Alston & Bird Consumer Finance Blog


OCC Issues Guidance on “Buy Now, Pay Later” Lending

A&B Abstract:

On December 6, 2023, the Office of the Comptroller of the Currency (OCC) issued a bulletin aimed at providing guidance to national banks and federal savings associations (“Financial Institutions”) involved in “buy now, pay later” (BNPL) lending. The advisory emphasizes the need for these Financial Institutions to carefully manage risks associated with BNPL, focusing on aspects such as underwriting, repayment terms, pricing, and safeguards to protect customers. Additionally, the OCC stresses the importance of clear and prominent marketing materials and disclosures.

The Bulletin

While BNPL products may vary, the bulletin focuses on BNPL loans which involve four or fewer installments without finance charges, and that are commonly offered at the point of sale. Such BNPL products are distinguished from more traditional installment loans with payment terms greater than four installments or that charge interest or carry other finance charges. These loans have become increasingly popular, especially among younger individuals and those with limited credit history.

The OCC identifies various risks related to BNPL loans for both lenders and consumers, including credit, compliance, operational, strategic, and reputational risks. Specific concerns include potential borrower overextension, limited applicant credit history, unclear disclosure language, challenges with merchandise returns and merchant disputes, operational and compliance risks related to third-party relationships, and increased operational risk due to the highly automated nature of BNPL lending.

Further details on risks include the potential for elevated first payment default risk, additional fees for borrowers due to overextension, and the possibility that credit reporting agencies may lack visibility into BNPL activity.

The OCC’s guidance advises Financial Institutions engaged in BNPL lending to establish robust risk management systems, including prudent lending policies for risk identification, measurement, monitoring, and control. Regarding credit risk, the bulletin emphasizes the importance of sound charge-off practices, allowances for credit losses, and timely reporting of comprehensive information to credit bureaus under the Fair Credit Reporting Act.

The guidance also provides recommendations for operational risk management. It encourages Financial Institutions to assess and mitigate fraud risks, subject BNPL lending process models to sound model risk management and integrate BNPL lending into broader compliance management systems. Additionally, it highlights the need for Financial Institutions engaging third parties in BNPL lending to incorporate such relationships into their third-party risk management protocols.


Given the OCC’s focus on the risks associated with BNPL products, now is a good time for Financial Institutions engaged in BNPL Lending to ensure that their compliance management programs are robust enough to ensure compliance with the OCC’s guidance.

California Settlement Offers Reminder that Buy Now Pay Later Participants are Subject to California Financing Law

In August 2022, the California Department of Financial Protection and Innovation (“Department” or “DFPI”) entered into a consent order with a company offering point of sale financing products that the DFPI deemed to be buy now, pay later (“BNPL”) financing, for which a California Financing Law (“CFL”) license is required. The company is required to pay a penalty, refund previously collected fees from California residents, and obtain a CFL license.

The settlement follows an annual report released in October of 2021 in which the DFPI noted a sharp increase in BNPL “consumer loans.” In the accompanying press release to that report, the DFPI stated:

BNPL loans are an increasingly common type of short-term financing that allows consumers to make purchases and pay for them at a future date, often interest-free. Sometimes referred to as point-of-sale installment loans, BNPL products are becoming a popular payment option. The report shows a surge in BNPL unsecured consumer loans reported to the DFPI. This product has grown in recent years and has come under the DFPI regulatory umbrella.

The press release also noted that the Department had rendered prior legal opinions and entered into settlements with three separate BNPL / point-of-sale financers in 2019 and 2020 that were deemed to be structuring their BNPL products in a manner designed to evade regulation under the CFL. These companies had agreed to refund fees to consumers and obtain CFL licenses, and among other requirements, must: (i) consider consumers’ ability to repay loans, (ii) comply with rate and fee caps, and (iii) respond to consumer complaints

In one of those prior opinions, the DFPI (formerly, the Department of Business Oversight) asserted that the CFL applies to making consumer loans and noted that the CFL defines “consumer loan” as a loan “the proceeds of which are intended by the borrower for use primarily for personal, family, or household purposes.” (Note that loans in the principal amount of $5,000 or less for other than personal, family, or household purposes are also included in the definition, bringing certain commercial or business-purpose loans within the scope of the CFL). The Department further stated that the CFL incorporates certain aspects of the common law, including that merchants may sell goods in exchange for cash or in exchange for a consumer’s promise to pay later (a “credit sale”) and that a merchant may charge a premium for credit sales without the transaction being subject to the state’s loan laws and without the premium being subject to the state’s usury limit. The DFPI concluded, however, that “[e]xtensive third-party involvement may cause transactions to be deemed loans even if the underlying credit sale is bona fide.”

