Consumer Financial Services: 2025 Year in Review
March 31, 2026

Emerging Issues and What to Watch for in 2026

Welcome to the first chapter of our annual report, Consumer Financial Services: 2025 Year in Review.

As Goodwin anticipated in our 2024 Year in Review, 2025 witnessed a fundamental shift in the consumer financial services regulatory landscape. The frenzied federal enforcement activity that characterized 2024 gave way to sweeping federal retrenchment, most notably by the Consumer Financial Protection Bureau (CFPB). The CFPB’s year was highlighted by the rescission of multiple consent orders, a dramatic drop in enforcement actions, a pause of large-scale supervisory activity, and legal challenges to its attempt to fire most staff.

Across the board, federal financial services regulation was uneven, with a clear split between active and dormant agencies. Unlike the CFPB, the Federal Trade Commission (FTC) stayed active, particularly in consumer protection, advertising, and fintech practices, even as it reconsidered or pulled back certain artificial intelligence–related actions. Banking regulators including the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) were comparatively quiet, emphasizing supervisory continuity and safety-and-soundness standards over new rules or aggressive enforcement. And the U.S. Securities and Exchange Commission (SEC) gave publicly traded financial services companies more to consider with regulations and enforcement on cybersecurity and artificial intelligence (AI) disclosures.

The CFPB had quite a year. Its enforcement and supervisory activity largely stalled following leadership changes and early-year directives that paused or ended active investigations, rulemaking, and litigation. With few new matters initiated, the agency was effectively in a period of dormancy for much of 2025. Ongoing matters were slowed, staff capacity was constrained, and many staff left to find new homes at state agencies. The CFPB’s public posture shifted away from its past aggressive and antagonistic consumer finance enforcement posture to a more business-friendly one. Presently, the CFPB remains operational but subdued: It has resumed core functions and limited supervision; its enforcement docket remains muted; and its regulatory agenda is narrower, with a greater emphasis on maintaining baseline statutory responsibilities rather than pursuing novel consumer protection initiatives.

Further complicating matters, while the CFPB’s acting director, Russell Vought, recently agreed to request funding for the CFPB for at least the second quarter of fiscal year 2026, the en banc U.S. Court of Appeals for the District of Columbia (D.C. Circuit) is considering whether to keep in place a preliminary injunction that prevents Vought from implementing his plan to “right size” the CFPB by firing 88% of its staff pending adjudication of a legal challenge. At the oral argument on February 24, 2025, several jurists expressed skepticism that the acting director would protect the agency’s core statutory functions in the absence of an injunction. The D.C. Circuit’s ruling and any appeal to the U.S. Supreme Court have the potential to further overhaul the federal regulatory and enforcement space for at least the next three years under the current administration.

Yet, federal retrenchment did not mean regulatory silence. State attorneys general and regulatory agencies continued their supervisory roles, with some deliberately stepping up to counterbalance the CFPB’s pullback. In October 2025, California’s governor signed the California Combating Auto Retail Scams Act, which prohibits dealers from misrepresenting material information about vehicle sales and requires clear disclosures, while in December, New York’s governor signed the Fostering Affordability and Integrity through Reasonable Business Practices Act into law, empowering the attorney general to bring civil actions against corporations engaging in unfair or abusive acts and empowering consumers to bring private rights of action for deceptive or abusive practices. Over the past year, several states passed or introduced legislation expanding telemarketing and texting restrictions, including Texas Senate Bill 140, which broadened “telephone solicitation” to include texts and images and introduced a private right of action with statutory damages up to $5,000 per violation; Oregon House Bill 3865, restricting contact hours and limiting daily calls to three per consumer; and similar legislation currently pending in North Carolina, South Carolina, and Washington.

