Whether it is PayPal, Venmo, Cash App, or something else, most Americans have used one or more payment platforms. These platforms are usually “viewed as offering a relatively fast, easy, secure, and affordable way of making and receiving retail payments.” 

Soon, the payment platform marketplace may grow a bit more crowded. In a blog post from January 2024, X (formerly Twitter) announced that it would soon launch its own peer-to-peer payments system. Turning X into an “everything app,” as majority owner Elon Musk has described is his intention, would require him to “convince millions, even billions of people to entrust his X platform with all of their money, in order to conduct various financial transactions,” all on his reimagined X as payment platform.

This effort raises a host of legal and regulatory issues, many of which no firm has ever faced in the United States. X Payments LLC, an affiliate of the social media company, has already obtained almost 40 state-based money transmission licenses, which is an important first step to bringing Musk’s vision into reality. In the discussion that follows, we set forth the key regulatory and legal challenges that X’s payment system will need to navigate.

Background on Payment Platforms

X Payments, like most payment platforms, will presumably operate as a closed-loop system. Unlike banks, which allow accountholders to send payments to any account at any bank in the world, closed-loop systems require both the sender and recipient for any given transaction to have accounts with the same platform, which then “facilitate[s] the transfer of funds via book transfers between customer accounts held and administered by the [platform] itself.”

Money enters a closed-loop system when customers fund their accounts through credit cards or bank transfers. Platforms comingle these funds on their balance sheets, maintaining a ledger of what assets are owed to which account. Senders can then transmit money to other accountholders via the platform’s web portal or phone application, debiting senders’ accounts and crediting recipients’. At that point, “recipients may either retain funds in their accounts for an indefinite period (to fund future payments) or transfer funds from the platform to their bank accounts.” Withdrawals do not occur until the accountholder “affirmatively requests a transfer of those funds out of this closed loop system and into their bank account or prepaid card.” Until users’ funds are transferred in this way, platforms “use customer funds to purchase investment assets for their own benefit.”

The Law of Payment Platforms

Payment platforms, like X Payments, are subject to prudential (i.e., financial stability) regulation by state banking authorities as “money transmitters.” To the extent federal regulations apply, they are limited to financial privacy laws and antimoney laundering statutes. However, payment platforms that become significantly large may be subject to enhanced prudential standards by federal banking regulators or subject to supervision by the Consumer Financial Protection Bureau.

State Money Transmitter Laws

These regulatory measures are aimed at ensuring that firms act prudently with the money entrusted to them by their customers. Although the rules and regulations may vary by state, money transmitters are generally subject to “minimum net worth requirements,” “surety bond and other security requirements,” and “restrictions on permissible investments,” all of which serve to protect customers from platforms’ possible financial misdeeds.

Money transmitters are also subject to examination by their regulators, whether by individual state banking regulators or as part of a coordinated multi-state examination. This process allows examiners to access platforms’ books and records to ensure that they are solvent and are acting lawfully.

Anti-money Laundering Restrictions

Under the Bank Secrecy Act, certain nonbanks that transmit money must “register with the Treasury Department as money services businesses (MSBs) and comply with the Department’s regulations.” This isn’t a particularly onerous set of requirements, with the rules mostly focused on reporting suspicious activity to the government rather than protecting customer funds.

Financial Privacy Requirements

As a firm that collects payment and social media information (the implications of which, we discuss below), there are two key federal privacy laws that could come into play for X Payments—the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).

The GLBA imposes privacy and data security obligations on “financial institutions” (i.e., any company significantly engaged in financial activities¹), which includes those who are engaged in “transferring money.” At its core, GLBA requires financial institutions to protect consumers’ nonpublic personal information and give consumers notice and choice about how their information is shared with third parties. 

The FCRA regulates the collection, dissemination, and use of consumer credit information. While primarily focused on traditional credit reporting agencies like Experian and TransUnion, the law applies to any entity that regularly assembles or evaluates consumer information to provide “consumer reports” to third parties for purposes like credit, insurance, or employment decisions. As we explain below, a payment platform that analyzes transaction data to make assessments about creditworthiness could potentially qualify as a “consumer reporting agency” under FCRA, triggering various legal duties.

