Carlin McCrory welcomes Jesse Silverman to discuss the Consumer Financial Protection Bureau's recent order asserting supervisory authority over Google Payment Corp.
In the latest episode of Payments Pros, host Carlin McCrory welcomes Jesse Silverman to discuss the Consumer Financial Protection Bureau's (CFPB) recent order asserting supervisory authority over Google Payment Corp.
The CFPB's claim is based on Dodd-Frank Section 1024, which includes a category for entities posing a risk to consumers. The CFPB cited 267 consumer complaints about Google Pay products as the basis for its action. Jesse highlights the ambiguity in terms like "risk" and "reasonable cause" within the Dodd-Frank Act and questions the material impact of CFPB supervision. Google Payment Corp. has sued the CFPB, arguing that the products in question are no longer offered and that the complaints are not substantial enough to warrant supervision. The episode delves into the broader implications of this precedent and the potential outcomes of Google Payment Corp.'s lawsuit.
Payments Pros – The Payments Law Podcast
Navigating Consumer Protection: The CFPB's Expanding Reach
Host: Carlin McCrory
Guest: Jesse Silverman
Aired: January 8, 2025
Carlin McCrory:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke podcast, focusing on the highly regulated and ever evolving payment processing industry. This podcast features insights from members of our fintech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. I'm Carlin McCrory, one of the hosts of the podcast.
Don't forget to check out our other podcasts on troutman.com/podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services, and more. Make sure to subscribe to hear the latest episodes.
Today, I'm joined by my colleague, Jesse Silverman, to discuss the recent order published by the CFPB, establishing its supervisory authority over the tech giant, Google, and the precedent that this sets. Jesse, thanks so much for joining us today.
Jesse Silverman:
Thanks for having me.
Carlin McCrory:
Okay. Well, let's dive in. So, let's set the stage for this, Jesse. The CFPB claimed that it had supervisory authority over Google. What exactly was the basis for the Bureau's claims?
Jesse Silverman:
In Dodd-Frank, Section 1024, I think it's Sub (a)(1), it essentially establishes five categories of non-bank financial companies that are subject to CFPB supervision. Many of those are specifically enumerated categories. There's another category for larger market participants, which the CFPB has issued rules related to, and then there's another category, which the Bureau has not used publicly, at least I should say, and that's the category of covered person that the Bureau has, quote, a reasonable cause, end quote, to believe they're engaged or engaging in conduct that poses a risk to consumers.
The interesting thing here is that, Dodd-Frank Act neither defines risk, nor does it define reasonable cause. So, you're starting with some ambiguity in there. The CFPB, in their order, they've essentially decided that, I don't know, I guess I'll paraphrase, that supervision is not that material of a power. I think what they said was, it reflects the relatively limited impact of such a determination on the entity. I actually wrote that quote down because that one really stood out to me as someone who has worked with examiners while a state enforcement attorney worked with examiners as a CFPB attorney, worked with examiners as a covered entity in-house counsel, and worked with supervised entities as outside counsel.
I have seen all four sides, and the only thing I have never said was that there is a relatively limited impact to supervision. That is absolutely not how I would define it. But their argument, the CFPB's argument, is that Congress chose not to include a materiality requirement in that particular section. Basically, what they found was Google operated two products, peer-to-peer payment platform and a stored value product known as, I think it's Google Pay Balance. They're both accessible through the Google Pay app.
Then, the procedural aspect of this went on for some time. According to the statement was, it goes back to 2003 that they'd issued Google a notice of reasonable cause to notify Google that they believe that they posed a risk to consumers, and thus, were going to become subject to the CFPB's Examination Authority. The primary claims of the CFPB were that, Google posed a risk related to error resolution, in risks related to fraud prevention, which parenthetically, that seems like a real, real challenging one, because I don't know what company out there doesn't pose a risk for fraud prevention.
Given the scope of fraud that's occurring right now everywhere, despite everybody's best efforts, that's the standard. I mean, everyone is subject to supervision under that standard. Now, I'm editorializing a little bit. Just to be clear for the listeners, that was not how the CFPB framed it. That was how I have framed it. The basis for the CFPB's claims, this is another thing that we'll dive into a little bit deeper, but it was essentially 267 consumer complaints about the products. So, that's the core basis of the CFPB's, claim that Google poses a risk to consumers.
Carlin McCrory:
I'm not sure we know the answer to this, Jesse, but out of those 267 claims, we have to at least assume that some of the consumers were not in the right in making those claims as well. So, there may not necessarily have been fraud.
Jesse Silverman:
So, that's absolutely one of my particular issues with this choice was, these were not verified claims. These were not claims that had been validated, verified. Maybe some of them, if I'm being charitable, some of them had more substance than others did. Some of them may have – when I was an attorney for the CFPB, might I have followed their lead and found something? Perhaps. But these were just unverified complaints. As we'll talk about later, I'm sure when we talk about Google's lawsuits, Google was very quick to point out that 267, when you think of the denominator, meaning the number of consumers that they served and the number of transactions that they processed is genuinely objectively infinitesimal.
