The federal footprint has narrowed. The enforcement surface has not. Institutions that repriced consumer products in 2024 and 2025 without refreshing their Unfair, Deceptive, and Abusive Acts or Practices (UDAAP) audit coverage will be the ones whose next examination will find the gap
Executive Summary
The narrative in most 2026 board packets is that federal consumer protection enforcement has receded. The narrative is half right. The Consumer Financial Protection Bureau (CFPB) has visibly stepped back, closing investigations, terminating consent orders, and withdrawing guidance, but the legal standard has not shifted, and the enforcement landscape has widened rather than narrowed. State attorneys general, state financial regulators, and private plaintiffs armed with state UDAP (Unfair and Deceptive Acts and Practices) statutes are pursuing exactly the fee practices the Bureau built its 2024 agenda around. For Chief Operating Officers and Chief Compliance Officers at community and regional financial institutions that adjusted overdraft, NSF, servicing, or ancillary fee structures during the last eighteen months, the practical question is no longer whether federal supervision will find the change. It is whether the last internal audit report contains tested evidence that the new fee architecture is not unfair, deceptive, or abusive.
Key Takeaways
• The federal pullback is real but narrow.The CFPB closed roughly 40 percent of its pending investigations in 2025 and rescinded 67 guidance documents. However, the Bureau’s UDAAP statutory authority under Sections 1031 and 1036 of Dodd-Frank remains in force, and the OCC and FDIC continue to examine for UDAP and UDAAP under Section 5 of the FTC Act. [1][2][3]
• States are filling the vacuum in the record. The CFPB’s January 2025 report to state policymakers effectively wrote the playbook, and state attorneys general have publicly committed to executing it, with 2025 marking the most active year on record for state-level consumer finance enforcement. [5][6]
• Fee practices are the pressure point.New Jersey’s June 2026 “junk fees” Enforcement Statement, New York’s FAIR Act, and multistate scrutiny of overdraft, NSF, and pay-to-pay charges all converge on the same activity that institutions repriced in 2024 and 2025. [7][8]
• Private plaintiffs are now inside the door.State UDAP statutes and pending legislation permit statutory and treble damages, as well as attorneys’ fees, with class-action leverage that no federal retreat can diminish. [7]
• The audit report now serves as the rebuttal document.If UDAAP coverage was not refreshed after the fee changes, the last internal audit report cannot be offered as tested evidence, and examiners and plaintiffs will treat that silence as a finding. [9][10]
The Federal Retreat That Wasn’t
The CFPB’s 2025 Enforcement Lookback, published in the final weeks of the reporting year, offers the clearest account of what changed at the Bureau. The agency closed about 40 percent of pending investigations, terminated or modified 22 consent orders, and reoriented its remaining docket toward “identifiable victims with material and measurable damages,” servicemembers, and actual fraud [1]. In May 2025, the Bureau also rescinded 67 guidance documents, arguing that policy through guidance had become an unfair regulatory burden [2]. The financial trade press read this as deregulation.
The statute read differently.
Sections 1031 and 1036 of the Consumer Financial Protection Act, which contain the UDAAP prohibition itself, were not repealed. Section 5 of the FTC Act, which the OCC and FDIC enforce against the banks and thrifts they supervise, was not repealed either. The OCC’s Comptroller’s Handbook on UDAP and UDAAP, updated to Version 1.1 in December 2024 and still in force, remains the operating document examiners use to evaluate a bank’s compliance management system, marketing, disclosures, loan servicing, and fee practices [3]. The FDIC’s Consumer Compliance Examination Manual continues to instruct examiners to identify risks of consumer harm that are “particular to” the products under review, with fees explicitly named [4]. For credit unions, the NCUA’s Federal Consumer Financial Protection Guide likewise continues to direct examiners and institutions to assess and address UDAAP risk as part of a sound compliance management system. What changed at the Bureau did not change at the prudential regulators, and the statutory prohibition remains on the books untouched.
