The Business Lawyer

Winter 2022-2023 | Volume 78, Issue 1

Tea Leaves and Tarot Cards: Developments in the Laws Affecting Electronic Payments and Financial Services

Stephen Middlebrook, Sarah Jane Hughes, and Thomas Burke Kierner


  • Annual survey of developments in US e-payment and financial services law.

I. Introduction

Once again, the past year proved to be a busy time for financial services regulators, with new laws, new regulations, renewed assertions of old regulatory powers, and, unfortunately, several attempts to clarify policy that only left business lawyers scratching their heads. In this year’s survey, we summarize it all for you. Part II covers developments related to earned wage access at the federal and state level. Part III addresses enforcement activity impacting government benefit cards. In Part IV, we detail revised rules for payroll cards in two states. The Consumer Financial Protection Bureau’s attempts to expand its authority without engaging in new rulemakings are discussed in Part V. In Part VI, we cover warnings from federal regulators about potential unfair and deceptive practices that financial service providers should avoid. Part VII details recent enforcement actions targeting garnishment practices, remittance payments, and deceptive advertising. In Part VIII we discuss recent enforcement actions against cryptocurrency exchanges. And finally, in Part IX we provide some concluding remarks and our opinions as to what business lawyers should be on the watch for in the next twelve months.

II. Activity, But Little Clarity, Surrounds Earned Wage Access Products

A. The CFPB Revokes an EWA Approval Order

In last year’s survey, we discussed an advisory opinion from the Consumer Financial Protection Bureau (“CFPB”) regarding Earned Wage Access (“EWA”) products, which set out the circumstances in which the Bureau would not view an EWA product as an extension of credit for purposes of the Truth in Lending Act. We also discussed a regulatory approval order that the CFPB granted to a certain EWA provider on December 30, 2020. On June 30, 2022, the CFPB rescinded that regulatory approval order. In terminating the order, the Bureau noted that it had informed the provider that it was considering revoking the approval order “in light of certain public statements the company made wrongly suggesting a CFPB endorsement of its products.” In response, the provider notified CFPB that it was planning on modifying the program and requested termination of the approval order, which the CFPB granted in its June 30 order. The following day, the provider announced it was cutting its fees.

The CFPB’s termination of the approval order in this case should provide a strong warning to business lawyers in the financial services space that they need to make sure that their marketing teams do not misconstrue approval orders, advisory opinions, or other statements made by regulators about their products or services. In terminating the approval order, the CFPB also stated that it had received requests for clarification regarding the advisory opinion on EWA and that it planned to issue further guidance on EWA products in the near future. Many EWA providers rely upon the safe harbor created by the advisory opinion. That safe harbor, however, may be in jeopardy depending on the breadth of the CFPB’s “clarifications.”

B. California Concludes at Least Some EWA Is Not Lending

On February 11, 2022, the California Department of Financial Protection and Innovation (“DFPI”) responded to a request from FlexWage for an interpretive opinion on whether its EWA product was subject to licensure under the California Financing Law (“CFL”) and California Deferred Deposit Transaction Law (“CDDTL”). The DFPI concluded that the provider was not engaged in lending covered by the CFL because the employer and not the provider was the source of the funds advanced to the employee and the amount of the advance did not exceed the employee’s net wages. In addition, DFPI found that the fees being assessed were lower than the 5 percent administrative fee that the CFL allows and thus the provider was not attempting to evade the lending laws. Similarly, the DFPI found that the provider was not engaged in deferred deposit transactions under the CDDTL because it was not the source of the funding and the fees are within the parameters allowed by law. The California interpretive opinion will prove useful to the EWA industry because it establishes that an EWA service may be deemed not to be lending even if it assesses fees for services.

