Is The California DFPI The New CFPB?

The California Department of Financial Protection and Innovation (DFPI) has clearly become more active and aggressive in the last few years, and whether it has “gone too far” really depends on whose perspective you take: consumers or regulated firms.

What DFPI is doing now

• DFPI’s powers expanded under the California Consumer Financial Protection Law (CCFPL), allowing it to police “unlawful, unfair, deceptive, or abusive acts and practices” across a broad range of financial products, including many that used to be lightly regulated (debt collectors, credit repair, fintech products, some crypto services).

• Its 2024 activity included nearly 700 CCFPL-related investigations, over 200 public enforcement actions (about a 12% increase from the prior year), and millions of dollars in penalties and consumer restitution.​

• It has brought cases against mortgage lenders, consumer lenders, student loan debt relief companies, and digital asset/crypto businesses for alleged overcharging, unlicensed activity, and abusive practices.

Arguments that DFPI is too aggressive

Industry groups and some businesses argue DFPI is overreaching in several ways:

• Broad UDAAP authority: The open‑ended nature of “unfair, deceptive, or abusive” gives DFPI wide interpretive discretion, which can make it hard for companies to know in advance what conduct will trigger enforcement and can feel like regulation by enforcement rather than clear rules.

• Crypto and innovation concerns: California’s Digital Financial Assets Law (sometimes referenced with AB‑2269) and related licensing expectations empower DFPI to license and sanction crypto businesses, including limits on stablecoins and significant potential daily fines, which industry groups say create an “onerous, uncertain, and expensive licensing regime” and could drive innovators out of the state.

• Volume and size of penalties: DFPI has secured multi‑million‑dollar penalties and restitution orders (for example, actions against mortgage lenders and other finance companies for excess interest, fees, or servicing issues), and trade and law‑firm commentary notes a pattern of DFPI “repeatedly” using its authority to challenge pricing and fee structures.

For a lender, servicer, or crypto platform, especially a smaller one, this pattern can feel like DFPI has gone beyond basic consumer protection into heavy‑handed deterrence that raises compliance costs and business risk.

Arguments that DFPI is appropriately tough (or not tough enough)

From the consumer and enforcement perspective, the same facts are framed very differently:

• DFPI was explicitly created and expanded to be California’s state‑level counterpart to the federal CFPB, after concerns that federal enforcement had softened in some periods.

• Many cases involve clear consumer harms: overcharging interest or per‑diem mortgage interest, unlawful fees for student loan “debt relief,” unlicensed debt collection with threats on time‑barred debts, or failure to provide required disclosures and validation notices.

• In 2024 alone, DFPI reports hundreds of investigations and actions that generated penalties and refunds for consumers, and the agency portrays this as fulfilling its legislative mandate to protect Californians from predatory practices in a rapidly evolving financial market.

From this vantage point, DFPI is doing what the legislature asked it to do: step in where gaps exist, especially around newer products (fintech, crypto, student‑loan relief services) and historically problematic sectors (debt collection, high‑cost lending).

How to think about “gone too far” for your situation

• Right now, the best neutral description is: DFPI is in a high‑enforcement phase with broad statutory tools; some businesses see this as overreach, while policymakers and consumer advocates see it as overdue oversight in a state with a lot of financial innovation and a large vulnerable consumer base.

Several recurring criticisms have emerged about DFPI enforcement, mostly from industry, trade groups, and regulatory commentators.

“Regulation by enforcement”

• Commentators argue DFPI often relies on broad “unfair, deceptive, or abusive acts or practices” (UDAAP) standards instead of issuing detailed, prospective rules, making it hard for firms to know what is prohibited until an enforcement action lands.

• This is described as “regulation by enforcement,” similar to criticism of the CFPB, where policy is effectively made through consent orders and complaints rather than clear guidance.

Breadth and retroactivity concerns

• DFPI’s new UDAAP rules now reach some commercial and small‑business financing, not just consumer products, which critics say significantly expands its reach beyond traditional consumer protection.

