In this special joint episode of Payments Pros and The Consumer Finance Podcast, Carlin McCrory, Keith Barnett, James Kim, and Chris Willis discuss the Consumer Financial Protection Bureau's (CFPB) proposed larger participant rule for consumer payments providers.
In this special joint episode of Payments Pros and The Consumer Finance Podcast, Carlin McCrory, Keith Barnett, James Kim, and Chris Willis discuss the Consumer Financial Protection Bureau's (CFPB) proposed larger participant rule for consumer payments providers.
The rule is designed to supervise general use digital consumer payment applications, defining a market for these applications and subjecting participants to CFPB supervision and examination under the Consumer Financial Protection Act. Proposed on November 7, the rule targets nonbanks that provide general use digital consumer payment applications with an annual volume of at least 5 million consumer payment transactions. The CFPB plans to aggregate transactions among affiliated companies, and any nonbank covered person will be considered a larger participant for two years from the first day of the tax year in which they last met the larger participant test.
The group also discusses the implications of the rule, including the potential for increased enforcement activity and the broad scope of the rule. The rule is expected to be finalized and become effective around fall 2024, with examinations likely to begin in early 2025.
The Consumer Finance Podcast and Payments Pros – The Payments Law Podcast Crossover Episode:
The Future of Digital Consumer Payment Applications: CFPB's Proposed Larger Participant Rule
Speakers: Keith Barnett, Chris Willis, James Kim, Carlin McCrory
Carlin McCrory:
Welcome to the special joint episode of Payments Pros and The Consumer Finance Podcast. These are Troutman Pepper podcasts, but specifically the Payments Pros podcast focuses on the highly regulated and ever-evolving payment processing industry. We are thrilled to join with Chris Willis, who hosts The Consumer Finance Podcast. Thanks for joining us, Chris.
Chris Willis:
Thanks, Carlin. I love collaborating with you and I'm really excited to do this joint episode.
Carlin McCrory:
Me Too. So this podcast generally features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments' industry. I'm Carlin McCrory, one of the hosts of the podcast. But before we jump into today's episode, let me remind you to visit and subscribe to our blog, consumerfinancialserviceslawmonitor.com. And don't forget to check out our other podcasts on troutman.com/podcast. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services and more. Make sure to subscribe to hear the latest episodes. Today I am joined by my colleagues Keith Barnett, James Kim, and Chris Willis to discuss the CFPBs proposed larger participants and payments rule to supervise general use digital consumer payment applications. The proposed rule defines a market for general use digital consumer payment applications and would subject participants in the market to CFPBs supervision and examination and authority under the Consumer Financial Protection Act. I appreciate all of you joining me today, but we'll start it off with Keith to give a broad overview of the rule.
Keith Barnett:
Sure, thanks Carlin. And also by way of more background, the CFPB issued the proposed rule on November 7th, 2023. It was published in the Federal Register on November 17th, 2023, and the comment period closes on January 8th, 2024. Like Carlin said, I'm going to try to give a broad overview. First, who will be the larger participant under the proposed rule? The CFPB has said that non-banks that provide general use digital consumer payment applications with an annual volume of at least 5 million consumer payment transactions in the proceeding calendar year by or on behalf of a consumer physically located in a state must be in the US state to another person primarily for personal, family or household purposes. That's it in a nutshell. It's also important to bring up the fact that with respect to that 5 million transaction threshold, the CFPB plans to count whatever the company is and any of their affiliated companies.
So in other words, you can't have 4,999,000 transactions with one company and then 4,999,000 transactions with another company and get out of supervision. The CFPB will aggregate the transactions amongst affiliated companies. The other thing that the CFPB has said is how long the company will be a larger participant. And the bureau has said that any non-bank covered person will be a larger participant for two years from the first day of the tax year in which the person last met the larger participant test. The CFPB does provide a mechanism through which a party can provide documentary evidence or written arguments in support of its claim that it's not a larger participant, but just know that it's the two-year minimum. As of now, the bureau believes that there are 17 entities and they say that's about 9% of all non-bank covered persons in the market who will fall within this larger participant category.