C. Treasury Wants to Clarify the Tax Rules for EWA

As part of the President’s budget proposal for fiscal year 2023, the Administration recognized a potential tax issue with certain EWA products and proposed legislative changes to address the problem. The issue arises from the fact that employers are required to withhold and transmit payroll taxes to Treasury based upon when the employee actually or constructively receives the wages. EWA programs, which give employees access to wages before their scheduled pay date, may change the time at which the employee has constructive receipt of the wages and thus may change the date upon which the employer is obligated to report the wages to the government. Treasury recognized that requiring employers to modify their payroll systems to allow for tax reporting on a daily basis would be “a significant financial and administrative burden” and thus proposed modifying the Tax Code to allow employers who offer EWA to their employees to report EWA payments on the regularly scheduled pay date. At the time this survey was going to press, no actual legislation implementing this change had been introduced in Congress. It is important to note that Treasury regulations on withholding employment taxes only apply to payments of wages by employers to employees. While the Treasury proposal does not make this explicitly clear, it would only apply to EWA payments that are payments of wages and would not apply if the EWA payment is deemed to be a loan because there is no requirement to withhold taxes from the proceeds of a loan. Consequently, the Treasury tax proposal would only impact those EWA programs that do not involve lending.

Overall, in the past year we have seen federal and state regulators struggle to define EWA products and determine if and how lending laws and tax provisions apply to such products. Legislators have introduced bills to address EWA but so far none have garnered much traction and it isn’t clear that any state will pass new legislation any time soon. We anticipate that the first state regulation of EWA will come in 2023, as DFPI has sought comment on proposed rules that would require providers of “wage-based advances” to register with the Department and submit annual reports on their activities but that don’t substantively regulate EWA products. Pronouncements about EWA from regulators come in dribs and drabs, are limited in scope, and are subject to rescission—forcing business lawyers advising EWA clients to read tea leaves and tarot cards.

III. The CFPB Introduces Uncertainty for Government Benefit Debit Card Providers

A. The CFPB Enters Into Consent Order with JPay

The CFPB settled claims with JPay, LLC arising from JPay’s role in providing prison release prepaid debit card services to state agencies. JPay, a technology and financial services provider to prisons, contracts with state departments of correction to provide prepaid debit cards to inmates who are being released from prison. The prepaid cards contain the balance of funds owed to the inmate upon release, including commissary money and, in some states, a sum of money provided by the department to ease the transition back into society, which is commonly referred to as “gate money.”

In at least some states where JPay provides debit card services, inmates were not given an alternative on how to receive their gate money. The Electronic Fund Transfer Act (“EFTA”) and its implementing regulation, Regulation E, through what is referred to as their compulsory use prohibitions, make it illegal to require a consumer to establish an account with a particular financial institution as a condition of receiving a government benefit. The CFPB asserted that gate money was a government benefit, and, as a result, forcing a consumer to receive such funds via a prepaid card was illegal. For this violation and others related to assessing undisclosed or insufficiently disclosed fees, JPay was ordered to pay $4 million in restitution and $2 million as a civil money penalty. The CFPB also ordered JPay to cease assessing any fees, except for an inactivity fee, on its prison release debit cards.

The CFPB did not offer a rationale for why it concluded that JPay was the entity violating the compulsory use prohibitions instead of the state agency that was paying gate money. Under Regulation E, a government agency that directly or indirectly issues a card to a consumer to make a government benefits payment is deemed a covered financial institution. Instead, the CFPB asserted JPay violated the law by providing a consumer financial product that “is not in conformity with Federal consumer financial law.” In addition, CFPB asserted that it was abusive to enter into a contract that “enable[ed] the [state agencies] to eliminate cash or check options they previously offered.” This is noteworthy because debit card providers often have very little control over whether the payor offers alternative disbursement methods to payees.

B. The CFPB Issues Bulletin on Government Benefit Cards

The CFPB followed the JPay Consent Order with a compliance bulletin reiterating that the compulsory use prohibitions in EFTA and Regulation E apply to government benefit accounts. In a press release announcing the bulletin, the CFPB stated its goal: “to halt prepaid card providers illegally siphoning money away from Americans through exclusive government benefit contracts,” suggesting that this is a continued area of focus for the Bureau. Unfortunately for prepaid card providers, the CFPB did not provide guidance on what measures providers should take to ensure they are not liable for a government agency’s failure to provide alternative methods of receiving government benefits.

