Insights

It's no secret that 2025 turned the federal regulatory ecosystem on its head. The Consumer Financial Protection Bureau was significantly downsized and almost neutered. The Federal Trade Commission's leadership and composition were changed, as were its focus and enforcement priorities.

This upheaval has, for the most part, given the auto finance industry a breather from federal enforcement of federal consumer protection laws. State enforcement is another matter, but let's set that aside for now.

Keep in mind that the federal laws haven't gone away; they are still there. It's just that we have a pronounced pause in the federal government enforcing them. So, what's a company to do? Throw caution to the wind and do whatever is necessary to make money? If that's your instinct, rethink that option. Instead, be smart and take advantage of this time.

If there's anything we know for sure it's that nothing ever stays the same. That couldn't be more true than with the White House and who (or what party) is in charge. We may have two plus years left of this regulatory pause—that's not a whole lot of time, especially as it relates to the longevity of your business. In fact, in the legal and compliance arena, it's just about the right amount of time to implement a robust compliance infrastructure. So, why not take this break in enforcement to do that? And if you already have a compliance program in place, why not take this opportunity to reassess whether it's sufficiently robust? You could use this time to have it tested by a compliance attorney, consultant, or another third party and then retool it according to the findings.

This pause is a gift of time—time to get your compliance house in order and make sure that what you "think" you have in place is actually compliant. Here are some things you should do:

• If you have a formal written compliance program, hire an attorney knowledgeable about F&I, credit, data privacy, and data security law to assess your current program—both your written materials and your actual practices.
• If you don't have a formal written compliance program, begin putting one in place. Talk to an attorney knowledgeable about F&I, credit, data privacy, and data security law to help you do so. The attorney should help you with triage, deciding what to tackle first, followed by a plan to get to the compliance finish line.
• Take a look at your consumer complaints—all of them, not just those from attorneys general, Better Business Bureaus, and other third parties. These complaints are a window into your practices (and possibly policies) that could lead to unfair or deceptive acts or practices claims and/or claims of violations of other laws. This is an easy way to identify low-hanging fruit that you can address before the regulators visit.
• There are a lot of new laws being enacted by states in response to the federal pullback. New York, for example, just enacted the FAIR Act, which gives its AG brand new enforcement powers over unfair and abusive practices. Understand what changes have taken place in the laws of the states in which you operate. Are there new disclosure requirements? Are there new privacy protections?
• Update your training materials and retrain your employees regularly. This practice keeps employees knowledgeable about current legal and compliance obligations and requirements while also emphasizing your company's commitment to complying with the law. It's just good business. I always encourage clients to include a section on what happens when the law is violated—not to scare employees but to highlight the real-life implications of violating the company's compliance policies and procedures.
• Send your compliance officer and other compliance professionals to third-party training. Nothing beats getting your compliance professionals outside of your organization to network with other compliance professionals and discuss best practices. The cost of the program, hotel, and travel will more than pay for itself in the return to your organization.

Now, on to a list of specific topics your organization should be thinking about when it comes to compliance:

• use of AI;
• information privacy practices;
• customer data safeguarding practices;
• outreach to and transactions with limited English language proficiency consumers;
• outreach to and transactions with vulnerable consumers;
• outreach to and transactions with servicemembers; and
• use of third-party vendors (i.e., do they have compliance programs, are they using AI, what are their privacy practices, what are their safeguarding practices?).

I could go on and on.

Given the whiplash we felt from 2024 to 2025, if a Democrat takes over the White House in 2029, we may feel an equally explosive whiplash back to robust enforcement. I expect any new administration will have a goal of gaining back lost ground, but if you take the time now to get your organization's compliance house in order, you will be ready.

Patricia E.M. Covington is a partner in the Virginia office of Hudson Cook, LLP. Patty can be reached at 804.212.1201 or by email at pcovington@hudco.com.