On the appellate front, the Supreme Court and U.S. Courts of Appeals issued a number of significant rulings in 2025 that reshaped the landscape for agency authority and judicial review. In McLaughlin Chiropractic Associates, Inc. v. McKesson Corp. et al (June 2025), the Supreme Court concluded that the Administrative Orders Review Act (aka the Hobbs Act) does not bind district courts in civil enforcement proceedings to an agency’s interpretation of a statute, including the Federal Communications Commission’s interpretation of the Telephone Consumer Protection Act. Also in June, the Supreme Court decided Trump v. CASA, Inc., addressing the use of universal injunctive relief, and concluded that such injunctions “likely exceed the equitable authority that Congress has granted to federal courts,” limiting injunctions to what is “necessary to provide complete relief to each plaintiff with standing to sue.” Appellate courts also continued to tackle Article III standing under the U.S. Constitution and the ability of consumers to pursue claims for prospective injuries.

2025 also marked a pivotal year for regulatory and enforcement activity in cybersecurity, privacy, and AI governance, as regulators such as the SEC and California Privacy Protection Agency (CPPA) introduced new requirements for third-party risk management and incident reporting. AI governance emerged as a dominant theme with the adoption of the CPPA’s regulations governing automated decision-making technology and the release of the White House’s AI Action Plan. The CFPB’s attempt to use the Consumer Financial Protection Act (CFPA) section 1033 rulemaking under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to enact a personal financial data rights rule was effectively suspended pending significant redesign, as the CFPB retreated from its 2024 final rule following extensive litigation and public criticism that the rule was overbroad and technologically unworkable. In August, the Trump administration issued an executive order, “Guaranteeing Fair Banking for All Americans,” aimed at addressing the administration’s concern that financial institutions were discriminating against certain consumers based on their political or religious affiliations or lawful business activities, resulting in the OCC removing “reputation risk” from its Comptroller’s Handbook in December.

Finally, the mortgage industry enters 2026 with a mixture of relief and uncertainty, as federal oversight has loosened but the resulting regulatory vacuum leaves institutions subject to fragmented state regimes and increasing private litigation. The CFPB’s mortgage supervision efforts retracted dramatically this year, and the Federal Housing Finance Agency, meanwhile, pulled back from enforcing unfair and deceptive acts or practices. These decisions suggest that consumer finance companies need to prepare for more fragmented regulatory compliance and potentially inconsistent rulings across jurisdictions.

2025 Key Trends: By the Numbers

On the enforcement front, federal activity declined sharply across most consumer finance sectors. During 2025, Goodwin tracked 51 publicly announced federal and state enforcement actions related to consumer finance, a decrease from the 83 such actions tracked in 2024. Of the actions tracked, 27 involved federal agencies (two of which were joint CFPB-state actions), a marked decrease from 55 such actions tracked in 2024. Among federal agencies, the CFPB was the most active, having been involved in 15 of those actions, although this activity was largely driven by Rohit Chopra–era actions earlier in the year, with the majority of the new matters, including five consent orders and three complaints, announced in January. Of those, the CFPB amended its position on two of the consent orders and voluntarily dropped two of the complaints after the administration changed.

On the state side, 26 actions involved state enforcement officials and agencies, representing a slight decrease from the 31 actions that involved state actors in 2024. Among the states, New York’s, California’s, and Massachusetts’ agencies were the most active, having been involved in nine, eight, and six actions, respectively. Mortgage servicing and origination was the most common industry targeted in those actions. State efforts resulted in total recoveries of about $2.2 billion (including joint state–federal recoveries), a significant increase in total recoveries from the $30 million recovered in 2024.

Across particular industries, debt collection saw a significant drop from the 16 actions tracked in 2024, with only nine enforcement actions. Goodwin tracked five enforcement actions related to payday or short-term small-dollar loans, representing a decrease from the 15 such actions monitored in 2024. In the credit reporting space, despite receiving record-high credit reporting complaints from consumers in 2025, the CFPB largely suspended new rulemaking and enforcement, withdrawing previous guidance and proposed rulemaking pending at the end of the Biden administration. The CFPB did not initiate any enforcement actions against student loan servicers this year, and its 2025 rulemaking agendas did not highlight any new student loan–specific rules. Unlike in those sectors, mortgage origination and servicing actions remained relatively stable, with Goodwin tracking only one fewer this year than last.

