CFPB Under the New Administration: What Changed and What Still Matters

TL;DR

  • CFPB Director Rohit Chopra was fired on February 1, 2025; acting director Russell Vought ordered the agency to halt supervision, stop investigations, and withdraw nearly 70 guidance documents
  • 40+ enforcement actions were dismissed — including cases against Apple, US Bank, PayPal, and Regions Bank — with no public explanation
  • What’s still active: Military Lending Act enforcement (explicit Trump CFPB priority), bank partner CMS reviews via OCC/FDIC, and state AG enforcement under Dodd-Frank Section 1042
  • 23 states have invoked Section 1042 authority; state attorneys general from California, New York, and others are actively filling the federal enforcement void
  • Don’t dismantle your consumer compliance program — it’s still required by bank partners and is now your primary protection against state AG exposure

The CFPB’s director was fired in February 2025. The agency halted supervision and examination activity. It dropped more than 40 enforcement actions — many without a word of public explanation. It withdrew nearly 70 guidance documents, and the White House proposed slashing its staff from 1,689 to 207 employees. A congressional resolution voided its large nonbank supervision rule. Courts have blocked some of the staff cuts, but the direction is unmistakable.

For fintech compliance officers, the temptation is to take this as permission to deprioritize consumer protection compliance.

That would be a mistake. Here’s why — and what the enforcement landscape actually looks like right now.

What Happened: The Timeline

February 1, 2025: President Trump fired CFPB Director Rohit Chopra and appointed Treasury Secretary Scott Bessent as acting director. Within days, OMB Director Russell Vought took over as acting director.

February 8, 2025: Vought directed CFPB staff via email to cease all supervision and examination activity, suspend effective dates on finalized-but-not-yet-effective rules, stop all investigative work, and commence no new investigations. Two senior officials — supervision head Lorelei Salas and enforcement head Eric Halperin — resigned shortly after.

February–March 2025: The bureau began dismissing enforcement actions inherited from the Biden era. Companies that had been subject to active investigations or consent orders saw those matters closed or paused. The CFPB dismissed cases against PayPal and Google Payment, granted early consent order terminations for Apple, US Bank, and Regions Bank, and withdrew more than half of its pending litigation portfolio.

May 2025: The CFPB rescinded nearly 70 guidance documents, the majority issued under Director Chopra. Separately, the bureau rescinded its May 2022 interpretive rule on state enforcement authority under Dodd-Frank Section 1042, narrowing the interpretation of what laws states can enforce directly. Trump also signed a congressional resolution voiding the CFPB’s large nonbank supervision rule.

2025–2026: Courts have blocked the White House’s attempt to cut CFPB staff from 1,689 to 207. The GAO detailed CFPB reorganization, funding cuts, and ongoing litigation in early 2026. Former CFPB staff have moved to state attorney general offices and state regulatory agencies.

What Actually Got Eliminated

To understand what still matters, it helps to be precise about what’s gone.

40+ active enforcement cases were dismissed without public explanation. Companies that had been the subject of investigations — some going back years — received essentially a clean exit with no formal findings and no consumer redress.

Nearly 70 guidance documents were rescinded. This includes several that expanded the scope of the CFPB’s public complaint database and a number of supervisory bulletins from the Chopra era. Importantly, guidance document rescission doesn’t change underlying statutory or regulatory obligations — it removes the CFPB’s interpretive gloss on those obligations.

The large nonbank supervision rule was voided. This rule would have expanded CFPB supervision authority over large nonbank consumer financial companies. Its elimination reduces CFPB’s direct oversight scope for nonbank fintechs.

New investigations suspended. The CFPB has paused opening new investigations into potential consumer protection violations. This doesn’t mean state-level investigations have paused.

The Section 1042 interpretive expansion was rescinded. The 2022 interpretive rule had taken the position that states could enforce any of the 18 enumerated federal consumer financial laws through Section 1042. The May 2025 rescission narrows that: under the current CFPB interpretation, states can enforce CFPA Title X (the Consumer Financial Protection Act itself, including UDAAP) but not necessarily all 18 enumerated statutes.

Note what isn’t on this list: the underlying Dodd-Frank statutory requirements. Section 1031 (which prohibits unfair, deceptive, or abusive acts or practices) hasn’t been repealed. The TILA, ECOA, FCRA, and other federal consumer financial laws haven’t changed. The CFPB has simply chosen not to enforce them aggressively.

