
What Is the CFPB? How It Affects Fintech Companies

Anzar Dewani

2 weeks ago

The Consumer Financial Protection Bureau has broad authority over most consumer-facing fintechs. Here is what the CFPB does, what it regulates, how supervision works, and what compliance obligations it creates for your business.

The Consumer Financial Protection Bureau is the U.S. federal agency responsible for protecting consumers in the financial marketplace. Created by the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010 in direct response to the consumer protection failures exposed by the 2008 financial crisis, the CFPB has broad authority to write rules, examine financial companies, and bring enforcement actions against businesses that harm consumers.

For fintechs, the CFPB is one of the most significant regulatory relationships to understand — particularly if your product serves individual consumers rather than exclusively business customers. Understanding what the CFPB regulates, how it exercises its authority over non-bank fintechs, and what its enforcement priorities look like is essential for any consumer-facing fintech building a sustainable compliance program.

What the CFPB Does

The CFPB has three core functions that shape its impact on fintechs.

  1. Rulemaking — the CFPB writes regulations governing consumer financial products and services. When the CFPB finalizes a rule, covered companies must comply. Recent and ongoing rulemaking activity relevant to fintechs includes rules on open banking and data sharing, small business lending data collection, buy-now-pay-later products, and earned wage access programs.
  2. Supervision — the CFPB examines financial companies to assess compliance with federal consumer financial laws. Critically, the CFPB has examination authority over non-bank financial companies — including fintechs — in specific markets, not just banks and credit unions.
  3. Enforcement — when the CFPB identifies violations through examination or investigation, it can bring enforcement actions resulting in civil money penalties, required consumer remediation, and binding compliance program requirements. CFPB enforcement actions are public and have lasting reputational and operational consequences.

Does the CFPB Have Authority Over Your Fintech?

This is one of the most important regulatory questions a fintech founder can ask — and the answer is more likely to be yes than many founders assume.

The CFPB has supervisory authority over non-bank financial companies in specific markets including mortgage origination, servicing, and brokering; payday loans and certain high-cost installment loans; private student loans; consumer reporting and credit bureaus; debt collection; prepaid accounts including digital wallets and general purpose reloadable prepaid cards; money transmission; and check cashing.

Beyond these enumerated markets, the CFPB has supervisory authority over larger participants in markets it defines through rulemaking — and it has used this authority to extend examination coverage to significant players in consumer payments, credit reporting, and digital lending.

Even fintechs not currently subject to CFPB examination are subject to the CFPB's enforcement authority if they engage in UDAAP violations or violate applicable federal consumer financial laws. Examination authority and enforcement authority are separate — a company can be subject to CFPB enforcement action without having been subject to a CFPB examination.

Key Laws and Regulations the CFPB Enforces

  • UDAAP — Unfair, Deceptive, or Abusive Acts or Practices. The CFPB's broadest enforcement authority, applicable to virtually any consumer-facing financial practice that causes harm. Covered in detail in the UDAAP article.
  • Regulation E — the regulation implementing the Electronic Fund Transfer Act, governing electronic fund transfers for consumer accounts, including digital wallets, prepaid cards, and peer-to-peer payment products. Covers error resolution, unauthorized transfer liability, and disclosure requirements.
  • Regulation Z — implements the Truth in Lending Act governing disclosures for consumer credit products including credit cards, installment loans, and buy-now-pay-later products.
  • The Equal Credit Opportunity Act — prohibits discrimination in credit decisions based on race, color, religion, national origin, sex, marital status, age, or receipt of public assistance. Increasingly relevant to fintechs using algorithmic underwriting models.
  • The Fair Credit Reporting Act — governs use of consumer credit information, relevant to any fintech using credit reports in onboarding, underwriting, or account management.
  • The Prepaid Account Rule — specific requirements for prepaid accounts including digital wallets, covering standardized fee disclosures, error resolution, and periodic statement access.
  • The Home Mortgage Disclosure Act — for fintechs involved in mortgage lending, governing data collection and reporting on mortgage applications and originations.

How CFPB Supervision Works for Non-Banks

The CFPB's supervisory process for non-bank fintechs follows a structured examination process.

Examination notification — the CFPB notifies the company that it will be examined and provides an information request covering documents, policies, procedures, data, and records the examination team will review.

Off-site document review — CFPB examiners review submitted documentation to build an understanding of the company's products, customer base, compliance program, and practices before any on-site work begins.

On-site or remote examination — examiners conduct the substantive examination including additional record review, management and staff interviews, transaction testing, and compliance control evaluation.

Examination report — the CFPB issues a confidential examination report identifying any findings. Findings that require remediation are issued as Matters Requiring Attention. More serious violations may result in referral for formal enforcement action.

What the CFPB Is Focused On in Fintech

CFPB supervisory and enforcement priorities shift with leadership and the regulatory environment, but recurring themes in fintech-related oversight include:

  • Fee practices, including unexpected or undisclosed fees and practices that maximize fee revenue at consumer expense.
  • Buy-now-pay-later products, with particular focus on disclosures, dispute resolution, and credit reporting practices.
  • Digital payment applications, including peer-to-peer payment products and the error resolution and fund availability practices of major platforms.
  • Algorithmic underwriting and pricing fairness, including whether AI-driven credit and pricing decisions create illegal disparate impact on protected classes.
  • Complaint responsiveness, including whether companies have adequate processes for receiving, investigating, and resolving consumer complaints.
  • Dark patterns, including digital design choices that manipulate consumers into decisions against their own interests.

Frequently Asked Questions

Does the CFPB regulate all fintechs or only large ones? 

The CFPB's examination authority over non-banks is focused on certain markets and on larger participants within those markets. However, the CFPB's enforcement authority — including UDAAP enforcement — applies to all companies offering consumer financial products and services regardless of size. A small fintech that engages in UDAAP violations is subject to CFPB enforcement even if it has never been subject to a CFPB examination.

What is the difference between a CFPB examination and a CFPB enforcement action? 

A CFPB examination is a supervisory process where the CFPB reviews a company's compliance program and practices. Examinations are confidential and typically result in findings communicated privately to the company. A CFPB enforcement action is a formal legal proceeding that results in a public consent order, civil money penalties, and required remediation. Enforcement actions typically follow either a CFPB examination that revealed serious violations or a CFPB investigation triggered by consumer complaints or other intelligence.

How should a fintech prepare for a potential CFPB examination? 

The most important preparation is building a genuine compliance program before examination notice arrives — not in response to it. Key elements include written policies covering all applicable CFPB-regulated areas, evidence that those policies are actually followed in practice, a complaint management system with documented resolution processes, staff training records, and a record of regular internal compliance reviews. Companies that receive examination notice should also retain qualified legal counsel with CFPB examination experience.

How ComplyOne Helps

ComplyOne helps consumer-facing fintechs build compliance programs that address CFPB requirements — from UDAAP policies and Regulation E error resolution procedures to complaint management systems and examination preparation — through advisory services and compliance technology.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