What to Watch for in 2026

As regulatory priorities continue to evolve across agencies and jurisdictions, 2026 is shaping up to be another year of legal complexity for financial services companies. Federal regulators, state attorneys general, and private plaintiffs are increasingly focused on how emerging business models intersect with long-standing consumer protection frameworks, often testing the boundaries of existing statutes rather than relying on sweeping new rules. Against this backdrop, companies should expect continued enforcement activity; regulatory experimentation at the state level, including by states pursuing enforcement under the CFPA after providing advance notice to the CFPB that they are doing so; and ongoing uncertainty in areas in which federal policy remains in flux. The following are the key regulatory and enforcement developments we expect to shape compliance risk and litigation exposure in 2026.

Artificial Intelligence

Shortly after returning to office, President Trump issued a new AI-focused executive order (Executive Order 14179), which rescinded Biden-era directives. The order directed federal agencies to prioritize innovation, avoid unnecessary barriers to entry, and coordinate across the federal government to promote consistent policy signals to industry, reflecting broader concerns about global competition and the need for a cohesive national strategy. In response, federal agencies removed certain existing guidance and rescinded past orders that targeted AI. For example, the Equal Employment Opportunity Commission took down its prior guidance on how existing antidiscrimination laws apply to AI in hiring, firing, or promotion decisions. And, in December 2025, the FTC reviewed and set aside a Biden-era enforcement order issued against Rytr, a business that offers an AI-enabled “writing assistance” service that allows users to generate online reviews. Under the consent order, the FTC had previously taken the position that, because Rytr’s software had the ability to generate reviews regardless of experience, the technology could be used in a deceptive and misleading manner and was thus an instrument to make false or deceptive statements. In setting aside the consent, the FTC announced that the mere capability to potentially create false or deceptive consumer reviews was insufficient to support a violation of the FTC Act, and that the prior order could unduly burden AI innovation.

The current administration’s deregulatory posture, however, has left a void on federal AI regulation and, as a result, nearly 40 states moved to fill perceived gaps by proposing or enacting their own AI-related laws. California passed several AI laws, including the Transparency in Frontier Artificial Intelligence Act, the first US state law focused on transparency and catastrophic risk from “frontier” AI models. Arkansas enacted legislation clarifying ownership and rights around AI-generated content and identity. Pennsylvania adopted digital identity and consent protections related to AI and AI-generated content. Utah enacted provisions related to the use of generative AI in consumer transactions and regulated services. The rapid growth of state-level legislation has caused concern among major technology companies facing a fractured regulatory environment. A consortium of technology companies has pushed for a consistent federal AI regulatory framework, noting that the patchwork of conflicting state laws will make compliance more difficult and costly.

This federal–state tension took on a sharper legal dimension with the issuance of Executive Order 14365 in December 2025. This order directed the US attorney general to take action against state AI laws that “unconstitutionally regulate interstate commerce” and the FTC to formulate a policy statement that “explain[s] the circumstances under which State laws that require alterations to the truthful outputs of AI models are preempted by the [FTC’s] prohibition on engaging in deceptive acts or practices affecting commerce.” This reflects a broader dynamic in emerging technology governance, which usually plays out slowly over time: balancing states’ traditional role as policy laboratories against the federal government’s interest in uniform standards for technologies that inherently operate across state and national borders.

The unprecedented pace of AI development has put the technology and new state and federal regulation on a collision course. We expect this federal–state tension to continue influencing AI-related regulatory and enforcement activity throughout 2026.

Data Governance, Data Sharing, and Open Finance

In 2026, account access, data sharing, and open finance are likely to remain central issues in the regulation of consumer financial products as regulators seek to balance innovation, competition, and consumer protection. Financial institutions and fintech providers increasingly rely on consumer-permissioned data sharing to support payments, credit underwriting, account aggregation, and personalized financial services, heightening concerns regarding consumer consent, data security, and secondary use.

