In the first installment of a two-part Payments Year in Review series, hosts Keith Barnett, Carlin McCrory, and Jason Cover highlight the key federal developments that shaped the payments industry in 2025 and preview what's ahead for 2026.
In the first installment of a two-part Payments Year in Review series, hosts Keith Barnett, Carlin McCrory, and Jason Cover highlight the key federal developments that shaped the payments industry in 2025 and preview what's ahead for 2026.
They cover the evolving status of the CFPB's payday lending rule, shifting BSA/AML enforcement from federal agencies to increasingly active state regulators, and the CFPB's changing approach to earned wage access, including new guidance for certain employer-integrated models. The episode also examines the fallout from the voided FTC "Click to Cancel" rule and the agency's continued reliance on ROSCA and Section 5 to police auto-renewal and cancellation practices.
The discussion wraps up with buy now, pay later (BNPL), focusing on the CFPB's rescinded advisory and New York's move to regulate BNPL more like traditional credit, setting the stage for Part 2's focus on state-level trends.
Payments Pros – The Payments Law Podcast
Payments Year in Review 2025: Federal and State Developments – Part 1
Hosts: Keith Barnett, Jason Cover, Carlin McCrory
Aired: 1/28/26
Keith Barnett (00:05):
Welcome to another episode of Payments Pros, a Troutman Pepper Locke podcast focusing on the highly regulated and ever‑evolving payment processing industry. This podcast features insights from members of our FinTech and Payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. My name is Keith Barnett, and I am one of the hosts of the podcast. Before we jump into today’s episode, let me remind you to visit and subscribe to our blog at TroutmanFinancialServices.com. And don’t forget to check out our other podcasts at Troutman.com/podcast. We have episodes that focus on trends driving enforcement activity, digital assets, consumer financial services, and more. Be sure to subscribe to hear the latest episodes.
Today, I’m joined by my co‑hosts, Carlin McCrory and Jason Cover, for the first in a two‑part series. We’ll look back at what we saw in the payments landscape in 2025 and discuss what we can expect in 2026. Carlin and Jason, thanks for joining me.
Jason Cover (01:12):
Thanks, Keith.
Carlin McCrory (01:13):
Looking forward to it.
Keith Barnett (01:14):
To kick things off, we are going to focus this episode on the biggest federal moves from the past year that have shaped the payments industry. In particular, we are going to talk about the Payday Rule. We are also going to talk about BSA/AML enforcement, earned wage access, the FTC “Click to Cancel” Rule, and auto-renewal enforcement and just FTC enforcement in general. And we are also going to talk about the Buy Now, Pay Later Rule, both on a federal level and also we will talk a little bit about the state law level as well. Let's get started. Jason.
Jason Cover (01:50):
Thanks, Keith. You mentioned the CFPB's rule on payday, vehicle title, and certain high-cost installment loans, which I think is colloquially called the Payday Rule for most people, or maybe the small-dollar rule. 2025 saw at least what initially looked like somewhat of a resolution to the status of the rule. For those of you who have been keeping track, this rule has been going on for over a decade now. If you remember the Small Business Advisory Review Panel where the rule originally happened in April 2015. The initial proposed rule happened in 2016, with a final rule issued in November of 2017 at the tail end of the Cordray administration. The effective date was January 16, 2018. So in theory this rule has been in effect for something eight years now. But the compliance date, the date that everyone was supposed to comply, all the covered borrowers and payment processors and everyone else, was originally slated for August 19, 2019. Before that date, a trade industry group, the CFSA, filed a lawsuit against the CFPB in 2018, and that stayed that compliance date. It was then litigated through a district court in Texas. The rule was originally overturned by the Fifth Circuit, which upheld the Administrative Procedure Act challenge, but then vacated based on the CFPB's purported unconstitutional funding mechanism, which was then subsequently overturned by the Supreme Court in 2024.
(03:15)
And that's when we thought we finally had a real compliance deadline in place, which was March 30, 2025. So, in theory, that date has come and passed and covered borrowers are subject to this rule. And just as a reminder, there also originally were ability-to-repay provisions that were rescinded by the Kraninger administration, and what remains are payment provisions. So that caps covered lenders from making a payment attempt after two consecutive failed payments and then has other disclosure requirements that can be somewhat problematic because of their timing restrictions. But in any event, that compliance deadline has passed, but on the tail end—or I am sorry, right before that compliance deadline—the CFPB weighed in once again on March 28, 2025, and noted that while the compliance deadline was slated to pass, it will not prioritize enforcement or supervision actions with regard to any penalties or fines associated with the payment provisions. It also noted that it's contemplating additional rulemaking now to potentially narrow the scope of the rule or otherwise reevaluate it. There's been several items that have popped up in CFPB releases indicating the potential for additional rulemaking. And then most recently, the CFPB held a Consumer Advisory Board meeting with industry participants to discuss the status of the rule on December 10, 2025.
