
functionality provided through the digital consumer payment
application. The Proposed Rule explained that the CFPB sought to
confine the market definition to those digital payment applications
that consumers can use for a wide range of purposes. The Proposed Rule
noted how digital payment applications with general use can serve broad
functions for consumers, such as sending funds to friends and family,
buying a wide range of goods or services at different stores, or both.
As reflected in the non-exhaustive list of examples in the Proposed
Rule discussed below, other consumer financial products and services
provide payment functionalities for more limited purposes. While those
other products and services also serve important functions for
consumers, they do not have the same broad use cases for consumers. As
a result, in the Proposed Rule, the CFPB viewed those products as
participating in a market or markets distinguishable from a market from
general-use digital consumer payment applications.
The proposed definition of general use would have clarified that a
digital consumer payment application that would facilitate person-to-
person, or peer-to-peer (P2P), transfers of funds would have qualified
as having general use under the Proposed Rule. Even if a payment
functionality provided through a digital application is limited to P2P
payments, and that constitutes a limitation on the purpose of payments,
that limitation would not have been a significant limitation for
purposes of the proposed market definition. For example, a P2P
application that permits a consumer to send funds to any family member,
friend, or other person would have qualified as having general use,
even if that P2P application could not be used as a payment method at
checkout with merchants, retailers, or other sellers of goods or
services. A P2P application also would have qualified as having general
use even if it can only transfer funds to recipients who also register
with the application provider, or otherwise participate in a certain
network (which the Proposed Rule noted some refer to as ``closed loop''
P2P systems). As the Proposed Rule noted, although the network of
potential recipients in such a system may be limited in certain
respects, often any potential recipient may have the option of joining
such a system (and many consumers already may have joined such
systems), so the universe of potential recipients for such payments
often is still broad. The Proposed Rule also stated that a digital
consumer payment application still may have qualified as having general
use even when the universe of potential recipients for a funds transfer
is fixed, such as when a consumer can only make a transfer of funds to
friends or family located in a prison, jail, or other secure
facility.\284\
---------------------------------------------------------------------------
\284\ Such funds may be available to the recipient for a variety
of purposes, including to purchase food, toiletries, medical
supplies, or phone credits while incarcerated, and, if not used by
the recipient while incarcerated, may revert upon release to an
unrestricted account. See, e.g., CFPB Report, Justice-Involved
Individuals and the Consumer Financial Marketplace (Jan. 2022), sec.
3.1 (n.87 describing uses of these types of funds transfers) and
sec. 4.1 (describing how, as observed in a CFPB enforcement action
and an investigative report on prison release cards, ``[w]hen
released, people exiting jail receive the money they had when
arrested, and prisons disburse the balance of a person's commissary
account, including wages from prison jobs, public benefits, and
money sent by friends and family.''), https://files.consumerfinance.gov/f/documents/cfpb_jic_report_2022-01.pdf
(last visited Oct. 23, 2023).
---------------------------------------------------------------------------
To provide clarity as to the proposed market definition, the
proposed definition of general use would have included examples of
limitations that would be significant for purposes of the proposal,
such that a covered payment functionality offered through a digital
consumer payment application with such limitations would not have had
general use.\285\ The examples would have illustrated some types of
digital consumer payment applications that would not have had general
use. The list of examples was not exhaustive, and other types of
digital consumer payment applications would not have had general use to
the extent they cannot be used for a wide range of purposes.
---------------------------------------------------------------------------
\285\ The Proposed Rule includes these examples to illustrate
the scope of the term ``general use'' in the Proposed Rule, and thus
the scope of the proposed market definition. The examples are not a
statement of the CFPB's views regarding the scope of its authority
over consumer financial products and services under the CFPA.
---------------------------------------------------------------------------
In addition, the Proposed Rule noted that some payment
functionalities may be provided through two different digital consumer
applications. For example, from a merchant's ecommerce digital
application, a consumer may click on a payment button that links to a
third-party general-use digital consumer payment application, where the
consumer authenticates their identity and provides payment instructions
or otherwise authorizes the payment. Even if the merchant's digital
application itself would not have qualified as having general use, the
consumer's use of the third-party general-use digital consumer payment
application still would have constituted covered market activity with
respect to the third-party provider.
The first example of a payment functionality with a significant
limitation such that it would not have general use would have been a
digital consumer payment application whose payment functionality is
used solely to purchase or lease a specific type of services, goods, or
property, such as transportation, lodging, food, an automobile, a
dwelling or real property, or a consumer financial products and
service.\286\ The Proposed Rule listed this
[[Page 99626]]
example in paragraph (A) of the proposed definition of general use.
---------------------------------------------------------------------------
\286\ For example, when a consumer uses a payment functionality
in a digital application for a consumer financial product or service
to pay for that consumer financial product or service, such as by
providing payment card information to a credit-monitoring app to pay
for credit-monitoring services, this limited purpose for that
payment functionality would not have had general use under the
Proposed Rule. The term ``consumer financial product or service'' is
defined in CFPA section 1002(5) and includes a range of consumer
financial products and services including those in markets that the
CFPB supervises, described in the Proposed Rule, as well as other
consumer financial products and services outside of supervised
markets over which the CFPB generally has enforcement and market-
monitoring authority. See generally 12 U.S.C. 5481(5) (definition of
``consumer financial product or service'') and 12 U.S.C. 5481(15)
(definition of ``financial product or service'').
---------------------------------------------------------------------------
Second, as indicated in paragraph (B), accounts that are expressly
excluded from the definition of ``prepaid account'' in paragraphs (A),
(C), and (D) of Sec. 1005.2(b)(3)(ii) of Regulation E \287\ also would
not have had general use for purposes of the Proposed Rule. Those
provisions in Regulation E exclude certain tax-advantaged health
medical spending accounts, dependent care spending accounts, transit or
parking reimbursement arrangements, closed-loop accounts for spending
at certain military facilities, and many types of gift certificates and
gift cards. The Proposed Rule explained that, while these types of
accounts may support payments through digital applications with varied
purposes to different types of recipients, the accounts remain
sufficiently restricted as to the purpose to warrant exclusion from the
proposed market.
---------------------------------------------------------------------------
\287\ 12 CFR 1005.2(b)(3)(ii).
---------------------------------------------------------------------------
Third, as indicated in proposed paragraph (C), a payment
functionality provided through a digital consumer payment application
that solely supports payments to pay a specific debt or type of debt or
repayment of an extension of consumer credit would not have qualified
as having general use. For example, a consumer mortgage lender's mobile
app or website may provide a functionality that allows a consumer to
pay a loan. Or a debt collector's website may provide a means for a
consumer to pay a debt. These digital consumer payment applications
have a use that is significantly limited, to only pay a specific debt
or type of debt. In general, digital applications that solely support
payments to specific lenders, loan servicers, and debt collectors would
not have fallen within the proposed market definition.\288\ The
Proposed Rule noted that the CFPB considers such digital applications
generally to be more part of the markets for consumer lending, loan
servicing, and debt collection. The CFPB has issued separate larger
participant rules for such markets and CFPA section 1024(a) also grants
the CFPB supervisory authority over participants in certain lending
markets, including mortgage lending, private student lending, and
payday lending. In addition, other digital applications may only help a
consumer to pay certain other types of debts, such as taxes or other
amounts owed to the government, including fines. Under this proposed
example, those payment functionalities provided through those
applications also would not have qualified as having general use.
---------------------------------------------------------------------------
\288\ By contrast, as noted in the section-by-section analysis
of the proposed exclusion in paragraph (C) of the definition of a
``consumer payment transaction,'' if a consumer uses a general-use
digital consumer payment application as a method of making a payment
to such a payee, that general-use digital consumer payment
application would have been participating in the market for those
consumer payment transactions.
---------------------------------------------------------------------------
Fourth, as indicated in proposed paragraph (D), a payment
functionality provided through a digital application that solely helps
consumers to divide up charges and payments for a specific type of
goods or services would have been excluded. Some payment applications,
for example, may be focused solely on helping consumers to split a
restaurant bill. This example is a corollary of the example in
paragraph (A). Since a payment functionality limited to paying for food
would not have qualified as having general use under paragraph (A),
paragraph (D) would have clarified that a payment functionality that
enables splitting a bill for food have also would not have qualified as
having general use.
The CFPB requested comment on the proposed definition of general
use and examples of significant limitations that take a payment
functionality provided through a digital consumer application out of
the general use category. The CFPB also requested comment on whether
the examples of significant limitations should be changed or clarified,
and whether additional examples of significant limitations should be
included, and if so, what examples and why.
Comments Received
Some commenters stated that the proposed ``general use'' limitation
was excessively ambiguous or uncertain, though they did not agree on
how to clarify the definition. For example, two industry associations
criticized defining ``general use'' as the ``absence of significant
limitations on the purpose of consumer payment transactions facilitated
by the covered payment functionality'' on the ground that that standard
was ambiguous and that the associated examples in the proposed
definition did not provide sufficient guidance to ascertain the scope
of ``general use.'' These commenters stated that additional
clarification or limitations on the definition were necessary, and that
if the Final Rule did not clarify this term, then firms would incur
unnecessary costs and confusion as to whether they need to prepare
their compliance management systems for CFPB supervision. Similarly,
another industry association criticized the definition of ``general
use'' as ambiguous, and suggested that such ambiguity would generate
confusion for providers. The commenter suggested clarifying how the
definition applies to diverse features and functionalities within
payment applications. An individual commenter stated that the proposal
did not clearly define ``general use'' and suggested that the rule
instead adopt a bright-line test, providing that general use means use
with more than 100 merchants, 10 platforms, or 5 different purposes. A
nonprofit commenter stated that while a vast majority of its members
approved of the proposed definition of ``general use,'' a majority also
recommended adding examples to the definition. A payments industry firm
stated that the rule should clarify the example described in proposed
paragraph (B) related to certain gift cards and other products and
services that do not have general use.\289\ Finally, a comment from
consumer groups stated that the Rule should clarify that online
marketplace payment functions meet the definition of ``general use''
(and not exclude them from the definition of ``consumer payment
transactions'' included in the market as discussed above). These
commenters also stated that the Final Rule should clarify that if a
payment app aimed at servicemembers is not eligible for the narrow
Regulation E exclusion cited in paragraph (B) of the proposed
definition of ``general use,'' then it would meet the definition of
``general use.'' \290\
---------------------------------------------------------------------------
\289\ Specifically, this commenter requested that the CFPB
clarify that the definition of ``general use'' also excludes certain
types of cards, codes, and other devices described in Regulation E
section 1005.20(b). It stated that the Proposed Rule was unclear on
this point because it referred only to an account described in
Regulation E section 1005.2(b)(3)(ii)(D). Regulation E section
1005.20(b) describes cards, codes, and other devices that are
excluded from Regulation E section 1005.20(a), which defines the
accounts identified in 1005.2(b)(3)(ii)(D). As a result, in its view
there is uncertainty over whether the CFPB views those cards, codes,
and devices has having general use. In its view, section 1005.20(b)
refers to certain types of cards, codes, and other devices with
limited uses and the CFPB should confirm those types of cards,
codes, and other devices to do not have general use.
\290\ The comment did not provide an example or state whether
such consumer financial products or services currently exist.
---------------------------------------------------------------------------
In addition, commenters had differing views regarding the
appropriateness of the breadth of the proposed definition of ``general
use.'' Some commenters agreed with the breadth of ``general use'' or
suggested it should be expanded. For example, the comment from consumer
groups expressed general support for the
[[Page 99627]]
definition, which they characterized as appropriately broad. Several
consumer group and nonprofit comments expressed support for the
definition of ``general use'' based on how the proposed term reflected
what they described as the broad functions of services to transfer
funds to people who are incarcerated. Some of these commenters added
that some large companies provide app-based money transfers both to
people who are incarcerated and to people who are not.\291\ In
addition, without directly addressing the exclusion in paragraph (D) of
the definition of ``general use'' for payment functionalities solely to
split a charge for a specific type of goods or services, an industry
association stated that consumers use general-use digital consumer
payment applications for, among other purposes, paying expenses
informally split between consumers. An industry association suggested
that at least in certain ways, the proposed definition of ``general
use'' unduly narrowed the market because it excluded digital
applications that help consumers to make payment for the same types of
purchases, such as food and automobiles, using the same underlying
payment methods as applications that meet the proposed definition of
``general use.''
---------------------------------------------------------------------------
\291\ In addition, they stated that the ``general use'' of these
payment systems is reflected in the significant number of people who
are incarcerated (nearly two million at any one time with one
estimate that people were incarcerated nearly seven million times in
2021), broad available uses those people have for transferring the
funds while they are incarcerated, and the universal acceptance of
release cards loaded with funds remaining at the time of release. As
discussed in the section-by-section analysis of the comments on the
proposed definition of ``digital application,'' these commenters
also called for expansion of the market to include the full range of
payment services that support payments to people while incarcerated,
payments by people while incarcerated, and payments by people who
are recently released from incarceration using payment cards issued
upon release. They added that these products and services pose large
risks to consumers, due to, among other features, high fees and the
lack of competition for such products and services.
---------------------------------------------------------------------------
On the other hand, several industry commenters stated that the
proposed definition of ``general use'' was too broad and that it should
be narrowed in various ways. These comments generally stated that the
``general use'' limitation on the proposed market definition did not
adequately limit the scope of the market definition in the context of
payments for consumer purchases, in the context of peer-to-peer
payments, or both.
In the context of digital payments for purchases, two industry
associations stated that the rule should exclude from ``general use''
what it called ``closed-loop transactions'' which it described as
transactions that can only occur at a ``finite'' group of merchants.
These comments stated that the exclusion should be consistent with the
CFPB's understanding of ``closed-loop transactions'' in the context of
its prepaid account rule under Regulation E.\292\
---------------------------------------------------------------------------
\292\ While these commenters quoted a description of ``closed-
loop prepaid cards'' they stated came from the CFPB's rules
concerning prepaid accounts, the citation they identified is to a
CFPB website that contains consumer education materials regarding
general-use prepaid cards, prepaid gift cards, and other prepaid
cards at https://www.consumerfinance.gov/consumer-tools/prepaid-cards/answers/key-terms (last visited Nov. 17, 2024).
---------------------------------------------------------------------------
In the context of digital peer-to-peer payment applications or
functionalities, several industry and other commenters stated that the
proposal's approach to defining ``general use'' was too broad. A
nonprofit stated that the Proposed Rule incorrectly treated any peer-
to-peer funds transfer functionality as having general use. Another
nonprofit stated that peer-to-peer payment applications should not have
general use unless also enabled for purchases. In its view, the absence
of a purchase functionality constitutes a ``significant limitation''
within the meaning of the proposed definition of ``general use.''
Another industry association stated that the Proposed Rule should not
have classified a peer-to-peer payment application as having general
use when it restricts the universe of payment recipients to other
persons who are registered users of the same application. Finally,
several industry trade associations stated that the Proposed Rule was
internally inconsistent by treating a payment functionality used
exclusively by people who are incarcerated to make commissary purchases
as having ``general use'' while simultaneously excluding payment
functionalities provided solely for purchase of certain types of goods,
services, or other property, such as food.\293\ Two trade associations
also suggested that the Proposed Rule's assessment that persons who are
incarcerated may put funds received to general use in a closed
environment is inconsistent with how the CFPB views closed-loop prepaid
cards under, Regulation E. Another industry association stated that a
payment functionality for people who are incarcerated to pay for goods
and services does not have ``general use'' within its conventional
meaning.\294\
---------------------------------------------------------------------------
\293\ In addition, they stated that the proposal's different
treatment of these examples created confusion about the identity of
the estimated 17 larger participants. The CFPB discusses comments on
that issue in the section-by-section analysis of the larger-
participant test below.
\294\ Some of these commenters further claimed the cost-benefit
analysis did not consider potential impacts on money transfer
services for incarcerated people, which they considered to be a
distinct product market. In the response to general comments above,
the CFPB responds to comments calling for the CFPB to divide the
proposed market into separate markets for purposes of this
rulemaking. The impacts analysis in part VII further explains how it
analyzes the impacts in the market adopted in the Final Rule.
---------------------------------------------------------------------------
Response to Comments Received
With respect to comments that the proposed definition of ``general
use'' was excessively ambiguous or uncertain, the CFPB also shares the
commenters' goal of reducing ambiguity and uncertainty in the
definition of ``general use.'' Accordingly, the CFPB declines to adopt
the proposal to define ``general use'' as the absence of significant
limitations on the purposes of a consumer payment transactions
facilitated by the covered payment functionality provided through the
digital consumer payment application. Instead, as discussed further
below, the Final Rule adopts an alternative standard for defining
``general use'' as usable to transfer funds in a consumer payment
transaction to multiple unaffiliated persons, with limited exceptions.
With respect to comments on the breadth of the term ``general
use,'' the CFPB believes that the definition of ``general use'' adopted
in this Final Rule is appropriately broad given the characteristics of
the market defined in this Final Rule. The term encompasses digital
consumer payment applications capable of being used for a range of
purposes such as sending funds to friends and family, buying a range of
goods or services at different stores, or both. As discussed above in
response to comments on the market definition in Sec. 1090.109(a)(1),
treating those functions as part of a single market is consistent with
the CFPB's experience and expertise, the views of certain other market
observers, and with common consumer user experience.
In response to the commenter that raised concerns about the rule
including a ``general use'' limitation at all, the CFPB notes that the
``general use'' limitation reduces the breadth of the market, which the
commenter stated already was overly broad. The CFPB also declines to
drop the ``general use'' limitation based on that industry
association's comments suggesting that this limitation impermissibly
excludes economic substitutes. The commenter cited examples of food
delivery applications and automobile purchase
[[Page 99628]]
applications that facilitating payments that consumers also can make
through payment functionalities that have general use.\295\
---------------------------------------------------------------------------
\295\ For the reasons described at the outset of the section-by-
section analysis above, the CFPB disagrees with the industry
association comment that concluded that antitrust law governs how
the CFPB must define larger participants in a market for consumer
financial products or services pursuant to CFPB section
1024(a)(1)(B). In addition, as discussed further above, the CFPB
disagrees that it would be appropriate for the market to include
merchant and marketplace payment functionalities described by the
exclusion in paragraph (C) of the definition of ``consumer payment
transaction.''
---------------------------------------------------------------------------
The CFPB similarly declines the consumer group comments suggesting
that the Final Rule clarify that marketplaces meet the definition of
``general use.'' Regardless of whether they meet that definition, for
the reasons discussed in the section-by-section analysis of ``consumer
payment transaction'' above, the Final Rule adopts the proposed
exclusion in paragraph (C) of the definition of that term for
marketplace payment functionalities.
The CFPB disagrees with the industry and nonprofit comments stating
that the CFPB should adopt a narrower definition of ``general use''
that would exclude some or all peer-to-peer payment applications. Like
a payment functionality that can be used to pay two or more
unaffiliated merchants, a peer-to-peer payment functionality enables
transfers for consumer payment transactions to multiple, unaffiliated
individuals. Thus, it is appropriate to for payment functionalities
that solely support payments to friends and family to fall within the
definition of ``general use'' in the Final Rule. In addition, the
market increasingly bundles both types of payments and many peer-to-
peer payment functionalities can be used formally or informally to make
payments for purchases. Defining the market based on the status of the
recipient as a consumer or a business, as the commenter suggests, would
be inconsistent with how the market has evolved, as further discussed
above in the response to comments on the market definition in Sec.
1090.109(a)(1).
In addition, peer-to-peer digital consumer payment applications
often support payments to millions if not tens of millions of other
users including in some circumstances that industry describes as a
``closed loop'' system. For example, even in such a system, often any
adult consumer who can pass identity verification can enroll to receive
funds.\296\ The Final Rule therefore does not treat the need for a
recipient to sign up for an account to receive funds as a basis for
excluding the corresponding covered payment functionality from the
definition of ``general use.'' This approach also promotes consistent
oversight of consumer financial products and services that allow
consumers to send funds to other consumers, without regard to whether
they operate through depository institutions.\297\
---------------------------------------------------------------------------
\296\ CFPB Deposit Insurance Spotlight, supra (``In closed loop
systems, transactions are enabled through a single provider. Under
this model, both payer and receiver must have an account with the
same provider to complete the payment.'').
\297\ See also Julian Morris, Peer-to-Peer and Real Time
Payments: A Primer, Int'l Ctr. For Law & Econ. (Aug. 21, 2023)
(generally describing how ``closed loop'' is more of an indicator
that the platform may operate outside of the banking system),
https://laweconcenter.org/resources/peer-to-peer-and-real-time-payments-a-primer/ (last visited Oct. 24, 2024). The Final Rule also
does not define ``general use'' by reference to peer-to-peer payment
systems that may be described as ``closed loop'' because usage of
the term ``closed loop'' in that context varies and the market is
rapidly evolving. See, e.g., CFPB Deposit Insurance Spotlight, supra
(describing how ``[c]losed loop payment systems are often connected
to traditional open loop systems, so funds can be deposited or
withdrawn out of the closed loop system.''); Getting the U.S.
Banking Market Ready for Instant Payments, PaymentsJournal (May 21,
2024) (``In other parts of the world, fintechs have taken the lead
by converting their closed-loop stored value wallet propositions and
making them interoperable on the back of real-time payment systems.
U.S. fintechs have the same opportunity.''), https://www.paymentsjournal.com/getting-the-u-s-banking-market-ready-for-instant-payments/ (last visited Nov. 8, 2024); VISA, In 2024,
payments to get global, open, tailored and interoperable (Dec. 15,
2023) (describing how ``money-moving apps and wallets'' operating
within their own ``siloed ecosystem . . . is beginning to change.
With payments players prioritizing interoperability, we will soon
see a more seamless future-state of global money movement--one where
paying across services is as seamless as using any one service''),
https://usa.visa.com/visa-everywhere/blog/bdp/2023/12/14/in-2024-payments-1702577675756.html (last visited Nov. 8, 2024); VISA,
Introducing Visa+ (describing new Visa+ product launched in the
United States where ``users set up one payname in their preferred
wallet, and pay or get paid regardless of the participating app
their peers use.''), https://usa.visa.com/products/visa-plus.html.
(last visited Nov. 8, 2024).
---------------------------------------------------------------------------
The CFPB declines to adopt the suggestion by some industry
commenters that the Final Rule exclude payment functionalities based on
whether they are limited to use at what the industry association
commenters described as a ``finite'' number of merchants. The term
``finite'' is not a workable standard for this Rule, and the CFPB
disagrees with the industry commenters' further suggestion that if it
does not adopt that exclusion (or an exclusion for some other definite
number), the rule would have the paradoxical effect of treating the
universe of potential recipients in closed-loop payment systems for
retail spending as infinite. These comments did not recognize that
paragraph (B) of the proposed definition of ``general use'' already
excluded closed-loop gift cards.\298\ And the comment did not provide a
justification for this Rule to adopt a broader exclusion, such as for
payment functionalities usable at multiple unaffiliated merchants. The
CFPB also disagrees with the individual commenter that the Rule should
define ``general use'' based on the reaching a specific quantity of
merchants, platforms, and purposes. The commenter did not provide any
justification for the specific numbers of merchants, platforms, and
purposes they proposed. In addition, the range of goods and services
offered by an individual merchant can vary widely across merchants. As
a result, the number of merchants where a consumer can make purchases
is not necessarily an indicator of ``general use.'' However, the CFPB
agrees that additional clarification may be helpful as to whether the
type of payment account excluded from Regulation E (by virtue of only
being usable at a single merchant or its affiliates) also would be
excluded from the market definition here based on lacking ``general
use.'' The CFPB provides those clarifications below in the discussion
of the revised definition of ``general use'' adopted in Final
Rule.\299\
---------------------------------------------------------------------------
\298\ In describing the exclusion they were seeking, these
commenters referred to a description of ``closed-loop prepaid
cards'' without acknowledging that term included gift cards, which
the Proposed Rule already proposed to exclude in paragraph (B) of
the definition of ``general use.'' See also CFPB, Final Prepaid
Account Rule, 81 FR 83934, 83936 (Nov. 22, 2016) (explaining how
``consumers can only use funds stored on closed-loop prepaid
products at designated locations (e.g., at a specific merchant or
group of merchants in the case of certain gift cards; within a
specific transportation system in the case of transit cards)'')
(emphasis added).
