In addition, the Bureau notes that, in at least some instances, supervision would precede identifying risks, explaining that “the rule would enable the CFPB to monitor for new risks to both consumers and the market,” as the “ability to monitor for emerging risks is critical as new product offerings blur the traditional lines of banking and commerce.”19 This is in tension with the fundamentals of risk-based supervision and would complicate the ability to provide advanced guidance to covered parties.20
If the Bureau does not provide clear and practical guidance to affected parties regarding the anticipated triggers of supervision, its supervision framework would be of limited value as a guide to behavior or incentive for compliance.
A Path Forward
The Bureau should withdraw the Proposed Rule given its lack of justification based on specific risks posed to consumers. The Proposed Rule is not only a solution in search of a problem, but it also counterproductively muddies the waters regarding the types of risks that digital payment app providers should be mitigating and how to prioritize compliance measures.
At the very least, the Bureau must provide clearer guidance to affected parties with respect to risk-based supervision factors. This could include explaining how the CFPB interprets risks under the CFPA’s risk-based supervision criteria, what risks specifically it will attend to in the context of digital payment apps, and what “other factors” it anticipates will be relevant to digital payment apps when prioritizing exams.21
In addition, this proposal raises questions about the nature of CFPB’s authority to both define by rule and supervise larger participants of a market for consumer financial products or services. The Bureau maintains that it “need not conclude before issuing a [larger participant rule] that the market identified in the rule has a higher rate of non-compliance, poses a greater risk to consumers, or is in some other sense more important to supervise than other markets.”22 For the avoidance of doubt—and to head off the Bureau arrogating to itself essentially unbounded supervisory authority—Congress may wish to amend the existing provisions on supervision of nondepository covered persons to expressly clarify that “largeness” alone is an insufficient criterion for subjecting product or service providers to ongoing supervision.
Applying the Proposed Rule to the Crypto and Decentralized Finance Ecosystem Is Inappropriate
Even if the Proposed Rule had been properly justified, its proposed coverage of the crypto and decentralized finance (DeFi) ecosystem presents multiple problems. The Bureau proposes to extend its jurisdiction to transfers of “digital assets,” “[c]rypto-assets,” and “virtual currency” made for personal, family, or household purposes.23 This assertion of authority over crypto and DeFi is based on a thin reed of largely non-pertinent case law and is not supported with a proper cost-benefit or impact analysis. Relatedly, the Proposed Rule risks inappropriately sweeping into its ambit the technology of self-hosted, or non-custodial, crypto wallets.
The Proposed Rule Inappropriately Claims Jurisdiction Over Crypto Assets
The Proposed Rule defines the covered market, in relevant part, to include providers of a “covered payment functionality,” through a “digital application,” for making “consumer payment transactions.”24 Importantly, consumer payment transactions are defined to include consumer fund transfers for personal, family, or household purposes, subject to certain exceptions.25 As the Bureau notes, the CFPA does not specifically define the term “funds.”26 Nonetheless, the Bureau goes on to conclude that “consistent with its plain meaning” the term funds is not limited to fiat currency but also covers “digital assets that have monetary value and are readily useable for financial purposes, including as a medium of exchange.”27 To support this proposition, the Bureau cites a handful of cases interpreting the relationship between the term funds and certain digital assets “for purposes of other federal statutes.”28
It is not settled that the original public meaning of “funds” under the CFPA would include cryptocurrency. The first transfer of the first blockchain-based cryptocurrency—Bitcoin—took place in 2009, the year just prior to the passage of the CFPA, which was part of a legislative package designed to address the 2007–2008 Global Financial Crisis. Ethereum would not launch until 2015. Moreover, the CFPB’s invocation of case law that the Bureau admits addresses other
federal law, and not the CFPA, does little to prove that “funds” under the CFPA covers cryptocurrency broadly.
