Deregulatory Bluster at CFPB
I didn’t expect to write another post so soon on the deregulatory shenanigans of the Trump Administration and the implications for compliance officers, but already we have an example too perfect to ignore: the Consumer Financial Protection Bureau, and the deep freeze that agency entered this weekend.
Vought
In case you missed it, on Saturday night the Trump Administration announced that Russell Vought, a long-time deregulatory zealot and one of the braintrust behind Project 2025, will be new acting director for the CFPB. Vought, who also has a day job as director of the Office of Management and Budget (essentially, the executive branch’s CFO), then announced that CFPB employees were to cease all rulemaking, supervisory examinations, investigation, settlement talks, and other activity immediately.
Vought next said that CFPB headquarters will be closed all this coming week, and all employees are to work remotely unless told otherwise. Meanwhile, Elon Musk and his DOGE crew arrived at CFPB offices last week to muck around in the company’s IT systems, peering at… well, we don’t even know what information they were peering at, because nobody will say; but one can easily imagine the troves of confidential corporate and personal data now at their fingertips. (We should remember that Musk wants to launch an online payments system through Twitter, and he’ll now have access to the confidential data of potential competitors.)
Then, to top off all that CFPB confusion conjured up this weekend, somebody redesigned the CFPB website to make it seem like the site had gone off-line. (See nifty photo, below.) I won’t even guess what insipid stuff Musk has said about the agency on Twitter, although I expect it’s baloney since so much else on that site already is.
So how much does all that chaos actually change the compliance obligations that firms face, and the precautions a wise company should take? Not as much as you’d think.
What Really Happened Here
As compliance officers sift through this chaos, let’s remember a few facts.
First, the CFPB website has not gone off-line. The Trump Administration simply changed up the homepage with a giant ‘404: page not found’ graphic; but as of 7 p.m. ET Sunday evening, the entire website was still active and working just fine. (The attached image isn’t even what a 404 error actually looks like.) Perhaps that will change in the future and the site will be reduced somehow; but at the moment, the cutesy 404 image is just right-wing virtue signaling, where the Administration hopes people won’t notice what’s behind the curtain.
Second, Vought has told all employees to stop doing any substantive regulatory oversight: no new work on investigations, rulemaking, examinations, settlement talks, industry guidance, or anything else. Nor are employees allowed to make any external communications. The office is closed for the coming week.
Third, that does not mean your CFPB compliance risks have gone away. Vought can suspend the agency’s activities, so perhaps your risk of enforcement is now lower — but a violation of CFPB rules or the Consumer Financial Protection Act is still a violation, regardless of whether Vought decides to turn a blind eye to it.
Fourth, your CFPB compliance obligations will continue to exist until the agency actually rescinds its rules. That process takes time, and can be challenged in court. True, the CFPB won’t adopt any new rules, so your compliance obligations won’t increase; but they won’t decrease either. Just because Vought declares, “We’re not doing enforcement any more,” that doesn’t mean your duty to obey the law goes away. It only means your risks of enforcement are lower.
Fifth, state attorneys general still have their own power to enforce the law here. Section 1042 of the Consumer Financial Protection Act (which established the CFPB) empowers state attorneys general to bring their own civil enforcement actions for violations of the law. So if your firm engages in some practice that violates the CFPA, a state attorney general can pursue enforcement of that violation regardless of what the CFPB may or may not do. States also have their own consumer protection laws that could expose a bank to liability.
Sixth, neither Section 1042 nor any other portion of the law can be changed by Vought, Musk, or any other individual in the Trump Administration. Only Congress can do that.
In other words, all the CFPB compliance obligations you had last week still exist today, and they will continue to exist in the future. Perhaps the risk of enforcement is lower, because Vought has suspended all enforcement actions and likely won’t launch any new ones — but the performative theatrics of slapping a 404 image on the website or sending employees home for a week won’t change the duties that the law and CFPB rules impose upon companies. You’re still supposed to obey the law.
Sure, some financial firms will now make a cynical bet that they can ignore CFPB compliance because Vought (and any subsequent director in the Trump 2.0 era) will never bother to enforce that law. Maybe that bet will pay off for some.
For many other firms, however, you’ll be playing with fire. A decision to let your compliance capabilities wither, based on the promises of Vought and Musk, could prove painfully stupid if that leads to other financial, litigation, or compliance risks that punch at you from other directions.
More than anything else, however, this weekend’s nonsense reminds us of what the Trump Administration is so much about: declaring victory and sweeping change, even though not much actually has changed when you take a close look.
President Trump has always been a con artist. Today is no different. Plan accordingly.