\299\ The Final Rule does not adopt the consumer group
suggestion of clarifying that online marketplace payment
functionalities have ``general use'' because, for the reasons
discussed in the section-by-section analysis of ``consumer payment
transaction'' above, the Final Rule does not drop the exclusion in
paragraph (C) of the definition of that term. The requested
clarification would create confusion, suggesting online marketplace
payment functionalities excluded by paragraph (C) are covered by the
definition of ``general use.''
---------------------------------------------------------------------------
Finally, the CFPB does not agree with the industry firm commenter
that the Proposed Rule created significant uncertainty as to whether
certain cards, codes, or other devices described in Regulation E
section 1005.20(b) would have general use for purposes of this rule. No
other commenter raised this issue, and the commenter that raised the
issue did not explain why it believed that the CFPB would view all of
the cards, codes, or other devices described in Regulation E section
1005.20(b) as
[[Page 99629]]
having general use, especially in light of the other examples of
accounts that would not have general use described in proposed
paragraph (B). In any event, the CFPB disagrees that Regulation E
section 1005.20(b)(2) describes accounts that would not have general
use for purposes of this rule. Section 1005.20(b)(2) describes general-
purpose reloadable cards that are not marketed as gift cards or gift
certificates. But the absence of gift marketing does not render these
cards lacking in general use, and if they are loaded into a general-use
digital consumer payment application, then they may fall within the
market definition.
Final Rule
In response to the comments analyzed above, the CFPB includes the
proposed term ``general use'' in the Final Rule but defines it
differently than the proposal did. Rather than adopting the proposal to
define ``general use'' using the ``absence of significant limitations
on the purpose'' standard and providing illustrative examples of
activities that would or would not meet the standard, the Final Rule
adopts an alternative standard that is clearer and more administrable,
along with specific, enumerated exceptions. This approach addresses
comments as discussed above and described below.
For purposes of the Final Rule, ``general use'' is defined as
usable for a consumer to transfer funds in a consumer payment
transaction to multiple, unaffiliated persons. The CFPB is adopting
this new standard because it is clearer and more administrable, and
more closely aligns with the similar concept in Regulation E.\300\ The
definition is subject to specific exceptions as described below.
---------------------------------------------------------------------------
\300\ The term ``general use'' in the Final Rule has certain
similarities to terms in Regulation E, 12 CFR part 1005, but differs
in some substantive respects as specified below. Usage, or omission,
of specific language from EFTA or Regulation E in the Final Rule is
not an endorsement by the CFPB of any specific interpretation of
EFTA or Regulation E.
---------------------------------------------------------------------------
This approach is based upon similar concepts in Regulation E, and
therefore improves clarity and reduces uncertainty. For example,
Regulation E defines a prepaid card that has ``general use'' for
purchases based on being ``[r]edeemable upon presentation at multiple,
unaffiliated merchants for goods and services[.]'' \301\ Similarly,
under the Final Rule, a payment functionality that facilitates payments
to multiple, unaffiliated merchants for goods and services also would
have ``general use,'' unless an exception applies. Also similar to
Regulation E, a payment functionality would not meet the definition of
``general use'' in the Final Rule if the consumer payment transactions
it facilitates are solely for a single merchant and its affiliated
companies.
---------------------------------------------------------------------------
\301\ 12 CFR 1005.20(a)(3)(ii).
---------------------------------------------------------------------------
In addition, consumers use digital consumer payment applications to
transfer funds from additional types of payment methods beyond prepaid
cards (e.g., other prepaid accounts, bank accounts, and credit cards)
and to make payments to additional types of entities beyond merchants.
Therefore, the CFPB does not view Regulation E as encompassing the full
scope of activity that market participants include within their
general-use digital consumer payment applications. For that reason, the
Final Rule does not adopt the precise phrase used to define ``general
use'' in the Regulation E definition of prepaid cards, which generally
facilitate purchase transactions from merchants. The Final Rule instead
adopts the phrase ``multiple, unaffiliated persons'' to define the
universe of potential recipients of transfers of funds that determine
whether a payment functionality has ``general use.'' \302\ If a covered
payment functionality facilitates consumer payment transactions to
multiple unaffiliated entities that are not merchants, it would qualify
as having ``general use,'' unless an exception applies. Further, if a
covered payment functionality facilitates consumer payment transactions
to multiple individuals such as family or friends not acting as
merchants, that covered payment functionality still would qualify as
``general use'' for purposes of the Final Rule, unless an exception
applies.\303\ Although this approach includes many common peer-to-peer
transfer systems in the definition of ``general use,'' the CFPB
disagrees with the industry commenters that this indicates the
definition is too broad.\304\ As discussed above, given their mixed
use, these covered payment functionalities often facilitate consumer
payment transactions to sole proprietors and other small businesses
anyway.
---------------------------------------------------------------------------
\302\ See also Regulation E, 12 CFR 1005.2(b)(3)(i)(D)(2)
(defining ``prepaid account'' to include accounts with the ``primary
function [ ] to conduct person-to-person transfers'').
\303\ The CFPA defines ``affiliate'' in section 1002(1) on the
basis of a control relationship between two persons. Two consumers
generally would not qualify as ``affiliates'' because they generally
do not ``control'' one another for purposes of the CFPA.
\304\ A number of industry commenters suggested the proposed
definition was too broad because the Proposed Rule stated that a
covered payment functionality dedicated to transferring funds to
incarcerated people may have ``general use'' based on recipients'
ability to use transferred funds for purchase of a variety of types
of goods, even when those uses might not be subject to Regulation E.
The Final Rule does not adopt that approach because the definition
of ``general use'' in the Final Rule does not depend on the uses of
funds by payment recipients.
---------------------------------------------------------------------------
With regard to the list of examples in proposed paragraphs (A)-(D)
that would not have met the proposed definition of ``general use,'' as
described below, some are not adopted in the Final Rule because it
already excludes them in other ways, others are maintained with
modifications, and two are not adopted because the Final Rule includes
the corresponding examples in the market.
First, the Final Rule need not adopt proposed paragraph (A) because
the CFPB understands that other revisions the Final Rule would make the
exclusion in proposed paragraph (A) unnecessary.\305\ First, the Final
Rule need not adopt proposed paragraph (A) because the CFPB understands
that other revisions the Final Rule would make the exclusion in
proposed paragraph (A) unnecessary. Specifically, if a merchant or
marketplace sells or leases only specific types of goods, services, or
other property, then a payment functionality that is limited to
facilitating payments to that merchant or marketplace already would be
excluded from the Final Rule for other reasons. For example, the
definition of ``general use'' in the Final Rule already does not cover
a payment functionality that facilities consumer payment transactions
solely by facilitating a purchase from a single merchant or its
affiliated companies, including a merchant providing any of the types
of goods, services, or other property listed in proposed paragraph
(A).\306\ Such activities do not facilitate payments to ``multiple,
unaffiliated persons'' in the definition of ``general use.'' In
addition, to the extent an online marketplace
[[Page 99630]]
operator's payment functionality facilitates payments to multiple,
unaffiliated persons for the purchase of goods or services a consumer
selects from the online marketplace (including a marketplace offering
only specific types of goods or services), the online marketplace
operator's conduct of those payment transactions already would be
excluded from the definition of ``consumer payment transaction'' as
described above.
---------------------------------------------------------------------------
\305\ This approach also makes the definition of ``general use''
more consistent with similar concepts in Regulation E. Under
paragraph (A) in the proposed definition of ``general use,'' a
payment functionality that solely supports the purchase or lease of
a specific type of services, goods, or other property from multiple,
unaffiliated merchants would not have had ``general use.'' However,
the relevant provisions of the definitions of ``prepaid account''
and ``general-use prepaid card'' in Regulation E apply to accounts
redeemable at multiple unaffiliated merchants, regardless of whether
they sell the same specific type of services, goods, or other
property. 12 CFR 1005.2(b)(3)(i)(D)(2) & 1005.20(a)(3)(ii). By not
including that exception, the definition of ``general use'' in the
Final Rule is more consistent with Regulation E, which contains no
such exclusion from the definition of ``general-use prepaid card''
or ``prepaid account'' discussed above.
\306\ The definition of ``general use'' in the Final Rule also
does not include a payment functionality that facilitates consumer
payment transactions solely to purchase consumer financial products
or services from a single provider and their affiliated companies.
---------------------------------------------------------------------------
Second, the Final Rule adopts other examples described in proposed
paragraphs (B) and (C) with certain modifications described below for
clarity. In paragraph (B) of the proposed definition of ``general
use,'' the CFPB proposed to exclude using certain accounts described in
Regulation E section 1005.2(b)(3)(ii)(A), (C), and (D), which
Regulation E excludes from the definition of ``prepaid account.'' The
CFPB did not receive any comments agreeing or disagreeing with the
exclusions described in proposed paragraph (B).\307\ Notwithstanding
the adoption of a more specific definition of ``general use'' described
above, the CFPB does not view these types of highly-specialized payment
functionalities as having ``general use'' for purposes of this rule.
For the reasons explained in the Proposed Rule as described above, the
Final Rule therefore maintains these exclusions by listing them as
exceptions.
---------------------------------------------------------------------------
\307\ As noted above, two industry associations expressed
general support for excluding closed-loop transactions in a manner
consistent with Regulation E. In addition, while acknowledging the
exclusion for using accounts described in 12 CFR
1005.2(b)(3)(ii)(C), some consumer groups suggested that the Final
Rule should clarify that other payment apps directed at
servicemembers can have ``general use.'' Subject to the exceptions
discussed here, the definition of ``general use'' in the Final Rule
applies when to a covered payment functionality that facilitates
payments to multiple, unaffiliated persons, regardless of whether
the functionality is directed at servicemembers. In addition, as
discussed above, one commenter sought clarification regarding how
the CFPB reads the exclusion for using accounts described in 12 CFR
1005.2(b)(3)(ii)(D), which the CFPB discusses above.
---------------------------------------------------------------------------
In addition, the Final Rule adopts the exception in proposed
paragraph (C) to pay a specific debt or type of debt. The Final Rule
also clarifies that this exception excludes additional examples beyond
loan servicing functionalities that facilitate repayment of extensions
of consumer credit. The Final Rule states that this exception excludes
payment functionalities provided solely for paying the following two
types of debts: (1) Debts owed in connection with origination or
repayment of an extension of consumer credit; or (2) Debts in default.
Through these exceptions, the Final Rule separates the market it
defines from other distinct markets as described below. It therefore
does not include those payment functionalities in the definition of
this market. With respect to the type of debts described in paragraph
(1), just as the Proposed Rule did not seek to cover loan servicing
such as the servicing of mortgage loans (which is part of the mortgage
market), it also did not seek to cover payment functionalities that
facilitate payments made in connection with origination of a mortgage
loan (such as payments through closing or escrow accounts maintained by
providers of real estate settlement services described in CFPA section
1002(15)(A)(viii)).\308\ The revised exception clarifies this. In
addition, in paragraph (1), the Final Rule specifies the payment of
debts in default as a second type of debt payment functionality that is
excluded by paragraph (B). Specifically, consumers may pay debts in
default through a debt collector as defined in 15 U.S.C. 1692a(6).\309\
As noted in part III above, the CFPB already has issued a rule defining
larger participants in a market for consumer debt collection, and may
supervise service providers to such persons under CFPA section 1024(e).
And consumers may repay extensions of credit or debts in default
through a debt settlement firm as described in CFPA section
1002(15)(A)(viii)(II).\310\ The CFPB also views the market for debt
relief services as separate from the market for general-use digital
consumer payment applications.\311\
---------------------------------------------------------------------------
\308\ 12 U.S.C. 5481(15)(A)(iii). Real estate settlement
services generally are part of a distinct market for mortgage
lending that is subject to additional applicable Federal consumer
financial laws such as the Real Estate Settlement Procedures Act, 12
U.S.C. 2601 et seq.
\309\ Fair Debt Collection Practices Act, 15 U.S.C. 1692a(6).
\310\ 12 U.S.C. 5481(15)(A)(viii)(II) (one type of ``financial
product or service'').
\311\ Debt settlement is part of a distinct market that is
subject to additional applicable Federal consumer financial laws
such as the Telemarketing Sales Rule. 16 CFR part 310.
---------------------------------------------------------------------------
Third, for the reasons described below, the Final Rule does not
exclude the example described in proposed paragraph (D) for splitting
charges for specific types of goods or services. As the industry
association comment described above noted, consumers can use general-
use consumer payment applications to make payments for split expenses.
For example, a consumer may transfer funds to a friend or family member
as reimbursement for food or other expenses. Whether the provider
markets its digital application primarily for that use, or for other
uses, it can meet the definition of ``general use'' adopted in this
Final Rule. The CFPB does not believe this change significantly affects
the market-related estimates discussed in the section-by-section
analysis of the larger-participant test below or the impacts analyses
in part VII below. For example, online marketplaces may help consumers
to split bills and make associated payments in circumstances that
already are excluded from the definition of ``consumer payment
transaction.'' \312\ In addition, other products and services marketed
as ``bill splitting apps'' may help consumers to calculate the amount
each consumer will pay, but either do not help consumers to make the
associated payments or refer consumers to a third-party's general-use
digital consumer payment application to make the associated payments.
---------------------------------------------------------------------------
\312\ For example, if a consumer selects food for purchase by
placing a restaurant order through an online marketplace platform
operator that also conducts transactions to split the bill for that
purchase, such activity may qualify for the exclusion in paragraph
(C) of the definition of ``consumer payment transaction.''
---------------------------------------------------------------------------
Finally, the CFPB reiterates that each of the exceptions from the
definition of ``general use'' in paragraphs (A) through (C) of the
Final Rule is for a payment functionality provided through a digital
application solely to support payments of the type listed in the
exception. If a nonbank provides a payment functionality through a
digital application to support one of the types of payments in
paragraphs (A) through (C), but also to support peer-to-peer transfers
to other accountholders generally, then it would still have general
use, as described above.
State
Proposed Sec. 1090.109(a) would have defined the term ``State'' to
mean any State, territory, or possession of the United States; the
District of Columbia; the Commonwealth of Puerto Rico; or any political
subdivision thereof. For consistency, the CFPB proposed to use the same
definition of ``State'' as used in the international money transfer
larger participant rule, Sec. 1090.107(a), which drew its definition
from Regulation E subpart A.\313\ The CFPB requested comment on the
proposed definition of State. No commenters addressed this aspect of
the Proposed Rule, which the Final Rule adopts as proposed.
---------------------------------------------------------------------------
\313\ See International Money Transfer Larger Participant Final
Rule, 79 FR 56631 at 56641.
---------------------------------------------------------------------------
109(b) Test To Define Larger Participants
Proposed Sec. 1090.109(b) would have set forth a test to determine
which
[[Page 99631]]
nonbank covered persons are larger participants in a market for
general-use digital consumer payment applications as described in
proposed Sec. 1090.109(a). Under the proposed test, a nonbank covered
person would have been a larger participant if it meets each of two
criteria set forth in paragraphs (1) and (2) of proposed Sec.
1090.109(b) respectively. First, paragraph (1) specified that the
nonbank covered person must provide annual covered consumer payment
transaction volume as defined in paragraph (3) of proposed Sec.
1090.109(b) of at least five million transactions. Second, paragraph
(2) specified that the nonbank covered person must not be a small
business concern based on the applicable SBA size standard listed in 13
CFR part 121 for its primary industry as described in 13 CFR 121.107.
The Final Rule summarizes and responds to comments about the test in
the section-by-section analysis of this proposed definition below.\314\
---------------------------------------------------------------------------
\314\ As the Proposed Rule noted, prior to issuing the Proposed
Rule, the CFPB conducted analysis of data sources as described in
parts IV, V and VI of the Proposed Rule to identify likely market
participants, and, to the extent of available data: (1) to inform
its general understanding of the market; and, relatedly, (2) to
estimate the level of market activity by market participants, the
degree to which market participants would be small entities, and the
level of market activity by larger participants. These estimates
therefore relied to some degree on preliminary entity-level analysis
that is not dispositive of whether the CFPB would ever seek to
initiate supervisory activity at a given entity or whether, in the
event of a person's assertion that it is not a larger participant,
the person would be found to be a larger participant.
---------------------------------------------------------------------------
Comments Received
Comments from two industry providers, two trade associations, and
some Members of Congress commenters stated that the description in the
Proposed Rule of the confidential data it relied upon was insufficient
to allow for meaningful comment. As described below, these comments
generally focused on two types of data the Proposed Rule did not
release: confidential data about market participants' activities that
the CFPB used to estimate their larger participant status, and,
relatedly, the identities of the individual entities included in the
Proposed Rule's estimate of the number of market participants that
would qualify as larger participants.
With regard to the proposal's estimate of 17 larger participants,
several Members of Congress criticized the Proposed Rule for not
identifying the individual firms included in the estimate. They stated
that the Proposed Rule was not specific enough to allow the public to
identify larger participants, which they stated was necessary for the
public to understand the implications of the proposal and to provide
comprehensive feedback on its impact. A group of industry associations
also stated that uncertainty in the proposed definition of ``general
use'' left uncertainty about the identities of firms included in the
estimate. Meanwhile, a banking industry association suggested that,
separate from the rulemaking, the CFPB should publish a list of larger
participants that are subject to supervision to help consumers and
industry to better evaluate their relationships with these nonbanks.
Some of these industry commenters also stated that the CFPB should
release information about the confidential transaction data for
individual firms that it used to make its estimates concerning the
number of larger participants and their share of market participant
that the Proposed Rule used in support of the proposed threshold. Two
of these comments stated that the CFPB must release the data it relied
upon, while the other comment called for releasing what it called a
sanitized version of the NMLS data it used. One indicated that it
needed such additional information to comment on the Proposed Rule's
estimate of the percentage of the market that larger participants
comprised. This commenter also noted the acknowledgment in the Proposed
Rule that the NMLS data may be overinclusive or underinclusive, and its
acknowledgment about the lack of sufficient data to estimate larger
participant status for certain market participants. Some of these
commenters added that, in their view, more than 17 companies would
qualify as larger participants, due in significant part to the
inclusion of pass-through payment wallet functionalities within the
market definition.
Another industry association stated more generally that the
Proposed Rule was not sufficiently transparent and that the rulemaking
needs to provide more comprehensive information and justification for
the threshold, which it stated should be sector-specific.\315\
---------------------------------------------------------------------------
\315\ An industry commenter also noted in a footnote that they
believed the CFPB could not rely upon data collected through its
2021 section 1022(c)(4) orders because, in their view, the CFPB did
not comply with the Paperwork Reduction Act (PRA).
---------------------------------------------------------------------------
Response to Comments Received
The CFPB disagrees with commenters that the Proposed Rule did not
provide sufficient information for commenters to offer meaningful
comment. As discussed in the proposal and further below, the CFPB
provided commenters with extensive information about the data and other
evidence supporting the rule to enable informed comment, including the
sources of data, the CFPB's methodology for analyzing the data,
descriptions of market concentration, and the limitations of the data.
While the Proposed Rule did not disclose entity-level transaction
volume and revenue data, entities in this market generally keep this
information confidential and do not disclose it to the public.\316\ The
Bureau has routinely gathered this information in carrying out its
statutory functions with the understanding that such information will
be kept confidential consistent with the CFPA and its implementing
rules.
---------------------------------------------------------------------------
\316\ As noted below, the only exception is well-known entities
in the market that are public companies, which disclose revenue
information in public securities filings.
---------------------------------------------------------------------------
Congress anticipated that the CFPB would collect and rely on
confidential data from a variety of sources to support its rulemaking
and other statutory functions, and that it would use that information
in a way designed to protect its confidentiality.\317\ The confidential
transaction and revenue data that the CFPB relied on in the Proposed
Rule came from two sources that the Bureau had access to: confidential
supervisory information regularly shared by the States through NMLS and
data obtained via the CFPB's market monitoring functions.\318\
---------------------------------------------------------------------------
\317\ See 12 U.S.C. 5512(c)(1), (c)(3)(B), (c)(4), (c)(6),
(c)(8); see also 12 CFR part 1070.
\318\ See 12 U.S.C. 5512(c)(8); 12 CFR part 1070.
---------------------------------------------------------------------------
As the Proposed Rule indicated, the States collect nonpublic NMLS
money services business call report data under explicit assurances of
confidentiality.\319\ The NMLS collects all of this commercial or
financial information from the States as part of State supervisory
functions, also under assurances of confidentiality. On behalf of the
States, the State financial regulator association that operates NMLS
authorized the CFPB to use this robust dataset if it complied with the
NMLS confidentiality conditions. When this information is shared with
the CFPB, the CFPB also treats it as confidential supervisory
information, which is generally protected from
[[Page 99632]]
disclosure by statute and CFPB implementing regulations.\320\
---------------------------------------------------------------------------
\319\ The Proposed Rule (88 FR 80107 at 80209-10 n.83 & n.90)
identified the public NMLS website with detailed information about
the type of data collected in NMLS money services business call
reports. In those materials, NMLS emphasizes to money services
business that ``[a]ll data submitted in the [MSB call] report is
confidential[.]'' NMLS MSB Call Report Overview and Definitions at 6
(``Information Sharing''), https://mortgage.nationwidelicensingsystem.org/licensees/resources/LicenseeResources/MSBCR%20Overview%20-%20(FINAL).pdf (last visited
Nov. 8, 2024).
\320\ CFPA sec. 1022(c)(6), 12 U.S.C. 5512(c)(6); 12 CFR
1070.40-48. The CFPB similarly would be obligated to keep such
information confidential had it collected the information directly
from the entities, see 12 CFR 1070.40-1070.48, in addition to
increasing the burden on industry with duplicative requests, cf. 12
U.S.C. 5514(b)(3).
---------------------------------------------------------------------------
The Proposed Rule explained that the CFPB also collected certain
information pursuant to orders issued pursuant to section 1022(c)(4) of
the CFPA. Those orders provided that the CFPB will treat the
information received in response to the order in accordance with its
confidentiality regulations at 12 CFR 1070.40 through 1070.48.\321\
Confidential commercial or financial information about specific
transaction volume collected through those orders also generally would
be protected by FOIA exemption 4,\322\ and therefore would qualify as
confidential information under 12 CFR 1070.2(f).\323\
---------------------------------------------------------------------------
\321\ See https://files.consumerfinance.gov/f/documents/cfpb_section-1022_generic-order_2021-10.pdf (last visited Nov. 7,
2024) (sample 1022 order on website cited in proposal, 88 FR 80197
at 80210 n.90, where the CFPB explained that ``it obtained
transaction and revenue data from six technology platforms offering
payment services through a CFPB request pursuant to CFPA section
1022(c)(4)''). See CFPB Orders Tech Giants to Turn Over Information
on their Payment System Plans (Oct. 21, 2021) (CFPB 1022 Orders
Press Release), https://www.consumerfinance.gov/about-us/newsroom/cfpb-orders-tech-giants-to-turn-over-information-on-their-payment-system-plans/.
