CFPB Consent Order List 2026: Year-to-Date Roundup

TL;DR. A working catalog of the recurring violation patterns driving Consumer Financial Protection Bureau (CFPB) consent orders in 2026 year-to-date. Ten patterns, with the legal theory and the control to add for each. Junk fees, BNPL, dark patterns, AI-driven consumer interactions, and limited-English-proficiency gaps dominate the docket.

Table of contents

• How to read this list
• The 2026 enforcement themes at a glance
• Pattern 1: Deceptive savings yield claims
• Pattern 2: Junk-fee framing and disclosure
• Pattern 3: BNPL deferred-interest and late-fee practices
• Pattern 4: Autopay cancellation friction
• Pattern 5: Overdraft opt-in interface design
• Pattern 6: Credit reporting accuracy failures
• Pattern 7: Servicing representations that contradict disclosures
• Pattern 8: Partner-merchant and lead-generator copy
• Pattern 9: AI-driven consumer interactions without guardrails
• Pattern 10: Limited English proficiency and translation gaps
• How leading firms track this in real time
• FAQ

How to read this list

Each pattern below is structured as:

• The fact pattern: what the firm did.
• The legal theory: which UDAAP prong, statute, or regulation the Bureau invoked.
• The remedy structure: typical components of the consent order (penalty, redress, attestation, monitoring).
• The control to add: what your firm should do in response.

If you are reading this as a board document, the control to add lines are the action items.

The 2026 enforcement themes at a glance

Five high-level themes summarize the 2026 docket so far:

1. Continued focus on junk fees and deceptive framing, particularly back-end fees not disclosed in proximity to the action that triggers them.
2. Heightened scrutiny of BNPL following the May 2024 interpretive rule bringing pay-in-four products under Regulation Z.
3. Dark-pattern enforcement as an explicit factual predicate to UDAAP findings (see our dark patterns CFPB enforcement catalog).
4. AI-driven consumer interaction guardrails, with consent orders now citing inadequate review of generative AI outputs as a contributing factor.
5. Limited English proficiency (LEP), with bilingual servicing and translation accuracy emerging as a discrete enforcement category.

Pattern 1: Deceptive savings yield claims

The fact pattern. A neobank or savings product markets a high-yield rate as the headline feature. The headline rate applies only to a portion of the balance (a "tiered" structure), only to balances under a cap, or only after qualifying activity (direct deposit, debit card spend). The marketing does not surface these qualifications with substantially equivalent prominence.

The legal theory. Deceptive under 12 U.S.C. § 5531(d). The headline rate is material; a reasonable consumer would understand it as the rate they receive. The qualifying conditions, when disclosed only in fine print, satisfy the deceptive prong. APY disclosure requirements under Regulation DD (Truth in Savings) provide a parallel anchor.

Remedy structure. Civil money penalty plus consumer redress for the differential between the marketed rate and the actual rate paid, typically retroactive to product launch or for two years preceding the order. Attestation requirements for marketing disclosures going forward.

Control to add. Every yield claim in marketing must have a proximate, equally prominent disclosure of qualifying conditions and any caps. Quarterly screenshot audit of all consumer-facing yield representations.

Pattern 2: Junk-fee framing and disclosure

The fact pattern. A consumer finance product (deposit account, loan, BNPL, credit card) charges fees including overdraft, NSF, returned payment, late, paper statement, and expedited disbursement that are not disclosed at the point of the action triggering the fee. The fee appears in the account agreement; the consumer encounters it only after incurring it.

The legal theory. Deceptive (representation about the cost of the product was incomplete in proximity to the decision) or unfair (substantial injury that the consumer could not reasonably avoid given the disclosure design). The CFPB's continued junk-fee initiative provides the policy backdrop.

Remedy structure. Civil money penalty plus restitution for fees collected during the violation period. Often paired with mandatory disclosure redesign and a periodic third-party audit of fee practices.

Control to add. Fee-disclosure proximity test. Every fee category must be surfaced at the action that triggers it, not just in the account agreement. See item 4 of our UDAAP compliance checklist.

Pattern 3: BNPL deferred-interest and late-fee practices

The fact pattern. A BNPL provider markets a pay-in-four or installment product as "interest-free" or "no hidden fees." The product, in practice, applies retroactive interest if the promotional period is missed, or generates substantial revenue from late fees that are not disclosed at checkout. Following the May 2024 interpretive rule, Regulation Z billing-error rights apply but were not honored in practice.

