The Consumer Financial Protection Bureau recently issued a series of Consumer Protection Principles to be considered as new, faster payment systems are being developed.
The Rapidly Changing Regulatory Landscape for Faster Payments
A number of other government bodies and industry groups have been rapidly working to implement and impact faster payment systems: the Federal Reserve System issued a paper titled Strategies for Improving the U.S. Payment System in January 2015 and has established a Faster Payments Task Force; NACHA issued a same-day ACH payment rule in May 2015; and legislators have convened to study faster payment systems, forming a Congressional Payments Technology Caucus in the U.S. House of Representatives and a Payments Innovation Caucus in the U.S. Senate. The CFPB has already inserted itself and its consumer protection priorities into the payments ecosystem by participating as a Steering Committee Member of the Federal Reserve’s Faster Payments Task Force, and submitting a comment letter on the NACHA same-day ACH rule. In the newly-released guidelines, the agency identifies nine consumer protection principles as part of its efforts to ensure that new, faster payment system developments address consumer needs and interests.
CFPB’s Guiding Principles for Faster Payment Systems
According to the CFPB, the following nine principles are intended to promote safety, transparency, accessibility and efficiency while addressing consumer protection concerns, many of which involve consumer disclosures and consumer choice. The principles also seek to embed structural features in innovations to prevent erroneous or fraudulent transactions and limit the related consumer harm.
- Consumer control of payments. Consumers should be able to place parameters on payments, dictate when and how payments will be conducted, and limit the scope of payment authorizations based on time, amount, and payee. And the terms and conditions under which any payment has been authorized should be clear.
- Data and privacy. When helpful, consumers should be informed of what data is being transferred and how, who can access the data, and any potential risks. As appropriate, consumers should be able to specify what data can be transferred and whether it can be shared with third parties. Finally, any consumer data should “only [be] used in ways that benefit consumers.”
- Fraud and error resolution protections. Information should be created and recorded to permit post-transaction resolution of mistaken, fraudulent, unauthorized, or otherwise erroneous transactions, and systems should be in place to reverse these transactions once they are identified. Protections under Regulations E and Z should also be incorporated.
- Transparency. Real-time access to the status of transactions should be provided, including confirmations that a payment has been sent and received. Disclosures should also be given regarding the costs, risks, funds availability (presumably the timing of funds availability), and security of all payments.
- Cost. To ensure payment systems are ubiquitous and accessible for all consumers, payment system costs should be “affordable” and clearly disclosed in a manner that facilitates comparison.
- Access. Consumer access and usability depends on widespread adoption by businesses and other consumers. “Qualified intermediaries”, such as mobile wallets, payment processors, and other non-depositories in the payment system, can be used to enhance access except to the extent necessary to “protect functionality, security, and other key user values.”
- Funds availability. Faster access to funds will decrease consumer overdrafts and declined transactions, which will benefit consumers, depository institutions, and third parties.
- Security and payment credential value. Mechanisms to detect and limit errors, unauthorized transactions, and fraud should be built into the payment system. Gateways should be able to provide enhanced security protections for consumers. Finally, payment credentials should be without value, such as tokenized payment data, so that security breaches are less lucrative for fraudsters and less harmful to consumers
- Strong accountability mechanisms that effectively curtail system misuse. Commercial participants in the payment system should be incentivized to prevent fraudulent, unauthorized, or otherwise erroneous transactions by being held responsible for risks, harms, and costs they introduce into the system. In addition, payment systems should automatically monitor for these types of transactions, create incentives for reporting misuse, and have transparent enforcement procedures.
Will the CFPB’s Actions Foster or Stifle Innovation?
The CFPB’s Guiding Principles highlight the tension between consumer choice, consumer protection, and cost which financial institutions face. For example, making funds available to consumers quickly, while at the same time allowing a high degree of reversibility for fraud and error, increases the risk of loss to financial institutions. Similarly, truncating or tokenizing transaction information enhances data security, but at the same time makes the retrieval of such information and the reversal of transactions more time consuming and costly. The Guiding Principles do not acknowledge the inevitable tradeoffs that must occur for them to implemented, while implicitly and explicitly assuming that payment system members rather than consumers will take on the responsibility of compliance. While the CFPB’s goals of protecting consumers in the payments ecosystem are commendable, the potential for this policy to stifle innovation is significant.
For example, while the guidelines address data security and privacy concerns in a manner generally consistent with existing GLBA requirements, they go further than the Federal Trade Commission’s recent recommendations over data broker practices by stating that consumer data should only be used in ways that benefit consumers. Since not all data uses will directly impact consumers, it is unclear whether consumer oriented data use policies (including disclosure and customer choice) might have the unintended consequence of limiting innovations that ultimately could benefit consumers. Another example is the “transparency” principle’s requirement that costs be disclosed: it is unclear whether interchange rates or the fees charged by a mobile wallet provider to a credit card issuer would be required to be disclosed, and if so, whether those fees could be accurately disclosed to consumers in a useful way. These types of ambiguities can negatively impact the development of innovative payment system technologies. The CFPB’s recognition of the role that financial technology companies play in the payments ecosystem in its discussion of “qualified intermediaries” is important. These companies propel payment system innovation, often in a cohesive and symbiotic way with incumbent financial institutions.
The CFPB has an important role to play in advocating for and implementing policies that protect consumers when they interact with payment systems. While the agency does not seem poised to adopt any rules governing consumer protections in payment systems at this time (beyond those that already exist in Regulations E and Z), the threat of an enforcement action for unfair, deceptive, or abusive acts or practices against payments system participant always remains.