This blog post is co-authored by Chase McGrath.

The Consumer Financial Protection Bureau’s (CFPB) regulatory enforcement drive has subsided in recent years, leaving the door open for states to decide what steps they’ll take and how to protect consumers in their jurisdiction. Read on for details about how states are responding – creating new laws and new government agencies – so that there is no lapse in protection, despite the CFPB’s pullback.

When Mick Mulvaney took over as interim Director, the CFPB signaled that it would take a much more “hands-off” approach to enforcement and consumer protections. It is our view that recent actions from the current Director, Kathy Kraninger, point to the Bureau continuing its efforts to revise policies deemed too burdensome on the financial industry in favor of less stringent controls. For example, while the CFPB is expected later this year to issue guidance clarifying what constitutes “abusive acts or practices” (see Section 1031 of Dodd-Frank Act) against consumers, Kraninger already released a statement foreshadowing regulatory leniency in the Bureau’s pending decision.1 Her commentary that the cost of financial regulation indirectly hurts consumers by limiting access to credit indicates the approach the agency is expected to take during her period of leadership, which could last up to five years if she serves her entire appointed term.

Originally prompted by the CFPB’s new direction under Mick Mulvaney, a series of letters have poured out from State Attorneys General with concerns that the CFPB is no longer an effective “partner” with the states in enforcing consumer protection laws.2 The letters foreshadow a new wave of state enforcement of consumer financial protection laws, since states can take advantage of a little-known provision of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act that grants State Attorneys General the authority to enforce the CFPB’s rules and its broad ban on “unfair, deceptive, and abusive acts or practices.” The lack of response from both Mulvaney and Kraninger, combined with their official objectives for the CFPB, has motivated state legislatures to create their own state-run consumer financial protection bureaus to enforce the applicable state statutes.3 Maryland, New York, New Jersey and Pennsylvania have all strengthened their consumer financial protection arsenals by creating “mini-CFPBs.”4 In addition, the offices of the State Attorneys General in Delaware, Connecticut and Massachusetts have created consumer protection units to focus on prosecuting cases where corporations have violated state or federal consumer financial protection laws.5

Figure 1: Innovation at the state level 

Source: Accenture, January 2020

At the same time, state governments have decided that privacy law is an area which requires more robust statutory protection and state enforcement. Numerous privacy regulations have emerged across different states, ranging from the California Consumer Privacy Act (“CCPA”) – which goes into effect starting January 1, 2020 – to new regulatory legislation introduced, including privacy bills in New Jersey, Washington and other states. Although these new requirements vary in enforcing bodies, jurisdiction, or penalties, they share a similar underlying goal: to fill a void in federal protection of consumers’ rights against abuse from private industry. In response to these new state requirements, we are increasingly seeing businesses implement a variety of broad “Consumer Rights” programs. Rather than implement only the requirements mandated by the CCPA, businesses are building an integrated privacy program that should allow them to respond to existing and future regulations using a unified approach. Such an approach helps businesses to integrate efficiencies, solve for multiple challenges through a single solution, and develop a privacy program to fall back on, and update if necessary, as new regulations emerge.

For the financial services industry, this shift in consumer protection responsibilities from a federal to federated system should inevitably lead to an increasing compliance burden for the organization. Each state is very likely to have a nuanced set of regulations when it comes to consumer protection, much like with consumer privacy law. For the compliance function to effectively manage consumer protection risk for their organization, it requires the right approach to assess the level of regulatory exposure for each state that a firm operates in. This approach should include sourcing applicable regulations and then mapping state-level requirements to provide a comprehensive analysis of regulatory vulnerabilities. Not properly assessing risk could have a profound impact on business operations.

Impacts on Companies

The ongoing paradigm shift in consumer protection poses deep strategic and operational challenges for businesses across different industries. Consumer protection at the federal level has historically focused on financial institutions and telecommunications companies. However, as states begin to augment their own set of regulations, state governments may expand regulatory oversight into new areas of consumer protection or implement rules that impact businesses across various industries.