With respect to drilling down on the particulars of the rule, we're going to discuss pretty quickly, or at least hopefully quickly, but enough for you all to understand what are the consumer payment transactions that are subject to the larger participant rule? As I mentioned earlier, a consumer payment transaction is the transfer of funds by or on behalf of a consumer physically located in a state to another person primarily for personal, family or household purposes. Although the term funds is not defined anywhere in the Consumer Financial Protection Act, the CFPB has also stated that the term funds includes digital assets that have a monetary value and are readily usable for financial purposes. So in other words, the CFPB is including digital currencies, cryptocurrencies within its definition of funds even though it's not defined elsewhere. Another important note is that the payment must be through a digital application.
According to the CFPBs current definition, a digital application is a software program accessible to a consumer through a personal computer or a mobile phone, smartwatch, desktop computer, anything like that. A digital application is not a gateway terminal merchants use to obtain a consumer's personal card information. So if you were to go somewhere, swipe your credit card or present your credit or debit card, that is not a digital application. It is a software program accessible on your phone or computer. As I said earlier, the payments must be for general use. That phrase is actually pretty broad and more broad than what we're used to in the payments world. So Carlin, do you want to speak to the general use definition?
Carlin McCrory:
When I first read the rule, the term general use struck me as extremely broad and the term is defined as the absence of any significant limitations on the purpose of consumer payment transactions. The CFPB gives a little bit of background on what it thinks is and is not general use. In my personal opinion, it still remains quite unclear as to what would be considered general use. To start this off the CFPB notes that a P2P application that permits a consumer to send funds to any family member, friend, or other person would qualify as general use. Even if that P2P application can't be used as a payment method at checkout with merchants, retailers, or other sellers of goods or services. A P2P application also would have general use for purposes of the proposed rule, even if it can only transfer funds to recipients who also register with that application provider or otherwise have to participate in a certain network.
What the CFPB is referring to here is a closed loop P2P system that many of you are already aware of. Although the network of potential recipients in a closed loop system can be limited, they say that often any potential recipient may have the option of joining the system and many consumers have already joined these types of systems. Ultimately, the universe of potential recipients for these types of payments is often broad, is what the CFPB says. A digital consumer payment application still could have general use even when the universe of potential recipients for a fund's transfer is fixed. In this respect, the CFPB specifically calls out when a consumer can only make a transfer of funds to friends or family located in prison. Jail or another secure facility. They still determine that that's a general use program. So then what's not general use under the rule?
The first example of a payment functionality that would not have general use under the proposed definition would be a digital consumer payment application whose payment functionality is used solely to purchase or lease a specific type of services, goods or property such as transportation, lodging, food and automobile, a dwelling or real property or consumer financial products or services. Specifically, the example given in this context by the CFPB is providing payment card information to a credit monitoring app to pay for credit monitoring services. Again, I think this is really broad and still needs additional interpretation here as the limitations and restrictions seem to remain a little bit unclear. Another thing that is excluded from the definition of general use is a prepaid account as that term is used in certain sections within Reggie and those provisions in Reggie exclude certain tax advantaged, health, medical spending accounts, dependent care spending accounts, and other types of closed loop accounts for spending at certain military facilities and many types of gift certificates and gift cards.
Next, a payment functionality provided through a digital consumer payment application that solely supports payments to pay a specific debt or type of debt or repayment of an extension of consumer credit is considered not to have general use under the rule. And lastly, the final exclusion that the CFPB mentions is a payment functionality provided through a digital app that solely helps consumers to divide up charges and payments for specific types of goods or services. And in this instance, the CFPB references a type of app that would split a dinner payment between friends. Again, general use is broad, as I've said several times now. It'll be interesting to see moving forward the commentary on the rule and how this shakes out. I do want to have Chris Willis talk a little bit about enforcement of the rule, examination and the implications if and when the rule goes into effect.
Chris Willis:
Sure, thanks a lot. Carlin. Stepping back and talking about the significance of this rule is just something that I think the industry really needs to hear because being subject to CFPB supervision is an enormous sea change for an industry. We've seen that play out over the course of the history of the CFPB as they have taken successive industries under supervision through previous larger participant rules. Industries like consumer reporting and international money transfers, debt collection, auto finance and student loan servicing. By way of background, the CFPB has two kinds of jurisdiction. It has enforcement jurisdiction similar to a State Attorney General or the Federal Trade Commission, where in response to complaints or other information, they may initiate an enforcement investigation over someone. And the CFPs enforcement jurisdiction is very broad. It covers any person or company who offers or provides a consumer financial product or service of any type and payment processing is one of those defined in the statute.
