The Consumer Protection Principles continue the CFPB’s expansive approach.
Stating that it wants to ensure that “any new payment systems are secure, transparent, accessible, and affordable to consumers” and have “robust protections when it comes to fraud and error resolution,” the Consumer Financial Protection Bureau (CFPB) recently issued a document titled “Consumer Protection Principles: CFPB’s Vision of Consumer Protection in New Faster Payment Systems” (Consumer Protection Principles).[1]
The Consumer Protection Principles indicate that the CFPB intends to have a central role with respect to payments and the development of new payments technology.[2] Although the Consumer Protection Principles are only guidance and therefore not enforceable regulations, in light of the CFPB’s broad enforcement authority and active supervision and enforcement program, all participants in the area of payment systems—including service providers who do not interact directly with consumers—should be mindful of these principles and other CFPB statements regarding payment systems.
The Consumer Protection Principles state that “to be safe, transparent, accessible and efficient, faster payment systems must keep certain consumer protections in mind,” including the following:
- Consumer control over payments (clear consumer authorizations and ability to revoke authorization)
- Data and privacy (disclosures and consumer control over what data is transferred, who has access to the data, and potential risks)
- Fraud and error resolution protections (mechanisms to reverse erroneous and fraudulent transactions, as well as regulatory protections similar to those in Regulation E and Regulation Z)
- Transparency (real-time access to information and timely disclosures)
- Cost (full disclosure of fees to allow for comparison of different payment options)
- Access (ensuring systems are widely accepted by businesses and other consumers)
- Funds availability (ensuring consumers enjoy the faster access to funds)
- Security and payment credentials (systems have error and fraud protections and limit the value of consumer information to make the systems less valuable if there is a data breach)
- Strong accountability mechanisms that effectively curtail system misuse (accountability of providers for risks and fraud that they might introduce to the payment systems)
The Consumer Protection Principles reflect, in part, statements that have been made by the CFPB in prior speeches and comment letters, although they represent a more comprehensive articulation of CFPB expectations for new payment systems. The issued principles may portend the CFPB’s willingness to use its powerful and expansive supervision and enforcement authority in the oversight of consumer payment systems, especially with respect to preventing unfair, deceptive, or abusive acts or practices (UDAAP) in connection with consumer financial products and services. A prudent approach for participants in payment systems would be to view the Consumer Protection Principles as an indication of regulatory expectations and to anticipate the CFPB’s supervisory applications of those expectations (whether through its normal examination process or through its broad Civil Investigative Demand authority to request documents and other information that might be relevant to a CFPB investigation).
Payment systems are generally operated by payment networks and providers under a series of private rules (e.g., NACHA Operating Rules and Guidelines, Visa Core Rules, MasterCard Rules). At present, the only federal laws under CFPB statutory and regulatory supervision and enforcement authority that typically apply to payment systems are the Electronic Funds Transfer Act/Regulation E (EFTA)[3] and the Truth in Lending Act/Regulation Z (TILA).[4] The CFPB, however, also has the broad UDAAP enforcement authority mentioned above.[5]
The Consumer Protection Principles may signal the CFPB’s interest in applying its EFTA, TILA, and UDAAP supervision and enforcement authority to a broad range of payment systems activities. Instead of citing specific statutory or regulatory authority, the Consumer Protection Principles broadly reference “consumer protection concerns” and “consumer interests” that faster payment systems “must” keep in mind, without much further commentary about those concerns and interests. Although the CFPB does not reference any statutory authority in the Consumer Protection Principles for its oversight of payment systems, it has done so in the recent past.[6]
Complicating the analysis of the Consumer Protection Principles is the fact that some of these principles, such as real-time access and wide acceptance of faster payment systems, seem to fall short of the statutory threshold for preventing practices that are unfair[7] or abusive.[8] Moreover, the list of nine principles is specifically and intentionally not an exclusive list (“faster payment systems must keep certain consumer protection concerns in mind, including the following . . .” (emphasis added)), leaving room for the CFPB to further expand its view of consumer interests that it believes should be taken into consideration with respect to new payment systems.
This overall lack of clarity regarding statutory and regulatory authority over payment systems could be viewed by critics as another example of CFPB regulatory overreach. Additionally, it could prove quite costly to payment system participants if they try to implement policies and procedures that meet CFPB expectations without clearer guidance and clarity as to those expectations, and certainty that the expectations will not change in the future.
[1] consumerfinance.gov/newsroom/cfpb-outlines-guiding-principles-for-faster-payment-networks
[2] The CFPB has already issued proposed rules that would extend its regulatory authority over prepaid products by extending Regulation E and Regulation Z to a wide range of “prepaid accounts.” See our December 2014 LawFlash “CFPB Proposes Sweeping New Regulations for Prepaid Products.” The proposed rule is expected to be finalized early next year.
[3] 12 U.S.C. § 5481(12)(C).
[4] 12 U.S.C. § 5481(12)(O).
[5] 12 U.S.C. § 5531.
[6] See Letter of February 9, 2015 from David Silberman, Associate Director, CFPB, to Maribel Bondoc, NACHA (“[C]onsumers currently enjoy important regulatory protections when making and receiving ACH payments. These protections are established by the [EFTA] . . . and by the Dodd-Frank Act, which protects consumers of financial products or services from acts or practices that are unfair, deceptive or abusive.”).
[7] The CFPB cannot declare an act or practice to be unfair (and thereby unlawful) unless “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers[,] and such substantial injury is not outweighed by countervailing benefits to consumers or to competition.” 12 U.S.C. § 5531(c).
[8] The CFPB cannot declare an act or practice to be abusive (and thereby unlawful) unless the act or practice “materially interferes with the ability of a consumer to understand a term or condition” of a product or service or “takes unreasonable advantage of” the consumer’s lack of understanding, inability of the consumer to protect his own interests, or reasonable reliance on a provider to act in the consumer’s interest. 12 U.S.C. § 5531(d).