Additionally, the Bureau’s analysis of the costs, benefits, and impact of its proposal to extend authority to the crypto ecosystem is inadequate, raising serious concerns under both the Administrative Procedure Act (APA) and the CFPA itself.29
Reviewing courts must hold unlawful and set aside agency actions that are, among other things, “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.”30 Situations where agency rules are considered to be arbitrary and capricious include those where the agency has “entirely failed to consider an important aspect of the problem.”31 For its part, the CFPA requires that the CFPB consider a proposed rule’s potential benefits and costs to consumers and covered persons, including consumers’ potential loss of access to financial products and services as a result of a rule.32
The Proposed Rule’s cost-benefit section—such as it is—does not consider the specific costs, benefits, and impact of extending CFPB authority to the crypto ecosystem.33 Extending CFPB larger participant authority over the crypto ecosystem would involve a host of questions, such as the distinct implications of the proposal for cryptocurrency vs. fiat currency, for fungible vs. non-fungible digital assets, for crypto tokens earned in connection with providing network security, and for crypto tokens with niche functions. Where the CFPB does not consider questions specific to crypto, or, in other words, where it has not considered an important aspect of the problem, it would run afoul of statutory rulemaking obligations.
These deficiencies pose risks for the Bureau’s specific rulemaking at issue, but they also conflict with work underway in Congress—and in this subcommittee in particular—to directly address the contours and scope of a crypto regulatory framework. Congress should be wary of any administrative actions that attempt to encroach on its exclusive legislative power.
Self-Hosted Crypto Wallet Developers and Manufacturers Are Not Properly Considered Larger Participants
The Proposed Rule would cover certain providers of “wallet functionality” as defined. Yet the Bureau does not discuss whether the rule would apply to the important crypto technology of self-hosted, or non-custodial, crypto wallets. While there are good reasons the Proposed Rule should not be read to cover these technologies, to avoid doubt the Bureau should expressly clarify that self-hosted crypto wallets are not covered under the Proposed Rule. As discussed further below, applying the Proposed Rule, as currently introduced, to the developers and manufacturers of self-hosted crypto wallets would both clash with the requirements of the APA and CFPA and be inappropriate as a policy matter.
The Proposed Rule should expressly clarify its inapplicability to self-hosted crypto wallets.
The Bureau has not expressly clarified, as it should, that the Proposed Rule does not apply to self-hosted crypto wallets. Self-hosted crypto wallets are, at core, hardware or software tools for storing and safeguarding the cryptographic keys (or a mnemonic phrase for recovering them) that enable users to access their own crypto holdings.34
Under the Proposed Rule, wallet functionality, when provided through a “digital application,” is a covered payment functionality regardless of whether it’s paired with “fund transfer functionality.”35 Constituting wallet functionality itself means satisfying two prongs: (1) storing account or payment credentials; and (2) transmitting, routing, or otherwise processing those credentials “to facilitate a consumer payment transaction.”36
One might interpret prong (1) to cover the storage of cryptographic keys for accessing crypto holdings, though the Bureau does not address cryptocurrency private keys nor discuss this possibility. Prong (2) raises questions when it comes to the possible coverage of self-hosted crypto wallets.
The most basic type of self-hosted crypto wallet is simply a piece of paper (or stamped metal) recording a user’s private key (or a relevant mnemonic for recovering it). Under any plain reading of the Proposed Rule, these paper (or stamped metal) wallets should not be covered, both because they do not themselves transmit, route, or process the information they record, nor do they do so through a “digital application” (as also required by the Proposed Rule).37
Other types of self-custodied crypto wallets can be either software or hardware based. While offerings within these broad categories can vary in terms of their capabilities, developers and users may reasonably ask whether such tools would be covered under prong (2) of the definition of wallet functionality. Unfortunately for those seeking clarity, the Proposed Rule does not discuss either self-custodied software or hardware crypto wallets, let alone in connection with the scope of prong (2).
The Bureau ought to expressly clarify that the Proposed Rule does not apply to self-hosted crypto wallets. For instance, the Bureau could explicitly articulate that a self-hosted software or hardware wallet function—composing and signing (with a private key) a message bound for a crypto network—does not constitute covered transmission, routing, or processing of account or payment credentials, or payment instructions, under the Proposed Rule.38
Applying the Proposed Rule to self-hosted crypto wallets would risk violating the CFPA and APA.
