Last week, the CFPB issued its long-awaited report on buy-now-pay-later (BNPL) products.  While the report identifies consumer risk and harms arising from BNPL products, it does not discuss any actions that the CFPB plans to take based on the report.  Those follow-up actions were left for Director Chopra to preview in his prepared remarks on the report and for the CFPB to announce in its press release on the report.  In this blog post, we will take a closer look at the consumer risks identified by the CFPB in the report and the CFPB’s plans for addressing those risks.

On October 3, 2022, from 1 p.m. to 2 p.m. ET, Ballard Spahr will hold a webinar, “The CFPB’s Report on Buy-Now-Pay-Later: What are the Takeaways and the CFPB’s Expected Next Steps?” Click here to register.

The report identified three broad categories of potential consumer risk arising from BNPL: overextension, data harvesting, and “discrete consumer harms” (consisting of lack of standardized disclosures, dispute resolution challenges, compulsory use of autopay, multiple payment re-presentments, and late fees).  According to the CFPB, these concerns manifest themselves as follows:

  • Overextension risk.  The CFPB stated that the data it reviewed “suggests that many BNPL consumers may not be simply shifting their existing purchases to a new payment platform; they may be spending (and borrowing) more than they otherwise would.”   The CFPB views much of this “incremental consumption” as the result of “repeat usage” by consumers and sees it as creating a “risk of overextension” among “a subset of the BNPL borrower base.”  According to the CFPB, this risk can take two distinct forms: loan stacking and sustained usage, which it describes as follows:
    • Loan stacking.  This is the risk that a borrower takes out concurrent BNPL loans at different lenders and is unable to pay some or all of them.  The CFPB believes that the factors creating this risk include the ease with which a borrower can borrow from multiple BNPL lenders within a short time frame and the historical practice of BNPL lenders not furnishing loan performance data to consumer reporting agencies.
    • Sustained usage.  This is the risk that frequent BNPL usage may threaten borrowers’ ability to repay non-BNPL financial obligations, such as rent, utilities, mortgages and other loans.  The CFPB cites a 2017 study published by TransUnion which, to the surprise of the study’s authors, found that consumers with at least one active personal loan, auto loan, mortgage, and credit card prioritized personal loan payments above the other three.  To explain this behavior, the CFPB offers two hypotheses.  One is the prevalence of autopay for repayment of personal loans.  The second is that because payments on personal loans tend to be smaller in amount as compared to mortgage and auto loans, consumers find the prospect of making a full payment on a personal loan more attractive than making a partial payment.  According to the CFPB, the structure of BNPL “is closely aligned” with personal loans, thus making it likely consumers will prioritize repayment of BNPL loans over other debts with higher consequences for nonpayment.
  • Data harvesting.  The CFPB reported that BNPL lenders often collect a consumer’s data “to increase the likelihood of incremental sales and maximize the lifetime value they can extract from the consumer.”  In addition to risks to consumers’ privacy, security, and autonomy, the CFPB cited two other primary risks arising from data harvesting and the monetizing of consumer data.  One such risk is “a consolidation of market power in the hands of a few large tech platforms who own the largest volume of consumer data.”  The second is the risk that harvested data can be used to offer target discounts to some consumers but not others, resulting in different groups of consumers paying different prices for the same goods at the same retailer.  The CFPB divided the use of data by BNPL lenders into two general categories: (1) individual consumer demographic, psychographic, and behavior data leveraged to optimize the specific products and brands promoted to the consumer, and (2) aggregated data that modifies the general product experience (font, color scheme, word choice etc.) “to drive consumer behavior in subtle ways toward a desired outcome.”  According to the CFPB, BNPL lenders benefit financially from these uses through incremental merchant discount fee revenues in the merchant partner acquisition model and increased affiliate fees and interchange revenue in the app-driven model.  The CFPB foresees an increase in the availability and effectiveness of both use categories as lenders acquire more customers through BNPL-branded apps than from merchant partnerships.  It also raised the potential for BNPL lenders’ use of consumer data for revenue-generating purposes to increase overextension “by engendering repeat usage and contribute to market concentration by rewarding a small number of firms who achieve the largest quantity of consumer data.”
  • Lack of standardized disclosures.  The CFPB observed that most BNPL lenders do not provide the initial cost-of-credit disclosures required by Regulation Z or periodic statements required for credit cards.  (Because BNPL loans are typically repayable in not more than four installments and no finance charge is imposed, they are not subject to Regulation Z.)  The Bureau is concerned that “the lack of clear, standardized disclosure language may obscure the true nature of the product as credit and make important information about loan terms, including when and how fees are assessed, and when payments are due, less accessible.”
  • Dispute resolution challenges.  The CFPB cited dispute resolution as the top-ranking BNPL-related complaint category in its consumer complaint database. The CFPB attributed this to the lack of uniform billing error dispute rights such as those that apply under Regulation Z to credit cards.  (With regard to credit cards, Regulation Z provides consumers with the right to assert claims or defenses relating to a purchase against the card issuer and also establishes a process for consumers to dispute billing errors and imposes requirements, including timetables and limitations on collecting disputed amounts and finance charges, that card issuers must follow in responding to such disputes.)
  • Compulsory use of autopay.  The CFPB stated that “[m]ost BNPL lenders require that borrowers use autopay” and that “some BNPL lenders make removing autopay challenging or impossible.”  The CFPB noted the Regulation E prohibition on a requiring loan payments through autopay but did not directly assert that BNPL lenders were violating that prohibition by requiring autopay.  (The report notes that, in addition to withdrawals from a deposit account subject to the Regulation E prohibition, most BNPL lenders permit repayment through credit cards.)
  • Multiple payment re-presentment.  The CFPB stated that all of the five BNPL lenders to whom it sent marketing monitoring orders re-present failed payments “in some instances up to eight times for a single installment.”
  • Late fees.  The CFPB stated that the policy of at least one of the five BNPL lenders to whom it sent marketing monitoring orders allowed it to impose multiple late fees on the same missed payment (but notes “it appears those practices have changed at the time of report publication.”)  The CFPB mentioned the Regulation Z prohibition on assessing multiple late fees for the same missed payment on an open-end credit card account and the requirement that late fees on an open-end credit card account be “reasonable and proportional.” 

