CFPB Aiming to Regulate Non-bank Payments Providers

With a proposed rule released last month (the “Proposed Rule”), the Consumer Financial Protection Bureau (“CFPB”) aims to regulate larger nonbank providers of digital wallets, payment apps, and similar services.  The Proposed Rule would regulate companies that process more than 5 million transactions per year, which would cover roughly 17 big tech companies and payments firms processing 13 billion transactions annually according to the CFPB’s estimates. Such companies would be deemed “larger participants” under the current CFPB regulatory regime and thereby be subject to expanded oversight by the Bureau.



Under the Consumer Financial Protection Act (“CFPA”), the CFPB is granted supervisory authority over, among other entity types, “larger participant[s] of a market for other consumer financial products or services,” as the CFPB defines by rule (in addition to providers of real estate, education, and payday loans), as well as any nonbank covered person that the CFPB has reasonable cause to believe “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” The CFPB is authorized to supervise nonbank covered persons subject to the CFPA for purposes of (1) assessing compliance with Federal consumer financial law; (2) obtaining information about such persons’ activities and compliance systems or procedures; and (3) detecting and assessing risks to consumers and consumer financial markets.

This Proposed Rule would establish the CFPB’s supervisory authority over certain nonbank covered persons participating in a market for “general-use digital consumer payment applications.”

According to the CFPB, the Proposed Rule has become necessary because “digital applications have a share of ecommerce payments volume that is similar to or greater than traditional payment methods, such as credit cards and debit cards,” together with substantial consumer uptake for in-person purchases as well. The CFPB contends that the boundaries distinguishing banking and payments from commercial activities are increasingly becoming “blurred” due to nontraditional entrants into consumer finance markets. The CFPB has identified this convergence as a potential risk to consumers because standard banking protections, such as deposit insurance, may not apply, and because many non-banking entities in the payments industry are not subject to the same regulatory oversight as banks and credit unions.

This Proposed Rule is intended to bring the level of supervision for these entities closer to that to which banks are subject.  The CFPB further argues that the Proposed Rule would “ensure federal consumer financial protection law is enforced consistently between non-depository and depository institutions in order to promote fair competition.” If adopted, the Proposed Rule would enable the CFPB to oversee compliance with applicable laws governing privacy, transfers of funds, and standard commercial protections against unfair or deceptive acts or practices in interstate commerce.


Core Components of the Proposed Rule

The Proposed Rule itself mainly relates to defining the scope of larger participants, rather than the substantive requirements for entities deemed to fall within this category, as those requirements are already established under applicable law.

The CFPB is authorized to define “larger participants” in markets for consumer financial products or services. The CFPB contends that this authority applies to the general-use digital consumer payment application market as described by the Proposed Rule. The CFPB includes relevant market descriptions and larger-participant tests in subpart B of the Proposed Rule, and generally sets forth a proposed market definition that includes nonbank entities that provide funds transfer or wallet functionalities via a digital application for general consumer use.

In particular, the Proposed Rule would set forth a test to determine if a nonbank entity is a larger participant in this market. To come within scope, the nonbank entity, along with its affiliates, must provide general-use digital consumer payment applications with an annual volume of at least five million consumer payment transactions and must not be a small business concern as per the Small Business Administration size standard. Once qualified as a larger participant, the entity remains so until two years from the first day of the tax year in which it last met the test.

The CFPB would have authority to require submission of records and other information to assess if a person is a larger participant, assisting the agency in identifying larger participants in the digital consumer payment applications market. If the CFPB intends to undertake supervisory activity, the entity in question may dispute its qualification as a larger participant and provide evidence and arguments to support its claim.

The Proposed Rule would describe the market for consumer financial products or services covered by the Proposed Rule as encompassing “providing a general-use digital consumer payment application,” including the provision of a covered payment functionality through a digital application for consumers’ general use in making consumer payment transactions. Examples include many consumer financial products and services that are commonly described as “digital wallets,” “payment apps,” “funds transfer apps,” “person-to-person payment apps,” “P2P apps,” and similar services.

The term “consumer payment transactions” would be defined to mean the transfer of funds by or on behalf of a consumer physically to another person primarily for personal, family, or household purposes. The proposed definition would clarify that, in general, it covers transfers of consumer funds and transfers made by extending consumer credit.

The CFPB further clarified that it believes that the term “funds” in the CFPA is not limited to fiat currency or legal tender, and includes digital assets that have monetary value and are readily useable for financial purposes, including as a medium of exchange – such as crypto assets and other virtual currencies.


Regulatory Context of the Rulemaking

The regulation comes after CFPB Director Rohit Chopra’s remarks listing core CFPB regulatory priorities with respect to digital payment applications:

  • Issuing additional orders to certain large tech platforms to gather more data and understand their business practices, particularly their use of personal data and private currencies.
  • Offering further guidance on the applicability of the Electronic Fund Transfer Act to private digital dollars and other virtual currencies used by consumers and retailers in order to mitigate harm from errors, hacks, and unauthorized transfers.
  • Using its authority to supervise nonbank entities operating consumer payment platforms, particularly when these firms serve as service providers to large depository institutions or meet a certain size threshold.


Chopra also urged the Financial Stability Oversight Council to use its authority under the Dodd-Frank Act to designate certain activities as systemically important payment, clearing, or settlement activities, which could help ensure the stability of stablecoins; and encouraged lawmakers to expand financial privacy protections beyond the current scope of the Gramm-Leach-Bliley Act.

Kilpatrick will continue to monitor this rulemaking process as it unfolds over the coming months, and update this space as warranted.