\322\ See Food Mktg. Inst. v. Argus Leader Media, 588 U.S. 427
(2019).
\323\ The CFPB also disagrees with the comment suggesting that
the CFPB's section 1022(c)(4) orders did not comply with the PRA.
These orders, which the CFPB addressed to six entities, were not
subject to the PRA requirements. See 5 CFR 1320.3(c)(4) (defining
``collection of information'' from ``ten or more persons'' as
subject to PRA).
---------------------------------------------------------------------------
In the CFPB's experience, virtually no market participants publicly
disclose their volume of consumer payment transactions as defined in
the Proposed Rule, and unless a firm is a public company, it does not
disclose its revenues. No commenters suggested that the individual
firm-level transaction volume data or the revenue data of companies
that are not public companies was not confidential information or
generally available to anyone but the individual company itself. As
discussed in the impacts analyses, in response to the proposal's
request for data, no commenters provided or pointed to sources of
additional relevant data.\324\
---------------------------------------------------------------------------
\324\ 88 FR 80197 at 80211. As discussed in the section-by-
section analysis above, some commenters stated that the CFPB should
use additional data sources to estimate the volume of consumer
payment transactions that transfer digital assets such as crypto-
assets and stablecoins. However, as discussed below, the Final Rule
does not cover those transactions. Therefore, those data sources are
not pertinent to the Final Rule.
---------------------------------------------------------------------------
The CFPB reasonably relied on this confidential transaction data
and revenue data in the Proposed Rule to provide estimates of the
number of firms that would qualify as larger participants compared to
the overall number of estimated market participants and estimates of
larger participants' market participation share of market activity. To
conduct a preliminary entity-level analysis of which market
participants may qualify as a larger participant under the Proposed
Rule, the CFPB generally needed to use available data about the two
criteria for the proposed larger-participant test--an entity's consumer
payment transaction volume and its revenues (which generally governs
small business concern status under applicable size standards).
The absence of such information provided by commenters supports the
conclusion that the money services business call reports when combined
with the CFPB's section 1022(b) order responses are the most
comprehensive sources available for estimating transaction volume at
the firm level for purposes of this rule. Both sources collect
information about consumer payments facilitated in the United States by
market participants. In addition, no commenter indicated that an
individual firm itself did not have access to its own transaction
volume data or its revenue data with which to assess its own larger
participant status under the Proposed Rule. Comments describing
potential difficulty individual firms could face in relying on
available data to assess larger participant status referred to
difficulties in counting of digital assets transactions, which the
Final Rule does not include in the larger-participant test, as
described below.
Courts have held that an agency can rely on confidential
information in its rulemaking so long as the agency discloses
``sufficient factual detail and rationale for the rule to permit
interested parties to comment meaningfully.'' \325\ Here, the Proposed
Rule disclosed, among other information: (1) the sources of the data;
(2) meaningful sources of additional public information about the data;
\326\ (3) the methodologies used to analyze the data; (4) the results
of deploying those methodologies; (5) that the data indicated that the
market was highly concentrated, with a few entities facilitating
hundreds of millions or billions of consumer payment transactions
annually; \327\ (6) that only about one percent of market activity was
conducted by an estimated three entities with transaction volume
between the five and 10 million transaction thresholds considered in
the Proposed Rule; \328\ (7) aggregate transaction estimates for the
proposal's estimated 17 larger participants; (8) the extent to which
the data sources did not include relevant data; and (9) the potential
for uncertainty in its estimates based on the nature of the data. This
detailed information enabled commenters to provide meaningful comment
on, and criticize, the basis for the proposed test to define ``larger
participants'' in the proposed market, and meaningful comment on
whether the Final Rule should adopt a higher, lower, or different
threshold for the larger-participant test. As described further below,
the CFPB received extensive, meaningful comment on these very questions
(as well as numerous other aspects of the rule). The industry
commenters described above also did not explain what additional
information could be provided that would address their comments.
---------------------------------------------------------------------------
\325\ See Fla. Power & Light Co. v. United States, 846 F.2d 765,
771 (D.C. Cir. 1988); see also Riverkeeper Inc. v. EPA, 475 F.3d 83,
112 (2d Cir. 2007); rev'd on other grounds, 556 U.S. 208 (2009).
\326\ 88 FR 80197 at 80210 n.90 (providing links to NMLS and
CFPB public websites where commenters could review descriptions of
the type of data identified in the proposed rule and how the data
was collected, including sample 1022 order and NMLS Money Services
Business Call Report Overview described above).
\327\ 88 FR 80197 at 80210. See also, e.g., FIS 2023 Global
Payments Report at 16 (``North America's credit and debit card
markets are increasingly intermediated by a handful of major digital
wallet brands. These initially consisted of PayPal, Google Pay and
Apple Pay, but challengers such as Shop Pay (Shopify's checkout
solution) and Cash App Pay (recently becoming an open loop wallet)
have joined the playing field.''); 2022 Survey and Diary of Consumer
Payment Choice: Summary Results, supra, at 1 (noting that two-thirds
of consumers reported that they had adopted an online payment
account such as PayPal, Venmo, or Zelle). The Proposed Rule cited
both of these sources at 88 FR 80197 at 80200 n.25.
\328\ 88 FR 80197 at 80210.
---------------------------------------------------------------------------
The CFPB disagrees with the industry comments stating that it was
necessary for the Proposed Rule to unmask confidential data, or
otherwise provide additional information regarding confidential data,
in order to allow for meaningful comment. As discussed above, the CFPB
is obligated to maintain the confidentiality of the confidential
transaction volume and revenue data described above. The CFPB could not
provide a de-identified list of entities linked to their transaction
and revenue data without significant risk of unmasking confidential
data, nor did commenters provide any suggestions as to how the CFPB
could disclose the data in a way that would both preserve
confidentiality and improve commenters' ability to provide
[[Page 99633]]
meaningful comment on the Proposed Rule.
The CFPB also declines the request by certain industry commenters
to publicly disclose the identities of individual firms that comprised
the rule's estimate of the number of larger participants. That CFPB
notes that, in their comments, several commenters specifically
identified firms they believed would be larger participants, indicating
that many commenters believed that they did not need the CFPB to
identify those larger participants in order to provide meaningful
comment on the rule. In any event, the CFPB disagrees that the
identities of the estimated larger participants were critical facts
that commenters needed in order to provide meaningful comment. As
disclosed in the proposal, the CFPB relied on a number of
considerations to define the market (discussed above) and the larger
participant test (discussed below), none of which were the identities
of potential larger participants. Based on those considerations, the
information in the proposal described above, and the rest of the
proposal, many commenters made specific comments on the proposed market
definition and proposed threshold, which the CFPB has fully considered
and responded to above (on the market definition) and below (on the
larger participant test).\329\ The industry commenters seeking release
of the list of 17 firms did not explain how public disclosure of their
identities would allow for more meaningful comment. Further, these
industry comments did not explain how the CFPB could make the
disclosures they requested without disclosing confidential information,
such as implications from such disclosure that could reveal
confidential entity-level transaction information that the States
obtained through their supervisory functions and made available to the
CFPB through NMLS or information that an entity may customarily and
actually treat as private.\330\
---------------------------------------------------------------------------
\329\ For example, many industry and some nonprofit commenters
explained in detail why they believed the proposed market definition
was too broad and why the proposed larger participant test would
cover more larger participants than the CFPB estimated. However,
none of those commenters stated how the methodology and data sources
the proposal used and disclosed would have led the CFPB to fail to
estimate any particular entity as a larger participant. And, as
noted above, no firms provided additional data in response to the
CFPB request.
\330\ For example, disclosing the identities of the 17 estimated
larger participants in the Proposed Rule would have revealed that
the entities had greater than 5 million consumer payment
transactions based on the data available to the CFPB. And disclosing
the names of all seven entities estimated to be larger participants
in this Final Rule would then reveal that the 10 entities who are no
longer estimated to be larger participants have between 5 and 50
million consumer payment transactions per year.
---------------------------------------------------------------------------
Finally, even if the CFPB's estimates had relied entirely on public
data (which they could not), public disclosure of the identities of
estimated larger participants also may be misleading and incompatible
with the administrative process that CFPB has established to determine
which entities are larger participants.\331\ As the Proposed Rule
noted, the market-wide estimates of the rule's scope and impact are
based only on ``preliminary entity-level analysis that is not
dispositive'' of larger participant status or whether the CFPB would
conduct supervisory activity of the entity.\332\ As a result,
publishing the CFPB's preliminary entity-level analysis could
misleadingly suggest that the CFPB already has determined these
entities' larger participant status. However, that is not the purpose
of the CFPB's preliminary entity-level analysis, which instead informs
market-wide estimates of the aggregate scope and impact of the rule. By
contrast, for markets in which the CFPB has finalized larger
participant rules, the CFPB administers a separate process for such
evaluation under section 103 of its larger participant regulation at
part 1090. Based on notice-and-comment rulemaking, it designed that
process to assess which entities qualify as larger participants. As
described in the Proposed Rule, to determine if an individual entity
qualifies as a larger participant, the CFPB can use that same section
103 process to request confidential supervisory information from the
entity and the entity may voluntarily submit such information including
to dispute it qualifies as a larger participant.\333\ The confidential
supervisory process established in section 103 of part 1090 is an
appropriate means for the CFPB to determine which entities are a larger
participants.\334\
---------------------------------------------------------------------------
\331\ See 12 CFR 1090.103(d) & (a). See also 88 FR 80197 at
80198.
\332\ 88 FR 80197 at 80208 n.77. Even when publishing the
highlights of supervisory findings of violations of Federal consumer
financial law, the CFPB does not identify individual entities. See
CFPB Supervisory Highlights Issue 35, Fall 2024 at 3 (``To maintain
the anonymity of the supervised institutions discussed in
Supervisory Highlights, references to institutions generally are in
the plural and the related findings may pertain to one or more
institutions.''), https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights-special-ed-auto-finance_2024-10.pdf
(last visited Nov. 6, 2024).
\333\ See 12 CFR 1090.103(d) and (a). See also 88 FR 80197 at
80198.
\334\ With regard to the banking industry association's comment
seeking publication, outside of the rulemaking process, of the names
of larger participants, the CFPB declines to address that comment
because it is beyond the scope of the rulemaking itself.
---------------------------------------------------------------------------
Final Rule
In consideration of the comments described above on data used in
the Proposed Rule and comments on the criteria and threshold for the
proposed larger-participant test described below, the Final Rule adopts
the two proposed criteria--annual covered consumer payment transaction
volume and small business concern status. As described below, the Final
Rule makes certain adjustments to the calculation of annual covered
consumer payment transaction volume (by counting only those
transactions denominated in U.S. dollars) and the threshold volume that
determines when entities that are not small business concerns qualify
as larger participants (adopting a significantly higher volume, of 50
million).
Criteria
Proposed Rule
The Proposed Rule reiterated that the CFPB has discretion in
choosing criteria for assessing whether a nonbank covered person is a
larger participant of a market.\335\ It explained how the CFPB selects
criteria that provide ``a reasonable indication of a person's level of
market participation and impact on consumers.'' \336\ It noted how
previous larger participant rulemakings acknowledged that, for any
given market, there may be ``several criteria, used alone or in
combination, that could be viewed as reasonable alternatives.'' \337\
---------------------------------------------------------------------------
\335\ See, e.g., 77 FR 42874 at 42887 (consumer reporting larger
participant rule describing such discretion); 77 FR 65775 at 65785
(same, in consumer debt collection larger participant rule).
\336\ 77 FR 42874 at 42887 (consumer reporting larger
participant rule); see also 80 FR 34796 at 37513 (automobile
financing larger participant rule describing how aggregate annual
originations are a ``meaningful measure'' of such participation and
impact); 78 FR 73383 at 73393-94 (same, for account volume criterion
in student loan servicing larger participant rule).
\337\ 77 FR 65775 at 65785 (consumer debt collection larger
participant rule).
---------------------------------------------------------------------------
Here, the CFPB proposed to combine the two criteria described
above: the annual covered consumer payment transaction volume and the
size of the entity by reference to SBA size standards. The Proposed
Rule's larger-participant test would have combined these criteria as
follows: a nonbank covered person would have been a larger participant
if its annual covered consumer payment transaction volume exceeded the
proposed threshold, discussed in the section-by-section
[[Page 99634]]
analysis further below, and, during the same time period (i.e., the
preceding calendar year), it was not a small business concern.
The first criterion would have been based on the number of consumer
payment transactions. Specifically, proposed Sec. 1090.109(b)(3) would
have defined the term ``annual covered consumer payment transaction
volume'' as the sum of the number of the consumer payment transactions
that the nonbank covered person and its affiliated companies
facilitated by providing general-use digital consumer payment
applications in the preceding calendar year.\338\ The Proposed Rule
explained how the CFPB viewed this to be an appropriate criterion for
defining larger participants in a market defined by reference to
products that facilitate certain consumer payments. Each transaction
counted under this criterion also generally is a payment. In that way,
a transaction is essentially a well-understood unit of market activity.
---------------------------------------------------------------------------
\338\ Under the CFPA, the activities of affiliated companies are
to be aggregated for purposes of computing activity levels in larger
participant rules. See 12 U.S.C. 5514(a)(1)(B), (3)(B).
---------------------------------------------------------------------------
The Proposed Rule further noted that, as in the CFPB's
international money transfer larger participant rule, here the number
of transactions also reflects the extent of interactions between the
nonbank covered person providing the in-market consumer financial
product or service. Each one-time consumer payment transaction
typically results from a single interaction with at least one
consumer.\339\ And, in the case of recurring consumer payment
transactions, consumers also have at least one interaction with the
covered persons in the market. The number of transactions also is a
common indicator of market participation.\340\
---------------------------------------------------------------------------
\339\ See, e.g., 79 FR 56631 at 56641 (international money
transfer larger participant rule noting that the absolute number of
transactions ``reflects the extent of interactions'' between the
provider and the consumer because ``each transfer represents a
single interaction with at least one consumer'').
\340\ State regulators, for example, require money transmitters
to report this metric. See generally NMLS, Money Services Business
Call Report, https://mortgage.nationwidelicensingsystem.org/slr/common/Pages/MoneyServicesBusinessesCallReport.aspx (last visited
Oct. 23, 2023).
---------------------------------------------------------------------------
The Proposed Rule stated that the CFPB considered proposing
different criteria, such as the dollar value of transactions or the
annual receipts from market activity, and explained why it did not
propose either of those alternatives. First, digital wallets often are
used for consumer retail spending, which can grow in amount through
inflation. For the proposed market that included digital wallets, a
dollar value criterion may become affected by inflation or other
factors.\341\ At the same time, as the Proposed Rule noted, in general,
a higher number of transactions also may often comprise a higher dollar
value of transactions.
---------------------------------------------------------------------------
\341\ In addition, as discussed in the impacts analyses in parts
V and VI of the Proposed Rule, some of the data sources the CFPB
relied upon in formulating the Proposed Rule may be overinclusive by
including certain payments that are not within the market defined in
the Proposed Rule, such as certain business-to-business payments.
Those payments may have higher dollar values. The Proposed Rule
noted how it would have been less affected by those data distortions
by proposing number of transactions as a criterion.
---------------------------------------------------------------------------
With respect to annual receipts, the Proposed Rule explained that
data was less available, especially for market participants that are
not publicly traded or that do not file call reports on money
transmission at the State level. In addition, in the context of the
market at issue, the Proposed Rule noted that an annual receipts
criterion could miss significant market participation and consumer
impacts, such as where a provider is subsidizing a product or otherwise
not earning significant per-transaction revenues.
As noted above, the CFPB proposed a second criterion that also must
be satisfied for a nonbank covered person to be a larger participant,
in addition to the annual covered payment volume criterion. Under the
second criterion, in the previous calendar year, the nonbank must not
have been a ``small business concern'' as that term is defined by
section 3(a) of the Small Business Act, 15 U.S.C. 632(a), and
implemented by the SBA under 13 CFR part 121, or any successor
provisions. Thus, under the Proposed Rule, an entity would have been a
small business concern if its size were at or below the SBA standard
listed in 13 CFR part 121 for its primary industry as described in 13
CFR 121.107.\342\
---------------------------------------------------------------------------
\342\ In addition, under the SBA's regulations, a concern's size
is measured by aggregating the relevant size metric across
affiliates. See 13 CFR 121.103(a)(6) (``In determining the concern's
size, SBA counts the receipts, employees, or other measure of size
of the concern whose size is at issue and all of its domestic and
foreign affiliates, regardless of whether the affiliates are
organized for profit.'').
---------------------------------------------------------------------------
The CFPB proposed this second criterion because it was not seeking
to use this rulemaking as a means of expending its limited supervisory
resources to examine small business concerns. The consumer digital
payments applications market is potentially broad and dynamic, with
rapid technological developments and new entrants. But many well-known
market participants have large business operations that have an impact
on millions of consumers. As explained in the Proposed Rule, in light
of its resources, the CFPB believes that it would be preferable to
focus on larger entities, instead of requiring all entities with an
annual covered consumer payment transaction volume over five million to
be subject to supervisory review under the Proposed Rule. If a
particular nonbank covered person were a small business concern
participating in this market in a manner that posed risks to consumers,
the CFPB has authority to pursue risk-based supervision of such an
entity pursuant to CFPA section 1024(a)(1)(C).\343\
---------------------------------------------------------------------------
\343\ 12 U.S.C. 5514(a)(1)(C). See generally 12 CFR part 1091
(regulations implementing CFPA section 1024(a)(1)(C)).
---------------------------------------------------------------------------
The CFPB requested comment on its proposed criteria, including
whether, instead of basing the annual volume criterion described above
on number of consumer payment transactions, it should be based on a
different metric, such as the dollar value of consumer payment
transactions, and, if so, why.
Comments Received
A few industry commenters addressed the proposed criteria of volume
of consumer payment transactions. Two industry associations and a law
firm commenter stated that the amount (value) of a consumer payment
transaction more directly correlates with risks to consumers than their
frequency (volume).\344\ In their view, if two entities have the same
transaction volume, then the one facilitating the higher dollar amount
typically poses greater risk to consumers.\345\ Thus, in the view of
one of these commenters, a test based on transaction value would better
facilitate the CFPB's operation of a risk-based nonbank supervision
program as required by CFPA section 1024(b)(2). The second commenter
stated that the CFPB should consider either a transaction value
threshold alone or in conjunction with transaction volume. In its view,
the proposal field to articulate a connection between transaction
volume and risks to consumers across the various different types of
activity in the market. The third commenter stated that either approach
could be done, but recommended the combined approach in order to ensure
the rule captures only larger participants. Finally, another industry
association stated that to profitably
[[Page 99635]]
serve lower-income consumers who conduct transactions with lower
values, companies needed to engage in higher volumes of activity; but
rather than describing this as a reason to use a different criteria, it
described this as a reason to increase the transaction volume
threshold, as discussed below.
---------------------------------------------------------------------------
\344\ The industry association commenters also stated that the
risks are different for firms that hold or transmit funds compared
to those that transmit payment instructions or act as merchant
payment processors.
\345\ At the same time, the law firm commenter indicated that,
in its view, entities with lower consumer payment transaction
volumes also generally pose less risk to consumers.
---------------------------------------------------------------------------
Some comments also addressed the proposed second criteria, an
exclusion for entities that qualified as a small business concern in
the previous year. Several commenters supported an exclusion for small
businesses in general,\346\ though some stated that the exclusion did
not change their views, discussed further below, that the proposed
consumer payment transaction volume threshold was much too low. No
commenter disagreed with excluding small business concerns from larger
participant status with respect to transactions covered by the Final
Rule.\347\ For example, two banking industry associations supported the
proposed exclusion for a small business concern. Another industry
association stated that it supported the proposed exclusion because it
believed small business concerns should be provided more flexibility
than its competitors to innovate and grow. This commenter also stated
that the rulemaking should provide a fuller explanation of its impact,
including whether the CFPB had identified any companies that exceed an
annual consumer payment transaction volume threshold but would have
qualified as small business concerns. It suggested that to the extent
that small business concerns have a volume that exceeds the proposed
threshold, this would support their view that the proposed transaction
threshold was too low. It stated that consideration would be relevant
not only with regard to the proposed threshold of five million annual
consumer payment transactions, but also to potential thresholds of 50
million and 500 million annual consumer payment transactions. It also
stated that the rule should consider what advantages a small business
concern would have as a result of such an exclusion. Another industry
association stated that the proposed small business exclusion was
inadequate for identifying larger participants in this market for
several reasons, including that the small business size standard
updates every five years are not frequent enough for this market in
light of its ongoing growth, the variety of product offerings market
participants have means they can exceed the small business threshold
even with small volumes of market activity, and, by their estimate,
even based only on the market activity alone a small or medium-sized
market participant serving approximately 220,000 consumers could exceed
the highest potentially-applicable small business concern cutoff by
charging a one percent fee on the value of the average consumer
activity levels. Finally, another industry association agreed that many
small businesses and startups have annual receipts that exceed small
business concern size standards, in light of users' average annual
digital payment transaction values (which it stated were $7,610 in
2023).
---------------------------------------------------------------------------
\346\ An individual commenter that expressed general support for
the Proposed Rule also stated that the CFPB should clarify the
methods and data sources the CFPB would use to determine small
business concern status.
\347\ Some commenters focused on the digital asset industry
stated that the exclusion would be unfair to entities not eligible
for small business status such as foreign businesses or nonprofits
or entities that may be small but ineligible for small business
concern status because they are dominant in their field.
---------------------------------------------------------------------------
Response to Comments Received
With regard to comments calling for the Final Rule to use a
criteria other than the volume of consumer payment transactions, none
of these commenters addressed the Proposed Rule's rationale for
proposing a volume rather than value-based criterion: the potential for
inflation to shrink the coverage of the rule under a value-based
criterion, and the potential for greater distortion to the extent data
relied upon included business-to-business transactions that would not
be in the market.\348\ For those reasons, the CFPB continues to favor
use of a transaction volume criterion. In addition, the CFPB agrees
with the industry comment noting that lower-income consumers have
significant adoption levels for general-use digital consumer payment
applications. Compared with consumers that have higher incomes,
smaller-dollar transactions by lower-income consumers generally would
comprise a larger share of their disposable income. Their payment
activity therefore may be better captured by a transaction volume
criterion. Finally, the CFPB disagrees with the suggestion by a few
commenters that the rule adopt an additional criteria, such as
combining transaction volume and value. That approach would increase
complexity in the administration of the rule and, given the
significantly higher consumer payment transaction volume threshold
adopted in the Final Rule discussed below, would not be necessary to
ensure the rule only identifies bona fide larger participants. In any
event, when the CFPB prioritizes entities for examination based on
indicators of risk, the CFPA provides a basis for the CFPB to consider,
among other factors, not just the number but also the value of consumer
payment transactions facilitated.\349\
---------------------------------------------------------------------------
\348\ 88 FR 80197 at 80209.
\349\ See CFPA section 1024(b)(2)(B), (E). 12 U.S.C.
5514(b)(2)(B), (E).
