The Office of the Comptroller of the Currency (OCC) has issued a bulletin (2023-37) that provides guidance on managing risks associated with “buy now, pay later” (BNPL) lending.  The BNPL loans addressed in the bulletin are loans that are payable in four or fewer installments and carry no finance charges.

The bulletin cautions banks about the risks to banks and consumers associated with BNPL lending.  It contains a list of such risks that includes the following:

  • The lack of clear, standardized disclosure language could obscure the true nature of the loan, result in consumer harm, or present a risk of violating prohibitions on unfair, deceptive, or abusive acts or practices.
  • The highly automated nature of BNPL lending, with instantaneous credit decisioning and frequent strong reliance on third parties, can elevate operational risk, including elevated first payment default risk from fraud.
  • Lenders may have no information about an applicant’s borrowing activity on BNPL platforms because of the limited capture of BNPL activity by credit reporting agencies. Incomplete reporting of BNPL loans can make it difficult for lenders to know the total dollar amount of debts and other obligations that applicants have before determining whether to approve them for new credit.  (Although the three major credit bureaus have announced that they would begin including BNPL transactions in their reporting, it could take some time before BNPL activity is consistently reflected in credit reports.)

The bulletin advises banks engaging in BNPL lending to do so within a risk management system that is designed to capture the unique characteristics and risks of BNPL loans.  In discussing each of the elements of such as system, the bulletin provides guidance in the following areas:

  • Credit Risk Management.  The bulletin discusses the policies and procedures that banks should establish for BNPL lending to address loan terms, underwriting criteria, methodologies to assess repayment capacity, fees, charge-offs, and credit loss allowances.  Banks are advised that methods to collect BNPL debt, mitigate losses, and contact borrowers may require specialized approaches and strategies that differ from traditional consumer debt collection practices.  With regard to charge-off practices, banks are advised to appropriately tailor their charge-off policies for the short-term nature of BNPL loans.
  • Credit Bureau Reporting.  The bulletin discusses the need for industry-wide reporting of BNPL loans.
  • Operational Risk Management.  The bulletin discusses actions banks should take to address the operational risks of BNPL lending, which include steps banks should take as part of fraud risk and model risk management.  These steps include establishing: internal controls and processes for handling merchandise returns and merchant disputes; processes to confirm that potential borrowers are of legal age to obtain credit; procedures to address first payment default; controls to identify suspected fraud in a timely manner (so that a bank can take steps to mitigate loss and recognize charge-offs in a timely manner); and risk models (e.g., models used in marketing, credit decisioning, customer service, or fraud risk management) that are subject to sound model risk management and incorporated into a bank’s model risk management processes.  Banks are also advised to incorporate third-party models into their third-party risk management and model risk management processes and management is advised to conduct appropriate due diligence on third-party relationships and  the model itself.
  • Third-Party Risk Management.  The bulletin discusses the OCC’s expectations for managing the risks arising from third-party relationships used in connection with making BNPL loans, such as relationships with merchants.
  • Compliance Risk Management.  The bulletin discusses disclosures that should be given to consumers in connection with BNPL loans.  Bank management is advised to consider the applicability of consumer protection-related laws and regulations to the bank’s specific BNPL products, particularly with respect to product delivery methods, marketing, advertising, and other standardized disclosures, and to consider billing dispute and error resolution rights and practices relating to automatic payments, multiple payment representments, and late fees.  The bulletin gives the following examples of federal laws and regulations that may apply to BNPL loans: Equal Credit Opportunity Act and Regulation B; Electronic Fund Transfer Act and Regulation E; Fair Credit Reporting Act and Regulation V; Section 5 of the Federal Trade Commission Act (which prohibits unfair or deceptive acts and practices); and Section 1036 of the Dodd–Frank Act (which prohibits unfair, deceptive, or abusive acts or practices.)  The bulletin advises that BNPL lending should be incorporated into a bank’s compliance management system.

The CFPB has issued two reports on BNPL products, one in March 2023 and the other in September 2022.