What’s Still Active

Military Lending Act Enforcement

The Trump CFPB has been explicit: servicemember protections are a priority. The CFPB’s chief legal officer issued a memorandum in April 2025 identifying 11 enumerated enforcement priorities, with protecting military servicemembers and their families listed first.

This isn’t just words. The bureau reached a settlement with MoneyLion and its subsidiaries for Military Lending Act violations in November 2025, and a settlement with FirstCash for MLA violations in July 2025. Active MLA litigation continued in federal court.

Both Republican and Democratic administrations have historically enforced servicemember protections vigorously. Any company offering credit products to military personnel should treat MLA compliance as if the enforcement environment hasn’t changed — because in this particular area, it hasn’t.

Bank Partner and Prudential Regulator Oversight

The CFPB pullback doesn’t affect OCC, FDIC, or Federal Reserve examination activity. Banks chartered by the OCC — and by extension, fintech programs operating under OCC-chartered bank sponsors — remain subject to full consumer compliance examinations. Those examinations cover UDAAP, CMS, consumer complaint management, and fair lending.

If your fintech operates through a bank partner, the bank’s examination results reflect on your program. A bank with a deficient consumer compliance rating from its OCC examiner will push the remediation obligation directly to its fintech partners. The CFPB pulling back at the federal level doesn’t change what your bank sponsor’s charter requires.

This is the practical reason why compliance officers at bank-sponsored fintechs cannot deprioritize consumer compliance: the enforcement signal hasn’t come from their direct regulator.

State Attorneys General Under Dodd-Frank Section 1042

This is where the CFPB pullback matters most — and where the enforcement story is moving.

Dodd-Frank Section 1042 gives state attorneys general authority to bring civil actions to enforce federal consumer financial laws. Approximately 50 actions have been filed under Section 1042, with 23 states participating in at least one action — from California and New York to Texas and Arkansas.

As the CFPB has scaled back, state AGs have accelerated. Former CFPB supervisory and enforcement staff have joined state AG and regulatory offices, bringing federal-level expertise to state enforcement programs. California’s AG and New York’s AG in particular have been explicit about their intent to fill the federal enforcement void.

Yes, the CFPB narrowed its Section 1042 interpretive rule in May 2025 — states can now only definitively enforce CFPA Title X under that interpretation, rather than all 18 enumerated statutes. But courts have not definitively settled the scope of Section 1042, and states are continuing to invoke it. The Mayer Brown analysis from August 2025 is direct: expect increased state consumer finance enforcement.

For a fintech operating in California, New York, Illinois, or any of the states with active AG offices, the enforcement environment for consumer protection is, if anything, more intense than it was before the CFPB pullback, not less.

The Compliance Program Calculus

Here’s the honest practical reality: the consumer compliance obligations that the CFPB historically enforced haven’t disappeared. They’ve shifted.

The shift looks like this:

Previously | Now
CFPB direct supervision of large nonbanks | Reduced / eliminated for many nonbanks
CFPB enforcement of UDAAP against fintechs | Significantly reduced
OCC/FDIC consumer compliance exams for bank partners | Unchanged
State AG enforcement of consumer protection | Increasing
Bank partner due diligence requirements | Unchanged
MLA enforcement | Unchanged (explicit priority)

The temptation to read the first two rows and decide consumer compliance is now optional ignores the last four rows entirely.

There’s also a reversion risk: compliance programs that are dismantled now are expensive to rebuild when the political environment shifts. Consumer protection has historically been a bipartisan enforcement priority at the state level and often at the federal level. The CFPB’s current posture reflects a specific administration’s priorities — not a permanent change in the legal landscape.

What This Means for Your UDAAP Program

The UDAAP risk assessment framework published by the CFPB is still the operative standard for what unfair, deceptive, and abusive practices look like. The standards under Section 1031 of Dodd-Frank haven’t changed — the agency that enforces them has simply become less aggressive.

State AGs enforcing CFPA Title X are applying those same standards. Your UDAAP product review documentation isn’t for the CFPB anymore — it’s for your bank partner’s examiner, for any state AG that subpoenas your compliance records, and for you.

