Keith Barnett and Carlin McCrory discuss significant developments in the payments landscape from the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) in 2024 and expectations for 2025.
In the first installment of a four-part Payments Year in Review series, Keith Barnett and Carlin McCrory discuss significant developments in the payments landscape from the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) in 2024 and expectations for 2025.
Our co-hosts begin with an overview of the CFPB's new rule for supervising large tech companies offering digital wallets and payment apps. Despite its finalization, and since our episode has been recorded, the rule has been challenged in the U.S. District Court for the District of Columbia.
The discussion then shifts to the CFPB's final rule on personal financial data rights, aimed at enhancing consumer control over financial data. This rule includes provisions for data access, revocation, and standardized formats but may lead to increased costs for financial institutions.
The episode concludes by highlighting changes to the remittance transfer rule, emphasizing the importance of accurate marketing regarding transfer speed and fees.
Payments Pros – The Payments Law Podcast: 2024 Payments Year in Review: CFPB and FTC Regulatory Trends – Part One
Hosts: Keith Barnett and Carlin McCrory
Aired: January 29, 2025
Keith Barnett:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke Podcast, focusing on the highly regulated and ever-evolving payment processing industry. This podcast features insights from members of our FinTech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. My name is Keith Barnett, and I’m one of the hosts of the podcast.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanFinancialServices.com. And don't forget to check out our other podcasts on troutman.com/podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. Make sure to subscribe to hear the latest episodes.
[EPISODE]
Keith Barnett:
Today, I'm joined here with co-host, Carlin McCrory, and Josh McBeain, for what will be a four-part series that takes a look back at what we have seen in the payments landscape in 2024, and also what we can expect in 2025. Carlin and Josh, thanks for joining me today. We'll just get started with Carlin.
Carlin McCrory:
Thanks so much, Keith. Yes, so we're going to kick this off talking about the larger participants' rule that the CFPB finalized. On November 21st, the Bureau finalized the rule aimed at supervising larger tech companies offering digital wallets and payments apps. Most of the rule stayed the same, and we do have another podcast covering in very specific detail the varying aspects of the rule from when it was proposed originally. So, if you want more detail on the rule itself, you may go back and listen to that episode and then reach out with any questions.
But generally speaking, the elements of the rule and who it covers are a non-bank person along with its affiliated companies must be providing a, quote, “General use digital consumer payment application.” The annual payment volume, which was increased from the proposed rule to the final rule is 50 million consumer payment transactions. Then consumer payment transactions include payments to other people, so P2P payments, but it excludes certain transactions such as remittance transfers, exchanges of different currencies, the sale or lease of goods or services, and some other things that are referenced within the final rule.
Additionally, the final rule excludes non-bank-covered persons that are small business entities as defined by the SBA. So, as I said earlier, the payment transaction volume was increased from 5 million to 50 million. And according to the Bureau, they are estimating that only seven non-banks will be subject to the final rule and that these seven non-banks account for over 13 billion consumer payment transactions each year.
I also want to clarify that the final rule’s scope excludes the market for digital currencies. So, the original rule did propose to include virtual currency, and that's now excluded, which is a big change and a positive change for that industry. We do expect, however, that the final rule will be challenged likely in the new year. So, not only with President Trump being elected, we expect him to replace Director Chopra pretty early in his administration, which could shift some of these regulatory priorities, and it could lead to rescinding of this rule.
If I'm speculating, rescinding of the rule is probably unlikely, just if we're going through Congress. So, the Republicans have narrow majorities in both the House and the Senate, and they could use the Congressional Review Act to reject recent federal regulations within 60 legislative days by a simple majority vote in both chambers, which would then need to be signed by President Trump. If they do that, the agency would be prohibited from issuing a substantially similar rule without explicit legislative authorization.
So ultimately, why I think this specific act would be unlikely is just because it would require pretty quick movement, and there may be other priorities from Congress when they kick off. But I do think there will be some litigation challenging the rule. Keith, do you want to talk a little bit about 1033?
Keith Barnett:
Sure. Before I get to 1033, just to add a little bit as to what you just said, also keep in mind listeners that even if Chopra is fired and for some reason, this is repealed, it's also ultimately up to the agency as to whether or not they're going to enforce it, right? So, even if the rule stays on the book finalized, like query whether or not the next CFPB director will actually move forward with enforcing anything.
