The Office of the Comptroller of the Currency (OCC) issued guidance (Bulletin 2023-37) (Bulletin 2023-37) on December 6, 2023, that applies to all national banks and federal savings associations concerning management of risk associated with “buy now, pay later” (BNPL) lending. While the stated aim of this guidance is to ensure that BNPL loans are offered in a manner that is safe and sound, the clear emphasis is on consumer protection in that the focus is on providing fair access to financial services, supporting fair treatment to consumers and complying with applicable laws and regulations. 

The OCC’s guidance is the latest regulatory development in connection with BNPL and reflects increased regulatory scrutiny and oversight after earlier moves in the sector by the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC) and certain state regulators. As a practical matter, banks may find it difficult to implement the extensive and detailed nature of the guidance, and as a result this guidance may effectively serve as a disincentive both to banks already offering BNPL loans as well as those seeking to enter the sector.

Banks may determine that the financial costs and compliance burdens associated with implementing and adhering to the guidance may exceed expected revenue gain from providing short-term BNPL loans. Moreover, additional guidance from the CFPB is expected, which may add additional layers of regulatory risk and compliance burden to BNPL lending.

While BNPL is widely used to describe various types of installment lending products (BNPL loans are also commonly referred to as “point-of-sale installment loans” or “pay-in-4” loans), the OCC guidance is limited to BNPL loans that are payable in four or fewer installments and carry no finance charges (i.e. the loans carry zero percent interest and no other finance charges if balances are fully paid in four installments). BNPL loans with payment terms greater than four installments or that charge interest or carry other finance charges are treated as traditional installment loans (a longstanding bank product) that are subject to Regulation Z and therefore do not fall within scope. 

In their dual role as payment processor and lender, BNPL lenders assume borrower default risk. To compensate for the risk, merchants offer lenders a discounted amount of the full purchase price of the good or service. The lender then collects the full purchase price through installment payments from the borrower. The difference between the discounted amount of the purchase price and total installment payments is the lender’s primary source of revenue from BNPL transactions. Payments are generally made automatically from the borrower’s debit card, credit card or checking account.

In a typical BNPL transaction, the lender pays the merchant for the good or service and takes on the responsibility of granting credit and collecting payments from the borrower. BNPL loans are often approved at the time of purchase, but some lenders approve BNPL loans before or after purchase. Additionally, some lenders require 25 percent of the total transaction cost to be paid at the time of purchase. In most cases, the 25 percent paid at purchase serves as the first payment.

Banks can contract directly with merchants to offer BNPL loans or go through third-party BNPL providers that serve as intermediaries between merchants and lenders. Banks can also offer BNPL loans directly without contracting with merchants or third parties.

The OCC advises banks engaged in BNPL lending to operate within a risk management system that is commensurate with the associated risks and designed to capture the unique characteristics of BNPL loans, as outlined below.

Credit risk management

Borrowers could overextend themselves by taking advantage of one or several BNPL arrangements, or they may not fully understand BNPL loan repayment obligations. Another challenge for lenders is that BNPL applicants may have limited or no credit history, which could present underwriting difficulties. In response, the guidance advises banks to maintain prudent underwriting, repayment terms, pricing and safeguards that minimize adverse customer outcomes. In particular, banks should establish policies and procedures for BNPL lending that address loan terms, underwriting criteria, methodologies to assess repayment capacity, fees, charge-offs and credit loss allowance considerations.

In order for BNPL underwriting criteria and repayment assessment methodologies to provide reasonable assurance that the borrower can repay the debt, such repayment assessment methodologies may include assessing debt-to-income, debt-to-assets or residual income; using deposit account information; or using alternative data. Banks should establish ongoing monitoring and reporting—including forecasting, analytics and stress testing methodsthat capture the unique characteristics and risks of BNPL loans.

