The CFPB’s new stance could potentially categorize certain monitoring and performance tools as consumer reporting tools, necessitating compliance with FCRA requirements. Employers should take note and review the tools they use, ensuring they align with these updated regulations.

For a comprehensive look at the changes and their implications, check out the full post here.

The Rule’s Coverage

Section 1033 of the Dodd-Frank Act provides that covered entities must make available to a consumer, upon request, specified information in their control related to consumer financial products or services. Congress also authorized the CFPB to “prescribe standards applicable to covered persons to promote the development and use of standardized formats for information,” with the stated goal of increasing competition and encouraging innovation by requiring that covered entities make available to a consumer, upon request, information related to a consumer financial product or service. The rule implements Section 1033 by requiring covered banks, credit card issuers, and certain financial service providers – collectively called “data providers” – to enable consumers to give third parties access to transaction information, account balance information, ACH details, account terms and conditions, bill information, and basic account verification information. The information must be made available in an electronic form usable by consumers or authorized third parties. The final rule is limited to account records regarding “covered financial products and services,” which are bank debit accounts (i.e., Regulation E-covered accounts), credit card accounts (i.e., Regulation Z accounts), or the facilitation of payments from such accounts.

What’s Not Covered

Covered data providers are not required to disclose confidential commercial information, such as algorithms to derive credit scores or risk predictors; information used for preventing fraud, money laundering, or reporting potentially unlawful conduct; or any information that the data provider cannot retrieve in the ordinary course of business. However, the rule makes clear that a data provider cannot restrict access to financial information simply because it is subject to privacy protections.

Third Party Collection and Use Restrictions

The rule also establishes obligations for the third parties accessing consumers’ data. For example, third parties must limit the collection, use, and retention of covered data to what is reasonably necessary to provide the product or service requested from the third party by the consumer. The CFPB makes clear that it does not consider third party use of open banking data for targeted advertising, cross-selling, or the sale of the data to be permitted under the regulations. Third parties also face limitations on their access to covered data. Access is limited to one year without reauthorization, and consumers must be provided with the ability to immediately revoke access resulting in the deletion of their data upon request.

Standards Instead of Web Scraping

According to the Bureau and the rulemaking record, the rule seeks to move the financial services industry away from the “screen scraping” approach relied upon by many businesses, which typically involves consumers providing their account passwords to third parties who use them to access and copy data through online banking portals. The final rule shifts towards open banking through a standardization of third party data access. Instead of scraping data from customer accounts, data providers will be required to establish developer interfaces for third parties to access the customers’ financial data. The rule includes requirements for these interfaces that promote standardized operations, including minimum performance requirements, and security measures, including a requirement to implement an information security program applicable to the interface.

Legal Challenges

Certain industry groups immediately pushed back against the rule by filing a court challenge in the U.S. District Court for the Eastern District of Kentucky, arguing that the rule exceeds the Bureau’s Section 1033 authority and is arbitrary and capricious under the Administrative Procedure Act.

If the rule withstands legal challenges, larger providers would be required to comply with it by April 2026, while the smallest covered institutions would have until April 1, 2030. Certain small banks and credit unions would be exempt altogether. We’ll continue to follow the pending litigation closely.

The 2020 advisory opinion explained that EWA programs would not be considered “credit” under TILA and Regulation Z if certain conditions were met, including that the provider of the EWA program contracts with the employer and the employee makes no payment, voluntary or otherwise, to access EWA funds or otherwise use the program, and there is no assessment of credit risk. But the 2020 opinion did not address whether EWA programs that do not meet the specified conditions were subject to TILA. The opinion suggested that programs that assessed a nominal processing fee would also be outside the scope of TILA, and invited providers to request clarification about specific fees from the CFPB.

The CFPB’s announcement last week and an accompanying report on the EWA marketplace state that the previous opinion addressed only “a very specific paycheck advance product that is not common in the real market.” In addition, the CFPB suggests that the previous opinion introduced confusion in the marketplace.

While EWA products aim to help workers manage the gap between when they earn their wages and when their bills are due, the CFPB's accompanying report expresses concerns that costs associated with such products can be high and not adequately disclosed. The interpretive rule also lays out the CFPB’s position that any fees assessed in connection with EWA products, such as tips and expedited delivery fees, are “finance charges” within the meaning of TILA and Regulation Z. Providers will need to ensure that all fees, including those for expedited services and suggested "tips," are transparently disclosed as finance charges.

The interpretive rule applies to products that provide funds based on accrued wages (estimated or otherwise) and are repaid via automatic means like payroll deductions or preauthorized account debits. While the CFPB distinguishes between direct-to-consumer products that are generally repaid via bank withdrawals and employer-partnered products that are repaid via payroll deductions, both are considered EWA and subject to TILA and Regulation Z if any fee is imposed.