Companies may not look to federal regulations to provide umbrella statutes under which state regulations can fall. Insurance carriers have already experienced firsthand the impact of state-led regulation on the industry. Underwriters are subject to myriad state laws and regulatory frameworks that begin and end at each state border. This environment has shaped the industry, from the operating structure of companies to the insurance product portfolio and pricing that carriers offer within each state. Along with the increased oversight from each state comes the risk of litigation and fines for non-compliance.

To maintain compliance in this type of environment, businesses should create a new and transformative framework for consumer protection that can respond to multiple regulations on similar topics. Doing so requires organizations to build cross-functional programs that can operate across the entire enterprise to 1) provide a centralized approach to responding to regulations, 2) cover the scope of requirements the business may be facing, and 3) continuously improve to control the burden of burgeoning compliance costs. While this may appear costly and burdensome, a centralized program or framework for compliance with consumer protection regulations also yields ancillary benefits throughout the organization. It allows businesses to simultaneously revise processes and assess technology capabilities across their enterprise. This creates opportunities to innovate and adopt new technologies, resulting in long-term agility that can help the firm more quickly adapt as compliance requirements inevitably change.


  1. “CFPB’s Kraninger Signals Next Steps on Clarifying ’Abusive’ Standard in UDAAP,” ABA Banking Journal, April 17, 2019. Access at:
  2. See Letter from the State of New York Office of the Attorney General to United States President Donald Trump, December 12, 2017, (the AG assignees will “continue to vigorously enforce consumer protection laws regardless of changes to the [Consumer Financial Protection] Bureau’s leadership or agenda.”) Access at: See also Letter from the California Office of Attorney General to the Consumer Financial Protection Bureau, April 25, 2018, (leading a coalition of 16 Attorneys General, called on the Trump Administration to respect the Consumer Financial Protection Bureau’s (CFPB) investigative authority). Access at: Letter from the State of New York Office of the Attorney General to Director Kraninger, October 15, 2019, (signed by 13 Attorneys General, urges the CFPB not to undermine the ability to enforce fair lending laws nor prevent discrimination against communities of color in the mortgage lending market). Access at:
  3. See Letter from the State of New York Office of the Attorney General to United States President Donald Trump, supra. Access at:
  4. Maryland House Bill 1634, ch. 731, Financial Consumer Protection Act of 2018, May 15, 2018, created the Maryland Financial Consumer Protection Commission. Access at: “Acting DFS Superintendent Lacewell Announces Appointment of Katherine Lemire as Executive Deputy Superintendent of Newly Created Consumer Protection & Enforcement Division,” New York State Department of Financial Services, April 29, 2019. Access at: New York Consumer Protection and Financial Enforcement Division, under the auspices of the Department of Financial Services (the NYDFS placed a strategic focus on consumer financial services and the prioritization of enforcement as a preferred regulatory tool. New York was the 2nd state to create a “mini-CFPB,” following Pennsylvania). The New Jersey Division of Consumer Affairs (“DCA”) is under the auspices of the New Jersey Department of Law and Public Safety and is found at: (includes the Office of Consumer Protection, which enforces the Consumer Fraud Act, one of the nation’s strongest consumer protection statutes). Pennsylvania House Bill 2438, Act 86 (2012), created the Pennsylvania Department of Banking and Securities (“DOBS”). Access at: Further, in 2017, the Pennsylvania Attorney General Josh Shapiro created a Consumer Financial Protection Commission to augment the DOBS.
  5. The Delaware Consumer Protection Unit found at, The Consumer Protection Department established under the Connecticut Unfair Trade Practices Act, ch. 735a (1973): The Massachusetts Consumer Financial Protection Agency, established under the Massachusetts Consumer Protection Act, ch.93A found at:

Submit a Comment

Your email address will not be published.