Venmo’s business model, which combines traditional payment processing with social media features, has caused the company compliance headaches. Over the past five years, Venmo has been the subject of enforcement actions by both federal and state actors, including the Federal Trade Commission, the Texas attorney general and the California commissioner of Business Oversight. This article will provide an overview of the applicable oversight regime through which these entities have sought enforcement actions against Venmo and provide insight for other money transmitters navigating the regulatory space.
Venmo is considered a “nonbank money transmitter” under state and federal law because it is not a bank and it accepts funds from one person and transmits those funds to another person. As such, Venmo is subject to the oversight of four federal agencies: the Financial Crimes Enforcement Network, the Office of Foreign Assets Control, the Consumer Financial Protection Bureau, and the Federal Trade Commission. Venmo is also subject to each state’s laws for money transmitters, which include licensing requirements and consumer protection laws.
FinCEN and OFAC oversee money transmitters to prevent criminal activity. FinCEN’s purpose is to combat money laundering and terrorist financing. FinCEN requires money transmitters to register with the agency, file transaction reports and implement anti-money laundering programs. OFAC “administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals.” OFAC maintains a list of “specially designated nationals,” or SDNs, with whom people in the U.S. are prohibited from dealing. Violators of this prohibition may be liable for civil or criminal penalties. OFAC requires money transmitters to ensure that the transactions they process do not involve a party on the SDNs list and are not in violation of OFAC regulations.
The CFPB and the FTC share consumer protection oversight over nonbank money transmitters.
The CFPB enforces Regulation E, which protects consumers who use electronic fund transfer services. Regulation E subjects financial institutions that process electronic transfers to various requirements, including certain disclosures, periodic statements, resolution of errors procedures, records retention and limitations on consumer liability for unauthorized transactions.
1. Regulation E unambiguously applies to transactions through linked accounts. Regulation E generally applies to money transmitters, including those that do not hold the consumer’s account. These rules apply if the transmitter has no agreement with the financial institution that holds the consumer’s account, and the transmitter issues an “access device” that the consumer can use to access the account. The consumer’s mobile phone and the Venmo app both fit Regulation E’s definition of “access device,” so Venmo must comply with Regulation E for consumer transactions that are connected to a consumer’s attached debit card or bank account.
2. Regulation E may not apply to transactions made through the Venmo account balance. Venmo also allows users to transact from a Venmo account balance. In an article published in Duke Law and Technology Review, attorney Eric Pacifici explains that Regulation E does not adequately protect PayPal users because it is uncertain whether Regulation E applies to transactions that are funded through a user’s PayPal account balance. The analysis also applies to Venmo. Regulation E applies to transfers that authorize a financial institution to debit or credit a consumer’s account, but Pacifici notes that it is unclear whether PayPal fits the definition of “financial institution” and whether the PayPal account is an “account” under Regulation E. Regulation E defines these terms as follows:
- “Financial institution” means “a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services.”
- “Access device” means “a card, code, or other means of access to a consumer’s account, or any combination thereof, that may be used by the consumer to initiate electronic fund transfers.”
- “Account” means “a demand deposit (checking), savings, or other consumer asset account ... held directly or indirectly by a financial institution ...”
Therefore, Regulation E’s application to money transmitters depends on the definition of financial institution, which depends on the definition of access device, which depends on the definition of account, which depends on the definition of financial institution. Under Pacifici’s analysis of these circular definitions, it is ambiguous whether Regulation E’s consumer protections apply when a user makes a transfer out of its Venmo account.
3. Consumer liability may not be limited for unauthorized transactions funded through the Venmo account balance. According to Venmo’s user agreement, Venmo complies with Regulation E; however, if Venmo is not required to comply with Regulation E for transactions made directly from the Venmo account, consumers would not have an important protection.
Regulation E limits consumer liability for unauthorized electronic fund transfers to $50 in some circumstances and $500 in others. If Regulation E does not apply to Venmo transactions funded out of a user’s account, then Venmo is not required by law to limit consumer’s liability for unauthorized transactions made from a user’s account, and consumers are left with unequal treatment under the law based on the method with which they transfer money.
The FTC enforces the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, or GLBA. Section 5(a) of the FTC Act protects consumers from unfair or deceptive trade practices. The GLBA protects consumers against financial institutions’ use of nonpublic personal information. Under the authority of the GLBA, Regulation P dictates the rules regarding the use of consumers’ nonpublic personal information, and the safeguard rules provide requirements for keeping consumers’ information secure. Unlike Regulation E, Regulation P and the safeguard rules unambiguously apply to all Venmo transactions.
- Regulation P defines “financial institution” as any “institution the business of which is engaging in financial activities” as described in the Bank Holding Company Act.
- Under the Bank Holding Company Act, “transferring money” is an activity that is considered “financial in nature.”
Therefore, through Venmo’s practices as a money transmitter, it is significantly engaged in financial activities and must comply with the GLBA, Regulation P and the safeguard rules. It was under these rules that the FTC took action against Venmo in 2017, alleging that Venmo was in violation of Section 5(a) of the FTC Act, Regulation P and the Safeguard Rules. Venmo and the FTC reached a settlement in February 2018.
Each state has licensing requirements for money transmitters. As a subsidiary of PayPal, Venmo is licensed through PayPal’s licenses in all 50 states, Puerto Rico and the Virgin Islands. States typically require money transmitters to maintain a minimum net worth, post a surety bond, undergo audits and examinations by regulators, and abide by a list of permissible investments for the funds they handle. State public enforcement actions taken against Venmo have concerned state consumer protection laws and unfair and deceptive trade practices acts. In 2014, the California Commissioner of Business Oversight issued a final order against Venmo mandating that Venmo discontinue 20 specified unsafe practices and accordingly implement compliance procedures. Most of these unsafe practices fell into one of three categories: consumer protection, internal controls and crime prevention. Subsequently, in 2016, the Texas attorney general announced a settlement with PayPal concerning Venmo’s alleged violations of the state’s Deceptive Trade Practices Act, which caused Venmo to implement 11 agreed upon business practices regarding security, consumer protection, customer service and disclosure requirements.
Ultimately, the current legal regime adversely affects consumers and money transmitters alike. Consumers could be harmed by the ambiguous application of Regulation E, as detailed above. Money transmitters are challenged with complying with the laws and regulations of multiple state and federal agencies. The legal regime has not yet caught up with the technological innovations of the industry, and only time will tell how the law will react to these innovations moving forward.