January 26, 2024

CFPB Bites of the Month - 2023 Annual Review - Payments

Eric L. Johnson, Justin B. Hosie, Laura J. Bacon, Ryan S. Stinneford, and Thomas P. Quinn, Jr.

In this article, we share a timeline of our monthly "bites" for 2023 applicable to payments, along with some additional related information.

Bite 11: CFPB Report Highlights Military Community Concerns With Digital Payment Applications

On June 20, 2023, the CFPB issued its Office of Servicemember Affairs Annual Report. The Annual Report analyzes complaint data received from servicemembers, veterans and their families during 2022. A key finding of the 2022 Annual Report was a significant increase in complaints regarding payment applications provided by banks, credit unions, and non-bank providers. CFPB analysis of these complaints highlighted three core issues: (a) identity theft involving the use of payment applications that resulted in unauthorized fund transfers, (b) a failure of payment application providers to provide full and timely resolution of unauthorized transfer and other issues, and (c) the downstream impacts both of the foregoing issues caused for servicemembers (including damaging their financial stability, subjecting them to collections and other activity, with the potential for service-related impacts, such as the ability to retain a security clearance). To address these issues the Annual Report recommended that digital payment application providers improve the security of their networks to reduce the potential for fraud, improve their responsiveness to fraud claims from servicemembers (including through better coordination with other parties in the payment application ecosystem), and revise their fraud reimbursement policies to better address the unique experiences of servicemembers using their applications.

Bite 10: Director Chopra's Prepared Remarks at Fintech Conference

On September 7, 2023, CFPB Director Chopra spoke to the Federal Reserve Bank of Philadelphia's Annual Fintech Conference about the payments system. He said that banking and payments are not regulated just by government regulations but also by regulations imposed by private actors outside the democratic process. He further claimed that when essential facilities succumb to unchecked private control, this can undermine the free market. Director Chopra said that BigTech's entrance into the payments system has deepened consumer engagement on their technology platforms, harvested and potentially monetized transaction related data, and exploited traditional financial sector fee streams. He also claims that the rise of the "tap-to-pay" ecosystem has allowed the two major mobile phone companies to develop a monopolistic dominance over payments. He also expressed concerns that the largest firms will be able to stifle competition and fairness, and called on regulatory agencies to equalize the playing field.

Bite 9: CFPB Reports on Role of BigTech in Mobile Payments

On September 7, 2023, the CFPB published an issue spotlight on the role of BigTech in mobile payments. The report indicated that consumers' use of tap-to-pay options has grown considerably in recent years, nearing an estimated $300 billion on the three largest platforms, with some analysts estimating that digital wallet tap-to-pay transactions will grow by over 150 percent by 2028. According to the report, the two most dominant mobile operating systems impose different regulations on contactless payments. One restricts all third-party applications from using the technology, and the other could change its policy to add similar restrictions. According to the CFPB, these restrictions can reduce consumer choice and hamper innovation. The CFPB claims that developers could create payment solutions that better meet consumer needs without these technological roadblocks.

Bite 8: CFPB Cautions Consumers about Storing Funds in Payment Apps

On June 1, 2023, the CFPB issued a caution to consumers about storing funds in payment aps. Specifically, the CFPB published an advisory to consumers to transfer balances to insured banks and credit unions, because funds stored in digital payment apps may be vulnerable in the event of financial distress, as they are not always held in accounts with federal deposit insurance coverage. The use of nonbank payment apps has rapidly grown in the past few years, and these apps allow people to quickly make payments, while also providing the option to store funds. The CFPB estimated that payment app transaction volume in 2022 was approximately $893 billion, and is projected to reach approximately $1.6 trillion by 2027. According to the CFPB, the funds that consumers receive through nonbank payment apps are not automatically swept into bank or credit union accounts of the consumer users, and payment app companies do not necessarily store customer funds in an insured account through a business arrangement with a bank or credit union. Additionally, the user agreements often lack specific information about where the payment apps hold or invest funds, and what would happen to these funds if the entity holding them were to fail.

Bite 7: CFPB Publishes New Findings on BNPL Users

On March 2, 2023, the CFPB published a new report analyzing the financial profiles of customers paying for purchases using Buy Now, Pay Later (BNPL) transactions. According to the CFPB, BNPL consumers paying via BNPL are more likely to use credit products to make payments, such as credit cards, personal loans, and student loans. The CFPB claims that BNPL consumers are also more likely to exhibit measures of financial stress than non-users. The CFPB also claims that BNPL users are more likely to be highly indebted or have revolving balances or delinquencies on their credit cards compared to consumers who don't use BNPL products, and are more likely to use payday loans, pawn transactions, and bank account overdrafts. The CFPB says that this report debunks the idea that BNPL users don't have access to credit as they appear to be more likely to use other credit products. The CFPB found that BNPL users have lower credit scores on average than non-users, are more likely to have a credit record in another account, are more likely to be delinquent by more than 30 days on other credit accounts, and to have higher usage of other loan products. CFPB Director Chopra said "Since [BNPL] is like other forms of credit, we are working to ensure that borrowers have similar protections and that companies play by similar rules."

