Unpacking CFPB’s Unwieldy Buy Now, Pay Later Guidance

This article was originally published on November 12, 2024 on Law360 and is republished here with permission.

On Sept. 18, the Consumer Financial Protection Bureau issued guidance in the form of frequently asked questions for its interpretive rule subjecting buy now, pay later transactions to provisions of Regulation Z applicable to credit cards and charge cards.[1]

The rule, issued May 22, represents a potential sea change not only in the regulatory landscape for buy now, pay later providers — these no cost, four-payment installment loans will now be treated as if they were open-end cards — but also in the CFPB’s rulemaking process.

Effect on Buy Now, Pay Later Providers

Because most buy now, pay later providers issue closed-end products without finance charges, and that are payable in four or less installments, most take the stance that the Truth in Lending Act, or TILA, and its implementing regulation, Regulation Z, are inapplicable.[2]

However, in its rule, the CFPB argues with little additional support that a buy now, pay later provider that allows a consumer to access its products through a digital user account has issued an “other credit device” or “other single credit device” within TILA/Regulation Z definition of a “credit card.”[3] Rather unhelpfully, the rule does not precisely define “digital user accounts” — or “buy now, pay later” for that matter — but it notes that such accounts typically are a form of secure, personal profile activated by the buy now, pay later provider for the consumer that allows the consumer to access and utilize buy now, pay later credit to make purchases.

This has profound consequences because, once a buy now, pay later provider has issued a credit card, it becomes a creditor subject to many of the same legal protections and consumers rights that apply to traditional credit cards, including the rights to dispute charges and demand refunds for returned products.[4]

But this same logic extenders further, broadly subjecting providers to Subpart B of Regulation Z that would otherwise apply only to open-end credit.

This not only creates substantive and burdensome procedural requirements for buy now, pay later providers, but also subjects providers to regulatory confusion as to which provisions of Subpart B are — or are not — applicable. For example, must a provider give disclosures found in Subpart B that, on their face, seemingly apply only to open-end credit? The CFPB’s answer — not surprisingly — is often, “yes.”

Presumably in response to industry comment letters requesting clarification of these issues, the CFPB posted the FAQs regarding the rule on Sept. 18.

The FAQs consist of a series of questions and answers purportedly designed to clarify the application of Regulation Z; however, they tend to offer a rather maximalist interpretation of the rule, TILA and Regulation Z — often in an inconsistent manner and without textual support — and with little relief for buy now, pay later providers. For example:

• The FAQs go beyond merely clarifying points made in the rule, stating that digital user accounts issued by providers are not only credit cards, but also charge cards. This is a significant expansion which the rule itself failed to reference.

• The FAQs contain internal inconsistencies. For example, on Page 6 of the FAQ, the CFPB states that requirements for open-end consumer credit plans do not apply to digital user accounts, but, on Page 11, it changes tact and asserts that the so-called 14-day rule for periodic statements, which by its plain terms only applies to open-end consumer credit plans, is, in fact, applicable.[5]

• The FAQs also interprets Regulation Z’s requirements in a manner inconsistent with the plain language of the statute. TILA specifies exactly which requirements can be imposed on card issuers, regardless of whether the amount due is payable in more than four installments or if a finance charge is required.[6] The FAQs suggest that additional requirements, such as tabular account opening disclosures under Section 1026.6(b) of Regulation Z and closing dates on statements, are applicable, which go beyond the nine disclosure requirements listed in TILA.

Read together, both the rule and the FAQs are not only onerous, but place buy now, pay later providers in murky waters with the unenviable position of attempting to place a square, closed-end product in a round, regulatory framework meant for open-end products.

Rulemaking Through “Guidance”

To further complicate matters, the CFPB appears to have taken an outcome-oriented approach in issuing the rule that may not be supported by applicable law.

Specifically, the CFPB claims its authority for the rule — in lieu of a formal rulemaking — stems from TILA and Regulation Z and its general authority to issue guidance as set forth in Section 1022(b)(1) of the Consumer Financial Protection Act.

However, in crafting the rule, the CFPB has ignored its own commentary on Regulation Z that a mere account number used to access credit and that is associated with closed-end credit is not a credit card even if used “to purchase goods and services.”[7] It also seems to ignore TILA’s definition of credit card, which contemplates a physical device.

Moreover, the CFPB’s policy rationale for the rule — extending the protections of the Fair Credit Billing Act, such as dispute rights to buy now, pay later customers — arguably fails to align with the Fair Credit Billing Act or the plain language of TILA.

That is, the reason the Fair Credit Billing Act affords physical credit cards or credit devices special protections is that physical devices can easily be obtained, picked up, stolen, etc., and used by anyone. This is decidedly different from a buy now, pay later product accessible via what the CFPB’s own rule describes as a “secure, personal profile.”

Put another way, the key protections for physical credit cards exist because of how easily they can be stolen and/or misused. Buy now, pay later credit, on the other hand, generally requires a username, a password, and a number of other checks related to identity and fraud before any purchase.

There accordingly is an open question as to whether the rule violates the Administrative Procedure Act — which requires various substantive and procedural requirements, such as a formal notice and comment period — given that the CFPB appears to have made a significant amendment to Regulation Z through a mere interpretive rule in a manner that may be arbitrary and capricious.

Given the above, a blistering 60-day compliance deadline — which itself arguably violates TILA — and the aggressive, if not statutorily deficient, interpretations of TILA in the FAQ, in October, the Financial Technology Association filed a complaint against the CFPB in the U.S. District Court for the District of Columbia seeking to invalidate the rule.[8]

While any guess as to the ultimate status of the rule would be mere prognostication at this stage, the litigation seems poised to clarify the legality of the CFPB’s new approach to rulemaking through guidance.[9] But, in the short term, providers and other participants in the consumer credit markets should prepare for additional guidance in lieu of formal rulemaking.

[1] 89 Fed. Reg. 47078 (promulgating the Rule); Buy Now, Pay Later Product FAQs, CFPB (Sept. 18, 2024), available at https://files.consumerfinance.gov/f/documents/cfpb_BNPL-frequently-asked-questions.pdf.

[2] See 12 C.F.R. § 1026.2(a)(17)(i) (generally excluding non-credit card products with these features from the definition of “creditor” under Regulation Z).

[3] See, e.g.,12 C.F.R. § 1026.2(a)(15)(i) (defining a “credit card” as any card, plate, or other single credit device that may be used from time to time to obtain credit).

[4] See, e.g., 12 C.F.R. § 1026.2(a)(17)(ii) (defining a “creditor” to include, for the purposes of Subpart B of Regulation Z, “any card issuer that extends either open-end credit or credit that is not subject to a finance charge and is not payable by written agreement in more than four installments”).

[5] See 12 C.F.R. §1026.5(b)(2)(ii)(B).

[6] See 15 U.S.C. § 1602(g).

[7] See Regulation Z, Comment 2(a)(15)-2.ii (“In contrast, credit card does not include, for example: An account number that accesses a credit account, unless the account number can access an open-end line of credit to purchase goods or services or as provided in § 1026.61 with respect to a hybrid prepaid-credit card.”).

[8] See Fin. Tech. Assoc. v. CFPB, Case No. 1:24-cv-2966 (ACR) (D.D.C. Oct. 18, 2024).

[9] See, e.g., 89 Fed. Reg. 61358 (July 31, 2024) (CFBP “guidance” asserting that certain non-credit products are in fact “credit” under Regulation Z).