Dark Patterns and CFPB Enforcement: A Compliance Officer's Field Guide

Sedric Team
Communications

TL;DR. The Consumer Financial Protection Bureau has spent the last three years building a coherent enforcement theory around "dark patterns," design choices that mislead, pressure, or trap consumers. This piece catalogs the typology examiners now apply, the UDAAP prongs each pattern maps to, and the specific controls compliance teams should add to product reviews.

Intro

Five years ago, "dark patterns" was a usability research term. Today it is a regulatory category with consent orders, supervisory highlights, and circular guidance behind it. If you are a Chief Compliance Officer at a fintech, you cannot answer a CFPB exam question with "we test for dark patterns." Examiners will ask which ones, against what taxonomy, with what evidence, on what cadence.

This piece is a working reference. It is not academic. It catalogs the seven dark-pattern categories that have driven CFPB enforcement framing, maps each one to the UDAAP prong examiners typically apply, and gives you the test questions to add to your product and marketing reviews. By the end, you should have something concrete to hand to your design and product teams.

What "dark patterns" actually means in CFPB usage

The CFPB does not have a single statutory definition of "dark patterns." Instead, the Bureau uses the term across guidance documents to describe interface design choices that subvert consumer autonomy, either by deceiving the consumer, pressuring them into actions against their interest, or making it materially harder to exercise rights they have.

The most useful working definition for compliance teams is from the Federal Trade Commission's September 2022 staff report, which the CFPB has cited approvingly: a dark pattern is a "design practice that tricks or manipulates users into making choices they would not otherwise have made and that may cause harm."

In CFPB enforcement, dark patterns are not a free-standing violation. They are evidence supporting a UDAAP (unfair, deceptive, or abusive) finding under Sections 1031 and 1036 of the Dodd-Frank Act.

The CFPB's evolving stance, 2022 to 2026

A condensed timeline of how the Bureau has built the doctrine:

  • 2022: CFPB market reports and supervisory highlights begin flagging "negative option" enrollment patterns and friction asymmetry in cancellation flows.
  • January 2023: CFPB Circular 2023-01 on negative-option marketing, which sets out the test that cancellation must be at least as easy as enrollment. This is the first piece of formal Bureau guidance that uses dark-pattern reasoning.
  • 2023 to 2024: Supervisory highlights flag autopay enrollment, savings account "upgrade" prompts, and overdraft opt-in flows where friction was used to drive consumer behavior.
  • 2024: The CFPB's interpretive rule on Buy Now, Pay Later (BNPL) brings checkout dark patterns into Regulation Z's billing-error scope. See our UDAAP examples for BNPL for the specific BNPL scenarios.
  • 2025: Consent orders begin explicitly citing dark-pattern design as evidence of unfairness or abusiveness, not merely as a contextual factor.
  • 2026: Exam priorities include dark patterns in AI-driven consumer interfaces, push-notification engagement, and partner-channel UX.

The seven-category dark-pattern typology

This is the working typology compliance teams should test against. It draws from the FTC staff report, academic literature (Brignull, Mathur et al.), and the patterns specifically cited in CFPB enforcement.

1. Sneaking

Adding items, fees, or commitments to the consumer's decision without clear disclosure. The classic version is a fee added at the last screen of checkout. The fintech version includes a "tip" pre-filled on a transaction screen, a subscription added to an account opening, or a paid feature pre-enabled in a sign-up flow.

Test question: Does the consumer's final commitment differ from what was disclosed at the decision point?

2. Forced action

Requiring the consumer to do something they did not intend to do in order to complete a desired action. Examples: requiring an account to make a one-time purchase, mandatory autopay enrollment to receive a promotional rate, mandatory data sharing to access a free service.

Test question: Is the additional action necessary to deliver the product, or is it being bundled for revenue or engagement reasons?

3. Obstruction (also known as "roach motel")

Making it hard to perform actions in the consumer's interest. The canonical example is cancellation friction: one-click enrollment, multi-step cancellation. Also includes account closure friction, dispute filing friction, statement-export friction, and opting out of marketing.

Test question: Is the friction to exit, dispute, or opt out symmetric with the friction to enter, accept, or opt in?

4. Interface interference

Visual or structural choices that bias the consumer's decision. Examples: pre-checked boxes, "recommended" plans that are not the lowest cost, confirmation buttons styled to emphasize the choice the firm prefers, fee disclosures rendered in low-contrast or 8-point font.

Test question: If both options were styled identically and the disclosure was in normal-weight 14-point text, would the choice rate change materially?

5. Forced continuity

A subset of negative-option marketing. Free trials that auto-convert to paid without affirmative reconsent, premium upgrades that auto-renew with no cancellation reminder, promotional rates that revert without notice.

Test question: Does the consumer affirmatively consent to the new term, price, or product configuration before the change takes effect?

6. Confirmshaming

Language in opt-out paths designed to make the consumer feel bad about declining. "No thanks, I prefer to pay more in fees." "I'd rather miss out on savings." Most common in upsell flows, declined-feature paths, and unsubscribe confirmations.

Test question: Would the opt-out language be acceptable if read aloud in a regulator's presence?

7. False urgency and false social proof

Time pressure that does not reflect reality ("Only 2 hours left!" with a countdown that resets), scarcity claims ("Only 3 spots left!") that are not factual, social proof ("23 people just signed up!") that is fabricated or non-current.

Test question: Is the urgency or social proof factually accurate at the moment the consumer sees it, and verifiable?

How each pattern maps to UDAAP

Pattern | Most relevant UDAAP prong | Why
--- | --- | ---
Sneaking | Deceptive | Material omission or misrepresentation at the decision point.
Forced action | Abusive | Takes unreasonable advantage of the consumer's desire to complete the primary transaction.
Obstruction | Unfair or Abusive | Substantial injury (fees, debt, unintended retention) that the consumer cannot reasonably avoid; or material interference with the exercise of rights.
Interface interference | Deceptive | A reasonable consumer would not interpret the visual hierarchy as neutral.
Forced continuity | Unfair | Substantial injury via continued charges that the consumer did not reaffirm.
Confirmshaming | Deceptive or Abusive | Manipulates the consumer's decision through emotional pressure inconsistent with the underlying product reality.
False urgency / social proof | Deceptive | Material misrepresentation about market conditions.

For deeper coverage of the underlying UDAAP framework and a 12-item controls checklist, see our UDAAP compliance checklist.

Three recent enforcement framings

These are descriptions of recurring fact patterns drawn from CFPB consent orders and supervisory highlights, presented generically rather than naming specific firms. For specifics, see our CFPB consent order list for 2026.

Framing 1: Autopay obstruction. A subscription fintech enrolled consumers in autopay at sign-up with a single click. Cancellation required navigating to a settings menu, opening a sub-menu, clicking a "manage" link, and waiting for a customer service chat. The CFPB analyzed this as unfair, applying the reasoning of Circular 2023-01: substantial injury (additional debits) that the consumer could not reasonably avoid given the friction.

Framing 2: Overdraft opt-in interface interference. A neobank's overdraft opt-in flow placed the opt-in button in high-contrast blue with a "Recommended" badge, while the opt-out option was a low-contrast text link below the fold. Disclosures about the $35 overdraft fee appeared in 9-point gray text. The CFPB framed this as deceptive: visual hierarchy implied the opt-in was the default or recommended path, contrary to Regulation E's affirmative-consent requirement.

Framing 3: Junk-fee sneaking. A lender's loan application flow disclosed an origination fee on screen three of a five-screen flow but added a "processing fee" and "expedited disbursement fee" on the final confirmation screen, after the consumer had already invested 12 minutes in the application. The Bureau framed this as deceptive sneaking: the final commitment materially differed from the cost disclosed at the decision point.

A dark-pattern audit framework

Add the following to your quarterly product compliance review:

  1. Inventory every consumer decision surface. Sign-up, checkout, settings, cancellation, dispute, opt-out, upgrade, downgrade. You need a list. Most firms underestimate this by 3 to 5 times.
  2. Test each surface against the seven categories. Use the test questions above as a worksheet. Have product, design, and compliance complete it independently and reconcile differences.
  3. Capture screenshots. Examiners want to see the artifact, not your description of it.
  4. Run a symmetry analysis on enroll-vs-cancel for every product configuration. This is the single highest-yield exercise.
  5. Document overrides. If a business team accepts a flagged design with mitigating reasons, log the reasoning. Item 11 of our UDAAP compliance checklist covers this in detail.
  6. Tie findings to product roadmap. A dark-pattern finding that does not produce a remediation ticket is not a control; it is a paper trail.
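Two of the worksheet questions above can be made mechanical rather than left to reviewer judgment: the symmetry analysis in step 4 (is the exit path harder than the entry path?) and the interface-interference question in category 4 (would the choice survive identical styling and a disclosure rendered like body text?). The block below is an added example written for this article, not Sedric product code or anything the CFPB publishes. The flow and screen data model, the decision to flag each asymmetry separately, and the sample inputs (modelled on Framings 1 and 2, constructed here) are assumptions; the contrast computation is the WCAG 2.x relative-luminance formula and the 4.5:1 threshold is WCAG AA for normal text, borrowed as an objective yardstick for "low-contrast".

```python
"""Dark-pattern audit helpers (added example; hypothetical tooling, not a Sedric API).

  * symmetry_findings: friction symmetry between an enroll flow and its cancel
    flow, the step 4 exercise behind Circular 2023-01's cancellation expectation.
  * interference_findings: contrast, size and styling checks behind the
    interface-interference test question. Contrast uses the WCAG 2.x formula.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    steps: int                      # screens or clicks the consumer must complete
    channels: Tuple[str, ...]       # where the flow can be completed, e.g. ("app", "web")
    requires_human: bool = False    # a chat, phone or agent gate sits in the path


@dataclass(frozen=True)
class TextStyle:
    fg: str          # hex colour of the text
    bg: str          # hex colour behind it
    size_pt: float


def symmetry_findings(product: str, enroll: Flow, cancel: Flow) -> List[str]:
    """Flag every way the exit path is harder than the entry path."""
    findings = []
    if cancel.steps > enroll.steps:
        findings.append(f"{product}: cancel takes {cancel.steps} steps vs {enroll.steps} to enroll")
    if cancel.requires_human and not enroll.requires_human:
        findings.append(f"{product}: cancel requires a human gate, enrollment does not")
    missing = set(enroll.channels) - set(cancel.channels)
    if missing:
        findings.append(f"{product}: cancel unavailable in enrollment channel(s) {sorted(missing)}")
    return findings


def _linear(channel: int) -> float:
    """sRGB 8-bit channel value to linear light (WCAG 2.x definition)."""
    c = channel / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color: str) -> float:
    h = hex_color.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg: str, bg: str) -> float:
    """WCAG contrast ratio: 1.0 for identical colours, 21.0 for black on white."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def interference_findings(screen: str, body: TextStyle, disclosure: TextStyle,
                          option_styles: Dict[str, str]) -> List[str]:
    """One finding per deviation from 'options styled identically, disclosure like body text'."""
    findings = []
    ratio = contrast_ratio(disclosure.fg, disclosure.bg)
    if ratio < 4.5:  # WCAG AA minimum for normal text, used as the 'low-contrast' yardstick
        findings.append(f"{screen}: disclosure contrast {ratio:.2f}:1 is below 4.5:1")
    if disclosure.size_pt < body.size_pt:
        findings.append(f"{screen}: disclosure is {disclosure.size_pt}pt, body text is {body.size_pt}pt")
    if len(set(option_styles.values())) > 1:
        findings.append(f"{screen}: options are styled unequally: {option_styles}")
    return findings


# Constructed sample inputs modelled on Framings 1 and 2 above (not real exam artefacts).
AUTOPAY_ENROLL = Flow("autopay enroll", steps=1, channels=("app", "web"))
AUTOPAY_CANCEL = Flow("autopay cancel", steps=4, channels=("chat",), requires_human=True)
OVERDRAFT_BODY = TextStyle(fg="#222222", bg="#ffffff", size_pt=14)
OVERDRAFT_DISCLOSURE = TextStyle(fg="#999999", bg="#ffffff", size_pt=9)
OVERDRAFT_OPTIONS = {"Opt in (Recommended)": "primary_button", "No thanks": "text_link"}


def run_audit() -> Dict[str, List[str]]:
    """Worksheet output keyed by typology category, ready to attach to the review record."""
    return {
        "obstruction": symmetry_findings("autopay", AUTOPAY_ENROLL, AUTOPAY_CANCEL),
        "interface_interference": interference_findings(
            "overdraft opt-in", OVERDRAFT_BODY, OVERDRAFT_DISCLOSURE, OVERDRAFT_OPTIONS),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(category)
        for item in items or ["no findings"]:
            print("  -", item)
```

Each finding names the screen and the measured value, so the screenshot captured in step 3 and the override logged in step 5 can reference the same line. The check is deliberately strict in one direction: it never rewards an enroll flow for being hard, only flags a cancel flow for being harder.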

How Sedric helps detect dark patterns at scale

The hardest part of running a dark-pattern audit at scale is not knowing what to look for. It is reviewing every surface, every variant, every A/B test, every partner-distributed screen, against the seven-category typology and the underlying UDAAP framework. At the volume a modern fintech operates, that work cannot live entirely with humans.

Sedric's policy library encodes the seven categories, the test questions, the CFPB enforcement framings, and the firm's own internal dark-pattern rules. The agent reviews consumer-facing surfaces (marketing creative, checkout flows captured as screenshots, partner copy, push notifications, in-app messaging) and flags candidates against each category. Human reviewers focus on the judgment calls and the borderline cases. Every override is logged with reasoning, so the audit trail shows what was reviewed, what was approved, what was flagged, and why. That record is exactly what an examiner asks for in a dark-pattern-focused exam.

For the broader supervisory architecture, see our agentic compliance piece on how the work itself is changing.

FAQ

Are dark patterns a separate CFPB violation?

No. Dark patterns are evidence supporting a UDAAP (unfair, deceptive, or abusive) finding. The legal violation is the UDAAP prong; the dark pattern is the factual predicate.

Where is the CFPB's definition of dark patterns?

The CFPB has not issued a stand-alone definition. The Bureau uses the term across guidance documents and has cited the FTC's September 2022 staff report ("Bringing Dark Patterns to Light"). Compliance teams should treat the FTC framework as the working definition.

Does the FTC also enforce against dark patterns in fintech?

Yes. The FTC has Section 5 jurisdiction over UDAP in most consumer-facing commerce. The CFPB has UDAAP jurisdiction over consumer financial products specifically. Patterns that fall in both buckets can produce parallel actions.

Are A/B-tested CTAs a dark-pattern risk?

Not inherently. A/B testing becomes a risk when the winning variant exploits one of the seven patterns, for example when an A/B test optimizes for confirmshaming or false urgency. Document the design rationale for variants that touch decision flows.

How do dark patterns interact with state consumer protection law?

California and several other states have dark-pattern provisions in their consumer protection or privacy statutes. California's CCPA, as amended, provides that agreement obtained through the use of dark patterns does not constitute consent. State attorney general enforcement runs in parallel with CFPB action.

Is pre-checked autopay always a dark pattern?

Pre-checked autopay is interface interference and forced continuity if combined with auto-conversion or auto-renewal. Pre-checked autopay with a single uncheck step and a clear disclosure may pass scrutiny, but it is rarely worth the regulatory exposure. Most firms have moved to opt-in.

Does Sedric detect dark patterns in non-English communications?

Yes. Sedric's compliance-dedicated LLM supports multilingual review with the same UDAAP and dark-pattern rule set applied. This is increasingly material for firms with Spanish-speaking consumer bases under the CFPB's limited English proficiency guidance.


See Sedric in action

Sedric is the AI compliance platform for regulated marketing and communications. Every flag is mapped to the specific rulebook provision, every override is logged with reasoning, and the audit trail is the format regulators expect on first request. Book a 30-minute demo and we will walk through your specific compliance footprint.