CFPB Takes Next Step in Its Big Tech Regulatory Strategy: New Rule Proposed to Expand Examination Authority Over Digital Wallets and Payment Apps


5 minute read | November.13.2023

The Consumer Financial Protection Bureau (CFPB) has issued a notice of proposed rulemaking that seeks to expand its authority to supervise and examine providers of digital wallets and payment applications.

The proposal is the latest “larger participant” rule issued by the CFPB, and the first since 2015. Prior rules defined larger participants for student loan servicing, consumer reporting, automobile financing, debt collection and remittance markets.

The proposed rule defines a new “general-use digital consumer payment applications market” and sets thresholds and requirements for defining the “larger participants” in that market subject to examination by the CFPB. The CFPB notes that the rule’s scope is intended to include many consumer financial products and services commonly described as “digital wallets,” “payment apps,” “funds transfer apps” and “P2P apps.”

The CFPB estimates that the new rule would apply to approximately 17 nonbank companies. While many states have supervisory programs relating to money transmitters, no federal program monitors these nonbank companies for compliance with consumer-protection laws.

Notably, the proposal includes the CFPB’s first public statement that the term “funds” is not limited to fiat currency or legal tender. Digital assets, including crypto-assets, with “monetary value readily useable for financial purposes, including as a medium of exchange,” may be considered “funds” under the Consumer Financial Protection Act (CFPA). This points to the CFPB’s intention to regulate digital consumer payments applications that use crypto, as well as fiat and legal tender for funds transfers.

How does the CFPB define the general-use digital consumer payment applications market?

The proposed rule would apply to companies that provide a covered payment functionality through a digital application consumers use to make consumer payment transactions.

  • Consumer Payment Transactions include the transfer of funds by a consumer in the United States to another consumer, business or entity for personal, family or household purposes. It includes the transfer of funds on behalf of the consumer as part of a consumer credit transaction (e.g., using digital wallet functionality to purchase a good with a credit card). This general definition is subject to four carve-outs:
    • International remittances
    • The exchange of funds for another form of funds (e.g., currency transfers, purchase or sale of digital assets) or the purchase of security or commodity
    • The purchase or sale of goods or services in an online marketplace if the consumer payment application is provided by the operator of that marketplace
    • Consumer lending by a company through its own digital platform.

  • Covered Payment Functionality includes, in connection with consumer payment transactions:
    • Fund transfer functionality – defined as either receiving funds for the purpose of transmitting them or accepting and transmitting payment instructions or
    • Wallet functionality, including storing account or payment credentials (even in encrypted or tokenized forms) or transmitting, routing or otherwise processing stored account or payment credentials.

  • Digital Applications are software applications a consumer may access through a personal computing device, including but not limited to a mobile phone, smart watch, tablet, laptop computer or desktop computer. Mobile applications and websites are included.
  • General Use transactions are free of significant limitations for the purpose of consumer payment. However, payment functionality provided through a digital consumer payment application would not be deemed “general use” if the purpose of the payment was for the lease or payment of a specific type of service, good or other property, such as lodging, transportation, food, an automobile, a dwelling or real property. In addition, certain consumer debt payments (including repayment of an extension of consumer credit) are not included. The CFPB considers payment functionality limited to person-to-person transfers to be general use.

What entities are covered?

The CFPB proposes to extend its examination authority to “larger participants” in this market, which are defined as: A nonbank with an annual volume of at least five million consumer payment transactions that does not meet the definition of a small business concern based on the Small Business Administration (SBA) size standard.

Under existing larger participant regulations, the CFPB can require the submission of certain records, documents and other information to assess whether an institution is a larger participant of a covered market. Once a nonbank-covered payments provider is designated as a “larger participant,” it will remain subject to examination authority until two years after the first day of the tax year in which the institution last met the larger participant test. Service providers to “larger participants” would also become subject to CFPB supervisory authority.

The CFPB has requested feedback regarding the appropriateness of the proposed criteria, asking whether it should instead be based on the dollar value of consumer payment transactions or other metrics.

What oversight applies to larger participants?

Larger participants are subject to CFPB examination with respect to their compliance with federal consumer financial laws and “risks to consumers.” Specifically, the CFPB would examine for “compliance with applicable provisions of Federal consumer financial laws, including the Electronic Fund Transfer Act and its implementing Regulation E, as well as the privacy provisions of the Gramm-Leach-Bliley Act.” The CFPB also would examine whether larger participants engage in unfair, deceptive or abusive acts or practices and whether they comply with the CFPB’s rule implementing section 1033 of the Dodd-Frank Act, once finalized.

Does the proposed rule affect other regulators’ authority or institutions’ compliance obligations?

The proposed rule only impacts CFPB authority by extending its examination authority to a new cohort of nonbank financial services companies.

Importantly, by statute, the CFPB employs a risk prioritization process to determine which entities among the tens of thousands subject to its supervisory authority it will actually examine. The CFPB coordinates its examinations with relevant state regulators.

The rule would not affect the substantive law applicable to covered institutions, which are all already subject to the requirements of federal consumer financial law and the CFPB’s enforcement authority (i.e., its authority to issue civil investigative demands and take public enforcement actions).

What’s next?

Comments are due by January 8, 2024. The CFPB proposes that the final rule would take effect 30 days after it is published in the Federal Register.