For your consumer complaint management program, the complaint data you’re generating is still being used as evidence of consumer harm by state enforcement agencies. Patterns of unresolved complaints suggesting unfair treatment are exactly the factual predicates state AGs look for when deciding which companies to investigate.

So What?

The CFPB under the current administration has made a deliberate choice to reduce its own enforcement capacity. That doesn’t make consumer protection compliance optional.

Three things to do:

1. Maintain your CMS infrastructure. Bank partners, OCC/FDIC examiners, and state AGs are all still evaluating your consumer compliance program. The documentation you’d need for a CFPB exam is the same documentation you need for a state AG civil investigative demand.

2. Know your state exposure. If you have significant operations or customer bases in California, New York, Illinois, or other states with active AG offices, treat those state enforcement programs as your primary regulatory risk. Review what Section 1042 enforcement has targeted historically and whether your products have features that have drawn state-level scrutiny.

3. Don’t reduce servicemember compliance. MLA enforcement has continued actively and has bipartisan support. If you offer credit products to military personnel, treat this as full enforcement posture — because it is.

For compliance teams tracking the regulatory environment, the Regulatory Change Management framework is useful here: document what’s changed, track what’s still uncertain (particularly the Section 1042 scope litigation), and maintain the program infrastructure that covers the enforcement pathways that remain active.

The CFPB got quieter. The compliance obligation didn’t.


Frequently Asked Questions

What happened to the CFPB under the Trump administration in 2025?

President Trump fired CFPB Director Rohit Chopra on February 1, 2025. OMB Director Russell Vought was named acting director and ordered the agency to cease supervision and examination activity, suspend proposed rules, and stop new investigations. The CFPB withdrew nearly 70 guidance documents, dismissed over 40 enforcement actions including cases against Apple, US Bank, Regions Bank, PayPal, and Google Payment, and the White House proposed cutting staff from 1,689 to 207 employees (courts have blocked the mass layoffs).

Does UDAAP compliance still matter if the CFPB is pulling back?

Yes, for three reasons. First, state attorneys general have significantly increased enforcement under Dodd-Frank Section 1042, which authorizes states to enforce federal consumer financial laws. Second, bank partner OCC and FDIC examiners still conduct their own consumer compliance reviews that include UDAAP evaluation. Third, the CFPB could reinstate enforcement priorities at any future administration change — programs dismantled now are expensive to rebuild.

What is the CFPB still actively enforcing in 2025 and 2026?

Military Lending Act (MLA) protections have been explicitly identified as a Trump CFPB enforcement priority. The bureau reached MLA settlements with MoneyLion (November 2025) and FirstCash (July 2025) and has continued active MLA litigation. Servicemember financial protections broadly remain the most active enforcement area. The CFPB's chief legal officer identified 11 enumerated priorities, with servicemember protection as a top-listed item.

What is Dodd-Frank Section 1042 and why does it matter now?

Section 1042 of the Consumer Financial Protection Act authorizes state attorneys general and state regulators to bring civil actions to enforce federal consumer financial laws, including UDAAP standards. Approximately 50 Section 1042 actions have been filed historically, with 23 states participating. As the CFPB has pulled back, states including California, New York, and others have positioned Section 1042 as their primary tool for consumer finance enforcement — meaning fintechs face a more fragmented but still active enforcement landscape.

What should fintechs do now given the CFPB's reduced enforcement posture?

Three practical steps: (1) Don't dismantle consumer compliance infrastructure — bank partners still require it and state AGs are watching. (2) Understand your state-specific exposure — California and New York are active enforcers regardless of federal posture. (3) Monitor servicemember compliance specifically — it remains a Trump CFPB priority and has bipartisan enforcement history across administrations.

What consumer protection rules or guidance did the CFPB withdraw under the Trump administration?

The CFPB withdrew nearly 70 guidance documents, with the majority of the rescissions targeting guidance issued under Director Chopra. The bureau also rescinded its May 2022 interpretive rule on the scope of state enforcement under Section 1042 (effective May 15, 2025), narrowing its interpretation so states can only enforce CFPA Title X rather than all 18 enumerated federal consumer financial laws. Additionally, a Trump-signed congressional resolution voided the CFPB's large nonbank supervision rule.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.