For the past several years, compliance risks raised by allegations of unfair, deceptive or abusive acts or practices have left financial institutions in a tough spot. Because UDAP/UDAAP is a subjective standard (based on what the “reasonable” customer may deem unfair, deceptive, or abusive), absent precedent it is difficult for institutions (and their compliance personnel) to predict what a court, regulator, or plaintiff’s attorney may deem to be UDAP/UDAAP. During the Biden presidential era, federal regulators leaned heavily on their UDAP/UDAAP authority to cite institutions for practices that examiners found fault with. However, during the Trump presidential administration agencies such as the CFPB have formally announced their rollback of UDAP/UDAAP enforcement efforts. Nonetheless, the CFPB has stated that certain consumer financial products and services, such as those aimed at servicemembers, remain subject to heightened UDAP/UDAAP risk. Furthermore, state-level UDAP/UDAAP enforcement efforts appear to remain heightened. For example, in April 2025, a bill was introduced in the California legislature which reaffirms the state’s right to enforce federal UDAAP statutes, even against California-licensed banks and credit unions, without needing CFPB coordination. Furthermore, in recent months the California Department of Financial Protection and Innovation and the California Attorney General have both made statements indicating that they intend to ramp up consumer financial protection enforcement efforts in light of the CFPB’s enforcement rollback. These announcements followed a January 2025 CFPB report which contained seven specific recommendations for state policymakers on UDAP/UDAAP-related issues such as junk fees and consumer privacy (this CFPB report was published days before Trump took office). This presentation will provide an overview of the current state of UDAP/UDAAP-related risk and enforcement at both the federal and state level. Because UDAP/UDAAP remains an area of heightened risk, this presentation is not one to miss.
Download Handout Here!
Friday, July 25, 2025
12:00 - 1:30 p.m.
Section 1071 of the Dodd-Frank Act (“Section 1071”) added small business loan data collection requirements to the Equal Credit Opportunity Act (ECOA), as set forth in Section 704B (15 USC 1691c-2). On March 30, 2023, the CFPB issued a final rule amending Regulation B (12 CFR Part 1002) to implement the changes to ECOA made by Section 1071. This rule, known as the Small Business Lending Data Collection Rule (“SBLDC Rule”), was published in the Federal Register on May 31, 2023.
While the SBLDC Rule was finalized back in 2023, the compliance deadlines extended were delayed as a result of preliminary injunctions issued in two notable court cases: Tex. Bankers Ass’n, et al. v. CFPB, et al., 685 F. Supp. 3d 445 (S.D. Tex. 2023) and The Monticello Banking Company et al. v. Consumer Financial Protection Bureau et al., No. 6:23-cv- 00148-KKC (E.D. Ky. filed Sept. 14, 2023). While the SBLDC Rule ultimately survived these legal challenges, it has again come under scrutiny, this time by the CFPB itself (the agency that originally issued the rule). On May 28, 2025, the CFPB filed a motion to stay proceedings in the Monticello case to allow the CFPB time to conduct a new rulemaking under Section 1071 and reconsider the SBLDC Rule.
On June 18, 2025, the CFPB issued an interim final rule officially extending the compliance deadlines for the SBLDC Rule (SBLDC IFR). The interim rule extends the existing compliance deadlines for Tier 1, Tier 2, and Tier 3 lenders by about one year. The SBLDC IFR also clarifies which calendar years institutions may use to measure the amount of covered credit transactions they originated to determine their compliance tiers.
Please join us at the July Monthly Telephone Briefing, where the SBLDC IFR will be discussed.
Download Handout Here!