---------------------------------------------------------------------------
The CFPB agrees with the commenters that a small business concern
exclusion is appropriate for this larger participant rule. This
exclusion will ensure that the CPFB's exercise of its larger
participant supervisory authority under this rule does not extend to
small business concerns. The CFPB disagrees with the industry
association commenter to the extent it was suggesting this exclusion is
likely to confer undue advantages on small business concerns. As
discussed in the below section-by-section analysis of the threshold for
the larger-participant test, which the Final Rule sets at 50 million
consumer payment transactions annually, available data does not
establish that any nonbank market participant that exceeds that
threshold would qualify as a small business concern. And even if a
small business concern were to exceed the threshold, it would not
necessarily avoid CFPB supervision simply due to not qualifying as a
larger participant under this rule. For example, if its risk profile
warranted prioritization for an exam, then the CFPB also may consider
it for supervisory designation under CFPA section 1024(a)(1)(C).
Finally, with regard to comments that the exclusion is inadequate to
define larger participants (including comments stating that companies
with volumes at or slightly above the proposed threshold of five
million annual consumer payment transactions are unlikely to qualify as
small business concerns under SBA size standards), the CFPB understands
those comments to be primarily focused on the threshold for the other
proposed criteria for the larger-participant test (the annual covered
consumer payment transaction volume threshold). The CFPB further
discusses comments on that threshold below.
Final Rule
As explained further above, the Final Rule adopts the two proposed
criteria, and makes certain changes to the threshold and its
calculation, as described below.
[[Page 99636]]
Threshold
Proposed Rule
Under the Proposed Rule, a nonbank covered person would have been a
larger participant in a market for general-use digital consumer payment
applications if the nonbank covered person satisfies two criteria.
First, it must facilitate an ``annual covered consumer payment
transaction volume,'' as defined in proposed Sec. 1090.109(b)(3), of
at least five million transactions. As explained in proposed Sec.
1090.109(b)(3)(i), the volume is aggregated across affiliated
companies, as required by CFPA section 1024(a)(3)(B).\350\ Thus, the
proposed threshold included the aggregate annual volume of consumer
payment transactions facilitated by all general-use digital consumer
payment applications provided by the nonbank covered person and its
affiliated companies in the preceding year.\351\ Second, under proposed
Sec. 1090.109(b)(2) as explained above, the CFPB also proposed to
exclude from larger-participant status any entity in the proposed
market that was a small business concern in the previous calendar year
based on applicable SBA size standards.\352\ The Proposed Rule stated
that the CFPB viewed this proposed threshold and the proposed small
entity exclusion, discussed above, to be a reasonable means of defining
larger participants in this market.\353\
---------------------------------------------------------------------------
\350\ 12 U.S.C. 5514(a)(3)(B) (providing that, ``[f]or purposes
of computing activity levels under [CFPA section 1024(a)(1)] or
rules issued thereunder [including larger participant rules issued
under CFPA section 1024(a)(1)(B)], activities of affiliated
companies (other than insured depository institutions and insured
credit unions) shall be aggregated'').
\351\ The Proposed Rule noted that the available data do not
always conform to the precise market scope of covered consumer
payment transactions. For example, the data do not always
distinguish between transactions in which a business sent funds,
which would not be covered consumer payment transactions, from
transactions in which a consumer sent funds. In addition, in some
cases the data may include funds a consumer transfers between one
deposit or stored value account and another, both of which belong to
the consumer. As the Proposed Rule further noted, the analysis in
the Proposed Rule included transaction volume broadly defined, and
the CFPB cannot distinguish between this overall activity and
covered market activity (to the extent they differ). Therefore, the
analysis in the Proposed Rule may be an overestimate of covered
market activity and larger-participant status of providers of
general-use digital consumer payment applications subject to the
larger-participant threshold.
\352\ As discussed above and below, the proposed exclusion would
have applied to any nonbank that, together with its affiliated
companies, in the previous calendar year was a small business
concern based on the applicable SBA size standard listed in 13 CFR
part 121 for its primary industry as described in 13 CFR 121.107.
The SBA defines size standards using North American Industry
Classification System (NAICS) codes. The Proposed Rule noted that
the CFPB believed that many--but not all--entities in the proposed
market for general-use digital consumer payment applications are
likely classified in NAICS code 522320, ``Financial Transactions
Processing, Reserve, and Clearinghouse Activities,'' or NAICS code
522390, ``Other Activities Related to Credit Intermediation.''
Entities associated with NAICS code 522320 that have $47 million or
less in annual receipts are currently defined by the SBA as small
business concerns; for NAICS code 522390, the size standard is $28.5
million. However, the Proposed Rule noted that other entities that
the CFPB believes to be operating in the proposed market may be
classified in other NAICS codes industries that use different
standards, including non-revenue-based SBA size standards, such as
the number of employees. While the CFPB had data to estimate the SBA
size status of some market participants in the Proposed Rule, such
as publicly-traded companies, the CFPB lacked data sufficient to
estimate the SBA size status of some market participants. See SBA,
Table of Small Business Size Standards Matched to North American
Industry Classification System Codes, effective March 17, 2023,
Sector 52 (Finance and Insurance), https://www.sba.gov/document/support--table-size-standards (last visited Oct. 26, 2023).
\353\ The Proposed Rule stated that the CFPB identified
approximately 190 entities from available data that provide general-
use digital consumer payment applications and may be subject to the
Proposed Rule. Of those entities, the CFPB had data on about half
sufficient to estimate larger-participant status, including whether
those entities would be subject to the small business exclusion
built into the larger-participant test. The estimate that
approximately 17 entities would have been larger participants was
based on the set of entities for which the CFPB had sufficient
information to estimate larger participant status.
---------------------------------------------------------------------------
The CFPB estimated in the Proposed Rule that the proposed threshold
would have brought within the CFPB's supervisory authority
approximately 17 entities,\354\ about 9 percent of all known nonbank
covered persons in the market for general-use digital consumer payment
applications.\355\ The Proposed Rule noted that this was a rough
estimate because the available data on entities operating in the
proposed market for general-use digital consumer payment applications
was incomplete.\356\
---------------------------------------------------------------------------
\354\ The Proposed Rule noted that the estimate of 17 entities
excluded entities where either (1) available information indicated
that the small entity exclusion would have applied or (2) the CFPB
lacked sufficient information regarding the entity's size to assess
whether the small entity exclusion would have applied.
\355\ The Proposed Rule described in detail how the CFPB based
its market estimates on data from several sources. The CFPB obtained
transaction and revenue data from six technology platforms offering
payment services through a CFPB request pursuant to CFPA section
1022(c)(4). See CFPB 1022 Orders Press Release, supra. The CFPB was
also able to access nonpublic transaction and revenue data for
potential larger participants from the Nationwide Mortgage Licensing
System & Registry (NMLS), a centralized licensing database used by
many States to manage their license authorities with respect to
various consumer financial industries, including money transmitters.
Specifically, the CFPB accessed quarterly 2022 and 2023 filings from
nonbank money transmitters in the Money Services Businesses (MSB)
Call Reports data (for a description of the types of data reported
in MSB call reports, see NMLS, Money Services Business Call Report).
Additionally, the CFPB compiled a list of likely market
participants, as well as transaction and revenue data where
available, from several industry sources (including Elliptic
Enterprises Limited) and various public sources including the CFPB's
Prepaid Card Agreement Database, https://www.consumerfinance.gov/data-research/prepaid-accounts/search-agreements (last visited Oct.
23, 2023), company websites, press releases, and annual report
filings with the U.S. Securities and Exchange Commission.
\356\ The Proposed Rule noted that its estimate that
approximately 190 entities are participating in the market may have
been an underestimate because, for certain entities, the CFPB lacked
sufficient information to assess whether they provide a general-use
digital consumer payment application. In addition, it noted that for
some entities that are among the approximately 190 participants in
the market, the CFPB lacked sufficient information to assess whether
certain products they offer constitute a general-use digital
consumer payment application.
---------------------------------------------------------------------------
In the Proposed Rule, the CFPB anticipated that the proposed annual
covered consumer payment transaction volume threshold of five million
would have allowed the CFPB to supervise market participants that
represent a substantial portion of the market for general-use digital
consumer payment applications and have a significant impact on
consumers. Available data indicated that the market for general-use
digital consumer payment applications is highly concentrated, with a
few entities that facilitate hundreds of millions or billions of
consumer payment transactions annually, and a much larger number of
firms facilitating fewer transactions. The Proposed Rule stated that
the CFPB believed that a threshold of five million was reasonable, in
part, because it would have enabled the CFPB to cover in its nonbank
supervision program both the very largest providers of general-use
digital consumer payment applications as well as a range of other
providers of general-use digital consumer payment applications that
play an important role in the marketplace. Further, certain populations
of consumers, including more vulnerable consumers, may not transact
with the very largest providers and instead may transact with the range
of other providers that exceed the five million transaction threshold.
According to the CFPB's estimates in the Proposed Rule, the
approximately 17 providers of general-use digital consumer payment
applications that meet the proposed threshold collectively facilitated
about 12.8 billion transactions in 2021, with a total dollar value of
about $1.7 trillion. The CFPB estimated that these nonbanks were
responsible for approximately 88 percent of known transactions in the
nonbank market for general-use digital
[[Page 99637]]
consumer payment applications.\357\ At the same time, this threshold
likely would have subjected to the CFPB's supervisory authority only
entities that can reasonably be considered larger participants of the
market defined in the Proposed Rule.
---------------------------------------------------------------------------
\357\ See 88 FR 80197 at 80209-10 nn.86-91. The Proposed Rule
noted that the 88 percent estimate was calculated among all of the
entities for which the CFPB has transaction information. Id. n.92.
---------------------------------------------------------------------------
Proposed Sec. 1090.109(b)(3)(i) also would have clarified how the
activities of affiliated companies of the nonbank covered person are
included in the test when the affiliated companies also participate in
the proposed market. It provided that, in aggregating transactions
across affiliated companies, an individual consumer payment transaction
would only have been counted once even if more than one affiliated
company facilitated the transaction. It also provided that the annual
covered consumer payment transaction volumes of the nonbank covered
person and its affiliated companies would have been aggregated for the
entire preceding calendar year, even if the affiliation did not exist
for the entire calendar year.
The Proposed Rule noted that because the general-use digital
consumer payment applications market has evolved rapidly and market
participants can grow quickly, the CFPB also was not proposing a test
that is based on averaging multiple years of market activity. As a
result, if an entity has less than the threshold amount for one or more
calendar years but exceeds the threshold amount in the most recent
calendar year, it would have been a larger participant. The Proposed
Rule stated that this would have ensured that the CFPB can supervise
nonbanks that quickly become larger participants, without waiting
several years.
The Proposed Rule further stated that the CFPB was considering a
lower or higher threshold.\358\ Lowering the threshold therefore would
not have substantially increased the number of entities subject to
supervision, in part because many entities that exceed a lower
threshold would have been excluded as small entities. Thus the Proposed
Rule noted that lowering the threshold would have resulted in only a
marginal increase in market coverage. The Proposed Rule provided an
example of a higher threshold. The Proposed Rule estimated that an
annual covered consumer payment transaction volume threshold of 10
million would have allowed the CFPB to supervise approximately 14
entities, representing approximately 87 percent of activity in this
market.\359\ However, at this higher threshold the CFPB would not have
been able to supervise as varied a mix of nonbank larger participants
that, as discussed above, have a substantial impact on the full
spectrum of consumers in the market.
---------------------------------------------------------------------------
\358\ The Proposed Rule discussed an example of a lower
threshold. An annual covered consumer payment transaction volume
threshold of one million might have allowed the CFPB to supervise
approximately 19 entities, still representing approximately 88
percent of activity in this market. See id. at 80210.
\359\ See id.
---------------------------------------------------------------------------
The CFPB sought comment, including suggestions of alternatives on
the proposed threshold for defining larger participants of the market
for general-use digital consumer payment applications as defined in the
Proposed Rule.
Comments Received
Many of the industry association commenters, a law firm, and some
nonprofits stated that the proposed five million consumer payment
transaction volume threshold was too low and did not identify bona fide
larger participants. A nonprofit stated the threshold appeared designed
to maximize oversight rather than define true larger participants. Some
of these commenters stated that the proposed threshold was so low that
it would treat virtually all market participants as larger
participants, including those with very small market shares, exposing
small/mid-size companies to supervision when they cannot support the
cost of exams, and more generally stifling market entry, innovation,
and competition. These commenters generally stated that the proposal
did not adequately explain the reasoning and evidence in support of
such a threshold.\360\
---------------------------------------------------------------------------
\360\ One nonprofit commenter also encouraged the CFPB to
consider setting different thresholds in the Final Rule for what it
referred to as different sectors within the proposed market.
However, it did not state which parts of the market should be
differentiated. The CFPB generally considers comments further above
on whether to define a single market in this Final Rule. Because it
has determined to do so, it is not finalizing a larger-participant
test that works differently for different parts of the market.
---------------------------------------------------------------------------
One industry association commenter encouraged the CFPB to set the
threshold here cautiously, in consideration of the stage of this
market's development. It stated that, unlike in prior larger
participant rules, this market is in the growth stage not the maturity
stage, where data and settled expectations can be more helpful in the
development of larger-participant tests. It viewed the proposed
threshold as too low given the market's current stage and stated that a
higher threshold as necessary for properly determining the true larger
participants in the market as it matures and to allow for proper
scalability within the market without impeding competition.\361\
---------------------------------------------------------------------------
\361\ This commenter also encouraged the CFPB to conduct
periodic reviews of the threshold as the market grows to ensure it
continues to capture larger participants. The CFPB notes that it
already monitors this market, among others, as part of its statutory
functions. See 12 U.S.C. 5512(c). The CFPB will continue to monitor
this market and may consider adjustments to the threshold, to the
extent necessary or appropriate through future rulemakings.
---------------------------------------------------------------------------
Another industry association stated that the proposal of a small
business exclusion for the first time in a larger participant rule
appeared to support its concern that the proposed threshold was too
low, and still would discourage firms that are not small businesses
from entering the market. It suggested that the rulemaking should
specifically consider a volume of 50 million or 500 million annual
consumer payment transactions. It also criticized the Proposed Rule for
not making clear whether entities who were small business concerns
would have otherwise met the transaction volume threshold. It also
stated that the rule should consider a threshold more in line with the
debt collection larger participant rule, under which larger
participants comprised an estimated 63 percent of market activity.
Several industry associations offered rough estimates to illustrate
how the proposed threshold would treat firms with very small market
shares (ranging from, in their estimates, as low as 0.005 percent of
overall consumer payment transactions to no more than two percent of
app-based transactions) as larger participants, which in their view
would not make them ``larger'' participants under the statute.
Several of these commenters added that the proposed threshold would
discourage entry into the market and innovation and competition. A
nonprofit commenter suggested that the threshold would deter small and
mid-sized businesses from expanding. One of the industry associations
stated these effects could limit access to payment products for low-/
moderate-income consumers, and urged the CPFB to set the threshold
dynamically, at a level that represents a significant share of market
activity.
The law firm commenter added that the proposal would subject firms
with barely five million consumer payment transactions annually to the
same supervision as firms with hundreds of millions or billions of such
transactions, when the smaller larger participants cannot sustain the
costs of exams.
[[Page 99638]]
On the other hand, banking and credit union industry trade
associations supported the proposed five million consumer payment
transaction volume threshold to define nonbanks that are larger
participants. One of them called for periodic CFPB evaluation of this
threshold including to see whether entities may be structuring their
activities to evade it and publication of the results, while another
called for adding criteria to capture large, well-resources, fast-
growing organizations with fewer transactions.\362\ A nonprofit stated
that two thirds of its members surveyed supported the proposed
threshold, and that some of its members supported lowering the
threshold to one million annual consumer payment transactions. Some
consumer groups and part of the membership of a nonprofit also stated
that the proposed threshold was too high because, among other reasons,
some money transfer services for incarcerated people have a dominant
position within that area despite facilitating less than five million
consumer payment transactions. Other consumer groups estimated that
large firms that contract with incarceration facilities to provide
money transfer services would qualify as larger participants under the
proposed larger-participant test. They added that the CFPB should
ensure that they are subject to the CFPB's supervisory authority under
a Final Rule.\363\
---------------------------------------------------------------------------
\362\ This commenter did not offer a specific criteria for
achieving its goal, which may better be achieved through the more
flexible supervisory designation process than through a regulatory
test.
\363\ These commenters also stated that the threshold test
should include all consumer payment transactions a market
participant facilitates, even when they are not facilitated through
the digital application that made the entity a market participant.
These commenters called for counting in-person, kiosk-based, and
telephonic transfers, which they stated would qualify more
correctional money-transfer companies as larger participants, and
the test may be more efficient to administer because it would not
require breaking out which transactions occur through the digital
app channel.
---------------------------------------------------------------------------
An industry association stated that the test should be applied over
a longer period (at least two years) than the proposal (one year). They
stated that short-term fluctuations could create an inaccurate
determination of market share. They also noted that, given how the
market has been growing, the CFPB should consider a threshold that is
dynamic and grows as the market grows, so that if the market grows for
example more than ten-fold in the future, the test still would
reasonably identify larger participants. In addition, in their view, a
one-year period would not provide sufficient time for entities to
undertake the compliance improvements the proposal stated larger
participants would undertake to prepare for supervision. Another
commenter, a nonprofit, stated that an unspecified minority of its
membership suggested applying the test over multiple years.\364\
---------------------------------------------------------------------------
\364\ This commenter noted, without further elaboration, a
suggestion of at least one member to set a first-year threshold of
10 million and a second-year threshold at 5 million.
---------------------------------------------------------------------------
Several consumer groups supported aggregating activities of
affiliates for purposes of the transaction threshold in the proposed
larger-participant test. In their view, without aggregation, market
participants could avoid larger participant status by structuring
different types of consumer payment transactions, such as consumer
payment transactions using different types of stored value, through
different entities within a corporate family. However, two industry
commenters stated that the larger-participant test should not consider
activities of affiliates. An industry association stated that
aggregation would allow the CFPB to supervise activities of individual
entities whose activity levels alone do not qualify them as larger
participants, resulting in an internally contradictory result. Another
industry association stated that, to avoid covering entities with low
market shares, the rule should not count receipts of affiliates not
engaged in market activity toward the small business concern test.
Response to Comments Received \365\
---------------------------------------------------------------------------
\365\ As noted in the section-by-section analysis further above,
the CFPB is not including transfers of digital assets in the Final
Rule. The CFPB considers the above comments on the proposed
threshold in light of this update, which the Final Rule implements
through a limitation in the threshold described further below.
---------------------------------------------------------------------------
In consideration of comments on the Proposed Rule stating that the
proposed threshold of five million annual consumer payment transactions
was too low and could capture certain entities with very small market
shares, as well as the comment suggesting that the CFPB consider
thresholds of 50 million or 500 million annual consumer payment
transactions, the Final Rule adopts the significantly higher threshold
of 50 million annual consumer payment transactions. As discussed below,
this higher threshold encompasses the group of firms that have
considerably higher transaction volumes and are in the concentrated
part of the market. The CFPB finds the higher threshold to be
appropriate, considering the concentrated market structure and how a
significant number of market participants that would not qualify as
larger participants as discussed below. To the extent any firm has
activity levels at or slightly above the threshold, it may have an
individual market share of less than one percent. But such a firm still
has larger participation than the vast majority of participants.\366\
The CFPB also declines to adopt the industry association suggestion to
make the threshold dynamic because that approach would be unnecessary
and difficult to administer.\367\
---------------------------------------------------------------------------
\366\ See, e.g., Automobile Finance Larger Participant Rule, 80
FR 37496, 37515 (June 30, 2015) (``Each of the [larger participants]
provides or engages in hundreds of automobile originations each week
and falls in the top 10 percent of nonbank entities in the market
according to the Bureau's estimates. They can reasonably be
considered larger participants of the market. Some entities that
meet this threshold will have considerably less than 1 percent
market share, but that is due in large part to the fragmentation of
the market and does not change the fact [that] they are `larger'
than the vast majority of participants.'').
\367\ As noted above, to the extent necessary or appropriate,
the CFPB may adjust the threshold through future rulemakings that
may reflect shifts in the market and other data that may be
available to the CFPB.
---------------------------------------------------------------------------
For the reasons described above, the CFPB disagrees with the
comments that supported the proposed threshold of five million annual
consumer payment transactions. Based on available data, the CFPB
estimates in the Final Rule suggest that all of those nonbanks with
annual covered consumer payment transaction volume between 5 million
and 50 million combined facilitate at most a few percent of the market
activity. While some consumer groups estimated that a much higher
threshold than the CFPB proposed may not capture some firms providing
what they described as high-risk money transfer services to people who
are incarcerated, those comments also stated that other large
corporations provide a broad suite of money transfer services to people
who are and are not incarcerated alike. In any event, as discussed
above, the CFPB declines to define larger participants based on the
goal of targeting activities that may pose specific types of levels of
risk to consumers. As discussed in the section-by-section analysis of
the market definition further above, the CFPB accounts for risk when
operating its nonbank supervision program. Any nonbank covered person,
including firms providing digital services for consumers to transfer
funds to incarcerated people, can qualify as a larger participant if it
meets or exceeds the threshold in the Final Rule. And through operation
of its risk-based larger participant supervision program, the CFPB may
determine how to exercise its supervisory authority with respect to
such a larger participant. Given the number of consumers those types of
firms serve, even the higher threshold
[[Page 99639]]
that the Final Rule adopts is reasonably likely to allow it to conduct
some supervisory activities in this area.
In addition, given that the Final Rule adopts a higher threshold of
50 million annual consumer payment transactions as discussed below, the
CFPB is not persuaded by claims by some commenters that nonbank firms
would be discouraged from entry, innovation, or growth due to the
potential exposure to CFPB examinations resulting from this rule. The
CFPB notes its existing enforcement authority over market participants
generally regardless of size, their existing obligations to comply with
Federal consumer financial law regardless of size, how this rule
imposes no substantive consumer protection obligations, how the CFPB
uses a prioritization process to allocate limited supervisory resources
toward those nonbanks that pose relatively higher risks to consumers,
and that no firm that is a small business concern would incur the cost
of examination under this rule. Considering all of these factors, the
CFPB does not believe that this rule is likely to shape market
participation patterns in the way those commenters describe.
With regard to the industry association commenter asking whether
any firms would have exceeded the proposed threshold but qualified for
the small business concern exclusions, the CFPB notes that it did not
include any such firms in its estimate of 17 larger participants
because such firms would not have qualified as larger participants
under the Proposed Rule. The Final Rule discusses this question further
in the explanation below of the threshold adopted in the Final Rule.
With regard to comments on the look-back period for applying the
proposed larger-participant test, the CFPB disagrees that the rule
should apply a longer period such as two years. Fluctuations in market
participants' transaction volumes may occur over time, but if their
volumes exceed the threshold in a calendar year, then they would be
sufficient, over a long enough time period (12 months), to conclude
that the entity's market activity has been having a significant impact
on consumers. As the international money transfer larger participant
rule noted in adopting a one-year lookback period, ``[b]ecause the
criterion directly measures the number of transfers in the market, it
should not be subject to temporary fluctuations that are unrelated to
an entity's market participation.'' \368\ In addition, for this rule,
as with the international money transfer larger participant rule, the
CFPB ``believes that the single-year approach will make the Final
Rule's definitions easier to apply . . . and alleviate the concern
expressed by some commenters about the overall complexity of'' certain
provisions. For example, this is the first larger participant rule that
adopts a larger-participant test with two criteria, and the first
larger participant rule that adopts an exclusion for small business
concerns as one of the criteria. It would significantly increase
complexity in the administration of the test to judge two different
criteria, which generally are measured over a calendar year (such as
small business concern criteria measured by annual receipts) over
multiple years.\369\ Further, to the extent commenters assumed that all
entities that exceed the proposed threshold in the prior year for the
first time would face immediate examination the following year, that
assumption is an incorrect reading of the Proposed Rule. First, if the
entity were a small business concern in the previous calendar year,
under the proposed larger-participant test, it would not have qualified
as a larger participant, even if its volume of consumer payment
transactions did exceed the threshold for the first time in that same
calendar year. Second, as the Proposed Rule explained, consistent with
the CFPA, the CFPB conducts a risk-based supervision program for
nonbanks subject to supervisory authority under CFPA section 1024(a).
