Crypto Complaint Handling: Preparing Your Platform for CFPB Scrutiny

April 19, 2026 Rebecca Leung
TL;DR:

  • CFPB received 8,300+ crypto complaints through 2022; 63% were fraud/scams by September 2022 — complaint volume has kept rising even as federal oversight pulled back
  • CFPB withdrew its Reg E extension for crypto in May 2025, but state AG enforcement is accelerating to fill the gap
  • Massachusetts AG sued Bitcoin Depot (March 2026) after finding 80%+ of high-value customers were scam victims — complaint handling failures were central to the case
  • GENIUS Act creates new consumer disclosure and redemption requirements but lacks explicit fraud restitution provisions — state law fills that gap, and state AGs know it

The CFPB retreated from crypto. The Reg E extension proposal — the one that would have applied Electronic Fund Transfer Act protections to stablecoins and digital wallets — got quietly shelved in May 2025. If you’re reading that as a green light to deprioritize your complaint handling program, you’re reading the wrong enforcement signals.

State attorneys general are filling the CFPB’s gap at a pace that should concern every crypto compliance team. The Bitcoin Depot lawsuit — filed by the Massachusetts AG in early 2026 — is the most concrete preview of what complaint handling failures look like when regulators decide to act. And the GENIUS Act, for all its gaps, has put stablecoin issuers specifically on notice that consumer-facing obligations are coming whether the federal government leads or not.

The Complaint Data You Can’t Ignore

In November 2022, the CFPB published its Complaint Bulletin analyzing crypto-asset consumer complaints. The numbers were stark: the agency had received more than 8,300 crypto complaints between October 2018 and September 2022, with the majority arriving in just the final two years of that period. By September 2022, fraud and scams accounted for 63% of all crypto-related complaints — up from roughly 40% over the full historical period.

The most common complaint types:

  • Fraud, theft, and scams: Consumers losing funds to “pig butchering” schemes, fake investment platforms, and social engineering attacks. Scammers spent weeks or months building trust before directing victims to create crypto accounts and transfer funds.
  • Transaction execution failures: Consumers unable to execute transfers, swaps, or withdrawals — often at critical moments during market volatility.
  • Account access problems: Platforms freezing accounts for identity verification, security holds, or technical failures — sometimes trapping funds during sharp price moves.
  • Failure to reverse unauthorized transactions: Unlike credit card disputes, most crypto platforms had no error resolution process and explicitly disclaimed any obligation to reverse transactions.

That last category is where enforcement risk concentrates. “Crypto transactions are irreversible” has been the industry’s answer to fraud complaints for years. Regulators are starting to reject it as a complete answer.

Federal Retreat, State AG Acceleration

The CFPB under the current administration has significantly pulled back from aggressive crypto oversight. The proposed interpretive rule extending Regulation E to digital payment mechanisms — including stablecoins and crypto wallets — was formally withdrawn on May 15, 2025. The Bureau has also reduced its supervisory focus on crypto-adjacent fintechs.

But the enforcement vacuum isn’t staying empty.

State attorneys general have moved into the space using existing consumer protection statutes — unfair, deceptive, or abusive acts and practices (UDAAP) equivalents at the state level — to pursue crypto platforms that fail consumers. These actions don’t require new rulemaking. They use existing authority that was always there.

The FTC is also in the mix. Under Section 5 of the FTC Act, the Commission has authority over unfair or deceptive practices regardless of industry sector. The FTC has signaled that crypto fraud targeting vulnerable populations will remain a priority — and the FTC’s authority to pursue deceptive marketing of crypto products is not diminished by the CFPB’s retreat.

For compliance officers assessing enforcement risk: the CFPB’s quiet period is not a safe harbor. State AG actions don’t require federal rulemaking, and they can access the same consumer protection theories that the CFPB would use.

For a deeper look at state AG enforcement patterns in crypto, see UDAAP in Crypto: Why State Attorneys General Are Your New Enforcement Risk.

The Bitcoin Depot Case: What Complaint Handling Failure Looks Like

In March 2026, Massachusetts Attorney General Andrea Campbell sued Bitcoin Depot — one of the largest Bitcoin ATM operators in the country — in Suffolk County Superior Court. The AG’s core allegation: Bitcoin Depot failed to implement proper fraud prevention mechanisms and failed to provide remedies to scam victims.

The facts were damaging. The AG’s office reviewed customers who had spent $10,000 or more at Bitcoin Depot kiosks between August 2023 and January 2025. More than 80% of them were scam victims. The company allegedly knew patterns of fraudulent transactions were occurring — and did not act to stop them or remediate harmed consumers.

Maine reached a separate settlement with Bitcoin Depot before the Massachusetts suit was filed — approximately $2 million. Maine has also enacted first-in-the-nation protections specifically targeting crypto ATM operators, including transaction limits, licensing requirements, and mandatory refunds for fraud victims.

