November 24, 2025
Consumer Financial Services Bites of the Month - November 19, 2025 - "November Rain with the CFPB"
Justin B. Hosie, Eric L. Johnson and Kristen Yarows
In this month's article, we share some of our top "bites" covered during the November 2025 webinar.
Bite 15: OIG Finds CFPB's Cybersecurity Program "No Longer Effective"
On October 31, 2025, the Federal Reserve's Office of Inspector General issued a report finding that the CFPB does not have a strategy to respond to cybersecurity risks and is unable to maintain "an effective level of awareness" of its security concerns. The Fed's OIG report was issued as part of its annual audit of the CFPB's information security system. The report cited the use of outdated software and that vendors are no longer providing security updates and patches for the CFPB's information systems. The report stated thatthe CFPB's enterprise risk management program "has been placed on hold as the agency's chief risk officer and other individuals in the ERM office left the agency in March 2025. These individuals' positions have not been backfilled, nor are their roles and responsibilities being fully performed." The report concluded that the CFPB's information security system experienced a rapid drop in effectiveness, falling from a level 4 (out of 5) in fiscal year 2024, to a level 2 rating in fiscal year 2025. The CFPB's chief information officer asserted that the CFPB maintains a "robust cybersecurity posture." The IG made several technical recommendations.
Bite 14: Vought Discusses Plans to Shut Down CFPB
On October 15, 2025, news outlets reported that Director of the Office of Management and Budget and Acting Director of the CFPB, Russell Vought, said that he wants to shutter the CFPB and expected to succeed in the next few months. In an interview, Vought said, we "don't have anyone working there except our Republican appointees and a few careers that are doing statutory responsibilities while we close down the agency." Vought went on to say, we "will be successful probably within the next two or three months." These comments appear to contradict the administration's stance in the National Treasury Employees Union litigation, which has argued that the agency is merely being downsized. The Department of Justice argued that the administration's goal is to streamline the CFPB, not to eliminate it. Vought also said, "this agency, all they want to do is weaponize the tools of financial laws against basically small mom-and-pop lenders and other small financial institutions."
Bite 13: Former CFPB Lawyers Join Pro-Consumer Organization
On November 12, 2025, news outlets reported that three former CFPB senior enforcement lawyers are launching a "strategic enforcement project" to help protect consumers from corporate misconduct with an organization called Protect Borrowers. The effort will bring new litigation "to challenge products and practices that exploit workers, consumers and small business owners." Former top CFPB enforcement lawyers Eric Halperin, Cara Petersen and Tara Mikkilineni will spearhead the effort to bring new litigation. Cara Peterson was part of the founding team of the CFPB and Eric Halperin was the enforcement director at the CFPB from 2021 to 2025. Tara Mikkilineni was a senior advisor to the CFPB Enforcement leadership. The new project will work alongside Protect Borrowers' ongoing litigation and legal strategy practice.
Bite 12: CFPB Publishes Interpretive Rule on FCRA Preemption
On October 28, 2025, the CFPB published an interpretive rule that clarifies the Fair Credit Reporting Act ("FCRA") generally preempts state laws that touch on broad areas of credit reporting. The interpretive rule replaces a July 2022 interpretive rule that the CFPB withdrew in May 2025. The CFPB noted that it was unnecessary for the CFPB in 2022 to opine on the scope of preemption under the FCRA since the FCRA does not compel, or even authorize, the CFPB to provide its legally binding views on preemption. The CFPB also said that the "2022 interpretive rule contradicted the plain text of section 1681t(b)(1), ignored the legislative history of the preemption clause, and reflected a misguided policy choice that would undermine the credit reporting system and credit markets." The interpretive rule does not have the force or effect of law.
Bite 11: CFPB Withdraws Proposed Rule Regarding Form Contract Registry
On October 29, 2025, the CFPB published notice in the Federal Register indicating that it is withdrawing its proposed rule creating a registry of non-bank form contracts that limit legal protections. The proposed rule was published back on February 1, 2023 and would have required certain nonbanks to register information about their use of certain terms and conditions in form contracts. The proposed rule would have required those subject to the rule to file court and arbitrator decisions on the enforceability of terms and conditions in the form contracts. The CFPB planned to publish such information and registrants' identifying information on its website for public review. The CFPB stated that it was withdrawing the proposed rule because the significant costs of the proposed registration and publication system were not justified by their uncertain and speculative benefits.
