Breaking Regulatory Compliance
CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance
The CFPB published its new Enforcement Principles on June 22, 2026 — a four-pillar framework that explicitly narrows when the Bureau will pursue formal action. The Bilt case, resolved without penalties the same week, is the first real-world example of what those principles look like applied.
Table of Contents
TL;DR
- CFPB published its new Enforcement Principles on June 22, 2026 — four pillars built around actual harm, due process, collaboration, and efficiency
- The Bureau will not pursue enforcement where consumers suffered only theoretical or speculative harm, or “simply made unwise decisions”
- The Bilt co-branded card transition case resolved the same week with consumer reimbursement and no civil penalty — the first live example of the principles in action
- State AGs in New York, California, and Texas are actively backfilling the federal enforcement contraction — federal moderation is not the end of the enforcement story
The week the CFPB published its new Enforcement Principles, it also resolved its first case under them. Bilt Technologies, a fintech best known for letting renters earn credit card rewards on rent payments, had a problem: when Wells Fargo exited the co-branded card partnership, roughly 500 customers landed in a gap — they incurred overdraft fees, late fees, and NSF fees in the transition. The CFPB found it through supervision. What happened next is the clearest signal you’ll get about how the current Bureau intends to operate.
No formal enforcement action. No civil money penalty. The CFPB worked with Bilt to identify the affected customers and make them whole. The resolution was described as a direct application of the collaboration and actual harm principles published the same week. If you’re trying to understand what the Bureau’s new enforcement posture actually means for your compliance program, that case is the one to study.
The Four Pillars
The Enforcement Principles organize the CFPB’s enforcement discretion into four pillars. None of them create new legal obligations — they describe how the Bureau will exercise its existing authority.
1. Addressing Actual Harm
The Bureau will focus enforcement on conduct that causes real, concrete harm to consumers. The principles explicitly exclude enforcement for “theoretical or highly speculative harm” and cases where consumers “simply made unwise decisions.” The signal here is a departure from enforcement theories that treated potential harm or structural risk as sufficient — the current Bureau wants demonstrable consumer injury.
For compliance teams, this means that disclosures that were technically compliant but arguably confusing, practices that created theoretical UDAAP risk without clear consumer impact, and speculative unfairness theories are significantly less likely to attract enforcement action. It does not mean that actual harm — fee errors, miscalculated interest, servicing failures that produce concrete consumer losses — has become acceptable.
2. Due Process
The Bureau commits to enforcing against conduct that violates clear, established legal standards — and specifically commits to not using enforcement as a mechanism to advance novel legal interpretations. If the Bureau wants to develop new legal theory, it will do so through rulemaking or guidance, not enforcement.
This is a meaningful protection for institutions caught on the margins of evolving standards. The prior approach occasionally used enforcement to establish legal positions that hadn’t been tested in courts or articulated in regulation. Under the current framework, the Bureau is making an explicit commitment not to do that. Whether that commitment holds through future leadership changes is a separate question.
3. Collaboration
The Bureau’s third pillar is about process, not substance. It commits the CFPB to resolving issues cooperatively with institutions where possible — the principle is that “not all situations require an adversarial process.” Self-reporting explicitly matters: the principles state that institutions won’t be “unnecessarily punished for their candor.”
The Bilt case is a live demonstration of this. Supervisory examination identified a consumer harm. The CFPB worked with the institution to remediate. No formal action. That playbook — find it, fix it, document the remediation — is now explicitly the outcome the Bureau is trying to encourage.
4. Efficiency
The fourth pillar is about deduplication. The Bureau will avoid redundant enforcement when states or other federal regulators are already addressing the same conduct. It’s an acknowledgment that the patchwork of federal and state consumer financial enforcement creates overlapping jurisdiction — and a commitment not to pile on.
The Bilt Case as a Compliance Blueprint
The Bilt resolution deserves more attention than it has gotten, because it’s not just a case study — it’s a template.
The facts: Bilt had a co-branded card through Wells Fargo. When the partnership ended and Wells Fargo exited, approximately 500 customers fell into a service gap during the transition. They incurred fees — overdraft, late payment, NSF — that resulted from the transition, not from their own payment behavior. The CFPB identified the issue during supervision.
The outcome: Bilt worked with the Bureau to identify and reimburse all affected consumers. No enforcement action was filed. No civil money penalty.
What this tells compliance teams:
Supervisory responsiveness matters. The CFPB found this through examination, not consumer complaints. The institution’s response to supervisory inquiry — cooperative, corrective, consumer-focused — is what drove the outcome. An institution that disputed the finding, delayed remediation, or minimized the scope of harm would not have gotten the same result.
Documentation of harm and remediation is the deliverable. The resolution required Bilt to identify the affected population, calculate the fees that shouldn’t have been charged, and return the money. That requires robust record-keeping on fee assessment and a remediation workflow that can execute precisely. If you can’t identify who was harmed and by how much, you can’t demonstrate the remediation.
Scale matters. Five hundred customers with relatively small fee amounts is a tractable remediation scope. The same facts at 50,000 customers with contested fee categorization would look different. Consumer harm that’s wide in scope or difficult to remediate accurately creates compounding risk even under a collaborative enforcement framework.
What the Principles Don’t Change
The new Enforcement Principles represent a real moderation of federal consumer financial enforcement. They are not a withdrawal from consumer protection.
Several areas remain unchanged:
UDAAP substantive standards. The unfair, deceptive, or abusive acts or practices standards haven’t changed. What’s changed is the Bureau’s threshold for bringing enforcement actions under those standards. An act that causes actual consumer harm, uses deception to obtain customer consent, or takes unreasonable advantage of a consumer’s lack of understanding is still clearly within enforcement scope. The shift is at the margins — the speculative and theoretical zone.
