Learn more about the 2025 Coin Center Annual Dinner

New CFPB rulemaking makes no distinction between custodial and self-custody wallets

They are completely different products with different risks and covering self-custody is beyond statutory authority and unconstitutional.

by 

Blog Consumer Protection Privacy & Autonomy CFPB

Today the CFPB released a new notice of proposed rulemaking (NPRM) on “Electronic Fund Transfers Through Accounts Established Primarily for Personal, Family, or Household Purposes Using Emerging Payment Mechanisms.” In it, they call for a reinterpretation of the Electronic Funds Transfer Act (EFTA) to apply to cryptocurrency activities, but they fail to differentiate between cryptocurrency services provided by trusted intermediaries, which may rightly be subject to ongoing consumer protection requirements, and software tools used to secure one’s own crypto, which are protected speech and should never be subject to a permission-based regulatory regime.

Coin Center’s mission is to defend Americans’ rights to build and use cryptocurrency technology. Typically when discussing the application of regulations to cryptocurrency activities we advocate for equal treatment with traditional finance where only trusted intermediaries face direct licensing and regulatory obligations. Therefore, if the CFPB intends only to obligate trusted custodial wallet providers to Reg E (EFTA’s implementing regulations) we do not necessarily object. The subject of how trusted intermediaries are regulated in this space is generally outside of our core mission.

However, the CFPB’s current NPRM is silent on the question of whether it would extend Reg E requirements to only custodial wallet service providers or to self-hosted wallet software providers as well. The NPRM simply says it would apply to “virtual currency wallets that can be used to buy goods and services or make person-to-person transfers.” That language is vague and certainly seems to include any wallet, custodial or not.

Self-hosted wallets and custodial wallets are entirely different products with entirely different consumer risks and benefits. The people behind these two different types of wallet products are also engaged in entirely different business activities. Custodial wallet providers are engaged in an ongoing service with promises made to the user: securing your funds on your behalf. Self-custody software providers are engaged in software development and publication: releasing wallet software such that you can secure your own funds.

That the CFPB’s NPRM neglects to even reference the important distinction between custodial and self-custody wallets within their monolithic class of “virtual currency wallets” shows either that this NPRM has been rushed out the door with insufficient time to even tee-up issues ripe for public comment, or that the NPRM’s authors are unaware of highly relevant facts about the nature of the products they are proposing to regulate. Either way, the NPRM is flawed.

If the CFPB intends to cover self-custody wallets under Reg E and to subject the authors of self-custody software to direct regulation, then the proposed rule goes beyond the CFPB’s statutory authority and is also unconstitutional, as we’ll discuss in the remainder of this post.

Beyond Statutory Authority

The EFTA’s application is limited under its definitions section to the regulation of “electronic fund transfer[s].” That term is defined as

any transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, which is initiated through an electronic terminal, telephonic instrument, or computer or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account.

Key to that definition are three further terms: “funds,” “financial institution,” and “account.”

The CFPB argues that “funds” includes crypto. There is no definition of the term in the EFTA. Looking at the plain meaning of the word and Black’s Law Dictionary it is true that the term typically means any “pecuniary resources which are readily converted into cash.” We do not take issue with this interpretation.

The CFPB argues that “financial institution” includes more than traditional banks but does not describe a clear outer limit to that definition. They write that “financial institutions”

include nonbank entities that directly or indirectly hold an account belonging to a consumer, or that issue an access device and agree with a consumer to provide EFT services.

We will get to what it means to hold an account in our discussion of the term “account” below. For now, with respect to this proposed interpretation of “financial institution” we will note two things: (1) the language “issue an access device and agree with a consumer to provide EFT services” is not in the statute. The statute limits the term “financial institution” to persons who, “directly or indirectly, hold[] an account belonging to a consumer.” (2) to the extent that the CFPB is correct that the statute authorizes them to regulate mere providers of “access devices” the requisite “agreement” with the consumer to trigger such regulatory obligations should be an agreement for actual account management services (holding that consumer’s account directly or indirectly per the statute) rather than merely a licensing agreement to use software (wherein the user holds her crypto herself using the software).

