CFPB 2.0: Prepaid Cards, Earned Wage Access, and Financial Inclusion

With a Democratic administration only weeks away from taking office, some are wondering about the prospects for a revitalized Consumer Financial Protection Bureau (CFPB). Created during the last Democratic administration – and largely sidelined during the now-ending Trump administration – the CFPB has found itself back in the fintech headlines in recent days.

PayPal Takes On CFPB Over Card Rules

A federal judge brought resolution to a lawsuit PayPal filed against the Consumer Financial Protection Bureau in December 2019. U.S. District Court Judge Richard Leon agreed with PayPal that the CFPB had overstepped its authority in its effort to regulate prepaid cards and digital wallets. PayPal had asserted that in forcing them to include “short form” fee disclosures that included categories that were not relevant, the CFPB’s rule was confusing customers. What’s worse, customers were being led to believe, PayPal claimed, that they were exposed to a wide variety of potential fees – which was not the case.

The situation seems almost to be one of mistaken identity. The rules being applied by the CFPB with regard to expenses like ATM balance inquiries make sense for providers of reloadable prepaid cards, but not for PayPal, which does not subject its customers to these fees. That said, it was the CFPB’s rule-making authority itself that was the target of what Reuters described as a judicial “decision studded with exclamation points.”


PayActiv Wins Earned Wages Access Approval

Meanwhile, the Consumer Financial Protection Bureau’s aim seems to be more true in the case of earned wage access. PayActiv, Finovate alum and innovator in the earned wage access space, announced last week that its program is exempt from Federal lending laws per new regulations established by the CFPB.

The key issue was whether or not PayActiv’s Earned Wages Access (EWA) program, which enables workers to get access to their already-earned wages in advance of scheduled paydays, involves credit. If it did, the program would be subject to the Federal Truth in Lending Act, as well as Regulation Z.

Fortunately, the CFPB ruled that “the accrued cash value of an employee’s earned but unpaid wages is the employee’s own money” and, as such, does not create a debt obligation. PayActiv added that the approval was both the first of its kind from the CFPB and specific to PayActiv’s EWA program. The CFPB added that the company’s initiative was an “innovative mechanism for allowing consumers to bridge the gap between paychecks (and) differs in kind from products the Bureau would generally consider to be credit.”

PayActiv co-founder and CEO Safwan Shah called the approval a “watershed moment” for his company. “We are very proud that the CFPB has recognized this important innovation and validated PayActiv’s pioneering work in creating low or no-cost employer-sponsored access to earned wages. Employers can take comfort in knowing that PayActiv continues to be the leader in responsible EWA for employees.”


Synchrony Gets Nod for Secured/Unsecured Credit Card

The new dual feature credit cards (DFCC) from Synchrony Bank are designed to provide financing opportunities for consumers who do not have strong credit profiles. Cardholders provide a security deposit in order to use the credit cards in their secured mode and, if certain eligibility criteria are met after a minimum of one year, the cardholder becomes eligible to use the card in its unsecured mode. And last week, the CFPB gave the wholly-owned subsidiary of Synchrony Financial the green light to go forward with its DFCC solution.

In large part, the CFPB’s ruling for Synchrony represented a broader embrace of bringing financing to consumers with lower credit scores. The Bureau referred to these efforts as “represent(ing) a potentially significant point of access to credit for certain consumers” and favorably compared Synchrony’s dual feature card to other secured card offerings.

Critically, Synchrony will provide complete transparency with regard to the cost differences between the secured and unsecured features, including the lower rate on the secured card. Cardholders that graduate to the unsecured Synchrony credit card are not eligible to return to the secured card.


Photo by Ekaterina Bolovtsova from Pexels

CFPB Sets Sights on Data-Security Practices

_____________________________

Guest post by Erica A.N. Kramer and Justin B. Hosie*
________________________________

It’s hard to imagine that the Consumer Financial Protection Bureau (CFPB), which is not tasked with enforcing information-safeguarding (Congress left that with the FTC), would impose civil fines on a company for safeguarding representations, when the company in question didn’t have a data breach.

It’s even harder to imagine such an action when the very same agency announced a policy to encourage consumer-friendly financial innovations just a few weeks before imposing the fines. However, we now live in an age when the CFPB seeks to encourage financial innovation one day and stifle it in the next, even when no consumer harm appears to exist.

What happened
Earlier this month, the CFPB announced a consent order in its “first data-security action.” The announcement sends a clear message that the CFPB now has its sights on data-security practices. This enforcement action clearly shows that the CFPB is once again stretching its authority by simply labeling a representation as deceptive and blurring the lines between federal agencies’ jurisdictions. Consequently, we’re likely to see a significant increase of regulatory scrutiny in the data-security arena in the upcoming months.

The action targeted Dwolla, a Finovate alum operating a digital payment network that allows members to send and receive money. It has more than 650,000 members and transfers as much as $5 million per day. The CFPB alleged that Dwolla misrepresented its data-security practices by describing its network as “safe” and “secure” and its data-security practices as exceeding industry standards. While there appears to have been no consumer harm whatsoever, according to the CFPB’s unilateral assertions, Dwolla’s data-security practices did not live up to its claims and the representations constituted deceptive acts and practices. As a result, the CFPB imposed restrictions on Dwolla’s future conduct and ordered Dwolla to pay $100,000 into the CFPB Civil Penalty Fund.

Implications
Imposing civil penalties on innovative companies like Dwolla seems particularly heavy-handed when you consider the lack of evidence of consumer harm. Despite the extremely high volume of money and personal information moving through its network, Dwolla never experienced a data breach or received a consumer complaint regarding its data-security policies.

As Dwolla explained in its blog on March 2, “Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities.” Dwolla also explained that it is continually learning, growing, and adjusting its data-security practices to ensure members are provided with the security they expect. Unfortunately, the CFPB’s order demonstrates little tolerance for the growing pains and adjustments often accompanied by developing new technologies.

Recommendations
Given the CFPB’s none-too-subtle foreshadowing that more data-security-enforcement actions are on the horizon, we urge Fintech companies to consider several important factors:

  • Understate, don’t exaggerate: The CFPB has little tolerance for puffery when it comes to data security. Make sure your claims match your practices.
  • Act, don’t react: Address potential data-security vulnerabilities as soon as they come to your attention. Don’t wait for a problem to arise.
  • Evolve your practices and your claims: Make sure that your data-security practices are growing and changing in lockstep with your product’s development.
  • Follow the rules: Make compliance your top priority. Institute and follow a robust compliance management system that includes regular oversight and input by your company’s management and board.

Since there’s no way to avoid regulatory scrutiny, make sure your data-security practices are above reproach before the CFPB sets its sights on your company.

——————-

*Justin B. Hosie is a partner at Hudson Cook LLP, licensed to practice law in Florida and Tennessee. Erica A.N. Kramer is an associate at Hudson Cook LLP, licensed to practice law in Florida. You can contact Justin for more information at 423-490-7560 or jhosie@hudco.com.