So, I would expect to see less enforcement from the CFPB and the Federal Trade Commission, and especially given that the people who are advising Trump have already said some not-so-positive things about what they think about the CFPB. That's something to keep in mind and actually that's a perfect segue into what I am talking about which is open banking section 1033.
Also, during 2024, the CFPB issued its final rule on personal financial data rights and with the guise of being aimed at enhancing consumer control over their financial data and promoting competition in the financial services industry. At least that's what the CFPB said, that's how they type counted rule 1033.
Under the final rule, consumers will have the right to access their financial data and authorize third parties to access this data on their behalf. They're also going to have the right to revoke access to their data immediately and ensure that third parties cease data collection and use upon revocation. Then the third thing is that the consumers will have the right to benefit from standardized and machine-readable data formats, which according to the CFPB will promote consistency and reliability in data transmission.
Also, according to the CFPB, these provisions will allow consumers to switch financial service providers more easily and take advantage of the products and services offered by others. But the increased regulatory requirements will probably lead to higher financial costs for financial institutions, which experts have been speculating will be passed on to consumers in the form of higher fees or reduced service offerings. So, we have this on the one hand where the CFPB has spent the past two to three years, or at least under Chopra, talking about junk fees that we want to get rid of junk fees. But this act or this new rule might actually increase the fees that consumers might have to pay.
Also, there are a few key points, at least with respect to compliance with the rule. The CFPB, in the final rule, issued a timeline for compliance. They extended it from the proposed rule by 10 months and they provided a tiered compliance schedule which gives the larger FinTechs until April 1st of 2026 to comply, while the smallest entities have until April 1st, 2030. Additionally, depository institutions with assets of $850 million or less are exempt from the rules requirements, while non-depository entities of all sizes must comply. And according to the CFPB, this phased approach allows for a smoother transition and gives companies adequate time to implement the necessary changes.
Another key thing that I want to discuss with you is that the final rule provides third parties with the limited ability to engage in secondary uses and consumer-permissioned data such as to improve the consumer-requested product or service or for fraud detection and prevention. However, entities are prohibited from maintaining access to consumer data for more than one year without express reauthorization.
The other thing I want to discuss just globally is like liability and third-party risk management because that's also important. One of the main topics discussed actually in the public comments submitted on the proposed rule was the allocation of liability concerning third-party risk management and information security. In the final rule, the CFPB decided that it would not be appropriate for the rule to impose a comprehensive approach to assigning liability amongst commercial entities or safe harbors from the requirements of EFTA or Reg E or the Truth and Lending Act/Reg Z.
It's interesting here, I want to read a quote from the CFPB on this particular issue. The CFPB said, “Although this rule facilitates sharing of payment initiation information with third parties so that they can initiate electronic payments, the rule does not require account write access or otherwise require payment initiation. Applicable payment authorization requirements continue to separately apply. As noted in the proposal, consumers have a statutory right under EFTA to resolve errors through their financial institution, while private network rules, contracts, and other laws address which payment market participant is ultimately liable for unauthorized transfers and other payment errors.”
As you know from listening to our other podcasts, Nacha just implemented additional private network rules that deal with some of these issues. The final rule does not require third parties to limit their collection use and retention of consumer data to what is reasonably necessary to provide the requested product or service. They also must implement robust information security programs that comply with Gramm Leach-Bliley safeguards rule.
One last thing that I want to point out, and this is, we say last but not least, but last and equally if not more important than everything else I said, the final rule has elicited mixed reactions from industry stakeholders. So, on the one hand, you have data aggregators that have reacted favorably by highlighting the rules potential to promote secure data transfers, but the traditional banking institutions have expressed concerns about the rule’s impact on data security and the potential for increased regulatory burdens. And notably, the same day that the final rule was released, and as we're recording this, the Kentucky Bankers' Association and Bank Policy Institute filed a complaint against the CFPB for a declaratory relief and injunction action, asserting that the CFPB overstepped its statutory authority in this finalized rule. We will see what happens going forward, given that seems to be the theme almost every time the CFPB has a new rule, there is a lawsuit that winds up getting resolved several years down the road. So, we'll see what happens with this suit in 2025 to see if the new administration actually wants to fight this suit or they're just going to figure out a way to convince the plaintiffs to let it go or they just lay down in the suit. With that, I'll kick it back to you, Carlin.