Careful readers of the JPay Consent Order and the CFPB bulletin may be left wondering what, if anything, debit card providers can do to avoid incurring liability if a government agency fails to comply with its obligation to offer alternative disbursement methods to its benefits recipients. Those readers may also note that Regulation E’s compulsory use prohibition applies to the payment of wages too. Specifically, a person cannot require an employee to open an account at a particular financial institution as a condition of employment, functionally prohibiting an employer from forcing employees to receive their wages on a payroll card. Can payroll card providers be held liable if an employer forces its employees to receive their wages on a payroll card? Does it matter if the payroll card provider is unaware of the practice? Business lawyers advising providers of debit cards that are loaded by third parties subject to Regulation E’s compulsory use prohibition should consider what sort of measures providers can take to prevent those payors from violating federal law given CFPB’s apparent view that the payor’s violation creates liability for the provider.

IV. West Virginia and Oklahoma Update Payroll Card Regulations

The method by which employers pay their employees is generally regulated at the state level. While the particulars vary from state to state, it is common for states to require employers to obtain an employee’s consent to be paid by direct deposit. For non-consenting employees and for employees who consent but do not provide their account and routing numbers to their employers, payroll cards may present an attractive option for employers trying to avoid the costs and administrative burdens of issuing paper checks. However, many states also require an employer to obtain employee consent to pay via payroll card. Since there will occasionally be employees who do not consent to direct deposit or consent but fail to designate a financial institution by providing the requisite account and routing information, it is difficult for employers to achieve 100 percent electronic wage payment in states that require employee consent to be paid via a payroll card. Two states amended their labor codes to address this problem and make it a bit easier for employers to pay all their employees electronically.

A. West Virginia

In March 2022, West Virginia amended its labor code by eliminating the requirement that an employer obtain an employee’s written consent before paying that employee via direct deposit or payroll card. The upshot is that West Virginia employers will now be able to achieve 100 percent electronic payment of wages by paying those employees who do not consent to direct deposit or do not provide their direct deposit information by payroll card. The new law also added fairly standard disclosure and access requirements but introduced a somewhat ambiguous restriction on fees. Under the new law, fees for in-network withdrawals and transfers are prohibited. This could be read as prohibiting fees for in-network ATM withdrawals and point-of-sale transactions. It could also be read more broadly as prohibiting fees on other kinds of transfers like those made via the automated clearinghouse or real-time transfers available through debit networks.

B. Oklahoma

In May 2022, Oklahoma updated its labor code by passing Senate Bill 1345, which explicitly permits the payment of wages by payroll card. Prior to this bill’s passage, employers relied on an Oklahoma Attorney General opinion letter issued in 2009 that concluded payroll cards were a lawful method of wage payment so long as the employee voluntarily consented to receiving his or her wages via payroll card. The new law eliminates this consent requirement and allows Oklahoma employers to pay employees who do not consent to direct deposit or fail to designate a financial institution by payroll card.

V. The CFPB Expands Its Authority

A. The CFPB Expands Scope of Regulation E Through Informal Guidance

Over the prior year, the CFPB updated the Electronic Fund Transfers FAQs on its website to clarify that Regulation E covers person-to-person (“P2P”) payments and to expand the scope of unauthorized transactions to include authorized but otherwise fraudulent transactions. The CFPB states that a P2P transfer that meets the definition of electronic funds transfer is covered by the regulation. The Bureau goes on to explain that this means that Regulation E covers P2P transactions that use a consumer’s debit card or that debit a consumer’s deposit, prepaid, or mobile account. In addition, the CFPB states that while the term “unauthorized use” does not include a transaction initiated by a person to whom the consumer gave the access device, this exclusion does not apply to transfers where a person fraudulently induces a consumer to provide the consumer’s account information. This is a substantial departure from prior interpretations of Regulation E and shifts liability to the financial institution for electronic funds transfers that the consumer authorizes but later claims to be fraudulent. It is important to note that these FAQs are a “compliance aid” under CFPB policy and are not binding on financial institutions. The CFPB’s Policy Statement on Compliance Aids is clear that “regulated entities are not required to comply with the Compliance Aids themselves. Regulated entities are only required to comply with the underlying rules and statutes.” To the degree that the FAQs depart from the actual regulations, financial institutions are not required to follow them.

