US Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra has long been focused on “big tech” and its uses of consumer data. This interest predates his tenure at the CFPB and has continued in that role as well. The CFPB has taken several high-profile steps regarding these issues. These include:
- Issuing an advance notice of proposed rulemaking to implement section 1033 of the Dodd-Frank Act, which provides the CFPB with rulemaking authority regarding how financial institutions are to provide consumers with account information (predating Chopra’s arrival at the agency);
- Issuing orders to large tech and buy-now, pay-later (BNPL) companies for information about their business practices, including how they use consumer data;
- Issuing an Advisory Opinion that provides that digital marketing providers that are materially involved in the development of content strategy may be “service providers” to covered financial institutions such that they would be subject to the agency’s authority to enforce the prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) (read our analysis); and
- Issuing a circular stating that financial companies may violate that UDAAP prohibition when they fail to take appropriate steps to safeguard consumer data.
Lost in the shuffle is a report recently issued by the CFPB that provides important insights into how the agency (and presumably Chopra) thinks about these issues and what next steps we might expect. The report, titled “The Convergence of Payments and Commerce: Implications for Consumers,” discusses what the agency describes as three emerging use cases in the payment space, and their implications for consumers.
The first use case is what the CFPB calls “super apps.” The CFPB describes “super apps” as apps that combine several services into a single smart phone app and cites a few foreign examples of these apps. The report acknowledges that “the U.S. market is developing differently” and that it’s “unlikely” that the foreign super app model will get traction in the U.S. Instead, the report focuses on what it describes as the “bank in an app approach”—“[b]eyond mobile banking apps offered by most financial services companies, this concept combines additional services related to financial services and payments to add value and retain the user.” With respect to these apps, the report notes that “the price of convenience is limited choice, as determined by the wallet provider” and that consumers may be exploited if they are not fully aware of the app’s capabilities and permissions.
The second use case focuses on the BNPL products that have proliferated in the market. The report describes these products as “a form of unsecured short-term credit that allows consumers to split purchases into four equal interest-free installments at the point of sale, with the first installment due at checkout.” The CFPB describes the evolution of the BNPL market from its original iteration, in which providers offered their product on merchant web pages, to what the agency calls the “lead generation” model, in which BNPL providers “driv[e] consumer traffic directly through their own apps and monetiz[e] that traffic by charging referral (or affiliate) fees to merchants willing to pay for prime advertising space.” The CFPB analogizes this evolution to the emergence of indoor shopping malls in the traditional retail context—while consumers used to go to a single store (or visit a specific retailer’s website), they can now shop in one location with multiple stores (the shopping mall or the BNPL app).
The third use case is what the CFPB terms “embedded commerce”—the ability to shop or make payments directly in an app or in a social media feed “rather than via traditional ad-based links to a retailer’s own site.” The agency notes that “[e]mbedded commerce may make it easier for a consumer to be defrauded by an illegitimate merchant or unintentionally commit to a subscription that results in ongoing payments.”
Risks to Consumers
“Monetization of Consumer Financial Data”
After surveying these uses cases, the report goes on to describe what the agency sees as the emerging risks to consumers from these developments in the payments ecosystem. First, and not surprisingly given Director Chopra’s prior comments, is what the CFPB calls “the monetization of consumer financial data.” After describing the myriad ways that consumers generate and companies collect data, the CFPB notes that “more data can create greater opportunities to misuse that data.” Reflecting Director Chopra’s repeatedly stated skepticism of algorithms and machine learning, the report states that with the use of this technology, “companies increasingly have the capability to leverage consumer financial data to achieve outcomes that may take significant financial advantage of consumers that may result from automated decision-making with limited transparency.” The agency, the report says, intends to monitor for potential UDAAP and fair lending risks associated with these practices. The report also describes consumer lack of understanding of how their data is used and the sale of that data to third parties as potential risks.
“Scale and Market Power”
The second consumer risk identified by the report is the risk of “scale and market power.” In this regard, the report is consistent with Director Chopra’s repeated comments about abuse of market power and the antitrust lens through which he tends to view consumer protection issues. Absent regulation, the report states, payment providers may “evolve into monopolies, duopolies, or oligopolies,” and the report notes that the “current payment ecosystem, for example, consists of four large card networks for payment processing and two major facilities for processing bank-to-bank transactions.” The use of consumer data further compounds this risk, according to the report, because “data aggregation, particularly when powered by the commingling of financial and non-financial data, has the potential to create business models with further staying power.” Although the CFPB is not an antitrust enforcer, it has, as we’ve previously discussed, relied on allegations of abuse of market power in asserting an abusiveness claim under its UDAAP authority.
Ultimately, the report concludes with a short section about the CFPB’s forthcoming areas of focus: (i) proposing a rule to implement Section 1033 “to give consumers greater control of their financial data, including their payments and transaction data;” (ii) issuing a report on the BNPL market and determining “whether regulatory interventions are appropriate;” and (iii) focusing on the shift toward real-time payments and “seeking to mitigate the potential consequences of large technology firms moving into this space,” including by “evaluating ways to protect consumers and reduce fraud losses incurred by consumers and market participants.” In short, the CFPB is laser-focused on big tech’s involvement in the consumer finance and payments markets, with a particular interest in how consumer data is used (or, in the agency’s views) misused. Market participants should consider potential CFPB perspectives and actions as they continue to innovate in these areas.