Bite 6: CFPB Issues Guidance to Address Abusive Conduct in Consumer Financial Markets

On April 3, 2023, the CFPB issued a policy statement explaining the federal prohibition on "abusive conduct" and summarizing a decade of CFPB activity. The CFPB noted that abusive conduct generally includes (1) obscuring important features of a product or service or (2) leveraging certain circumstances—like gaps in understanding, unequal bargaining power, or consumer reliance—to take unreasonable advantage. The policy statement also describes how abusive conduct can arise from the use of what the CFPB calls "dark patterns," business practices that trick or manipulate consumers to make choices, often harmful, that they would not otherwise have made.

Bite 5: CFPB Proposes Rule on Personal Financial Data Rights

On October 19, 2023, the CFPB announced that it was proposing a new rule to give consumers more control over data about their financial lives and new protections against companies misusing their data. This proposed rule implements Section 1033 of the Consumer Financial Protection Act, which charged the CFPB with implementing personal financial data sharing standards and protections. According to the CFPB, this rule will ensure that consumers can access their data without paying "junk fees," give consumers a right to grant third parties access to information, and enable consumers to move their data to competing products and services. The rule will also prohibit companies who receive consumer data from using it for anything but the specific purpose requested by the consumer. The rule's requirements would be implemented in phases, with larger providers being subject to them first. In addition, community banks and credit unions that have no digital interface at all with their customers would be exempt from the rule's requirements. In prepared remarks, CFPB Director Chopra said that this rule will help decentralize the financial services market, give consumers more control, and allow smaller institutions and startups to compete fairly with major market players.

Bite 4: CFPB Focuses on Payment Card Compliance.

The CFPB took two actions of note in connection with prepaid card compliance.

  • CFPB and OCC Announce Action Against Large Bank for Issues Related to Servicing of Unemployment Benefit Prepaid Cards -- On December 19, 2023, the CFPB and OCC announced an action against a large bank. The CFPB claimed that the bank kept consumers from accessing their unemployment benefits. The bank allegedly froze tens of thousands of accounts without providing the customers with a reliable and quick way to regain access and failed to provide provisional account credits while investigating potentially unauthorized transfers. These alleged actions happened during the pandemic, while the bank had contracts with at least 19 states to deliver unemployment benefits. The consumers whose accounts were frozen lost access to their benefits until they were able to verify their identities to unfreeze their accounts, but the bank allegedly did not have a system in place for the identity verification. According to federal law, when accountholders report unauthorized transfers, banks must provide provisional account credits if their investigations take more than 10 days, and the CFPB and OCC alleged that this bank failed to provide those credits. The CFPB required the bank to pay $5.7 million to consumers, a $15 million penalty to the civil penalty fund, and change its practices regarding limiting account access and issuing provisional credits. The OCC also separately fined the bank an additional $15 million.
  • The CFPB Files Amicus Brief in Government Benefits / Prepaid Card Case - On January 10, 2023 the CFPB announced that it had filed an amicus brief in the U.S. Court of Appeals for the Fourth Circuit, in a case involving unemployment benefits on a government benefit card. In the case, a consumer had sought to receive pandemic related unemployment benefits on a prepaid government benefit card. The plaintiff alleged there was a $0 balance when the card arrived, due to unauthorized charges. The plaintiff further claimed that the bank denied the plaintiff's claim to the funds and offered no explanation for the denial. The plaintiff sued the bank claiming the bank violated Regulation E's error resolution requirements. The District Court ruled that the card was not a "prepaid account" because it was established through a third party and loaded with qualified disaster relief payments. In the appeal the CFPB's brief argued that the card was a "prepaid account" subject to Regulation E. The CFPB argued that a government benefit account is not subject to the prepaid account exclusions, so upon determining an account is a government benefit account, no further analysis is needed to conclude that the account is a covered account.