The CFPB will continue to monitor the market, collect data, and engage with stakeholders to ensure compliance and address any emerging issues in the paycheck advance marketplace​. The CFPB is seeking public comments on the proposed interpretive rule until August 30, 2024.

As a refresher for those who have not been following the case, several trade associations representing payday lenders and credit-access businesses filed a complaint challenging CFPB regulations relating to high-interest consumer loans. The associations raised a number of statutory and constitutional arguments, including that the CFPB “takes federal government money without an appropriations act” in violation of the Appropriations Clause. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, the Bureau draws public funds from the Federal Reserve System in an amount not exceeding an inflation-adjusted cap.

As we previously discussed here, after a district court upheld the funding mechanism, a panel of the Fifth Circuit reversed and found it to be unconstitutional on the grounds that its funding structure ​“goes a significant step further than that enjoyed by other agencies” based on its insulation from regular congressional control and oversight.

Today’s decision reverses the Fifth Circuit ruling and holds that “an identified source and purpose are all that is required for a valid appropriation.” Tracing pre-founding history and British parliament’s inability to direct how the Crown’s revenues were spent, the Court concludes that the Appropriations Clause required Congress to “designate particular revenues for identified purposes, but beyond that limit, early legislative bodies exercised a wide range of discretion.” The Court rejected a number of related arguments by the associations, including that it was problematic that the Bureau itself decided its amount of annual funding up to a specified limit without a requirement to periodically reobtain Congressional authorization.

It is difficult to overstate the impact of the decision on the Bureau and its ambitious agenda. A contrary ruling would have called into question past, current, and future regulations and enforcement. Now, the Bureau and Director Rohit Chopra will be emboldened to move forward with haste in the remaining months of President Biden’s current term.

The report was released in conjunction with a hearing co-hosted with the Department of Transportation and featuring remarks and a moderated panel discussion with CFPB Director Rohit Chopra and Secretary of Transportation Pete Buttigieg, along with panelists from consumer groups, policy advocacy organizations, financial institutions, and airlines. Both Director Chopra and Secretary Buttigieg emphasized the importance of transparency in promoting and offering rewards programs and expressed concerns around barriers to competition.

The CFPB report details four categories of common consumer complaints and potential regulatory issues with rewards programs:

• Vague or hidden conditions. The report describes complaints from consumers misled by advertising for rewards programs where important limitations were buried in dense terms or not otherwise adequately disclosed. The reports suggests that such practices may constitute deceptive “bait and switch” offers and notes that the Bureau has brought enforcement actions against companies for failure to clearly and conspicuously disclose material conditions in rewards programs upfront. The report notes that such complaints were particularly prevalent for bonus or introductory offers and so-called “churning” prohibitions intended to protect companies from consumers manipulating rewards programs by serially signing up for and canceling accounts.
• Devaluing earned rewards or changing program benefits. According to the report, consumers regularly complained about issuers or partners devaluing rewards or otherwise eliminating certain benefits associated with membership or status tiers. In remarks at the hearing, Director Chopra noted that, while the Credit Card Responsibility and Disclosure Act of 2009 (CARD Act) prohibits credit card companies from unilaterally changing certain terms in credit card agreements, issuers and partners regularly change terms to rewards and loyalty programs because the CARD Act does not apply. Director Chopra suggested that such changes are problematic and may violate the law if they deprive consumers of promised benefits, particularly where they occur without notice.
• Customer service issues and technical glitches. The report details complaints from consumers who were unable to redeem rewards due to technical glitches, customer service issues, or so-called “doom loops” where consumers are unable to reach the correct entity or department.
• Revocation and expiration. Finally, the report notes complaints from consumers who report having their accounts closed and associated benefits revoked, or consumers who had their rewards expired or benefits withheld notwithstanding a current and active account.

While potentially frustrating for consumers, many practices identified in the report are not necessarily unlawful – at least depending on how they are effectuated. Companies can – and often must – preserve flexibility in how they offer benefits and related redemption terms. Similarly, expiring rewards or conditioning benefits on meeting certain requirements is not inherently unlawful: those limitations just need to be clearly and conspicuously disclosed. As for program changes that may devalue rewards or change advertised benefits, companies should have a considered and deliberate execution plan that includes consumer notice and a reasonable opportunity to use already accrued rewards.

In addition to potential enforcement by the CFPB for programs offered in connection with financial products or services, or DOT for airlines rewards programs, the FTC and state AGs also scrutinize rewards programs and related advertising. Plaintiffs’ attorneys are also active in this space, and have brought class actions under state UDAP laws that may result in significant monetary settlements (see for example AutoZone’s class action settlement in 2019 for $50 million).

