
For years, compliance teams at financial institutions have operated in a world defined by a steady cadence of new rules, expanded supervision, and an increasingly active enforcement environment. The landscape is changing fast. But the regulations themselves haven’t changed.
The Consumer Financial Protection Bureau (CFPB) has undergone significant disruption in recent years. Acting Director Russell Vought moved quickly to scale back the agency, seeking deep staff reductions, canceling major vendor contracts, and initially attempting to halt new funding requests from the Federal Reserve. Courts blocked that effort and ordered the agency to remain funded, leading Vought to request $145 million in January 2026 and an additional $75.8 million in March to keep the CFPB operating.
At the same time, the CFPB pulled back from numerous enforcement matters and signaled a narrower regulatory posture. The current focus appears more concentrated on clear-cut consumer harm cases, particularly fraud involving identifiable victims and measurable damages, while broader rulemaking and supervisory activity have slowed.
The rulemaking picture tells a similar story. Several high-profile CFPB protocols covering credit card late fees, buy now pay later, the nonbank registry, and nonbank digital payments have been paused, withdrawn, or overturned. Other major regulations, including Section 1033 (open banking) and Section 1071 (small business lending data), continue to evolve. In May 2026, the CFPB revised the 1071 rule to delay compliance to 2028 and significantly narrow its scope by raising coverage thresholds, excluding additional transaction types, and reducing required data fields. The revision highlights a broader shift toward more measured, less expansive regulatory requirements, even as rulemaking remains active. The Section 1033 rulemaking remains active but uncertain, with implementation timelines, scope, and technical standards still subject to ongoing revision, stakeholder input, and potential legal challenge.
While the formal pipeline remains active, with multiple rules in the early, proposed, and final stages, the path forward is far less certain. Staff reductions and lawsuits from both industry groups and consumer advocates are slowing progress and creating added uncertainty. This is a significant shift. But financial institutions that interpret it as a green light to ease up on compliance may be misreading the moment.
The rules are still the law.
A quieter CFPB does not mean less regulation. It means regulation is increasingly shifting to the states. In many cases, states are moving quickly to fill the gap.
Attorneys general now play a larger enforcement role, while state legislatures continue passing consumer protection laws covering junk fees, buy now pay later products, data privacy and more. Colorado, for example, became the first state to enact a comprehensive AI consumer protection law in 2024 and later revised it in 2026. Numerous other states have passed laws or regulations governing AI use.
For compliance teams, the challenge is not getting smaller; it is just getting more complex. Instead of one primary federal framework, companies face a growing patchwork of state-by-state rules. Multi-state transactions, varying foreclosure laws, community property rules, and conflicting legal standards all require close attention. Federal deregulation does not eliminate that complexity.
The Case for Discipline in a Deregulatory Moment
Refocusing on fundamentals is not a license to do less; it is a mandate to do the right things with greater precision and discipline. The fundamentals that have underpinned financial institutions, such as safety, soundness, and consumer protection, remain the standard against which compliance programs will be measured. Consumer mortgage compliance remains a top enforcement priority, while CRA and HMDA review policies are among the areas flagged for ongoing attention. Financial institutions that have allowed foundational compliance programs to drift during a period of regulatory flux may find that the basics were never as optional as they appeared.
This is where technology becomes not just a convenience but a strategic imperative. Modern cloud-based compliance infrastructure, built to automate regulatory updates, manage multi-state complexity, and maintain consistency across loan documentation and disclosures, enables financial institutions to absorb rapid regulatory changes without driving operational chaos. When a statute or regulation is vacated or revised, that change should spread automatically across workflows, not require months of manual remediation. When state law imposes requirements different from federal law, the system should enforce the change or flag it, rather than rely on a compliance officer to catch it.
What Finastra consistently observes is that financial institutions with the strongest compliance frameworks are not those with the largest compliance teams, but those that have invested in systems that enable consistent, adaptable compliance at scale. There is a growing belief that AI will be an important part of the platforms and systems financial institutions rely upon.
AI, applied thoughtfully within a clear policy framework and with human oversight, makes the platforms financial institutions rely on more powerful. The key word here is "thoughtfully." As AI regulation evolves at both the state and federal levels, financial institutions need clear internal AI policies. The basics of compliance apply regardless of whether AI is involved. Does your financial institution have a formal AI policy? If not, that needs to be the first agenda item. If yes, now is the time to stress-test it against the realities of current state-level AI laws and the shifting federal framework.
What this moment demands
The current CFPB era is not a reprieve, but a recalibration. Financial institutions that thrive in this environment will be those that resist the temptation to associate reduced federal enforcement activity with reduced regulatory risk, that account for state-level developments with the same diligence applied to federal rulemaking, and that build compliance infrastructure durable enough to handle whatever comes next. The one certainty in compliance is that what comes next will be different from what came before.
Back to basics without backsliding is the mandate for compliance in 2026 and beyond.
By: Jay Jennings, Senior Director, Compliance Counsel for Lending, Finastra




