So you want to start a FinTech payments company.
Cool beans, but how would it be regulated?
Let’s dig into a few laws.
Truth in Lending Act (TILA) and Reg Z
Consumer credit products (e.g., physical and virtual credit cards, loans) are mainly regulated by TILA,1 while consumer debit is mainly regulated by the Electronic Fund Transfer Act (more on that below).
TILA applies if:
A company regularly extends consumer credit,2
The credit is subject to a finance charge or is payable in more than 4 installments,3 and
The credit is for consumer purposes (personal, family, or household purposes).
Key TILA requirements:
Before a credit offer is accepted, you need to provide disclosures of standardized credit terms and terminology (e.g., minimum rates and APR, possible rate changes, how credit balances and charges are calculated, potential customer liability).
It gives consumers protections like:
Your liability for unauthorized credit card transactions is capped at $50.
You can withhold payments for a credit charge if you dispute it within 60 days of receiving the relevant statement.
You can also withhold payments if you claim a merchant didn’t perform its end of the bargain.4
Electronic Fund Transfer Act (EFTA) & Reg E
The EFTA applies to “electronic fund transfers,” which are consumer credit or debit transfers made via phone, internet, mag strip, Near Field Communication (NFC), or other electronic means.
Practically, this means EFTA governs debit cards, ATMs, ACHs, and prepaid cards and accounts.5
Key EFTA terms:
It requires disclosure of key terms before any transfers are made (e.g., showing type of transfers allowed, limits on transfers, and fees).
If you want to change terms of use, you need to give customers at least 21 days’ notice.
It caps your liability for lost or stolen cards to: (1) $0 if you notify the debit card issuer before any unauthorized transactions happen, (2) $50 if you notify them within 2 days of the theft, (3) $500 if you notify them after 2 business days.6
Unlike credit cards, debit card holders can’t withhold payments if they claim a merchant didn’t uphold its end of the bargain.
Credit Card Accountability, Responsibility, and Disclosure (CARD) Act
Under the CARD Act, if you offer consumer credit cards,7 you:
Must show the minimum monthly payments due, and the amount needed to pay off the balance in 36 months.
Must give consumers at least 21 days to pay from when a bill is sent.
Can’t set payment deadlines on weekends or in the middle of the day, or change their deadlines each month.
Must give at least 45 days’ notice before any increase in APR, can’t change terms within a year, and must keep any low, introductory rates for at least six months.
Can’t charge more than $25 if you spend over your credit limit, and must get your consent to change overlimit fees.
The Prepaid Rule
Consumer prepaid cards and accounts are primarily regulated by the CFPB’s Prepaid Rule.
The Prepaid Rule’s scope:
Applies to: reloadable prepaid cards and accounts (including digital wallets like Venmo and ApplePay), payroll cards, benefit card accounts, government benefits cards.
Does NOT apply to: gift cards, certain benefit cards like HSAs and FSAs, checking accounts, NOW accounts, loyalty cards.
Key Prepaid Rule requirements:
Prepaid account/card providers must provide specific disclosures that cover what you’d expect (fees, basic account info, etc.), but they come in two required “short” and “long” forms.
Prepaid account/card providers must provide free ways to access your account info.
Your liability for unauthorized transactions is capped at $50 if you report them within two days. After that, it goes up to $500.
Prepaid card/account issuers must investigate claims of fraud and unauthorized charges.
Prepaid card/account issuers must submit their user agreements to the CFPB and post them on their site.
Some special rules apply if a prepaid account/debit allows you to borrow money (e.g., overdraft or cash advance):
The card/account provider can’t offer you these services until you’ve had an account with them for at least 30 days.
They must provide monthly statements.
Total fees for credit features can’t be more than 25% of the credit limit during the first year.
You have 21 days to pay back any debt before you can be charged a late fee.
ACH Rules
ACH payments are mainly regulated by a few sets of rules that include the EFTA (you learned this one above!) and National Automated Clearing House Association (NACHA) rules. The EFTA sets minimum standards, but NACHA adds additional protections.
NACHA is a nonprofit group of banks that sets ACH standards. Some examples of NACHA rules include:
The receiving bank must authorize the transaction with the sending bank before money can be sent.
A sending bank must honor the request of a receiving bank to stop a scheduled debit within 3 days of the debit.
Sending banks must represent that their ACH entries don’t violate laws.
Receiving banks have an obligation to reimburse the user’s bank account for unauthorized debits within 60 days of notification.
Lots of fun rules for resolving disputes between banks.
UDAPs and UDAAPs
Payment co’s can be liable for unfair, deceptive, or abusive acts and practices (UDAAPs). You can think of these SpaghettiOs like:
“Unfair:”8 behavior like not implementing sufficient security practices, or refusing to release a mortgage after a customer pays it off.
“Deceptive:”9 behavior like “no hidden fees!” when there are fees, or presenting variable interest as if it were fixed.
