The OCC outlines safety and soundness principles and appropriate risk management processes for its regulated institutions that engage in BNPL lending.

By Arthur S. Long, Parag Patel, Barrie VanBrackle, Becky Critchley, Deric Behar, and Charlotte Collins

On December 6, 2023, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2023-37 (Guidance), which clarifies the OCC’s policy positions on the risk management of “Buy Now, Pay Later” (BNPL) lending. These consumer lending arrangements (also known as “point-of-sale installment loans” or “pay-in-4”) involve short-term installment loans repayable in four or fewer payments and carry no finance or interest charges. The OCC expects that banks engaged in BNPL lending “do so within a risk management system that is commensurate with associated risks.”

The Guidance applies to all OCC-regulated institutions, including national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations. The OCC also highlighted that the Guidance applies to community banks engaging in (or considering engaging in) BNPL lending.

BNPL Loans

As described in the Guidance, a BNPL arrangement generally involves a bank, a merchant, and a consumer. When a consumer chooses to pay for a purchase using a BNPL arrangement, the bank (lender) pays the merchant for the good or service, and assumes responsibility for granting credit to the consumer and collecting payments per the terms of the installment plan. The bank typically pays a discounted price on the good or service in return for assuming the risk of fraud or default, and obtains the ability to collect installments equivalent to the full (undiscounted) price of the purchase. Banks earn revenue on BNPL loans primarily on the difference between the discounted price paid to merchants and the full amount collected from the consumer over the life of the loan.

BNPL Risk Management

The OCC believes that when offered in a responsible and transparent manner, BNPL loans are a valuable and convenient option for consumers seeking to manage purchases and cash flow. However, BNPL loans also pose numerous risks to consumers and institutions, and the OCC expects institutions to maintain risk management processes that effectively manage the risks arising from these activities. Some of the highlighted risks and risk management practices are as follows.

Credit and Underwriting Risk

Borrowers may not fully understand BNPL loan repayment obligations or may take on excess credit, and creditors may be disadvantaged by the lack of credit history or BNPL activity captured by credit reporting agencies. Banks should therefore:

  • establish and implement policies and procedures for BNPL lending that address loan terms, underwriting criteria, repayment assessment methodologies, fees, charge-offs, and credit loss allowance considerations;
  • establish ongoing monitoring and reporting to capture the unique characteristics and risks of BNPL loans;
  • tailor charge-off policies for the short-term nature of BNPL loans;
  • incorporate BNPL loans into allowances for credit losses methodology (even if no losses have been incurred as of the measurement date); and
  • engage in an industry-wide effort to furnish comprehensive BNPL loan information to the credit bureaus in a timely manner.

Operational Risk

Banks furnishing BNPL loans via automated processes “with instantaneous credit decisioning and frequent strong reliance on third parties” may experience higher rates of borrower fraud and default. Banks should therefore:

  • maintain processes for handling merchandise returns and merchant disputes in a manner that is fair and matches disclosures provided to consumers;
  • assess fraud risk and implement controls to mitigate those risks;
  • consider operational risks unique to BNPL lending, such as those related to product returns or customer disputes;
  • confirm that potential borrowers are of legal age to obtain credit;
  • maintain tailored procedures to identify and mitigate first payment default risk;
  • recognize charge-offs in a timely manner; and
  • incorporate models used in the BNPL lending process into a bank’s overall model risk management processes.

Third-Party Risk

Banks furnishing BNPL loans may not have direct control over the activities of third-party vendors or merchants. Banks should therefore:

  • incorporate models regarding third-party vendors into the bank’s third-party risk management and model risk management processes;
  • conduct appropriate due diligence on the third-party relationship and on the model itself; and
  • comply with the recent interagency supervisory guidelines for banking organizations on managing risks associated with third-party relationships (for more information, see this Latham blog post).

Compliance Risk

Compliance with various consumer protection-related laws and regulations[1] is critical for banks furnishing BNPL loans to ensure that obligations are understood and met on both sides of the transaction. Banks should therefore:

  • determine the applicability of consumer protection-related laws and regulations to the bank’s specific BNPL offerings;
  • oversee the product delivery method, including timing and appropriateness of marketing and advertising;
  • ensure that consumer disclosures are appropriate, timely, and clearly state the borrower’s obligations under the contract;
  • clearly disclose any fees that may apply for late or missed payments;
  • consider billing dispute and error resolution rights and practices relating to automatic payments, multiple payment representments, and late fees; and
  • incorporate BNPL lending into the bank’s compliance management system, including processes and practices designed to manage consumer compliance risk and prevent consumer harm.

BNPL in US, UK, and EU Regulators’ Sights

The Consumer Financial Protection Bureau (CFPB) has been actively monitoring BNPL activity in the consumer finance marketplace for some time now. In September 2022, it published an in-depth report on the BNPL landscape, and in September 2023 published another report on the consumer financial profiles of BNPL borrowers. The Federal Trade Commission (FTC) also published a short notice in September 2022 on the obligations of BNPL providers vis-à-vis the FTC Act. In addressing BNPL lending for the first time in the present Guidance, the OCC is flagging for supervised banking institutions the potential risks surrounding a payment arrangement that is growing in availability and popularity among consumers.

The growth of BNPL lending is not confined to the US, and regulators in the UK and the EU are implementing measures to address this practice. In these jurisdictions, BNPL lending is currently exempt from the consumer credit regulatory framework, and is largely carried out by relatively new unregulated market entrants, rather than by incumbent financial institutions such as banks. This has raised consumer protection issues, and both the UK and the EU are thus proposing to amend consumer credit legislation to bring BNPL lending within the regulatory perimeter, in certain circumstances. The timing of this change in the UK remains uncertain, while the changes in the EU will apply from November 2026 (see Latham’s related blog posts here and here).


The Guidance is clear that senior managers in OCC-supervised banks should consider their overall strategic plan and risk appetite when evaluating the prospects of BNPL lending arrangements. At the same time, banks must implement practices that ensure fair and inclusive treatment of consumers, and compliance with applicable laws and regulations.

The safety and soundness of the overall financial system, coupled with the mitigation of adverse customer outcomes, remain the OCC’s top priorities generally, and in the BNPL lending market specifically.


[1] E.g., Equal Credit Opportunity Act (ECOA) and Regulation B; Electronic Fund Transfer Act (EFTA) and Regulation E; Fair Credit Reporting Act (FCRA) and Regulation V; Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts and practices; and Section 1036 of the Dodd–Frank Wall Street Reform and Consumer Protection Act, which prohibits unfair, deceptive, or abusive acts and practices.