CFPB Announces Adjustment in Enforcement Priorities Regarding Digital Accounts for BNPL

The Consumer Financial Protection Bureau (CFPB) has issued a significant update to the public record, indicating a strategic shift in its enforcement posture. This update specifically concerns the scope of enforcement actions taken under the Truth in Lending Act (TILA) and Regulation Z, particularly in relation to the use of digital user accounts to access Buy Now, Pay Later (BNPL) loans. The guidance, released on May 31, 2024, and referenced in 89 Fed. Reg. 47,068, clarifies that the Bureau will not prioritize enforcement actions on the specific basis of these digital account provisions. This decision represents a resource allocation choice by the CFPB to focus its limited enforcement resources on other areas of consumer financial protection, while maintaining that all other statutory obligations under TILA remain fully in force.

Executive Summary

The CFPB is announcing that it will not prioritize enforcement actions taken on the basis of the Truth in Lending (Regulation Z); Use of Digital User Accounts to Access Buy Now, Pay Later Loans. This update concerns 89 Fed. Reg. 47,068 (May 31, 2024) (“Buy Now, Pay Later”). The guidance indicates a strategic shift in regulatory focus towards other compliance areas. The primary impact is on entities engaged in digital lending and Buy Now, Pay Later (BNPL) services. Financial institutions must review their current TILA compliance programs and adjust risk mitigation strategies accordingly. The CFPB’s decision suggests a potential reduction in active scrutiny regarding digital account access for BNPL loans, though general compliance requirements remain unchanged.

Entities subject to this guidance include banks, credit unions, fintech companies, and other entities that engage in consumer lending. The scope is limited to consumer protection matters covered under Regulation Z. The CFPB emphasizes that this does not absolve entities of their statutory obligations under TILA. Instead, it signals a resource allocation decision to focus on other areas of consumer financial protection. The official text of the announcement can be accessed at https://cfpb.gov. The Bureau encourages stakeholders to review the guidance for specific language regarding regulatory priorities. The guidance also highlights the importance of ongoing compliance with TILA requirements, even if enforcement actions are not prioritized. Financial institutions are advised to continue monitoring regulatory updates for any changes in enforcement priorities or interpretations of TILA.

What the Regulator Issued

In a recent update released on the Federal Register, the Consumer Financial Protection Bureau (CFPB) issued a guidance document. The announcement explicitly states that the Bureau will not prioritize enforcement actions based on specific provisions of the Truth in Lending Act, particularly those relating to the use of digital user accounts to access Buy Now, Pay Later loans. This decision marks a notable change in the CFPB’s enforcement posture regarding digital lending mechanisms. The guidance references the 2024 final rule regarding Buy Now, Pay Later (89 Fed. Reg. 47,068), indicating that while the rules remain in effect, the enforcement priorities have shifted.

Entities subject to this guidance include banks, credit unions, fintech companies, and other entities that engage in consumer lending. The scope is limited to consumer protection matters covered under Regulation Z. The CFPB emphasizes that this does not absolve entities of their statutory obligations under TILA. Instead, it signals a resource allocation decision to focus on other areas of consumer financial protection. The official text of the announcement can be accessed at https://cfpb.gov. The Bureau encourages stakeholders to review the guidance for specific language regarding regulatory priorities. The guidance also highlights the importance of ongoing compliance with TILA requirements, even if enforcement actions are not prioritized. Financial institutions are advised to continue monitoring regulatory updates for any changes in enforcement priorities or interpretations of TILA.

Who Is Impacted

The guidance issued by the CFPB impacts a wide array of financial entities and platforms. Specifically, banks, credit unions, and consumer finance companies that offer loans facilitated through digital user accounts are directly affected. This includes traditional banking institutions that have adopted Buy Now, Pay Later (BNPL) programs to compete in the digital lending space, as well as standalone BNPL providers operating as fintech companies or marketplace lenders. The impact extends to non-profit lenders and other consumer financial service providers that must adhere to Regulation Z requirements. While the guidance focuses on the use of digital accounts, it also implicitly affects institutions that handle sensitive consumer data for these lending products. The regulatory update signals that the CFPB is reallocating its enforcement resources, which means that while the scrutiny on digital account access for BNPL loans may decrease, scrutiny on other areas such as unfair, deceptive, or abusive acts or practices (UDAAP), data privacy, and mortgage servicing remains at high levels. This necessitates a comprehensive review of compliance programs across the organization to ensure that all statutory obligations are met, regardless of enforcement priorities. Institutions that rely heavily on digital onboarding and account verification methods must ensure their processes continue to meet baseline compliance standards, even if specific enforcement actions are deprioritized.

