Financial services companies may feel relief from the aggressive federal oversight and regulation that defined the past decade. However, regulatory risk has not disappeared—it has shifted. State attorneys general, state financial services regulators, and private litigants may step into the gap, making compliance just as critical, but now more fragmented and unpredictable.
For businesses operating in consumer financial services, the new landscape presents both opportunities and risks. As companies adjust to this new reality, they must be proactive in monitoring federal developments, state law trends, preparing for private litigation risks, and developing compliance strategies that account for a shifting enforcement paradigm. Below is a roadmap to help navigate this new consumer financial services landscape.
1. Federal Consumer Financial Law Remains the Law; with State and Private Enforcement Risks
Federal consumer financial law remains unchanged. The Consumer Financial Protection Act, and enumerated consumer laws under Dodd-Frank, such as the Truth in Lending Act (TILA), Fair Debt Collection Practices Act (FDCPA), Fair Credit Reporting Act (FCRA), and Electronic Fund Transfer Act (EFTA), and others, all remain the law of the land.
While the potential absence of aggressive federal oversight and restrictive interpretations may allow for more flexibility in product development, pricing, and marketing, it also increases the likelihood of state-led investigations, multistate regulatory actions, and private lawsuits under consumer protection laws. Many of the statutes that governed CFPB enforcement—such as the TILA, FDCPA, FCRA, and EFTA, can be enforced by the states (although not their implementing regulations), and contain private rights of action, meaning consumers and class action attorneys can enforce them directly, regardless of federal regulatory activity.
2. State Enforcement Can Gain Strength
The CFPB’s regulatory retreat does not mean that financial services companies can ignore compliance obligations. The Federal Trade Commission (FTC) still has enforcement authority with respect to most consumer financial law and nonbanks. And state regulators and attorneys general can actively fill the gap, and in some cases, they are coordinating enforcement efforts across multiple states.
State Attorneys General (AGs): Historically, state AGs have aggressively pursued consumer protection cases under state Unfair and Deceptive Acts and Practices (UDAP) laws. Without federal intervention, AGs may initiate more enforcement actions related to lending, loan servicing, debt collection, marketing practices, and data privacy violations.
State AGs also don’t need permission to bring Consumer Financial Protection Act (CFPA) enforcement actions. While they must notify the Bureau before filing suit, they can and do move forward independently. This opens the door to state AGs continuing to utilize the UDAAP authority under the CFPA, including “abusive” claims that are not always available under state consumer protection statutes. Also, a violation of an enumerated consumer law is a violation of the CFPA, which could result states seeking significant CFPA remedies, not just the enumerated consumer law's remedies. State AGs or the state banking and consumer protection agencies (see below) often also enforce statutes that mirror or reference federal consumer financial law.
State Financial Services Regulators and Consumer Protection Agencies: In states with consumer credit administrators, and strong financial regulatory agencies, such as California’s Department of Financial Protection and Innovation (DFPI) and New York’s Department of Financial Services (NYDFS), scrutiny and enforcement will likely accelerate in the absence of CFPB activity.
Multistate Investigations: With no CFPB leading nationwide enforcement efforts, expect some state AGs and regulators to coordinate more frequently on multistate actions against financial services companies.
Key Takeaway: Companies that operate nationally should not assume that a lack of federal action means fewer regulatory risks. Instead, they must prepare for a decentralized enforcement model that may lead to inconsistent and unpredictable compliance burdens across multiple states.
3. The Growing Threat of Private Litigation and Class Actions
One of the biggest misconceptions in the post-CFPB era is that regulatory risk has diminished. Many of the most consequential financial services laws have private rights of action, meaning consumers (and plaintiffs’ lawyers) can enforce them without any government agency involvement.
Key statutes with private rights of action include:
- TILA (Truth in Lending Act): Enables consumers to sue for improper loan disclosures, unfair billing practices, and failure to comply with consumer lending protections.
- FDCPA (Fair Debt Collection Practices Act): Allows consumers to file lawsuits over aggressive or misleading debt collection practices.
- FCRA (Fair Credit Reporting Act): Subjects credit reporting agencies, furnishers, and users of consumer reports to direct lawsuits for inaccurate reporting, improper use of credit data, and failure to investigate disputes.
- EFTA (Electronic Fund Transfer Act): Authorizes lawsuits against financial institutions for unauthorized transactions, failure to provide transaction disclosures, and improper overdraft practices.
Implications for Financial Services Companies
- Lawsuits Can Arise Without Regulatory Action: Even if no state AG or regulator takes action, private attorneys can still file lawsuits against lenders, servicers, and fintech companies.
