On May 22, the Consumer Financial Protection Bureau (“CFPB”) issued an interpretive rule purportedly clarifying the breadth of the term “credit card” for Truth in Lending Act (“TILA”)/Regulation Z purposes in the buy-now/pay-later (“BNPL”) context (the “Interpretive Rule”). The clarification asserts that “digital user accounts” that permit consumers to access credit in the course of a retail purchase are “credit cards,” subjecting the “card issuer” to certain additional disclosure and substantive obligations under Federal law. The Interpretive Rule would become effective 60 days after publication in the Federal Register. The CFPB is accepting comments on the Interpretive Rule through August 1, 2024, notwithstanding that the Bureau’s position is that notice-and-comment rulemaking is unnecessary for its interpretation to become effective.

Under TILA and its implementing regulation, Regulation Z, whether a credit product involves use of a credit card is critical to determining the scope of regulatory requirements. Subject to certain exceptions, non-card products trigger Regulation Z compliance obligations if they bear a finance charge (such as interest or various—but not all—types of fees) or are repayable by written agreement in more than four installments. When a credit card is involved, however: (i) products may fall within the scope of certain Regulation Z compliance obligations even if they lack a finance charge and are repayable in four or fewer installments; and (ii) more substantial requirements, such as ability-to-repay underwriting and limitations on penalty fees (the “CARD Act Requirements”), apply if a product involves a credit card, is structured as an open-end credit plan, and is not a home equity line of credit or an overdraft line of credit accessed by a debit or hybrid prepaid-credit card.

For these purposes, “credit card” means, subject to certain exceptions, “any card, plate, or other single credit device that may be used from time to time to obtain credit.” The term is not limited to physical cards, but may also include intangible access devices. Prior to the Interpretive Rule, for example, Regulation Z commentary provided that mere “account numbers” could be “credit cards” if they provided access to an open-end line of credit to purchase goods or services. The Interpretive Rule distinguishes “digital user accounts” from mere account numbers and asserts that at least some such accounts may meet the definitional elements of a credit card—i.e., reusability from time-to-time to obtain credit—particularly when there is a relatively frictionless flow permitting the consumer to access credit through the digital user account to purchase goods or services from online retailers or physically in stores.

While the Interpretive Rule acknowledges that not all digital user accounts are credit cards, it leaves significant ambiguity as to what the structure of a digital user account may be to avoid characterization as a credit card. In particular, it asserts that the fact that each BNPL is separately underwritten and may be denied would not be sufficient to shield an account structure from treatment as a credit card, nor would the fact that consumers’ use of the account results in a one-time account number or similar credential that may be used to make a single purchase at an online retailer. It also does not comprehensively address the role the digital user account must play in the retail checkout flow or the level of integration with a merchant’s systems that must exist before the account becomes a credit card. Accordingly, treatment of any particular BNPL digital user account may require nuanced, fact-intensive assessment to determine similarities and differences between card and non-card user experiences.

The Interpretive Rule primarily engages with the “core” BNPL product currently offered in the US, which is an obligation bearing no finance charge that is repayable in not more than four installments (typically a down payment followed by three periodic payments). For such a product, even if a credit card is involved, CARD Act Requirements would not apply. That said, potential obligations do include incremental: (i) advertising disclosures; (ii) application/solicitation and account-opening disclosures; (iii) change-in-terms notifications; (iv) periodic statements; (v) prohibitions on unsolicited issuance of a credit card; (vi) limitations on consumer liability for unauthorized use of the card; (vii) billing error resolution requirements (both substantive and procedural); (viii) rights of the cardholder to assert claims or defenses otherwise running against the merchant against the card issuer instead (also involving both substantive and procedural requirements); (ix) limitations on offset rights; (x) requirements related to prompt notification of returns and crediting of refunds; and (xi) limited payment processing restrictions. Of these, the CFPB’s primary focus (based on its initial press release and public statements) seems to be on dispute and refund rights, as well as the provision of periodic statements, though the Interpretive Rule does not set aside any of the requirements that otherwise would be applicable to a card-accessible consumer credit product.

Though the requirements applicable to non-CARD Act credit cards are not as substantive as CARD Act Requirements, they can require nuanced analysis as to which specific sub-requirements apply to credit cards accessing closed-end credit vs. only those accessing open-end lines of credit. Additionally, the party to which the requirements technically apply—the “card issuer”—may be a BNPL provider, a bank partner originating BNPL credit, a payment processor providing an entry point into card or payment networks, or even some combination of the three, depending on the facts of the underlying program; and, even once specific requirements and the party to which they apply are identified, setting up and testing appropriate automation and compliance controls can take time. Particularly in programs implemented through partnerships among multiple (typically bank and non-bank) parties, these considerations already are beginning to generate conversations regarding amendments to consumer-facing and partnership/service provision agreements, build-out of compliance management systems and compliance team capacity, incremental monitoring and testing requirements, and similar issues.

Industry comments may challenge whether guidance absent notice-and-comment rulemaking is appropriate for this particular Interpretive Rule, as well as challenge or seek clarification as to the types of digital user account fact patterns covered by the interpretation. Litigation challenging the Interpretive Rule is also a possibility, though no such litigation has been advanced as of the date of this post.