Ultimately, while the Bureau’s report questions whether rewards programs are ultimately beneficial for most consumers, it also seems to acknowledge that the growing popularity of these programs reflects that they are here to stay. Companies offering such programs – or partnering with third parties to offer such programs – should take note of the renewed regulatory interest and evaluate their marketing and servicing practices to ensure that any risk is worth the reward.

Kelley Drye Advertising and Marketing Paralegal, James Firsick, assisted with this blog post.

Cooperation and Role of State AGs

Director Chopra began by complimenting the State AGs for their important consumer protection work, including by ringing the alarm bells on the foreclosure crisis. While he discussed the roles of states throughout his remarks, he emphasized that states and the CFPB need to work together. He reminded the AGs that early on, the CFPB published a procedural rule clarifying that State AGs can bring suit under the CFPB’s organic statute including a whole host of consumer credit and data laws, which several states have utilized. Director Chopra said the CFPB is looking for ways to collaborate with more states, noting they have been able to collect billions in penalties that can be used for consumer redress even in unrelated cases to make victims whole. Director Chopra asked that consumers send complaints to both State AG offices and the CFPB, because their consumer complaint system immediately routes complaints to the financial company at issue to get a response and resolution without staff intervention. The CFPB also is able to use data visualization tools to provide states with information about hot issues in different regions. The CFPB has used complaint data in collaboration with states to work on medical debt and other collection cases. Director Chopra said the CFPB is always looking upstream to identify warning signs to avoid future crises like the one caused by subprime mortgages.

Consumer Data and Security

Director Chopra explained that President Biden’s executive order on protecting sensitive personal data highlights a broad bipartisan interest in stopping the bulk transfer of consumer data. He explained that State AGs can work alongside the CFPB to enforce the Fair Credit Reporting Act, not only against the big three reporting companies, but also against data brokers. He noted the CFPB will propose additional rules to require data brokers to adhere to accuracy standards and otherwise protect consumer data. Director Chopra described categories of data and lists that brokers can purchase about vulnerable consumers, and his concern that there be a way for these people to be able to participate in the digital world without sacrificing privacy and security. He pointed to state laws requiring additional privacy and security such as Washington’s recent My Health My Data Act, and said he supported the fight against preemption of state privacy laws.

Big Tech and AI

Director Chopra reminded the audience of big tech’s efforts to become payment processors, providing them consumer transaction data. He noted these payment methods were used as a vector for imposter fraud, specifically citing the DOJ and states’ March lawsuit against Apple. Director Chopra explained the CFPB has recruited additional technologists with knowledge of user interfaces and design, and the agency has hosted enforcer roundtables with states to discuss issues with AI and technology, including how to draft CIDs.

On AI, Director Chopra said the CFPB is looking at marketing and advertising for discriminatory or manipulative AI. They are also reviewing how loans are being written, because if AI cannot explain why it denied credit to a person, it is a violation of federal law that requires explanation for denial. Director Chopra also said chat bots are another form of AI used by banks for customer service. He alluded that it could be considered deceptive to use human names and “…” thinking signals to simulate human activity. Director Chopra said he wants to see institutions affirmatively describe these chat bots as robots and ensure the bots do not provide inaccurate information or a poor customer service experience.

Bank Relationships

Director Chopra said the CFPB’s work has shifted some from mortgage lending issues with banks into non-banks. He said they have also heard from the AG community that national chartered banks have not cooperated on investigations, claiming preemption. Director Chopra said when that happens, the CFPB will work with the states to obtain the information themselves. His expectation is that banks work with the states to ensure consumers are protected.

Junk Fees

As a former businessperson himself, Director Chopra said pricing consultants he encountered in the past left a big impression on him. He noted that industries such as air travel, event ticketing, and banking have made it difficult to compare pricing resulting in reduced competition. He described certain bank fees such as a paper statement fee (when nothing is printed and no paper is sent) as “fake fees,” and harkened back to past CFPB actions against banks reordering payments to trigger multiple overdraft fees. Director Chopra also said that some credit card issuers created a business model based on rooting for people to be late, causing late fees. The CFPB has proposed rules to close what he described as a loophole in the credit industry, stating people understand they will have to pay interest but do not understand the other layers of fees they may not be able to control. Director Chopra also pointed to potential concerns with credit card reward “bait and switch” offers as a core truth in advertising concept. Though the CFPB is using rulemaking and enforcement actions to combat junk fees, Director Chopra also gave credit to the business community for taking initiative to become more upfront and transparent.

Stay tuned as our team will be hearing more from the State AG community on AI and other tech topics in less than two weeks at the NAAG and AGA’s Southern Regional Meeting/Artificial Intelligence and Preventing Child Exploitation Seminar.