X as a Payment Platform: Financial Privacy Implications

While some issues are routine to all payment platforms, X’s ambitious push into money transmission services represents a fascinating convergence of social media networking and financial technology that raises novel implications with which the law has not had to deal. The integration of payment services into a platform where millions already engage in public discourse creates unique considerations around financial privacy and financial surveillance. A user’s payment transaction history could potentially be correlated with their posting and sharing history in ways that traditional payment processors simply cannot replicate. That combination or integration of social media data and payment data can be incredibly powerful. As Raúl Carrillo has written: “If social media activity says what we “like,” payments data provides a clearer picture of what we do.” In this way, social media captures aspirational or performative behavior, such as what people want others to think they care about, whereas payment data reveals actual committed choices where people “put their money where their mouth is.” The combination of these two data types is particularly powerful—it facilitates the ability to identify gaps between a user’s projected identity and their real behaviors. In turn, these gaps can be exploited for marketing or other commercial-related purposes. 

For our purposes, this combination stretches the presumptions inherent in existing financial privacy frameworks. GLBA requires financial institutions to provide privacy notices and opt-out rights before sharing users’ nonpublic personal information with nonaffiliated third parties but allows unrestricted sharing of consumer financial information between affiliates of the same company.² This discrepancy is thanks to GLBA’s inherent presumption, by way of the Bank Holding Company Act, that financial institutions do not have commercial affiliates—indeed, GLBA elsewhere made clear its presumption that firms would not engage in both financial and nonfinancial activities. Accordingly, if X wanted to share a consumer’s information with an unaffiliated data analytics company that analyzes spending patterns and social media activity, it would have to provide a privacy notice and opt-out ability to that consumer, but would have no similar requirement if it conducts those analyses in-house with users’ social media information.  

The FCRA also poses limitations on these data combinations. If X or its partners were to use this rich, integrated dataset to make determinations as to users’ eligibility for credit, insurance, or employment, this could trigger the imposition of the duties associated with being a so-called “consumer reporting agency” and/or a “user” of consumer reports. However, if X were to limit its data use to only marketing, advertising, or other commercial purposes that fall outside FCRA’s credit, insurance, and employment categories—that is, all activities of X’s social media arm—then these duties would not attach. We note that there is also an exception in the law that allows for free sharing among corporate affiliates. 

X as a Payment Platform: Solvency Implications

In other ways, X’s foray into financial services is remarkably conventional. Like many other payment platforms, X’s payments functionality is likely to be a closed-loop system in which users can store funds, rather than one that does not hold customer cash for long periods. Indeed, Musk’s goal for the platform is that “you won’t need a bank account.”

Although the intention may be for X to be an alternative to banks, because payment platforms are not banks, users will not receive the benefits of bank regulations—a critical detail that may not be immediately apparent to users. Perhaps most notably, customers’ funds held on payment platforms are not insured by the Federal Deposit Insurance Corporation (FDIC), which covers deposits up to $250,000 per person per institution. Relatedly, if payment platforms fail, their customers are unsecured creditors last in line for reimbursement in bankruptcies that can last for months or years, whereas the FDIC resolves failed banks quickly without bankruptcy and banks’ depositors receive a statutory preference rendering their claims second only to the FDIC. Payment platforms’ customers may wait lengthy time periods just to learn that they received nothing at all.

Moreover, although payment platforms and banks face similar risks, including the risk that their customers will run by demanding their cash en masse, payment platforms do not have the same regulatory protections. In addition to protecting depositors when their institutions fail, deposit insurance also helps to limit customers’ incentives to run in the first place—a protection that payment platforms lack. Moreover, payment platforms do not have access to the Federal Reserve’s discount window, which allows solvent but illiquid institutions to remain going concerns in times of crisis.

Conclusion

X’s entry into payment systems demonstrates both the conventional challenges of operating a nonbank payment firm and novel issues arising from the convergence of social media and financial services. While state money transmitter laws and federal privacy regulations provide some oversight, the unique combination of payment and social media data, along with the lack of traditional banking protections for users, suggests that regulators may need to develop new or targeted approaches to address the distinctive risks posed by such a hybrid platform.

Matthew Bruckner is a Professor of Law at Howard University School of Law.

Christopher K. Odinet is a Professor of Law & Mosbacher Research Fellow at Texas A&M University School of Law.

Todd Phillips is an Assistant Professor at Georgia State University J. Mack Robinson College of Business.

---

¹ The applicable definition is drawn from the Bank Holding Company Act. See 15 U.S.C. § 6809(3); 12 U.S.C. § 1843(k); 12 C.F.R. § 1016.3(l)(1). See also 12 C.F.R. § 1016.3(l)(3)(i).

² 15 U.S.C. § 6802. The law’s only condition is that the financial institution indicate that it may disclose nonpublic personal information to affiliates in its privacy notice to consumers. 15 U.S.C. § 6802(a)(1); 12 C.F.R. § 1016.6. An affiliate is defined as “any company that controls, is controlled by, or is under common control with another company.” See 12 C.F.R. § 1016.3(a)(1).