CFPB Compliance Audit Overview

A CFPB compliance audit is a structured examination of a financial institution's adherence to the federal consumer financial protection laws administered by the Consumer Financial Protection Bureau. These audits apply to a broad set of entities — including banks, credit unions, mortgage servicers, payday lenders, debt collectors, and certain fintech firms — that offer or service consumer financial products. Understanding the scope, mechanics, and decision criteria of CFPB compliance audits is essential for any institution operating under the Bureau's supervisory authority.

Definition and Scope

The Consumer Financial Protection Bureau holds supervisory authority under Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (12 U.S.C. §§ 5514–5516). That authority extends to nonbank covered persons, including "larger participants" in markets the Bureau defines by rule, and to depository institutions and credit unions with total assets exceeding $10 billion. A CFPB compliance audit, whether conducted internally by the institution or driven by a CFPB examination, evaluates conformity with statutes such as the Truth in Lending Act (TILA), the Real Estate Settlement Procedures Act (RESPA), the Fair Debt Collection Practices Act (FDCPA), the Equal Credit Opportunity Act (ECOA), and the Electronic Fund Transfer Act (EFTA), among others.

The audit scope encompasses three distinct dimensions:

  1. Policy adequacy — Whether written compliance management systems (CMS) meet CFPB examination manual standards.
  2. Operational conformity — Whether day-to-day practices align with disclosed terms, regulatory timing requirements, and prohibited conduct rules.
  3. Consumer harm assessment — Whether identified gaps produced quantifiable consumer injury, including financial loss, denial of credit, or deceptive disclosure.

For a broader classification of audit types that intersect with CFPB compliance, see Financial Audit Types Explained and the distinction drawn in Compliance Audit vs Financial Audit.

The CFPB's Supervision and Examination Manual organizes review modules by product and law, providing the primary public reference framework for what examiners evaluate.

How It Works

A CFPB compliance audit — whether self-initiated or examination-driven — follows a phased structure:

  1. Scoping and risk assessment — The institution or auditor identifies applicable regulations based on product lines offered, geographic markets served, and historical complaint data. CFPB examination teams use complaint data from the CFPB Consumer Complaint Database and prior examination findings to prioritize risk.
  2. Documentation request and collection — Policies, procedures, training records, consumer disclosures, loan files, servicing records, and complaint logs are assembled. CFPB examiners typically issue a document request list 30 to 60 days before an examination start date.
  3. Transaction testing — A statistical sample of consumer accounts or transactions is drawn to test disclosure accuracy, timing compliance, and fee calculation. Sampling methodology follows risk-based principles discussed in Audit Sampling Methods for Financial Firms.
  4. Interview phase — Compliance officers, operational staff, and third-party vendor representatives may be interviewed to assess whether written controls function as documented.
  5. Preliminary findings and response — Draft findings are shared with institution management, who provide factual corrections and context before final findings are issued.
  6. Corrective action and follow-up — Findings classified as violations or matters requiring attention (MRAs) trigger a formal corrective action plan with defined remediation timelines.

The CFPB can escalate supervisory findings to enforcement actions, including civil money penalties. Under 12 U.S.C. § 5565(c), civil penalties are tiered: up to $5,000 per day for any violation, up to $25,000 per day for reckless violations, and up to $1,000,000 per day for knowing violations. Those are the statutory base amounts; they are adjusted annually for inflation (12 C.F.R. Part 1083), so the figures in effect at the time of a violation are higher. The CFPB's periodically published Supervisory Highlights summarizes examination findings and the supervisory or enforcement actions that followed.

The Dodd-Frank Audit and Reporting Provisions page covers the statutory foundation that enables this enforcement structure.

Common Scenarios

CFPB compliance audits cluster around specific regulatory pressure points:

Mortgage servicing is consistently among the most examined areas. Regulation X (implementing RESPA, 12 C.F.R. Part 1024) imposes timing requirements on servicers, and audit testing commonly reveals failures in those requirements, particularly during loan transfer events.

Fair lending examinations apply the ECOA (15 U.S.C. § 1691) and Regulation B (12 C.F.R. Part 1002) to test for disparate treatment and disparate impact in underwriting, pricing, and servicing decisions. Regression analysis of loan files across demographic proxies is a standard audit tool in this area. See Fair Lending Audit Requirements for methodology detail.

Debt collection reviews under the FDCPA examine communication timing, prohibited contact practices, validation notice accuracy, and dispute handling. The CFPB's Debt Collection Rule (Regulation F, 12 C.F.R. Part 1006, effective November 30, 2021) added specific electronic communication provisions that post-date many legacy compliance programs.

Prepaid accounts and payment products fall under Regulation E (12 C.F.R. Part 1005) and the Prepaid Accounts Rule (finalized in 2016, effective April 1, 2019), which established error resolution and disclosure requirements for prepaid accounts. Payment Processor Audit Requirements covers this space in further detail.

Decision Boundaries

Not every institution faces identical CFPB audit exposure. The Bureau's jurisdictional and supervisory thresholds create meaningful classification boundaries:

Supervised vs. non-supervised entities — Depository institutions and credit unions with total assets at or below $10 billion are examined for consumer compliance by their prudential regulator (OCC, FDIC, Federal Reserve, or NCUA), not directly by the CFPB, though CFPB rules still apply to them and the Bureau may participate in those examinations on a sampling basis (12 U.S.C. § 5516). Institutions above $10 billion fall under direct CFPB examination authority (12 U.S.C. § 5515).

Nonbank supervision — Under 12 U.S.C. § 5514, the CFPB directly supervises nonbank mortgage originators, brokers and servicers, private education lenders, and payday lenders regardless of size or charter type. Other nonbank markets, such as consumer reporting, debt collection, student loan servicing, and automobile financing, are reached through larger participant rules that set defined volume thresholds, and any nonbank covered person may be brought under supervision through an individual determination that it poses risk to consumers.

Internal vs. CFPB-initiated audits — An institution's internal compliance audit and a CFPB supervisory examination are structurally similar but operationally distinct. Internal audit findings can be remediated before an examiner sees them, though they are not privileged merely because they are internal (privilege attaches only where counsel directs the work) and examiners routinely request internal audit reports. CFPB examination findings become part of the confidential supervisory record and can escalate to public enforcement. The Internal vs External Audit Differences page explores this distinction further.

Risk-tiered examination frequency — The CFPB's examination schedule is risk-based. Higher-risk institutions — those with significant complaint volume, prior findings, or rapid market growth — are examined more frequently. Audit Frequency Requirements for Financial Institutions details the cadence frameworks applicable across federal financial regulators.

An institution subject to CFPB oversight that also issues securities or maintains broker-dealer operations may face overlapping compliance obligations with the SEC and FINRA, covered in SEC Reporting and Audit Requirements and FINRA Audit Obligations for Broker-Dealers.
