Episode 30: Unpacking CFPB’s Proposed Rule on Digital Payments Oversight With Guests From Davis Wright Tremaine

Episode 30: Unpacking CFPB’s Proposed Rule on Digital Payments Oversight With Guests From Davis Wright Tremaine

December 4, 2023

In the latest episode of the Risk Intel Podcast, host, Ed Vincent, CEO of SRA Watchtower, engages in an enlightening discussion with Ryan Richardson and Andy Lorentz, seasoned attorneys and regulatory experts at Davis Wright Tremaine, LLP. This insightful episode unveils the intricacies of the newly proposed Consumer Financial Protection Bureau (CFPB) rule on Digital Payments that aims to extend supervisory authority to larger non-bank participants.

Join Ed, Ryan, and Andy as they navigate the regulatory landscape, shedding light on the potential changes and implications for non-bank entities engaged in diverse consumer financial activities. The conversation also delves into the nuances of direct versus indirect supervision and unravels the challenges faced by technology companies operating in the financial services realm.  Below is a summary of the episode or feel free to listen to the full episode to gain insights into this proposed new rule.

The Regulatory Landscape for Non-Bank Participants

In dissecting the regulatory landscape for non-bank participants, guests Ryan and Andy shed light on the CFPB pivotal focus on larger entities operating outside traditional banking structures. With a spotlight on various consumer financial activities, the proposed rule signifies a significant departure from the status quo. The proposed rule's primary objective is to broaden the scope of supervisory authority, aiming to encompass non-bank entities within its regulatory purview. This prospective extension of authority introduces the possibility of a substantial paradigm shift in compliance management systems for non-bank participants. As the CFPB ventures into this uncharted territory, market participants are poised to navigate a regulatory environment that could redefine the rules governing their operations and compel a comprehensive reassessment of their compliance strategies.

Direct vs. Indirect Supervision

The discussion takes a deep dive into the nuanced dynamics of direct versus indirect supervision, specifically examining the consequences for non-bank companies, notably technology firms engaged in financial services through partnerships with banks. Ryan and Andy both highlight the challenges emerging from the transition to direct supervision, emphasizing the historical context of technology companies being accustomed to operating under the umbrella of indirect oversight. The evolving landscape, especially with the prevalence of cloud-based financial services, poses distinctive hurdles for these entities. While technology companies have honed their compliance strategies to align with indirect supervision, the shift towards direct scrutiny necessitates a recalibration of their compliance management systems. This exploration of direct versus indirect supervision underscores the impending complexities and adjustments that non-bank entities, particularly technology firms, may encounter as regulatory paradigms undergo transformation. This is something we will have to keep a close eye on, as the ruling becomes into effect.

Security Concerns and PCI Standards

The conversation delves into the critical realm of security concerns and the adherence to PCI (Payment Card Industry) standards, specifically within the context of the proposed rule. Ryan and Andy underscore the significance of this aspect, emphasizing that the custody of credentials, particularly in the realm of digital wallets, is not just a consumer protection matter but a paramount IT and security issue.

By addressing the act of storing credentials and their subsequent use in initiating transactions, commonly referred to as "card on file" or unscheduled credential transactions, the discussion brings attention to the existing robust PCI data security standards governing the handling of such sensitive information. While acknowledging the effectiveness of these standards in mitigating security risks, there remains a question about the precise gap that the proposed rule seeks to fill concerning wallet functionality. They also share their keen interest in understanding through the comment process how the rule intends to enhance consumer protection in this domain, while navigating the complexities of existing security frameworks and standards.

Impact on Regulated Entities

So how does this impact banks and other regulated entities? Andy and Ryan share their insights on the potential ramifications for regulated entities, shining a spotlight on depository institutions that have long been accustomed to prudential regulation. The proposed rule introduces a paradigm shift, triggering a cascade of considerations for these entities.

The discussion revolves around the challenges of coordination between the CFPB and other regulators. This nuanced interplay between different regulatory bodies poses a complex landscape for institutions navigating compliance obligations. Our guests underscore the necessity for the regulated community to meticulously evaluate the implications of this rule on their operations, anticipating potential hurdles and ensuring a seamless adaptation to the evolving regulatory framework. Additionally, the conversation brings into focus the ripple effects on partners, emphasizing the need for a comprehensive understanding of the downstream impacts that may emanate from the direct supervision of non-bank participants, further underscoring the intricacies of regulatory relationships within the financial ecosystem.

Guidelines for Commentary and Key Deadlines:

With digital payment applications playing a pivotal role in modern financial transactions, the CFPB emphasizes the need for oversight to safeguard consumers, especially when traditional banking safeguards may not apply. As the proposed rule navigates the rulemaking process, stakeholders are invited to contribute their insights and feedback during the comment period. This is an opportune moment for industry participants to provide their perspectives, voice concerns, and offer recommendations. Comments on the proposed rule must be submitted by January 8, 2024.

Ryan and Andy address the crucial question of what actions their clients should take in response to the proposed rule and advise creating a strategic approach to commenting during the open period. Recognizing the broad and nuanced nature of the proposed rule, they highlight that this is an opportunity for participants to engage in the comment process, shedding light on gaps and implementation questions that need thorough examination. Strategically framing your comments and choosing the most effective channels, be it through direct contributions or collaborative efforts with a trade association is key.


Through these regulatory shifts, market participants face a unique set of challenges and considerations. As the CFPB's proposed rule undergoes a comment period, stakeholders must strategically navigate this evolving landscape, ensuring a forward-looking approach to compliance and risk management. While this summary provides a condensed overview of the in-depth conversation, we highly encourage everyone wanting to learn more about the proposed rule to listen or watch to the full episode.

Below are links to CFPD’s overview of this proposed ruling and links to make comments:

Read CFPD Notice of Proposed Rulemaking

Federal Register: Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications

RMA RIsk Maturity Framework

Powered by SRA Watchtower

Take the self-assessment today to
measure your institutions risk maturity.
risk maturity framework


Book an


discovery session

enterprise risk management for credit unions
Three ways to tap into the people, technology and insights of SRA Watchtower.
We're focused exclusively on the serving the financial & Insurance industries.


Discovery Session
Schedule a 30 minute discovery call with an SRA Watchtower risk expert to understand your challenges or opportunities ahead to see how Watchtower's holistic risk intelligence platform can support your goals.


watchtower demo
Look inside Watchtower, the holistic risk intelligence platform to learn how it helps executives navigate risk and drive growth.

Risk Intel

Risk Intel Podcast
Listen and learn from SRA Watchtower risk enthusiasts, customers, and experts across the financial industry through our weekly risk focused podcast.


Watchtower News

RMA RIsk Maturity Framework

Powered by SRA Watchtower

Take the self-assessment today to
measure your institutions risk maturity.
risk maturity framework