On November 7, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a rule that would allow the CFPB to supervise certain large nonbank companies that provide consumer financial services such as digital wallets and payment applications. If enacted, it would subject large technology companies handling more than five million payment transactions per year—such as Apple, Meta and Alphabet—to CFPB supervisory examinations for the first time. Under the proposed rule, these large nonbank companies would have to adhere to certain funds transfer, privacy and other federal consumer financial protection laws, including protections against unfair, deceptive and abusive practices.

The CFPB believes that imposing consistent consumer protection laws among large technology companies and depository institutions will help level the playing field, promote competition and protect consumers’ privacy rights. The proposed rule seeks to promote competition by requiring that firms which offer transaction accounts—such as checking accounts, credit cards and digital wallets—give consumers access to their personal financial data so they can more easily share such data with another provider. It would also prohibit companies that receive such personal data from using it for anything other than the financial services product being offered to consumers. Large technology companies would thus not be allowed to use this personal data for targeted advertising, sell such data to brokers or hold onto personal data indefinitely.

The proposed rule is part of the CFPB’s efforts to monitor the shift to “open banking” in the United States and oversee large technology companies as they enter consumer financial markets—blurring the traditional line between banking activities and commercial activities. Earlier this year, the CFPB published a report asserting that large technology companies have had a negative impact on competition and innovation in the mobile payment industry. In connection with this report, the CFPB requested information from such companies on their use of sensitive personal data (available here). The CFPB has indicated that it believes that the current lack of regulatory oversight or scrutiny of large technology and payments companies exposes consumers to risk since such companies are not subject to the same consumer financial protection laws as banks and credit unions. Last year, the CFPB also issued an interpretive ruling which provided that technology companies that market financial products using behavioral targeting techniques must comply with federal consumer financial protection laws (available here). According to CFPB Director Rohit Chopra, “Federal and state law enforcers can and should hold these firms accountable if they break the law.”

Comments on the proposed rule (available here) must be received by the CFPB on or before January 8, 2024.