The legal theory. Deceptive (the "interest-free" or "no fees" claim contradicts product reality) and, in some cases, unfair (substantial injury via retroactive interest the consumer could not reasonably anticipate). Regulation Z disclosure requirements provide a separate violation theory.

Remedy structure. Penalty plus restitution of retroactive interest and late fees collected during the violation period. Mandatory product redesign, including checkout disclosure parity and billing-error process implementation.

Control to add. Specific BNPL UDAAP controls. See our UDAAP examples for BNPL for the seven scenario-specific controls.

Pattern 4: Autopay cancellation friction

The fact pattern. A subscription-style fintech enrolls consumers in autopay or recurring billing in one click at sign-up. Cancellation requires multiple steps: navigation through settings, sub-menus, customer service chat, or phone call. Consumer cancellation requests are sometimes routed through a retention flow that delays effective cancellation.

The legal theory. Unfair under CFPB Circular 2023-01 on negative-option marketing. Substantial injury (additional debits) that the consumer could not reasonably avoid given the friction. Sometimes paired with abusive findings where the design materially interferes with the consumer's ability to exercise cancellation rights.

Remedy structure. Penalty plus restitution of charges collected after consumers attempted to cancel. Mandatory parity in enrollment and cancellation flows. Documentation of cancellation completion timelines.

Control to add. Symmetry audit of every enroll-vs-cancel flow with screenshots. If enroll is one click, cancel must be one click.

Pattern 5: Overdraft opt-in interface design

The fact pattern. A bank or neobank's overdraft opt-in flow uses visual hierarchy to emphasize the opt-in path. The opt-in is a high-contrast styled button with a "recommended" label; the opt-out is a low-contrast text link. Fee disclosures appear in low-contrast small type. The Regulation E opt-in standard requires affirmative consent.

The legal theory. Deceptive (visual hierarchy implies opt-in is the default or recommended path) and Regulation E violation (affirmative consent not validly obtained). Sometimes paired with dark-pattern reasoning under the abusive prong.

Remedy structure. Penalty plus restitution of overdraft fees collected without valid opt-in. Mandatory redesign with disclosure prominence, neutral styling, and re-consent for affected consumers.

Control to add. Neutral visual styling test for every Regulation E and Regulation DD consent flow. See our dark patterns CFPB enforcement catalog on interface interference.

Pattern 6: Credit reporting accuracy failures

The fact pattern. A furnisher reports inaccurate account information to consumer reporting agencies, including incorrect balances, dispute statuses that do not reflect the actual dispute outcome, and accounts that should have been removed but were not. Dispute investigations under the Fair Credit Reporting Act (FCRA) § 623 are conducted without reasonable investigation procedures.

The legal theory. FCRA violations under § 623(a) (accuracy) and § 623(b) (investigation duties). Often paired with UDAAP findings where the inaccurate reporting caused consumer harm.

Remedy structure. Civil money penalty plus consumer redress for furnishing-related harms. Mandatory furnishing-process redesign and periodic accuracy audits.

Control to add. Furnishing accuracy controls, including a documented dispute investigation procedure with timeline tracking and a sample-based quality review.

Pattern 7: Servicing representations that contradict disclosures

The fact pattern. A customer service representative makes a material representation that contradicts the firm's formal disclosure: that a fee will be waived when policy is to charge it, that a dispute will be resolved by a deadline that is not the actual deadline, that a product feature behaves differently than the terms state.

The legal theory. Deceptive under § 5531(d). Representations made in service interactions are material; consumers reasonably rely on them. The CFPB has framed inadequate QA programs as a contributing factor.

Remedy structure. Penalty plus restitution of charges or losses tied to the misrepresentations. Mandatory script revision, expanded QA sampling, and corrective-action workflows for off-script representations.

Control to add. Documented QA program with sampling rates, transcript review, and reconciliation between service representations and formal disclosures. For phone channels, see our TCPA call recording disclosure script guide.

Pattern 8: Partner-merchant and lead-generator copy

The fact pattern. A lender or BNPL provider works with merchants, affiliates, or lead generators. The partner's promotional copy misrepresents the lender's product: claims "interest-free" for a product that accrues interest, claims "instant approval" for a product with a 24-hour decisioning window, or uses a brand name without permission.

The legal theory. The covered person is responsible for material representations made by service providers or partners under § 5536 and the CFPB's service provider guidance. Deceptive prong applied to the underlying claims.

