Under the new CFPA proposal, all “general purpose digital consumer payment applications” would be subject to the same compliance rules as banking institutions and credit card companies.
The proposal specifically covers all digital wallets, payment apps, funds transfer apps, and person-to-person (P2P) payment apps.
“The rule would enable the CFPB to monitor for new risks to both consumers and the market… critical as new product offerings blur the traditional lines of banking and commerce,” the Bureau said.
If passed, apps with more than 5 million consumer payment transaction annually would be subject to regulations under the Consumer Financial Protection Act (CFPA).
The CFPB rule would cover all nonbank “consumer payment transactions,” including digital payments and fund transfers to other persons for personal, household, or family purposes, it said.
Digital payment app usage on the rise
Consumers are growing increasingly reliant on digital consumer payment applications to initiate payments while businesses seek to accommodate their preferred payment methods, the Bureau explained.
Market research indicates that 76 percent of Americans have used at least one of four well known P2P payment apps, the CFPB cites.
According to a Pew research poll conducted in the US last September, the percentage of Americans who report to have used the apps break down as:
- PayPal 57%
- Venmo 38%
- Zelle 36%
- Cash App 26%
App use is even higher among the 18 to 49-year-old US demographic.
“Such applications now have a share of e-commerce payments volume that is similar to or greater than other traditional payment methods such as credit cards and debit cards used outside of such applications,” the CFPB stated in the proposal.
Consumer data protection and IT security
The Bureau’s oversight would require compliance with Federal Consumer Financial Law, including the prohibition against unfair, deceptive, and abusive acts and practices.
It would also cover privacy provisions laid out by the Federal Trade Commission (FTC) in the Gramm-Leach-Bliley Act (GLBA) and Regulation P.
The GLBA requires “covered companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”
Regulation P requires the covered financial institution to notify a consumer about its privacy policies and practices, including when sensitive data is shared with nonaffiliated third parties, along with an option to “opt-out” of sharing that data, according to the American Bankers Association.
The Electronic Fund Transfer Act Regulation E protects the consumers funds made by EFT in the case of unauthorized transactions made in error or by fraud.
The CFPB said the new rules will also help to level the playing field between “nonbanks and depository institutions.”
International money transfers, fiat currency and crypto transactions, and payments made to online retailers using accounts or payment credentials stored by the online marketplace or its affiliated company would be excluded from the rule.