BNPL Compliance After the CFPB Rule Rescission: What You Still Owe Consumers
When the CFPB rescinded its BNPL interpretive rule in May 2025, some compliance teams treated it as a green light. Rules pulled, enforcement deprioritized, time to relax.
That’s the wrong read.
The US BNPL market hit approximately $107 billion in 2025 — and 41% of users report missing at least one payment. That combination of scale and consumer harm data doesn’t go unnoticed. The federal regulatory pullback created a vacuum. State attorneys general and state legislatures are filling it. New York already enacted first-of-its-kind BNPL licensing legislation. Seven state AGs sent simultaneous information requests to the six largest BNPL providers. And state UDAP statutes — which don’t require federal agency action to enforce — apply whether or not the CFPB has a rule on the books.
The compliance risk for BNPL hasn’t decreased. It’s fragmented and multiplied.
TL;DR:
- The CFPB rescinded its May 2024 BNPL interpretive rule on May 12, 2025, and confirmed it won’t issue a revised rule
- TILA still applies to BNPL products with finance charges or 4+ installments; UDAP obligations never went away
- New York’s BNPL Consumer Protection Act (signed May 2025) requires NYDFS licensing, caps interest at 16%, and mandates disclosure at three stages
- Seven state AGs are simultaneously investigating Affirm, Afterpay, Klarna, PayPal, Sezzle, and Zip (information requests sent December 2025)
- Sezzle paid $300K in fines and refunds; Afterpay paid ~$1M; Affirm paid $2.25M to Massachusetts for unlicensed servicing
What the CFPB’s BNPL Rule Actually Said (And Why It Was Rescinded)
In May 2024, the CFPB issued an interpretive rule that classified certain BNPL products as “credit cards” under the Truth in Lending Act and Regulation Z. Specifically, the rule covered BNPL products accessed via “digital user accounts” — apps, browser extensions, or merchant integrations — used to make consumer purchases.
Under the rule, BNPL providers would have been treated as “card issuers” required to extend the full consumer protection architecture of Reg Z’s open-end credit provisions: account-opening disclosures, billing statements, change-in-terms notices, dispute rights, billing dispute procedures, and crediting of returns.
The rule was broad. It generated significant industry pushback.
On March 26, 2025, the CFPB announced in a court filing that it intended to revoke the rule. On May 12, 2025, the rescission was published in the Federal Register as part of a withdrawal of 67 guidance documents. In June 2025, the CFPB confirmed it will not issue a revised BNPL rule.
The stated rationale: the interpretive rule was procedurally defective, and it applied open-end credit regulations to products that are structurally closed-end installment loans. Pay-in-4 BNPL products — zero interest, four equal payments, no finance charge — don’t map cleanly to credit card regulatory frameworks built for revolving lines with indefinite terms.
That’s the federal picture. It’s not the whole picture.
What Still Applies: The Compliance Obligations That Never Required the CFPB’s Rule
TILA/Regulation Z: The Baseline Analysis
The CFPB’s interpretation was that BNPL digital accounts = credit cards. That interpretation is gone. But TILA’s underlying statutory triggers still apply independently:
TILA covers consumer credit that either (a) carries a finance charge, or (b) is payable by written agreement in more than four installments. Classic pay-in-4 BNPL — zero fees, zero interest, exactly four payments — is specifically designed to avoid both triggers.
But not all BNPL is pay-in-4.
| BNPL Product Type | TILA Applicability |
|---|---|
| Pay-in-4, no fees, no interest | Generally outside TILA |
| Pay-in-4 with late fees that qualify as finance charges | May trigger TILA |
| Longer-term installments (6, 12, 24 months) | Likely triggers TILA |
| Interest-bearing BNPL | Triggers TILA |
| Deferred interest products | Triggers TILA |
If your product charges late fees, the question is whether those fees constitute a “finance charge” under TILA. Under 12 CFR 1026.4, a finance charge includes fees imposed as a condition of credit. Late fees that are imposed as a penalty for missed payment may not qualify — but the analysis matters, and it needs to be documented.
Courts are also free to consider the 2024 interpretive rule’s reasoning in private TILA litigation even after rescission. Plaintiff attorneys may pursue TILA arguments against BNPL providers in class actions independent of CFPB enforcement posture.
