UDAAP in 2026: What the CFPB Is Actually Looking For in Fintech Products
UDAAP enforcement has shifted. The CFPB's current examination priorities are not primarily focused on what a fintech says in its marketing. They are focused on how a fintech's product is designed, how fees are disclosed, how AI-generated communications present information to consumers, and whether default product configurations benefit the company at the consumer's expense.
The Shift from Marketing Claims to Product Design
Through 2021, UDAAP enforcement against fintechs concentrated on advertising claims: misleading comparisons, overstated product benefits, inadequate fee disclosure in promotional materials. Those cases remain active, but the CFPB's examination focus has moved upstream into product architecture itself.
The Bureau's 2022 circular on junk fees, its 2023 guidance on dark patterns, and its 2024 supervisory priorities all signal the same examination lens: regulators are asking whether product design choices that disadvantage consumers were intentional, and whether those choices were adequately disclosed. The distinction between an unfair act and an abusive act matters here. Unfair requires substantial consumer injury. Abusive requires only that the company took unreasonable advantage of a consumer's inability to protect their own interests, or of a consumer's reasonable reliance on the company to act in their interest.
Current CFPB Examination Focus Areas
Fee transparency and timing. The CFPB is examining how and when fees are disclosed relative to the point at which a consumer incurs them. Fees disclosed at account opening that become relevant only at transaction time are receiving heightened scrutiny, particularly when the disclosure pathway is buried in a terms-of-service document rather than presented at the point of fee incurrence.
Default product configurations. Products that default consumers into higher-fee tiers, automatic renewals, or data-sharing arrangements that primarily benefit the company rather than the consumer are being examined as potential abusive acts. The abusiveness analysis does not require proof of intent. It requires demonstrating that the default configuration took unreasonable advantage of a consumer's inability to evaluate the product configuration they are enrolled in.
AI-assisted customer communications. The Bureau issued a circular in late 2024 on AI-generated consumer communications making clear that UDAAP liability attaches to the company, not to the underlying model. Communications that create false urgency, that misrepresent product terms, or that use personalization to identify and exploit financially stressed consumers are being examined under the abusiveness prong regardless of whether the communication was generated by a human or an algorithm.
Negative option marketing in embedded finance. The integration of financial products into non-financial consumer journeys — BNPL at retail checkout, savings accounts offered during onboarding flows for non-financial apps — is receiving examination attention focused on whether consumers meaningfully understood they were enrolling in a financial product with ongoing obligations.
The practical standard: CFPB examiners are applying a consumer-reasonableness test to product design decisions. Would a reasonable consumer, based solely on the information presented to them at the point of each product interaction, understand what they are agreeing to, what it costs, and what the alternatives are? If the answer requires knowledge that was available only in full terms-of-service documentation, the design is exposed.
Conducting a UDAAP Product Assessment
A UDAAP assessment of a fintech product is not a document review exercise. It requires walking through every consumer-facing touchpoint — onboarding, activation, feature use, fee incurrence, account management, and off-boarding — and applying the CFPB's consumer-reasonableness standard at each step.
The gaps that surface most frequently are not in obvious advertising materials. They are in fee disclosure timing during transaction flows, in default settings that were set to company-favorable configurations at launch and never revisited, and in AI-generated communications that have not been reviewed under the same UDAAP framework applied to human-drafted communications.
The Regulatory Health Check engagement offered by this practice includes a full UDAAP product assessment as a core component. The assessment produces a prioritized findings report with specific design and disclosure recommendations, written in the framework an examiner would use, which is the same framework a bank sponsor's compliance team will apply when reviewing the product for their own program agreement approval.