Where the Enforcement Migrated
The more consequential shift unfolded outside Washington. In its final weeks under Director Chopra, the CFPB published Strengthening State-Level Consumer Protections, a thirty-three-page report recommending that states add an “abusive” prong to their UDAP statutes, expand private rights of action, and legislate specifically against junk fees and opaque pricing [5]. It was, by design, a handoff document.
The states accepted it. At the National Association of Attorneys General Fall 2025 Consumer Protection Conference, attorneys general from both parties described their role as filling the federal enforcement gap and forecast “more and more state AG enforcement and multistate cooperation” as the CFPB, DOJ, and FTC step away [6]. New York’s proposed FAIR Business Practices Act would import a CFPB-style “unfair, deceptive, or abusive” standard into General Business Law §349, raise statutory damages from $50 to $1,000 per violation, authorize treble damages and attorneys’ fees, and, critically, extend private rights of action to consumers, small businesses, and nonprofits [7]. In June 2026, New Jersey’s Attorney General issued an Enforcement Statement, paired with Governor Sherrill’s Executive Order No. 19, directing state agencies to identify and prosecute “junk fees” across regulated industries, including consumer financial services, under the New Jersey Consumer Fraud Act [8]. Neither action requires new legislation to take effect. Both reinterpret existing law in ways that directly address the fee changes many institutions made in the last two years.
The Fee Structure Trap
Between 2024 and mid-2025, a large share of community and regional institutions repriced consumer products. Some did so in response to the Bureau’s then-active junk-fee agenda, adjusting overdraft matrices, eliminating NSF fees on represented items, or restructuring pay-to-pay and convenience fees. Others made the opposite move after the federal posture shifted, reintroducing or expanding fee revenue as the Bureau’s priorities pulled back. In both directions, the change was material, and in many cases the internal audit universe was not adjusted accordingly.
That is the trap. UDAAP is a principles-based standard, not a checklist, and its risk profile evolves with the product. When the fee, the disclosure, the customer-facing script, and the servicing workflow all changed in the same quarter, the prior year’s UDAAP audit, completed against the prior product, no longer speaks to the current control environment. A state examiner or a plaintiffs’ firm asking whether the new fee is reasonably avoidable, whether the disclosure is clearly and prominently placed, and whether the customer’s consent was informed will not accept an audit report scoped to a product that no longer exists.
What the Audit Report Cannot Say
The Institute of Internal Auditors’ Global Internal Audit Standards, effective January 9, 2025, require that the audit plan be based on a documented assessment of the organization’s strategies, objectives, and risks, and that engagements produce evidence sufficient to support independent re-performance [9]. The CFPB’s UDAAP examination procedures instruct examiners to review products that “combine features and terms in a manner that can increase the difficulty of consumer understanding of the overall costs or risks,” which is the exact profile of a repriced fee schedule [10].
If the last internal audit did not test the current fee against the current disclosure using the current customer journey, the report cannot serve as a rebuttal. Its silence on the redesign is now the finding. That is the exposure COOs and CCOs need to see clearly: not that the institution did something wrong, but that the record does not yet demonstrate it did something right.
Four Things to Do Before Year-End
A refreshed UDAAP posture does not require a new program. It requires four disciplined moves.
- Reopen the UDAAP risk assessment for the current product set. Every fee changed in 2024 or 2025 is a new inherent risk data point. Reassess, document, and route the refreshed assessment through the same governance channel that approved the original.
- Rescope the next UDAAP audit to the redesigned products.Expand the UDAAP audit beyond a governance framework review to include detailed control testing. Test the current disclosure against the current fee, the current script against the current consent, and the current complaint intake against the current escalation path. Retain workpapers that would satisfy an examiner or a plaintiff’s expert.
- Map state exposure explicitly.Identify the states where the institution does business, the UDAP statutes and pending bills in each state, and the mechanics of private rights of action. Treat this as a multistate compliance question, not a federal one.