Carlin McCrory:
Right. Then, can you talk a little bit about, has the CFPB done this before with any other companies?
Jesse Silverman:
So, I think the answer to that is yes. We certainly have seen some aspects, and the CFPB – and again, this is something else that Google brought up in their complaints. I feel like I'm jumping the gun here. For all those listening, Google sued the CFPB over their action and their decision. One of the claims that they made in their complaint against the CFPB was that, one, like I said, it was an infinitesimal number of complaints and that the CFPB had essentially said that any quantum of risk was sufficient, rather than any materiality. It was just Anything that they believed posed a risk to consumers was enough to establish supervisory authority.
Again, that's where I keep coming back to that. The claim, risk of fraud. The risk of fraud is so prevalent everywhere. You can't find a business or a financial institution large or small that isn't working hard to combat fraud these days. It is everywhere. It's a material part of every business, unfortunately.
Carlin McCrory:
So, to get back to your point about the lawsuit, Google sued the CFPB in attempt to stop the CFPB's examination. Can you talk a little bit about that lawsuit, generally speaking, and the basis for lawsuit?
Jesse Silverman:
Yes. The first and most notable claim that Google makes in their lawsuit against the CFPB is that, Google does not, in fact, pose a risk to consumers, most notably because this product no longer exists. These products are not being offered currently, so they can't pose a risk to consumers. The CFPB, of course, they didn't respond to the complaint yet, but they provided some substantive responses in their initial notice. Their claim is that, Dodd-Frank allows them to look backwards at posed a risk to consumers. Obviously, Google doesn't agree, and it's philosophically a little hard to wonder why you would need supervisory authority for a product that no longer exists.
Now, that's not to say that the CFPB doesn't have and shouldn't have enforcement authority if that product had caused problems in the past. Well, then, the CFPB absolutely has the tools at its discretion to go and investigate that. But supervisory authority is fundamentally a different process. It solves a different purpose, and that, you're generally trying to prevent violations from occurring. You're trying to make sure that these things don't happen in the past because enforcement authority already gives them the tools that they need to handle violations, which occurred in the past. There's absolutely no reason to have supervisory authority over a product that doesn't exist. I say that as a policy matter.
Carlin McCrory:
Jesse, when we talk about supervisory authority, what I'm envisioning is, 40 plus CFPB personnel showing up on site, at Google, and not only looking at this one specific product, but looking completely under the hood of the car at all Google products, looking for UDAPs, et cetera. Supervisory authority is broad. It wouldn't be related just to this product. Can you talk a little bit about that?
Jesse Silverman:
Correct. Again, that's why I'll go back to that quote that I had from there or that I had written down, that it reflects the relatively limited impact of such a determination on the entity. Supervisory authority is incredibly powerful. It's also incredibly burdensome. To your point, yes, there will be a team of examiners that will send hundreds of examination questions, asking about every aspect of their business. You're 100% correct that the CFPB, once they have supervisory authority on one aspect, they have supervisory authority on all the aspects of a particular business insofar as it relates to consumer financial products and services. It's not – I don't know that they could go look at Google's ad servers if it wasn't somehow tied to a consumer financial product and service.
But once you're under the hood, that gives you an awful big free reign. So, it's an incredible, incredible burden. I mean, like I said, I've taken part in every possible side of an exam, and it is a substantial undertaking, especially for a company that has no experience. If the CFPB walks into any large bank, this is a well-worn process. They've gone through exams for some of them for a hundred years, right? When the examiners ask for data, they can readily present it with the push of a button, because they've done it quarterly, annually. They've done it forever. Some
of the largest banks are under continuous supervision, so they have examiners in their office literally 365 days a year. This is of no consequence to them. That's not to say that they love it, but they have a well-worn path.
The other aspect that I always find very challenging is the CFPB does not believe that the attorney-client privilege exists. So, you could be a company, like Google, having conversations with your counsel, which you believe rightly are privileged. And then, the CFPB has decided to designate you as a risk to consumers, and the CFPB doesn't believe that your attorney-client privilege attaches. That's a very, very big difference. That is quite onerous.
We know that the CFPB has used this approach with other tangential companies to consumer finance. This, however, is the first time that they have ever publicly done this where they have essentially outed a company that they believe that they pose a risk to consumers, and it's certainly the first time that any company has challenged that declaration legally. So, this is a very different stage in the Bureau's authority.
Carlin McCrory:
Jesse, especially with the new administration, what do you think that the potential outcomes are from Google's suit against the CFPB?
Jesse Silverman:
That's a very interesting question. So, some of the other claims that Google made in their challenge to the order, first of all, like I said, their biggest claim to me is that the product no longer exists, so they can't pose a risk to consumers. But Google also claims that the risk to consumers, there has to be some measure of materiality or substantiality, rather than just any quantum of risk. It's just not a reasonable standard. Google also notes they've got an adequate compliance management system. They're already regulated by the states because they have MTM, money transmitter licenses. So, it's not as if this goes entirely unregulated.