This includes a process for prioritizing entities for examination as
described in its public Supervision and Examination Manual cited in the
Proposed Rule and discussed in part I above. As part of that process,
where appropriate, the CFPB can consider the entity's volume of
consumer payment transactions, including the degree to which it exceeds
the transaction threshold and for how long it has exceeded that
threshold.
---------------------------------------------------------------------------
\368\ 79 FR 56631 at 56637.
\369\ Although the CFPB's first larger participant rules
averaged annual receipts over time, those rules only adopted that
single criterion (annual receipts).
---------------------------------------------------------------------------
With regard to comments on the proposal to aggregate activities of
affiliated companies, CFPA section 1024(a)(3)(B) requires aggregation
of activity across affiliated companies for purposes of determining
activity levels in larger participant rules. To clarify that the
purpose of paragraph (b)(3) is to implement that requirement, the Final
Rule adds language to the header for paragraph (b)(3) that describes
the provision as outlining the ``method'' for computing aggregate
activity levels. With regard to the industry association comment
calling for the rule to assess small business concern status without
counting receipts of affiliated companies, the CFPB disagrees. The
overall size of the business organization, including affiliates, is a
relevant reference point as the CFPB considers which types of entities
may incur the estimated cost of examination pursuant to this rule.
Final Rule
The Final Rule adopts in paragraph (b)(3) a threshold annual
covered consumer payment transaction volume of 50 million consumer
payment transactions denominated in U.S. dollars as described further
below.\370\
---------------------------------------------------------------------------
\370\ The Final Rule also makes non-substantive clarifying
revisions to paragraph (b), including identifying in paragraph (b)
that both criteria in paragraphs (b)(1) and (2) are based on the
preceding calendar year and associated revisions.
---------------------------------------------------------------------------
The CFPB estimates that seven nonbanks that are not small business
concerns have annual consumer payment transaction volumes that exceed
this threshold, that these seven nonbank firms account for
approximately eight percent of the 85 market participants for which the
CFPB has sufficient data to estimate larger participant status (and an
even lower share of the approximately 130 known market
participants),\371\ and that these
[[Page 99640]]
seven nonbank firms facilitated approximately 13.3 billion consumer
payment transactions, accounting for approximately 98 percent of the
over 13.5 billion consumer payment transactions market participants
provide.\372\ Despite the increase in the threshold, larger
participants' share of market activity also increased largely because
the nonbank market size estimate in the Final Rule does not include an
entity that the Final Rule estimates, based on further research in
response to a comment described above, may not be a nonbank covered
person.\373\
---------------------------------------------------------------------------
\371\ Due to the Final Rule's adoption of a threshold limited to
transfers of funds denominated in U.S. dollars discussed further
below, the Final Rule does not include in its estimate of nonbank
market participants firms that appear to provide consumer payment
transactions solely in the form of digital assets. The Final Rule
also does not include in this estimate two firms that public
information indicates are not nonbank market participants, as
described in n.373 below.
In addition, the estimated 130 nonbank market participants
includes four additional nonbank financial firms, as follows: (1)
Based on its review of the clarified definition of ``general use''
described above, the Final Rule has identified two nonbank financial
firms that provide payment functionalities for family and friends to
transfer funds to postsecondary students; (2) The removal of the
proposed exclusion for bill splitting in the definition of ``general
use'' described above also results in one estimated additional
nonbank market participant; and (3) Through its general activities,
the CFPB became aware of one additional nonbank providing a peer-to-
peer app-based payment functionality for a deposit account. Nonbank
financial institutions providing these services generally do not
appear to be licensed as money transmitters and the account
agreements do not appear to be filed in the CFPB's prepaid account
agreement database.
Further, as noted above and in the Proposed Rule, an entity is
included in the estimated number of nonbank market participants if
public information indicates it currently offers at least one
consumer financial product or service within the market definition;
however, for some of these 130 estimated nonbank market
participants, the CFPB lacks sufficient information to assess
whether certain other products they offer or are developing
constitute a general-use digital consumer payment application. As
also noted in the Proposed Rule, the CFPB's estimate of the number
of nonbank market participants may be an underestimate because, for
certain entities, the CFPB lacks sufficient information to assess
whether they provide a general-use digital consumer payment
application.
\372\ Due to the threshold's limitation to transfers of funds
denominated in U.S. dollars discussed further below, the Final Rule
does not include in the market transactions that the data sources
specifically identify as digital assets transactions. In addition,
as a result of that limitation on the threshold in the Final Rule,
the Final Rule does not use the transaction volume data from the
CFPB's section 1022 order responses for one of the estimated larger
participants and instead uses money service business call report
data in NMLS.
\373\ To respond to the industry association comment (described
above) asking whether any of the rulemaking's estimated nonbank
market participants would have exceeded the consumer payment
transactions volume threshold and also qualified as a small business
concern, the CFPB has reviewed public information and makes two
updates to the estimates in the Final Rule. First, the CFPB
identified one entity that would have exceeded the proposed
transaction volume threshold that the proposal did not estimate to
be a larger participant because the data sources described in the
proposal did not indicate whether the entity was a small business
concern. To respond to the comment, the CFPB reviewed public
information, which suggested the entity may not be a nonbank covered
person, and the Final Rule does not include that entity among the
estimated nonbank market participants or its transaction volume in
the market size estimate. Second, for another entity that had that
level of transaction volume and which the proposal estimated was not
a small business concern, the CFPB reviewed public information and
found that the firm had previously sold its general-use digital
consumer financial application to an unaffiliated entity, for which
the CFPB lacks data to estimate its transaction volume data or
whether it is a small business concern. Therefore, the Final Rule
does not include the selling entity among the estimated market
participants or its transaction volume in the market size estimate.
As a result of these two updates, the CFPB estimates that all
nonbank entities with data indicating over 50 million consumer
payment transactions are not small business concerns. As noted, the
CFPB still does not have transaction volume data for some market
participants; to the extent any of them have over 50 million
consumer payment transactions, it is possible they could be a small
business concern. But given that the CFPB estimates that none of the
seven nonbank firms that available transaction volume data indicates
have over 50 million consumer payment transactions are small
business concerns, it may be unlikely that if any other firms did
have a volume that exceeds the threshold, they would be a small
business concern.
---------------------------------------------------------------------------
As some commenters noted, the market continues to grow and evolve
rapidly and that some new entrants may quickly exceed the proposed
threshold of five million transactions. For the reasons explained
above, the CFPB does not believe the threshold used to define a larger
participant in this Final Rule is likely to significantly affect market
activity such as new entry, innovation, and growth. But the
significantly higher threshold the Final Rule adopts nonetheless would
provide new entrants and others with smaller volumes more room to grow
before coming under the CFPB umbrella of larger participant supervision
in this rulemaking. For example, based on the estimates in the Final
Rule at this threshold, eight fewer entities would qualify as larger
participants because their volume of consumer payment transactions
falls between 5 and 50 million annual consumer payment transactions
(and another two are no longer estimated to be nonbank market
participants, as noted above). Yet, the remaining entities that the
CFPB estimates qualify as larger participants under the higher
threshold adopted in the Final Rule still account for approximately 98
percent of the market activity as noted above. In addition, this higher
threshold would allow CFPB supervision to focus more consistently on
nonbank firms that account for almost all market activity including the
part of the market that the Proposed Rule described as ``highly
concentrated, with a few entities that facilitate hundreds of millions
or billions of consumer payments annually[.]'' \374\ At the same time,
based on its estimates, the CPFB finds that the higher threshold still
would serve the goal described in the Proposed Rule of covering larger
participants that serve a mix of consumer populations including more
vulnerable consumers such as justice-involved individuals as well as
lower-income consumers and the unbanked or underbanked populations more
generally. In any event, because the seven nonbank firms that the CFPB
estimates would be larger participants at the threshold of 50 million
account for approximately 98 percent of market activity, the CFPB does
not believe that adopting a lower threshold that would cover additional
market activity would be warranted. The CFPB also does not believe that
it would be appropriate to adopt a threshold that would result in
substantially less market activity being covered, such as the estimated
63 percent in the consumer debt collection rulemaking that one industry
association commenter suggested the CPFB consider here. As that
rulemaking noted, the data used to estimate overall market activity
included receipts from the collection of medical debt, which were not
included in the larger-participant test.\375\ As a result, the
circumstances surrounding that estimate in that rule were unique to
that rule and that test. In addition, due to the highly-concentrated
nature of the market described above, adopting any higher threshold
(even 500 million transactions, as one commenter suggested the CFPB
consider) would not significantly reduce larger participants' share of
market activity. A threshold of 500 million transactions would result
in an estimated four larger participants with an estimated 96 percent
share of market activity. The CFPB also does not seek to adopt a
threshold at a level that is so high that it only captures the few
largest participants, which would have the incongruous effect of
treating only the largest participants as ``larger'' participants, and
in any event would not achieve the CFPB's stated goal of covering a mix
of activities described above.
---------------------------------------------------------------------------
\374\ 88 FR 80197 at 80210.
\375\ 77 FR 65775, 65788 n.98.
---------------------------------------------------------------------------
In addition to increasing the threshold as described above, the
Final Rule limits the definition of ``annual covered consumer payment
transaction volume'' to transactions denominated in U.S. dollars. With
this clarification (and a corresponding edit to paragraph (b)(3)(i)),
the larger-participant test in this Final Rule excludes transfers of
digital assets, including crypto-assets such as Bitcoin and
stablecoins. For the reasons discussed in the section-by-section
analysis of ``consumer payment transaction'' above, the Final Rule
excludes these transactions from the threshold to ensure the
administrability of the larger-participant test while the CPFB
continues to monitor developments in the market for consumer payments
involving digital assets.
VI. Effective Date of Final Rule
The Administrative Procedure Act generally requires that rules be
published not less than 30 days before their effective dates.\376\ In
the Proposed Rule, the CFPB proposed that, once issued, the Final Rule
for this proposal would be effective 30 days after the Final Rule is
published in the Federal Register. For the reasons discussed below, in
consideration of the comments, the Final Rule adopts that effective
date.
---------------------------------------------------------------------------
\376\ 5 U.S.C. 553(d).
---------------------------------------------------------------------------
Comments Received
An industry trade association stated that nonbanks would need at
least 90
[[Page 99641]]
days from publication in the Federal Register to prepare for CFPB
supervision. This commenter stated that some companies may not have
reasonable notice from the Proposed Rule that they are participating in
the proposed market. The commenter also pointed to effective date
periods of 60 or more days in previous larger participant rules as a
precedent. A law firm made similar points in support of its view that a
60-day pre-effective date period is needed. It also noted that the
rationale the CFPB adopted in the consumer reporting larger participant
rule for a 60-day period--including recognizing the need for entities
that have never been examined to conduct training to prepare for the
CFPB examination process \377\--also applies here.\378\ Finally,
although two trade associations representing depository institutions
and a trade association representing credit unions called for the CFPB
to use or develop examination procedures for larger participants in a
manner consistent with its procedures for examining banks and credit
unions, they did not call for extending the effective date period.
---------------------------------------------------------------------------
\377\ See 77 FR 65775 at 65778-79 & n.30 (consumer debt
collection larger participant rule adopting rationale for a 60-day
effective date period in the consumer reporting larger participant
rule, recognizing that ``companies affected by the Consumer
Reporting Rule might not previously have been supervised at the
Federal or State level'').
\378\ A digital assets payment provider stated that a two-year
implementation period would be needed to allow these types of firms
and the CFPB time to prepare for supervision. A digital assets
industry trade association stated that firms in this area would need
more time to assess whether they are larger participants. The Final
Rule does not include digital assets in the larger-participant test
and therefore those issues are not relevant to setting the effective
date.
---------------------------------------------------------------------------
Response to Comments Received
The CFPB disagrees that additional time, beyond the minimum 30-day
period prescribed by the APA noted above, is necessary before this
Final Rule can take effect. Larger participant rules do not impose
substantive consumer protection obligations. Although larger
participants might choose to increase their compliance with Federal
consumer financial law in response to the possibility of supervision,
market participants are already obligated to comply, and should already
comply with, applicable Federal consumer financial law, regardless of
whether they are subject to supervision. Thus, entities that qualify as
larger participants under the Final Rule should not require additional
time to come into compliance with Federal consumer financial law.
Moreover, the CFPB designs its examination procedures and process to
allow companies a reasonable amount of time to provide responses to
information requests before examiners begin the examination. This is in
addition to a 45-day period in which the entity may challenge the
assertion that it is a larger participant under 12 CFR 1090.103(a). In
addition, the CFPB believes that many larger participants have
examination experience at the State level, and in some cases with the
CFPB.\379\ As noted in the Proposed Rule, some larger participants may
already be subject to CFPB examination authority, including but not
limited to as larger participants pursuant to the international money
transfer larger participant rule. For all of these reasons, the CFPB
disagrees that a later effective date is necessary to allow companies
more time to prepare for CFPB supervision.\380\
---------------------------------------------------------------------------
\379\ The law firm commenter's claim that many larger
participants have not previously been examined was not supported by
examples or specifics. It was unclear whether the commenter was
considering examination at the State level, which was part of the
rationale for the 60-day effective date in the consumer reporting
larger participant rule as noted above. As noted above, many
industry commenters stated that many market participants are money
transmitters subject to examination at the State level.
\380\ With regard to an individual commenter's suggestion of a
two-phased adoption process, prior rules have not taken that
approach and the CFPB believes it is not warranted here since, as
noted above, larger participant rules do not impose substantive
consumer protection obligations, and the Final Rule does not include
digital assets transactions.
---------------------------------------------------------------------------
VII. Dodd-Frank Act Section 1022(b) Analysis
A. Overview
In developing this Final Rule, the CFPB has considered the
potential benefits, costs, and impacts of the Rule as required by
section 1022(b)(2) of the CFPA.\381\ The Proposed Rule set forth a
preliminary analysis of these effects, and the Bureau requested and
received comments on the topic.
---------------------------------------------------------------------------
\381\ Specifically, CFPA section 1022(b)(2)(A) calls for the
Bureau to consider the potential benefits and costs of a regulation
to consumers and covered persons, including the potential reduction
of access by consumers to consumer financial products or services;
the impact on insured depository institutions and insured credit
unions with $10 billion or less in total assets as described in CFPA
section 1026; and the impact on consumers in rural areas. The manner
and extent to which the provisions of 12 U.S.C. 5512(b)(2) apply to
a rulemaking of this kind that does not establish standards of
conduct are unclear. Nevertheless, to inform this rulemaking more
fully, the CFPB performed the analysis described in those provisions
of the CFPA.
---------------------------------------------------------------------------
The CFPB is issuing this Rule to establish supervisory authority
over larger participants in the defined market for general-use digital
consumer payment applications. Participation in this market will be
measured on the basis of the aggregate number of annual consumer
payment transactions denominated in U.S. dollars that a nonbank
facilitates through general-use digital consumer payment applications,
defined in the Final Rule as ``annual covered consumer payment
transaction volume.'' If a nonbank covered person, together with its
affiliated companies, has an annual covered consumer payment
transaction volume (measured for the preceding calendar year) of at
least 50 million and is not a small business concern, it will be a
larger participant in the market for general-use digital consumer
payment applications. As prescribed by existing Sec. 1090.102, any
nonbank covered person that qualifies as a larger participant will
retain larger participant status until two years from the first day of
the tax year in which the person last met the larger-participant
test.\382\
---------------------------------------------------------------------------
\382\ 12 CFR 1090.102.
---------------------------------------------------------------------------
B. Baseline for Analysis and Data Limitations
The discussion below relies on information that the CFPB has
obtained from industry, other regulatory agencies, and publicly-
available sources, as well as on CFPB expertise. These sources form the
basis for the CFPB's consideration of the likely impacts of the Final
Rule. The CFPB provides estimates, to the extent possible, of the
potential benefits and costs to consumers and covered persons of this
Final Rule, against a baseline in which the CFPB takes no action. This
baseline includes the current state of the market and existing
regulation, including the CFPB's existing rules defining larger
participants in certain markets.\383\ Many States have supervisory
programs relating to money transfers, which may consider aspects of
Federal consumer financial law.\384\ Federal prudential regulators'
supervisory programs for banks also may extend to certain nonbank
service providers, and may consider aspects of Federal consumer
financial law related to the banking institutions subject to the
jurisdiction of
[[Page 99642]]
those regulators. However, the activities of larger participants in
this market extend beyond State-regulated money transmitting and acting
as service providers to banks. In addition, at present and other than
the CFPB's activities, no program for supervision of nonbanks that
participate in the general-use digital consumer payment applications
market is dedicated exclusively to promoting compliance with Federal
consumer financial law.
---------------------------------------------------------------------------
\383\ See, e.g., 12 CFR 1090.107 (defining larger participants
of a market for international money transfers subject to the CFPB's
supervisory authority under 12 U.S.C. 5514(a)(1)(B)). The CFPB has
discretion in any rulemaking to choose an appropriate scope of
analysis with respect to potential benefits and costs and an
appropriate baseline. The CFPB, as a matter of discretion, has
chosen to describe a broader range of potential effects to inform
the rulemaking more fully.
\384\ The Financial Crimes Enforcement Network's (FinCEN)
Federal regulation of money transmitters generally does not apply
Federal consumer financial law.
---------------------------------------------------------------------------
To the extent that this rule establishes supervisory authority over
entities or their activities that already are subject to State or
Federal supervisory oversight, as discussed in parts I and V above, the
CFPB coordinates with the applicable State and Federal regulators in
the operation of its risk-based nonbank supervision program to prevent
unnecessary duplication and burden. To the extent that entities already
are subject to the CFPB's supervisory authority (such as entities
subject to supervision as service providers under section 1025(d) or
1026(e) of the CFPA or larger participants under a prior larger
participant rulemaking), this rule will establish an additional basis
for the CFPB to supervise those entities.
The CFPB notes at the outset that limited data are available with
which to quantify the potential benefits, costs, and impacts of the
Final Rule. As described above, the CFPB has utilized various sources
for quantitative information on the number of market participants,
their annual revenue, and their number and dollar volume of
transactions.\385\ However, the CFPB lacks detailed information about
their rate of compliance with Federal consumer financial law and about
the range of, and costs of, compliance mechanisms used by market
participants. Further, as noted above in the section-by-section
analysis of the threshold for the larger participant test, the CFPB
lacks sufficient information on approximately one-third of known market
participants necessary to estimate their larger-participant
status.\386\ Compared to the lower threshold test of five million
annual transactions that the CFPB proposed in the Proposed Rule, it is
less likely that those entities would be larger participants at the
higher threshold test of 50 million annual transactions in the Final
Rule.
---------------------------------------------------------------------------
\385\ See section-by-section analysis of Sec. 1090.109(b).
\386\ As stated above, the CFPB estimates that approximately 130
entities operate in the market for providing general-use digital
consumer payment applications as defined in the Final Rule. Of those
entities, the CFPB has data on roughly two-thirds sufficient to
estimate larger-participant status, including whether those entities
would be subject to the exclusion for small business concerns. The
CFPB estimates that approximately seven of those would be larger
participants under the larger-participant test defined in the Final
Rule.
---------------------------------------------------------------------------
In light of these data limitations, this analysis generally
provides a qualitative discussion of the benefits, costs, and impacts
of the Final Rule. General economic principles, together with the
limited data that are available and the CFPB's experience operating its
supervision program, provided insight into these benefits, costs, and
impacts. Where possible, the CFPB has made quantitative estimates based
on these principles and data as well as on its experience of
undertaking supervision in other markets.
C. General Comments Received on the 1022(b) Analysis
Several industry commenters and some Members of Congress generally
asserted that the cost-benefit analysis for the proposal was
inadequate. For example, three industry associations stated that the
proposal overlooked various direct and indirect costs associated with
supervision and that it underestimated the costs, or that it
opportunistically framed the costs and benefits, or that it overstated
benefits of supervision with respect to larger participants that are
not ``financial institutions'' under Regulation E implementing the EFTA
and Regulation P implementing the GLBA. One industry association
commenter referenced the cost to what it referred to as custodial and
non-custodial cryptocurrency-asset wallet developers to change their
business model in order to collect and verify identity and transaction
information. Another industry association commenter stated that the
cost of any new regulation, including this Rule, would be incorporated
into production costs and passed on to the consumer. Similarly, another
industry association commenter claimed the CFPB failed to explain how
expanding its supervisory authority would bring about consumer benefits
from increased compliance. In addition, a company commenter claimed
that the proposal failed to account for all costs, to accurately
quantify the benefits and costs, and to find that the benefits would
outweigh the costs of the Rule. A law firm commenter stated that the
costs of CFPB examinations would outweigh benefits to consumers for
firms at or near the proposed threshold of five million
transactions.\387\
---------------------------------------------------------------------------
\387\ Some commenters stated that the CFPB should conduct
separate cost-benefit analyses for what they characterized as
disparate markets. The CFPB responds to comments on the market
definition above, in Sec. 1090.109(a)(1). This section analyzes the
costs and benefits of the Rule for the market defined in the Final
Rule.
---------------------------------------------------------------------------
The CFPB disagrees with the general assertion that its
consideration of benefits and costs under section 1022(b) of the CFPA
in the proposal was inadequate. The CFPB conducted a thorough analysis
of the reasonably-available data to estimate and quantify benefits and
costs to the extent possible. As noted in the proposal as well as
above, where data do not support reliable quantitative estimates, the
CFPB has qualitatively discussed potential benefits and costs based on
general economic principles and its experience engaging in supervisory
activities in other markets. The CFPB has provided additional responses
to particular comments below, and where appropriate has updated its
consideration of the Rule's benefits and costs in response to comments.
For example, some industry commenters provided additional information
on wages and salaries as well as predictions of larger participants'
likely future staffing levels for CFPB supervisory examinations in this
market and the CFPB has incorporated this information into cost
calculations below. The CFPB notes that the general criticism of a lack
of quantification generally was not accompanied by submissions of data
that would aid in further quantifying potential costs or benefits that
were not quantified in the proposal.\388\
---------------------------------------------------------------------------
\388\ The Proposed Rule sought ``submissions of additional data
that could inform the CFPB's analysis of the costs, benefits, and
impacts of the Proposed Rule.'' 88 FR 80197, 80211.
---------------------------------------------------------------------------
Above and further below, the Rule discusses how expanding the
supervisory authority of the CFPB to cover this market will help
increase compliance.
D. Potential Benefits and Costs to Consumers and Covered Persons
The discussion below describes three categories of potential
benefits and costs. First, the Final Rule authorizes the CFPB's
supervision of larger participants of a market for general-use digital
consumer payment applications. Larger participants of the market may
respond to the possibility of CFPB supervision by changing their
compliance systems and conduct, and those changes may result in costs,
benefits, or other impacts. Second, if the CFPB undertakes supervisory
activity of specific larger participant providers of general-use
digital consumer payment applications, those entities may incur costs
from responding to supervisory activity, and the results of these
[[Page 99643]]
individual supervisory activities also may produce benefits and costs.
Third, the CFPB analyzes the costs that might be associated with
entities' efforts to assess whether they would qualify as larger
participants under the Rule.