As P2P payment products using real-time fund transfer services have been more widely adopted by consumers, the amount and types of fraud associated with these products have also grown. Quickly following the emergence of fraud problems, we are also now seeing class action lawsuits against banks and financial service providers for failing to prevent the fraud. We expect to see a large amount of this kind of litigation in the next year or two, fueled by increasing fraud and the CFPB’s attempts to increase banks’ liability for fraud under Regulation E.

B. The CFPB Revives Dormant Authority to Examine Non-Bank Companies

On April 25, 2022, the CFPB announced plans to revive its “dormant authority” to “examine” non-bank companies whose products and services it determines, by order based upon reasonable cause, to be posing “risks” to consumers. This authority is referred to as dormant because, while the CFPB published procedural rules for implementing it in 2013, the agency has never utilized the rule. The CFPB amended the regulation, effective April 29, 2022, to allow the public release, in whole or part, of final supervisory decisions or orders that otherwise would be afforded confidential treatment.

Examination authority allows review of certain providers’ books and records and required reports. Using examination authority allows the CFPB to avoid use of civil investigative demands to obtain information. The CFPB has statutory authority to examine other providers—banks with more than $10 billion in assets, providers that the CFPB through rulemaking designates as “large market participants,” and all providers in the payday lending, student loan, and mortgage origination sectors regardless of their size.

VI. Regulators Warn About Potential Unfair and Deceptive Acts Violations

A. The CFPB Says Limiting Customers’ Ability to Post Online Reviews Is Unfair

On March 28, 2022, the CFPB issued a compliance bulletin stating that contractual limitations on customers’ ability to post online reviews are unfair and deceptive acts that violate the Consumer Financial Protection Act (“CFPA”). The guidance cites two recent enforcement actions taken by the Federal Trade Commission and explains how the CFPB plans to exert its authority over providers whose contract terms limit customer reviews.

B. Regulators Warn FinTechs Not to Make False Claims About FDIC Insurance

The Federal Deposit Insurance Corporation (“FDIC”) issued new regulations establishing a process for it to investigate and prosecute entities that misuse the FDIC name or logo. The move came in response to an increasing number of cases where financial service providers or other entities have used the FDIC’s name or logo inappropriately, usually to suggest that a product or service is protected by FDIC deposit insurance when it is not. The CFPB quickly chimed in to note that misrepresentations about deposit insurance also could constitute a deceptive act or practice under the CFPA. Cryptocurrency exchanges and FinTech companies that partner with banks that offer FDIC-insured accounts should make sure that their marketing materials do not imply that the bank’s FDIC protections also apply to products that do not qualify for deposit insurance. We expect to see multiple enforcement actions on this subject in the next year.

VII. Enforcement Actions Related to Regulation E and the CFPA

A. The CFPB Fines Bank of America over Garnishment Practices

On May 4, 2022, the CFPB ordered Bank of America (“BoA”) to pay a $10 million civil penalty and to refund not less than $592,000 to customers affected by BoA’s garnishment practices. The CFPB alleged that BoA acted unfairly or deceptively in garnishing customers’ accounts based on garnishment orders from states other than those in which the consumers resided and in failing to comply with the garnishment requirements of consumers’ home states. The CFPB cited state garnishment laws to support its position that BoA violated the CFPA. The CFPB found at least 3,700 consumers had suffered frozen accounts or payments made to out-of-state creditors while BoA ignored state requirements.

