Adapting Regulation for the FinTech World
With the stroke of a pen, the Consumer Financial Protection Bureau (CFPB) quietly modernized regulations associated with a 38-year-old law to bring consumer safeguards to today’s mobile world.
The consumer-watchdog agency recently issued a final rule aimed at providing wide-ranging protections to pre-paid cardholders. These protections include requiring financial institutions to limit consumers’ losses when their funds are lost or stolen, investigate and resolve errors in connection with pre-paid accounts, and provide consumers with free and accessible information about their accounts, among other protections. And although this new rule largely focuses on pre-paid cards—a rapidly growing form of payment—the CFPB also expanded the protections to cover electronic person-to-person payments, like those made via PayPal.
By expanding these existing consumer protections for financial activities, whether or not they flow through traditional banks, the CFPB implemented a tried-and-true regulatory regime that will foster innovation, competition, and the provision of new and better services to help people access their money in a faster and more secure manner. Even better, the CFPB issued the rule proactively, instead of waiting for a crisis to occur—the latter being too often the case in policymaking.
A bit of background helps shed light on the Bureau’s new rule and why it matters.
In the 1970s, debit cards were a promising new technology. Using the same magnetic swipe technology pioneered for credit cards, debit cards allowed people to access their bank account to make purchases directly from merchants. But before customers could fully enjoy this debit card technology, a new problem had to be solved: who would bear the liability in the case of a lost or stolen card? Consumers were nervous that a single mistake could expose their entire nest egg. Banks wanted to avoid being exposed to millions of dollars of losses from fraud. Merchants were afraid to accept the card lest they not be paid if it turned out to be a fraudulent transaction. The adoption of card-swipe technology required a new legal and regulatory regime.
Congress solved this problem by enacting the Electronic Funds Transfer Act of 1978 (EFTA). The Act offered a straightforward solution: clear guidelines assigned liabilities to the parties regarding their rights and responsibilities concerning this new piece of property, the debit card. EFTA, and its associated regulations, assigned limited liability to consumers of between $50 and $500, assuming that the consumers reported their loss in a responsible and timely manner. Banks assumed substantial liability, which subsequently motivated them to create secure networks with robust fraud detection.
Importantly, the law allowed those liability rights to be traded upon mutual consent of the parties, subject to this basic consumer protection floor, allowing banks to compete by accepting additional liability from consumers in case of a lost card. In fact, banks now compete for consumers’ business by offering them greater protection in case of card loss or theft, including offering consumers zero liability.
Economists may notice that EFTA’s framework maps onto the Coase Theorem, a Nobel Prize-winning idea by the late Ronald Coase. In the Coasean world, the proper role of government is to assign property rights clearly, allow them to be traded, and then get out of the way. Relying upon several key assumptions of perfect information and no transaction costs, Coase theorized that the market would efficiently sort out the rest. Although the real world often violates these assumptions, the Coase Theorem is practical enough to rank among the most cited economic theories. In the case of assigning liability and property rights for financial transactions, Coase’s ideas have worked remarkably well.
EFTA’s application originally was limited to transfers tied to specific consumer accounts. The early definitions of customer accounts excluded certain types of transfers, such as international remittances carried out by wire transfer companies like Western Union. The definition was based on certain assumptions about how accounts were structured, such as consumer receipt of monthly paper statements. Such an approach worked well in the 1970s but makes little sense in an online, mobile world.
Accordingly, Congress set in motion a revamp of EFTA as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. First, the legislation explicitly brings remittances into the EFTA framework. I worked on this section of Dodd-Frank both prior to and during its enactment. By including remittances, EFTA expanded to cover transactions that occur outside of the banking system and traditional consumer accounts. Dodd-Frank also moved responsibility for EFTA from The Federal Reserve to the CFPB. Doing so aligned the consumer-oriented mission of the legislation with the CFPB’s consumer focus.