“Abusive:”10 behavior like...well, there actually hasn't been that much “abusive” enforcement yet. But it would be behavior like knowing a customer doesn’t speak English, only giving them an agreement in English, and misleading them about what it says.
At the federal level, the FTC and CFPB have authority to enforce “unfair” and “deceptive” acts, while the CFPB can enforce those two + “abusive” acts. This is why you’ll see them discussed as UDAPs (FTC, where “abusive” is left out) and UDAAPs (CFPB).
Durbin Amendment
No payments convo is complete without the Durbin Amendment (aka, “Durbin”). Durbin was part of the 2010 Dodd-Frank reforms.
What to know:
Durbin caps the debit interchange11 that banks with over $10B in assets can charge.
To promote competition, Durbin also gives merchants the right to route their debit transactions on their choice of at least two unaffiliated debit networks.
Money Transmitter Laws
A “money transmitter” is a business that (1) receives or sends money for consumers, (2) provides products that receive, send, or store money for consumers (e.g., digital wallets, prepaid cards), or (3) exchanges currencies.12
If you’re a money transmitter, you’re subject to regulation by the states where you offer services. This regulation typically includes:
Getting a license with each state, which requires disclosing the company’s financial and business health, background checks, and on-site visits.
Passing annual exams.
Minimum net worth requirements.
Posting a bond in the state.
Record-keeping requirements.
Currently, 49 (!) states have their own unique money transmitter laws, but there’s been recent movement to simplify the money transmitter examination process:
Starting in late 2020, money transmitters that already operate in 40 or more states only need to go through one exam for all states.
The OCC has also proposed a national money transmitter license that would only require one license at the federal level; TBD if they actually have authority to do that.
Deposit Brokers
Deposit brokers are businesses (e.g., FinTechs) that make or facilitate FDIC-insured deposits held by banks on behalf of third parties (e.g., FinTech customers).
Deposit brokers face restrictions based on how well capitalized they are. Well-capitalized FinTechs will face no restrictions, while less well-capitalized FinTechs may have limits on how much interest they can pay, or may not be able to broker deposits at all.
A few exceptions to the deposit broker rules exist. Most relevant:
Any FinTech whose primary purpose is not placing deposits.13
FinTechs that only make deposits at one bank.14
Regulation D
Savings accounts are normally limited to six transfers and withdrawals per month under Reg D. The Fed removed this limit during COVID, but it typically exists to encourage banks to keep adequate cash reserves.
FCRA
FinTech payment companies that use credit reports are subject to the Fair Credit Reporting Act (FCRA). Check out the FinTech lending TL;DR for FCRA details.
Anti-Money Laundering Obligations
Payments companies are also subject to anti-money-laundering laws and regs. Check out the AML and BSA TL;DR for details.
About
Hi! I’m Reggie. I’m a FinTech lawyer at BlueVine, and any views expressed are my own (well, sort of? I mean, they’re laws and regulations, so they’re not really “mine”). These TL;DRs are not legal or financial advice, obv.
1. Regulations (“regs”) implement laws. Laws are often broad and general, which is why agencies typically need to create more details (in the form of regs) to fill in the gaps. I’ll refer to sets of law (like TILA) + reg (like Reg Z) by their law.
2. Specifically, companies who offered credit >25 times in the prior year.
3. Oh how convenient, most BNPL companies don’t charge interest (aka, a finance charge) and don’t offer more than 4 installments.
4. Oddly, this only applies if the transaction is in the same state as, or within 100 miles of, the cardholder’s mailing address.
5. Prepaid cards/accounts have separate disclosure requirements under the CARD Act (discussed below).
6. Note that TILA gives you a blanket $50 liability cap but EFTA doesn’t. Aka, you can be responsible for much more if you use a debit card.
7. The CARD Act also has some gift and prepaid card regs.
8. The legal “unfair” test: (1) likely to cause substantial harm, (2) the harm can’t be reasonably avoided by the consumer, and (3) the harm is not outweighed by any benefits to consumers or competition.
9. The legal “deceptive” test: a material statement or omission that is likely to mislead consumers who are acting reasonably under the circumstances.
10. The legal “abusive” test: an act or practice that: (1) materially interferes with the ability of a consumer to understand a term or condition of the product or service, or (2) takes unreasonable advantage of the consumer’s (a) lack of understanding of the risks, costs, or terms, (b) inability to protect its interests in selecting or using the product/service, or (c) reasonable reliance on the company to act in the consumer’s best interest.
11. “Interchange” is the fee that a business pays to your bank when you use your debit card.
12. If you want more detail on money transmitters, this Congressional report is great. Technically, money transmitters are a type of “money services business.”
13. Specifically, this applies if either (1) less than 25% of the FinTech’s assets are deposits or (2) the FinTech puts 100% of the deposits in accounts that don’t pay fees, interest, or other $$ to the customer.
14. See the FDIC’s December 2020 rule for more color.