Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Breaking Regulatory Compliance

CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance

The CFPB published its new Enforcement Principles on June 22, 2026 — a four-pillar framework that explicitly narrows when the Bureau will pursue formal action. The Bilt case, resolved without penalties the same week, is the first real-world example of what those principles look like applied.

Table of Contents

TL;DR

  • CFPB published its new Enforcement Principles on June 22, 2026 — four pillars built around actual harm, due process, collaboration, and efficiency
  • The Bureau will not pursue enforcement where consumers suffered only theoretical or speculative harm, or “simply made unwise decisions”
  • The Bilt co-branded card transition case resolved the same week with consumer reimbursement and no civil penalty — the first live example of the principles in action
  • State AGs in New York, California, and Texas are actively backfilling the federal enforcement contraction — federal moderation is not the end of the enforcement story

The week the CFPB published its new Enforcement Principles, it also resolved its first case under them. Bilt Technologies, a fintech best known for letting renters earn credit card rewards on rent payments, had a problem: when Wells Fargo exited the co-branded card partnership, roughly 500 customers landed in a gap — they incurred overdraft fees, late fees, and NSF fees in the transition. The CFPB found it through supervision. What happened next is the clearest signal you’ll get about how the current Bureau intends to operate.

No formal enforcement action. No civil money penalty. The CFPB worked with Bilt to identify the affected customers and make them whole. The resolution was described as a direct application of the collaboration and actual harm principles published the same week. If you’re trying to understand what the Bureau’s new enforcement posture actually means for your compliance program, that case is the one to study.

The Four Pillars

The Enforcement Principles organize the CFPB’s enforcement discretion into four pillars. None of them create new legal obligations — they describe how the Bureau will exercise its existing authority.

1. Addressing Actual Harm

The Bureau will focus enforcement on conduct that causes real, concrete harm to consumers. The principles explicitly exclude enforcement for “theoretical or highly speculative harm” and cases where consumers “simply made unwise decisions.” The signal here is a departure from enforcement theories that treated potential harm or structural risk as sufficient — the current Bureau wants demonstrable consumer injury.

For compliance teams, this means that disclosures that were technically compliant but arguably confusing, practices that created theoretical UDAAP risk without clear consumer impact, and speculative unfairness theories are significantly less likely to attract enforcement action. It does not mean that actual harm — fee errors, miscalculated interest, servicing failures that produce concrete consumer losses — has become acceptable.

2. Due Process

The Bureau commits to enforcing against conduct that violates clear, established legal standards — and specifically commits to not using enforcement as a mechanism to advance novel legal interpretations. If the Bureau wants to develop new legal theory, it will do so through rulemaking or guidance, not enforcement.

This is a meaningful protection for institutions caught on the margins of evolving standards. The prior approach occasionally used enforcement to establish legal positions that hadn’t been tested in courts or articulated in regulation. Under the current framework, the Bureau is making an explicit commitment not to do that. Whether that commitment holds through future leadership changes is a separate question.

3. Collaboration

The Bureau’s third pillar is about process, not substance. It commits the CFPB to resolving issues cooperatively with institutions where possible — the principle is that “not all situations require an adversarial process.” Self-reporting explicitly matters: the principles state that institutions won’t be “unnecessarily punished for their candor.”

The Bilt case is a live demonstration of this. Supervisory examination identified a consumer harm. The CFPB worked with the institution to remediate. No formal action. That playbook — find it, fix it, document the remediation — is now explicitly the outcome the Bureau is trying to encourage.

4. Efficiency

The fourth pillar is about deduplication. The Bureau will avoid redundant enforcement when states or other federal regulators are already addressing the same conduct. It’s an acknowledgment that the patchwork of federal and state consumer financial enforcement creates overlapping jurisdiction — and a commitment not to pile on.

The Bilt Case as a Compliance Blueprint

The Bilt resolution deserves more attention than it has gotten, because it’s not just a case study — it’s a template.

The facts: Bilt had a co-branded card through Wells Fargo. When the partnership ended and Wells Fargo exited, approximately 500 customers fell into a service gap during the transition. They incurred fees — overdraft, late payment, NSF — that resulted from the transition, not from their own payment behavior. The CFPB identified the issue during supervision.

The outcome: Bilt worked with the Bureau to identify and reimburse all affected consumers. No enforcement action was filed. No civil money penalty.

