Lawsuit Challenges CFPB’s ‘Buy Now, Pay Later’ Rule

On Oct. 18, 2024, fintech trade group Financial Technology Association (FTA) filed a lawsuit challenging the Consumer Financial Protection Bureau’s (CFPB) final interpretative rule on “Buy Now, Pay Later” (BNPL) products. Released in May 2024, the CFPB’s interpretative rule classifies BNPL products as “credit cards” and their providers as “card issuers” and “creditors” for purposes of the Truth in Lending Act (TILA) and Regulation Z.

The FTA filed its lawsuit challenging the CFPB’s interpretative rule in the U.S. District Court for the District of Columbia. The FTA alleges that the CFPB violated the Administrative Procedure Act’s (APA) notice-and-comment requirements by imposing new obligations on BNPL providers under the label of an “interpretive rule.” The FTA also alleges that the CFPB violated the APA’s requirement that agencies act within their statutory authority by ignoring TILA’s effective-date requirement for new disclosure requirements and imposing obligations beyond those permitted by TILA. The FTA also contends that the CFPB’s interpretive rule is arbitrary and capricious because it is “a poor fit for BNPL products,” grants “insufficient time for BNPL providers to come into compliance with the new obligations” imposed by the rule, and neglects “the serious reliance interests that [the CFPB’s] prior policy on BNPL products engendered.”

In a press release announcing its lawsuit, the FTA said the BNPL industry would welcome regulations that fit the unique characteristics of BNPL products, but that the CFPB’s interpretive rule is a poor fit that risks creating confusion for consumers. “Unfortunately, the CFPB’s rushed interpretive rule falls short on multiple counts, oversteps legal bounds, and risks creating confusion for consumers,” FTA President and CEO Penny Lee said. “The CFPB is seeking to fundamentally change the regulatory treatment of pay-in-four BNPL products without adhering to required rulemaking procedures, in excess of its statutory authority, and in an unreasonable manner.”

The FTA’s pending lawsuit notwithstanding, BNPL providers may wish to consult with legal counsel regarding compliance with the CFPB’s interpretive rule. Retailers marketing BNPL products should also consider working with legal counsel to implement third-party vendor oversight policies to enhance BNPL-partner compliance with the rule.

CFPB Plans to Increase Regulation over “Buy Now, Pay Later” Lenders

The Consumer Financial Protection Bureau (CFPB) issued a release on September 15, 2022, announcing its intent to issue additional interpretive guidance or rules to ensure “Buy Now, Pay Later” (BNPL) lenders comply with the same or similar regulations already established for credit cards following a study on the industry.

In the press release, CFPB Director Rohit Chopra noted that “Buy Now, Pay Later is a rapidly growing type of loan that serves as a close substitute for credit cards.” While credit cards include interest charges, BNPL loans do not, making them more attractive to consumers. Instead, these loans allow consumers to purchase a product and repay the purchase price through several installment payments. As a result, BNPL loans have become prominent over the past several years, particularly during the COVID-19 pandemic. These previously niche loans, typically used for apparel and beauty purchases, are now used in almost all consumer-facing industries.

The CFPB noted several highlights of BNPL loans found through the study, which include:

  • Increased loan approval rates year over year;
  • Increased occurrences of late fee charges;
  • Increased product returns by consumers; and
  • Shrinking profit margins by BNPL lenders.

As a result of the study, the CFPB outlined the following concerns with the BNPL industry, mainly because the marketing of these loans leads consumers to believe the loans are a “zero-risk credit option.”

  • Limited Consumer Protections: While BNPL loans are used as an alternative to credit cards, they lack the standard credit disclosures, dispute resolution rights, etc., that similar consumer credit transactions often require.
  • Data Harvesting: Lower profit margins associated with BNPL loans have pushed the industry to monetize consumer data, potentially impacting consumer privacy.
  • Debt Accumulation: According to the CFPB, BNPL loans encourage consumers to purchase more products and borrow more, resulting in consumers becoming overleveraged. While the CFPB notes that the lenders in this space do not furnish credit data to credit reporting companies, the CFPB is concerned about this industry extending credit to consumers who may not be able to repay the debt.

Takeaways

The CFPB has yet again reinforced its commitment to regulate lenders that extend consumer credit. The CFPB’s decision to either enforce existing consumer laws (i.e., the Truth in Lending Act disclosures already required for credit cards and other consumer loans) or create new rules on the growing BNPL industry is not unexpected. However, the CFPB’s release shows a renewed focus on protecting consumers’ privacy rights and ensuring that consumers can afford to repay their credit lines before offers of credit are extended, and demonstrates once more that the Bureau will seek to regulate emerging forms of consumer credit.

© 2022 Bradley Arant Boult Cummings LLP

To 8-K, or not to 8-K? For Target, that is indeed the question.



As anyone with a pulse and a computer, television or carrier pigeon knows, Target Corporation (NYSE: TGT) suffered a major data breach in December – the extent of which is still being uncovered – and pegs the latest number of customers whose personal information was stolen at anywhere from 70 to 110 million. As a public company, a breach of this magnitude should be material enough to warrant a Form 8-K filing, right? As of this post, Target doesn’t seem to think so.

Form 8-K contains mandatory disclosure requirements when certain enumerated events occur, as in the entry into a material definitive agreement (Item 1.01) or the resignation of a director (Item 5.02).  Reporting an event such as the Target data breach would likely fall under Item 8.01 of Form 8-K, which is used to report “Other Events.”  Item 8.01 permits the registrant, at its option, to disclose any events not otherwise called for by another Form 8-K Item that the registrant “deems of importance to security holders,” and is an entirely voluntary filing.

Although filing under Item 8.01 of Form 8-K is voluntary, other companies that have suffered smaller data breaches have opted to file an 8-K to disclose such breaches, including The TJX Companies, Inc.’s (NYSE: TJX) breach disclosed in an 8-K in January, 2007, and Morningstar, Inc.’s (NASDAQ: MORN) more recent breach disclosed in an 8-K in July, 2013. Target’s securities lawyers may believe that the breach is not “important to security holders,” or is not sufficiently material to the roughly $38 billion company to warrant the filing of an 8-K, but 70 to 110 million affected customers is hardly immaterial, even for Target. In a statement released January 10, Target warned that the costs related to the breach “may have a material adverse effect on Target’s results of operations in fourth quarter 2013 and/or future periods.”

Indeed, Target evidently determined when filing its Form 10-K for 2012 that the risk of a data security breach was material enough to warrant disclosure in its risk factors:

“If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

“The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.” (emphasis added)

Of course, there is no time limit for filing under Item 8.01 of Form 8-K due to it being a voluntary filing, so a filing may still be forthcoming from Target.  In any event, one can only imagine that the risk factor language above will look very different in Target’s next Form 10-K filing in two months.

Article by: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.