Federal UDAP: FTC Act Section 5
The FTC has jurisdiction over most non-bank BNPL providers under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. This authority existed before the CFPB’s BNPL rule and persists after its rescission.
BNPL practices that carry FTC UDAP risk include:
- Deceptive fee disclosures: marketing products as “free” or “no interest” while charging fees consumers don’t expect
- Inadequate dispute procedures: failing to resolve consumer disputes about charges or returns in a reasonable timeframe
- Credit reporting practices: reporting BNPL payments to credit bureaus in ways consumers weren’t clearly told about at origination
- Debt collection practices: using collection practices that are deceptive or abusive
The FTC has obtained and published complaint data on BNPL providers including Klarna. The existence of a complaint volume doesn’t create automatic liability — but the FTC uses complaint data to identify enforcement priorities.
CFPB UDAAP: Section 1031 of the CFPA
For non-bank financial companies above the CFPB’s supervisory threshold, CFPB UDAAP authority under Section 1031 of the Consumer Financial Protection Act still applies independently of any specific rule. UDAAP prohibits unfair, deceptive, or abusive acts or practices.
The CFPB’s retreat from BNPL-specific rulemaking doesn’t mean UDAAP doesn’t apply to BNPL companies. It means the CFPB is choosing not to prioritize BNPL enforcement under the current administration. That’s a posture that can change.
ECOA and Fair Lending
If your BNPL product makes credit decisions using algorithmic models, ECOA and Reg B apply to the extent the product constitutes the extension of credit. Adverse action notice requirements, fair lending analysis, and disparate impact testing obligations don’t disappear because the CFPB’s BNPL rule was rescinded.
The State-Level Compliance Landscape: Where the Real Risk Is Now
New York BNPL Consumer Protection Act
New York Governor Hochul signed the BNPL Consumer Protection Act on May 9, 2025 — the first state licensing law specifically targeting BNPL providers in the US.
Key requirements:
Licensing: All BNPL lenders must obtain a license from the New York State Department of Financial Services. The requirement extends to platform operators and entities that acquire BNPL loans after origination, not just originators. Federally chartered depository institutions are exempt. A BNPL loan made without the required license may be void and uncollectible.
Interest rate cap: 16% on BNPL products.
Fee limits: Fees for violating loan terms (including late payment) are capped at $8.
Three-stage disclosure requirements:
- Pre-transaction: Terms of the BNPL loan — interest, fees, repayment schedule, billing dispute procedures, credit reporting practices
- Post-transaction: Confirmation disclosures
- Periodic statements: Ongoing billing statements consistent with applicable federal regulations
Consumer rights: Dispute and unauthorized use rights equivalent to TILA credit card protections
Effective date: 180 days after NYDFS publishes a Notice of Adoption of final rules. NYDFS issued draft proposed rules on February 23, 2026.
If you’re serving New York consumers and you’re not tracking NYDFS’s rulemaking timeline, you’re behind.
Seven-State AG Coalition: December 2025
In December 2025, attorneys general from California, Colorado, Connecticut, Illinois, Minnesota, North Carolina, and Wisconsin sent coordinated information requests to Affirm, Afterpay, Klarna, PayPal, Sezzle, and Zip.
The inquiry targeted:
- Consumer dispute procedures and resolution rates
- Ability-to-repay evaluation processes
- Credit reporting practices
- Delinquency and default analyses
- User agreements and disclosure quality
Connecticut AG William Tong and North Carolina AG Jeff Jackson are leading the coalition. The explicit framing of the inquiry references TILA/Regulation Z compliance even in the absence of the CFPB rule — meaning state AGs are prepared to argue TILA applies to BNPL products under existing statutory authority, independent of the rescinded interpretation.
State-by-State UDAP Exposure
Every state has a UDAP statute. These laws don’t require federal regulatory action to enforce. Common BNPL practices that draw state AG UDAP scrutiny:
- Insufficient disclosure of late fees and their impact
- Vague or buried dispute resolution procedures
- Automatic credit reporting enrollment without clear consumer notice
- Marketing language that understates total cost
Real Enforcement Actions: The Stakes Are Established
Before anyone argues that BNPL enforcement is theoretical, three real enforcement actions establish that regulators have been willing to act:
Affirm — Massachusetts (2020): The Massachusetts Division of Banks required Affirm to pay $2.25 million after determining that Affirm had been servicing small loans in Massachusetts without the required small loan company license. The company agreed to the civil money penalty and to obtain the appropriate license. This predates the CFPB interpretive rule entirely — it was a state licensing enforcement action under existing state law.