Compliance Checklist

• Review TILA Disclosure Requirements: Ensure all periodic statements and disclosures provided to consumers comply with Regulation Z requirements, including accurate disclosure of terms and costs.
• Audit Digital Account Procedures: Evaluate the security and accuracy of digital user accounts used for BNPL loans to ensure they meet baseline standards for consumer protection.
• Update Risk Assessment Models: Adjust risk models to account for the reduced enforcement priority in this area, while maintaining robust risk management for other regulatory areas.
• Monitor Regulatory Updates: Establish a process to regularly review updates from the CFPB and other regulators to stay informed of changes in enforcement priorities or rulemaking.
• Train Compliance Teams: Ensure legal and compliance teams are educated on the nuances of the CFPB’s guidance, focusing on the distinction between enforcement priorities and statutory obligations.
• Assess Third-Party Vendors: Review contracts with third-party vendors who provide digital account access or BNPL services to ensure they are not relying on non-compliant methods.
• Document Compliance Decisions: Maintain detailed records of compliance decisions and risk assessments related to digital account access to demonstrate due diligence in case of future inquiries.

By following these checklist items, financial institutions can position themselves for a compliant environment despite the shift in regulatory focus. It is essential to understand that the lack of enforcement priority does not equate to a lack of legal obligation. Institutions must continue to adhere to all TILA requirements, ensuring that disclosures are accurate and timely. Furthermore, any changes to internal policies regarding digital account access should be documented and justified to withstand regulatory scrutiny in other areas.

Open Questions

Several open questions remain following the CFPB’s announcement. One key question is how this guidance will affect the long-term development of the BNPL market. If enforcement is deprioritized, will this lead to a relaxation of standards in this sector? Another question concerns the duration of this enforcement posture. Is this a temporary measure to address resource constraints, or is it a permanent shift in regulatory philosophy? Furthermore, stakeholders are wondering if this guidance signals a broader trend towards focusing enforcement on more severe consumer harms, such as predatory lending or data breaches, rather than technical compliance with specific disclosure rules. Additionally, there is uncertainty about how state-level regulators will respond. Will state attorneys general or other state banking regulators issue conflicting guidance or maintain stricter enforcement standards? Finally, the guidance raises questions about the potential for future rulemaking. Could the CFPB propose new rules that supersede the current guidance, or will they continue to rely on a priority-based enforcement model? These open questions require ongoing attention from legal and compliance professionals to navigate the evolving regulatory landscape.

Practical Implications

The practical implications of this guidance are significant for financial institutions and BNPL providers. While the CFPB states that it will not prioritize enforcement actions related to digital account access, institutions cannot simply assume they have a free pass. The underlying legal obligations remain, and failure to comply with TILA could still result in significant penalties or reputational damage if challenged. Institutions must balance the CFPB’s guidance with their internal compliance risk tolerance. For example, a bank that relies on digital accounts to streamline the loan origination process must still ensure that the terms of the loan are accurately disclosed. This may require updates to internal systems to ensure that disclosures are accurate even if enforcement is less likely. Furthermore, the guidance highlights the importance of resource allocation. Institutions may choose to invest more in other compliance areas, such as fair lending or UDAAP, knowing that resources are not being concentrated on BNPL digital account issues. However, they must remain vigilant to ensure that any resource shifts do not lead to unintended compliance gaps.

Another practical consideration is the impact on business strategy. BNPL providers may adjust their business models in anticipation of this guidance, potentially exploring new product offerings or partnerships that align with the new regulatory environment. However, they must also ensure that any new offerings do not inadvertently expose them to compliance risks in other areas. For instance, a BNPL provider might partner with a bank to offer digital accounts, but must ensure that the bank’s compliance programs cover all aspects of the joint venture. Finally, the guidance serves as a reminder that regulatory enforcement is dynamic and subject to change. Institutions must remain agile and ready to adapt to new regulatory priorities, ensuring that their compliance programs are robust and adaptable to evolving regulatory landscapes.