Methods to collect BNPL debt, mitigate losses and contact borrowers may warrant specialized approaches and strategies that differ from traditional consumer debt collection practices (e.g. the timing of contacting delinquent BNPL borrowers would ordinarily be shorter than with longer-term loans). Additionally, banks’ charge-off policies should be appropriately tailored for the short-term nature of BNPL loans, and BNPL loans should be incorporated into a banks’ allowances for credit losses (ACL) methodologies, even if no losses have been incurred as of the measurement date. 

Operational risk management

In addition to advising banks that they should have processes for handling merchandise returns and merchant disputes in a way that is fair to consumers and matches disclosures provided to consumers, the guidance provides that banks should assess fraud risk and implement controls to mitigate those risks before offering BNPL loans.

The highly automated nature of BNPL lending, with instantaneous credit decisioning and frequent strong reliance on third parties, may present elevated default, operational and fraud risk. Since the OCC believes BNPL loan structures may present elevated first-payment default risk from intentional fraud or borrower oversight, banks should have procedures in place to address first-payment default.

A bank’s models used in the BNPL lending process (e.g. models used in marketing, credit decisioning, customer service or fraud risk management) should be subject to sound model risk management and incorporated into a bank’s model risk management processes. Additionally, banks should incorporate third-party models into the bank’s third-party risk management and model risk management processes.

Third-party risk management

According to the OCC, third-party relationships may increase a bank’s exposure to operational and compliance risks because the bank may not have direct control of the activity performed by the third party. To address this concern, the OCC expects a bank to have risk management processes to effectively manage the risks arising from its activities, including from third-party relationships. A bank that partners with a third party, including a merchant, to offer BNPL loans should incorporate that relationship into the bank’s third-party risk management processes.

Compliance risk management

Bank management should give close attention to the delivery method, timing and appropriateness of marketing, advertising and consumer disclosures to ensure that they all clearly state the borrower’s obligations under the contract and any fees that may apply. The lack of clear, standardized disclosure language could obscure the true nature of the loan, result in consumer harm or present potential risks of violating prohibitions on unfair, deceptive or abusive acts or practices (UDAAP).

Another important question for bank management to consider is the applicability of consumer protection-related laws and regulations to the bank's specific BNPL offerings, particularly with respect to product delivery methods, marketing, advertising and other standardized disclosures. Bank management should also consider billing dispute and error resolution rights and practices relating to automatic payments, multiple payment representments and late fees.

With loan payments typically tied to a debit or credit card, overextension can also result in secondary fees charged to the borrower, such as overdraft, non-sufficient funds and late fees. BNPL lending should be incorporated into the bank’s compliance management system (CMS). The guidance further highlights that bank management should consider the bank’s strategic plan and risk appetite when making the decision to engage in BNPL lending.

Credit reporting

Lenders may have no visibility into an applicant's borrowing activity on BNPL platforms given limited capture of BNPL activity by credit reporting agencies. In response, the guidance notes that consumer reporting that complies with the requirements of the Fair Credit Reporting Act and its implementing regulations helps banks manage credit risk and would also allow borrowers who make on-time payments to demonstrate positive credit behavior and build credit history. 


The guidance echoes many of the concerns regarding BNPL that the CFPB has previously voiced. The guidance is also significant because its framework includes certain risk management elements to address potential risks that have been previously identified with BNPL products, such as consumer disclosures. Such disclosures have not typically been utilized for BNPL loans that are outside the scope of the Truth in Lending Act/Regulation Z. Industry should continue to closely monitor further regulatory, supervisory and enforcement developments as the BNPL market continues to evolve. 

Further information on previous BNPL regulatory developments can be found in our legal update, "All signs point to increased US regulation of buy now, pay later," Inside FinTech blog, "Buy now, pay later (but take note of the immediate application of the FTC Act)," and Regulation Tomorrow blog, "CFPB publishes new findings on financial profiles of buy now, pay later borrowers."


Senior Counsel

Recent publications

Subscribe and stay up to date with the latest legal news, information and events . . .