Because the Bureau does not address the applicability of the Proposed Rule to self-hosted crypto wallets and the impact of the Proposed Rule on the market for those technologies (e.g., the benefits, costs, and reduction of consumer financial access that would stem from the application of the Proposed Rule to self-hosted crypto wallets), the application of the Proposed Rule to self-custodied crypto wallets likely would be unjustified under the CFPA and improper under the APA.39
For instance, the APA requires that an agency must “examine the relevant data and articulate a satisfactory explanation for its action including a ‘rational connection between the facts found and the choice made.’”40 When it comes to self-hosted crypto wallets, the Bureau did not examine relevant data, articulate any explanation for its action—let alone a satisfactory one—or describe any connection between the facts and its choice. Without that examination and explanation, the proposal’s application to self-hosted crypto wallets likely would be deficient under the APA.
Applying the Proposed Rule to self-hosted crypto wallets would be inapt policy.
Moreover, applying the Proposed Rule to self-hosted crypto wallets would be inappropriate as a policy matter. Unlike a digital payment app that involves necessary user reliance on a service provider to access assets, a self-hosted crypto wallet allows the user to access her own crypto holdings without relying on an intermediary. Importantly, those crypto holdings are neither held nor even documented by the software developer or hardware manufacturer involved in the initial development or production of the self-hosted crypto wallet. Rather, those crypto holdings are recorded on a public blockchain that does not itself rely on the self-hosted wallet developer or manufacturer to operate.
It is inappropriate to apply a rule designed to supervise digital payment app providers’ ongoing compliance with consumer financial protection law where there is no ongoing consumer reliance on a service provider. Moreover, there is no broader argument that the developer of a software-based, or manufacturer of hardware-based, self-hosted crypto wallet is providing general consumer financial infrastructure, as the backbone of the crypto ecosystem is not based on closed networks of wallet providers but rather on open and public blockchains that are agnostic to the developers or manufacturers of the wallets used to interact with them.
In the event that a user has an issue with the self-hosted crypto wallet she possesses, such issues are best addressed by the user to the relevant developer or manufacturer according to any agreement that governs their relationship or another private cause of action available at law, not a public regulatory agency’s ex ante supervisory regime designed to assess compliance by those providing and maintaining payment services on an ongoing basis.
A Path Forward
As it stands, the Proposed Rule should not properly apply to the crypto ecosystem. In the event that the Bureau were able to resolve the procedural deficiencies, such as inadequate cost-benefit and impact analyses, any application of the Proposed Rule to self-hosted crypto wallets would remain substantively inappropriate. Accordingly, to the extent the Proposed Rule were to move forward, the Bureau must expressly clarify that self-hosted crypto wallets are outside of its scope.
Perhaps most importantly for the long-term health of both the financial technology ecosystem and the constitutional order, Congress should establish the scope and limits of jurisdiction over crypto technology.
Conclusion
The availability of diverse payment tools benefits U.S. consumers, engineers, and entrepreneurs. Consumers benefit from a competitive marketplace and the ability to choose the products and services that best serve their needs. Engineers and entrepreneurs benefit from opportunities to act on their innovative technical and business ideas without facing arbitrary barriers to entry.
Preserving a diversified financial technology ecosystem requires that any regulatory interventions be risk-based and pursuant to lawful process. Regulators should target market failures, not market successes. They should act neither arbitrarily nor capriciously.
To defend consumer choice and the freedom to innovate, Congress, not administrative agencies, should define the bounds and limits of regulators’ jurisdiction.
Given its deficiencies, the Proposed Rule should be withdrawn. At the very least, the CFPB must justify its proposal based on specific risks to consumers; conduct an adequate cost-benefit and impact analysis regarding any extension of the Proposed Rule to the crypto ecosystem; provide clear and advanced guidance to covered persons regarding how the Bureau will prioritize supervisory actions in practice; and expressly clarify that the Proposed Rule does not apply to self-hosted crypto wallets.
* * *
Thank you for the opportunity to provide this information. I welcome any questions that you may have.