Federal deregulation doesn’t mean compliance professionals can relax. CCI contributing writer Carrie Pallardy investigates the implications of a weakened Consumer Financial Protection Bureau and why finserv compliance experts recommend maintaining robust programs despite federal pullbacks, from the threat of state enforcement to reputation risk.
In just the past couple of months, the Consumer Financial Protection Bureau (CFPB) has dropped a lawsuit over the payment app Zelle, a case against Capital One accusing the bank of cheating customers out of interest payments and a half-dozen other actions against student loan servicers, credit card companies, mortgage lenders and other financial institutions. Meanwhile, a judge’s injunction in mid-April halted the planned layoffs of 90% of the agency’s workforce, a cost-cutting effort spearheaded by Elon Musk and his DOGE operatives; that case remains ongoing.
With the day-to-day operations of the CFPB in a state of flux, predicting what could happen next may be a fool’s errand, said Jonathan Kolodziej, a partner at Bradley Arant Boult Cummings and co-leader of the law firm’s CFPB practice.
“It’s all very fast and hectic right now, and I think … we just have to let the dust settle. I don’t think anyone truly knows what [exact plans] the Trump Administration [has for] the CFPB,” Kolodziej said.
What remains clear, financial sector observers and experts told CCI, is that finserv firms hoping to reduce their focus on compliance could be in for a rude awakening, whether from state enforcers or simply because of the added complexity created by the CFPB’s absence.
And of course, the CFPB is not the only federal agency being affected by the Trump Administration’s push for deregulation. The DOJ has paused enforcement of the FCPA, and the Treasury Department suspended enforcement of Corporate Transparency Act (CTA) beneficial ownership reporting requirements for US citizens and domestic entities.
In this chaotic landscape, corporate compliance teams must consider the regulatory gaps that couls arise — with the potential for more shakeups in the future in the wake of last summer’s Loper Bright ruling overturning Chevron deference.
State enforcement
The CFPB may not be wielding its enforcement power like it has in the past, but states have enforcement power in many cases. Just prior to the change in administrations, the CFPB released recommendations on state-level consumer protections.
“Smart compliance departments are already mapping key risks that are associated with state authorities, and they should be expecting … in my opinion, an uptick in regulatory activities in the states,” said Ana Petrovic, director of financial services compliance and regulation at advisory firm Kroll.
In 2022, the CFPB issued an interpretive rule explaining state authority to enforce federal consumer financial protection laws. According to that rule, states can enforce the Consumer Financial Protection Act; they can coordinate on an enforcement action with the CFPB, but they can also act independently: “A state may also bring an enforcement action to stop or remediate harm that is not addressed by a CFPB enforcement action against the same entity,” the rule says.
Increased state enforcement could keep teams previously focused on CFPB enforcement hard at work.
“The individuals that are already in those roles will need to shift to learning and having the ability to identify the state laws,” said Janet Hale, senior managing director at FTI Consulting.
Some states are looking to step into the void left by the CFPB with new legislation. In Illinois, State Sen. Mark Walker, a Democrat, introduced a bill that would strengthen consumer financial protection laws in the state. “Buy now, pay later” loans garnered CFPB scrutiny in 2024, and New York lawmakers have attempted to introduce oversight in their state with a series of bills.
‘At Times of Stress, People Make Stupid Decisions’: Why FCPA Interlude Demands Greater Vigilance
Training and communication remain critical as future of anti-corruption enforcement is murky
Varied impact on compliance teams
The size of a compliance team will vary depending on the individual enterprise, but in some organizations, entire teams may be dedicated to complying with the CFPB’s rules, Hale said.
“There are large departments that are fully staffed to support CFPB compliance,” said Hale, who worked in corporate risk management and compliance roles at KeyBank prior to her career in consulting and helped to manage a CFPB examination.
On the surface, the agency dropping lawsuits and signaling a lighter enforcement touch could suggest a reduced workload for teams focused mostly on CFPB compliance. Plus, the change in course for the CFPB could mean that certain proposed or recently finalized rules may not come to fruition.