What the Bitcoin Depot case establishes for the broader industry:

  1. Volume-based liability: If your platform processes enough transactions where fraud patterns are visible in the data, “we don’t review individual transactions” is not a defense.
  2. Complaint handling as evidence: The AG’s case is, in part, about what the company knew from complaints and what it did — or didn’t do — with that information.
  3. Remediation obligation: “Irreversible blockchain transactions” doesn’t end the inquiry. Regulators are asking whether the company failed to act at a point where intervention was still possible.

What the GENIUS Act Does (and Doesn’t) Require

The GENIUS Act, signed into law in 2025, establishes the first comprehensive federal framework for payment stablecoin issuers. Its consumer-facing requirements include:

  • Redemption policy: Issuers must maintain a publicly disclosed redemption policy with clear procedures for timely redemption of outstanding stablecoins.
  • Fee disclosure: All fees associated with purchasing or redeeming stablecoins must be publicly and clearly disclosed in plain language. Fee changes require at least seven days’ advance notice to consumers.
  • State consumer protection law preservation: The Act explicitly does not preempt state consumer protection laws or the remedies available under them.

What the GENIUS Act conspicuously does not require:

  • An explicit error resolution or dispute process comparable to Reg E
  • Fraud restitution obligations
  • A complaint intake and response timeline

As New York prosecutors have publicly argued, the Act’s silence on restitution means issuers can potentially retain reserves tied to assets stolen from consumers without obligation to remediate. That argument hasn’t been tested in court yet — but it signals how enforcement agencies will frame future cases.

For stablecoin issuers specifically, the GENIUS Act’s requirements are a compliance floor, not a ceiling. State law fills the gaps — and the state law that applies is whatever state your customers are in, not where you’re incorporated.

For a fuller analysis of the GENIUS Act’s compliance requirements, see Reg E Is Coming to Crypto: Your Roadmap to EFTA Compliance.

Building Your Crypto Complaint Handling Program

The CFPB’s Consumer Response process — outlined in the CFPB Examination Manual — is the most useful framework for what a defensible complaint program looks like, even if you’re not currently subject to CFPB examination. What the CFPB would examine for is what state AGs use to assess whether your consumer protection was adequate.

Intake and Logging

You need a dedicated complaint intake channel — not just a customer service email that mixes complaints with support tickets. Options include:

  • Dedicated web form with required fields for contact info, issue type, dates, and amounts involved
  • Designated email alias routed to a compliance-monitored queue
  • Phone line with complaint-specific intake protocol

Every complaint should be logged at receipt with: date received, channel, consumer contact information, product/service type, issue category, amount involved (if applicable), and assigned owner.

Issue Classification

Crypto complaints fall into roughly six categories, and how you classify them determines your escalation path:

| Category | Examples | Escalation Priority |
|---|---|---|
| Fraud/Scam | Pig butchering, fake platforms, romance scams | Immediate — potential for asset freezing action |
| Unauthorized Transaction | Account compromise, credential theft | High — Reg E analog; fraud team review |
| Transaction Error | Failed transfers, incorrect amounts, fee disputes | Standard — 30-day resolution target |
| Account Access | Identity verification holds, security freezes | Standard with expedite for hardship |
| Platform Failure | Outage during transaction, lost funds | Standard — may have refund obligation |
| Disclosure Complaint | Fee disputes, undisclosed terms | Standard — document thoroughly |

Fraud and scam complaints require a separate escalation path that goes beyond complaint resolution. If a customer was victimized, that transaction may still be reversible depending on when you act, what blockchain it occurred on, and whether counterparty platforms will cooperate. Your fraud team needs to own this — compliance tracks it, fraud investigates.

Response Timeline

The CFPB expects 30-day initial resolution with 45-day extension available for complex complaints. Even without CFPB jurisdiction over your platform, 30 days is the industry standard that state AGs will benchmark against. For fraud-related complaints, your first contact should occur within 48–72 hours — both because urgent intervention may still be possible and because delayed response is a fact pattern state AGs document.

Root Cause Analysis and Trend Reporting

This is the component most crypto platforms skip — and the one that distinguishes a complaint system from a complaint log.

If 30% of your fraud complaints in a quarter involve the same transaction pattern, that’s a control gap you’re required to identify and close. The Bitcoin Depot enforcement case is partly a story about a company that had visible fraud patterns in its transaction data and complaint records — and didn’t act on them.

Monthly complaint trend reports should capture:

  • Total complaint volume by category
  • Resolution rate and mean time to resolution
  • Unresolved complaints aging past 30 days
  • Recurring patterns requiring root cause investigation
  • Escalated complaints with regulatory notification implications

Quarterly, that data should go to your risk committee or compliance committee. If you have a bank sponsor, it will almost certainly go to them too — bank partners routinely require complaint reporting as part of ongoing oversight.

