ANAYLSIS: The CFPB recently announced that it is withdrawing 67 regulatory guidance documents it has issued since 2011. This includes guidance regarding fair lending, overdraft fees, buy now, pay later loans, earned wage access programs, and more.
The withdrawal is not necessarily final. The CFPB said that it will review these documents to decide whether some should be retained. In the meantime, the withdrawn guidance “should not be enforced or otherwise relied upon by the Bureau while this review is ongoing.”
Why the withdrawal?
The CFPB said that three factors led it to withdraw these documents:
- Compliance burdens: The CFPB said that it aims to issue guidance only when necessary and when doing so reduces compliance burdens rather than increases them. The withdrawal allows the Bureau to evaluate whether each document 1) is prescribed by statute; 2) is consistent with statutes and regulations; and 3) imposes or decreases compliance burdens.
- Reduction in enforcement activities: In line with directives to deregulate and streamline bureaucracy, the CFPB said that it is reducing enforcement activities, focusing only on statutorily required areas.
- Non-binding nature of guidance: The CFPB said it recognizes that guidance is generally non-binding. The withdrawal reflects a shift towards ensuring that guidance aligns strictly with statutory requirements and reduces unnecessary compliance burdens.
The following is based on an article from a nationally recognized consumer financial services law firm, plus material from America’s Credit Unions. It is not a complete list of all the withdrawn guidance documents; it only highlights certain documents (in chronological order) that we believe are of interest to credit unions. (The CFPB announcement lists all 67 withdrawn documents.)
Policy statements
The CFPB has withdrawn 8 policy statements, including these:
- Policy Statement on No Action Letters, 90 FR 1970 and Policy Statement on Compliance Assistance Sandbox Approvals, 90 FR 1974 (Jan. 10, 2025). These statements 1) created a formal application process and promised that the Bureau would not bring supervisory or enforcement actions against a product or practice described in an approved no-action letter; and 2) allowed institutions to test innovative products under controlled conditions while enjoying a temporary shield from enforcement.
- Statement on Enforcement and Supervisory Practices Relating to the Small Business Lending Rule Under the Equal Credit Opportunity Act and Regulation B, 88 FR 34833 (May 31, 2023). This policy addressed the Consumer Financial Protection Act of 2010 (CFPA), which defines and prohibited abusive acts or practices by covered persons or service providers. This policy aimed to provide an analytical framework for identifying such conduct, focusing on actions that materially interfered with consumer understanding or took unreasonable advantage of consumer vulnerabilities.
- Statement of Policy Regarding Prohibition on Abusive Acts or Practices, 88 FR 21883 (Apr. 12, 2023). The CFPA prohibits certain “unfair, deceptive, or abusive act or practice” (UDAAP) and defines abusive conduct. This policy statement explained how the Bureau would apply the “abusive” prong of UDAAP, emphasizing factors such as consumer comprehension and reasonable reliance. The policy provided a broad interpretation of the term “abusive.”
Interpretive rules
The CFPB has withdrawn 7 interpretive rules, including these:
- Use of Digital User Accounts to Access Buy Now, Pay Later Loans, 89 FR 47068 (May 31, 2024). This interpretive rule subjected “Buy Now, Pay Later” (BNPL) transactions to many Reg. Z requirements that apply to credit cards, such as giving BNPL consumers rights to dispute charges, demand refunds for returned products, and potentially receive periodic statements.
- The Fair Credit Reporting Act’s Limited Preemption of State Laws, 87 FR 41042 (July 11, 2022). This interpretive rule narrowly interpreted Fair Credit Reporting Act (FCRA) preemption, greenlighting most state data privacy and credit reporting laws that were “not inconsistent” with the federal law. Thus, it encouraged states to enact more laws regulating consumer reporting, arguing that states’ powers are only constrained in limited ways by the FCRA.
- Authority of States to Enforce the Consumer Financial Protection Act of 2010, 87 FR 31940 (May 26, 2022). This interpretive rule invited states to exercise their authority under the CFPA to sue in federal court for UDAAP violations and for any violations of the consumer laws the CFPB enforces.
- Equal Credit Opportunity (Regulation B); Discrimination on the Bases of Sexual Orientation and Gender Identity, 86 FR 14363 (Mar. 16, 2021). This interpretive rule declared sexual orientation and gender identity discrimination illegal under Reg. B, the CFPB’s Equal Credit Opportunity Act regulation. The League summarized it in this Compliance Courier.
Advisory opinions
The CFPB has withdrawn 13 advisory opinions, including these:
- Truth in Lending (Regulation Z); Consumer Credit Offered to Borrowers in Advance of Expected Receipt of Compensation for Work, 90 FR 3622 (Jan. 15, 2025). This advisory opinion rescinded a previous advisory opinion that the Bureau issued in 2020. That 2020 opinion had described how a specific type of “earned wage” product did not constitute the offering or extension of “credit” under the Truth in Lending Act (TILA) and Reg. Z.
- Truth in Lending (Regulation Z); Consumer Protections for Home Sales Financed Under Contracts for Deed, 89 FR 68086 (Aug. 23, 2024). This advisory opinion addressed contract-for-deed home financing, a/k/a, land contracts. The CFPB concluded that such financing is “consumer credit” under the TILA and Reg. Z and, therefore, that many providers of such financing must comply with the ability-to-repay and other rules in Reg. Z for consumer mortgages.
Other guidance
The CFPB has withdrawn 39 other guidance documents, including these:
- Consumer Financial Protection Circular 2024-05: Improper Overdraft Opt-in Practices, 89 FR 80075 (Oct. 2, 2024). This circular said that financial institutions may violate Reg. E if they charge consumers certain overdraft fees without affirmative proof that those consumers “opted in” and consented to be charged. Significantly, the circular seemed to suggest that credit unions and other financial institutions should keep proof of a consumer’s opt-in indefinitely, even though Reg. E only requires a two-year retention period. The League summarized this circular in this Compliance Courier.
- Consumer Financial Protection Circular 2024-03: Unlawful and unenforceable contract terms and conditions, 89 FR 51955 (June 21, 2024). This circular warned that including unlawful or unenforceable terms and conditions in consumer contracts could violate the prohibition on deceptive acts or practices in the CFPA. According to the CFPB, a representation or omission was deceptive if it was likely to mislead a reasonable consumer and was material – meaning that it “involves information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding, a product.”
- Consumer Financial Protection Circular 2024-02: Deceptive marketing practices about the speed or cost of sending a remittance transfer, 89 FR 27357 (Apr. 17, 2024). According to this circular, providers could be liable under the CFPA for deceptive marketing practices if they market: remittance transfers as being delivered within a certain time frame when transfers actually take longer; remittance transfers as “no fee” when in fact the provider charges fees; promotional fees or promotional exchange rates for remittance transfers without sufficiently clarifying when an offer is temporary; and remittance transfers as “free” if they are not.
- Consumer Financial Protection Circular 2022-06: Unanticipated overdraft fee assessment practices, 87 FR 66935 (Nov. 7, 2022). In this circular, the CFPB determined that “authorize positive, settle negative” overdraft fees were unfair.
- Consumer Financial Protection Circular 2022-04: Insufficient data protection or security for sensitive consumer information, 87 FR 54346 (Sept. 6, 2022). This circular gave three examples of insufficient data protection or information security practices that could violate the CFPA’s prohibition on unfair acts or practices: inadequate authorization, poor password management, and lax software update policies.