CFPB's Prepaid Rules Add Risk for Google, PayPal

By Gregory Roberts

Oct. 28 — The Consumer Financial Protection Bureau's prepaid card rules will require mobile wallet businesses to reimburse customers who are victims of fraud—and set aside the money to do so.

That requirement is unlikely to have much of an impact on banks that issue prepaid cards or the largest mobile wallet providers such as PayPal and Google, which already voluntarily provide many of the proposed protections. But it could prove more difficult for newer entrants.

“How many of them could afford it and make good remains to be seen,” Karen Shaw Petrou, managing partner of Federal Financial Analytics told Bloomberg BNA.

There's no question that the prepaid card rules—announced Oct. 5 and taking effect on Oct. 1, 2017—apply to one particular segment of the mobile-wallet marketplace: The “stored value” products, such as PayPal's Venmo and Google Wallet, that can hold money that a customer has moved into a dedicated account on the wallet. Exempt from the rules are products such as Apple Pay, which merely allow consumers to tap into their bank, credit-card or other outside accounts through the wallet. All mobile wallets allow consumers to access accounts via smart phones and other digital devices.

The final rules amount to “a business-model buster that redefines the competitive landscape at a transformational point in time,” Petrou wrote in a recent memo for her clients.

“It's definitely a change,” Elizabeth Khalil of Dykema Gossett PLLC, a former bank regulator with the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., told Bloomberg BNA. “Only time will tell what the true economic impact is.”

Mobile Wallets Lassoed

The CFPB rules are designed primarily for garden-variety prepaid cards. “It just so happens that from a policy perspective and a regulatory perspective, it becomes very difficult to distinguish those from a digital wallet,” Brian Peters, executive director of Financial Innovation Now, a trade alliance of Amazon, Apple, Google, Intuit, and PayPal, told Bloomberg BNA.

For the stored-value wallets covered by the rule, Petrou told Bloomberg BNA in a telephone interview, “The big risk is their resilience to hacking and to the ability of someone to drain your account. In those instances, it's been very unclear up to this point who is responsible (for assuming the risk). It's clear now that the online payment provider would have increased legal responsibility.

“Venmo — if when you're trying to pay up your bar bill with some of your friends, someone hacks into Venmo and drains your checking account, they (the wallet providers) are screwed,” she said. “That's what changed now, and that's big.

Under the Electronic Fund Transfer Act, passed by Congress in 1978 and put into effect by the Federal Reserve Board as Regulation E, the user of a regular credit card is shielded from charges of more than $50 incurred as the result of loss or theft of the card or of fraud, provided the breach is reported within a certain time limit. And when a customer disputes a transaction, the bank that backs the credit card issuer must credit the customer's account for the disputed amount if the issue is not resolved in 10 days, pending a final resolution.

The new CFPB rulemaking extends those protections to prepaid cards and stored-value mobile wallets.

Risk Transferred

“Certainly, it's going to have an impact,” Linda Odom, a partner in the Washington office of K&L Gates LLP, told Bloomberg BNA. “It's going to, if not stifle innovation, make it more challenging.”

Banks that issue credit cards and prepaid cards set aside resources or buy insurance to cover their “Reg E” risk.

“It's just a cost of doing business that banks are capitalized to absorb because they've been doing it for years,” Petrou said. “New entrants are not.”

The coverage could amount to hundreds of millions of dollars for a major credit-card issuer, Petrou said.

“The banks do have to take into account potential fraud losses, and ensure that there are sufficient funds,” Nessa Feddis, senior federal counsel for the American Bankers Association, told Bloomberg BNA.

The hit from the extension of Reg E to mobile wallets may not turn out to be a heavy blow to the major players in the market, whatever its impact on fledgling start-ups.

“It’s not like this is a complete sea change,” Odom said. “It wasn’t the Wild West.”

Leading stored-value mobile-wallet providers, such as PayPal and Google, have already voluntarily provided their customers many of the protections now mandated, she said.

“Many of the companies in this space have decided they essentially want their products to be Reg E-compliant,” Peters said. “Even though it wasn't a specific requirement of the laws, they did it because their customers expected it.”

Security Increased

Beyond that, mobile wallets provide levels of security that can minimize fraud, Peters said. The smart phone itself can be password-protected, as can the wallet, and biometric applications such as fingerprint identification can enhance security — all of which can reduce the cost of the Reg E risk, he said.

“Our belief is that our technological expertise and capabilities probably make that a more manageable prospect for our companies,” Peters said. “We're good at this stuff. We've been doing this security business really, really well for a long time.”

Both Google and PayPal objected to the inclusion of mobile wallets in the CFPB rule.

“Digital wallets continue to evolve, and overregulation would unnecessarily stifle this emerging market,” Google wrote the CFPB in 2015 in a letter commenting on the then-proposed rule.

PayPal offered a similar argument in its comment letter the same year. The average value stored in its wallets is $6, the letter said, with most of the wallets also linked to credit cards.

“Mobile wallets are a new development, a new product and a new service, and need to be treated separately from a prepaid card,” senior vice president Scott Talbott, of the Electronics Transactions Association (ETA), told Bloomberg BNA; the ETA, an industry group, includes both Google and PayPal among its members. “One size does not fit all.”

Google also said in its comment letter that the use of mobile wallets is in its “infancy” and thus “they pose minimal risk to consumers. Therefore, there is little need for heavy-handed regulation of these products. Instead, heavy regulation would risk inadvertently stunting the continuing development of digital wallets, which could have a deleterious impact on the board range of consumers that would otherwise benefit from such innovation.”

Christina Tetreault, a lawyer with the Consumers Union advocacy organization, thinks the regulation could help the industry grow up. The extension of the “crucial protections” of Reg E to mobile wallets could increase consumer confidence in still largely unfamiliar products, Tetreault said.

“This may be part of the push for greater adoption,” she said.

To contact the reporter on this story: Gregory Roberts in Washington at

To contact the editor responsible for this story: Mike Ferullo at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.