1. Benefits and Costs of Responses to the Possibility of CFPB
Supervision Conducting an Examination or Other Supervisory Activities
The Final Rule subjects larger participants of a market for
general-use digital consumer payment applications to CFPB supervision.
As described in the Proposed Rule, that the CFPB will be authorized to
undertake supervisory activities with respect to a nonbank covered
person who qualifies as a larger participant would not necessarily mean
that the CFPB would in fact undertake such activities regarding that
covered person in the near future. Rather, the CFPB generally would
examine certain larger participants on a periodic or occasional basis.
The CFPB's decisions about supervision are informed, as applicable, by
the factors set forth in CFPA section 1024(b)(2) \389\ relating to the
size and transaction volume of larger participants, the risks to
consumers created by their provision of consumer financial products and
services, the extent of State consumer protection oversight, and other
factors the CFPB may determine are relevant. Part I of the Final Rule
provides additional background on the CFPB's risk-based prioritization
process (including how it considers field market intelligence), which
is not the subject of this rulemaking. Each entity that believes it
qualifies as a larger participant will know that it is subject to CFPB
supervision and might gauge, given its circumstances, the likelihood
that the CFPB would initiate an examination or other supervisory
activity.
---------------------------------------------------------------------------
\389\ 12 U.S.C. 5514(b)(2).
---------------------------------------------------------------------------
The prospect of potential CFPB supervisory activity could create an
incentive for larger participants to allocate additional resources and
attention to compliance with Federal consumer financial law,
potentially leading to an increase in the level of compliance. They
might anticipate that by doing so (and thereby decreasing risk to
consumers), they could decrease the likelihood of their actually being
subject to supervisory activities as the CFPB evaluated the factors
outlined above. In addition, an actual examination would be likely to
reveal past or present noncompliance, which the CFPB could seek to
correct through supervisory activity or, in some cases, enforcement
actions. Larger participants therefore might judge that the prospect of
CFPB supervision increases the potential consequences of noncompliance
with Federal consumer financial law, and they might seek to decrease
that risk by taking steps to identify and cure or mitigate any
noncompliance before the CFPB conducts an examination.
The CFPB believes it is likely that many larger participants would
increase compliance in response to the CFPB's supervisory activity
authorized by the Final Rule. However, because the Final Rule itself
would not require any provider of general-use digital consumer payment
applications to take such action, any estimate of the amount of
increased compliance would require both an estimate of current
compliance levels and a prediction of market participants' behavior in
response to a Final Rule. The data that the CFPB currently has do not
support a specific quantitative estimate or prediction. But, to the
extent that nonbank entities allocate resources to increasing their
compliance in response to the Final Rule, that response would result in
both benefits and costs.\390\
---------------------------------------------------------------------------
\390\ Another approach to considering the benefits, costs, and
impacts of the Proposed Rule would be to focus almost entirely on
the supervision-related costs for larger participants and related
benefits of any increased compliance resulting from examination
activity and omit a broader consideration of the benefits and costs
of increased compliance by entities in anticipation of such
examination activity. As noted above, the CFPB has, as a matter of
discretion, chosen to describe a broader range of potential effects
to inform the rulemaking more fully.
---------------------------------------------------------------------------
Benefits From Increased Compliance Based on Possibility of CFPB
Examination
Increased compliance with Federal consumer financial laws by larger
participants in the market for general-use digital consumer payment
applications would be beneficial to consumers who use general-use
digital payment applications. Increasing the rate of compliance with
Federal consumer financial laws would benefit consumers and this market
by providing more of the protections mandated by those laws.
Entities are aware that the CFPB would be examining for compliance
with applicable provisions of Federal consumer financial laws,
including the EFTA and its implementing Regulation E, as well as the
privacy provisions of the GLBA and their implementing Regulation
P.\391\ In addition, the CFPB would be examining for whether larger
participants of the market for general-use digital consumer payment
applications engage in unfair, deceptive, or abusive acts or
practices.\392\ Conduct that does not violate an express requirement of
another Federal consumer financial law may nonetheless constitute an
unfair, deceptive, or abusive act or practice. To the extent that any
provider of general-use digital consumer payment applications is
currently engaged in any unfair, deceptive, or abusive acts or
practices, the cessation of the unlawful act or practice would benefit
consumers. Providers of general-use digital consumer payment
applications might improve compliance policies and procedures in
response to possible supervision in order to avoid engaging in unfair,
deceptive, or abusive acts or practices.
---------------------------------------------------------------------------
\391\ The CFPB also can supervise larger participants for other
Federal consumer financial laws that apply, including rules that
have recently taken effect, such as the CFPB's nonbank registration
regulation at 12 CFR part 1092, or for which compliance is mandatory
in the future, such as its Personal Financial Data Rights Rule.
\392\ 12 U.S.C. 5531.
---------------------------------------------------------------------------
The possibility of CFPB supervision also may help to make
incentives to comply with Federal consumer financial laws more
consistent between the likely larger participants and insured banks and
insured credit unions, which are subject to Federal supervision with
respect to Federal consumer financial laws. Although some nonbank
market participants already are subject to State supervision and also
may be supervised by Federal prudential regulators in certain
capacities, introducing the possibility of Federal supervision that
applies to market activities regardless of the degree to which they are
subject to State or Federal prudential regulatory oversight could
encourage nonbanks that likely are larger participants to devote
additional resources to compliance. It also could help to ensure that
the benefits of Federal oversight reach consumers who do not have ready
access to bank-provided general-use digital consumer payment
applications.
Comments Concerning Benefits of Increased Compliance Based on
Possibility of CFPB Examination
Two industry association commenters expressed doubt about whether
there would be benefits to consumers from larger participants
increasing compliance with Federal consumer financial laws in
anticipation of a possible CFPB supervisory examination due to the data
gaps described in the proposal and the lack of an estimate regarding
the number of supervisory examinations the CFPB plans to undertake in
any given year. These commenters moreover suggested that companies that
believe they are larger participants will have to assume they
[[Page 99644]]
will be examined such that all potential larger participants would
experience the increased anticipation cost associated with being
subject to the rule.
Response to Comments
With respect to data gaps in the analysis of larger participant
status, the CFPB notes that larger participants likely possess more
information than the CFPB regarding their own transaction volume,
revenue and/or employee counts necessary to determine their larger
participant status. The CFPB expects the higher threshold of 50 million
annual transactions to reduce uncertainty among potential larger
participants as to their larger participant status. While the CFPA and
CFPB regulations thereunder do not require larger participants to
prepare for the examination process before they receive notice of an
actual examination, the CFPB believes it is plausible that many larger
participants would respond to the incentives described above as part of
their risk-management strategy, especially if they expect there to be a
reasonable chance of examination in the near future. Commenters did not
offer evidence to the contrary. Part V of the Final Rule above provides
additional discussion of general comments concerning the Final Rule's
promotion of compliance with Federal consumer financial law.
Costs of Increased Compliance Based on Possibility of CFPB Examination
To the extent that nonbank larger participants would decide to
increase resources dedicated to compliance in response to the
possibility of increased supervision, the entities would bear any cost
of any changes to their systems, protocols, or personnel. Whether and
to what extent entities would increase resources dedicated to
compliance and/or pass those costs on to consumers would depend not
only on the entities' current practices and the changes they decide to
make, but also on market conditions. The CFPB lacks detailed
information with which to predict the extent to which increased costs
would be borne by providers or passed on to consumers, to predict how
providers might respond to higher costs, or to predict how consumers
might respond to increased prices, and commenters did not provide such
detailed information in their comments. The CFPB further considers and
responds to related comments about the cost of compliance enhancements
below.
2. Benefits and Costs of Individual Supervisory Activities
In addition to the responses of larger participants anticipating
supervision, the possible consequences of the Final Rule would include
the responses to and effects of individual examinations or other
supervisory activity that the CFPB might conduct with respect to larger
participants in the market for general-use digital consumer payment
applications.
Benefits of Supervisory Activities
In the CFPB's experience, supervisory activity generally provides
several types of benefits. As discussed above, the CFPB operates a
risk-based nonbank supervision program, and prioritizes markets and
individual entities for supervisory activity on the basis of a risk
assessment that considers the factors listed in CFPA section
1024(b)(2). Due to this risk-based approach, in the CFPB's experience,
the CFPB's nonbank supervisory activities often uncover compliance
deficiencies indicating harm or risks of harm to consumers.\393\ In its
supervision and examination program, the CFPB generally prepares a
supervisory letter or report of each examination. The CFPB shares
examination findings with the supervised entity because one purpose of
supervision is to inform the entity of problems detected by examiners.
Thus, for example, an examination may find evidence of widespread
noncompliance with Federal consumer financial law, or it may identify
specific areas where an entity has inadvertently failed to comply, or
it may identify weaknesses in compliance management systems including
policies and procedures. These examples are only illustrative of the
kinds of information an individual examination may identify.
---------------------------------------------------------------------------
\393\ See, e.g., response to general comments in part V above
citing examples of Supervisory Highlights issues that identified
compliance deficiencies, violations of Federal consumer financial
law, and risks of violations of Federal consumer financial law by
nonbank covered persons, including larger participants in other
markets.
---------------------------------------------------------------------------
Detecting and informing supervised entities about such problems is
generally beneficial to consumers including by identifying issues
before they become systemic or cause significant harm. When the CFPB
notifies entities about risks or noncompliance associated with aspects
of their activities, the entities are expected to adjust their
practices to reduce those risks. In the CFPB's experience, those
responses frequently result in increased compliance with Federal
consumer financial law, with benefits like those described above in
connection with the possibility of CFPB examination. However, the
benefits in connection with individual supervisory activities may be
greater because the CFPB often will identify specific acts or practices
that violate Federal consumer financial law and direct specific
corrective actions including compliance improvements as well as
restitution and remediation. For more than a decade, the CFPB has
regularly described these corrective actions, including by larger
participants, in its Supervisory Highlights publication.\394\ Such
responses can also avert violations that would have occurred if CFPB
supervision did not detect the risk or noncompliance promptly. In some
circumstances, the CFPB also informs entities about acts or practices
that risk violating Federal consumer financial law. Action to reduce
those risks is also a benefit to consumers.
---------------------------------------------------------------------------
\394\ See, e.g., id.; see also Supervisory Highlights (website
compendium of all of these publications), supra, at https://www.consumerfinance.gov/compliance/supervisory-highlights/ (last
visited Oct. 17, 2024).
---------------------------------------------------------------------------
Given the obligations providers of general-use digital consumer
payment applications have under Federal consumer financial law and the
existence of efforts to enforce such laws, including by the CFPB and
States,\395\ and based on the CFPB's supervisory experience in other
markets, the CFPB also expects that the results of CFPB supervision
will benefit larger participants under supervision by detecting
compliance problems early. When an entity's noncompliance results in
litigation or an enforcement action, the entity must face both the
costs of defending its action and the penalties for noncompliance,
including potential liability to private plaintiffs. The entity must
also adjust its systems to ensure future compliance. Changing practices
that have been in place for long periods of time can be expected to be
relatively difficult because they may be severe enough to represent a
serious failing of an entity's systems. Supervision may detect flaws at
a point when correcting them would be relatively inexpensive. Catching
problems early, in some situations, can forestall costly litigation. To
the extent early correction limits the amount of consumer harm caused
by a violation, it can help limit the cost of redress. In short,
supervision is likely to benefit providers of general-use digital
consumer payment applications under
[[Page 99645]]
supervision by, in the aggregate, reducing the need for other more
expensive activities to achieve compliance.\396\
---------------------------------------------------------------------------
\395\ See, e.g., CFPB, Interpretive Rule, Authority of States to
Enforce the Consumer Financial Protection Act of 2020, 87 FR 31940
(May 26, 2022) (interpreting CFPA section 1042 and related
provisions).
\396\ Further potential benefits to consumers, covered persons,
or both might arise from the CFPB's gathering of information during
supervisory activities. The goals of supervision include informing
the CFPB about activities of market participants and assessing risks
to consumers and to markets for consumer financial products and
services. The CFPB may use this information to improve regulation of
consumer financial products and services and to improve enforcement
of Federal consumer financial law, in order to better serve its
mission of ensuring consumers' access to fair, transparent, and
competitive markets for such products and services. Benefits of this
type would depend on what the CFPB learns during supervision and how
it uses that knowledge. For example, because the CFPB might examine
a number of larger participants in the market for general-use
digital consumer payment applications, the CFPB would build an
understanding of how effective compliance systems and processes
function in that market.
---------------------------------------------------------------------------
Comments Regarding Benefits to Compliance
The CFPB received differing comments regarding the potential
compliance benefits of the Rule. Three nonprofits and one company
commented that the proposal lacked support for the claimed benefit to
consumers from increased compliance because the CFPB failed to
demonstrate a baseline lack of compliance with Federal consumer
financial laws. For example, one commenter stated that the proposal did
not provide data to show that supervision and compliance positively
correlate with consumer welfare. The company commenter criticized that
the Bureau did not explain how much compliance there currently is and
how much incremental compliance would be achieved by supervision. None
of these commenters provided additional information that would aid in
quantifying current compliance levels. In contrast, other commenters,
including consumer groups, an industry commenter, and a group of State
attorneys general, discussed related and additional potential benefits
of the Rule without quantifying these specifically, including: ensuring
compliance of payment applications and digital wallet providers with
EFTA and the error resolution responsibilities of Regulation E; the
improved ability of the CFPB to coordinate with State regulators to
prevent or address violations of the prohibition against unfair,
deceptive, and abusive acts and practices; effective oversight of
compliance with the privacy provisions of the GLBA in order to address
data privacy issues imposed by digital payment applications; and an
improved ability of the CFPB to monitor payment fraud, which one
consumer advocate commenter described as extremely common.
Three industry association commenters claimed that the proposal
overstated the benefits of supervision under the Federal consumer
financial laws it referenced because, commenters asserted, many market
participants are not financial institutions under the EFTA and GLBA and
their respective implementing regulations, and the Rule would therefore
not have the stated compliance benefits for consumers of the products
of those firms. Similarly, another industry association and one company
asserted that pass-through wallets or payment method wallets are not
subject to Regulation E.
Two of the above-mentioned commenters from industry associations
further stated that the proposal overstated benefits to consumers of
supervision due to already-existing State and Federal oversight that
they argued would be duplicative of the additional oversight
established by this Rule. In contrast, several State attorneys general
submitted a comment letter stating that the Rule would help existing
regulatory oversight efforts in the market and would allow Federal and
State authorities to coordinate to prevent unlawful conduct.
Response to Comments
The CFPB agrees with several commenters that this Rule provides
potential benefits to consumers that may arise through increased
supervision for compliance with Federal consumer financial laws
including the CFPA's prohibition against unfair, deceptive, and abusive
acts and practices, EFTA and Regulation E, and Regulation P and the
privacy protections of the GLBA.
The CFPB disagrees with comments suggesting that the CFPB must
estimate or quantify the baseline level of non-compliance in the market
in order to conclude that the Rule is likely to increase compliance.
Such comments are inconsistent with the CFPB's supervisory experience.
As discussed above, the CFPB's risk-based supervision program is
designed to prioritize supervisory activity among nonbank covered
persons on the basis of risk, and thus to focus on those activities
where consumers have the greatest potential to be harmed. Further,
following the issuance of its five prior larger participant rules, the
CFPB has successfully used its supervisory authority to detect
violations and promote compliance in each of the markets covered by
those rules, as reflected in its Supervisory Highlights
publication.\397\ Above, the CFPB provides additional discussion of
comments concerning the Final Rule's promotion of compliance with
Federal consumer financial law, including comments stating that the
CFPB should measure the baseline level of non-compliance before issuing
this Rule.
---------------------------------------------------------------------------
\397\ See CFPB, Supervisory Highlights (website compendium of
all of these publications), at https://www.consumerfinance.gov/compliance/supervisory-highlights/ (last visited Oct. 17, 2024).
---------------------------------------------------------------------------
With respect to comments that some market participants are not
financial institutions subject to EFTA and GLBA, as discussed in the
section-by-section analysis above, this rulemaking does not prescribe
substantive consumer protections or otherwise determine the scope of
those laws. Regardless, supervision of those entities that are
financial institutions for their compliance with those laws will still
benefit consumers. More broadly, the Bureau will examine whether larger
participants in the market for general use digital payment applications
engage in unfair, deceptive, or abusive acts or practices.\398\ As
covered persons, larger participants are subject to the CFPA's
prohibition against such acts and practices. To the extent that any
larger participant or its service provider currently is engaged in any
such act or practice, the cessation of the unlawful act or practice
will benefit consumers.\399\
---------------------------------------------------------------------------
\398\ 12 U.S.C. 5531.
\399\ The CFPB Supervision and Examination Manual provides
further guidance to CFPB examiners on how the prohibition against
unfair, deceptive, and abusive acts and practices applies to
supervised entities. See CFPB Supervision and Examination Manual,
part II.C (UDAAP statutory-based procedures).
---------------------------------------------------------------------------
With respect to comments regarding existing oversight, as discussed
further above, the CFPB agrees with the group of State attorneys
general who stated that the rule would help existing regulatory
oversight efforts in the market and would allow Federal and State
authorities to coordinate to prevent unlawful conduct. The CFPB
disagrees with comments suggesting that the CFPB's supervision will be
duplicative of existing State and other Federal regulatory oversight.
As discussed further above, in the response to general comments on this
topic in the section-by-section analysis of the Final Rule, and in the
background section of the rule in part II, the CFPB coordinates its
supervisory activities with Federal prudential regulators, the FTC, and
States in order to avoid duplication. Furthermore, there is currently
no Federal program for supervision of nonbank covered persons in the
market for general-use digital consumer
[[Page 99646]]
payment applications with respect to Federal consumer financial law
compliance, and this Rule will fill that gap.
Costs of Supervisory Activities
The potential costs of actual supervisory activities would arise in
two categories. The first category would be the cost to individual
larger participants of supporting supervisory activity itself. The
second category would involve any costs to individual larger
participants of increasing compliance in response to the CFPB's
findings during supervisory activity and to supervisory actions. These
costs in the second category, discussed further below, would be similar
in nature to the possible compliance costs based on the possibility of
CFPB examination, described above, that larger participants in general
may incur in anticipation of possible supervisory actions. This
analysis will not repeat that discussion. As the CFPB Supervision and
Examination Manual notes, the reason entities need a sound compliance
management system is ``[t]o maintain legal compliance'' with Federal
consumer financial law.\400\ That is the case regardless of whether the
entity is examined by the CFPB. For that reason, if a company already
has established a sound compliance management system or improves that
system in anticipation of possible CFPB supervisory actions as
discussed above, then it is less likely to incur the costs in this
second category described further below in response to actual CFPB
supervisory activities.\401\
---------------------------------------------------------------------------
\400\ See CFPB Supervision and Examination Manual, part II.A
(compliance management review examination procedures).
\401\ A comment by an industry association stated that the
proposal's estimate of the cost of supporting an examination
``seem[ed] to ignore'' costs related to establishing compliance
programs and systems. However, that comment appears to have
misunderstood the scope of that estimate. The CFPB does not consider
the costs of establishing a compliance management system to be part
of the cost of supporting the supervisory activity itself. Rather,
the CFPB considers the costs of establishing or improving a
compliance management system, if they are incurred, as either borne
in anticipation of its supervisory activity (discussed above) or in
response to findings of its supervisory activity (the second
category of costs, discussed below). In any event, the Final Rule
itself does not impose any requirements related to the establishment
of a compliance management system. Firms are expected to have the
systems and policies necessary to ensure they comply with existing,
applicable substantive legal requirements, such as EFTA, its
implementing Regulation E, the privacy provisions of the GLBA, their
implementing Regulation P, and the CFPA's prohibition against
unfair, deceptive, or abusive acts or practices. The CFPB's
Supervision and Examination Manual describes aspects of compliance
management that examiners review, but does not impose requirements;
firms have flexibility in designing those systems and policies.
---------------------------------------------------------------------------
With respect to the first category of cost of supervisory
activities, those activities may involve requests for information or
records, on-site or off-site examinations, or some combination of these
activities. For example, in an on-site examination, CFPB examiners
generally contact the entity for an initial conference with management.
That initial contact often is accompanied by a request for information
or records. Based on the discussion with management and an initial
review of the information received, examiners determine the scope of
the on-site exam. While on-site, examiners spend some time in further
conversation with management about the entity's policies, procedures,
and processes. The examiners also review documents, records, and
accounts to assess the entity's compliance and evaluate the entity's
compliance management system. As with the CFPB's other examinations,
examinations of nonbank larger participants in the market for general-
use digital consumer payment applications may involve issuing
confidential supervisory letters or examination reports and compliance
ratings. The CFPB Supervision and Examination Manual describes the
supervision process and indicates what materials and information an
entity could expect examiners to request and review, both before they
arrive and during their time on-site.
The primary costs an entity would face in connection with
supporting an examination would be the cost of employees' time to
collect and provide the necessary information. The frequency, duration,
and scope of examinations of any particular entity would depend on a
number of factors, including the size and transaction volume of the
entity, the compliance or other risks identified, the extent of State
consumer protection oversight, and other relevant factors, such as
whether the entity has been examined previously, and the demands on the
CFPB's supervisory resources imposed by other entities and markets.
Nevertheless, some rough estimates may provide a sense of the magnitude
of potential staff costs that larger participants may incur in
supporting the examination of their consumer financial products and
services.\402\
---------------------------------------------------------------------------
\402\ In addressing comments in part V above, the Final Rule
notes that the market definition, market-related definitions, and
larger participant test do not depend or rely on the CFPB's position
that the CFPA authorizes supervision and examination of all of the
consumer financial products and services provided by nonbank covered
persons subject to CFPA section 1024(a). This rule does not
determine the extent to which the CFPB would examine other consumer
financial products and services provided by larger participants
besides general-use digital consumer payment applications.
Nonetheless, the CFPB considers that the cost to a larger
participant of supporting a typical eight-week on-site examination
should not vary significantly depending on which consumer financial
products or services are scoped into the examination.
---------------------------------------------------------------------------
The cost of supporting supervisory activity may be calibrated using
prior CFPB experience in supervision. In the proposal, the CFPB
outlined that examinations of larger participants in the market for
general-use digital consumer payment applications would be anticipated
to be approximately eight weeks on average,\403\ with an additional two
weeks of preparation. This estimate assumed that each examination would
require two weeks of preparation time by staff of larger participant
providers of general-use digital consumer payment applications prior to
the examination as well as on-site assistance by staff throughout the
duration of the examination. The CFPB has not suggested that counsel or
any particular staffing level is required during an examination.
However, based on prior estimates, the CFPB assumed in the Proposed
Rule that an entity might dedicate the equivalent of one full-time
compliance officer and one-tenth of the time of a full-time attorney to
assist with an exam. The national average hourly wage of a compliance
officer is $39; the national average hourly wage for an attorney is
$85.\404\ These averages accounted for the likelihood that some
compliance officers and attorneys will earn below or above the national
average. Assuming that wages and salaries account for 70.3 percent of
total compensation for private industry workers, the CFPB estimated in
the proposal that the total employer cost of labor to comply with an
examination would amount to approximately $25,000.\405\
---------------------------------------------------------------------------
\403\ For an estimate of the length of examination, see Board of
Gov. of Fed. Res. System Office of Inspector General, The Bureau Can
Improve Its Risk Assessment Framework for Prioritizing and
Scheduling Examination Activities (Mar. 25, 2019) at 13, at https://oig.federalreserve.gov/reports/bureau-risk-assessment-framework-mar2019.pdf. (last visited Oct. 31, 2023).
