I strongly suggest you read Georgetown law professor Adam Levitin’s new post on why he believes Apple’s newly announced Apple Pay service puts Apple under the CFPB’s jurisdiction but virtue of having made itself a regulated financial institution. And Levitin means all of Apple’s consumer services, not just Apple Pay. He believes that Apple is now a “service provider” under the Consumer Financial Protection Act. That makes Apple subject to CFPB examination and UDAAP.

What, say you, is UDAAP? UDAAP stands for “unfair, deceptive, or abusive acts and practices”. UDAAP is the CFPB’s most feared power. From CSI Regulatory Compliance:

Can one word actually have power? Did the addition of “abusive” to the original Unfair and Deceptive Acts or Practices (UDAP) regulation give it the teeth to cause the most significant problems for the industry? Among all the changes the Dodd-Frank Act (DFA) wrought, many believe UDAAP will turn out to do just that. And given the significance of other DFA changes, that’s quite a statement. But we believe that UDAAP’s broad and vague scope, combined with the Consumer Financial Protection Bureau’s (CFPB’)s declination to provide specific UDAAP rules, make it potentially the most dangerous weapon in the Bureau’s arsenal. In an Inside Counsel article, Martin Bishop warns that, “UDAAP gives the CFPB the power to look at the acts and practices of anyone subject to its jurisdiction and declare those acts or practices–without notice–to be unfair, deceptive or abusive.” Take a look at the events of late, which reveal the CFPB’s plans for this powerful weapon.

The report lists a series of cases in 2013 and concludes:

These events make clear that UDAAP is a top priority for the CFPB, and this focus is filtering to other regulatory and law enforcement agencies as well. Several of the CFPB’s enforcement actions were issued jointly, with such other agencies as the Office of the Comptroller of the Currency, the FDIC, state agencies and state attorneys general. The other eye-opening fact to note is that while all of the CFPB’s enforcement actions cited UDAAP, none of them claimed “abusive” practices, leaving this amorphous term’s definition still elusive to institutions. One does wonder, though—given the charges in the CFPB’s enforcement actions—if the expansion of UDAAP with the word “abusive” added weight to the original two–-unfair and deceptive.

Let us return to the issue of Apple’s exposure to CFPB oversight. Levitin makes clear that his reading is preliminary. My gut is that he’s correct, but that the CFPB will choose to use its powers narrowly rather than expansively. But that may not save Apple from the attentions of state-level enforcers.

Here is the guts of Levitin’s analysis:

The CFPB has authority over two classes of people: “covered persons” and “service providers”. The CFPB has authority over these classes to the extent they are offering a “financial product or service.” Apple does not currently fit within the definition of “covered person” because it is not offering a “financial product or service”. Apple Pay does not actually transmit funds (they way, say PayPal does); that’s why Apple doesn’t have a MSB license (as far as I’m aware). But even if one isn’t a “covered person,” one can still be a “service provider” to a covered person. I think there’s a reasonable case that Apple is a “service provider” by virtue of Apple Pay. A “service provider” must provide “a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service”. Card issuers are covered persons, and Apple is providing a material service in connection with a consumer financial product–a credit card. The “service provider” definition explicitly includes those anyone who “participates in designing, operating, or maintaining the consumer financial product or service”.

Yves again. Levitin reviews a series of carve-outs and concludes that none offer Apple any relief. His conclusion:

So what does this mean if I’m correct and Apple is now a “service provider” under the Consumer Financial Protection Act? First, it means that Apple is now subject to CFPB examination and enforcement authority. Second, it means Apple is subject to UDAAP, including CFPB rulemaking and enforcement and state enforcement of the federal UDAAP statute. And note that the way the Consumer Financial Protection Act is drafted, UDAAP is not limited to unfair, deceptive, and abusive practices in connection with the offering of the consumer financial product or service. It is a simple prohibition on covered persons and service providers engaging in unfair, deceptive, and abusive acts and practices, period. There is no language saying that the unfair, deceptive, or abusive acts and practices has to have any relationship with the consumer finance business. Read literally, anything Apple does is therefore fair game for state AGs, and for private attorneys who use private rights of action under state UDAP statutes based on a predicate violation of the federal UDAAP statute (that does not contain a private right of action).

Levitin thinks the CFPB is unlikely to examine Apple any time soon even if it agrees with his reading; the agency already has a full plate. But he wonders whether Apple missed this one entirely, or chose not to disclose it, which would raise securities law issues.

And if the CFPB isn’t ready to take an expansive view of its powers, that does not mean Apple can rest easy. Levitin stresses that UDAAP makes a covered person liable for any “unfair, deceptive, and abusive acts and practices” irrespective of whether it relates to providing a consumer financial service. In light of Apple’s wage fixing scheme, would other Apple employment practices fall short of this standard?

If nothing else, New York State banking superintendent Benjamin Laswky has been particularly creative and aggressive. If a deep pockets, high profile player like Apple were to run afoul of banking regulations, the technology giant would make for a very attractive target.