Earlier this week, Facebook launched a small pilot of Novi, the digital wallet app that Facebook has had in the works for over two years, to “test core feature functions, and our operational capabilities in customer care and compliance” and to “demonstrate a new stablecoin use case (as a payments instrument) beyond how they are typically used today.” The pilot is available in the United States (other than Alaska, Nevada, New York and the U.S. Virgin Islands) and Guatemala. Novi wallets can hold and transmit the Pax Dollar (USDP), a stablecoin issued by Paxos.
We’ve dug into the details of the launch and provide our initial observations below.
According to David Marcus, head of Novi, the new payments app is intended to serve the 1.7 billion people that are unbanked worldwide and combat what can sometimes be the high costs and long wait times of sending international remittances for these individuals. According to Marcus, the pilot will allow consumers to send payments to anyone in most U.S. states as well as to individuals in Guatemala “instantly, securely, and with no fees.”
Structure and Connection To Facebook-backed Diem
Facebook launched this pilot without Diem, its long-planned stablecoin product (previously called Libra), which has faced significant pushback over the past few years from regulators worldwide. It appears that Facebook has yet to clear the regulatory hurdles that the company promised it would successfully navigate before launching Diem.
Thus, Facebook is launching this pilot with Paxos Trust Company, LLC, a New York-based financial institution, and using its stablecoin, the Pax Dollar (USDP), which is pegged 1:1 to the U.S. dollar and is backed by fiat currency held in insured depository institutions, debt instruments backed by the full faith and credit of the U.S. government or money-market funds invested in those instruments. Coinbase was selected to custody customers’ USDPs.
(Despite the substitution of USDP for Diem in this pilot phase, Mr. Marcus reaffirmed the company’s support for Diem, promising to launch Novi with Diem “once it receives regulatory approval and goes live.” He also stated that Facebook would in the future offer “cheaper merchant payments and make a profit on merchant services,” in addition to person-to-person payments, the subject of the pilot.)
Marcus’s statement about the pilot was relatively brief. The following provides a summary of what we know so far about this pilot program based on the disclosures on Novi’s website.
According to the Novi website, “there are no fees to add or send money to anyone with a Novi account. Simply add a debit card to put money in your account, and it’ll be converted to USDP. On Novi, 1 USDP is equal to 1 US dollar. Plus, Novi doesn’t add markups to exchange rates.” Recipients can then transfer to a bank account, pick up cash in their local currency or keep a balance securely in the app.
While Facebook is touting the lack of fees for this newly launched payment service, there may in fact be fees imposed at various steps in the transaction. For example, Novi’s terms of service reveal that “Your Payment Method provider may impose fees in connection with your use, or attempted use, of your Payment Method . . . Any fees imposed by Payment Method providers, or any other third party, may not be displayed in the Application or reflected on transaction receipts.” In the section of Novi’s website listing the state licenses it holds, there is a “State Disclosure” providing that “Recipient may receive less than the full amount sent by Sender due to fees and taxes charged by third party service providers.” It’s not immediately clear whether Coinbase will collect fees as a third party service provider in this arrangement.
Furthermore, the ability of a recipient to convert the cryptocurrency to his or her local currency and withdraw that amount in cash may come with fees, but Novi reveals few details about that process.
Indeed, Novi abdicates any and all responsibility over a consumer’s experience in seeking to withdraw cash with any of Novi’s so-called withdrawal partners:
Novi has a limited relationship with withdrawal location partners and does not control the experience, safety, security, or a withdrawal location’s ability to complete your transaction. Novi is not liable for any financial or other loss, damage, or injury (up to and including death and dismemberment) you may sustain while getting cash at a withdrawal location.We encourage you to take any and all reasonable steps to safeguard your person and property while getting cash.
Applicable Regulatory Framework
When Libra was first introduced by Facebook, lawmakers and regulators raised concerns that Facebook had not demonstrated a history of protecting consumer privacy or other interests or shown its ability to protect against financial crime. This raises the question: what has Facebook done, if anything, to resolve those concerns? What regulatory oversight will it be subject to?
