On December 10, 2024, the Consumer Financial Protection Bureau (CFPB) published a final rule bringing certain nonbank digital payment and digital wallet companies under its supervisory regime, allowing the CFPB to subject these companies to reporting requirements and examinations. The CFPB estimated that the rule would cover the seven largest providers in the market—Google Pay, Apple Pay, Samsung Pay, Venmo, PayPal, Cash App, and Facebook—which combined facilitate about 98% of the nonbank general-use digital payment market's approximately $13.5 billion in annual payments.
The rule took effect on January 9, 2025. However, Congress overturned the rule using the Congressional Review Act (CRA) through passage of S.J.Res. 28, which the President signed into law (P.L. 119-11). This In Focus provides an overview of the rule, discusses a sampling of policy issues involving these applications, and details the passage of the CRA resolution.
The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203 (Dodd-Frank), authorizes the CFPB to supervise certain providers of consumer financial products and services and to implement and enforce federal consumer financial law. The CFPB issued the digital payments rule pursuant to its authority under Dodd-Frank to supervise "larger participants" in a consumer financial market.
The rule, which garnered letters of both support and opposition from Members of Congress, applied to "larger participants" in a market for "general-use digital consumer payment applications." This generally encompassed digital applications that facilitate fund transfers and provide payment wallet functionalities used primarily for personal, family, or household purposes. The rule specifically applied to digital applications that "provid[e] a covered payment functionality … for consumers' general use in making consumer payment transaction(s)." These applications may be mobile or web-based services that store bank account and credit card information to facilitate electronic payments, including peer-to-peer or person-to-person (P2P) transfers, or that store balances on the application itself, including products referred to as "digital wallets" and "P2P apps."
Under the rule, a company qualified as a "larger participant" in the market if it is (a) a nonbank that (b) is not a small business as defined by the Small Business Administration and (c) "facilitates an annual covered consumer payment transaction volume of at least 50 million transactions as defined in the rule." The rule defined "consumer payment transactions" to mean, subject to certain exceptions, "the transfer of funds by or on behalf of a consumer who resides in a State to another person primarily for personal, family, or household purposes." The rule excepted from this definition international money transfers, fundraiser donations, purchases of goods or services through the seller's physical or online store, and payments exclusively to repay debts, among other exclusions. The rule also applied only to payments made in U.S. dollars and therefore did not, for instance, apply to payments made in Bitcoin or other cryptocurrencies.
The CFPB posited that the rule would have ensured that companies that offer covered services are complying with consumer financial protection laws, including prohibitions on unfair, deceptive, and abusive acts or practices; the privacy provisions of the Gramm-Leach-Bliley Act, P.L. 106-102 (GLBA); and the Electronic Fund Transfer Act, P.L. 95-630 (EFTA). As a result of this rule, CFPB examiners could have provided on-site supervision of these firms to ensure they are complying with these laws. The rule did not regulate the firms or market for safety and soundness or financial stability.
Digital wallets and platforms that facilitate consumer payments have increased in popularity in the past few years. Research from the Federal Reserve suggests the COVID-19 pandemic may have accelerated the use of payments through these applications. According to Pew research from 2022, 76% of Americans have used one of four popular payment apps or sites; other surveys, including one by McKinsey, have found consumer use of digital payments generally as high as 90%. The CFPB cited the significance of these services and their providers in consumers' "everyday financial lives" as the reason for its decision to issue this rule.
Some have pointed to possible consumer protection concerns with digital wallets regarding data security, fraud and scams, and regulatory arbitrage involving these applications, with some arguing that these products are insufficiently regulated. Others argued additional regulation was unnecessary as "a solution in search of a problem," might have created duplicative supervision, and represented "bureaucratic overreach."
Digital wallets and payment apps may collect and share information about their users, raising concerns about data privacy and security. These companies are subject to the privacy provisions of GLBA, which requires firms to disclose data sharing requirements and enables consumers to opt out of having their nonpublic personal information shared with other financial institutions under certain circumstances. The CFPB asserted that this rule would enable supervision of firm compliance with GLBA and better ensure the privacy and security of consumers' data, which supporters hailed as an improvement. Critics of this rule argue that government regulators have a poor record of protecting consumers from data breaches and that digital wallets have already implemented security measures that are appropriate.