The CFPB correctly notes in this NPRM that much turns on the definition of account: “Given the breadth of the term ‘funds,’ the applicability of EFTA and Regulation E will often turn on the definition of ‘account’ in EFTA and Regulation E.” The definition of account in the EFTA is as follows:

(2) the term “account” means a demand deposit, savings deposit, or other asset account (other than an occasional or incidental credit balance in an open end credit plan as defined in section 1602(i) [1] of this title), as described in regulations of the Bureau, established primarily for personal, family, or household purposes, but such term does not include an account held by a financial institution pursuant to a bona fide trust agreement.

This is a frustrating definition for various reasons. First, it includes the defined term in the definition: “the term ‘account’ means a …. account.” Second, it calls on the agency to define the term further “as described in regulations of the Bureau.” Third, it creates no real limiting principle for the scope of the definition beyond “established primarily for personal family or household purposes.” We can only conclude that Congress intended for the plain meaning of the term account to stand, and to allow the agency to define a subspecies of personal family or household accounts in regulation.

Under Loper Bright we cannot assume that the definition of account is entirely up for grabs given the ambiguity in the statutory definition. Even if the only textual limit to account is “established for personal family or household purposes,” my contractual agreement with a nanny is still not an account despite being “established for personal family or household purposes.” Account is still limited by the plain meaning of the word, and contracts for child care are not accounts even if Congress didn’t say so explicitly. In other words, after Loper Bright, we would not give deference to the agency if they choose to define “account” in a way averse to the plain meaning of account. So what is the plain meaning of “account?” In the context of this rulemaking, it cannot include balances in self-hosted wallets. Here’s why.

First, a self-hosted wallet is best analogized to a safe for valuables that one might keep in one’s home. It may be a physical object like a safe, as when one has a Ledger or a Trezor wallet, or it might be software running on the user’s home computer. Either way, like a safe, the user bears the responsibility for securing her own assets with the tools she has purchased or acquired from others. The contents of a safe might be “funds” understood as “pecuniary resources which are readily converted into cash” but the safe is not an “account.” Black’s Law Dictionary does not have a definition of “account” and instead directs us to “bank account,” already a telling indication of the term’s typical usage. There one finds:

A sum of money placed with a bank or banker, on deposit, by a customer, and subject to be drawn out on the latter’s check. The statement or computation of the several sums deposited and those drawn out by the customer on checks, entered on the books of the bank and the depositor’s passbook.

So, an account is a sum of money placed with a bank. We can accept that the EFTA statutorily broadens the typical plain meaning of account, bank account, by including non-bank entities and pecuniary assets beyond money. But even with that broadening, the term account still means that some pecuniary valuable is “placed” with a trusted entity. Further, the valuables in that account are “subject to be drawn out” of that placement by the customer’s request, a “check.” In other words, the only reasonable interpretation of “account” is a sum of assets that are held by a trusted entity on behalf of a customer. One would never refer to the internal contents of one’s own safe as an account held by the safe manufacturer. Therefore, any reasonable reading of the statutory authority in EFTA would limit its application to custodial wallet providers.

Again, the CFPB has failed to be clear about whether it even intends to regulate self-custody software developers in this rulemaking. If that is its intent, the agency is acting beyond its authority because the assets held in self-custody are not in “accounts” and the agency is only empowered to regulate transfers to and from accounts held by bank and non-bank financial institutions.

Unconstitutional

Statutory authority aside, if it is the CFPB’s intent is to regulate mere wallet software developers under this rule, then it will be imposing a content-based prior restraint on speech. If the rule was finalized as drafted, one could be banned from publishing wallet software that does not include the particular fraud-prevention mechanisms mandated by the CFPB and compelled to publish software with those protections and consumer disclaimers. The rule would face strict scrutiny and should be found to be a violation of the First Amendment. The First Amendment does not prohibit the government from regulating ongoing service providers (e.g. custodial wallets), nor would it even prohibit the CFPB or the FTC from bringing an action against a software developer for “unfair and deceptive acts and practices.” The First Amendment does, however, limit the government from pre-emptively censoring or blocking the publication of software or compelling software publishers to write their software in certain ways.

Additionally, complying with the regulatory requirements would necessitate that software developers collect information about the users of that software and the transactions they make using it. That mandated mass collection of private data, without user consent and without a legitimate business purpose for collection apart from the regulatory mandate, would constitute a warrantless search and seizure and should be found unconstitutional under the Fourth Amendment.

We’ve recently outlined why the IRS broker rule would be unconstitutional for the above reasons and will not rehash the arguments fully here. Check out our broker comment for a preview and you can expect our full arguments in our response to this rulemaking, due in March.