CFPB Finalizes Rule to Supervise Large, Nonbank Digital Wallet and Payment App Providers, and Related Legislation

On December 10, 2024, the Consumer Financial Protection Bureau (CFPB) published a final rule bringing certain nonbank digital payment and digital wallet companies under its supervisory regime, allowing the CFPB to subject these companies to reporting requirements and examinations. The CFPB estimated that the rule would cover the seven largest providers in the market—Google Pay, Apple Pay, Samsung Pay, Venmo, PayPal, Cash App, and Facebook—which combined facilitate about 98% of the nonbank general-use digital payment market’s approximately $13.5 billion in annual payments.

The rule took effect on January 9, 2025. This In Focus provides an overview of the rule, discusses a sampling of policy issues involving these applications, and offers some considerations for Congress. Legislation introduced in the 119^th Congress, H.J.Res. 64 and S.J.Res. 28, would overturn this recent rule using the Congressional Review Act (CRA).

The Rule

The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203 (Dodd-Frank), authorizes the CFPB to supervise certain providers of consumer financial products and services and to implement and enforce federal consumer financial law. The CFPB issued the digital payments rule pursuant to its authority under Dodd-Frank to supervise “larger participants” in a consumer financial market.

The rule, which garnered letters both of support and opposition from Members of Congress, applies to “larger participants” in a market for “general-use digital consumer payment applications.” This generally encompasses digital applications that facilitate fund transfers and provide payment wallet functionalities used primarily for personal, family, or household purposes. The rule specifically applies to digital applications that “provid[e] a covered payment functionality ... for consumers’ general use in making consumer payment transaction(s).” These applications may be mobile or web-based services that store bank account and credit card information to facilitate electronic payments, including peer-to-peer or person-to-person (P2P) transfers, or that store balances on the application itself, including products referred to as “digital wallets” and “P2P apps.”

Under the rule, a company qualifies as a “larger participant” in the market if it is (a) a nonbank that (b) is not a small business as defined by the Small Business Administration and (c) “facilitates an annual covered consumer payment transaction volume of at least 50 million transactions as defined in the rule.” The rule defines “consumer payment transactions” to mean, subject to certain exceptions, “the

transfer of funds by or on behalf of a consumer who resides in a State to another person primarily for personal, family, or household purposes.” The rule excepts from this definition international money transfers, fundraiser donations, purchases of goods or services through the seller’s physical or online store, and payments exclusively to repay debts, among other exclusions. The rule also applies only to payments made in U.S. dollars and therefore does not, for instance, apply to payments made in Bitcoin or other cryptocurrencies.

The CFPB posited that the rule would ensure that companies that offer covered services are complying with consumer financial protection laws, including prohibitions on unfair, deceptive, and abusive acts or practices; the privacy provisions of the Gramm-Leach-Bliley Act, P.L. 106-102 (GLBA); and the Electronic Fund Transfer Act, P.L. 95-630 (EFTA). As a result of this rule, CFPB examiners could provide on-site supervision of these firms to ensure they are complying with these laws. The rule does not regulate the firms or market for safety and soundness or financial stability.

Policy and Legal Issues

Digital wallets and platforms that facilitate consumer payments have increased in popularity in the past few years. Research from the Federal Reserve suggests the COVID-19 pandemic may have accelerated the use of payments through these applications. According to Pew research from 2022, 76% of Americans have used one of four popular payment apps or sites; other surveys, including one by McKinsey, have found consumer use of digital payments generally as high as 90%. The CFPB cited the significance of these services and their providers in consumers’ “everyday financial lives” as the reason for its decision to issue this rule. Some have pointed to possible consumer protection concerns with digital wallets regarding data security, fraud and scams, and regulatory arbitrage involving these applications, with some arguing that these products are insufficiently regulated.

Data Security and Privacy Digital wallets and payment apps may collect and share information about their users, raising concerns about data privacy and security. These companies are subject to the privacy provisions of GLBA, which requires firms to disclose data sharing requirements and enables consumers to opt out of having their nonpublic personal information shared with other financial institutions under certain circumstances. The CFPB asserted that this rule will enable supervision of firm compliance with GLBA and better ensure the privacy and security of consumers’ data, which supporters hailed as an improvement. Critics of this rule

CFPB Finalizes Rule to Supervise Large, Nonbank Digital Wallet and Payment App Providers, and Related Legislation

https://crsreports.congress.gov

argue that government regulators have a poor record of protecting consumers from data breaches and that digital wallets have already implemented security measures that are appropriate.