\404\ For current U.S. Bureau of Labor Statistics (BLS)
estimates of mean hourly wages of these occupations, see BLS,
Occupational Employment and Wages, May 2023, 13-1041 Compliance
Officers, at https://www.bls.gov/oes/current/oes131041.htm#(1) (last
visited Aug. 15, 2024); BLS, Occupational employment and Wages, May
2023, 23-1011 Lawyers, at https://www.bls.gov/oes/current/oes231011.htm (last visited Aug. 15, 2024).
\405\ See BLS, Employer Costs for Employee Compensation--March
2024 (table 1 for 2024 Q1 estimates of the share of wages and
salaries in total compensation of private sector workers), at
https://www.bls.gov/news.release/pdf/ecec.pdf. (last visited Aug.
15, 2024). This cost is calculated as follows: ((((0.1 x $84.84) +
$38.55)/0.703)) x 40 hours x 10 weeks.
---------------------------------------------------------------------------
[[Page 99647]]
Comments Received
The CFPB received comments on the Proposed Rule advocating for
higher estimates of the entity's cost of supporting supervisory
activity, including on the wage and or salary level used in the
analysis and on the number of employees typically called upon to
support a supervisory exam. For example, two industry associations and
one commenter stated that the types of staff tasked with supervisory
examinations at large technology firms are highly specialized and
compensated at rates that are higher than the national average. Two of
these commenters provided alternative estimates for wages and salaries
based on industry publications or U.S. Bureau of Labor Statistics (BLS)
compensation estimates for firms with 500 workers or more. A commenter
from a non-profit associated with the cryptocurrency industry stated
that companies would devote ``hundreds of thousands of dollars on
support services'' but did not describe the components of these costs
or provide evidence to substantiate this claim. A law firm representing
an interested party likewise criticized the examination cost estimate
of approximately $25,000 as an underestimate and cited a former CFPB
Deputy Director stating that the costs would amount to ``at least ten
times that'' estimate, but did not provide a detailed explanation of
the estimated cost components.
Relatedly, two industry associations stated that companies may hire
consultants and outside counsel to support an examination, in addition
to attorneys, compliance officers and other staff. Another industry
commenter provided a link to an industry study finding that the top 100
U.S. law firms charge clients on average $917 per hour for outside
counsel. Neither commenter elaborated on the frequency or magnitude of
this practice, including the share of firms that would hire outside
counsel or the number of hours they would contract to support company
responses to requests for information from CFPB examiners.
Several industry commenters suggested larger participants would be
likely to dedicate multiple compliance officers and attorneys to the
preparation and support of a supervisory examination. For example, one
company commenter asserted that both the preparation and the support
for an actual examination would require multiple full-time compliance
personnel and attorneys. Two other industry association commenters
asserted that supporting an examination and meeting the CFPB's
expectations for entities' compliance management systems would require
``dozens of employees'' who collaborate across multiple departments in
order to respond to information requests. One industry association
stated that firms not previously supervised may increase staffing due
to the lack of previous experience with CFPB examinations, and also due
to what the commenter stated was antagonistic rhetoric by the CFPB
toward this industry.
The CFPB also received comments regarding the estimated length of a
typical supervisory examination that asserted that the true length
would be longer than two weeks of preparation and eight weeks of
examination engagement. For example, one company stated that it takes a
year to prepare for examinations and two industry association
commenters stated that the full examination process including
responding to follow-up requests spans multiple months and oftentimes
over a year. However, none of these commenters provided a detailed
accounting of specific duties, time estimates, or other evidence to
substantiate these statements. Two further industry association
commenters likewise questioned the two- plus eight-week examination
timeline, indicating they thought a longer period to be more accurate,
although neither provided an alternative length estimate.
One industry association criticized that the CFPB declined to state
the expected frequency of examinations. Several commenters stated that
the cost of supervision could stifle new entry, innovation, competition
and consumer access to the covered products, and that the proposal did
not adequately account for these costs. For example, one commenter from
a non-profit stated that the proposal's coverage of pass-through
wallets could disincentivize offerings such as the tokenization of
payments and credit products offered through wallets. Three additional
commenters from industry associations asserted that the proposed
transaction test of five million covered transactions was so low that
it could lead to barriers to market entry, innovation, competition, and
consumer access to these products. None of the commenters offered
specific estimates or research to help quantify such potential costs,
nor did they make suggestions of how to more adequately evaluate them
qualitatively.
Related to the impact of costs on consumers' access to covered
products, some commenters claimed the proposal inadequately considered
potential pass-through costs to consumers and merchants. For example,
some Members of Congress expressed concern that supervisory costs could
have a negative impact on merchants that use covered products. They
cited an industry study that finds that, of the small and medium-sized
businesses throughout nine global markets, including the United States,
that responded to their survey, 73 percent reported digital payments to
be ``fundamental to their growth.'' \406\ A non-profit and an industry
association representative called for the CFPB to provide evidence that
the Rule will not significantly impact small businesses or consumers.
---------------------------------------------------------------------------
\406\ See VISA, Back to Business Global Study: 2022 Small
Business Outlook, at https://usa.visa.com/dam/VCOM/blogs/visa-back-to-business-study-2022-outlook-jan22.pdf (last visited Aug. 26,
2024). The nine markets include Brazil, Canada, Germany, Hong Kong,
Ireland, Russia, Singapore, UAE and the United States. Percentages
in the study are not necessarily representative of small and medium-
sized businesses in the United States.
---------------------------------------------------------------------------
Some of these same commenters as well as a company commenter
claimed the proposal did not adequately consider the potential for
supervisory costs to be passed through to consumers. For example, the
nonprofit commenter noted that supervisory costs could create barriers
to entry into the market and increase prices to consumers. The company
stated that payment method wallets are free to consumers and that the
Rule's costs could lead to firms charging consumers for the product. An
individual consumer questioned whether the Rule would lead firms to
charge fees for covered products. One industry association suggested
the use of the average dollar amount of transactions to estimate
potential pass-through costs to consumers.
Finally, an industry association commenter suggested that the Rule
could increase the risk of privacy breaches and data leaks by
increasing the number of individuals with access to sensitive, private
information about customers of larger participants.
Response to Comments
The CFPB acknowledges the concerns raised by industry comments
that, in the context of this market, the cost of supervisory activities
may generally be higher than suggested in the Proposed Rule, and the
CFPB is revising certain estimates in the discussion that follows in
response to those comments. As noted above and discussed further below,
the cost of supervisory activities can vary based on a number of
factors, and thus the costs of examination activities may differ among
larger participants within the market defined in this Rule. Those costs
are partly
[[Page 99648]]
within the control of larger participants, some of whom may choose to
devote more resources to responding to supervisory activities than
others (e.g., more staff time or support from outside counsel and
consultants). In addition, as a general matter, the costs of
supervisory activities are likely to be greater where examiners
identify compliance violations or other risks to consumers, which are
more likely to generate follow-up information requests and more
extensive engagement with an entity as the CFPB attempts to correct the
identified violations and address other risks.\407\ These variations
mean that the cost figures provided in this section are necessarily
rough estimates, and that individual larger participants' costs may
diverge from these estimates.
---------------------------------------------------------------------------
\407\ For the same reason, as a general matter, examinations
with more extensive follow-up activities are more likely to provide
benefits to consumers.
---------------------------------------------------------------------------
While none of the commenters provided alternative estimates of
examination costs that included specific salaries combined with
staffing levels and alternative proposals of the average examination
length, the following paragraphs describe how estimates would change
under different salary, staffing and length assumptions. For these
scenarios, the CFPB draws on comments provided on the proposal. In a
first scenario, the alternative estimates below incorporate higher
salary levels that some commenters suggested would be more accurate in
this market. In a second scenario, the CFPB uses these higher salary
estimates in conjunction with higher staffing levels than those
discussed in the proposal. A third scenario introduces an example of
when the combined preparation and examination time would be longer than
the proposed ten weeks. Under this scenario, the CFPB provides
alternative estimates for an examination lasting 12 weeks, under the
assumption of the higher salaries from scenario one as well as under
both the higher salary and higher staffing levels from scenario two.
The CFPB does not have complete information pertaining to wages and
salaries paid by all entities that may be subject to the Rule, and does
not advocate for any particular wage or salary level for staff that
support supervisory activities. However, the CFPB acknowledges that the
cost to larger participants in this market of complying with a
supervisory examination are likely to be higher than that of the
average firm, in part because of where larger participants are located.
For example, the top-paying metropolitan area for both compliance
officers and lawyers is San Jose-Sunnyvale-Santa Clara, California,
where the mean hourly wage for compliance officers is $56 and for
lawyers is $129. Using these wage levels and the staffing assumptions
set forth in the Proposed Rule,\408\ the estimated total employer cost
of labor to comply with an examination would increase to approximately
$39,000.\409\ This estimate is roughly $8,000 higher than the
equivalent employer cost of labor suggested by one industry commenter
on the Proposed Rule.\410\
---------------------------------------------------------------------------
\408\ 88 FR 80197, 80213 (describing assumption of one full-time
compliance officer and one-tenth of the time of a full-time attorney
to assist with the examination for 10 weeks).
\409\ This cost is calculated as follows: ((((0.1 x $129.12) +
$55.83)/0.703)) x 40 hours x 10 weeks. An alternative way to
calculate the costs imposed on entities that pay some of the highest
national wages for compliance officers and attorneys would be to
use, for example, the 90th percentile of wages rather than the mean.
However, the BLS top codes (suppresses) wages above $115/hour for
lawyers such that the official wage estimates above that threshold
would be imprecise. The 90th percentile of national hourly wages for
compliance officers was $59/hour. Using these wage estimates would
yield a total employer cost of labor of approximately $40,000 to
comply with a supervisory exam.
\410\ One industry commenter, citing three industry
publications, asserted that the median rate for a compliance officer
with four-six years of experience is $91,500 and the annual base pay
for the majority of in-house counsel in large cities is ``at least
$200,000.'' Using these numbers, the total employer cost of an
examination would be approximately $31,000 ((0.1 x (($200000 x 10)/
52)) + (91500 x 10/52))/0.703.
---------------------------------------------------------------------------
Based on its review of comments, and in light of the higher
transaction threshold in this Final Rule, the CFPB is providing
additional estimates with respect to staffing the preparation and
support of a supervisory examination in order to account for the fact
that many entities are likely to choose higher staffing levels than
those set forth in the proposal. The estimate of one full-time
compliance officer and one tenth of one attorney took into account that
there could be multiple individuals engaged part-time in an examination
and part-time in other non-examination obligations. Although commenters
did not provide precise or entirely consistent estimates regarding how
larger participants are likely to staff examinations, the CFPB
acknowledges that many larger participants in this market may choose to
staff examinations with more full-time equivalent attorneys, compliance
officers and other staff than is typically the case in previously
supervised larger participant markets. The larger participants in this
market are larger in terms of revenue compared to larger participants
in other established larger participant markets.\411\ For illustrative
purposes, the CFPB has estimated that an entity that pays salaries at
the level of the highest-paying metropolitan area and staffs an
examination with three full-time compliance officers, two full-time
attorneys and one outside counsel that spends 30 hours throughout the
duration of the two-week preparation and eight-week examination period,
would incur costs close to $270,000 per examination.\412\
Alternatively, at this cost, the entity could staff the examination
with more than five in-house staff if some of them work part-time on
the examination and part-time on other duties. For example, some
additional personnel may spend some number of hours on data analysis or
coding or otherwise preparing materials for presentations to the CFPB,
or may attend and provide information at the standard opening and
closing meetings
[[Page 99649]]
for the examination, or other initial meetings where they provide a
brief overview of discrete issues. These meetings typically last only a
few hours. The CFPB does not have detailed information to reliably
quantify the exact amount of time these additional employees would
devote to such supporting activities, but does not expect these limited
engagements to materially affect this estimate.
---------------------------------------------------------------------------
\411\ For example, the 2012 debt collection rule estimated that
168 of the 175 larger participants had annual receipts between $10
million and $250 million, see 77 FR 65775, 65789. Among larger
participants in the market covered by this Rule, average annual
revenue was $208 billion in 2023. Higher revenue may indicate more
complexity, or firms with higher revenue may decide to devote more
resources to a supervisory examination because those costs comprise
a small fraction of their operating budget. While it is reasonable
to expect that larger participants in this market generally would
devote more resources to a supervisory examination compared to many
previous larger participants, the CFPB does not have information
indicating that would necessarily always be the case.
\412\ Without stating a specific number, one individual firm
commented on the Proposed Rule that firms likely would staff
supervisory examinations with multiple full-time compliance officers
and multiple full-time attorneys and another industry association
commenter asserted that firms would hire outside counsel to support
an examination. Two industry trade associations stated that they
expect larger participants to devote ``dozens'' of staff to a
supervisory examination, but did not elaborate on the number of
hours they would work or otherwise provide more specific numbers or
information to substantiate that claim. Based on supervisory
experience in other markets, the CFPB assumes in-house compliance
officers spend more time on examinations than in-house attorneys.
Therefore, in line with the general views of these commenters, the
Bureau has assumed for purposes of its estimate that an entity would
devote three full-time compliance officers, two full-time attorneys,
and one outside counsel. Because outside counsel does not typically
engage directly with examiners during the 10-week examination
process described above, based on supervisory experience in other
markets, the CFPB does not have data on how outside counsel is
typically involved during a standard examination, but acknowledges
that the larger participants in this specific market may seek
outside advice on how to respond to and participate in an
examination. The CFPB assumes the number of hours of outside counsel
support in this scenario could be approximately 20 hours of
preparation and 10 hours of support during the examination and
assumes for illustrative purposes an hourly fee of $917 for outside
counsel, as provided by one commenter. The cost of $270,000 is
calculated as follows: ((((2 x $129.12) + (3 x $55.83))/0.703)) x 40
hours x 10 weeks + (917 x 30).
---------------------------------------------------------------------------
With regard to the company comment that claimed that preparation
for supervisory examinations of nonbanks is generally ``a year-round
affair,'' this commenter did not explain or support this claim. Nor
does it fit with the CFPB's experience since entities generally do not
receive notice a year in advance of a scheduled examination. This
assumption also is not in line with the experience of the CFPB from the
supervision of other larger-participant markets. Supervision typically
involves requiring documents from time to time and conducting
occasional in-depth examinations of a company typically over the 10-
week engagement period described above. For example, the CFPB may
conduct supervisory monitoring activities throughout the year,
including ``contacting the appropriate officer of the institution to
discuss new products or services, events that may impact compliance
management, and any questions raised by information reviewed by the
[CFPB's central point of contact for supervision].'' \413\ However,
these engagements generally are brief and often occur in the form of
one phone call or videoconference. In contrast, during an in-depth
examination of a company, CFPB examiners may ask to see a company's
existing compliance policies and procedures, otherwise review a
company's records and operations including for selected customer
accounts, conduct interviews with personnel, and assess how the company
complies with applicable Federal consumer financial laws. The scope of
an examination will depend on, among other factors, the size and
complexity of the firm.
---------------------------------------------------------------------------
\413\ See CFPB Supervision and Examination Manual, part I.A
(page 13 of Overview section).
---------------------------------------------------------------------------
With respect to comments regarding post-examination costs, the CFPB
acknowledges that entities may face such costs. While the estimated
cost for a larger participant in this market to support a supervisory
examination described above assumes two weeks of preparation and eight
weeks of engagement with the CFPB, some examinations may result in a
Potential Action and Request for Response (PARR) letter, which provides
a supervised entity with notice of preliminary findings of conduct that
may violate Federal consumer financial laws and advises the entity that
the Bureau is considering taking supervisory action against the
entity.\414\ In such an event, the CFPB estimates an additional two
weeks of staff time necessary to respond to the PARR. In this third
scenario of potentially higher examination costs, an additional two
weeks would result in the cost of an examination increasing by
approximately $8,000, to approximately $47,000, using the average wages
of the top-paying metropolitan area, assuming staffing at the level set
forth in the Proposed Rule. Under the higher salary and staffing
assumptions described above, including three full-time compliance
officers, two full-time attorneys and one outside counsel contracted
for 80 additional hours of work on a PARR, an additional two weeks
would increase the examination cost by approximately $122,000, to
approximately $392,000.\415\
---------------------------------------------------------------------------
\414\ See CFPB, Request for Information Regarding the Bureau's
Supervision Program, 83 FR 7166, 7168 (Feb. 20, 2018).
\415\ This scenario assumes that outside counsel become more
intensively involved in the event of a PARR and devoted 80 hours to
support the larger participant in responding to the PARR, in the
event that the larger participant chose to engage outside counsel
for $917 hourly. Examination costs of approximately $47,000 and
$392,000 in scenarios with a PARR are calculated as (((0.1 x
$129.12) + $55.83)/0.703) x 40 hours x 12 weeks and as (((2 x
129.12) + (3 x 55.83))/0.703) x 40 hours x 12 weeks + (917 x 110),
respectively.
---------------------------------------------------------------------------
As stated in the proposal, the overall costs of supervision in the
market for general-use digital consumer payment applications would
depend on the frequency and extent of CFPB examinations and other
supervisory activity. Neither the CFPA nor the Final Rule specifies a
particular level or frequency of examinations.\416\ The frequency of
examinations would depend on a number of factors, including the larger
participants' size and volume of transactions; the CFPB's understanding
of the conduct of market participants and the specific risks they pose
to consumers; the extent of existing State consumer protection
oversight; and other relevant factors, including the responses of
larger participants to prior examinations and the demands that other
markets make on the CFPB's supervisory resources. These factors can be
expected to change over time, and the CFPB's understanding of these
factors may change as it gathers more information about the market
through its supervision and by other means. The CFPB therefore declines
to predict, at this point, precisely how many examinations in the
market for general-use digital consumer payment applications it would
undertake in a given year.
---------------------------------------------------------------------------
\416\ The CFPB declines to predict at this time precisely how
many examinations it will undertake at each larger participant of
general-use digital consumer payment applications. Based on its
experience in examining larger participants in other markets, it
does not expect to conduct an examination of each larger participant
in this market each year. If the CFPB were to examine each entity
estimated to be a larger participant of the market for general-use
consumer digital payment applications once every two years, the
expected annual labor cost of supervision per larger participant
under the higher salary, staffing and examination length assumptions
would be approximately $196,000 (the cost of one examination,
divided by two), depending on the staffing and remuneration
decisions of the larger participant as well as on whether the
examination is followed up with a PARR.
---------------------------------------------------------------------------
However, the CFPB notes that it is unlikely that all seven
potential larger participants would undergo supervisory examinations in
the same year. The frequency with which entities undergo supervision
will determine the industry-wide costs. If each of the seven larger
participants underwent examination every other year, the estimated
annual direct cost of supervision would be around $137,000 industry-
wide using average wages of the top-paying metropolitan area and the
examination length and staffing levels set forth in the proposal. Even
at the highest range of estimates, where each entity devoted three
full-time compliance officers, two full-time attorneys, and contracted
110 hours of outside counsel with one of the largest 100 U.S. law
firms, and all received a PARR, and half of the larger participants
undergo supervision in any given year, the industry-wide estimated cost
using the highest-paying metropolitan area wages would be approximately
$1.4 million, or $392,000 x 3.5.
With respect to the consideration of pass-through costs to
consumers and merchants, the CFPB disagrees that it did not consider
such potential impacts. The CFPB recognizes that many merchants provide
website pay buttons that link to general-use digital consumer payment
applications provided by unaffiliated third parties and that small
businesses in particular may rely on those consumer financial products
and services for growth. However, the CFPB expects the costs of
supervisory examinations to not exceed $1.4 million industry-wide
annually even if half of the larger participants were to undergo an
extended supervisory examination every year, which is unlikely.\417\ As
[[Page 99650]]
stated in the proposal, the CFPB cannot foresee how larger participants
may respond to the cost of supervision. One possibility is that larger
participants absorb the entire cost of supervision. Another possibility
is that they pass through the entire cost of supervision, or some
fraction of the cost of supervision, to merchants and consumers. The
extent to which larger participants would pass through their costs of
supervision to merchants (for products that support payments for
purchases) or consumers (for products that support purchases and/or
payments to other consumers) will be limited by competitive forces in
the market. For example, if one larger participant increases its fees
for services, merchants or consumers may switch providers. This
potential response to increased prices and competition for merchants'
and consumers' business could prevent a full pass-through of costs.
Moreover, the highest estimate of examination costs described in the
scenarios above amounts to approximately $392,000 per larger
participant, or 0.0002 percent of the average revenue (approx. $208
billion) of the estimated seven larger participants.\418\ Because the
examination support costs are a small fraction of the total revenue of
larger participants, the CFPB believes it is less likely that these
costs would cause firms to substantially change their business models.
---------------------------------------------------------------------------
\417\ As discussed in the section-by-section analysis in part V,
the estimates in this Rule do not reflect supervisory conclusions
that particular entities are larger participants; once the Final
Rule takes effect, the CFPB will make those assessments and will
prioritize conducting supervisory activity at specific larger
participants in this market based on risk as described in the
Supervision and Examination Manual, consistent with CFPA section
1024(b)(2). Therefore, the CFPB cannot predict in this Final Rule
how many examinations or other types of supervisory events it will
conduct at larger participants of this market in a given year.
However, based on its experience with prioritization of supervisory
activity at larger participants in five other markets, the CFPB
believes it is unlikely that it would conduct eight-week on-site
examinations of most or even many larger participants in a single
year.
\418\ Using revenue information from annual report filings with
the U.S. Securities and Exchange Commission described above, the
CFPB estimates the average total annual revenue of larger
participants to be approximately $208 billion in 2023. As an
alternative comparison, and in response to one industry commenter,
this cost comprises approximately 0.0003 percent of larger
participants' average annual total transaction value in 2021-2023.
This number is likely higher in 2024, as the majority of data points
for transaction values stem from 2021 and the market continued to
expand during this period. In any event, the CFPB views this number
as small.
---------------------------------------------------------------------------
Even in the event that larger participants pass through the entire
cost of the higher end of the CFPB examination support cost estimates
to merchants that use these products, the cost per merchant likely
would be very small. One industry study estimates that there were 13.7
million online stores in 2024.\419\ If 59 percent of merchants use buy
buttons, as indicated by one industry report,\420\ then roughly 8.1
million online merchants use these products. The CFPB estimates that
seven larger participants are responsible for approximately 98 percent
of transactions in the market. Therefore, even if larger participants
that underwent an examination were to pass through 100 percent of $1.4
million in estimated annual examination costs (under the higher
estimate) to approximately eight million merchants, the amount per
merchant would likely be low. Measured against the $1.1 trillion in
online retail sales in 2023, the Bureau views this cost to be
negligible and not large enough to discourage entry, innovation or
growth among merchants that use or would like to use these
products.\421\ Likewise, the CFPB views the cost relative to the gains
from doing business in this market as too low to disincentivize
offering credit products through wallets, in particular as a lender's
own app-based lending activity can be excluded by paragraph (D) of the
definition of ``consumer payment transaction'' as discussed in part V
of the rule. With respect to the statement by one commenter that the
cost of the Rule could disincentivize investments in the tokenization
of payments, as discussed in part V above, the commenter did not
commenter did not explain why larger participants would seek to offset
the costs of CFPB examination by reducing investment specifically in
anti-fraud protections or provide evidence to support its view, and the
CPFB notes that the Rule also could incentivize investments.
---------------------------------------------------------------------------
\419\ See Capital One, Total Number of Online Stores (July 24,
2024), at https://capitaloneshopping.com/research/number-of-online-stores/ (last visited Aug. 26, 2024).