Afterpay — State enforcement: Afterpay agreed to pay approximately $1 million in fines and loan refunds following state regulatory inquiries into consumer protection practices.
Sezzle — State enforcement: Sezzle agreed to pay $300,000 in fines and loan refunds in connection with state regulatory actions.
None of these required the CFPB’s interpretive rule. All of them came from state regulators applying existing state consumer protection and licensing law.
The pattern is clear: state licensing failures and consumer harm practices create real monetary risk for BNPL providers, regardless of what the CFPB is or isn’t doing.
The TILA Litigation Wildcard
The rescission eliminated the CFPB’s regulatory interpretation — not the statutory text of TILA. Courts evaluating TILA claims against BNPL providers can consider the 2024 interpretive rule’s analysis as persuasive authority even after rescission. Plaintiff attorneys in class actions are not bound by the CFPB’s enforcement posture.
The specific litigation risk: class actions arguing that BNPL digital accounts constitute “credit cards” under TILA’s statutory language, and that providers who failed to provide billing statements, dispute rights, or proper disclosures violated the statute. The CFPB’s reasoning — even in a rescinded guidance document — may be cited in these cases.
This isn’t speculative. The same legal argument that the CFPB made in the interpretive rule can be made in federal court by private plaintiffs.
What BNPL Compliance Programs Need Right Now
Step 1: Map your product against TILA’s statutory triggers. Document whether your product carries a finance charge or is payable in more than four installments. If the answer to either is yes, Reg Z applies regardless of what the CFPB says. Get a clean legal memo on file.
Step 2: State licensing audit. Every state where you originate or service BNPL loans needs a licensing assessment. The Affirm Massachusetts action was $2.25M for exactly this gap. Many states require small loan, consumer lending, or money transmitter licenses for BNPL activity. Don’t assume that prior analysis from 2021 or 2022 reflects current state law.
Step 3: New York NYDFS monitoring. If you serve New York consumers, track NYDFS’s BNPL rulemaking timeline. The draft rules were published February 23, 2026. The licensing requirement becomes effective 180 days after the Notice of Adoption. Submit your NYDFS license application ahead of the effective date.
Step 4: Disclosure and dispute review. Regardless of TILA applicability, your disclosures need to be clear, conspicuous, and accurate. State UDAP laws prohibit deceptive practices — and “deceptive” is measured by what the reasonable consumer would understand, not by whether you technically disclosed it somewhere. Review your disclosure stack: pre-transaction, post-transaction, periodic statements, and late fee notices.
Step 5: Ability-to-repay documentation. The state AG coalition specifically asked for ability-to-repay evaluation processes. If you don’t have one, build one. If you have one but it’s not documented, document it. This is a central focus of state-level BNPL scrutiny.
Step 6: Complaint management program. Your consumer complaint intake, investigation, and resolution process needs to be documented and defensible. State AGs and the CFPB both look at complaint data as a leading indicator of systemic consumer harm. A high complaint volume with poor resolution rates is an enforcement target.
For tracking BNPL exam and regulatory findings as they come in from state agencies and AG actions, the Issues Management Tracker provides a structured remediation system with root cause analysis and escalation workflows.
So What? The Federal Vacuum Isn’t the Story
The story isn’t that the CFPB’s BNPL rule was rescinded. The story is that the CFPB created an enormous regulatory focus on BNPL consumer protection, published complaint data, issued market analyses, and then stepped back — leaving state regulators with a detailed roadmap of the industry’s consumer harm patterns and the motivation to act on it.
State AGs have the data. They have the legal authority. They have the political motivation. And they’ve already demonstrated willingness to coordinate across seven states simultaneously.
BNPL compliance isn’t simpler post-rescission. It’s more complex and more distributed. The federal rule would have been one compliance standard. What you have now is 50 states’ worth of UDAP exposure, a New York licensing regime that’s actively being built out, and a coalition of AGs who have already put their questions in writing.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.