I grew up in a small town and farming community 40 miles outside of Oklahoma City. At that time, we had 3 stop lights, a Sonic, a Pizza Hut, and a fantastic old-time burger shop that served ready-made burgers hot off the grill. I worked at the family’s car dealership, doing whatever needed to be done including selling tractor and combine parts to local farmers needing the parts to fix their decades old tractors and combines during the summer wheat harvest. Oftentimes you’d hear an old farmer say: “Make hay while the sun is shining.” This expression means that farmers should take advantage of a sunny day to cut their hay because if it were to rain, it would prevent them from doing so. It’s a good reminder that when conditions are favorable, you don’t wait – you act. In the world of consumer financial services compliance, that saying perfectly captures where many auto finance companies find themselves right now.
After years of headline-grabbing CFPB enforcement actions, regulation by enforcement, and rapid regulatory changes, the current regulatory and enforcement environment for auto sales and finance feels—at least for the moment—more stable. That doesn’t mean enforcement has disappeared or that regulators have packed up their briefcases. But it does mean that many companies are experiencing a rare and valuable commodity: breathing room.
And breathing room is exactly when smart companies invest in compliance—not because they are being forced to, but because they finally can. Feel that warmth on your skin from the sunshine? Now is the time to make hay while the sun is shining.
A Rare Window of Opportunity
Let’s be honest: most major compliance overhauls don’t happen during crisis. They happen after the crisis, when leadership finally has the time and bandwidth to reflect and rebuild. Over the past several years, auto finance companies have had to navigate several challenges: aggressive enforcement by both federal and state regulators; rapid technology adoption, such as the increasing adoption and use of artificial intelligence; increased scrutiny around data security and privacy; new risks from marketplace participants; brain-drain from turnover and lack of qualified staffing; and political and regulatory uncertainty.
In many companies during this period, compliance became reactive. Employees were constantly in response mode; responding to regulator examinations, responding to regulators’ demand for information, responding to consumer complaints, and responding to the onslaught of new federal regulations.
Right now, for many companies, that constant emergency pace has slowed just enough to offer a brief window for proactive work. However that window will not stay open forever.
Compliance Is Easier When You’re Not Under Fire
One of the hardest truths about compliance is that it is often most difficult to build out when you need it the most. When a regulator shows up onsite, when a Civil Investigative Demand hits, or when a class action complaint is served, you’re immediately in reactive mode. There’s no time to carefully prepare and fully develop needed policies and procedures; clean up legacy practices; fix documentation gaps; improve vendor oversight; train staff properly; or conduct your own internal compliance audit.
Instead, everything becomes rushed. Decisions are made under pressure. Mistakes get baked into systems. And companies often end up paying far more in legal or consultant fees, remediation costs, penalties, and reputational damage than they would have ever spent building compliance correctly on the front end.
The companies that emerge strongest from regulatory scrutiny are almost always the ones that invested during calm periods—not crisis periods.
The Illusion of “We’ll Get to It Later”
A common mindset persists in auto financial services companies: “We know we need to update compliance, but we’ll get to it later when things slow down.” However, the problem is simple: things never really slow down. There’s always pressure to increase revenue, staffing turnover, a new product launch, etc. Later rarely arrives. And when it finally does, it often comes in the form of a regulatory inquiry or action – exactly the worst possible timing.
Enforcement Trends Still Matter—Even During a “Calm” Period
Even when enforcement headlines cool off, like what’s currently happening with the CFPB, regulators are still watching. In fact, these calm periods are often when agencies develop new rulemakings; analyze complaint data; build investigative pipelines; test legal theories; coordinate with other state regulators, and make plans for another day (e.g., when administrations change). By the time enforcement actions become public, the strategies behind them have usually been in development for years. Companies that wait for the next wave of enforcement actions to start preparing are already behind.
What “Making Hay” Looks Like in Compliance
Using this moment wisely doesn’t require tearing everything down and starting from scratch. For most companies, it means focusing on the fundamentals that too often get neglected during busy periods.
Here are some practical examples of what “making hay” in compliance can look like right now:
- Policy and Procedure Refresh
Many companies are operating under policies and procedures that were drafted many years ago and never updated. A controlled review of policies and procedures, without the pressure of an active regulator investigation, pays enormous dividends.
- Vendor Oversight
Third-party risk continues to be one of the fastest-growing compliance exposures. Fintech partners, marketing vendors, lead generators, payment processors, and service providers can all create liability for an auto finance company. Now is the time to re-diligence vendors, especially your critical vendors, confirm vendor licensing, confirm consumer complaint history and reporting, update your vendor contracts, and review your vendor’s own policies and procedures.
- Complaint Management as an Early Warning System
Consumer complaints are not just customer service issues; they are regulatory intelligence. If you haven’t properly defined a “complaint” or your complaint data is not being categorized correctly, reviewed by compliance personnel, reported to organization leadership, and used to drive corrective action within your company, then you’re sitting on valuable risk intelligence without using it. A strong complaint management program can catch compliance issues months or years before a regulator (or a plaintiff’s attorney) does.
- Testing, Audits, and Monitoring
Self-testing during quiet periods allows companies to find and fix issues privately. Testing under pressure rarely produces clean results.
Leadership Sets the Tone—Especially During Calm Periods
One of the greatest compliance risks isn’t broken rules; it’s misaligned priorities. When leadership treats compliance as something that only matters when regulators are watching, that message travels fast (and far) through the organization. The strongest compliance cultures are built when leadership invests during peaceful periods—not panic periods. That sends a powerful message: compliance isn’t about fear. It’s about professionalism, sustainability, and trust.
The Cost of Wasted Sunshine
Companies that fail to use calm periods wisely often repeat the same cycle: regulatory scrutiny increases, panic sets in, emergency fixes are rushed, costs explode, the crisis fades, investment stops, and the next crisis begins (again). This “boom-and-bust” approach to compliance is expensive, inefficient, and exhausting for everyone involved.
Contrast this approach with companies that steadily invest during quiet periods. They will typically experience fewer emergencies, lower enforcement risk, have more predictable spending, stronger regulator relationships, and greater employee confidence (and, dare I say greater employee retention).
Preparing for the Next Shift—Not the Last One
One of the biggest mistakes companies make is preparing for the last enforcement action instead of the next one. Political priorities shift. Enforcement theories change. Rules and administrative opinions evolve. Administrations change. New risks emerge.
The companies that thrive are not the ones chasing yesterday’s problems. They’re the ones building adaptable compliance programs that can flex as the compliance and regulatory environment changes. That work happens during calm periods—not crisis periods.
The Sun Never Shines Forever
History teaches us one consistent lesson about regulation: no calm period lasts forever. We’re in a relatively sweet spot where the CFPB is in “timeout” and many states haven’t picked up their enforcement mantle – yet. The only question is when conditions will change – not if.
This moment – right now – is when auto finance companies have the time, budget clarity, leadership bandwidth, and regulatory breathing room to invest in doing things correctly. Waiting may feel comfortable. Delaying may feel harmless. But the cost of inaction compounds quietly in the background.
So if the sun is shining for your company right now, don’t admire the weather. Make hay.
Previously published in Non-Prime Times.