\420\ See PYMNTS, 6 in 10 Subscription Merchants Drive
Conversion with `Buy Buttons,' at https://www.pymnts.com/subscriptions/2023/60percent-subscription-merchants-drive-conversion-with-buy-buttons/ (last visited Aug. 26, 2024).
\421\ For e-commerce retail sales, see the Federal Reserve Bank
of St. Louis, E-Commerce Retail Sales, at https://fred.stlouisfed.org/series/ECOMSA (last visited Aug. 26, 2024).
---------------------------------------------------------------------------
As explained above, the CFPB also does not expect larger
participants to pass through the full cost of supervisory examinations
to consumers directly. However, even if they passed through $1.4
million annually to the millions of consumers who use these products,
the cost per consumer would likely be low.\422\
---------------------------------------------------------------------------
\422\ See U.S. Census Bureau, National Population by
Characteristics: 2020-2023, at https://www.census.gov/data/tables/time-series/demo/popest/2020s-national-detail.html (last visited
Aug. 26, 2024); see, e.g., Pew 2022 Payment App Article, supra.
---------------------------------------------------------------------------
As a result of some examinations, supervised entities may incur
costs associated with addressing the CFPB's supervisory communications
and actions, such as by making changes to its compliance systems or
procedures. As noted above, the CFPB considers these costs as a
separate category of costs from the costs of supporting an exam. Where
appropriate, in exercising its supervisory authority, the CFPB conveys
its findings, conclusions, expectations, and recommendations to a
supervised entity regarding its compliance, and utilizes various forms
of supervisory communications and actions to promote compliance and
address associated risks.\423\ The CFPB's supervisory communications
may specify corrective actions such as changes to practices and
operations, payment of remediation to consumers,\424\ and steps to
prevent such violations from occurring or recurring, including
compliance-management-system improvements. In the CFPB's experience,
when an entity adopts preventive measures in response to those types of
CFPB supervisory communications and actions, the entity's actions
generally will reduce risk of violation of Federal consumer financial
law. As such, these costs may be necessary to maintain compliance with
Federal consumer financial law, as described in the CFPB Supervision
and Examination Manual. In any event, the CFPB is not able to estimate
these costs in advance, as such costs will vary depending on the nature
and scope of the CFPB's supervisory communications and actions and the
entity's response. As discussed above, in many cases CFPB supervision
also may benefit providers under supervision by detecting compliance
problems early, which can reduce costs in the long run.
---------------------------------------------------------------------------
\423\ See, e.g., CFPB Bulletin 2021-01, supra.
\424\ See id.
---------------------------------------------------------------------------
Regarding the risk of privacy breaches, the CFPB agrees with the
commenter that consumer data privacy is important. The CFPB recognizes
that data privacy breaches can impose costs on consumers and firms and
therefore adheres to the Federal requirements to reduce the risk of
data and other privacy breaches. For example, the CFPB complies with
requirements provided in the Presidential Executive Orders, Federal
Information Security Management Act (FISMA), applicable Office of
Management and Budget (OMB) Memoranda, U.S. Department of Homeland
Security (DHS) Cybersecurity
[[Page 99651]]
and Infrastructure Security Agency (CISA) Binding Operational
Directives, as well as National Institute of Standards and Technology
(NIST) Federal Information Processing Standards and Special
Publications, and other applicable guidance. Further, CFPB implements
improvements from annual information security audits of its data
security practices by the Office of Inspector General (OIG), the
Government Accountability Office (GAO) and other auditors, as
recommended. The CFPB believes that these steps mitigate the risk of
privacy breaches.
3. Costs of Assessing Larger-Participant Status
Providers of general-use digital consumer payment applications
might decide to incur costs to assess whether they qualify as larger
participants, to respond to CFPB requests for information to assess
larger participant status under 12 CFR 1090.103(d), or potentially to
dispute their status.\425\ Larger-participant status would depend on
both a nonbank's aggregate annual covered consumer payment transaction
volume and whether the entity is a small business concern based on the
applicable SBA size standard. The CFPB expects that many market
participants already assemble general data related to the number of
transactions that they provide for general-use digital consumer payment
applications. Moreover, many providers are required to report certain
transaction data to State regulators.\426\
---------------------------------------------------------------------------
\425\ A nonbank covered person that is subject to certain orders
may be required to register pursuant to the CFPB's nonbank
registration regulation, 12 CFR part 1092. If such a registered
entity is not already supervised by the CFPB under section 1024(a),
and it participates in this market, then it may need to assess its
larger participant status to determine whether it must comply with
certain additional requirements under that rule that may apply to
persons supervised under CFPA section 1024(a), including larger
participants. See also response to general comments on promoting
compliance with Federal consumer financial law, supra.
\426\ As noted above, the States have been active in regulation
of money transmission by money services businesses. For example, 49
States and the District of Columbia requiring entities to obtain a
license to engage in money transmission, as defined by applicable
law. Further, many States also actively examine money transmitters,
including certain products and services they provide through
general-use digital consumer payment applications. See, e.g., CSBS
Reengineering Nonbank Supervision MSB Chapter at 4 (discussing how
providers of digital wallets hold and transmit monetary value).
---------------------------------------------------------------------------
To the extent that some providers of general-use digital consumer
payment applications do not already know whether their transactions
exceed the threshold, such nonbanks might, in response to the Final
Rule, develop new systems to count their transactions in accordance
with the proposed market-related definitions of ``consumer payment
transactions,'' ``covered payment functionality,'' ``general use,'' and
``digital application'' discussed above. The data that the CFPB had at
the time of the Proposed Rule did not support a detailed estimate of
how many providers of general-use digital consumer payment applications
would engage in such development or how much they would spend, and
commenters did not provide this information. Commenters also did not
provide any estimates or data to support estimates. Regardless,
providers of general-use digital consumer payment applications would be
unlikely to spend significantly more on specialized systems to count
transactions than it would cost to be supervised by the CFPB as larger
participants.
The CFPB notes that larger-participant status also depends on
whether an entity is subject to the proposed small business exclusion.
In certain circumstances, larger-participant status may depend on
determinations of which SBA size standard applies, and by extension,
which NAICS code is most applicable. Therefore, providers of general-
use digital consumer payment applications may choose to incur some
administrative costs to evaluate whether the small business exclusion
applies. However, providers would not need to engage in this evaluation
if they could establish that their annual covered consumer payment
transaction volume was below 50 million.
It bears emphasizing that even if a nonbank market participant's
expenditures on a new transaction counting system enabled it to
successfully prove that it was not a larger participant (which, again,
it would not need to do if it was a small business concern according to
SBA standards), it would not necessarily follow that this entity could
not be supervised under other supervisory authorities the CFPB has that
this rulemaking does not establish. For example, the CFPB can supervise
a nonbank entity whose conduct the CFPB determines, pursuant to CFPA
section 1024(a)(1)(C) and regulations implementing that provision,
poses risks to consumers.\427\ Thus, a nonbank entity choosing to spend
significant amounts on a transaction counting system directed toward
the larger-participant transaction volume test could not be sure it
would not be subject to CFPB supervision notwithstanding those
expenses. The CFPB therefore believes very few if any nonbank entities
would be likely to undertake such expenditures.
---------------------------------------------------------------------------
\427\ See 12 U.S.C. 5514(a)(1)(C); 12 CFR part 1091.
---------------------------------------------------------------------------
Commenters on the Proposed Rule stated that providers of digital
applications to make payments using cryptocurrency-assets may need to
change their product design to capture data that would allow them to
identify consumer payment transactions that would determine larger
participant status under the Proposed Rule. However, because the Final
Rule adopts a larger participant test based on the transfer of funds in
consumer payment transactions denominated in U.S. dollars, those
providers would not face the potential for those types of impacts.
An industry association commented that the ambiguity of the
proposal could cause firms to incur costs when assessing their larger
participant status. The significantly higher threshold test of 50
million annual transactions adopted in the Final Rule should
substantially diminish the level of uncertainty compared to the
proposal regarding an entity's larger participant status. Additional
clarifications of the market in the Final Rule, including clarifying
the definition of ``general use'' and limiting the definition of
``annual covered consumer payment transaction volume'' to transactions
denominated in U.S. dollars, should further facilitate the
determination of whether an entity is a larger participant.
E. Potential Specific Impacts of the Final Rule
1. Insured Depository Institutions and Insured Credit Unions With $10
Billion or Less in Total Assets, as Described in Dodd-Frank Act Section
1026
The Rule does not apply to insured depository institutions or
insured credit unions of any size. However, as noted in the section-by-
section analysis of ``digital application'' above, it may apply to
nonbank covered persons to the extent that they provide covered payment
functionalities through a digital application of an insured depository
institution or insured credit union. In addition, it might have some
competition-related impact on insured depository institutions or
insured credit unions that provide general-use digital consumer payment
applications. For example, if the relative price of nonbanks' general-
use digital consumer payment applications were to increase due to
increased costs related to supervision, then insured depository
institutions or insured credit unions of any size might benefit by the
relative change in costs. These effects, if any, would likely be small.
[[Page 99652]]
2. Impact of the Provisions on Consumers in Rural Areas
Because the Rule would apply uniformly to consumer payment
transactions that both rural and non-rural consumers make through
general-use digital consumer payment applications, the Rule should not
have a unique impact on rural consumers. The CFPB is not aware of any
evidence suggesting that rural consumers have been disproportionately
harmed by Federal consumer financial law noncompliance by providers of
general-use digital consumer payment applications.
Comments Received
The CFPB sought information from commenters related to how digital
consumer payments affect rural consumers. A nonprofit associated with
decentralized finance commented that rural communities in particular
may benefit from digital payment technologies due to limited access to
brick-and-mortar financial services and suggested that costs imposed by
this Rule could limit rural communities' access to such technology.
That commenter did not offer research to substantiate this assertion.
In contrast, a nonprofit commented that 94 percent of their member
webinar participants did not believe that digital consumer payments
impacted rural consumers differentially. Several State attorneys
general advocated for increased oversight in this market in part
because they believe it would benefit in particular some consumers who
rely on applications covered by this Rule and who do not use
traditional banks and their bank-provided digital consumer payment
applications.
Response to Comments
The CFPB believes that both rural and non-rural consumers may
benefit from general-use digital consumer payment applications as
defined in the Final Rule. As discussed further above, the Bureau does
not expect the costs imposed by this Rule to be high enough to impact
the availability of this technology to consumers irrespective of
whether they reside in rural or non-rural areas. Moreover, the Final
Rule does not cover transactions in cryptocurrencies or stablecoins.
VIII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA), as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996, requires each
agency to consider the potential impact of its regulations on small
entities, including small businesses, small governmental units, and
small not-for-profit organizations.\428\ The RFA defines a ``small
business'' as a business that meets the size standard developed by the
SBA pursuant to the Small Business Act.\429\
---------------------------------------------------------------------------
\428\ 5 U.S.C. 601 et seq. The term `` `small organization'
means any not-for-profit enterprise which is independently owned and
operated and is not dominant in its field, unless an agency
establishes [an alternative definition after notice and comment].''
5 U.S.C. 601(4). The term `` `small governmental jurisdiction' means
governments of cities, counties, towns, townships, villages, school
districts, or special districts, with a population of less than
fifty thousand, unless an agency establishes [an alternative
definition after notice and comment].'' 5 U.S.C. 601(5). The CFPB is
not aware of any small governmental units or small not-for-profit
organizations to which the Proposed Rule would apply.
\429\ 5 U.S.C. 601(3). The CFPB may establish an alternative
definition after consultation with SBA and an opportunity for public
comment. As mentioned above, the SBA defines size standards using
NAICS codes that align with an entity's primary line of business.
The CFPB believes that many--but not all--entities in the proposed
market for general-use digital consumer payment applications are
primarily engaged in financial services industries. See, e.g., SBA,
Table of Small Business Size Standards Matched to North American
Industry Classification System Codes (eff. Mar. 17, 2023), sector 52
(Finance and Insurance), at https://www.sba.gov/document/support--table-size-standards (last visited Oct. 26, 2023).
---------------------------------------------------------------------------
The RFA generally requires an agency to conduct an initial
regulatory flexibility analysis (IRFA) of any Proposed Rule subject to
notice-and-comment rulemaking requirements, unless the agency certifies
that the Proposed Rule would not have a significant economic impact on
a substantial number of small entities.\430\ The CFPB also is subject
to certain additional procedures under the RFA involving the convening
of a panel to consult with small entity representatives prior to
proposing a rule for which an IRFA is required.\431\
---------------------------------------------------------------------------
\430\ 5 U.S.C. 605(b).
\431\ 5 U.S.C. 609.
---------------------------------------------------------------------------
In the Proposed Rule, the undersigned certified that the proposal
would not have a significant impact on a substantial number of small
entities (SISNOSE) and that an IRFA was therefore not required.
Comments Received
The CFPB received comments from several industry associations and
some Members of Congress suggesting that the RFA should include
potential indirect effects on small merchants that allow consumers to
use general-use digital consumer payment applications. Another industry
association expressed support for the small business exclusion in the
proposal, but objected to certification that the Rule would not result
in a significant impact on a substantial number of small entities
without providing a more comprehensive analysis of entities that would
not qualify as larger participants due to the small business exclusion
alone.\432\
---------------------------------------------------------------------------
\432\ It added that in its view, notwithstanding the assessment
in the Proposed Rule that it would not have a significant impact on
a substantial number of small entities, the Small Business
Regulatory Enforcement Fairness Act (SBREFA) review process still
provides an informative tool to consider these types of issues. For
the reasons discussed in part VII and this part VIII, the CFPB does
not believe that discretionary application of the SBREFA review
process is warranted here.
---------------------------------------------------------------------------
Response to Comments
The Bureau notes that, in line with statutory requirements, the RFA
analysis analyzes the potential impacts on small entities to which the
Rule applies. Therefore, the CFPB declines the request by some
commenters that the analysis of potential indirect effects be
incorporated into the RFA analysis. However, the CFPB considered these
potential impacts of pass-through costs on merchants that may be small
business concerns in the cost-benefit analysis, as described in the
1022(b) analysis above.
Compared to the proposal, the Final Rule adopts in paragraph (b)(3)
a significantly higher threshold of 50 million annual consumer payment
transactions denominated in U.S. dollars. At this threshold, no entity
for which the CFPB has complete transaction information indicating
transaction volumes of at least 50 million annually would be excluded
from larger participant status based on the small business concern
exclusion.\433\
---------------------------------------------------------------------------
\433\ See section-by-section analysis of threshold adopted in
final rule, supra. The CFPB has complete transaction information for
roughly two-thirds of known market participants.
---------------------------------------------------------------------------
The Final Rule defines a class of providers of general-use digital
consumer payment applications as larger participants of a market for
general-use digital consumer payment applications and thereby
authorizes the CFPB to undertake supervisory activities with respect to
those nonbank covered persons. The Rule establishes a two-pronged test
for determining larger-participant status. First, the Rule adopts a
threshold for larger-participant status of at least 50 million in
annual covered consumer payment transactions denominated in U.S.
dollars in the previous calendar year. Second, the larger-participant
test incorporates a small entity exclusion. As a result, larger-
participant status only applies to a nonbank covered person that,
together with its affiliated companies, both meets the 50 million
transaction threshold and
[[Page 99653]]
is not a small business concern based on the applicable SBA size
standard. Because of that exclusion, the number of directly affected
small business entities participating in the market that would
experience a significant economic impact due to the Rule is, by
definition, zero.\434\
---------------------------------------------------------------------------
\434\ In addition, the CFPB is not aware of any nonprofit
entities that would be larger participants under the Final Rule.
---------------------------------------------------------------------------
Finally, CFPA section 1024(e) authorizes the CFPB to supervise
service providers to nonbank covered persons encompassed by CFPA
section 1024(a)(1), which includes larger participants.\435\ Because
the Rule does not address service providers, effects on service
providers need not be discussed for purposes of this RFA analysis. Even
if such effects were relevant, based on the frequency with which the
CFPB typically examines service providers of nonbank larger
participants, the CFPB believes that it would be very unlikely that any
supervisory activities with respect to the service providers to the
approximately seven larger participants of the nonbank market for
general-use digital consumer payment applications would result in a
significant economic impact on a substantial number of small
entities.\436\
---------------------------------------------------------------------------
\435\ 12 U.S.C. 5514(e); 12 U.S.C. 5514(a)(1).
\436\ Particularly in light of complexity in the applicable
market, including how larger participants generally serve a variety
of consumer populations across many States and facilitate very
substantial volumes of consumer payment transactions for multiple
types of recipients using multiple different payment methods, these
firms typically would rely upon numerous service providers. However,
as explained in its prior larger participant rules and as noted
above with respect to the larger participants themselves, the
frequency and duration of examinations that would be conducted at
any particular service provider would depend on a variety of
factors. Based on its experience conducting service provider
examinations, the CFPB concludes that it is implausible that in any
given year a substantial number of service providers that are small
business concerns are subject to CFPB examinations. In any event,
the impact of any supervisory activities at any small firm service
providers can be expected to be less than at the larger participants
themselves given the CFPB's exercise of discretion in supervision.
---------------------------------------------------------------------------
The Final Rule adopts the Proposed Rule, with some modifications
that do not lead to a different conclusion. Therefore, a final
regulatory flexibility analysis is not required.
IX. Paperwork Reduction Act
The CFPB has determined that the Final Rule does not impose any new
recordkeeping, reporting, or disclosure requirements that would
constitute collections of information requiring approval under the
Paperwork Reduction Act, 44 U.S.C. 3501, et seq.
X. Congressional Review Act
Pursuant to the Congressional Review Act,\437\ the CFPB will submit
a report containing this rule and other required information to the
U.S. Senate, the U.S. House of Representatives, and the Comptroller
General of the United States prior to the rule taking effect. The
Office of Information and Regulatory Affairs has designated this rule
as not a ``major rule'' as defined by 5 U.S.C. 804(2).
---------------------------------------------------------------------------
\437\ 5 U.S.C. 801 et seq.
---------------------------------------------------------------------------
List of Subjects in 12 CFR Part 1090
Consumer protection, Credit.
Authority and Issuance
For the reasons set forth in the preamble, the CFPB amends 12 CFR
part 1090 as set forth below:
PART 1090--DEFINING LARGER PARTICIPANTS OF CERTAIN CONSUMER
FINANCIAL PRODUCT AND SERVICE MARKETS
0
1. The authority citation for part 1090 continues to read as follows:
Authority: 12 U.S.C. 5514(a)(1)(B); 12 U.S.C. 5514(a)(2); 12
U.S.C. 5514(b)(7)(A); and 12 U.S.C. 5512(b)(1).
0
2. Add Sec. 1090.109 to subpart B to read as follows:
Sec. 1090.109 General-use digital consumer payment applications
market.
(a)(1) Market definition. Providing a general-use digital consumer
payment application means providing a covered payment functionality
through a digital payment application for consumers' general use in
making consumer payment transaction(s) as defined in this subpart.
(2) Market-related definitions. As used in this section:
(i) Consumer payment transaction(s) means, except for transactions
excluded under paragraphs (a)(2)(i)(A) through (D) of this section, the
transfer of funds by or on behalf of a consumer who resides in a State
to another person primarily for personal, family, or household
purposes. The term applies to transfers of consumer funds and transfers
made by extending consumer credit, except for the following
transactions:
(A) An international money transfer as defined in Sec.
1090.107(a);
(B) A transfer of funds by a consumer:
(1) That is linked to the consumer's receipt of a different form of
funds, such as a transaction for foreign exchange as defined in 12
U.S.C. 5481(16); or
(2) That is excluded from the definition of ``electronic fund
transfer'' under Sec. 1005.3(c)(4) of this chapter;
(C) A payment transaction conducted by a person for the sale or
lease of goods or services that a consumer selected from that person or
its affiliated company's online or physical store or marketplace, or
for a donation to a fundraiser that a consumer selected from that
person or its affiliated company's platform; and
(D) An extension of consumer credit initiated through a digital
application that is provided by a person who is extending, brokering,
acquiring, or purchasing the credit or that person's affiliated
company.
(ii) Covered payment functionality means a funds transfer
functionality as defined in paragraph (a)(2)(ii)(A) of this section, a
wallet functionality as defined in paragraph (a)(2)(ii)(B) of this
section, or both.
(A) Funds transfer functionality means, in connection with a
consumer payment transaction:
(1) Receiving funds from a consumer for the purpose of transmitting
them; or
(2) Accepting from a consumer and transmitting payment
instructions.
(B) Payment wallet functionality means a product or service that:
(1) Stores for a consumer account or payment credentials, including
in encrypted or tokenized form; and
(2) Transmits, routes, or otherwise processes such stored account
or payment credentials to facilitate a consumer payment transaction.
(iii) Digital payment application, for purposes of this subpart,
means a software program a consumer may access through a personal
computing device, including but not limited to a mobile phone, smart
watch, tablet, laptop computer, or desktop computer. Examples of
digital payment applications covered by this definition include an
application a consumer downloads to a personal computing device, a
website a consumer accesses by using an internet browser on a personal
computing device, or a program the consumer activates from a personal
computing device using a personal identifier such as a passkey,
password, PIN, or consumer's biometric identifier, such as a
fingerprint, palmprint, face, eyes, or voice. Operating a web browser
is not an example of providing a digital payment application.
(iv) General use, for purposes of this subpart, means usable for a
consumer to transfer funds in a consumer payment transaction to
multiple, unaffiliated persons, subject to an exception for a payment
functionality provided through
[[Page 99654]]
a digital consumer payment application solely for the following:
(A) Using accounts described in Sec. 1005.2(b)(3)(ii)(A), (C) or
(D) of this chapter; or
(B) To pay a specific debt or type of debt including:
(1) Debts owed in connection with origination or repayment of an
extension of consumer credit; or
(2) Debts in default.
(v) State means any State, territory, or possession of the United
States; the District of Columbia; the Commonwealth of Puerto Rico; or
any political subdivision thereof.
(b) Test to define larger participants. A nonbank covered person is
a larger participant of the general-use digital consumer payment
applications market if the nonbank covered person met both of the
following criteria during the preceding calendar year:
(1) It provided annual covered consumer payment transaction volume
as defined in paragraph (b)(3) of this section of at least 50 million
consumer payment transactions; and
(2) It was not a ``small business concern'' as that term is defined
by section 3(a) of the Small Business Act, 15 U.S.C. 632(a) and
implemented by the Small Business Administration under 13 CFR part 121,
or any successor provisions.
(3) Annual covered consumer payment transaction volume means the
sum of the number of consumer payment transactions denominated in U.S.
dollars that the nonbank covered person and its affiliated companies
facilitated in the preceding calendar year by providing general-use
digital consumer payment applications.
(i) Method of aggregating the annual covered consumer payment
transaction volume of affiliated companies. The annual covered consumer
payment transaction volume of each affiliated company of a nonbank
covered person is first calculated separately, treating the affiliated
company as if it were an independent nonbank covered person for
purposes of the calculation. The annual covered consumer payment
transaction volume of a nonbank covered person then must be aggregated
with the separately-calculated annual covered consumer payment
transaction volume of each person that was an affiliated company of the
nonbank covered person at any time in the preceding calendar year.
However, if any two or more of these companies facilitated a single
consumer payment transaction denominated in U.S. dollars, that consumer
payment transaction shall only be counted one time in the aggregated
annual covered consumer payment volume calculation. The annual covered
consumer payment transaction volumes of the nonbank covered person and
its affiliated companies are aggregated for the entire preceding
calendar year, even if the affiliation did not exist for the entire
calendar year.
Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2024-27836 Filed 12-9-24; 8:45 am]
BILLING CODE 4810-AM-P