At the federal level, the CFPB finalized a personal financial data rights rule under section 1033 of the Dodd-Frank Act in October 2024, establishing a framework for standardized access to consumer financial data. Implementation of that rule, however, has been stayed while the CFPB undertakes reconsideration and potential revisions. Revisiting the topic in August 2025, the CFPB issued an advance notice of proposed rulemaking (ANPR), which reopened several foundational elements of the 2024 “open banking” rule, including whether data providers should be permitted to charge fees to offset the cost of API access. The combination of these two developments has left the regulatory trajectory for open banking and open finance unsettled. As a result, industry participants continue to face uncertainty regarding technical standards, liability allocation, and compliance timelines.

At the same time, state attorneys general and the FTC are expected to continue scrutinizing practices involving screen scraping, opaque consent flows, and unauthorized data use under theories of unfair and deceptive practices. As open finance ecosystems expand beyond traditional banking into credit, payments, and payroll-linked products, disputes over account access, downstream accountability, and interoperability standards are likely to increase, positioning data governance as a defining regulatory and litigation frontier in 2026.

Earned Wage Access

At the end of 2025, the CFPB took steps to reduce long-standing uncertainty regarding the treatment of earned wage access (EWA) products under federal consumer credit law. On December 23, 2025, the CFPB issued an advisory opinion clarifying that certain employer-facilitated EWA products — those allowing workers to access wages already earned, relying on payroll deductions, and imposing no recourse or credit risk — are not “credit” under the Truth in Lending Act (TILA) and Regulation Z. This advisory opinion draws an important regulatory distinction between wage access and consumer credit, easing compliance concerns for many providers and employers heading into 2026.

The CFPB made clear, however, that not all EWA products fall outside the scope of credit regulation — only ones that meet certain specific criteria. Based on the advisory opinion, EWA products could fall outside the “Covered EWA” safe harbor and may be subject to TILA and/or Regulation Z if (i) the provider advances an amount that may or may not be fully documented by payroll data (e.g., based on the worker’s estimate of hours worked); (ii) when repayment does not occur solely through payroll deduction but instead is automatically debited to the worker’s bank account after payday; or (iii) the arrangement could create a debt obligation because repayment is not tied strictly to a passive payroll process and could require collection activity if funds are insufficient. The advisory opinion leaves open further evaluation of other EWA models and legal frameworks beyond Regulation Z, signaling that federal oversight may continue to evolve through additional guidance, enforcement activity, or potential rulemaking as new product structures emerge.

Meanwhile, states continue to craft or enforce their own approaches to EWA regulation. Some have classified certain EWA arrangements as loans, triggering licensing and consumer protection requirements, while others have adopted bespoke regimes focused on fees, disclosures, and worker protections. These divergent approaches, combined with evolving federal guidance, are likely to create continued compliance complexity and litigation risk for multistate employers and service providers throughout 2026.

Subscription Auto-Renewal and Cancellation

Auto-renewal laws and subscription cancellation practices are expected to remain an active area of regulatory enforcement and class action litigation in 2026. Despite the U.S. Court of Appeals for the Eighth Circuit vacating the FTC’s nationwide “click-to-cancel” Negative Option Rule, codified at 16 Code of Federal Regulations (CFR) section 310.2(w), on procedural grounds in July 2025, the rule should still be regarded as a clear signal of regulator expectations as it relates to conspicuous disclosures, express consumer consent, and straightforward cancellation mechanisms. Indeed, in February 2026, the FTC announced that it was conducting a proposed rulemaking on the Negative Option Rule, and it had publicly spoken in favor of the rule even after the Eighth Circuit’s ruling. Consistent with its focus on these issues, in 2025, the FTC demonstrated its willingness to pursue alleged “dark patterns,” inadequate disclosures, and cancellation friction under section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act, including through a $7.5 million settlement with education tech provider Chegg and a $2.5 billion settlement with Amazon. Under the Amazon settlement, the company is subject to various forms of injunctive relief, including “providing clear and conspicuous disclosures about the Prime enrollment and cancellation process, obtaining express informed consent before charging consumers,” and, notably, providing “customers with a clear button to cancel their Prime membership, consistent with the original” click-to-cancel rule.