What this tells compliance teams:

Supervisory responsiveness matters. The CFPB found this through examination, not consumer complaints. The institution’s response to supervisory inquiry — cooperative, corrective, consumer-focused — is what drove the outcome. An institution that disputed the finding, delayed remediation, or minimized the scope of harm would not have gotten the same result.

Documentation of harm and remediation is the deliverable. The resolution required Bilt to identify the affected population, calculate the fees that shouldn’t have been charged, and return the money. That requires robust record-keeping on fee assessment and a remediation workflow that can execute precisely. If you can’t identify who was harmed and by how much, you can’t demonstrate the remediation.

Scale matters. Five hundred customers with relatively small fee amounts is a tractable remediation scope. The same facts at 50,000 customers with contested fee categorization would look different. Consumer harm that’s wide in scope or difficult to remediate accurately creates compounding risk even under a collaborative enforcement framework.

What the Principles Don’t Change

The new Enforcement Principles represent a real moderation of federal consumer financial enforcement. They are not a withdrawal from consumer protection.

Several areas remain unchanged:

UDAAP substantive standards. The unfair, deceptive, or abusive acts or practices standards haven’t changed. What’s changed is the Bureau’s threshold for bringing enforcement actions under those standards. An act that causes actual consumer harm, uses deception to obtain customer consent, or takes unreasonable advantage of a consumer’s lack of understanding is still clearly within enforcement scope. The shift is at the margins — the speculative and theoretical zone.

Fee transparency and disclosure obligations. The Bureau is still actively examining fee structures, junk fee practices, and disclosure adequacy. The CFPB’s fee scrutiny hasn’t softened; the enforcement theory around it has narrowed to cases with clear consumer injury.

Mortgage, student loan, and credit reporting obligations. These are areas where the statutory framework is explicit, existing consent orders are ongoing, and examiner activity continues. The new principles don’t create special protection in heavily regulated product categories.

Fair lending. ECOA and fair lending obligations are federal law. The CFPB’s enforcement of fair lending hasn’t meaningfully contracted, and in several categories — algorithmic underwriting, appraisal bias, small business lending data — examination intensity has remained stable or increased.

The State Enforcement Gap-Fill

The part that’s missing from most analyses of the CFPB’s new posture is what’s happening at the state level.

Federal enforcement moderation creates a vacuum. State attorneys general fill it — and they’ve been moving quickly. New York, California, and Texas have each expanded consumer financial enforcement activity in the first half of 2026. The CFPB’s efficiency principle — deferring when states are already pursuing the same conduct — means state action is less likely to be preempted by a simultaneous federal action, which historically slowed state enforcement.

For any institution with material consumer presence in New York, California, or Texas, the practical implication is that your compliance exposure hasn’t shifted to the CFPB — it’s shifted toward state enforcement channels that have their own enforcement tools, their own investigative cadence, and their own theories of harm.

New York DFS has been particularly active in fintech oversight — payment apps, digital lending, and virtual currency licensees are all subject to active supervisory programs that haven’t softened. California’s DFPI has expanded its coverage of embedded finance, earned wage access, and digital payment platforms. Texas operates differently structurally, but the AG’s consumer protection division has been pursuing financial services enforcement in areas that overlap with CFPB authority.

The compliance deadline calendar for the second half of 2026 includes the state-level enforcement developments worth tracking alongside federal timelines.

What to Actually Do With This

Three specific adjustments for compliance teams responding to the CFPB’s new posture:

Formalize your self-reporting protocol. The collaboration pillar explicitly rewards candor. That means your internal escalation process for identified compliance failures should have a clear decision point for self-reporting to the CFPB — criteria for when to self-report, a process for preparing the disclosure, and documentation of the decision. Ad hoc decisions about whether and when to self-report expose you to the worst of both worlds: if you don’t self-report and the Bureau finds it independently, you’ve lost the credit the principles promise.

Build your state AG monitoring into your compliance calendar. Most compliance programs monitor federal regulators carefully and treat state AG actions as reactive. Given the enforcement environment, that needs to reverse. Active monitoring of New York DFS, California DFPI, and Texas AG enforcement actions — including settlement terms, consent order provisions, and examination findings — should be part of your regular compliance intelligence program.

Pressure-test your consumer harm remediation capabilities. The Bilt case hinges on the ability to identify the affected consumer population and remediate accurately. That requires the records and operational capacity to run remediation at scale on short notice. If a supervisory finding came in tomorrow identifying a fee error affecting a subset of your customer base, could you identify them precisely, calculate the correct amounts, and execute remediation — and document every step for the regulator? That capability is the difference between a Bilt outcome and a formal enforcement action.

