On November 7, 2023, the Consumer Financial Protection Bureau (CFPB) announced a notice of proposed rulemaking (NPRM) that would establish CFPB supervisory authority over certain nonbank companies “participating in a market for ‘general-use digital consumer payment applications.'”


The CFPB seeks to subject nonbank companies that provide digital payment wallets and applications to the CFPB’s supervisory authority under the Consumer Financial Protection Act (CFPA), similar to the supervisory authority it currently exercises over banks, credit unions, and other traditional financial institutions. 

The CFPB’s press release on the NPRM notes the specific aims of ensuring that large nonbank companies adhere to applicable funds transfer, privacy, and other consumer protection laws, and fostering a level playing field among such companies and depository institutions when it comes to financial protection. The CFPB expresses particular concern over compliance with the CFPA’s prohibition on unfair, deceptive or abusive acts and practices (UDAAP), the privacy provisions of the Gramm-Leach-Bliley Act and its implementing Regulation P, and the Electronic Fund Transfer Act and its implementing Regulation E.

While covered entities were already required to comply with these and other applicable statutes and regulations, subjecting them to CFPB supervision would subject them to additional regulatory oversight. The supervisory authority would allow the CFPB to (1) assess compliance with consumer financial laws, (2) obtain information about such persons’ activities and compliance systems and procedures, and (3) detect and assess risks to consumer and consumer financial markets information. The CFPB would be permitted to conduct examinations of supervised entities, including on-site review of compliance policies, processes, and procedures; test transactions and accounts for compliance; and evaluate the company’s overall compliance management system. The NPRM warns that, “[e]xaminations may involve issuing confidential examination reports, supervisory letters, and compliance ratings.”

The NPRM would not impose new substantive restrictions on the entities subject to the CFPB’s expanded supervisory authority. However, the CFPB clarifies that its expanded supervisory jurisdiction would “enable [it] to monitor for new risks to both consumers and the market,” which is “critical as new product offerings blur the traditional lines of banking and commerce.” In other words, closer scrutiny of nonbank entities in the digital payments space could spur additional regulation, whether via UDAAP, revised or expanded implementing regulations, coercive non-binding guidance, or other means.

Accordingly, the NPRM will likely have significant implications for the digital payments industry. It will place an expanded burden on covered entities to maintain and provide compliance and related documentation to the CFPB, will subject them to the same supervisory authority as banks in this space, and may well provide the basis for expanded regulation over how applications function and over the various types of “funds” transferred among consumers, among other areas.

Key Definitions

Under the NPRM, a nonbank company would be subject to supervision by the CFPB as a “larger participant” if it:

  • has an annual volume of at least five million consumer payment transactions;
  • is not a small business, as defined by the Small Business Administration (SBA);
  • provides “a covered payment functionality” – i.e., a funds transfer functionality, a wallet functionality, or both – through a digital application; and
  • provides such payment functionality for consumers’ general use in making a “consumer payment transaction.”
  • it must result in a transfer of funds by or on behalf of the consumer. “Funds” include fiat currency, legal tender, and digital assets, including cryptocurrency (though, as noted below, the exchange of one type of funds for another, such as crypto for fiat, is not covered);
  • the consumer initiating the transaction must be physically located in the United States;
  • the funds transfer must be made to another person besides the consumer that initiated the transfer, which could be another consumer, a business, or some other type of entity. This would exclude, for example, ATM withdrawals; and
  • the funds transfer must be primarily for personal, family, or household purposes.
  • international money transfers (as defined in and regulated by the CFPB’s Remittances Rule);
  • a transfer of funds by a consumer that is linked to the consumer’s receipt of another form of funds, including the exchange of fiat currencies or digital assets or the purchase or sale of a digital asset with or for fiat currency, or that is not an “electronic funds transfer” as defined by Regulation E under 12 CFR § 1005.3(c)(4);
  • a transaction conducted by a person from their own online or physical store or marketplace for the sale or lease of goods or services; and
  • an extension of consumer credit made using a digital application provided by the person who is extending the credit or its affiliate.

Note on Digital Assets

The NPRM states that crypto-assets, including virtual currency, constitute “funds” under the CFPA, and therefore, the transfer of funds in the form of crypto-assets “by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes” would qualify as a “consumer payment transaction,” unless one of the exclusions to that term applies.

Notably, the NPRM proposes to exclude from the definition of “consumer payment transaction” a transaction “for the purpose of exchanging one type of funds for another, such as exchanges of fiat currencies … a purchase of a crypto-asset using fiat currency, a sale of a crypto-asset in which the seller receives fiat currency in return, or the exchange of one type of crypto-asset for another type of crypto-asset.”

Therefore, in its current form, it is reasonable to assume that the NPRM applies to transactions involving digital assets as follows:

  • fiat-to-crypto and crypto-to-crypto trading activity on digital asset exchanges would not be covered;
  • payment applications enabling consumers to purchase goods and services using cryptocurrency, including stablecoins, would be covered; and
  • other activities, such as the transfer of digital assets between consumers, unrelated to exchange activity, would be covered.

CFPB jurisdiction is not exclusive, so entities that become subject to CFPB supervision by virtue of engaging in the above activities would remain subject to existing federal and state regulatory requirements, as appropriate.

Comment Period

The CFPB invites comments on all aspects of the NPRM. It also requests comments on each of the specific definitions, proposals, and criteria proposed by the NPRM.

The comment period for this NPRM closes on January 21, 2024.

* * *

For additional information on this proposed rulemaking or assistance in preparing a comment, please contact a member of Steptoe’s Financial Regulatory Compliance and Policy Practice or Blockchain and Cryptocurrency Practice.