CFPB Director Rohit Chopra has wasted no time in acting on comments he made at his confirmation hearing regarding the risks posed by the collection of data by large platforms. In just Chopra’s first full week as Director, the CFPB sent orders to six technology platforms offering payment services directing them to provide information to the Bureau. The orders were issued as market monitoring orders under the Dodd-Frank Act, which directs the Bureau to monitor for risks to consumers in the offering or provision of consumer financial products or services and authorizes the Bureau to require covered persons and service providers to provide information needed to perform such monitoring.
In his statement about the orders, Director Chopra raised numerous concerns about Big Tech companies’ use of the data collected on their payments platforms. He indicated that the CFPB’s inquiry “will help to inform regulators and policymakers about the future of our payments system” and “will also yield insights that may help the CFPB to implement other statutory responsibilities, including any potential rulemaking under Section 1033 of [Dodd-Frank].” (Section 1033 requires consumer financial services providers to give consumers access to certain financial information and is the subject of an Advance Notice of Proposed Rulemaking issued by the Bureau in October 2020.)
The orders require responses by December 15, 2021. However, in light of the breadth of the information requested, it would not be surprising for the recipients of the orders to seek additional time to respond. The orders request detailed information about the following:
- The information sought relates to specific payment “products” offered by the “company.” The orders’ definition of “company” includes any parent companies, wholly or partially owned subsidiaries, unincorporated divisions, joint ventures, operations under assumed names, and affiliates. The definition of a “product” is any “C2C and/or C2B payments product or services the company offers or provides to consumers, as well as any product or service the company offers or provides to consumers in connection with facilitation of C2C and/or C2B payments, including funds-loading or other fund-receiving transactions made primarily for personal, family, or household purposes that are not C2C or C2B transactions.” “C2B” means consumer to business payments made primarily for personal, family, or household purposes so long as the transaction involves a U.S.-based consumer (but business parties do not need to be in the U.S. for a transaction to be covered and transactions in or enabled by cryptocurrency are included). “C2C” means both domestic U.S. payments made by one consumer to another consumer and payments from consumers in the U.S. to consumers outside the U.S. that are made primarily for personal, family, or household purposes (and includes transactions in or enabled by cryptocurrency).
- Data harvesting. The information sought relates to “Direct Product Data” and “Indirect Product Data” and the kinds of data that the company generates from this data. “Direct Product Data” means data that the company has collected (and maintained) as a result of a consumer’s use of a product. “Indirect Product Data” is data that is both (1) generated, at least in part, from Direct Product Data, and (2) about individual consumer users or commercial users of a product. (A commercial user is the non-consumer party that accepts payments from consumers or otherwise makes use of a product to engage in financial transactions with consumers.)
- Data use and monetization. The information sought relates to how the company monetizes Direct and Indirect Product Data, including by improving service delivery to product customers, selling the data, and selling advertising or other targeted content based on attributes derived from the data.
- Access restrictions. The information sought relates to the company’s policies for managing access to products for consumers and commercial entities, whether, and if so how, the company encourages or requires users of other company products or services to use a “product,” and how the company manages third-party involvement in product delivery.
- Consumer Protections. The information sought relates to how the company addresses various aspects of consumer protection, including disclosures and other protections with respect to data practices about a product, detection of fraudulent activity, methods for consumer users to address issues and problems concerning a product, and any accompanying compliance obligations under federal consumer financial laws and applicable Bureau regulations.
- Usage data/metrics. Product-use metrics and related information are sought, including metrics on complaint-handling.
- Organizational structure. Information is sought about the company’s organizational structure as it relates to products.
The Bureau’s issuance of the orders was praised by the Consumer Bankers Association. In its statement about the orders, CBA applauded the Bureau “for advancing the Bureau’s mission of protecting consumers in the rapidly evolving financial marketplace,” observing that “[s]ince the Bureau was founded, a growing share of banking activity has occurred outside of the purview of leading regulators, putting consumers and the resiliency of the financial system at risk.” CBA reiterated its long-standing support for “a level playing field to ensure every American family receives the protections they deserve, regardless of where they go to meet their financial needs.”