Taken together, the Department’s prior statements, opinions, and enforcement actions signal a broad interpretation of the CFL that could potentially apply to many lenders and third parties involved in point-of-sale financing, including the offering of buy now, pay later products. In the press release accompanying the most recent enforcement action, the DFPI concluded that it “continues investigating other companies offering Buy Now, Pay Later products.”

Update Regarding the CFPB’s Buy Now, Pay Later Orders

In a prior post, we reported that the language used in orders recently issued by the CFPB to leading Buy Now, Pay Later (“BNPL”) providers suggested that the CFPB intends to use the information it collects to build enforcement cases rather than monitor market developments. We also reported that if this is the case, it is a departure from historic precedent and can be considered an end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act to ensure that due process is afforded to financial institutions that become the target of CFPB enforcement investigations.

The CFPB’s intentions were apparently confirmed in a January 5 article in Axios about the BNPL orders, which quotes the CFPB’s small dollar, marketplace and installment lending program manager as saying:

It is certainly possible that we could as a result of the data collection take enforcement action.

Assuming this quote is accurate, recipients of CFPB 1022(c)(4) market monitoring orders should be well aware that any information provided to the agency may be used for enforcement purposes.

Is the CFPB using its market monitoring orders to build enforcement cases?

As we previously noted, on October 21, the CFPB issued orders to six large technology firms seeking information about their payment product business plans (the “October 21 Orders”). According to the Bureau, the purpose of orders was to “shed light on the business practices of the largest technology companies in the world.” The CFPB’s use of its market monitoring authority under Section 1022(c)(4) of the Dodd-Frank Act for this amorphous purpose was a break from established precedent. Historically, the CFPB issued 1022(c)(4) orders to support its efforts to issue specific rulemakings or Congressionally-mandated research reports. (See, e.g., Appendix B of the CFPB’s 2018 Sources and Uses of Data report).

On December 16, the CFPB again broke with historic precedent when it issued a new set of 1022(c)(4) orders, this time to five Buy Now, Pay Later (“BNPL”) providers (the “December 16 Orders”). Much has already been written about the information demanded by the CFPB in the orders, and about the institutions subject to the orders. However, less attention has been paid to what the CFPB might do with the information it receives.

Traditionally, the CFPB has maintained a firewall between its market monitoring function and its enforcement function, in recognition of the distinction established by Congress in the Dodd-Frank Act. Section 1022(c)(4) of the Dodd-Frank Act authorizes the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, including developments in markets for such products or services. Congress specified that information obtained by the CFPB using this general power may only be made public (if at all) through aggregated reports or other formats designed to protect the confidentiality of the information. Accordingly, Congress provided few procedural safeguards to financial institutions subject to such collections. Section 1052 of the Dodd-Frank Act establishes the specific enforcement powers of the CFPB and provides that the CFPB may collect information by means of civil investigative demands (CIDs) for the purpose of ascertaining whether a financial institution has violated Federal consumer financial law. Congress provided several procedural safeguards for the targets of CFPB enforcement investigations, including requirements for the service and contents of CIDs, the collection of oral testimony, and the receipt of petitions to modify or set aside the CIDs.

In announcing its October 21 Orders, the CFPB publicly released a sample order representing the actual orders sent to the six technology firms. The language used in the sample order maintained the firewall between its market monitoring and enforcement activities, stating in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order …, nor is it being issued under section 1052 of the Dodd-Frank Act.

By contrast, the sample order released in connection with CFPB’s announcement of the December 16 Orders to the five BNPL providers lacks the language acknowledging that the order is not being issued under Section 1052, and only states in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order.

Also, the December 16 sample order contains new language not present in the October 21 sample order, stating:

The Bureau reserves the right to use the information for any purpose permitted by law.

Read together, these two changes suggest that the CFPB intends to remove the firewall between its market monitoring and enforcement functions and could use the information collected from the BNPL providers pursuant to the December 16 Orders to build enforcement cases. If so, this development could be considered an attempted end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act. The CFPB can, if it wishes, provide express procedural safeguards within the orders that are equivalent to the types provided in Section 1052 or by agencies like the FTC in similar circumstances, but it has elected not to do so at this time. Recipients of future 1022(c)(4) orders should be mindful of this development in their responses to the CFPB.