Carlin McCrory:
I think on 1033, the industry is hoping for some additional guidance if this rule is going to be enforced. We've been working on client-specific analyses based off 1033. And I think when you get into the nitty-gritty details of the rules and certain fact patterns, et cetera, there’s some lack of clarity in certain circumstances. So, hopeful that there may be additional guidance released on 1033.
But last on the deposit side products or non-credit products rather, I wanted to talk about some changes to the remittance transfer rule. So, on March 27th, the Bureau issued a circular addressing this specific question, which I will read because it tees up the rest of this analysis, which is, when do remittance transfer providers violate the prohibition on deceptive acts or practices in the Consumer Financial Protection Act, the CFPA, in their marketing about the speed and cost of sending a remittance transfer?
So, according to the Bureau, remittance transfer providers violate the CFPA's prohibition on deceptive acts or practices, if they market transfers as being delivered within a certain time frame when transfers actually take longer to reach recipients. So, what they mean by this is advertising that a transfer occurs instantly or in 30 seconds or within seconds could be misleading if the transfers weren't actually delivered within that time frame.
I want to note this more broadly though. They said this in the context of remittance transfers, but we frequently see clients with advertisements stating that something will happen within one minute. We caution when using those terms to make sure that they really are accurate. So, while the Bureau is saying this in the context of remittance transfers, even if you're in another industry that is regulated by the Bureau, you should be on alert that this is their position, that stating something about a time frame that ends up not being accurate could be a UDAP.
Next, according to the Bureau, remittance transferred providers also violate the CFPA's prohibition on UDAPs, if they it transfers as having no fee when in fact the provider charges a fee. I think this is a pretty common sense here, but they use the example that if a provider markets a no-fee remittance transfer but includes in the FAQs that remittance transfers carry a 1% fee, that could be found to be misleading. Honestly, I don't think that is rocket science. That makes sense to me as well.
Then the Bureau also contends that remittance transfer providers may violate the CFPA when they don't clarify that an offer is limited in time or scope. So, if there is a promo on a remittance transfer that needs to be disclosed, and they state that it can't be disclosed in fine print or later in the transactions. Consumers should understand that the pricing is promotional and may increase in subsequent transactions as well. So, make sure you're upfront with your disclosures. And I assume what the Bureau is getting at is that they want the promo to be disclosed on the front end so that consumers don't think if they come back to the same provider that they may get the same price offer.
Rounding out this part, the CFPB also states that if you advertise a transfer as free, they should actually be free. Imposing additional costs on consumers, whether that's the exchange rate spread or any other type of fee would violate the CFPA if you're advertising the transfer as free.
Next, as it relates to remittance transfers, on September 20th, the Bureau announced a proposed rule aimed at amending the disclosure requirements. The comment period closed on November 4. These were pretty minor changes, but EFTA and Reg E mandate that remittance companies provide senders with a disclosure at the time of payment which includes contact information for both state regulators and the Bureau. According to the Bureau this has led to a significant number of consumers contacting the Bureau with questions that are actually more appropriately addressed by the remittance transfer provider so I don't think the Bureau foresaw that by adding their own contact information that they may get a host of questions on products that maybe they didn't actually want.
So, in order to do this, they have clarified disclosure statements that would amend Reg E to require to inform consumers that they should contact their remittance transfer provider for specific issues related to the transfer and only unresolved problems or complaints should be directed to state regulators or the Bureau. There should also be enhanced contact information under the proposed rule, which would update the model forms provided in Appendix A to Reg E, to make the remittance transfer providers contact information more prominent and easier to locate, and then there's just some consistency. So minor amendments to the formatting and consistency of the model forms will be made in order to ensure uniformity.
Keith Barnett:
Well, Carlin, I want to thank you for joining me today. I would like to remind our listeners that this is part one of a four-part series. Be sure to tune in the next time as we continue to discuss developments from the CFPB in 2024.
And don't forget to visit our blog, TroutmanFinancialServices.com, and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. We look forward to the next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.