Apple Pay and the CFPB
Apple Pay has been getting a lot of attention, and I hope to do a longer post on it, but for now let me highlight one possible issue that does not seem to have gotten any attention. I think Apple may have just become a regulated financial institution, unwittingly. Basically, I think Apple is now a "service provider" for purposes of the Consumer Financial Protection Act, which means Apple is subject to CFPB examination and UDAAP.
Here's the argument. Be warned: this is a romp through some legal definitions.
The CFPB has authority over two classes of people: "covered persons" and "service providers". The CFPB has authority over these classes to the extent they are offering a "financial product or service." Apple does not currently fit within the definition of "covered person" because it is not offering a "financial product or service". Apple Pay does not actually transmit funds (they way, say PayPal does); that's why Apple doesn't have a MSB license (as far as I'm aware).
But even if one isn't a "covered person," one can still be a "service provider" to a covered person. I think there's a reasonable case that Apple is a "service provider" by virtue of Apple Pay. A "service provider" must provide "a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service". Card issuers are covered persons, and Apple is providing a material service in connection with a consumer financial product--a credit card.
The "service provider" definition explicitly includes those anyone who "participates in designing, operating, or maintaining the consumer financial product or service". There's an argument that Apple participates in designing, operating, and maintaining the card payments that go through Apple Pay, especially as Apple has specific agreements with card networks about what data is transmitted, what format, etc. In other words, Apple isn't just being a common carrier transmitting data for anyone. It's involved in figuring out what to transmit.
The "service provider" definition also explicitly includes anyone who "processes transactions relating to the consumer financial product or service". That sure sounds like Apple's role in the Apple Pay environment. There is a carve-out to this particular illustrative inclusion for parties that "unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes". I don't think Apple meets that carve-out. Apple Pay isn't unknowing or incidental transmission or processing of data. What's more, it is not undifferentiated data--this is special data going through the iPhone's Secure Element, which is, by definition, differentiated data. But even if I'm wrong about the carve-out, the carve-out only applies to the second illustration of service provider, and not to the "participates in designing, operating, or maintaining the consumer financial product or service" illustration.
While there is a carve-out for merchants of non-financial goods and services, there is a claw-back from that carve-out for "service providers," which means that the carve-out doesn't do Apple any good if it is a "service provider."
There is also carve-out from the definition of "consumer financial product or service" for "electronic conduit services," but that doesn't affect whether Apple is a "service provider" to a credit card company, only whether it is a "service provider" to an "electronic conduit service". In any case, I don't think Apple's engaged in an "electronic conduit service" because Apple is selecting the data it transmits and that data is differentiated from other data transmitted.
Now perhaps there's something in the technical details of how Apple Pay works that undermines my analysis. But it sure looks to me like Apple's a "service provider" under a reasonable reading of the statute.
What's the Implication?
So what does this mean if I'm correct and Apple is now a "service provider" under the Consumer Financial Protection Act? First, it means that Apple is now subject to CFPB examination and enforcement authority. Second, it means Apple is subject to UDAAP, including CFPB rulemaking and enforcement and state enforcement of the federal UDAAP statute.
And note that the way the Consumer Financial Protection Act is drafted, UDAAP is not limited to unfair, deceptive, and abusive practices in connection with the offering of the consumer financial product or service. It is a simple prohibition on covered persons and service providers engaging in unfair, deceptive, and abusive acts and practices, period. There is no language saying that the unfair, deceptive, or abusive acts and practices has to have any relationship with the consumer finance business. Read literally, anything Apple does is therefore fair game for state AGs, and for private attorneys who use private rights of action under state UDAP statutes based on a predicate violation of the federal UDAAP statute (that does not contain a private right of action).
Now I don't know if the CFPB would agree with my reading of the statute, and even if it did, I don't think that the CFPB is about to start examining Apple any time soon (perhaps in the future, though); there are more urgent matters and limited resources. And I don't know if Apple would agree with my reading either. But if my reading is correct, Apple just walked into the very different world of being a regulated entity. (Securities law disclosure issue anyone?) Are Apple's lawyers aware of this? Tim Cook?