The issues management workflow in the compliance program documentation covers how to structure internal escalation so issues identified in monitoring or examination are documented and tracked through to resolution.

The Bigger Picture

The CFPB’s Enforcement Principles represent a real shift in how the Bureau will exercise its authority under the current leadership. The Bilt case is a useful calibration point — consumer harm found through supervision, resolved cooperatively, with no formal action. That outcome is what the principles are designed to enable.

What they’re not designed to enable is a compliance program that assumes federal moderation equals reduced regulatory exposure. The state enforcement fill-in is real, it’s accelerating, and it doesn’t come with the same due process and collaboration commitments the CFPB has made. A compliance program that optimizes for the new federal posture but ignores the state enforcement environment has rebuilt the wrong thing.

The practical answer: keep your consumer harm controls strong, strengthen your remediation capabilities, build the self-reporting protocol, and expand your state monitoring. The compliance program that survives this enforcement environment is the one that would have been fine under the old one — and has now added the specific capabilities the new one rewards.

A Compliance Essentials Bundle covers the issues management tracking, policy documentation, and self-reporting workflow structures that make a compliance program functional under any enforcement posture — including the one where self-disclosure is explicitly rewarded.

What OCC and Federal Reserve examiners are asking about compliance programs in 2026 provides useful context for understanding how federal supervisory priorities are evolving alongside the CFPB’s enforcement posture shift.


Sources:

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What are the CFPB's new Enforcement Principles?
Published June 22, 2026, the CFPB's Enforcement Principles organize the Bureau's enforcement posture around four pillars: (1) addressing actual harm to consumers, not theoretical or speculative harm; (2) due process — no novel legal interpretations, no surprises; (3) collaboration — resolving issues cooperatively where possible; and (4) efficiency — avoiding duplicative enforcement with states or other federal regulators. The principles do not create new legal obligations but signal how the Bureau will exercise enforcement discretion.
What happened in the CFPB's Bilt case?
Bilt Technologies, a fintech that had issued a co-branded credit card through Wells Fargo, found itself with roughly 500 customers who incurred overdraft fees, late fees, and NSF fees during a rocky transition when Wells Fargo exited the partnership. The CFPB identified the issue through supervision and worked with Bilt to reimburse the affected consumers rather than pursuing a formal enforcement action. No civil money penalty was assessed. The resolution was cited as the first direct application of the new enforcement principles — specifically the collaboration and actual harm pillars.
Does the CFPB's shift away from theoretical harm mean less scrutiny for financial institutions?
Not necessarily. The 'actual harm' standard eliminates some of the speculative enforcement theories from prior years, but the Bureau is still fully active on matters involving concrete consumer injury. The bigger practical shift is the rise of state AG enforcement as the federal posture has contracted — New York, California, and Texas are all expanding consumer financial enforcement. Federal deregulation has compressed the top of the enforcement funnel, not removed it.
What does 'no novel interpretations' mean in practice under the CFPB's principles?
The CFPB committed to enforcing against conduct that violates clear, established legal standards — not using enforcement as a mechanism to develop new legal theories. For compliance teams, this means the risk of being caught in an aggressive first-wave enforcement action on emerging legal interpretations is reduced. However, it also means the Bureau is less likely to issue interpretive guidance proactively, which can create its own ambiguity.
How should compliance teams adjust to the CFPB's 2026 enforcement posture?
Three adjustments matter most: (1) self-reporting threshold — the principles explicitly note that candid self-disclosure reduces enforcement risk, so a clear internal escalation and self-reporting protocol is now more valuable; (2) state AG monitoring — enforcement is shifting downward, so your compliance calendar needs to track state-level actions, not just federal ones; (3) internal remediation documentation — the Bilt resolution shows that consumer harm remediated proactively gets credit. Document what you found, what you fixed, and when.
Does the CFPB's collaboration approach change how examiners conduct supervisory exams?
The principles apply to enforcement decisions, not examination procedures. Exams continue under standard supervisory protocols. Where collaboration matters is in the transition from examination to potential enforcement — the Bureau is signaling it will work with institutions to address issues found in supervision before escalating to formal action, as long as the institution is responsive and the harm is remediable. Institutions that respond adversarially to supervisory findings are less likely to benefit from the collaborative approach.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

● Don't wait for your own enforcement action

Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.

Compliance Essentials

Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.