CFPB’s Proposed Interpretative Rule and Request for Information Target FinTech, Crypto, and Gaming Platforms

The Consumer Financial Protection Bureau (“CFPB”) kicked off 2025 by publishing a notice of proposed interpretive rule and a request for information on January 10 that came on the heels of recent measures taken to address the growth of emerging payment technology industries. The interpretative rule clarifies that the Electronic Fund Transfer Act (“EFTA”) and Regulation E are broad enough to regulate stablecoins, other “similarly-situated fungible assets that either operate as a medium of exchange or as a means of paying for goods or services,” and non-traditional asset accounts like crypto wallets and video game accounts. For its part, the request for information, which relates to financial companies’ collection, use, disclosure, and protection of user payment data, further highlights the CFPB’s priority in supervising financial technology payments products and services.

This is not the first time that the CFPB has spoken out about nontraditional payment systems. For example, in April 2024, the CFPB reported on financial and privacy risks to consumers in video gaming marketplaces, citing to the growth of online marketplaces that increasingly resemble traditional financial systems. Also on January 10 and in connection with the interpretive rule, the CFPB published a blog post asking gamers to share their experiences with video game currencies—including any problems they may have encountered and the protections they think are needed to protect in-game transactions, currency, and stored value.

The EFTA and Regulation E apply to electronic fund transfers (“EFTs”) that authorize financial institutions to debit or credit consumer accounts. Among the legal obligations that the EFTA and Regulation E impose include investigation and error resolution obligations, such as limits on consumer liability for unauthorized EFTs, as well as initial and ongoing disclosures about the terms of EFT services. In this interpretive rule, the CFPB clarifies that the terms “financial institution,” “funds,” and “account” under these two laws encompass much more than the traditional transfer of fiat currency from checking and savings accounts between banks. According to the CFPB’s interpretation, non-bank entities that directly or indirectly hold consumer accounts into which assets that act like money can be deposited are likewise subject to the EFTA and Regulation E.

The CFPB’s proposed interpretation of “funds” broadly captures assets that serve as a medium of exchange, measure of value, or means of payment. The interpretive rule explicitly names stablecoins and cryptocurrencies like Bitcoin, even though their value may fluctuate. The interpretive rule clarifies, however, that whether certain digital assets constitute “funds” under the EFTA or Regulation E is a fact-specific inquiry, and assets that can neither be used to make payments nor be “readily exchanged” for fiat are not “funds.” The CFPB acknowledges, for example, that most non-fungible tokens (“NFTs”) are unlikely to classify as “funds.”

For an account to fall within the scope of the EFTA and Regulation E, it must be “established primarily for personal, family, or household purposes.” But as the interpretive rule explains, the statutory text and legislative history have always captured any types of consumer asset accounts that contain features of deposit or savings accounts—such as the ability to pay for goods and services from multiple merchants, to withdraw funds or obtain cash, and to transfer funds to others. Accordingly, the interpretive rule lists prepaid accounts, virtual currency wallets, video game accounts, and credit card rewards points as categories of accounts that fall within the EFTA’s and Regulation E’s definition of “account.”

Notwithstanding this interpretive rule, the CFPB clarified that EFTs for which the primary purpose is to purchase or sell a regulated security or commodity remain exempt from the EFTA and Regulation E—unless the SEC- or CFTC-regulated account is used to purchase consumer goods or services.

Through its request for information, the CFPB requests comments from the public to better understand how companies are collecting, using, sharing, and protecting personal financial data obtained from consumer payments. It also seeks proposals to revise or reform Regulation P, which requires financial institutions to disclose their privacy practices.

In 2021 and 2023, the CFPB issued orders to financial and large technology firms in the payments market and found that they collected data “far beyond what is necessary to facilitate a transaction.” This included, among others, prediction of income, propensity to spend money, behavior across platforms, and geolocation data. The CFPB’s request for information reflects its concern that financial institutions are not meaningfully protecting sensitive consumer data. It also highlights challenges faced by consumers, including frequent updates to privacy policies and cross-references to multiple, partial privacy policies that the CFPB suggests paint an incomplete picture of the scope of data that is collected and how it may be used.

Among other inquiries, the CFPB’s request seeks information about incentives companies have to collect more personal data than necessary to complete transactions, privacy and opt-out notice practices, whether current data collection and use practices constitute unfair, deceptive, and abusive acts or practices under federal law, and what tools could support whistleblowers to report conduct that violates consumer data protection rights.

Comments on the proposed interpretive rule notice are due March 31, and the comment period for its request for information will remain open until April 11.

Although not unexpected, the proposed interpretative rule and request for information demonstrate the CFPB’s ongoing scrutiny of the financial and emerging payment technology sectors. O’Melveny has extensive experience preparing comments and responding to the rulemaking process, and our professionals regularly advise on consumer protection regulations, payments regulation compliance, and mitigating whistleblower risk. Please reach out to any of the contacts included here, or any member of our Financial Services, Privacy, or Regulatory & Advisory groups.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas; AnnaLou Tirol, an O’Melveny partner licensed to practice law in the District of Columbia and California; Pamela A. Miller, an O’Melveny partner licensed to practice law in New York; Elizabeth L. McKeen, an O’Melveny partner licensed to practice law in California; Danielle Morris, an O’Melveny partner licensed to practice law in California; and Juan Antonio Solis, an O’Melveny associate licensed to practice law in Texas, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2025 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.