While the Bureau has always had enforcement authority over digital wallets and payment apps, the proposed rule would newly authorize the Bureau to “supervise” the providers, including by conducting periodic examinations, which can include on-site or remote inspections, review of company compliance policies and procedures, testing transactions and accounts, and evaluating management and recordkeeping systems. Examinations may result in supervisory letters, compliance ratings, or, if inspectors identify perceived legal violations, enforcement actions with fines and civil penalties.

The Bureau’s proposed rule – its sixth effort to supervise nonbank providers of financial services – comes as an increasing number of financial transactions occur outside the traditional banking system. “Payment systems are critical infrastructure for our economy,” Director Chopra said in a press release announcing the new rule. “These activities used to be conducted almost exclusively by supervised banks” and the proposed rule is intended to require fintech providers to “play by the same rules as banks and credit unions.”

The rule would open up supervision and inspection for “larger participants” offering “general-use digital consumer payment applications,” including digital wallets, payment apps, funds transfer apps, person-to-person (P2P) payment apps, or similar. The proposed rule notes that subject entities would be examined for compliance with federal consumer financial laws and their prohibition against unfair, deceptive, and abusive acts and practices, the privacy provisions of the Gramm-Leach-Bliley Act and Regulation P, and the Electronic Fund Transfer Act and Regulation E, amongst other laws.

The rule would only apply to companies that the CFPB defines as “larger participants” and proposes a threshold of companies that process five million transactions in a year (including affiliated companies) that are not considered a “small business concern” by the Small Business Administration. The Bureau estimates that 17 providers of general-use digital consumer payment applications would currently meet the proposed threshold and that those providers handle roughly 88% of known transactions in the nonbank market for general-use digital consumer payment applications. Notably though, those numbers are just estimates – and could be based on incomplete or inaccurate data. Either way, that number is likely to grow as fintech transactions continue to grow in popularity.

A few additional highlights on scope and key definitions:

• The proposed rule applies to larger participants providing a “covered payment functionality through a digital application for consumers’ general use in making consumer payment transactions.”
• A “covered payment functionality” is a “funds transfer functionality,” a “wallet functionality” or both. Wallet functionality is defined broadly to include any product or service that stores account or payment credentials, and that transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.
• “Digital applications” are defined as software programs run from a personal computing device, like a mobile phone, watch, or a tablet. The application should be available for “general use,” meaning it does not have significant limitations on its use for consumer payment transactions. According to the proposed rule, if the application can only be used to buy a specific category of products or services (i.e., transportation, lodging, food), it does not meet the definition of general use.
• The proposed rule defines “consumer payment transactions” to include paying another person for a “personal, family, or household purpose” and to exclude international money transfers or foreign exchange transfers, or a transaction conducted by a person for the sale of goods/services at that person’s store or marketplace.

The Bureau solicits comments on all aspects of the proposed rule, as well as specific definitions and limitations, and will accept comments until January 8.

Here, the Fifth Circuit panel unanimously held that, although the Bureau did not exceed its statutory authority in promulgating the Rule, it “lacked the wherewithal to exercise that power via constitutionally appropriated funds.” The panel held that Congress’s decision to cede its power of the purse to the Bureau violates the Appropriations Clause of the Constitution and the clause’s underpinning, the constitutional separation of powers. As such, the court reasoned that while most of “Plaintiffs’ claims miss their mark, . . . one arrow has found its target” and the Payday Lending Rule could not stand given the Bureau’s unconstitutional funding mechanism “deprived [it] of the lawful money necessary to fulfill those responsibilities.”

The CFPB’s funding method was established in the 2010 Dodd-Frank Act. Rather than receiving funding through annual congressional appropriations, the Bureau receives funding directly from the Federal Reserve—eliminating the periodic assessments that accompany congressional appropriations analyses. The Federal Reserve, which itself exists outside the appropriations process, must grant the CFPB’s self-directed funding requests up to a certain cap. Although other federal financial regulators also receive funding from independent sources, the panel held that its structure “goes a significant step further than that enjoyed by other agencies”—pointing to the Bureau’s double-insulation from Congress’s purse strings coupled with its singular director and expansive enforcement authority.

In the near term, the Bureau will continue to be unable to enforce the Payday Lending Rule, but its immediate practical impact on other CFPB efforts is likely to be limited. The agency is likely to seek a stay and petition the full Fifth Circuit for an en banc review, but the decision could lead to an increase in litigation challenging other Bureau actions, whether rulemaking or enforcement, that are supported of course by the same funding mechanism found to be unconstitutional.

The Fifth Circuit’s holding differs from certain other courts that have heard the issue, so the split may ultimately find its way before the Supreme Court. Regardless of ultimate impact and outcome, Wednesday’s decision is another example of recent judicial scrutiny of regulatory authority, which has impacted regulatory and enforcement activities at a number of agencies including the CFPB, FTC, and EPA.