B. Regulators Target MoneyGram Over Remittance Payments

On April 21, 2022, the CFPB and the Attorney General of the State of New York jointly took action against MoneyGram International, Inc. and MoneyGram Payment Systems, Inc. relating to their remittance services. The regulators alleged various violations of Regulation E including disclosure and recordkeeping failures and unfair retention of remittance payments. Separately, on March 15, 2022, MoneyGram International, Inc. agreed to pay $8.25 million to the New York State Department of Financial Services for failure to supervise agents in the United States who engaged in suspicious transactions with China. A “spike” in money transfers to China made by six agents in New York City occurred in 2016 and 2017. The suspicious activity involved 25,000 transfers totaling $100 million. This activity should have raised concerns because China is a high-risk destination and many transfers were sent to the same recipients.

C. The CFPB Goes After Internet Lenders

In September 2021, the CFPB sued LendUp Loans alleging it had violated a 2016 consent order relating to deceptive advertising by falsely promising borrowers that repeated loans could help them “unlock” lower interest rates for later loans. After the 2016 consent order, LendUp allegedly did not end its deceptive behavior. Additionally, the CFPB alleged that LendUp failed to provide timely and accurate “adverse-action notices” to applicants it denied, as the Equal Credit Opportunity Act requires.

The CFPB announced on July 12, 2021, that it entered into a consent order with GreenSky, LLC, a lender focused on the home improvement market, for unfairly enabling merchants to secure loans for their customers without consumers’ authorizations. GreenSky must refund or cancel up to $9 million in loans, pay a civil penalty of $2.5 million, and revise procedures to prevent fraudulent loans in the future. GreenSky allegedly had received more than 6,000 consumer complaints about loan applications consumers did not submit. This enforcement action should remind business lawyers to pay attention to the volume and tenor of customer complaints.

D. The FTC Settles Deceptive Advertising Claims with Lending Club

On July 14, 2021, the Federal Trade Commission (“FTC”) settled charges against Lending Club Corporation that its advertising deceptively claimed it charged “no hidden fees” and falsely told customers their loan applications had been approved. The settlement prohibits Lending Club from making misrepresentations to consumers and requires clear and conspicuous disclosures about prepaid or upfront fees consumers will pay and the total amount of funds consumers will receive from their loans.

VIII. OFAC and the CFTC Address Cryptocurrency Exchanges

On September 21, 2021, the Office of Foreign Assets Control (“OFAC”) for the first time sanctioned a cryptocurrency exchange. OFAC charged SUEX OTC, S.R.O., an exchange that is incorporated in Czechia and operates in Russia, with facilitating ransomware. OFAC also designated SUEX for providing material support to the “threat posed by criminal ransomware actors.” Simultaneously, OFAC issued guidance on using cryptocurrency to pay ransomware.

The Commodity Futures Trading Commission (“CFTC”) sued cryptocurrency exchange BitMEX for operating in the United States as a commodities commission merchant without being registered as such and for failure to comply with CFTC regulations including Know-Your-Customer and other anti-money-laundering requirements. It also settled the CFTC’s 2020 charges against BitMEX’s three co-founders by ordering them to pay $10 million each for their roles.

IX. Conclusion

There are some obvious life lessons to be learned from this year’s survey of legal developments affecting electronic payments and financial services. Business lawyers must exercise control of their marketing departments. Misstatements about regulatory approval orders, fees or the lack thereof, and product features and limitations continue to be a ripe source for enforcement actions. Counsel should monitor the volume and tenor of customer complaints and make informed changes based on what they learn from that review. This year’s survey also demonstrates that regulators continue to be unable to provide clear guidance on some financial products on which consumers, businesses, and governments rely. This statement is true not only for relatively recent innovations like earned wage access, but also for established products like government benefit cards. The failure to establish clear regulatory frameworks, and the even worse practice of continually changing and undermining the limited guidance that has been provided, will stifle innovation, create costly uncertainty in the marketplace, and generate unnecessary litigation. We’ll be sure to provide all the gory details in next year’s survey.