Beyond Big Tech: CFPB’s Payments Data Obsession May Broadly Target Third-Party Data Purchasers

Financial Services Law

In late October, the Consumer Financial Protection Bureau (CFPB) sent a shot across the bow at Big Tech’s use of consumer payments data. While much of the industry has focused on the impact on Big Tech, some lenders, lead generators and data brokers may be unaware how the recent orders impact them. They do, and we explain why below.

What Happened

On October 21, 2021, the CFPB announced it had issued a series of orders to some of the largest U.S.-based technology companies that operate payment systems. The orders require these companies to provide extensive and fulsome information on (1) specific payment products offered by the company, including features of the payment products, ways in which payment products are marketed to consumers and businesses, fees that may be charged to consumers and businesses, and plans for evolving the product over time; (2) the data the company collects and retains as a result of consumers’ use of its products, including the kinds of data generated from this product use data, and the purposes associated with the harvesting of different data fields; and (3) how the company monetizes the product data described above—including by improving service delivery of the products to customers, by selling the data directly, and by selling advertising or other targeted content based on attributes derived from the data.

In announcing the orders, the CFPB alleged payment companies may be actively sharing payment data across product lines and with data brokers and other third parties. Likewise, the CFPB said, such companies “may be using this data for behavioral targeting,” and such practices “may not align with consumers’ expectations.” Further, the CFPB asserts, the dominance of these platforms may pressure merchants and others to participate, increasing the risk that payment systems operators “will limit consumer choice and stifle innovation by anticompetitively excluding certain businesses.” Finally, the CFPB suggests that consumers “expect to be protected from fraud and payments made in error, for their data and privacy to be protected and not shared without their consent, to have responsive customer service, and to be treated equally under relevant law.”

In a separate announcement, CFPB Director Rohit Chopra sounded an ominous tone: “Little is known publicly,” he said, “about how Big Tech companies will exploit their payments platforms.” After invoking the example of “super-apps” prevalent in China, where “consumers have little choice” and “little market power,” he then listed several worst-case scenarios, including “invasive financial surveillance,” price discrimination, and interference with competitive markets such as by “disqualifying or delisting an individual or business from participating on the platform.” But the Director also called into question more mundane practices already in use, such as using data acquired in payment processing “to profit from behavioral targeting, particularly around advertising and e-commerce.” And he made clear that CFPB’s agenda will not be merely to rein in the worst-case scenarios, but also to apply traditional regulatory oversight well known to financial institutions within the Big Tech space: “How effectively do they manage complaints, disputes and errors? Are they sufficiently staffed to ensure adequate steps are taken to address consumer protection and provide responsive customer service when things go wrong?”

Why It Matters

Although we expect future orders to demand even more information about third parties that obtain payments data from Big Tech, even these initial orders open the door by requesting the identity of companies that partner with or purchase payments data from Big Tech. For example, each of the orders demands companies identify a limited number of third parties, including “commercial users” of, and “consumer-facing intermediaries” that obtain, payments data that Big Tech collects. For example, with respect to data sold to third parties, the CFPB asks for each shared data field (i) the names of three third parties that have paid for data, (ii) the most recent contracts that control the third party’s use of the data and govern the compensation received from sharing that data, and (iii) the gross revenue received from the third party in connection with sharing the data.

As we have previously advised, the CFPB has very likely returned to a period of heightened regulation by enforcement. The Chopra CFPB’s concerns about “consumer expectations,” for example, come as no surprise. On this particular topic, though, one could easily envision a CFPB under Kraninger or Mulvaney issuing largely identical orders referring to Big Tech payment systems as benefiting from “scale and network effects,” and either of the former Directors likewise wondering whether such companies will “use their scale to extract rents from market participants,” as Chopra did in his separate statement. Antitrust scrutiny of Big Tech is a bipartisan endeavor.

In recent years, tech providers have started offering various payment-related products such as “wallets” that store payment information to be electronically presented at a point of sale or consumer apps that directly access and transfer funds from consumer bank accounts to third parties. With the rise of cryptocurrencies, many of these payment products may be actually converting dollars into cryptocurrencies or using various crypto-based payment systems on the back end to conduct the transactions.

Technology companies whose wallets or payment products transmit or store consumers’ funds should evaluate their obligations under applicable consumer protection laws, particularly the Electronic Funds Transfer Act (EFTA) (15 USC 1693, et seq.). Depending on the nature of the payment product, the CFPB may believe that these technology companies are subject to consumer financial protections laws, either directly—or perhaps indirectly to the extent that the technology company may be acting as a service provider to a financial institution.

Once the CFPB obtains and analyzes the data received from these orders, we fully expect the CFPB to issue follow-on orders both to the original recipients and to the third parties that partner with Big Tech to market to consumers. If your company uses or purchases data derived from Big Tech, pay attention.

While the orders are the early stages of a long-term topic we will be watching for years, and much remains to be seen as to how oversight will impact the payment systems industry, one thing is clear: CFPB will bring its traditional regulatory oversight of the payment systems industry to Big Tech. As that oversight plays out, we expect incumbent players in the payment and financial services ecosystem to see substantial advantages as a result of their experience in complying with applicable consumer financial protection laws (GLBA), Reg. P and other federal financial privacy laws (FCRA), and emerging state privacy laws (CCPA, CPRA, Colorado, Virginia)—and due to their already existing data lakes (centralized data repositories) full of consumer transaction data. Such incumbents have already invested heavily in technology infrastructure to build their big data analytic capabilities and platforms and are familiar with federal prudential banking regulators. In short, while Big Tech learns to live with high, enforced limitations on their use and disclosure of consumer payment information, the established financial services giants are experienced with the regulators’ tune and can develop innovative payments and big data solutions at a lower risk of drawing scrutiny from financial regulators worldwide.

Manatt is currently advising clients on payments data issues. Please contact the authors if you have any questions about the CFPB payments data orders to Big Tech and how these orders may impact your institution.



pursuant to New York DR 2-101(f)

© 2023 Manatt, Phelps & Phillips, LLP.

All rights reserved