What’s in Your (Digital) Wallet? The CFPB Seeks to Supervise Digital Wallets and Payment Applications

There are certain nonbank markets that the Consumer Financial Protection Bureau (“CFPB”) has the statutory right to supervise irrespective of size (e.g., mortgage, private education loan, payday lending). Then, there are other consumer finance markets to which Congress gave the CFPB supervisory authority over only “larger participants.” But what constitutes a “larger participant,” like what supervisory rules should be applied by the Bureau, was left in the first instance up to the CFPB.

The CFPB has already attempted to define what constitutes a “larger participant” for several industries, including consumer reporting, consumer debt collection, automobile financing, and student-loan servicing. In early November 2023, it proposed a new rule, this time defining what a “larger participant” meant when it comes to “general-use digital consumer application[s].” Per the proposed rule, such applications would encompass “providing a covered payment functionality through a digital application for consumer’s general use in making consumer payment transaction(s).” Although fleshed out through byzantine pathways of regulatory definitions and exceptions, the CFPB explained that its primary focus was digital wallets (“wallet functionality”) and payment apps (“fund transfer functionality”), most notably those offered by “Big Tech.”

To qualify as a “larger participant” in this market, the CFPB has tentatively proposed setting the bar as (1) providers that, with their affiliates, facilitate at least 5 million transactions annually in a general-use digital consumer payment application; and (2) providers that are not characterized as a “small business concern” as defined by the Small Business Administration (“SBA”). Such “larger participants” could be subject to compulsory examination and information sharing with the Bureau, all with the ostensible purpose of evaluating risks to consumers and consumer financial markets.

The CFPB explained that the focus of its supervisory efforts would be twofold. First, it hoped to police compliance with regulations targeting unfair, deceptive, and abusive acts and practices (“UDAAP”); consumer money transfers; and privacy protections. Second, it aimed to “foster a level playing field with depository institutions,” forcing these “larger participants” to undergo scrutiny commensurate with that applied to traditional depository institutions, such as banks and credit unions.

At present, it is projected that the CFPB’s definition, if adopted, would directly impact about 17 companies that account for a combined total of 88% of consumer payment transactions. Given the relatively low transaction-volume bar in the context of the payments industry (which could conceivably be reached even by truly nascent players, likely leading to the CFPB’s express exclusion of “small business concern[s]” from the definition), the rule could easily sweep up emerging players in the payments and digital wallet industries, potentially subjecting them to innovation-stifling levels of regulatory oversight. Seeming to acknowledge this potential for unintended reach, the CFPB made clear that it is continuing to evaluate the threshold and would await public comment before finalizing the standard.

Those interested in expressing their views to the CFPB should plan to submit responses within the comment period, which is currently slated to close in early January 2024.