Bite 10: CFPB Terminates Consent Order with Credit Bureau
On November 3, 2025, the CFPB terminated a 2023 consent order with a credit bureau over allegations that the credit bureau failed to remove security freezes and locks on consumers' access to their credit reports in a timely manner. The consent order alleged violations of the FCRA and the federal prohibition of unfair, deceptive, and abusive acts or practices. The CFPB terminated the consent order three years early by stating that the company had already paid fines and restitution to the harmed consumers. The company issued a statement that it had "fully complied with all aspects of the security freeze consent order and is pleased the CFPB determined that an early termination of the order was warranted." The termination of this consent order is one of several consent orders that the CFPB has terminated early over the past year.
Bite 9: CFPB Issues Proposed Rule Regarding 1071 Rule
On November 13, 2025, the CFPB published a proposed rule to revise certain provisions of Regulation B, which implements the Equal Credit Opportunity Act (ECOA). The CFPB is reconsidering coverage of certain credit transactions and financial institutions; the small business definition; inclusion of certain data points and how others are collected; and the compliance date. The CFPB claims that these proposed changes would streamline the rule, reduce complexity for lenders, and improve data quality, advancing the purposes of section 1071 and comply with recent executive directives. The CFPB also claims that a longer-term approach to advance the statutory purposes of section 1071 would be to commence the collection of data with a narrower scope to ensure its quality and to limit, as much as possible, disturbance to small businesses. The CFPB noted that it intends to approach the section 1071 rule like the CFPB did with the Home Mortgage Disclosure Act with an incremental approach. Public comments on the proposed rule must be received on or before December 15, 2025.
Bite 8: CFPB Issues Proposed Rule on ECOA
On November 13, 2025, the CFPB published a proposed rule for public comment amending provisions related to disparate impact, to discouragement of applicants or prospective applicants, and special purpose credit programs under Regulation B. The proposed changes provide that ECOA does not authorize disparate-impact liability (effects test), further define discouragement, and add prohibitions and restrictions for special purpose credit programs. In 2020, the CFPB issued a Request for Information on the Equal Credit Opportunity Act ("ECOA") and Regulation B that solicited information about disparate impact, prospective applicants, and special purpose credit programs, among other topics. Earlier this year, President Trump issued two executive orders, one titled "Ending Illegal Discrimination and Restoring Merit-Based Opportunity," and the other titled "Restoring Equality of Opportunity and Meritocracy" that are relevant to the CFPB's administration of ECOA. Public comments on the proposed rule must be received on or before December 15, 2025.
Bite 7: CFPB Rescinds Amendments to Adjudication Proceedings
On October 29, 2025, the CFPB published a final rule rescinding amendments to the Rules of Practice for Adjudication Proceedings. The amendments were adopted in February 2022 and March 2023. The amendments included a new deposition process, amendments concerning timing and deadlines, bifurcation of proceedings, the process for deciding dispositive motions, and requirements for issue exhaustion, as well as other technical changes. The CFPB noted concerns that the amendments transferred authority to decide dispositive motions from the hearing officer who is presiding over the proceeding (normally an administrative law judge) to the Director. After reviewing the comments, the CFPB decided to retain certain narrow amendments related to procedure. These include clarifying the method for computing deadlines, permitting copies of electronic documents, and technical amendments that replaced the term "the Bureau" with either "the Director," "the Office of Administrative Adjudication," or "the Office of Enforcement" to avoid ambiguity.
Bite 6: CFPB Rescinds Nonbank Registry Rule
On October 29, 2025, the CFPB published a final rule rescinding its Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders ("NBR Rule") that was adopted on July 8, 2024 and took effect on September 16, 2024. The NBR Rule sought to require certain nonbank covered persons subject to certain final public orders obtained or issued by a government agency in connection with the offering or provision of a consumer financial product to report the existence of those orders to the CFPB's registry. The CFPB noted that it is rescinding the NBR Rule based on concerns that the costs of the rule are not justified by the speculative and unquantified benefits to consumers. The CFPB also noted that the NBR Rule was rescinded in part because of the cost for the CFPB to maintain the registry system. The final rule will be effective immediately.
Bite 5: Judge Blocks CFPB's Open Banking Rule
On October 29, 2025, news outlets reported that the United States District Court for the Eastern District of Kentucky paused the compliance deadlines on the CFPB's open banking rule. The rule was finalized last year under the previous administration and sought to allow consumers the ability to access and share data from bank accounts, credit cards, mobile wallets, payment apps, and other financial products. In July 2025, the CFPB indicated it would begin a rulemaking to reconsider and revise the rule. Banking groups filed a lawsuit arguing that the regulation exceeded the CFPB's authority and imposed costly burdens on the industry. U.S. District Judge Danny Reeves in Lexington, Kentucky, agreed with the banking groups saying that the "plaintiffs and their members are being compelled to incur expenses that would be unrecoverable and unnecessary." The Judge also said that the plaintiffs were likely to succeed on the merits of their lawsuit.
