On Thursday, September 16, 2022, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) published a report (the “Report”) detailing the regulatory risks of Buy Now, Pay Later (“BNPL”) products in response to last December’s market monitoring orders to five BNPL companies.

BNPL generally refers to a credit product offered by a third-party institution that enables consumers to split the payment for a retail transaction into four equal installments: the first payment is a down payment due at checkout, and the remaining payments are made in two-week intervals over the next six weeks. BNPL lenders do not charge interest; rather, they incur revenue in the form of late fees and, in some instances, transaction fees.

This blog post first provides a brief overview of some of the unique qualities of the BNPL industry, which has been experiencing significant growth over the past few years. It then outlines the key risks to consumers posed by the BNPL industry as highlighted in the Report as well as the Bureau’s stated next steps for increasing its oversight of the industry. At least in the near term, it appears that the Bureau intends to exercise its jurisdiction over BNPL lenders through supervisory examinations and the issuance of interpretive rules or similar guidance to provide consumers with protections similar to those in the traditional credit card space. This blog post outlines steps that BNPL lenders may wish to consider taking to mitigate the potential risks to consumers that the Report identifies.

Buy Now, Pay Later’s Position in the Credit Industry

BNPL has established itself as a key player in the digital commerce ecosystem, taking advantage of the opportunities afforded by consumers’ attachment to their mobile devices and preferences for “one-stop” applications through which they can manage purchases and finances. Historically, BNPL lenders have partnered with merchants that offered BNPL products to consumers at the point of sale, either in-store or by embedding the BNPL product on their checkout pages, giving consumers the opportunity to apply for a BNPL loan to complete their purchase. Lenders are increasingly turning toward more direct consumer engagement through social media and proprietary applications. Through these proprietary apps, consumers can apply for a line of credit that can be used at any number of participating merchants in a virtual shopping mall accessible through such apps.

This “app-driven acquisition model” utilizes information regarding consumer behaviors to tailor individual consumer experiences to drive sales and increase the likelihood of repeat usage. These apps also allow BNPL lenders to offer consumers proprietary rewards programs such as cash-back offers from certain retailers as well as the ability to “unlock” other rewards when certain usage thresholds are met. Such rewards may or may not be financial in nature. For example, at least one rewards program provides eligible consumers with the ability to change payment dates or defer the first payment on certain transactions once they achieve a particular status.

Potential Risks to Consumers

Below we summarize the key potential risks to consumers posed by the BNPL industry, as highlighted in the Report. These risks fall into three primary categories: (1) risks arising out of BNPL’s position outside of existing regulatory frameworks; (2) risks arising out of unique qualities of BNPL; and (3) risks arising out of lenders’ collection and use of data.

BNPL Operates Outside of Existing Federal Regulatory Frameworks

The current structure of BNPL products places these products and lenders outside traditional consumer financial protection frameworks.

Consumer understanding

Because BNPL products do not impose an interest charge and are payable in no more than four installments, BNPL products are not subject to the Truth in Lending Act (“TILA”), as implemented by the Bureau’s Regulation Z (“Regulation Z”), which requires lenders to provide, among other things, standardized disclosures to consumers regarding key terms of a loan, when and how fees are assessed, and when payments are due. The Report expressed concern that BNPL products’ lack of standardized disclosures may make it difficult for consumers to clearly understand the nature of what they are agreeing to, which could increase the likelihood of a consumer being charged fees.

Dispute resolution

The lack of any standard requirements or consumer rights for disputes or issues with products purchased with BNPL loans may result in financial harm to consumers. For example, Regulation Z gives credit card consumers the right to withhold payment while a billing dispute is being resolved, while BNPL lenders sometimes continue to charge consumers their loan installments despite a pending dispute. The potential harms from this process are reflected in consumer complaints to the Bureau, which indicate that returns and disputes are a common concern.

Multiple late fees

The Report highlighted that at least one BNPL lender’s terms historically permitted it to impose multiple late fees on the same missed payment, while noting that Regulation Z prohibits credit card issuers from assessing multiple fees on a consumer for a single violation. Notably, this restriction does not apply to closed-end extensions of credit, and so would not have applied to BNPL even if it was not excluded by the scope provisions of the regulation. That the Report nonetheless raised this seems to reflect the CFPB’s concern that BNPL consumers are not afforded the same level of protections as traditional open-end credit card consumers.

Compulsory use of autopay

The Electronic Funds Transfer Act and its implementing Regulation E (“EFTA” and “Regulation E”) generally prohibit any person from conditioning an extension of credit on the consumer’s repayment by preauthorized electronic fund transfers. Most BNPL products require consumers to link a payment method to be charged automatically for repayments, though consumers are typically given the option of linking either a debit card (which is a form of electronic fund transfer) or a credit card (which is not an electronic fund transfer). While such an arrangement may constitute technical compliance with Regulation E, the Report expressed concern that such practices “may adversely limit consumer choice and flexibility to elect or change payment methods, or to skip a BNPL payment to satisfy other financial obligations.”

Multiple payment re-presentments

Some BNPL lenders attempt to charge a consumer’s method of payment multiple times in the event that there are insufficient funds to satisfy the consumer’s obligation to the lender. This in turn may result in multiple non-sufficient funds fees being charged to the consumer’s account. Notably, such practices would be prohibited under the Bureau’s “Payday Lending” rule (12 CFR part 1041), which is currently stayed in litigation.

Risk of Overextension

Data suggests that many BNPL users are not merely shifting their existing purchases to a new payment platform, but are spending (and borrowing) more than they otherwise would. The Report highlights that BNPL’s novel qualities that have contributed to its success in the marketplace are also contributing to the risk of overextension, including “loan stacking” and “sustained usage.”