Fee transparency and disclosure obligations. The Bureau is still actively examining fee structures, junk fee practices, and disclosure adequacy. The CFPB’s fee scrutiny hasn’t softened; the enforcement theory around it has narrowed to cases with clear consumer injury.
Mortgage, student loan, and credit reporting obligations. These are areas where the statutory framework is explicit, existing consent orders are ongoing, and examiner activity continues. The new principles don’t create special protection in heavily regulated product categories.
Fair lending. ECOA and fair lending obligations are federal law. The CFPB’s enforcement of fair lending hasn’t meaningfully contracted, and in several categories — algorithmic underwriting, appraisal bias, small business lending data — examination intensity has remained stable or increased.
The State Enforcement Gap-Fill
The part that’s missing from most analyses of the CFPB’s new posture is what’s happening at the state level.
Federal enforcement moderation creates a vacuum. State attorneys general fill it — and they’ve been moving quickly. New York, California, and Texas have each expanded consumer financial enforcement activity in the first half of 2026. The CFPB’s efficiency principle — deferring when states are already pursuing the same conduct — means state action is less likely to be preempted by a simultaneous federal action, which historically slowed state enforcement.
For any institution with material consumer presence in New York, California, or Texas, the practical implication is that your compliance exposure hasn’t shifted to the CFPB — it’s shifted toward state enforcement channels that have their own enforcement tools, their own investigative cadence, and their own theories of harm.
New York DFS has been particularly active in fintech oversight — payment apps, digital lending, and virtual currency licensees are all subject to active supervisory programs that haven’t softened. California’s DFPI has expanded its coverage of embedded finance, earned wage access, and digital payment platforms. Texas operates differently structurally, but the AG’s consumer protection division has been pursuing financial services enforcement in areas that overlap with CFPB authority.
The compliance deadline calendar for the second half of 2026 includes the state-level enforcement developments worth tracking alongside federal timelines.
What to Actually Do With This
Three specific adjustments for compliance teams responding to the CFPB’s new posture:
Formalize your self-reporting protocol. The collaboration pillar explicitly rewards candor. That means your internal escalation process for identified compliance failures should have a clear decision point for self-reporting to the CFPB — criteria for when to self-report, a process for preparing the disclosure, and documentation of the decision. Ad hoc decisions about whether and when to self-report expose you to the worst of both worlds: if you don’t self-report and the Bureau finds it independently, you’ve lost the credit the principles promise.
Build your state AG monitoring into your compliance calendar. Most compliance programs monitor federal regulators carefully and treat state AG actions as reactive. Given the enforcement environment, that needs to reverse. Active monitoring of New York DFS, California DFPI, and Texas AG enforcement actions — including settlement terms, consent order provisions, and examination findings — should be part of your regular compliance intelligence program.
Pressure-test your consumer harm remediation capabilities. The Bilt case hinges on the ability to identify the affected consumer population and remediate accurately. That requires the records and operational capacity to run remediation at scale on short notice. If a supervisory finding came in tomorrow identifying a fee error affecting a subset of your customer base, could you identify them precisely, calculate the correct amounts, and execute remediation — and document every step for the regulator? That capability is the difference between a Bilt outcome and a formal enforcement action.
The issues management workflow in the compliance program documentation covers how to structure internal escalation so issues identified in monitoring or examination are documented and tracked through to resolution.
The Bigger Picture
The CFPB’s Enforcement Principles represent a real shift in how the Bureau will exercise its authority under the current leadership. The Bilt case is a useful calibration point — consumer harm found through supervision, resolved cooperatively, with no formal action. That outcome is what the principles are designed to enable.
What they’re not designed to enable is a compliance program that assumes federal moderation equals reduced regulatory exposure. The state enforcement fill-in is real, it’s accelerating, and it doesn’t come with the same due process and collaboration commitments the CFPB has made. A compliance program that optimizes for the new federal posture but ignores the state enforcement environment has rebuilt the wrong thing.
The practical answer: keep your consumer harm controls strong, strengthen your remediation capabilities, build the self-reporting protocol, and expand your state monitoring. The compliance program that survives this enforcement environment is the one that would have been fine under the old one — and has now added the specific capabilities the new one rewards.
A Compliance Essentials Bundle covers the issues management tracking, policy documentation, and self-reporting workflow structures that make a compliance program functional under any enforcement posture — including the one where self-disclosure is explicitly rewarded.
What OCC and Federal Reserve examiners are asking about compliance programs in 2026 provides useful context for understanding how federal supervisory priorities are evolving alongside the CFPB’s enforcement posture shift.
Sources:
- CFPB Enforcement Principles, June 22, 2026
- CFPB: CFPB Resolves Issue Involving Bilt Technologies and Former Credit Card Program Issuer, June 2026
- American Banker: CFPB Unveils Enforcement Framework Focused on Actual Consumer Harm
- Ballard Spahr: CFPB Issues New Enforcement Policies
- CFPB Consumer Financial Protection Bureau Newsroom
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What are the CFPB's new Enforcement Principles?
What happened in the CFPB's Bilt case?
Does the CFPB's shift away from theoretical harm mean less scrutiny for financial institutions?
What does 'no novel interpretations' mean in practice under the CFPB's principles?
How should compliance teams adjust to the CFPB's 2026 enforcement posture?
Does the CFPB's collaboration approach change how examiners conduct supervisory exams?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
● Don't wait for your own enforcement action
Every case like this started with a gap someone knew about but hadn't documented. The template below gives you the framework to get ahead of it.
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Jul 5, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026