Fraud and Scams One key policy concern in this space is potential fraud and scams perpetrated on digital wallets and payment applications. This issue has led to previous congressional oversight over these applications through hearings and letters to relevant companies. The CFPB recently brought fraud-related enforcement actions against Cash App and three large banks for fraud on their Zelle digital payment network.

The CFPB contended that this rule, if enforced, will enable the agency to supervise the firms’ compliance with various laws, including the EFTA, in order to provide protections from scams and fraud. Critics of the rule argue that the impact of these new authorities may stop firms from utilizing payment data to identify fraud due to regulatory uncertainty and increase firms’ compliance costs, leading to less investment in anti-fraud technologies, leaving all else equal. More broadly, some financial trades argue that companies should not be liable when their customers fall victim to scams.

Regulatory Arbitrage The rule reflects an existing debate on whether certain regulatory approaches may be susceptible to arbitrage generally and whether this rule is warranted given that covered payment providers are already subject to various consumer protection laws because of the products and services they offer.

Regulatory arbitrage occurs when a company structures its offerings to avoid costly or onerous regulatory requirements or supervision. For example, a firm that performs similar functions to banks (e.g., by holding cash or facilitating payments for clients), while not organizing itself as a bank, may avoid onerous supervisory and regulatory requirements (such as bank chartering and deposit insurance premiums) but may still benefit from access to low-cost funds and revenue from transfers. This can raise policy questions about whether the regulations applicable to these firms adequately account for the full scale of risks posed by their activities or whether they have an unfair advantage over other market participants. This rule would bring covered digital wallet and P2P applications into a consumer protection supervisory regime similar to those that are already applicable to traditional banks and credit unions.

Critics of this rule, on the other hand, note that many of the products and services offered by covered companies—such as credit cards, prepaid cards, or checking account transactions—can be subject to federal consumer protection laws like the EFTA, GLBA, and the Truth in Lending Act. As such, they argue, subjecting covered companies to the rule is unnecessary. For example, two industry trade associations filed a lawsuit, Technet and Netchoice LLC v. CFPB, requesting the court to vacate the rule, alleging that it violates the Administrative Procedure Act, P.L. 79-404

(APA), because, they allege, it is arbitrary and capricious and exceeds the CFPB’s statutory authority. Specifically, the plaintiffs argue, among other things, that the CFPB, in defining larger participants subject to its supervision, failed to assess whether state laws sufficiently regulate covered products to account for consumer risk, or “to consider what is good for consumers,” as required by Dodd-Frank. The plaintiffs further allege that the rule would place “enormous burdens” on covered firms, which would “inhibit innovation and the roll-out of new products and features.”

The CFPB had not filed a response to the plaintiffs’ complaint as of the publication date of this In Focus. But in the preamble to the Rule, the CFPB argued that, while some of the products and services offered by covered companies are subject to federal consumer protection laws, others they offer are not. The CFPB further asserted that subjecting covered firms to up-front supervision would enable consumer financial law to be “enforced consistently ... to promote fair competition.”

Considerations for Congress

On January 31, 2025, President Trump designated Secretary of the Treasury Scott Bessent as acting director of the CFPB. In line with a January 20, 2025, Executive Memorandum calling for a regulatory freeze, Acting Director Bessent instituted a widespread freeze of CFPB activity. The President replaced Secretary Bessent as acting CFPB director with Russell Vought on February 7, 2025, one day after the Senate confirmed Mr. Vought as director of the Office of Management and Budget. On February 8, 2025, Acting Director Vought ordered CFPB employees to halt “all supervision and examination activity.” These directives would appear to encompass CFPB regulatory and supervisory activities related to covered digital payment and wallet providers. A federal employee union filed suit challenging the acting director’s stop work order and other directives, arguing, among other things, that they exceeded the acting director’s statutory authority in violation of the APA.

As an alternative to CFPB’s apparent cessation of enforcement of the rule, CFPB’s new leadership could modify or repeal the rule administratively. The rule likewise could be overturned by Congress, including, for a period of time, under the fast-track legislative procedures of the CRA. On February 27, 2025, Representative Flood and Senator Ricketts introduced, respectively, bicameral joint resolutions, H.J.Res. 64 and S.J.Res. 28, which seek to overturn the rules using the CRA. If a joint disapproval is enacted, the CFPB may not issue a rule in “substantially the same form” in the future. Alternatively, the agency and Congress could also opt to allow the rule to be enforced as issued.

David H. Carpenter, Legislative Attorney Karl E. Schneider, Analyst in Financial Economics Paul Tierno, Analyst in Financial Economics

IF12935

CFPB Finalizes Rule to Supervise Large, Nonbank Digital Wallet and Payment App Providers, and Related Legislation

The Rule

Policy and Legal Issues

Considerations for Congress

Disclaimer