CFPB took note of the explosive growth in reloadable pre-paid cards. Use of these cards reportedly has grown from $1 billion in 2003 to $40 billion in 2010, and researchers expect pre-paid cards will generate $100 billion this year. Pre-paid cards are used by a disproportionately lower-income population, and cardholders often are unbanked, meaning they do not use or have access to basic services from a bank.
Extending EFTA protections to this market is the right thing to do. The extension provides similar rights regarding error resolution, stolen or lost cards, and easily accessible information around fees and account balances to a more financially vulnerable population. Why should people using one form of magnetic swipe cards be granted better protections than another?
Even though many pre-paid cards voluntarily offered consumers many of the EFTA’s protections, research by The Pew Charitable Trusts, a non-profit research organization, revealed that many consumers—especially unbanked ones—were unaware of these protections. Yet the safeguards hinge upon consumer awareness: cardholders must take certain steps, such as registering cards and filing complaints within certain timeframes to qualify for many of these protections. Establishing uniform rights for consumers solves some of the awareness problem. By extending protections to a broad set of pre-paid cards, regulators eliminate the prior patchwork of inconsistent protection systems.
Yet CFPB extended safeguards beyond pre-paid cards to a much broader world by choosing to adopt a product-based regulatory mindset. That is, the Bureau opted to treat similar products similarly, regardless of form or entity. Thus, the CFPB extended EFTA rules to cover person-to-person online and mobile payment systems and new financial technologies, an industry known as FinTech.
Think about when you send money to someone over PayPal: what if you fat-fingered your keyboard and accidentally sent it to the wrong email address? If you used your debit card as the funding source, EFTA protections were automatically triggered through the card. But until recently, if you misdirected a payment funded through your PayPal account, it was unclear who bore the associated liability. PayPal could and did offer many of the EFTA protections voluntarily in case of an error or fraud. But were consumers aware that their legal rights differed on the basis of where their money was sent? And what about new payment apps that did not voluntarily provide those protections?
By assigning liability and property rights comparably across product types, the modernized rule does not preference one type of system to another. Establishing a common floor for consumer protection allows products to compete on quality, speed, and meeting consumer demands. The uniform standard even provides enhanced consumer protection, just as banks responded in the debit card market. Furthermore, nothing in the CFPB’s rule prevents companies from offering better protections to consumers as occurred in the debit card market; in fact, some financial technology companies offered customers greater safeguards than legally required even before the CFPB adopted the rule.
Moving money is all about trust. Markets work more efficiently when consumers, businesses, payment processors, and financial institutions all trust each other. The CFPB’s actions in modernizing EFTA regulations mark an important step forward in creating a regulatory regime that enhances trust, provides the legal and regulatory framework to assign rights and responsibilities, and allows the market to work and innovate. Expanding on the existing regulatory structure provides businesses and consumers a clear and low-cost framework to which they can adapt easily. These protections will offer important assistance to pre-paid card users, who are predominantly lower-income individuals and younger consumers, when they face the scenario of lost or stolen funds.
The modernization of the EFTA rules for Internet and mobile-based FinTech companies reveals the hidden gem in CFPB’s actions. Too often regulators and legislators wait for public scandals or breakdowns to occur before expanding consumer protection rights. A reactive approach is particularly harmful in FinTech, an industry in which businesses and consumers innovate and use new products every day.
Establishing a regulatory structure ahead of time, as CFPB did, allows enterprises to plan their business models accordingly, and consumers get the basic financial protections to which they have grown accustomed. Building on what works with debit cards creates a level playing field across similar products and activities, regardless of whether a bank or a FinTech firm facilitates the payment.
Implementing this type of regulatory system, in which similar products face similar rules and regulations—as opposed to regulating bank products one way and non-bank products another—remains a major goal of regulators in the post-financial crisis era. The CFPB deserves credit for carrying out this undertaking and extending EFTA and Coase Theorem logic to the modern FinTech world.