So far, it looks like the Novi/Paxos/Coinbase venture will only be subject to state money transmitter requirements — meaning no federal approvals were sought or granted. Novi maintains a National Multistate Licensing System ID and holds 39 state money-transmitter (or similar) licenses, including one in Washington, D.C. As noted previously, Novi’s disclosures represent that the pilot is available in all states other than NY, Alaska, Alabama and the Virgin Islands. It is unclear whether Novi has applied for licenses in those states/territory. Thus, Novi is subject to regulation at the state level in at least those 39 states as a money services business (MSB) (or equivalent), although state money transmitter regulations are significantly less stringent than those applied to entities subject to federal banking regulations.
As at least one commentator has said “the bulk of the prudential regulation to which MSBs are subject is written, monitored, and enforced at the state level . . . [but this regulation] falls far short of the high standards set by . . . the more sophisticated” “conventional bank and MMF” regulatory frameworks.
Privacy and Information Sharing
Of course, underlying global regulators’ concern about Diem and Novi is their link to Facebook and its over 3 billion users. Given the size of Facebook’s reach, policymakers quickly became concerned that a payment tool offered by the company could raise significant systemic concerns on a number of fronts.
As noted, regulators have expressed significant skepticism about Facebook’s ability to protect consumers’ data and concerns about the company’s use of consumer data. Indeed, privacy concerns were a large factor in derailing Facebook’s original plans to launch Libra, the predecessor to the Diem stablecoin.
Thus, some information would clearly be shared among Novi and Facebook and other affiliates, although presumably with certain controls and restrictions in place.
Novi further provides that it uses customer information to provide, personalize and improve its services, promote safety, integrity and security, communicate with its users, advertise Novi’s services to its users, research and innovate for social good, and for legal purposes. Some of these categories could potentially allow for broad use of consumer data.
Novi says that it doesn’t sell its customers’ information, but “shares” data with people and accounts its customers transact with, vendors and service providers, affiliated companies (as described above), regulatory, law enforcement and judicial authorities, with a new owner if Novi changed ownership and third parties with customer consent.
Finally, Novi stores customer information “only for so long as reasonably necessary for the purposes” for which it uses the data and will use “appropriate technical, physical, and administrative measures to help protect [customer] information from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction,” including “firewalls and data encryption, as well as physical access controls to our buildings and files.”
Regardless of what disclosures or representations Novi makes about the security of customer data, ultimately Novi’s, and, more importantly, Diem’s data privacy and security practices must satisfy regulators’ expectations about how the company will safeguard this data; whether those expectations can be satisfied remains to be seen.
Further, regulators’ blessing of Facebook’s privacy and security controls does not appear to be imminent. Some regulators, at least, are still in the early stages of evaluating Facebook’s practices regarding the use and protection of consumer data. The CFPB, for example, yesterday took an initial step towards gathering additional information about how Facebook and other “Big Tech” companies operating in the payments ecosystem gather and use consumer payment data, ordering the companies to provide information on how they collect and monetize payment data and “manage data access to users so the Bureau can ensure adequate consumer protection.” The CFPB, which is technically a part of the Federal Reserve System, characterized this action as “one of many efforts within the Federal Reserve System to make payments safer, faster, and more competitive.”
Given that this data collection effort has just begun, it does not seem likely that the CFPB – or likely other regulators – is yet ready to deem Facebook’s data security practices as sufficient or to greenlight its issuance of Diem.
Facebook’s ability to combat financial crime was yet another significant concern raised by government authorities in 2019 when Facebook first proposed Libra. Novi describes its policies to combat financial crime on its website.
First, federal law requires all MSBs to register with the U.S. Secretary of the Treasury, bringing them within the purview of the Financial Crimes Enforcement Network (FinCEN), and Novi states that it is so registered. FinCEN delegates to the IRS the authority to examine MSBs for compliance with FinCEN’s AML regulations. Also, as a practical matter, state MSB licensing authorities can examine Novi for AML compliance.