So the CFPB already has enforcement jurisdiction over people who engage in payment processing for consumer transactions. But the thing about enforcement jurisdiction is that it's not nearly as effective a tool for the CFPB as supervision is. And let me try to explain why that is. Enforcement has to be based on information that the agency can learn from outside the organization, consumer complaints or any publicly available information. But when the CFPB engages in a supervisory exam of an entity like a large bank or an auto finance company or a consumer reporting agency, they come into the company. And so your typical CFPB exam involves say, 10 to 12 CFPB examiners that will be onsite and focusing their entire attention on the operations of a single company for six to eight weeks. And it will be accompanied by a very long set of initial information requests and maybe 100, 150, maybe 200 follow-up requests that will occur during the examination itself.
The bureau will look at all kinds of internal reporting, data. They'll even assert the ability to view attorney-client privileged information during an exam, which they cannot do in enforcement. That level of access creates two very important points of leverage for the CFPB. One is that it gives them the ability to discover aspects of a company's operations that never would have been visible if you were looking at the company from the outside because they have access to all of this inside information by virtue of being inside the company for the examination. And so as a tool to discover practices, it is unparalleled in its effectiveness. And so we see the bureau discover things all the time in examinations that would never be discovered of an entity that's not subject to supervision. When those things are discovered, the agency then can do two things. One, it can apply pressure in the supervisory process.
Two, ask the business to change practices that the CFPB disagrees with or thinks are a violation of law. That pressure is there and sort of hanging over that is the idea of if you don't do what I tell you to do, then I may engage in enforcement with you to make you do what I want you to do. Because companies appreciate the confidentiality of supervision because supervision is confidential. There's a lot of pressure for companies to agree to business practice changes that are suggested in a hard or soft way in supervision, and thereby it gives the bureau a lot of ability to affect change in a business through supervision. And then of course, supervision has, for much of the CFPBs history been the breeding ground for public enforcement actions.
If you go back and look at where enforcement actions come from that result in enforcement lawsuits or consent orders, you'll see that many, many, many of them have their roots in issues that were found during supervision, during supervisory exams, then referred to enforcement by the bureau, which is a thing that the bureau does quite frequently these days. When you're subject to supervision, you're not only subject to this intense information gathering and the regulatory expectations around compliance efforts that go along with it, but also the soft pressure in supervision to change practices and the threat of enforcement if you don't or if they discover something that's too big to ignore in a supervisory exam.
So being subject to supervision means having the regulator know much more about what you're doing, exert much greater pressure on you both with respect to your compliance efforts and your substantive business practices bearing a much, much greater risk of public enforcement activity. And all of the success of industries that have been subject to CFPB supervision over the 12 years of the bureau's history have all experienced that. And we would expect the same thing to occur in the payment's industry once this rule is finalized.
Keith Barnett:
Thanks Chris. One thing I'd like to add here is the intersection with the proposed larger participants rule with state laws that govern money transmission and cover payments generally. I say that because as a part of a larger participants rule, the CFPB has made a statement as to how the payments would be affected, what falls within that category, and they have two large buckets. One of the large buckets is called funds transfer functionality. They say that a qualified payment is when one is receiving funds for the purpose of transmitting them so it's pretty much identical to state and federal money transmitter laws. But then they also go on to say that part of the fund's transfer functionality is also accepting and transmitting payment instructions, which means that you don't even have to receive or transmit money if you are just merely directing traffic, which a lot of fintechs do.
They are not holding money because a bank or a trust or someone else is holding money. But if you are directing traffic, you are potentially a part of the larger participants if you hit that 5 million transaction threshold, which quite frankly is not hard to hit. The CFPB in my opinion is either understating intentionally or non-intentionally, I don't know. But it's very easy to hit 5 million transactions in a day for some of the smaller to mid-sized fintechs. So that larger participant's number is going to be much larger than the 17, especially if the larger participant does not have to touch money. And then that second category that the CFPB has is the wallet functionality.
