CFPB looking at crypto platform hacks

Stay informed with free updates

The Brookings Institution held a conference on payments today. This fact is not, in itself, especially exciting.

What is noteworthy is that Rohit Chopra, director of the Consumer Financial Protection Bureau, spoke and gave a set of recommendations for regulators’ future approach to payments policy.

One of these ideas — in an area where the CFPB has direct authority — hints at big potential changes in the way crypto platforms will need to deal with hacks.

There’s lots of content in the full speech, which starts around 1hr19min into the broadcast of the Brookings event. The policy recommendations are transcribed below, so our commenters can give it a close read. Feel free to scroll ahead if the suspense is too great, though, as we will focus only on the bolded section today:

 . . . we think a number of steps are warranted. 

– First, the CFPB will be issuing supplemental orders to certain large technology firms to acquire more information that will help us better ascertain their specific business practices and plans, especially with respect to the use of personal data and any issuance of private currency.

– Second, to reduce the harms of errors, hacks and unauthorised transfers, the CFPB is exploring providing additional guidance to market participants to answer their questions regarding the applicability of the Electronic Fund Transfer Act with respect to private digital dollars and other virtual currencies. 

– Third, the CFPB is going to look at . . . supervisory examinations of nonbanks offering consumer payment platforms. We have a number of authorities to do so, such as when these firms serve as service providers to large depository institutions. Another one of these authorities includes defining larger participants in this market by rule, which would subject banks meeting a particular size threshold to CFPB supervision. 

– Fourth, as suggested in the November 2021 report, the Financial Stability Oversight Council should consider exercising its authority under Title VIII of the Dodd-Frank Act to designate this activity as, or as likely to become, a systemically important payment clearing or settlement activity. This could provide for example other agencies with critical oversight and tools to ensure that a stablecoin is actually stable. 

– Finally, it’s critically important for American consumers to have stronger protections against excessive surveillance and misuse of our data. Later this month, I will authorise the publication of a proposed rule regarding personal financial data rights. This is pursuant to section 1033 of the consumer financial protection act. The rule will seek to accelerate America’s shift to open, competitive and decentralised banking while also seeking to safeguard against abuse of our personal data.

Yes, the CFPB is thinking over how the Electronic Fund Transfer Act, or EFTA, might apply to crypto accounts.

The EFTA is meant to protect consumers from payments fraud. Institutions that facilitate electronic fund transfers are required to notify customers of whether, or when, they will be liable for unauthorised transfers (ie fraud). The liability disclosures are supposed to happen before an account’s first transfer takes place, according to CFPB rules.

Interesting! We wonder how many of those disclosures were sent by platforms like Axie Infinity before it and its users (specifically its Ronin bridge) got mega-hacked. Or Or FTX, whose big hack got a little overshadowed by, you know, everything else.

Notably, a platform doesn’t need to disclose its customers’ liability if it doesn’t impose any.

Earlier this year, an opinion from SDNY Judge Denise Cote said cryptocurrencies should be considered “funds”, meaning that the EFTA should apply to crypto platforms. Adam Levitin covered this at the time for CreditSlips:

. . . if you have a crypto account with an exchange, it would seem to be an “account” at a “financial institution” that is primarily for personal, family, or household purposes and is used for electronic transfers of “funds.” In fact, I had just emailed Bob Lawless for a sanity check on this, when I came across a very recent SDNY decision that held that the EFTA applies to crypto.

That’s a huge consumer protection win. Reg E has important consumer protections regarding unauthorized transactions, error resolution, and provision of receipts and periodic statements. It also creates huge compliance headaches for crypto exchanges, which are not set up for dealing with any of those problems.

In light of that ruling, today’s comments about EFTA from CFPB Director Chopra seem even more newsworthy. We will stay tuned.