Skip to main content
December 18, 2023

OCC Issues Guidance on Risk Management of “Buy Now, Pay Later” Lending


On December 6, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2023-37 (the Bulletin), providing guidance to national banks and federal savings associations on how to effectively manage risks associated with “buy now, pay later” (BNPL) lending. Specifically, the Bulletin addresses BNPL loans that are payable in four or fewer installments and carry no finance charges. BNPL loans, also referred to as “point-of-sale installment loans” or “pay-in-4” loans, have grown in popularity in recent years, particularly among younger consumers and consumers with limited or no credit history.

The Bulletin follows the Bureau of Consumer Financial Protection’s (CFPB) September 2022 report on market trends and consumer impacts of BNPL, its March 2023 report on consumer use of BNPL, and the Federal Reserve Bank of New York’s September 2023 study on the users of BNPL. These reports indicated that borrowers with lower credit scores, greater unmet credit needs, and greater financial fragility make up a disproportionate share of all BNPL users and identified several areas of potential consumer harm associated with BNPL lending, including inconsistent consumer protections, such as lack of standardized disclosures, divergent approaches on late fees and consumer fees as a whole, and data-harvesting, and the risk of excessive debt accumulation and overextension.


In a typical BNPL transaction, the lender pays the merchant for the good or service and takes on the responsibility of granting credit and collecting payments from the borrower. To compensate for the risk of default by the borrower, the merchant charges the lender a discounted amount of the full purchase price of the good or service. The lender then collects the full purchase price through installment payments from the borrower. If the borrower does not pay on time, the lender may charge late fees and refuse to make additional BNPL loans to the borrower until the borrower brings the account current.

Managing Risks Associated With BNPL Lending

While the OCC acknowledges in the Bulletin that, when used responsibly and offered in a transparent manner, BNPL loans can support consumers’ overall financial capabilities by providing a convenient and relatively low-cost financing alternative, the OCC believes that BNPL lending nevertheless carries risks for both consumers and banks. The Bulletin identifies several types of risks banks face through BNPL loans and provides recommendations to mitigate those risk, including:

  • Credit Risk: The Bulletin explains that BNPL loans are typically approved using soft credit bureau inquiries and that BNPL loans are not yet included in reporting by the three major credit bureaus. As a result, banks may have limited visibility into applicants’ activities on other platforms and limited insight on a borrower’s risk of default. Borrowers may also overextend themselves or may not fully understand BNPL loan repayment obligations. To address issues with credit bureau reporting, the OCC encourages banks to furnish comprehensive information on BNPL loans to the credit reporting bureaus in a timely manner. The Bulletin also suggests that banks establish policies and procedures for BNPL lending that address loan terms, underwriting criteria, and methodologies to assess repayment capacity, fees, charge-offs, and credit loss allowance considerations. The OCC notes that BNPL loans create unique challenges for credit underwriting and repayment assessment methodologies. Repayment assessment methodologies may include assessing debt-to-income, debt-to-assets, or residual income; using deposit account information; or using alternative data. An example of a credit risk management strategy is lower lending caps for new or higher-risk borrowers that gradually increase as the borrower exhibits positive repayment behavior. The OCC further indicates that methods to collect BNPL debt, mitigate losses, and contact borrowers may require specialized approaches and strategies that differ from traditional consumer debt collection practices.
  • Operational Risk: The Bulletin refers to the highly automated nature of BNPL lending and observes that, with rapid credit decisions and frequent strong reliance on third parties, BNPL lending may present elevated operational risk, specifically including fraud risk and risks associated with model use. The OCC identifies that merchant returns and disputes are a common consumer complaint, and that banks should have processes for handling merchant returns and disputes that are fair to consumers and match disclosures provided to consumers. The Bulletin discusses steps that banks should take to address fraud risk, including implementing processes to confirm that potential borrowers are of legal age to obtain credit (particularly for online transactions); adopting procedures to address first payment default; and developing controls to promptly identify suspected fraud, take steps to mitigate loss, and recognize charge-offs in a timely manner. The Bulletin also advises that models used in the BNPL lending process (e.g., models used in marketing, credit decision making, customer service, or fraud risk management) should be subject to sound model risk management and incorporated into a bank’s model risk management processes.
  • Compliance Risk: The Bulletin indicates that banks could be at risk of violating prohibitions on unfair, deceptive, or abusive acts or practices due to the lack of clear, standardized disclosure language. Borrowers may also overextend themselves and, with loan payments typically tied to a debit or credit card, overextension can result in secondary fees charged to the borrower, such as overdraft, non-sufficient funds, and late fees. The Bulletin provides that banks should pay close attention to marketing, advertising, and consumer disclosures to ensure that they clearly state the borrower’s obligations and any fees that may apply. The OCC also expects banks to consider the applicability of specific federal consumer protection laws and regulations to the bank’s particular BNPL lending practices.
  • Third-Party Risk: The Bulletin notes that banks that provide BNPL loans through a merchant or a third-party intermediary BNPL provider should have effective risk management processes to manage the risks from third-party relationships. Third-party relationships may increase a bank’s exposure to operational and compliance risks because the bank may not have direct control of the activity performed by the third party. The Bulletin provides that banks that partner with third-parties to offer BNPL loans should incorporate that relationship into the bank’s third-party risk management processes.

Key Takeaways

The Bulletin outlines the OCC’s expectations for national banks and federal savings associations that engage in BNPL lending. On the one hand, the Bulletin highlights certain consumer needs that potentially may be served by BNPL lending. However, on the other hand, the Bulletin reflects a recognition by the OCC of the unique characteristics and risks of BNPL loans – in particular, its high automation, reduced borrower information, and reliance on third-parties – and that banks seeking to engage in this lending activity may be required to implement new, specialized risk management approaches that differ from traditional practices.

Third-party risk continues to be a top concern of the federal banking agencies, as discussed in a prior Advisory on the agencies’ Interagency Guidance on Risk Management of Third-Party Relationships. BNPL merchants and intermediary third-parties may present increased compliance risks due to their unfamiliarity with banking regulations. Banks should consider enhancing their oversight of BNPL partners and reviewing third-party risk management controls, particularly for underwriting standards, repayment and fee practices, processes for handling merchant returns and disputes, as well as marketing and disclosures.

In addition, the OCC expects banks to do their part to improve credit reporting of BNPL loans. The reporting of BNPL loans to credit bureaus will create operational and compliance risks with respect to reporting data correctly. As the three major credit bureaus get ready to include BNPL transactions in their reporting, banks should review and, if necessary, update their credit reporting policies and practices to account for the unique characteristics of BNPL loans. In the meantime, banks should consider some of the recommended methods identified in the Bulletin to avoid borrower overextension and reduce credit risk in the absence of full credit information at the time the loans are approved.

Lastly, given the recent attention of the CFPB on BNPL loans and the emphasis on consumer protection throughout the Bulletin, it would be to the benefit of banks and other BNPL providers to ensure that their BNPL lending practices align with traditional lending laws and regulations.

Financial institutions interested in how the OCC’s Bulletin may impact their businesses may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services team would be pleased to assist with any questions about the Bulletin or banking regulation, or consumer protection more broadly.

© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.