Remedy structure. Penalty plus restitution. Mandatory third-party oversight program, including contractual UDAAP representations, periodic creative sampling, and remediation rights.

Control to add. Vendor UDAAP attestation file with contractual reps, an approved-creative library, periodic sampling, and an off-boarding workflow. Item 8 of our UDAAP compliance checklist.

Pattern 9: AI-driven consumer interactions without guardrails

The fact pattern. A firm deploys a generative AI chatbot, AI-assisted email reply, or AI-generated marketing copy. The model produces representations that are inaccurate or misleading: invented product features, incorrect fee information, contradictory disclosure language. The firm has no documented review process for AI outputs.

The legal theory. Deceptive prong applied to AI-generated representations, which are attributable to the firm. The CFPB has been explicit that automation does not shift responsibility. Inadequate model governance becomes a contributing factor.

Remedy structure. Penalty plus restitution for harms tied to AI-generated misrepresentations. Mandatory AI governance program, including pre-deployment testing, output review, and ongoing monitoring.

Control to add. AI governance program with documented testing, output sampling, and a real-time review process. See our AI compliance software for financial services guide for the operational specifics.

Pattern 10: Limited English proficiency and translation gaps

The fact pattern. A firm markets in Spanish (or other non-English language) but provides servicing, disclosures, or dispute processes only in English. Translations of key disclosures are partial, inaccurate, or inconsistent with the English version. Bilingual consumers receive different effective product terms based on language channel.

The legal theory. Deceptive (different representations in different languages), unfair (LEP consumers cannot reasonably avoid the harm), and Equal Credit Opportunity Act (ECOA) concerns where language is a proxy for protected characteristic. The CFPB's January 2021 LEP statement remains operative guidance.

Remedy structure. Penalty plus restitution. Mandatory translation accuracy program, bilingual servicing capacity, and disclosure parity across languages.

Control to add. Language parity audit. For every consumer-facing surface marketed in a non-English language, verify the disclosure, servicing, and dispute process is equivalent. Document translation review with a qualified translator's sign-off.

How leading firms track this in real time

The firms that come out of these enforcement waves cleanest do not read consent orders quarterly. They ingest them as they drop. The operational pattern is straightforward. A consent order publishes. The compliance team reads the violation theory, maps it to the firm's own surfaces (which marketing claim does this look like, which checkout flow, which servicing script), updates the policy library if needed, and re-reviews the existing content estate against the new pattern.

For Sedric customers, that workflow runs through the agentic compliance layer. The policy library is updated, the agent re-reviews the last 12 months retrospectively against the new pattern, and any flagged content surfaces for human review. The work that previously took a compliance team three weeks to do across the content estate becomes an overnight job.

FAQ

Where can I find the official CFPB consent order list?

The CFPB maintains an enforcement actions page at consumerfinance.gov/enforcement. The page is searchable by date, defendant, and product. The Bureau also publishes Supervisory Highlights, which describe anonymized exam findings: these are operationally more useful than the consent orders themselves.

How often does the CFPB issue consent orders?

The cadence varies. Historically, the Bureau issues 30 to 60 public actions per year, with a heavier concentration in the second half of the calendar year. Supervisory Highlights are published two to three times per year.

Can I cite a consent order in board materials?

Yes, with care. Cite the specific docket number and the violation pattern, not a generic summary. If you cite a pattern without a specific docket, frame it as "a recurring fact pattern" rather than attributing it to a named firm.

What is the difference between a consent order and a stipulated judgment?

A consent order is the negotiated resolution document that captures the violations, remedies, and consumer relief. A stipulated judgment is the court order that adopts the consent order in litigated matters. Functionally, the underlying violation analysis is the same.

How long do consent orders typically last?

Most CFPB consent orders include a five-year monitoring period, with annual or semi-annual reporting requirements. Some are longer for severe or repeat violations.

Do supervisory highlights have the same weight as consent orders?

Operationally, yes. Supervisory highlights are the Bureau's articulation of what it views as violative practices, even though no specific firm is named. Examiners apply the same standards in your firm's exam.

Should we mirror remediation actions even if we are not the firm named?

Often yes. The CFPB has been explicit that it expects firms to read consent orders against other firms and self-correct. "Wait to be sued" is not a defensible compliance posture.

See Sedric in action

Sedric is the AI compliance platform for regulated marketing and communications. Every flag is mapped to the specific rulebook provision, every override is logged with reasoning, and the audit trail is the format regulators expect on first request. Book a 30-minute demo and we will walk through your specific compliance footprint.