Novi is “firmly committed to” combating “money laundering, the funding of terrorist activities, and other illicit conduct,” and has “implemented a risk-based global anti-money laundering compliance program designed to comply with the AML and sanctions laws.”
In addition, Novi “monitors transactions for potential fraud, suspicious activity, and sanctions evasion,” and does not offer services to “any individual or entity that is the subject of economic or trade sanctions administered or enforced by any Governmental Authority . . .” Novi also emphasizes that customers will be verified using valid government-issued photo IDs. However, additional details on Novi’s plans or programs to fight financial crime are not provided.
It is of course not clear from Novi’s descriptions alone whether Novi has established – or whether Diem will establish – a sufficiently robust BSA/AML compliance program to assuage policymakers’ previous concerns about Facebook’s proposed issuance of a stablecoin.
Immediate Congressional Response
The launch of this pilot program as a step towards that goal drew the immediate ire of five Democratic senators, who sent a letter to Facebook this week asking the company “to immediately discontinue your Novi pilot and to commit that you will not bring Diem to market.” The letter cited CEO Mark Zuckerberg’s 2019 testimony before the House Financial Services Committee pledging not to launch financial products such as these without U.S. regulatory approval, which Facebook has not received. Further, the senators asserted that “Facebook cannot be trusted to manage a payment system or digital currency when its existing ability to manage risks and keep consumers safe has proven wholly insufficient,” citing the recent disclosures from a Facebook whistleblower, the company’s “relentless pursuit of profits at the expense of its users,” and its failure to provide “a satisfactory explanation for how Diem will prevent illicit financial flows and other criminal activity.”
In sum, this latest development in Facebook’s drive to launch its own cryptocurrency does not seem to clearly answer any of the questions that regulators and policymakers have raised for the past several years – at least not on its face. In some ways, the pilot raises more questions than it answers.
 Novi does not have a money transmitter or similar license in any of these states or territories. Licenses | Novi.
 USDP-Examination-Report-September-2021-Published.pdf (paxos.com). Paxos received a conditional approval from the OCC to establish a national trust bank. That approval is subject to the review that Acting Comptroller Michael Hsu has initiated of regulatory actions taken prior to his appointment as head of the agency in June of 2021.
 Licenses | Novi.
 Terms of Service | Novi.
 Licenses | Novi. The “precise term [of a money transmitter] varies across regulatory frameworks: with some calling these firms “money services business,” others “money transmission businesses,” and others “money remittance businesses.” See Bad Money (ssrn.com) at 46, n. 174.
 See Bad Money (ssrn.com) at 47. For example, Awrey notes that state MSB “requirements typically contemplate a relatively thin layer of protection in comparison with bank capital requirements.” See id. At 48.
 See, e.g., “Joint statement on global privacy expectations of the Libra network,” in which data privacy commissioners from Australia, Albania, Burkina Faso, Canada, the EU, the U.K., and the U.S., highlighted their concerns “about the privacy risks posed by the Libra digital currency and infrastructure . . . The involvement of Facebook Inc. as a founding member of the Libra Association has the potential to drive rapid uptake by consumers around the globe, including in countries which may not yet have data protection laws in place. Once the Libra Network goes live, it may instantly become the custodian of millions of people’s personal information.” Joint statement on global privacy expectations of the Libra network (ico.org.uk).
 Awrey, n. 178, citing 31 U.S.C. § 5330 (2018); Licenses | Novi.
 Terms of Service | Novi.
 “. . . (including but not limited to the lists maintained by the United Nations Security Council, the Office of Foreign Assets Control of the U.S. Department of the Treasury, the European Union or its Member States, or other applicable Governmental Authority).” Although, these terms exclude “any such comprehensive sanctions that, if complied with, could cause Novi to violate U.S. anti-boycott laws.” Terms of Service | Novi.