The term scuttlebutt (which is just a fun word to say and to type) refers to a cask (also known as a butt) on a sailing ship that holds fresh water and that has been scuttled by making a hole in it so the water could be withdrawn.

Sailors would gather around the scuttlebutt to grab a drink and would talk and exchange news and gossip, hence the more common usage of the term now (i.e. water cooler talk).

Having just spent a few days in the sweltering heat of Washington, D.C. (constantly drinking water), I had the opportunity to engage in a lot of scuttlebutt with folks in bank and fintech policy circles, and I thought I’d report back some of the anonymous (but well-sourced) insights.

The CFPB is moving fast.

When I asked folks what they were seeing and hearing from the CFPB, the word that kept coming up was “sprinting”.

In advance of the election, the CFPB appears to be trying to knock as many items off its to-do list as possible. One way that this is manifesting is the increased use of non-binding interpretive rules, which allow the bureau to clarify or explain existing laws or regulations, rather than going through the formal rulemaking process.

One recent example of this is the CFPB’s interpretive rule confirming that BNPL loans are credit cards, for the purposes of consumer protections under Reg Z. This rule has annoyed some of the big pay-in-4 BNPL providers (especially Klarna), which I’m empathetic to on some points (requiring monthly billing statements for pay-in-4 BNPL seems like a bad fit) and less empathetic to on other points (outsourcing a lot of the dispute and refund work to the merchants, as some BNPL providers do today, isn’t the optimal approach IMHO).

Another example, hot of the presses, is the CFPB’s proposed interpretive rule explaining that earned wage access (EWA) products are loans for the purposes of specific provisions within the Truth in Lending Act (TILA).

This one has fintech policy land all riled up, so let’s take a quick minute to review it.

According to an analysis done by the CFPB:

  • In 2022, roughly 10 million workers utilized earned wage product transactions to access over $31.9 billion. Roughly 70% of that came through employer-partnered EWA, with the remaining 30% coming from direct-to-consumer EWA.
  • In the CFPB’s data sample (which is sourced from employer-partnered EWA providers), the average EWA transaction size was $106 and the average worker accessed $3,000 in funds per year. The average worker had 27 earned wage transactions per year and the share of workers using the product at least once a month increased from 41% in 2021 to nearly 50% in 2022.
  • Across the CFPB’s data sample, in 2021 and 2022, roughly 90% of workers paid at least one earned wage product-related fee. The most common type of fee, by far, was a fee for expedited access to the funds (i.e. making the standard 1-3 day ACH transfer go faster). Among the companies in the CFPB’s data sample that collect fees, the average cost per transaction ranged from $0.61 to $4.70. When workers paid a fee, the average size was approximately $3.18. Workers paid an average of $68.88 per year in fees.     

The proposed rule would apply many of the same pricing and disclosure requirements under TILA that existing loan products fall under today. As a practical matter, it would require EWA providers to act as lenders.

I’m still trying to work through my thoughts on the proposed rule, but here are a couple of quick reactions:

  • It’s weird to me how focused the CFPB was, in both its research and its rule, on employer-partnered EWA over direct-to-consumer EWA. The bureau notes in its analysis that in employer-partnered EWA, employers rarely subsidize the costs of expedited transfer fees. However, this ignores just how much of the overall costs of EWA employers do pick up in the employer-partnered EWA model. Without employers involved, EWA is much more expensive for consumers (which the CFPB admits in its research). Why did the CFPB decide to lump employer-partnered and direct-to-consumer EWA together in its rule? One is very payday lending-like. The other is not.
  • The CFPB did go out of its way to clarify that optional tipping, which is quite common in the direct-to-consumer EWA model, can be considered a finance charge (and subject to disclosure requirements under TILA). I won’t comment on the bureau’s legal argument here (not a lawyer!). I’ll just say YAY! Tipping in fintech, as I have written before, is complete bullshit.
  • One stat that the CFPB didn’t share in its analysis is the relationship, in employer-partnered EWA, between frequency of use and likelihood of paying a fee for expedited funds transfers. The CFPB’s data shows that there are two types of EWA users – those who use the product occasionally and those who use the product habitually (nearly 28% of employer-partnered EWA users do 25+ transactions in a year). My educated guess is that those who use the product habitually are much more likely to pay for faster funds delivery, which would suggest that there are two distinct use cases in employer-partnered EWA that should perhaps be regulated differently. 
  • The impact of this proposed rule, assuming that it gets finalized (and that’s not a safe assumption given the overwhelming likelihood of lawsuits coming the CFPB’s way), is likely very bad for direct-to-consumer EWA providers (over 80% of Dave’s operating revenue from Q1 of this year came from expedited funding fees and tips) and potentially positive for EWA providers (both employer-partnered and direct) that have already taken the necessary steps to operate as regulated lenders.

Do we need a different way to disclose the costs of short-term, small-dollar loans?