States were also active in this space in 2025. California passed its amended Automatic Renewal Law, which, among other provisions, requires businesses to get a “consumer’s express affirmative consent” to auto-renewal or continuous service offer terms and applies to contracts “entered into, amended, or extended […] on or after July 1, 2025.” New York likewise enacted additional requirements for auto-renewal products through its 2025–2026 budget bill, effective beginning in November 2025, making 2026 the first full year of operation under the updated regime. These requirements include a provision requiring companies to clearly and conspicuously disclose the material terms of an automatic-renewal offer — including the price, the frequency of charges, the deadline by which consumers must act to prevent future charges, and how to cancel — before the company requests consent or billing information. Further, companies must provide “a simple cancellation mechanism that is as easy to use as the mechanism that the consumer used to provide consent and that is through the same medium that the consumer used to provide consent.” Additionally, Colorado passed a law, SB25-145, which took effect on February 16, 2026, that expressly requires an online cancellation option when a consumer consented online. We anticipate continued federal and state legislative and enforcement focus on auto-renewal and subscription products in 2026.

Junk Fees

Regulators are likely to continue their scrutiny of “junk fees” in 2026.

Throughout 2025, the FTC continued to emphasize the need for price transparency. In May 2025, the FTC’s Trade Regulation Rule on Unfair or Deceptive Fees took effect, prohibiting certain pricing practices in the live-event ticketing and short-term lodging sectors. While the scope of the rule is limited, the FTC made clear in the accompanying press release that it will continue to pursue alleged junk fee practices more broadly under section 5 of the FTC Act. “Junk fee” is a broad term the CFPB has used to describe a wide range of fees financial institutions may charge consumers, ranging from so-called “surprise” overdraft fees to “pay-to-pay” convenience fees.

Additionally, in September 2025, the FTC’s commissioner signaled that the agency’s view of consumer protection is to ensure “that consumers can make well-informed choices” and “that the information provided to consumers is in fact truthful and not misleading.” In 2026, we anticipate that the FTC will likely continue to emphasize the “total price” principle, which challenges advertising practices that promote a base price while relegating unavoidable fees to later stages of a transaction. Increased scrutiny of digital interfaces and checkout flows is also anticipated, particularly when fees surface only after consumers have invested time or entered personal information.

State junk fee enforcement is expected to accelerate, particularly in jurisdictions that have enacted or expanded price-transparency statutes in 2025, such as Minnesota, Connecticut, Colorado, Maine, Nevada, Rhode Island, and Oregon.

Consumer Protections Afforded to Service Members

Compliance with the Servicemembers Civil Relief Act (SCRA) and the Military Lending Act (MLA) is likely to remain a significant enforcement priority in 2026, as financial services for military service members is high on the administration’s consumer protection agenda. SCRA provisions relating to interest rate caps, foreclosure and eviction protections, and stays of civil proceedings continued to generate litigation and regulatory scrutiny in 2025, given the potential for significant remediation and penalties.

For example, one of the few enforcement actions by the CFPB in 2025 was the settlement of an MLA action against MoneyLion. The parties entered into a stipulated final judgment in November 2025. Under that judgment, MoneyLion agreed to pay approximately $1.75 million in restitution to affected consumers and must allow military and other borrowers to cancel memberships even if loan balances or past membership fees remain. In parallel, the U.S. Department of Justice emphasized SCRA compliance, including through joint communications with the CFPB reminding financial institutions of their statutory obligations.

Together, these developments suggest that institutions involved in credit, foreclosures, repossessions, or lease terminations affecting active-duty personnel are likely to remain under close regulatory and litigation scrutiny in 2026.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
