# CFPB 2025 Enforcement: What Lenders Must Know
By Michael Dunleavey, Founder — LASER Credit Access | 15+ years in credit infrastructure and lending compliance
A Narrower CFPB Does Not Mean a Safer One
On May 28, 2026, the CFPB published a coordinated set of updates that together represent the clearest statement yet of how the Bureau intends to operate under its current leadership: a 2025 Enforcement Lookback, revised Enforcement Principles, updated Supervision and Enforcement Priorities, and an explanation of the Life Cycle of an Enforcement Action. Taken together, these documents describe a Bureau that has pulled back significantly in some areas — and sharpened its focus considerably in others.
The headline numbers are striking. The CFPB closed roughly 40% of its pending investigations during 2025, consistent with its narrowed enforcement priorities — including matters tied to deprioritized markets. Over the same period, the Bureau dismissed or rolled back more than 20 public enforcement actions and terminated or modified a comparable number of already-settled orders. It has also been implementing a significant reduction in supervisory examinations, resuming exams in late 2025 under a narrower framework after a months-long pause.
For lenders trying to calibrate their compliance programs, the temptation is to read this as a reprieve. That reading is a mistake. For FCRA compliance and Regulation V data furnishing obligations, the Bureau's updated materials do not signal retreat — they signal concentration. FCRA and Regulation V violations are named directly in the updated Supervision and Enforcement Priorities. Where the CFPB narrows its scope, it focuses more intensely on what remains.
Lenders using Salesforce-native compliance infrastructure are better positioned to meet the documentation, remediation, and data quality standards the updated framework demands — because those capabilities are built into the workflow rather than assembled in response to an exam notice.
How the CFPB's Enforcement Framework Changed
The May 28 release did not arrive without precedent. It was the operational conclusion of a strategic sequence that ran through the prior 14 months. Understanding the timeline matters because it shows that the framework change was deliberate, staged, and — based on the Bilt case five days after publication — already in practice.
The strategic timeline:
| Date | Event | Significance |
| April 2025 | New supervision and enforcement priorities emerge | Significant reduction in supervisory exams planned; FCRA and Regulation V named as priority areas |
| March 2026 | Draft 2026–2030 Strategic Plan published | Framed around pressing consumer threats, reduced regulatory burden, and internal governance reform |
| April 2026 | Fair lending approach narrowed | Regulation B amended to remove the effects test; ECOA disparate-impact liability no longer recognized by the Bureau |
| May 2026 | CFPB public blog archived | Signal of changing approach to public guidance and policy communication |
| May 28, 2026 | Enforcement framework published | Enforcement Principles, Supervision and Enforcement Priorities, Life Cycle of an Enforcement Action, and 2025 Lookback released simultaneously |
| June 2, 2026 | Bilt case described as framework in action | Direct engagement, consumer redress, documentation review — no formal enforcement action; resolution in weeks, not years |
The sequence matters for lenders because it establishes that these changes are not subject to reversal at the next staff meeting. They represent a structured repositioning with implementation already visible in real enforcement decisions.
Understanding why credit reporting accuracy is a standing legal obligation is essential context here — because while the Bureau's posture has shifted, the statutes underlying these obligations have not changed at all.
So what does this mean for your institution? A deliberate, staged enforcement framework change with a live case study attached is not a bureaucratic memo. It is a statement of operational intent. Compliance programs built around the prior framework's assumptions — broad investigative scope, theoretical harm as a trigger, prolonged litigation as a likely outcome — need to be recalibrated.
The New Enforcement Standard: Four Principles
The CFPB's updated Enforcement Principles represent the most operationally significant part of the May 28 release. The Bureau is not simply adjusting tone — it is changing what must be proven, and how, before enforcement action is taken.
The four principles:
Principle 1 — Actual Consumer Harm
The Bureau will focus on real and measurable consumer harm involving identifiable victims. Theoretical or speculative harm is no longer a sufficient basis for enforcement. For lenders, this shifts the risk calculus: technical violations without demonstrable consumer impact are less likely to drive a formal action. But when harm is identifiable and documentable — as in the Bilt case — the Bureau's response is rapid.
Principle 2 — Due Process
Enforcement will rely on clearly established statutory authority. Novel legal theories and expansive interpretations of the Bureau's mandate are explicitly deprioritized. This makes enforcement more predictable — but it does not alter the core requirements of FCRA, Regulation V, FDCPA, or Regulation F, all of which rest on clearly established statutory ground.
Principle 3 — Collaboration
Self-reporting is now explicitly encouraged. The Enforcement Principles state that institutions that self-report issues will not be unnecessarily punished for their candor. This is a meaningful shift in incentive structure: institutions that identify problems early, disclose proactively, and remediate before regulatory attention arrives are in a materially better position than those that wait.
