CFPB Proposes Reining in Payment Apps
‘Tis the season of giving thanks and this year some people may be thankful that the CFPB is finally taking payment apps seriously. The proliferation of nonbank companies in the consumer payment space has slowly but surely caused regulators to take notice. The CFPB in particular just issued a proposed rule to supervise nonbank companies that qualify as larger participants in the payment app marketplace.
The words “larger participant” may ring a bell. The CFPB has the authority to supervise nonbank entities that it deems “a larger participant of a market for other consumer financial products or services.” You may be familiar with previously-issued “larger participant” rules for nonbanks engaged in consumer reporting, consumer debt collection, student loan servicing, international money transfers, and automobile financing. This proposed rule would apply to providers of “digital wallets,” “funds transfer apps,” “payment apps,” and “person-to-person or P2P payments apps.” These providers would be considered a “larger participant” if they meet two criteria.
First, during the preceding calendar year, the provider must not be a “small business concern” under the Small Business Act. Second, to be subject to the rule, an entity must have an annual consumer payment transaction volume of at least five million transactions.
A “consumer payment transaction” is a payment transaction that results in the transfer of funds by or on behalf of a consumer. In addition to encompassing a consumer’s transfer of their own funds, a “consumer payment transaction” would encompass a creditor’s transfer of funds to another person on behalf of a consumer as part of a consumer credit transaction. Hence, even though a credit card payment is not an electronic fund transfer subject to Regulation E, the proposed rule would cover the use of digital wallet functionality to purchase nonfinancial goods or services using stored credit card credentials. The CFPB projects that this threshold would make roughly 17 entities subject to its supervision, which is around 9% of all known nonbank companies fitting these criteria.
Also of note, the Consumer Financial Protection Act (CFPA) allows the CFPB to supervise all service providers to entities that it supervises. This would result in the CFPB supervising all service providers to larger participant nonbank providers of payment apps and digital wallets. In addition, as the CFPB also notes, it can supervise any nonbank provider of digital wallets and payment apps—regardless of its size—that the CFPB has reasonable cause to determine is engaged in conduct that poses risks to consumers when providing financial products or services.
This all sounds good so far, but you’re probably wondering what it’s going to mean for these entities to be subject to CFPB supervision. In the CFPB’s view, it would help to ensure that these entities are complying with applicable requirements of Federal consumer financial law, such as the CFPA’s prohibition against unfair, deceptive, and abusive acts and practices, the privacy provisions of the Gramm-Leach-Bliley Act and its implementing Regulation P, and the Electronic Fund Transfer Act and its implementing Regulation E. In addition, as entities increasingly offer funds transfer and wallet functionalities through payment apps, the rule would enable the CFPB to monitor for new risks to both consumers and the market.
A.I. Regulation is On the Way
The words “artificial intelligence” used to provoke thoughts of dystopian science fiction. Now, we think more of ChatGPT and less about “The Terminator.” Artificial intelligence, or A.I., is now ubiquitous and quickly being integrated into every facet of our lives. The consumer finance industry is not immune from its reach. A.I. has become so pervasive and its implications so wide that our government is taking note. On October 29th, the Biden Administration issued a wide-ranging Executive Order (the “Order”) establishing guidelines for consumer safety and protection while emphasizing equity.
For banks that use proprietary A.I., the Order includes provisions directed at A.I. developers and designers. It directs the Secretary of Commerce, in coordination with certain other agencies, to establish guidelines, with the aim of creating industry standards for developing “safe, secure, and trustworthy A.I. systems.” The Order encourages agencies to consider using the full range of their authorities to protect consumers from fraud, discrimination, and threats to privacy, and to address other risks that may arise from A.I., including risks to financial stability. The agencies are also encouraged to consider rulemaking, as well as emphasizing or clarifying where existing regulations apply to A.I. The agencies are also encouraged to clarify the responsibility of regulated entities to conduct due diligence and monitor any third-party A.I. services they use, and to emphasize or clarify requirements and expectations related to the transparency of A.I. models and regulated entities’ ability to explain their use of A.I. models.
The Order encourages the CFPB Director and the Director of the Federal Housing Finance Agency, in order “to address discrimination and biases against protected groups in housing markets and consumer financial markets…to consider using their authorities, as they deem appropriate, to require their respective regulated entities, where possible,” to do the following:
- Use appropriate methodologies including A.I. tools to ensure compliance with federal law;
- Evaluate their underwriting models for bias or disparities affecting protected groups; and
- Assess automated collateral valuation and appraisal processes in ways that minimize bias.
The Order also requires the Secretary of Housing and Urban Development and encourages the CFPB Director, in order “to combat unlawful discrimination enabled by automated algorithmic tools used to make decisions about access to housing and in other real estate-related transactions,” to issue additional guidance addressing how the Fair Housing Act, the Consumer Financial Protection Act, or the Equal Credit Opportunity Act apply to the advertising of housing credit, and other real estate-related transactions through digital platforms, including those that use A.I. models to facilitate advertising delivery, as well as best practices to avoid violations of federal law.
The main takeaway for banks should be “stay tuned.” Our country’s vast regulatory state has been directed to seriously take a look at the state of the A.I. and its application across the economy, including the banking industry. While current A.I. may not be able to invoke “The Terminator” and say, “I’ll be back,” don’t forget about A.I regulation. It’s coming.