- Class Actions Pose a Serious Risk: Many of these statutes allow for statutory damages, making them attractive to class action plaintiffs’ firms that specialize in consumer financial litigation.
- Arbitration Agreements and Class Action Waivers May Be Challenged: While many financial services companies rely on arbitration clauses to mitigate litigation risk, these clauses continue to face legal challenges, particularly in state courts.
Key Takeaway: Consumer financial laws remain enforceable through private lawsuits, meaning companies must not assume that deregulation equates to lower litigation risk. Instead, they must proactively monitor legal trends and prepare for increased consumer-driven legal challenges.
3. UDAP Laws: The State-Level Enforcement Wild Card
Every state has its own “mini-FTC Act” or Unfair and Deceptive Acts and Practices (UDAP) law, which broadly prohibits unfair and deceptive business practices. While they vary from state-to-state, these laws serve as a catch-all enforcement mechanism, often allowing state AGs and private plaintiffs to target financial services companies, even in the absence of a specific regulatory violation.
What Makes UDAP Laws Particularly Dangerous?
Broad and Flexible Standards: Unlike the CFPB’s UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) standard, state UDAP laws do not require federal notice before using for enforcement—giving AGs more discretion in what constitutes a violation.
Private Rights of Action: Many state UDAP laws allow private individuals to sue, creating another pathway for class actions.
Statutory Damages and Attorney’s Fees: Some states allow enhanced damages or attorney’s fees, which further incentivizes litigation.
Key Takeaway: Even if a business practice complies with federal law, state UDAP laws may still provide a basis for lawsuits or AG enforcement actions. Companies should proactively review their marketing, lending, servicing, and debt collection practices for potential UDAP exposure.
4. Practical Strategies for Navigating the New Landscape
Given these enforcement and litigation risks, financial services companies must take a balanced approach—ensuring compliance without overcorrecting in a way that stifles innovation or growth.
There is an opportunity for consumer financial services companies to use this period of regulatory shift to reassess risk exposure and refine compliance strategies. This means maintaining good relationships with state regulators, ensuring vendor oversight meets federal and state law requirements, and reviewing policies for consistency across multiple jurisdictions.
While scaling back unnecessary federal compliance measures that were intended solely to placate the CFPB’s expectations may end up being appealing, companies should be careful not to weaken their overall compliance management systems for overall legal compliance, and specific controls in areas where states are likely to enforce, such as fee disclosures, fair lending practices, and data privacy protections, and where there is the potential of federal regulator snapback at some future time. It is also important to recognize the potential for regulatory snapback in some future administration or in response to significant event drawing the attention of the current administration and Congress.
A. Maintain a Strong Compliance Management System (CMS):
A CMS should focus on federal and state law compliance and consumer complaint monitoring, ensuring that emerging risks are quickly identified and mitigated.
B. Reassess Arbitration Clauses and Litigation Risk:
Given the rising risk of private lawsuits, financial services companies should review their consumer contracts, arbitration clauses, and class action waiver enforceability.
C. Engage with State Regulators Proactively:
Companies and sectors that engage with state regulators before issues arise may be able to influence interpretations of state laws and reduce enforcement risks.
D. Monitor Emerging Consumer Litigation Trends:
Watch for new legal theories being used in class actions, especially under state UDAP laws and data privacy statutes.
E. Prepare for Multistate Compliance Challenges:
Companies should conduct multi-state legal reviews to promote compliance with lending laws, fee disclosures, and collection regulations.
Final Thoughts: The Future of Consumer Financial Services Compliance
The new regulatory landscape is not one of less risk, but different risk. Consumer financial services law is unchanged. While federal regulatory oversight may be fading, state enforcement and private litigation risks are rising. Companies that mistake deregulation for a compliance-free environment may find themselves unprepared for the next wave of legal challenges.
The best approach is not to overreact—but to be proactive, understand the law, and take risk into account. By adjusting compliance strategies to account for private litigation risk, state regulatory trends, and UDAP enforcement, financial services firms can position themselves to navigate this new era confidently and successfully.
* * * * * *
Related Articles
Consumer Financial Services Outlook 2025 – Deregulation, State Impact, and Industry Shifts
A Primer on State Consumer Financial Regulation: What Businesses Need to Know Now
Consumer Finance’s Deregulatory Shift—The Evolving Role of Compliance
Navigating Financial Services M&A: Observations from Regulatory Due Diligence
The Biden/Chopra CFPB's 2025 Guidance Compendium: A Last Gasp or Lasting Legacy?
State Attorney General Investigations