Principle 4 — Efficiency
Consumer redress is prioritized over prolonged litigation. Where practical remediation is available, the Bureau prefers faster resolution. The Bilt case — resolved within weeks through direct engagement and documented remediation — is the clearest illustration of what this principle looks like in practice.
What institutions now need to be able to demonstrate:
When an issue surfaces, compliance teams must be able to show: what happened, who was affected, whether there was actual measurable harm, how the issue was identified, what corrective action was taken, and how the entire investigation and response were documented. That last point — documentation — has moved from supporting evidence to central exhibit.
For a detailed review of how these documentation obligations map to a real compliance program, our FTC compliance guidance for non-bank lenders covers the overlapping security and recordkeeping expectations that remain squarely within regulators' current priorities.
So what does this mean for your institution? The new enforcement standard does not reduce compliance risk for lenders in named priority areas — it redirects it. The risk now lives in documentation gaps, remediation delays, and the inability to demonstrate operational control. Institutions that can show a clear, timestamped record of what happened, how it was addressed, and that systems are functioning correctly are well-positioned under this framework. Institutions that cannot are not.
Where the CFPB Is Still Watching — and Where It Stepped Back
The updated Supervision and Enforcement Priorities divide the regulatory landscape clearly. For lenders reviewing their compliance posture, the most important task is placing their operations accurately in one column or the other — and not confusing "deprioritized" with "deregulated."
Named CFPB enforcement and supervision priorities (active):
| Priority Area | What Lenders Should Know |
| Servicemembers, veterans, and their families | MLA and SCRA compliance remain active enforcement areas; documentation of military status checks is expected |
| Mortgages | Origination, servicing, and loss mitigation compliance remain within scope |
| FCRA and Regulation V data furnishing violations | Explicitly named — furnishing accuracy, dispute investigation, and Metro 2 data quality remain high-risk areas |
| FDCPA and Regulation F violations | Collection practices remain within scope; debt validation and communication compliance apply |
| Fraudulent overcharges and fees | Junk fee and overdraft enforcement remains active, as the Bilt case illustrates |
| Inadequate controls resulting in actual consumer loss | The framing of "inadequate controls" signals that process and documentation gaps are themselves the violation |
Areas where the Bureau has pulled back:
Student loans, medical debt (following the vacatur of the Medical Debt Rule), remittances, digital payments, P2P lending, and consumer data (following withdrawal of the Data Broker proposed rule) are no longer named priorities.
What "deprioritized" does not mean:
State attorneys general, the FTC, private litigation, and existing federal rules continue to apply in every one of these areas. In May 2026, the Illinois Department of Financial and Professional Regulation launched a new consumer complaint portal explicitly citing federal cutbacks in consumer protection and declining CFPB mediation success rates. State-level enforcement activity is filling the space the Bureau has vacated. Compliance programs built around federal supervision as the primary accountability mechanism are now underestimating the full regulatory environment.
The Regulation B fair lending shift also warrants careful reading. The CFPB's April 2026 final rule removed the effects test and stated that ECOA does not recognize disparate-impact liability. But the Fair Housing Act's disparate-impact standards remain separate and unchanged. As of late May 2026, the rule is also facing active legal challenge: the National Fair Housing Alliance and a coalition of advocacy organizations filed suit in federal court arguing the rule unlawfully eliminates disparate-impact protections. With that litigation pending, the rule may not take effect as written — and lenders should not treat the narrowed ECOA standard as settled.
So what does this mean for your institution? Named-priority status means the CFPB is actively building supervisory cases in those areas with a more targeted — and therefore more efficient — examination approach. If your institution furnishes data to the credit bureaus, handles consumer disputes, or operates in the mortgage space, the Bureau's narrowed focus makes your operations more likely to receive scrutiny, not less.
The Bilt Case: Documentation as the New Compliance Standard
Five days after publishing its updated Enforcement Principles, the CFPB released a case study showing the new framework in practice. The Bilt case is worth studying carefully — not because of what the Bureau did, but because of what it accepted as a sufficient response.
Following Bilt's transition from Wells Fargo to Column Bank and Cardless as its banking partner, a limited number of customers incurred overdraft, late, and NSF fees tied to operational issues during the changeover. The Bureau did not initiate a formal enforcement action. Instead:
- The CFPB engaged directly with Bilt and required full consumer redress
- Bilt contacted affected customers and offered to reimburse transition-related fees
- More than 500 newly identified customers were expected to receive remediation by June 4 — two days after the case was published
- Bilt submitted documentation demonstrating that its systems were back on operational track
- The CFPB accepted the documentation and committed to continued monitoring
The entire resolution occurred within weeks. The outcome was not determined by the size of the violation or the number of affected consumers — it was determined by the quality and speed of the response.