Within that the definition is if the larger participant stores an account or payment credentials, including encrypted or in tokenized form and transmits routes or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction. So once again, it's a pretty broad definition, does not require the company to hold, receive or send money. It is just sending payment instructions. That is something that businesses need to look out for. Do not just look at the rule or listen to us and say, oh, the CFPB says it's 17 companies are going to be affected. I know I'm not one of those top 17, so I don't have to worry about it. That is not necessarily true. James, do you have anything to add to what we've been saying about the scope of the rule or the process?
James Kim:
I have a few thoughts, no particular order, but I'll touch upon a variety of points that all of you have made. First, I do think it's intentional by the CFPB to make the trigger very low or easy. I don't know where they came up with 5 million, but it's a very low threshold, especially with the broad definitions that Carlin touched upon. What is general use? What does facilitate payment transactions mean? I can say that based on past CFPB activities, specifically enforcement actions, when you're involved in payment processing, air quote, "for consumers" the bureau's position is you don't have to actually touch the consumer.
We all know that most payment transactions are a chain, and if you are somewhere in the middle of the chain and you are far away or not touching the consumer, the bureau, at least in prior enforcement actions has taken the position that you are still payment processing, air quote, "for consumers". So I think there's a lot of areas, lots of facets of the proposed rule that give the CFPB extreme flexibility and discretion and white space to do whatever it wants. I don't think they have a clear idea. That's the whole point of the rule as Chris said, it's a diagnostic tool. They just start to examine the larger companies to see what's there. They don't know what to find until they get underneath the hood and then they see what they see, come up with findings and then make decisions about what to do, not only particular to that institution that's being examined, but broader policy initiatives, other substantive rulemaking and guidance and other things that they want to do.
So the output from the exams are quite broad. It's company specific, the company that's being examined, but also it informs their larger decision-making strategic priorities and other departments in the bureau, their research in markets, enforcement, consumer education, so on and so forth. The other thing I wanted to point out is really following up on Chris's point about what the consequences are of being under the CFPB supervisory authority. They are very clear in this proposed rule and in every larger market participant rulemaking, that once they have the hook, once you are a larger market participant, once you meet that threshold, they can and will examine you for every single consumer financial law that they have jurisdiction over.
So that's close to 20 statutes plus related rules. So in other words, even though your hook might be, I'm a payment processor or I'm a student loan servicer, or I'm a credit reporting agency, the examination will not be limited in scope to payment processing, student loan servicing or credit reporting. They will look at everything, privacy, GLBA, you name it, including they always do a baseline compliance management system examination. So in other words, their first touch or first exam with the company typically involves just an overall review of your CMS system. So they'll look at every policy and procedure, all your processes and controls, and none of it will be specific or limited to payment processing in this case. So there's something else for people to think about.
Carlin McCrory:
Chris, can you talk about next steps with the rulemaking process and when we think examinations may begin?
Chris Willis:
Sure. And we have a pretty good history with the CFPB doing larger participant rules because it's done them since almost the agencies in inception. I think the first one was in 2012. Historically, these are not that complicated for the agency to finalize, and we typically see that the final rule is implemented roughly a year after the rule was proposed. This one was just proposed recently, so we would expect it to be finalized and become effective, say fall of 2024, something like that. And then historically, when we've seen larger participant rules come into being, we've seen very rapid examination activity begin of certain larger participants in those industries. And typically we've seen them prioritized based on size. So the very largest of the larger participants might expect to have an exam in the very first year following the finalization of a larger participant rule. And so I think it's likely that we'll see examinations occur of payment processing companies as defined by this larger participant rule starting in maybe early 2025 would be my best guess.
Smaller ones they may pick up over the ensuing years and the larger ones may get repeat exams every few years after that. That I think is my best guess on timing. The one other thing I would mention is I'm certain there will be significant industry comments on the larger participant rule, and we in fact are involved in helping associations draft some of those. Historically, we have not seen significant variations between proposed and final larger participant rules. We've seen only minor tweaks in those between the proposal and the final rule. If that bears true for this one as well, we would expect the final rule to look a lot like what was proposed recently.
Carlin McCrory:
Thanks for that. And Keith, Chris, James, thanks for joining me today and thank you to our audience for listening to today's special joint episode of The Consumer Finance Podcast. Please make sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform that you may use. We're looking forward to next time.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.