One key policy concern in this space is potential fraud and scams perpetrated on digital wallets and payment applications. This issue has led to previous congressional oversight over these applications through hearings and letters to relevant companies. The CFPB recently brought fraud-related enforcement actions against Cash App and three large banks for fraud on their Zelle digital payment network, although that suit was eventually dropped by the CFPB.
The CFPB contended that this rule, if enforced, would enable the agency to supervise the firms' compliance with various laws, including the EFTA, in order to provide protections from scams and fraud. Critics of the rule argue that these new authorities may stop firms from utilizing payment data to identify fraud due to regulatory uncertainty and may increase firms' compliance costs, leading to less investment in anti-fraud technologies, all else equal. More broadly, some financial trades argue that companies should not be liable when their customers fall victim to scams.
The rule reflected a debate on whether certain regulatory approaches may be susceptible to arbitrage generally and whether this rule is warranted given that covered payment providers are already subject to various consumer protection laws because of the products and services they offer.
Regulatory arbitrage occurs when a company structures its offerings to avoid costly or onerous regulatory requirements or supervision. For example, a firm that performs similar functions to banks (e.g., by holding cash or facilitating payments for clients), while not organizing itself as a bank, may avoid onerous supervisory and regulatory requirements (such as bank chartering and deposit insurance premiums) but may still benefit from access to low-cost funds and revenue from transfers. This can raise policy questions about whether the regulations applicable to these firms adequately account for the full scale of risks posed by their activities or whether they have an unfair advantage over other market participants. This rule would have brought covered digital wallet and P2P applications into a consumer protection supervisory regime similar to those that are already applicable to traditional banks and credit unions.
Critics of this rule, on the other hand, note that many of the products and services offered by covered companies—such as credit cards, prepaid cards, or checking account transactions—can be subject to federal consumer protection laws like the EFTA, GLBA, and the Truth in Lending Act. As such, they argue, subjecting covered companies to the rule is unnecessary. For example, two industry trade associations filed a lawsuit, TechNet and NetChoice LLC v. CFPB, requesting the court to vacate the rule. In response to the rule's rescission, the plaintiffs voluntarily dismissed their suit. The plaintiffs had alleged that the rule violated the Administrative Procedure Act, P.L. 79-404 because it was arbitrary and capricious and exceeded the CFPB's statutory authority. Specifically, the plaintiffs argued, among other things, that the CFPB, in defining larger participants subject to its supervision, failed to assess whether state laws sufficiently regulate covered products to account for consumer risk, or "to consider what is good for consumers," as required by Dodd-Frank. The plaintiffs further alleged that the rule would have placed "enormous burdens" on covered firms, which would have "inhibit[ed] innovation and the roll-out of new products and features."
The CFPB did not file a response to the plaintiffs' complaint before the complaint was dismissed, but the preamble to the rule addressed some of the arguments ultimately raised by the plaintiffs. The CFPB argued that, while some of the products and services offered by covered companies are subject to federal consumer protection laws, others they offer are not. The CFPB further asserted that subjecting covered firms to up-front supervision would enable consumer financial law to be "enforced consistently … to promote fair competition."
This rule was overturned by Congress under the fast-track legislative procedures of the CRA. On February 27, 2025, Representative Flood and Senator Ricketts introduced, respectively, bicameral joint resolutions, H.J.Res. 64 and S.J.Res. 28, which aimed to overturn the rule using the CRA. In March and April 2025, respectively, the Senate and the House voted to pass S.J.Res. 28, which the President signed into law (P.L. 119-11). Because a joint disapproval was enacted, the CFPB may not issue a rule in "substantially the same form" in the future absent authorization in a subsequent law. The CRA does not define the phrase "substantially the same form," and no courts have weighed in on the phrase's meaning.