At Long Last the CRA Final Rule is Here
Without a doubt, the most difficult part of working the Compliance Alliance Hotline is that we are expected to know the ins and outs of any regulatory compliance question at any time, no matter how new the rule is, and we enjoy that challenge. And our members did not disappoint when the new 1,500 page CRA Final Rule was released. Within minutes our advisors, who by virtue of working the hotline had not fully digested all the nuances of the Rule, were being inundated with CRA questions. “Minutes” may be a slight exaggeration but we really have received plenty of chats, emails, and calls on this topic since day one and we want to use this platform to go over some of the most commonly asked questions thus far.
First, to back up a second, on October 24th, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued a final rule modernizing their regulations implementing the Community Reinvestment Act. The agencies also issued a Fact Sheet and an Interagency Overview in which they highlight key elements of the Rule and changes from the proposal. The Rule updates the 1977 anti-redlining law for, effectively, the first time in nearly three decades.
Not surprisingly, the most common question thus far has been “what are the revised bank asset size thresholds? Please tell me I’m still a small bank.” The good news is that if you’re a small bank now, you’ll still be a small bank and some intermediate small banks will be small banks once the rule goes into effect. Per the rule, small banks are banks with assets under $600M (the threshold is $376M under the current framework); intermediate banks will be any bank between $600M–<$2B (from $376M–$1.503B); and large banks: ≥$2B (from ≥$1.503B). In the future the asset-size thresholds will be adjusted annually for inflation.
So, when do you need to comply? Although the Rule is effective April 1, 2024, the compliance date for the majority of the Rule’s provisions is January 1, 2026. The Rule, in a change from the proposal, requires data collection beginning January 1, 2026, with reporting the following year, by April 1, 2027. The Rule’s new data collection and reporting requirements do not apply to small and intermediate banks and certain of such requirements, such as the requirement to annually collect, maintain, and report deposits based on the location of the depositor, apply only to large banks with assets over $10 billion.
The next question you’re likely to have is something like, “Alright, we’re a small bank but what does that mean? How are we being tested?” The evaluation framework for banks includes six tests: Retail Lending Test, Retail Services and Products Test, Community Development Financing Test, Community Development Services Test, Intermediate Bank Community Development Test, and Small Bank Lending Test. The six tests apply as follows:
- Large banks will be evaluated under the Retail Lending Test, Retail Services and Products Test, Community Development Financing Test, and Community Development Services Test.
- Intermediate banks will be evaluated under the Retail Lending Test and Intermediate Bank Community Development Test or, at the bank’s option, the Community Development Financing Test
- Small banks will be evaluated under the Small Bank Lending Test or, at the bank’s option, the Retail Lending Test.
Banks of all sizes retain the option to request approval to be evaluated under an approved strategic plan. For large banks, the Rule reduces the proposed weight assigned to the Retail Lending Test and increases the proposed weight assigned to the Community Development Financing Test so that each test is weighted equally.
The Rule is too large to fully summarize here but hopefully this answers some of your initial questions. Please stay tuned as we update our CRA tools and develop a summary of this rule. As always, our hotline team is happy to help with any questions you may have about CRA or any other topic, no matter how recently it was updated.
CFPB Commences Long-Awaited Section 1033 Implementation
Last month the Consumer Financial Protection Bureau (“CFPB”) released a proposed rule that, if enacted, would aim to grant consumers greater access rights to the data their financial institutions hold. The proposed Personal Financial Data Rights Rule (the “Proposed Rule”) signals the first step towards the implementation of regulations aimed at “open banking” that were initially required under the Dodd-Frank Act and is the first proposal to implement Section 1033 of the Consumer Financial Protection Act.
The Proposed Rule would provide consumers the right to request information related to their account transactions, balances, and third-party bill payments from their financial institutions. Consumers would also be able to request information used to initiate ACH transactions, information regarding product and services terms and conditions, and account verification information. Notably, the access rights exclude information that would constitute confidential business information and certain information concerning mortgages, auto loans, and student loans. Financial institutions would be required to make covered data available in a readily usable electronic form to the consumer and, if applicable, a third-party authorized by the consumer, such as other financial institutions, upon request and at no cost.
There is a limited exemption for community banks without “consumer interfaces.” A “consumer interface” is defined in the Proposed Rule as “an interface through which a data provider receives requests for covered data and makes available covered data in an electronic form usable by consumers in response to requests.” The term is intended to encompass consumer-facing digital banking interfaces that allow consumers to make requests for information, such as online banking or mobile banking applications.
While the vast majority of financial institutions offer consumer interfaces, a small number of institutions do not offer any such service. In the CFPB’s view, these smaller institutions generally provide timely and understandable information through ongoing personal relationships to assist customers in making decisions about financial transactions and would be unduly burdened by not having the means to access data covered by the Proposed Rule with the same speed and efficiency that institutions with such interfaces do. The Proposed Rule would not provide a grace period for institutions that do not have a consumer interface as of the effective date but subsequently offer such an interface to their customers. So if any such institution later chooses to offer a consumer interface after the compliance date then those institutions will be expected to comply starting on day 1.
For financial institutions subject to the Proposed Rule, there is staggered implementation. Larger data providers will be subject to compliance sooner than smaller institutions. Financial institutions holding at least $500 billion in total assets would be required to comply within six months of final rule publication. Financial institutions between $50 and $500 billion in total assets would have a compliance timeframe of twelve months. Institutions holding between $850 million and $50 billion would have thirty months or 2.5 years, while institutions holding less than $850 million in total assets would have four years.
Comments on the Proposed Rule are due on or before December 29, 2023.