- Brief the board in plain English.The board’s protection is not a summary of federal retrenchment. It is a management representation that the institution knows what it changed, has tested the change, and can provide the evidence.
The institutions that come through the next two examination cycles cleanly will be those whose internal audit report, on the day the state examiner or the plaintiff’s demand letter arrives, already addresses the current product. The federal footprint may have narrowed. The obligation to prove UDAAP compliance with tested evidence has not.
Celeste Burton is Compliance Practice Director and Marketing Manager at AuditOne, with more than 30 years of experience in banking, internal audit, and regulatory compliance. A Certified Internal Auditor and graduate of the ABA National Compliance School, she has held senior management positions in Internal Audit and Compliance at Bank of America, Countrywide, and American Express, covering domestic and international Lending, Deposits, Treasury Management, Operations, Accounting, IT, Compliance, and Secondary Marketing for major financial institutions. Her expertise spans the exact control functions, fee structures, disclosures, servicing workflows, and consumer compliance frameworks, that state regulators and private plaintiffs are now testing under UDAAP and state UDAP statutes. She holds a dual major B.A. in Accounting and Finance from the University of California, Berkeley.
References
[1] Consumer Financial Protection Bureau. 2025 Enforcement Lookback. Last modified May 28, 2026. https://www.consumerfinance.gov/enforcement/2025-enforcement-lookback/ [consumerfinance.gov]
[2] Ballard Spahr LLP. “CFPB rescinds 67 guidance documents.” JD Supra, May 19, 2025. https://www.jdsupra.com/topics/udaap/regulatory-reform/executive-orders/ [jdsupra.com]
[3] Office of the Comptroller of the Currency. Comptroller’s Handbook: Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices, Version 1.1. December 2024. https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/unfair-deceptive-act/index-udaap.html [occ.gov]
[4] Federal Deposit Insurance Corporation. “Unfair, Deceptive, or Abusive Acts or Practices.” Banker Resource Center, updated February 17, 2026. https://www.fdic.gov/consumer-compliance/unfair-deceptive-or-abusive-acts-or-practices [fdic.gov]
[5] Consumer Financial Protection Bureau. Strengthening State-Level Consumer Protections: Promoting Consumer Protection Federalism. January 14, 2025. https://www.consumerfinance.gov/data-research/research-reports/strengthening-state-level-consumer-protections/ [consumerfinance.gov]
[6] Singer, Paul L., Abigail Stempson, Beth Bolen Chun, and Andrea deLorimier. “State AGs and ‘Junk’ Fees: NAAG Consumer Protection Conference Fall 2025.” Kelley Drye & Warren LLP, October 29, 2025. https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/state-ags-and-junk-fees-naag-consumer-protection-conference-fall-2025 [kelleydrye.com]
[7] Pompan, Jonathan L., and Leonard L. Gordon. “New York’s Consumer Protection Overhaul: A Lawsuit Magnet for Banks, Fintechs, and Other Financial Services Providers.” Venable LLP, March 25, 2025. https://www.venable.com/insights/publications/2025/03/new-yorks-consumer-protection-overhaul-a-lawsuit [venable.com]
[8] Kaplinsky, Alan, and Adam Maarec. “New Jersey Attorney General Issues Sweeping Enforcement Statement Targeting ‘Junk Fees.'” Ballard Spahr LLP, June 23, 2026. https://www.jdsupra.com/legalnews/new-jersey-attorney-general-issues-3160739/ [jdsupra.com]
[9] The Institute of Internal Auditors. Global Internal Audit Standardsâ„¢ (The Redbookâ„¢), effective January 9, 2025. https://www.theiia.org/en/standards/what-are-the-standards/recommended-guidance/ [theiia.org]
[10] Consumer Financial Protection Bureau. Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) Examination Procedures. Published October 1, 2012; last modified September 25, 2023. https://www.consumerfinance.gov/compliance/supervision-examinations/unfair-deceptive-or-abusive-acts-or-practices-udaaps-examination-procedures/ [consumerfinance.gov]