One part of the CFPB’s argument for treating EWA as a loan is that if we don’t do it, consumers won’t be able to fairly evaluate the costs of different short-term, small-dollar credit options. In other words, how will consumers make informed choices if they don’t know the APR?!?

For illustrative purposes and using average inputs from our sample data, a single earned wage product transaction of $106 with $3.18 in fees for a ten-day period equates to an APR of 109.5%. As actual APRs will vary depending on transaction size, fees paid, and duration, a 109.5% APR understates APRs for smaller transactions with shorter terms. For example, a $50 transaction with $3.18 in fees for four days equates to a 580.4% APR.

I don’t know, man. Speaking strictly as a consumer, that illustrative example from the CFPB does nothing for me.

A 580% APR sounds really bad! But is it actually? Is choosing to pay $3.18 for instant access to $50 4 days early an indefensibly bad financial decision? Is it predatory for a provider to offer it to me? Particularly when the loan is closed-ended (I can’t revolve it like a credit card balance) and non-recourse (the lender won’t try to collect if I can’t or don’t pay?)

Personally, I don’t think so.

I completely understand the original justification for TILA. In the 1960s, there were no standards for disclosing the price of credit to consumers, and this created some really bad outcomes. However, I also think it’s entirely reasonable to suggest that we need to modernize these requirements to account for the differences in different product structures and to provide a disclosure framework that is more useful to consumers than annual percentage rate.

FCRA is the biggest (most under-discussed) shoe to drop.

If you asked fintech and bank policy folks – what is the most consequential regulatory rule that is currently being worked on and that no one is really talking about? – you would likely get the same answer from a lot of them.

The CFPB’s rulemaking on consumer reporting under the Fair Credit Reporting Act (FCRA).

I wrote in more detail about this (and how it fits into the bureau’s work on open banking) here, but the basic idea is that the CFPB wants to expand the scope of the FCRA to cover more data brokers, restrict the sale of consumer report data for non-FCRA purposes, and classify certain types of consumer report data (like credit header data) as FCRA data.

This has a lot of banks, fintech companies, and data providers worried.

The CFPB’s registry of nonbank troublemakers.

Another under-the-radar CFPB initiative that is generating some controversy – the registry of nonbank troublemakers.

Based on the CFPB’s Nonbank Registration of Orders Rule, nonbank entities covered under the Dodd-Frank Act (basically everyone except car dealers) will soon be required to report final public orders related to violations of consumer financial laws to the CFPB. The bureau will make this registry of public orders available for all to see – regulators, consumers, and the general public alike.

It’s a bit like if I created a database – let’s call it “The Refrigerator Database” – that was available to all my children’s family, friends, and teachers and then required them to upload their report cards into it. Embarrassing, but arguably a reasonable solution to the “not showing your parents a bad report card” problem.

Interestingly, the CFPB has gotten A LOT of pushback on this rule from a source you might not expect – the Conference of State Bank Supervisors (CSBS)!

I wrote about the CSBS in last week’s essay, if you are curious to learn more about the organization. Specific to this rule, the CSBS’s objection is that the CFPB’s registry would be redundant to its Nationwide Multistate Licensing System & Registry (NMLS), an interstate system for state licensing and supervision, which already has a consumer-facing database that captures much of this information.

In considering these objections to its draft rule, the CFPB’s final rule includes a one-time registration option for covered nonbanks to link their data in NMLS to the bureau’s registry. This will save nonbanks some time (don’t have to submit redundant data to two different databases), but it doesn’t do anything to reduce the CSBS’s anxiety about competition between its consumer portal and the CFPB’s registry.

I wouldn’t be surprised if we see a lawsuit over this from the CSBS or an organization they are affiliated with.

BSCA or Third-party Risk Management (TPRM): Choose Your Fighter

The Synapse/Evolve/BaaS situation was obviously a topic that was on everyone’s mind.

The general sense from the people I spoke with was that fintech companies that partner with banks will soon face much more scrutiny from federal regulators.

The question is, through which mechanism will this scrutiny be applied?

The two leading contenders are third-party risk management (TPRM) and the Bank Service Company Act (BSCA).

TPRM is the primary framework under which BaaS is regulated at the federal level today. It requires banks to vet and supervise all third-party service providers (and their service providers), including fintech partners and BaaS middleware platforms.

Last year, the OCC, Federal Reserve, and FDIC released updated guidance for banks’ third-party risk management programs, followed by an addendum specifically geared toward community banks. As I wrote about at the time, the guidance appeared to address novel, fintech-centric third-party risk vectors like BaaS. However, as with almost all regulatory guidance, the TPRM guidance was incredibly vague and non-prescriptive.

There is a sense among the financial services policy crowd that this guidance may become significantly less vague in the near future, in response to the very public mess that BaaS has become. Multiple regulators have hinted at this in recent comments.