• Legal alerts note concern that DFPI may try to apply its UDAAP authority to conduct that occurred before certain rules took effect, by tying it to other laws like California’s Unfair Competition Law, raising fears of quasi‑retroactive enforcement and larger penalty exposure.

Size and leverage of penalties

• DFPI can seek civil penalties similar to the CFPB’s, including per‑day violation penalties, which can add up quickly and put substantial settlement pressure on companies even when liability theories are contested.

• Some enforcement actions seek or extract large penalties and restitution (e.g., six‑ or seven‑figure amounts in consent orders with lenders and fintechs), which industry lawyers describe as aggressive given the legal uncertainty around newer products or business models.

Unclear standards for fintech and “true lender” theories

• In actions against fintech platforms, DFPI has alleged that the platform—not its partner bank—is the “true lender” based on who holds the economic interest, performs underwriting, and services loans.​

• Critics say this approach creates uncertainty for bank‑fintech partnerships, because DFPI has not issued detailed rules on when a fintech becomes the “true lender,” yet is willing to seek very large penalties using that theory.

Crypto and digital asset enforcement

• With the Digital Financial Assets Law and focused actions against crypto kiosks and platforms, DFPI has signaled a strict stance on licensing, fees, and compliance.

• Crypto industry voices argue the combination of licensing requirements, high potential penalties, and enforcement sweeps risks chilling innovation and making California a particularly difficult jurisdiction for digital‑asset firms, especially smaller operators.

DFPI was explicitly designed as a “mini‑CFPB,” and its enforcement tools look very similar, but it operates on a smaller, state‑focused scale and tends to concentrate more on California‑specific markets and newer business models like fintech and crypto.

Legal powers and standards

• Both DFPI and CFPB use the same UDAAP standard (“unfair, deceptive, or abusive acts or practices”) as a core enforcement hook, allowing broad actions across many types of financial products.

• Like the CFPB, DFPI can bring civil and administrative cases, issue subpoenas, demand reports, and seek rescission, restitution, disgorgement, damages, and public orders limiting a company’s activities.

Penalties and remedies

• DFPI’s authorizing law allows civil money penalties up to about 1 million dollars per day for knowing, continuing violations, mirroring the top CFPB penalty tier.

• At the federal level, CFPB enforcement has produced roughly 19.7 billion dollars in consumer relief and 5 billion dollars in civil penalties through early 2025, illustrating a much larger overall footprint given its national jurisdiction.

Scope and who they target

• CFPB covers most consumer‑facing financial products nationwide (large banks, card issuers, major mortgage and auto lenders, big debt collectors and credit reporting agencies, large fintechs), and often focuses on “too‑big‑to‑ignore” institutions like Wells Fargo, large payment apps, and national mortgage companies.

• DFPI focuses on entities serving California consumers, including many that might be small or mid‑sized nationally: state‑licensed lenders and servicers, debt collectors operating in California, fintech partnerships, and digital‑asset firms offering services to Californians.

Aggressiveness and strategic focus

• Commentators describe DFPI as being structured and funded to enforce “aggressively and independently,” with a goal of making California a leading state‑level consumer regulator, not a passive follower of the CFPB.

• CFPB, especially under recent leadership, has also been aggressive, but with a strong emphasis on very large, repeat‑offender institutions and big systemic issues (e.g., multi‑billion‑dollar cases against major banks, payment apps, and high‑profile fintechs).

Practical implications for companies

• A company offering consumer financial products in California can face both CFPB and DFPI scrutiny, with similar legal theories (UDAAP, servicing abuses, junk fees) but different case selection and priorities.

• Compared to CFPB, DFPI may be more likely to investigate smaller or niche providers that are significant in California but not large enough to be a federal priority, especially in areas like state‑licensed lending, local debt collection, and crypto kiosks or platforms that target Californians.