Regulatory Notification Triggers

Some complaints trigger notification obligations beyond just responding to the consumer:

  • CFPB Consumer Response Portal: If your platform is registered (or becomes registered) with the CFPB’s complaint database, portal complaints have defined response timelines.
  • State AG notification: Some state consumer protection laws require notification when you identify a pattern of fraud affecting residents. Check applicable state laws for your customer base.
  • Bank Sponsor Notification: If you have a sponsor bank, your banking agreement almost certainly requires prompt notification of significant consumer complaints, fraud patterns, or regulatory inquiries.
  • SAR Filing: Complaints that reveal fraud may independently trigger Bank Secrecy Act Suspicious Activity Report filing obligations through your BSA/AML program.

What CFPB Examiners Look For (Even If They’re Not Examining You Now)

The CFPB Examination Manual’s consumer complaint management module looks for:

  1. Written policy: Does a documented complaint management policy exist? Who is responsible?
  2. Intake process: Can the company demonstrate it captures and categorizes complaints consistently?
  3. Response process: What is the response timeline? Is it met?
  4. Root cause process: Does the company analyze complaint trends to identify systemic issues?
  5. Board/management reporting: Are complaint trends reported to management regularly?
  6. Employee training: Are frontline employees trained to identify and route complaints correctly?

Most crypto platforms can answer “yes” to item 2 (“we have a support ticket system”) and struggle with items 4, 5, and 6. That’s the exam gap pattern. A complaint system that logs but doesn’t analyze is a compliance liability, not a compliance program.

For the complaint tracking and issues management infrastructure that makes a defensible program, see Consumer Complaint Management Program: What the CFPB Exam Manual Requires.

So What?

The enforcement pattern for crypto consumer protection is clear: the federal government is retreating, states are accelerating, and the complaint record is exhibit A in every state AG case. Building a defensible complaint program isn’t about anticipating imminent CFPB examination — it’s about being able to demonstrate, when a state AG comes calling, that you knew what was happening to your customers and had a systematic process to respond.

The Issues Management Tracker is a practical starting point for complaint tracking and remediation documentation — with root cause analysis templates, management reporting, and the escalation structure a bank partner or state AG will expect to see.

Frequently Asked Questions

Does the CFPB have jurisdiction over crypto platforms for complaint handling?

It depends on the activity. The CFPB has supervisory authority over 'larger participants' in consumer financial products and services markets. It also has enforcement authority under UDAAP provisions regardless of whether a company is federally chartered. The agency has pulled back from proactive crypto rulemaking under the current administration, but it retains existing authority — and state AGs are filling the enforcement gap aggressively.

What complaint volume and complaint types should crypto platforms expect?

The CFPB's 2022 Complaint Bulletin documented 8,300+ crypto complaints between October 2018 and September 2022, with fraud and scams representing 63% of all complaints by September 2022. Common categories include: scam-related fund loss, transaction execution failures, account access problems (identity verification holds, security freezes), and failure to reverse fraudulent transactions.

What did the Bitcoin Depot lawsuit reveal about complaint handling obligations?

The Massachusetts AG's March 2026 suit against Bitcoin Depot alleged that the company failed to implement proper fraud prevention and remedies. The AG's office found that 80%+ of customers who spent $10,000+ at Bitcoin Depot kiosks between August 2023 and January 2025 were scam victims. The case reveals that 'we don't refund crypto transactions' is not a compliant response — platforms have obligations to identify fraud patterns and take action.

Does the GENIUS Act create complaint handling requirements?

Partially. The GENIUS Act requires stablecoin issuers to maintain clear redemption policies with publicly disclosed procedures and fees, with fee changes requiring seven days' advance notice. It does not preempt state consumer protection laws. However, critics — including New York prosecutors — have noted that the Act lacks explicit fraud restitution requirements, leaving significant gaps in consumer protection for stablecoin holders.

What's the minimum complaint program a crypto platform should have?

At minimum: a dedicated intake channel (email, web form, or phone); a complaint log tracking receipt date, issue type, customer segment, resolution, and resolution time; a timely response process (30 days is the CFPB standard); root cause analysis for recurring complaint categories; escalation procedures for fraud-related complaints; and a quarterly management report. Bank partnerships require more — expect your sponsor bank to ask for complaint reporting metrics.

Are crypto kiosk operators (Bitcoin ATMs) treated differently than exchanges for compliance purposes?

They face similar consumer protection obligations and potentially heightened scrutiny given higher fraud prevalence at kiosks. Massachusetts, Maine, and other states have pursued kiosk operators specifically. Several states have enacted or are considering transaction limits, mandatory fraud warnings, licensing requirements, and mandatory refunds for verified fraud victims. Exchange platforms face similar pressure but through different enforcement vectors.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