Bite 3: CFPB Proposes New Rule on Digital Wallets and Payment Apps

On November 7, 2023, the CFPB announced that it was proposing a new rule on digital wallets and payment apps, that will subject larger providers to examinations like banks. The CFPB issued a Notice of Proposed Rulemaking, which it said is designed to define a market for general-use digital consumer payment applications. The proposed market would cover providers of funds transfer apps and digital wallets for consumer use, and larger participants of this market would be subject to the CFPB's supervisory authority under the CFPA. The CFPB indicated that the proposed rule would ensure that these nonbank financial companies, specifically larger companies handling more than 5 million transactions per year, adhere to the same rules as large banks, credit unions, and other financial institutions already supervised by the CFPB. According to the CFPB, Big Tech and other companies operating in consumer finance markets blur the traditional lines that have separated banking and payments from commercial activities, and this can put consumers at risk, especially when traditional banking safeguards like deposit insurance don't apply.

Bite 2: CFPB Takes Actions against International Money Transfer App; Highlights Compliance Deficiencies with Remittance Transfer Rules

On October 17, 2023, the CFPB announced that it had taken action against an international money transfer app, claiming that it violated the EFTA and the Remittance Transfer Rule. The CFPB claimed that the operator of the mobile app allegedly deceived customers about the speed and costs of remittance transfers, forced consumers to waive legal rights, failed to provide required disclosures and receipts, and failed to properly investigate disputes. According to the CFPB, the company violated the EFTA when it required users to waive the company's liability for losses incurred through the app, as the EFTA provides that the rights conferred by the EFTA cannot be waived. The CFPB's Remittance Transfer Rule requires that consumers receive timely receipts, specific disclosures about funds availability, and correctly calculated exchange rates- all of which the company allegedly failed provide. The CFPB also alleged that the company deceived consumers by falsely claiming that transfers would be delivered instantly and without fees. The CFPB's order required the company to refund consumers who paid for "fee-free" transactions or whose payments were not delivered on-time. The company also paid a $1.5 million penalty to the civil penalty fund.

This action followed discussion in two preceding CFPB Supervisory Highlights expressing concerns with shortfalls in complying with the remittance transfer rules. For example, the Summer 2023 Supervisory Highlights noted that some institutions had not developed written error resolution policies and procedures as are required by the remittance transfer regulations. The CFPB noted that this was a concern highlighted in several prior Supervisory Highlights publications, and that it was a continuing concern of the Bureau. Concerns with remittance transfer error resolution compliance continued in the Fall 2023 Supervisory Highlights, as the CFPB noted that certain remittance transfer providers failed to provide timely refund of fees imposed on remittance transfers that did not arrive by the promised availability as required by CFPB Regulation E. The Fall 2023 Supervisory Highlights publication also observed that certain remittance transfer providers failed to disclose fees imposed by their agents at the time of transfer as required by Regulation E. This resulted in a reduction of the total amount of funds received by the recipient when compared to the amount disclosed.

Bite 1: CFPB Issues Order against Payment Firm for Allegedly Processing Unauthorized Payments

On June 27, 2023, the CFPB issued an order claiming that a payment processor improperly initiated approximately $2.3 billion in unlawful mortgage payment transactions, which could have subjected up to 500,000 homeowners to overdraft and NSF fees from their financial institutions. In April of 2021, the payment firm had conducted tests of its platform, but allegedly sent several files filled with actual customer data into the ACH network, accidentally initiating approximately $2.3 billion in electronic payment transactions from homeowners' accounts without notice or authorization. At one bank, for example, more than 60,000 accounts reportedly experienced more than $330 million in combined unlawful debits. Among these account holders, approximately 7,300 had their available balances reduced by more than $10,000. The CFPB claims that these actions violated Regulation E, and in addition to a $25 million penalty, the CFPB required the company to change its security and testing practices so that it does not happen again.

Conclusions and Predictions

We believe technical innovation and consumer convenience (such as so-called "real time" payment functionality through payment apps and account-to-account (A2A) and person-to-person (P2P) transfers) will continue to drive growth trends in the payment industry. However, that growth - particularly by non-bank payment services providers - may bring increased regulatory scrutiny and will likely lead to even greater efforts by the CFPB to regulate the industry. It will be very interesting to watch how these opposing forces interact. At the very least, new compliance burdens appear likely for industry players.

Still hungry? Please join for our next CFPB Bites of the Month. Here is our lineup for 2024. If you missed any of our prior Bites, request a replay on our website.

Hudson Cook, LLP provides articles, webinars and other content on its website from time to time provided both by attorneys with Hudson Cook, LLP, and by other outside authors, for information purposes only. Hudson Cook, LLP does not warrant the accuracy or completeness of the content, and has no duty to correct or update information contained on its website. The views and opinions contained in the content provided on the Hudson Cook, LLP website do not constitute the views and opinion of the firm. Such content does not constitute legal advice from such authors or from Hudson Cook, LLP. For legal advice on a matter, one should seek the advice of counsel.