Bite 4: 10th Circuit Lifts Preliminary Injunction over DIDMCA Opt-Out
On November 10, 2025, the United States Court of Appeals for the Tenth Circuit reversed a lower court injunction against the enforcement of Colorado's Depository Institutions Deregulation and Monetary Control Act ("DIDMCA") opt-out. For background, DIDMCA is a federal law that is generally understood to permit state-chartered banks to export their interest rates into other states, but it allows states to "opt-out" of such exportation. Under DIDMCA, legislation must state "explicitly and by its terms" that such state does not want the DIDMCA rate exportation section "to apply with respect to loans made in such State." In June of 2023 the Colorado legislature passed H.B. 23-1229, which provides that Colorado's interest and fee limitations function as an opt-out from Section 521 of DIDMCA. In March 2024, three trade groups sued over the legislation, and a federal district court granted the trade groups' preliminary injunction. The Tenth Circuit held that "loans made in such State" refers to loans in which either the lender or the borrower is located in the opt-out state and because Colorado opted out of Section 1831d of DIDMCA, that statute no longer preempts Colorado's interest-rate cap for loans from out-of-state banks to Colorado borrowers. Thus, Colorado's rate and fee limitations apply.
Bite 3: CFPB Settles Military Lending Act Lawsuit
On October 15, 2025, news outlets reported that the U.S. District Court for the Southern District of New York granted the CFPB and online lender's joint motion because the parties agreed to resolve their case. In 2022, the CFPB accused the online lender of targeting military families, illegally imposing fees and making it difficult to cancel monthly subscriptions to a membership program that offered access to online loans marketed as having low interest rates. Most of the CFPB's original complaint survived a motion to dismiss, and the CFPB filed an amended complaint in April. After the motion to dismiss, the New York Attorney General filed a lawsuit against the online lender. This case was one of the few CFPB cases that has continued during this administration.
Bite 2: CFPB Notifies Court it Cannot Access Funds from the Fed
On November 10, 2025, the Department of Justice filed a notice of potential lapse in appropriations to pay the expenses of the CFPB in the National Treasury Employee Union litigation. The DOJ's Office of Legal Counsel wrote a memorandum addressed to Acting Director Vought regarding whether the CFPB can continue to draw funds from the Federal Reserve system under 12 U.S.C. § 5497 when the Fed. is operating at a loss. According to the memo, the Federal Reserve began operating in late 1914 and was profitable in every subsequent year until 2022, after which its costs have exceeded its revenue. The DOJ Office of Legal Counsel concluded that it was legally prohibited from drawing cash from the Federal Reserve to support the CFPB's operations when the Fed is operating at a loss. The CFPB anticipates having sufficient funds to continue operations until at least December 31, 2025. The CFPB notified the court that in light of the Office of Legal Counsel opinion, the Acting Director of the CFPB anticipates preparing a report to the President and to congressional appropriations committees, as statutorily required, identifying the "funding needs of the Bureau."
Bite 1: FTC and Nevada Take Action Against Tax Debt Relief Company
On October 17, 2025, the FTC and State of Nevada filed a lawsuit against a tax debt relief company over allegations that the company falsely impersonated government agencies, including the IRS; deceptively marketed tax debt relief; and threatened consumers. The Commission alleges the company's operators falsely claimed they could settle taxpayers' back taxes for "pennies on the dollar" or for only a "fraction" of what taxpayers' owed, often making these claims before evaluating the taxpayer's circumstances. The Commission also alleges that the company falsely claimed that the IRS was investigating the consumer or that the IRS marked their account as "high risk." The FTC alleges that the company violated the FTC Act, the Gramm-Leach Bliley Act, the Telemarketing Sales Rule, and the Impersonation Rule and the State of Nevada alleges the company violated Nevada law. The FTC and State of Nevada moved for a temporary restraining order and asset freeze. The FTC's Bureau of Consumer Protection Director, Christopher Mufarrige said that the "FTC will not hesitate to stop companies . . . that target hard-working Americans with bogus debt relief services." The Commission voted 3-0 to approve filing the complaint.
Still hungry? Please join us for our next Consumer Financial Services Bites of the Month. If you missed any of our prior Bites, request a replay on our website.