“There is all manner of ways those rules could be challenged and will be,” said Michele Alt, cofounder and partner of the advisory and investment firm Klaros Group. “I wouldn’t spend a lot of money building complex compliance functions or processes for rules … that are unlikely to ever see actual implementation.”
For example, the CFPB finalized a rule on personal financial data rights, which activates Section 1033 of the Consumer Financial Protection Act, in October 2024. But large institutions do not have to comply until April 1, 2026, while compliance for small institutions stretches out to April 1, 2030. But it’s unclear if those dates will ever actually have meaning.
So, does a lighter workload mean corporate compliance professionals focused on CFPB compliance risk losing their jobs? With states’ enforcement ramping up, probably not. People in these roles will need to pivot to understand those laws and manage the stress that inevitably comes with significant uncertainty, observers said.
They may face even more complexity in their roles, as they will need to navigate many laws across different states — the age-old challenge of a regulatory patchwork.
Compliance teams at organizations with strong regulatory change management programs may be in a better position to handle the kind of reshuffling necessitated by the upheaval of the CFPB and federal regulatory agencies in general, Hale said.
“Compliance officers generally manage the … regulatory change management program, which is tasked with identifying new laws and regulations, knowing which line of business it affects, which policies it affects, what processes need to be revisited, who may implement that new regulation, who’s going to test that new regulation,” she said.
An organization with an established program in place will be able to direct compliance staff where they are needed, and enterprises may take the CFPB’s withdrawal from enforcement as an opportunity to examine how they manage regulatory change and look for ways to become more efficient.
“If an institution is looking to cut costs … and create more efficiencies, they should probably look at processes that are tangential to compliance, just to ensure that they’re not siloed or duplicated,” Hale said.
Financial institutions may also be in the position to add more talent to their compliance teams. The mass layoffs and firings happening at federal agencies, not just the CFPB, are flooding the job market with talent. State and local governments are leaping at the chance to hire those federal workers, and financial institutions could potentially benefit, too.
“There are some very, very smart and capable people out there that are likely looking for a new role. Hopefully financial institutions will scoop them up,” Hale said.
Enforcement actions aren’t the only threat
Compliance teams will have plenty to keep them busy. In addition to state authorities, compliance departments should keep private rights of action in mind.
“If … a provider violated a law, didn’t provide us a protection or a right that we have under federal law, we oftentimes have the right to sue them to enforce compliance and recoup damages or penalties,” Kolodziej said. “So, that certainly isn’t going away just because the bureau isn’t quite as forceful or active as it has been.”
Entities subject to the laws historically enforced by the CFPB also have to consider statutes of limitation.
“The decisions and activities that these institutions take today, they may be held accountable for in the future assuming it’s within the statute of limitation,” Petrovic said.
Even as the administration embraces deregulation, that does not mean that risk vanishes.
“Fewer regulators does not mean fewer risks,” Petrovic said. “When you think about risk, it’s not just regulatory enforcement risk. It’s reputational harm, consumer good will, competitive advantage.”
In many cases, compliance with consumer protection laws is good for your brand, regardless of whether enforcement is at play.
“There shouldn’t be any sort of complacency or assumptions that just because enforcement is not at work that the regulations still don’t exist,” Petrovic said. “For in-house compliance departments, this is the time to not pump the brakes but hit the gas pedal.”
Navigating the upheaval
The fate of the CFPB is far from settled, but it does seem likely to exist in a scaled-back version under the current administration, given that it was established by an act of Congress.
“Whatever the resulting agency or legal framework that we see, I think it will be leaner in terms of people, and I think there will be more reliance on technologies,” Alt said. “If you’re, say, a chief compliance officer, who’s your counterpart at the agency? Who are you interacting with? That could look very different.”
Compliance professionals will have to figure out how to interact with a leaner CFPB, if it exists, and they should stay abreast of state enforcement that comes into play and consider the risks of another big regulatory swing in the future.
“I think uncertainty requires compliance professionals,” Kolodziej said.