They noted that throughout the process, the CFPB changed the basis for their claims, and therefore, violated their own rules by not giving Google adequate time to respond to the changed claims. Google claims that this implicates the major question doctrine. And they also, which I find moderately troubling, they also claim that the CFPB leaked advanced notice to the press of this decision. Because there was an article several months ago saying that it looked like they were attempting to bring Google under its examination authority, but they leaked that advanced notice to the press at a time when Google was essentially statutorily barred from discussing or disclosing any aspect of it. So, that highlighted the reputational risk to Google from the CFPB's action, and that they had done so in an attempt to essentially leverage Google into backing down.
So, there's a whole series of claims in there, and then all of that is a long way of getting back to your question, what do I think happens? So, there's a couple of possibilities. One, I think the case can continue and a judge finds that – one, obviously it's possible, the judge believes that Dodd-Frank gives them the authority. I have a hard time believing that for several reasons. The most notable one is, like I said, and like Google said, they don't offer the product anymore. It's hard to justify this posing a risk to consumers for a product that doesn't exist, especially when they have enforcement authority for past conduct. There's just no good policy reason to go forward with it, which again, gets to, I think, your question with the new admin, will they continue to go down this path? I don't know, I don't think so, because there are very, very few good policy reasons to do so.
Then, there's also the possibility that the judge chooses to end his or her analysis at that first question, in which case, you know what, it's mildly embarrassing for the CFPB, but really no harm, no foul, right? Because this is a kind of an odd scenario where the entity doesn't offer the product or service anymore. The bigger concern that I have is that, the judge goes to the next question, which is, there has to be a measure of materiality. 267 complaints out of, and I don't know the total denominator, but 267 million transactions cannot be a reasonable risk to consumers.
In that case, I think that the CFPB could find its powers curtailed, meaning, they would very much say, "Okay, here is the new standard for bringing a company that you believe poses a risk to consumers under your authority," which, again, just begs the question, you know – I think the saying is, bad facts make bad law. As a policy matter, why would you choose a company with that few complaints that is no longer offering the product? That does not feel to me like the case that I want to test my statutory authority on. There are lots and lots of other companies out there that feel like you could have made better law than this one.
End of the day, I don't know what happens. I would imagine the Trump admin, whoever takes over, would not want to have that risk that I just laid out. I certainly wouldn't if I were them, and I would walk away from this one and save my authority for other cases. I would test it on better cases. If they don't, I feel like there's a very reasonable chance that the CFPB loses. And in so doing, has their authority constrained a bit.
Carlin McCrory:
Jesse, I'm going to put you on the spot and see if you're willing to predict the future a little bit. When we eventually have a democratic administration back in place at some point, do you think this is a Chopra-led initiative, or is this something that maybe we can expect from other future democratic leaders of the Bureau?
Jesse Silverman:
You know, that's a great question. I mean, I think to some extent, this is a Chopra-led, but it's hard to say. I philosophically understand why Congress put this power into Dodd-Frank, you know, generally. It's very hard to predict all possible future outcomes. I will say, I've never been a big fan. It is a very onerous process to be supervised, but it is the cost of doing business in these regulated entities. But I think at a bare minimum, you should know. You should be a business that decides, "Do I want to get into this line of work? Do I want to offer these products and services? If I do, then I'm going to have to be subject to supervision, and I can build my business accordingly." This is a real oddity in supervision. You don't see this at the state level. You don't see this with any other prudential regulator.
Every other regulated supervised entity knows at day one that they are regulated and supervised. This is a real oddity as a policy matter. I've never been a big fan of this. So, I think this is a bit of a Chopra-led initiative, talking about their dormant authority to supervise entities. I don't think that it's particularly good, so I would hope that neither admin goes forward using this particular authority. If you would like to bring a particular industry under your supervision, like we've seen with digital wallets, issue a rule. Bring the industry under your supervision, then everyone has the ability to challenge that rule or not, as the case may be, through the administrative process, in the court systems, and there is a large amount of clarity that that brings.
This one off where you may or may not be supervised at some point, it creates a host of problems. For instance, the attorney-client privilege, does the CFPB's ability in an examination of one of these designated entities, does that mean they've lost the attorney-client privilege forever? Does that mean they lost the attorney-client privilege only on the day that they became supervised? These are questions that are really complicated legal questions that no court has ever addressed, because no other regulatory body has the ability to one-off designate a company for supervision. These are really challenging legal questions that I don't think are great for anybody on any side of the table.
Carlin McCrory:
Well, Jesse, thank you so much for joining us today. This has been really insightful and thank you to our audience for listening to today's episode. Don't forget to visit our blog and subscribe so you can get the latest updates. Make sure to also subscribe to this podcast via Apple Podcast, Google Play, Stitcher, or whatever platform you may use. We're looking forward to next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.