Once sharply focused on an expansive enforcement agenda, the Consumer Financial Protection Bureau (CFPB) has reprioritized matters it pursues, amended or scaled back certain actions, and faces an (at best) uncertain environment as the new year dawns.
For financial institutions and technology firms, the change signals a regulatory environment that is less predictable but not absent — and offers opportunities for innovation.
A Wave of Dismissals and De-Prioritized Enforcement
In May 2025, the CFPB publicly announced it would not prioritize enforcement actions tied to buy now, pay later credit under its earlier interpretive guidance, effectively stepping back from aggressive BNPL oversight pursued in prior years.
In this May document from then-acting director Russell Vought, the CFPB revoked dozens of interpretive rules, advisory opinions and guidance.
The announcement did not rescind existing law, but it signaled a lower enforcement posture toward, among other firms, BNPL providers at a time when installment credit remains popular among inflation-strained consumers. PYMNTS has reported extensively on BNPL’s role in household budgeting and merchant checkout strategies.
The CFPB has also dismissed or wound down multiple enforcement actions inherited from prior leadership. Dismissals have been notable, particularly in areas involving debt collection practices, remittance transfers and older fair-lending disputes. By way of example, the agency withdrew its suit against Capital One, as PYMNTS reported earlier this year. In another example, the CFPB dropped its suit against Zelle.
Advertisement: Scroll to Continue
Rulemaking Has Not Stopped
Rulemaking has narrowed but is still in play.
Among the most consequential outstanding effort remains Section 1033 of the Dodd-Frank Act, which governs consumer access to financial data and underpins open banking. The CFPB continues to list the Personal Financial Data Rights rule as under development, with reconsideration activity ongoing. This means banks, FinTechs and data aggregators still lack final federal standards for APIs, data permissions, liability and security, even as consumer data sharing continues to scale. PYMNTS reported in coverage on the commentary period afforded to stakeholders that consortium approaches to data sharing and fee structures are key issues for consideration.
A revised rule may indeed implement a “reasonable fee” or similar standard. This would help banks recover data-sharing costs while avoiding pricing FinTechs and aggregators out of the market.
Larger Participant Rules
Additional rulemaking still in play determine which nonbanks fall under CFPB supervision in markets such as consumer reporting, auto finance, debt collection and remittances. Although thresholds have not been formally proposed, higher thresholds in terms of transaction count or size would reduce the number of companies subject to supervision. This would materially shrink the bureau’s reach across several nonbank markets.
Funding Constraints Shape the CFPB’s Role
As critical factor affecting the next year will be funding. The CFPB notified courts that it could not lawfully draw funds from the Federal Reserve under current conditions, reinforcing operational uncertainty. Reduced funding affects staffing, litigation capacity and the pace of rulemaking, forcing prioritization rather than expansion. This has practical consequences for how aggressively the agency can pursue enforcement even when statutes remain unchanged.
Implications for Banks and FinTechs
For banks, the reduced enforcement focus on certain compliance actions may lower immediate litigation risk and reduce the burden of defending against new CFPB suits in areas like BNPL. However, absent clear enforcement priorities, institutions must still independently assess risk and maintain strong compliance systems in credit reporting, disclosures and credit product management.
For FinTech innovators, especially those building on consumer-authorized data access, the continuation of Section 1033 rulemaking means that interoperability standards, API specs and data governance frameworks remain in play, and there is some room for collaboration, though firms cannot yet rely on a final federal standard.
For small businesses and lenders, the CFPB’s non-prioritization notices — for instance on registration requirements for small loan providers — provide short-term relief in terms of additional, or changing, compliance mandates. And as noted here just last week, The Consumer Financial Protection Bureau has said that certain earned wage access (EWA) products are not credit and are not covered by Regulation Z of the Truth in Lending Act.