How does the CFPB plan to address the potential consumer risks that it identified in the report?  To address “discrete consumer harms,” the CFPB described two courses of action it plans to take in its press release.  First, it “will identify potential interpretive guidance or rules to issue with the goal of ensuring that [BNPL] lenders adhere to many of the baseline protections that Congress has already established for credit cards.”  Based on the report and Director Chopra’s comments, it appears the baseline protections that the CFPB has in mind are Regulation Z disclosures, dispute and error resolution procedures, and late charge limits.  Since BNPL is generally not subject to the Truth in Lending Act and Regulation Z, the CFPB would not appear to have any applicable rulemaking authority other than its UDAAP and Section 1032 rulemaking authority.  In issuing interpretative guidance, the CFPB would presumably rely on its UDAAP authority. 

Second, the CFPB stated in its press release that it “will also ensure [BNPL] lenders, just like credit card companies, are subjected to appropriate supervisory examinations.”  In his remarks, Director Chopra stated that “[w]e understand that some [BNPL] firms may welcome CFPB examination in order to identify potentially problematic business practices before they create widespread harm.  We are inviting these firms to self-identify to us if they wish to be examined.”  He also stated that the CFPB was reviewing its “appropriate authorities to conduct examinations on a compulsory basis, as well.”  Presumably, as the basis for conducting compulsory examinations of nonbank BNPL lenders, the CFPB would look to either its risk-based supervisory authority or its authority to supervise “larger participants.”  Director Chopra also commented that the CFPB would “also be working with state regulators that license nonbank finance companies on examinations of these firms.”

With regard to Director Chopra’s suggestion that companies self-identify if they wish to be examined, it is unclear what Director Chopra has in mind.  Under the CFPB’s procedural rule on risk-based supervision, a nonbank that receives a notice from the CFPB that it may have reasonable cause to determine that the nonbank is engaged in conduct that poses risks to consumers may voluntarily consent to the Bureau’s supervision.  We are not aware of any other procedure that allows a nonbank to voluntarily consent to CFPB supervision.

To address the risk of overextension, both Director Chopra’s remarks and the CFPB’s press release indicate that the CFPB will be looking at how the industry and consumer reporting agencies (CRAs) “can develop appropriate and accurate credit reporting practices.”  These practices can be expected to include those outlined by the CFPB in a June 2022 blog post.  In the blog post, the CFPB indicated that BNPL providers who furnish BNPL payments to CRAs should furnish both positive and negative data.  The CFPB also criticized CRAs for their slowness in developing “mature credit reporting protocols” for BNPL.  It also called on CRAs to adopt appropriate standardized BNPL furnishing codes and formats, to incorporate the BNPL data into core credit files, and ensure that BNPL data are accurately reflected on consumer reports.  Additionally, the CFPB called on credit scoring companies and lenders to build and calibrate scoring models that account for the unique characteristics of BNPL loans.

The steps that the CFPB plans to take to address risk issues with data harvesting were outlined by Director Chopra in his remarks.  He stated that the CFPB will be looking into “some of the types of demographic, transactional, and behavioral data that is collected for uses outside of the lending transaction, including for the purpose of sponsored ad placements, sharing with merchants, and developing user-specific discounting practices.”  He indicated that this inquiry was related to the CFPB’s inquiry into Big Tech payment systems, “which appear to be integrating [BNPL] into their offerings.”  In addition, Director Chopra stated that the CFPB will be coordinating with the FTC “ which launched a rulemaking process on commercial surveillance, and, if finalized, these rules will be enforceable by the CFPB in the financial services arena.”