Fed Vice Chair for Supervision Michael Barr indirectly referenced the Synapse disaster in a speech last week:

Banks must have controls to manage risks and prevent violations of law, and their approach must keep pace with the growth of new products and services. Complexity can exacerbate risks and requires banks to pay particular attention to ensure that laws are followed and customers protected. To the extent banks are working with fintech partners, banks have a responsibility to manage the risks associated with the third parties they partner with to serve their customers.

We have, unfortunately, seen examples of failures of banks to effectively manage the risks of partnerships with other companies that support services to their end customers, and these failures have resulted in customer harm.

And Jonathan McKernan, a Federal Deposit Insurance Corp. board member, said at a conference last week that the existing TPRM guidance could be clearer, as reported by Banking Dive: 

[McKernan] said there is room for activity-specific advice under existing interagency guidance on third-party relationships. 

Guidance could articulate “with greater clarity, even some black-and-white rules of the road,” he said. Banks need to continually monitor to ensure partner fintechs are fulfilling obligations, and identify gaps, said McKernan, who noted that this often doesn’t happen.

Federal regulators could also choose to make BaaS a priority under the Bank Service Company Act (BSCA). 

As Jason Mikula explained in his newsletter, the BSCA is a bit of a mystery box. However, in theory, it can be stretched to apply to novel areas like BaaS if regulators feel the risks posed by those novel areas rise to a sufficient level of importance, as it did after the Capital One/AWS data breach in 2019, which pulled the public cloud computing providers (Amazon, Microsoft, Google) into the orbit of the BSCA. 

OCC Acting Comptroller Hsu mentioned the BSCA specifically in a recent speech about the growing complexity of the banking supply chain:

As the recent bankruptcy of Synapse has shown, the line between where a bank ends and where a nonbank begins is increasingly hard for consumers, regulators, and market participants to discern. This makes it challenging to know who is responsible for what—a challenge that is playing out tragically for the millions of consumers and end users caught up in the Synapse bankruptcy. 

Federal banking agencies like the OCC have relied on the Bank Services Company Act (BSCA) for authority to examine third-party service providers and on third-party risk management guidance to inform banks’ engagements with nonbanks.  

No one seems to know exactly what the Fed, FDIC, and OCC are going to do in response to the Synapse/Evolve situation, but the feeling is that one of TPRM or the BSCA (or both) will be leaned on more heavily. 

FDIC pass-through insurance is Schrödinger’s cat.

Another BaaS question that came up this week – what happens if a BaaS bank fails and FDIC insurance does actually come into play? In this “reverse Synapse” situation, would FDIC insurance protection apply to the fintech programs’ end customers?

In theory? Yes. This is what FDIC pass-through insurance is for.

The trick is that customers holding deposits at a bank through a third-party custodial arrangement like BaaS qualify for pass-through insurance if, and only if, the arrangement meets some very specific conditions. Crucially, the FDIC only confirms that those conditions have been met after the bank fails.

This means that end customers cannot know in advance if the FDIC insurance of their fintech company’s partner bank will protect them in the event that the bank fails.

This seems suboptimal in a world in which FBO accounts are frequently being used to support transactional banking experiences.   

National fintech charter?

Here’s another bit from Acting Comptroller Hsu’s speech this week that I loved:

The gap between state money transmitter licensing and prudential federal bank agency oversight is likely to become starker over time. Customer-facing nonbank fintechs generally are regulated as state-licensed money services businesses (MSBs). None are supervised prudentially at the federal level. Proponents of the state MSB regime claim that this has enabled innovation. Perhaps. More clearly, however, it has enabled customer confusion. For instance, fintechs have been able to play fast and loose with how they market their services and their relationship to FDIC insurance, which does not cover their failures. Addressing this and other infirmities of the money transmitter regulatory regime through state-by-state action is highly unlikely. As one academic noted recently, “[S]tates are not well-positioned to address these critical challenges.” Rather, tailored federal payments regulation and supervision is needed.

National fintech charter! Bring it back!

How do we help consumers avoid being scammed?

My primary reason for visiting D.C. this week was to participate in an off-the-record roundtable about how banks, fintech companies, telco companies, regulators, and law enforcement can do more to help consumers and small business owners avoid scams.

I’ve written before about how the energy we expend in financial services, drawing distinctions between fraud (when a consumer’s money is stolen without their authorization) and scams (when a consumer is tricked into authorizing the theft of their money), is misdirected. When the customer’s money is stolen, it’s a problem for financial services providers, period.

Industry participants are coming around to this point of view, and it was an honor to participate in a discussion about how we turn this point of view into a national strategy.

I’ll be writing more about this topic in future newsletters, but if you’d like to start sinking your teeth into this topic, read this paper by Nick Bourke – Stopping Scams Against Consumers:   Roadmap for a National Strategy.

Alex Johnson
Alex Johnson
Join Fintech Takes, Your One-Stop-Shop for Navigating the Fintech Universe.

Over 36,000 professionals get free emails every Monday & Thursday with highly-informed, easy-to-read analysis & insights.

This field is for validation purposes and should be left unchanged.

No spam. Unsubscribe any time.