For institutions navigating system conversions, portfolio acquisitions, platform migrations, or bank partner transitions, the standard is now explicit: identify the harm, remediate quickly, document everything, and engage proactively. The Bureau is not rewarding institutions for perfection. It is rewarding institutions for transparency and control.
Credit compliance intelligence in a shifting regulatory environment means more than monitoring regulatory changes — it means having the operational infrastructure to respond to compliance events at the speed the Bureau now expects.
So what does this mean for your institution? The Bilt case establishes a template. When something goes wrong — and in lending operations, something eventually will — the question is not whether you can prevent the Bureau from finding out. The question is whether you can produce a complete, timestamped record of what happened, who was affected, and what you did about it. Institutions with that capability resolve issues in weeks. Institutions without it face prolonged scrutiny.
Why LASER for CFPB-Ready Compliance
The CFPB's updated framework does not create new legal obligations — FCRA, Regulation V, and FDCPA requirements are exactly where they were. What it does is shift the weight of the compliance standard from regulatory investigation as the primary accountability mechanism to self-documentation, proactive remediation, and operational control as the primary evidence.
That is a systems problem as much as a legal problem. And it is exactly the kind of problem that Salesforce-native compliance infrastructure is built to address.
Salesforce-native credit access, built-in compliance, and decisioning — unified in a single app, ready from day one.
LASER Credit Access operates natively inside Salesforce, which means every credit pull, every dispute action, every compliance workflow event, and every decisioning output is logged within the same system of record your team uses to manage the loan lifecycle. When a regulator asks what happened, who was affected, and how the issue was resolved, the answer exists in the same platform — not assembled from exports across three disconnected systems.
For furnishing and dispute teams specifically, LASER's COMPLY pillar provides the built-in compliance workflow infrastructure that the updated CFPB framework now treats as evidence of institutional control. Consistent monitoring, dispute documentation, corrective action tracking, and management reporting are not audit-preparation activities — they are the continuous operational output of a compliant furnishing workflow.
Explore LASER's built-in compliance tools for FCRA and Regulation V furnishing workflows and Salesforce-native credit bureau access for lenders to see how this operates inside your existing system of record.
Learn more about LASER Credit Access and the team behind our Salesforce-native compliance infrastructure.
Five Things That Changed for Your Compliance Program
The May 28 framework updates translate directly into five operational shifts that compliance teams need to address before the next examination cycle.
1. Self-reporting is now an explicit advantage.
The Bureau's Enforcement Principles state that institutions that self-report will not be unnecessarily punished for their candor. The Bilt case confirms that proactive engagement, not forced disclosure, is the path to faster resolution. Compliance programs that have no self-reporting protocol are leaving a meaningful risk-reduction mechanism unused.
2. Documentation is now the primary compliance defense.
The ability to demonstrate what happened, who was affected, and how the issue was resolved — with a complete, timestamped record — is now as important as the corrective action itself. Process documentation, investigation logs, and remediation tracking are the evidence that determines how the Bureau responds.
3. FCRA and Regulation V furnishing exposure is unchanged.
Credit reporting and data furnishing are not side issues in the updated framework. They are named priorities. Furnishing accuracy, Metro 2 data quality, dispute investigation completeness, and corrective action documentation are all within active CFPB supervisory scope.
4. Fair lending exposure has narrowed, not disappeared.
The Bureau's Regulation B final rule removes ECOA disparate-impact enforcement — but the Fair Housing Act's disparate-impact standards remain separately in place. The rule faces active litigation and may not stand as written. Compliance programs should not treat the narrowed ECOA standard as a broad fair lending safe harbor.
5. State enforcement is filling the federal gap.
Deprioritized at the federal level does not mean unregulated. State attorneys general and state financial regulators are actively expanding their enforcement activity in areas the CFPB has pulled back from. Illinois launched a new complaint portal in May 2026 with an explicit reference to declining federal consumer protection activity. Compliance programs must account for the full enforcement environment — federal and state.
So what does this mean for your institution? Each of these five shifts has a direct operational implication that a compliance policy update alone cannot address. They require workflow changes — in how issues are identified, how responses are documented, and how corrective actions are tracked and reported. Institutions whose compliance infrastructure is embedded in their operational systems are best positioned to demonstrate the control the Bureau now expects.
Ready to Build a CFPB-Ready Compliance Workflow Inside Salesforce?
The CFPB's updated framework does not ask lenders to do less. It asks them to do specific things demonstrably well — identify harm early, remediate quickly, document thoroughly, and engage proactively. The institutions best positioned under this framework are not the ones with the most sophisticated legal teams. They are the ones whose compliance operations are embedded in their core systems.
LASER Credit Access delivers Salesforce-native credit access, built-in compliance workflows, and decisioning tools in a single application. If your institution needs to close gaps in furnishing accuracy, dispute documentation, or corrective action tracking before the next examination cycle, a compliance discussion is the right starting point.
→ Schedule a Compliance Discussion