Loan stacking refers to situations in which a borrower obtains multiple BNPL loans at the same time, taking advantage of the seemingly instantaneous availability of credit and the fact that individual BNPL lenders do not have insight into whether a particular borrower is concurrently purchasing products with credit from another BNPL lender. Consumers’ use of BNPL may also result in the risk of overextension when they subsequently obtain credit from other traditional sources, including credit cards, mortgages, and auto loans. This is because traditional consumer reports—which often serve as the primary source of data about a consumer’s creditworthiness—do not currently include information regarding a consumer’s use of BNPL products in a standardized way, if at all. As a result, traditional lenders may overestimate consumers’ ability to repay and provide them with more credit than they might have otherwise provided.

Sustained usage refers to the trend of repeat customers of BNPL products, which raises concerns regarding consumers’ ability to meet other financial obligations in the long term. Further buttressing the risk of overextension is the scope and magnitude of data collected by BNPL lenders and their partners in order to tailor consumers’ experiences. The Report cited critics who believe BNPL’s data-driven ecosystem and tailored consumer experiences “will create an unfair and potentially costly environment for consumers, who are being lured—as BNPL companies openly claim—into spending more money at greater frequency.” Moreover, studies have shown that consumers tend to prioritize the repayment of BNPL loans over other loans that may carry greater consequences of nonpayment (such as mortgages), thereby increasing the risk of substantial harm to the consumer (such as foreclosure and eviction) and also increasing the risk of default on conventional credit products more broadly.

Use of Data Regarding Consumer Behaviors

The Bureau also expressed concern that data collected by BNPL lenders could be used to offer targeted discounts to some consumers but not others, ultimately resulting in different prices being paid for the same goods at the same retailer. Such practices could pose fair lending issues.

The Report also expressed concern that the consolidation of market power in the hands of a few large tech platforms could reduce long-term innovation, choice and price competition in the industry.

Expectations for Regulatory Action

In prepared remarks accompanying the publication of the report, CFPB Director Rohit Chopra identified several next steps for his staff:

  • Identify potential interpretive guidance or rules to ensure BNPL lenders adhere to consumer protections similar to those imposed in the credit card industry.
  • Coordinate with the Federal Trade Commission to identify data surveillance practices of BNPL lenders that may need to be curtailed.
  • Consider options for improving credit reporting practices to better reflect consumers’ credit obligations.
  • Assess the Bureau’s authority to conduct compulsory supervisory examinations of BNPL lenders, and work with state regulators that license nonbank finance companies on examinations of these firms. (The CFPB also invited firms to self-identify if they wish to be examined.)
  • Take steps to ensure the methodology used by the Bureau and the Federal Reserve System to estimate household debt burden considers the role of BNPL to ensure that related policies are informed by comprehensive data.

The Bureau’s stated next steps recognize that BNPL products play an important role in the small-dollar loan market. For now, it appears that the Bureau intends to police perceived loopholes resulting from such products falling outside existing formal regulatory frameworks through supervision, interpretive guidance, coordination with other regulators, and action in the adjacent credit reporting space. Nonetheless, BNPL lenders should note the potential harms that the Bureau has identified, including various data surveillance practices for which there may be existing FTC precedent. The risks described in the Report serve as a roadmap to potential future regulatory action, including potential enforcement action in cases in which unfair or deceptive practices by BNPL lenders cause consumer harm. To mitigate these risks, BNPL lenders should consider:

  • providing clear, upfront disclosures of fees, payment schedules, and the cost of the product;
  • developing, maintaining and clearly communicating to consumers effective error dispute and return processes;
  • employing underwriting criteria to better understand a consumer’s overall debt profile to mitigate the risk of overextension; and
  • implementing policies and practices reasonably designed to ensure consumer privacy and mitigate fair lending risks that may arise out of the collection and use of consumer behavior data.

Please do not hesitate to contact us with any questions.

To subscribe to the Data Blog, please click here.


Courtney M. Dankworth is a litigation partner who focuses her practice on internal investigations and regulatory defense, including banking enforcement actions and disputes related to financial services and consumer finance.


Gregory Lyons is a corporate partner and Co-Chair of the firm’s Financial Institutions Group. Mr. Lyons is also Chair of the New York City Bar Association Committee on Banking Law. His practice focuses on serving the needs of financial institutions, as well as private equity and other entities that invest in financial institutions, with a particular emphasis on domestic and cross-border bank regulatory, transactional and examination matters. He can be reached at gjlyons@debevoise.com.


Jehan Patterson is a litigation counsel based in the firm’s Washington, D.C. office and a member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on advising the firm’s financial institutional clients on matters related to consumer finance law and enforcement.


Zila R. Acosta-Grimes is a member of Debevoise's Financial Institutions Group based in the New York office. Ms. Acosta-Grimes’ practice focuses on banking regulatory, transactional and compliance matters. She can be reached at zracosta@debevoise.com.


Alexandra Mogul is a corporate associate and a member of the firm’s Financial Institutions Group. Ms. Mogul’s practice focuses on consumer finance and banking regulatory, transactional and compliance matters. She regularly advises banks, FinTechs, industry trade associations and other firms on a variety of regulatory, transactional and compliance matters relating to federal and state banking regulations, Consumer Financial Protection Bureau regulations and guidance, as well as related state consumer financial protection and licensing requirements. Ms. Mogul’s practice also includes advising financial institutions on anti-money laundering, broker-dealer, cybersecurity and data privacy issues. She can be reached at anmogul@debevoise.com.


Courtney Bradford Pike is a corporate associate and a member of the Financial Institutions Group. Her practice focuses on banking regulatory, transactional and compliance matters as well as structured and funds finance.