(04:37)
So long story short, Keith, the rule is now in effect. The compliance deadline has passed, but it's not being enforced at the federal level, and I think we have the expectation of still more additional changes to the CFPB's Payday Rule in 2026.
Keith Barnett (04:53):
Yeah, that was interesting, Jason. Because I do know that a lot of our payment processing clients have been paying close attention to this. What, if anything, should payment processors take out of this?
Jason Cover (05:04):
I think it's somewhat of a wait-and-see approach. If you have contacts with trade groups or folks that are in close contact with the CFPB, I think it's certainly time to engage those. I'd get your comment-letter pens ready to the extent there's a rulemaking. With the current administration, certainly, I would think that anything that happens in the future will be more curtailing of rule, not expanding it. So probably good news for the industry and payment processors on the whole, but keep monitoring and be prepared to respond when that opportunity comes up.
Keith Barnett (05:37):
Great, that's very helpful. Thanks, Jason. Next, I want to talk about BSA/AML enforcement over the past year in 2025. Now, if you listen to any of our prior podcasts or any of our writings, you will see that we wrote and spoke a lot in 2024 and actually, quite frankly, during the Biden administration, about a lot of enforcement by the federal government in connection with BSA/AML issues generally, and in particular, a lot of enforcement action on bank–FinTech partnerships in 2024 and before that. And we saw very little activity during 2025 when compared to prior years of BSA/AML enforcement. And instead, we have seen that the states have actually shifted their focus to look more at BSA/AML enforcement.
So, but just because there is less enforcement on the federal level does not mean that financial institutions should just automatically take their foot off the gas pedal with respect to compliance. Because keep in mind that under the BSA/AML rules, financial services firms—including banks or anyone who falls within that definition at a federal level—are required to perform due diligence on customers, including verifying their identities, reporting suspicious activity, and applying appropriate controls, especially for high-risk related accounts, be that accounts related to merchants or processors or money transmitters.
(07:15)
And so what we have seen is that state regulators over the past year have found that licensed money transmitters had not been in compliance with certain requirements, and they have monetarily penalized them along with agreed-upon compliance enhancements. So, even though the federal government has not been as active on BSA/AML as it had been under Biden, the lessons learned are that the financial institutions must have programs—or continue to have programs—that are commensurate with the level of risk and the volume of transactions. And so that includes making sure that you have a written BSA/AML program that conforms to whatever your organization's needs are. So if you are a bank and you bank high-risk merchants or high-risk processors or high-risk money transmitters, you want to make sure that you have a BSA/AML program tailored to your needs. Because where we have seen enforcement, both at the federal and state level, it's not only been deficient—or at least what they perceive to be deficient—written programs, but also deficient compliance or implementation of the written program. So it's not just enough to have a good written program, you actually have to follow that written program.
(08:39)
And not only do you have to follow that written program, but there have been times where either a bank or other type of financial institution has run afoul of the federal government has been the failure to provide for an independent review of the AML program on a frequency commensurate with the services that the financial institution has provided. And we have seen from both the federal enforcement actions, but also the state enforcement actions, that this independent review of the program must be done, or at least should be done, at least once a year. At least that's what the enforcement actions have said. What the regulators are also paying attention to is not only the independent review of the AML program, but any type of recommendations or suggestions from the independent reviewer. The state regulators and the federal regulators will look to see whether or not the changes or the recommendations are being implemented. And if not, they expect to hear a reason why these changes or the recommendations have not been implemented. Chief among these issues are timely investigating and reporting of suspicious activity. In particular, I am talking about suspicious activity reports. That is something that has been top of mind, top of examination, top of everything when it's come to compliance and any type of enforcement actions or investigations.
(10:15)
So remember, SAR reporting is important both at the federal and the state level, along with monitoring each transaction for data integrity issues and also just general due diligence procedures. So the bottom line here is there is still an expectation from the regulators that financial institutions institute a more robust—or a robust—program to ensure that customer information is accurate, complete, valid, and properly reflected with respect to regulatory reporting. And so that's it in a nutshell. And with that, I will turn it over to Carlin and Jason to talk about earned wage access.
Carlin McCrory (11:02):
Thanks, Keith. We've seen a lot of movement in the EWA space, and I'll give a brief history. If you'll recall, back in 2020, the CFPB under the first Trump administration issued an advisory opinion stating that certain employer-partnered EWA services did not meet the definition of credit under TILA because they did not involve the right to defer payment of debt or to incur debt and defer its payment. This advisory opinion applied to employer-based services, like I said, that met very specific and certain conditions, but it did not address whether other forms of EWA, like direct-to-consumer, were considered credit.
(11:49)
In 2024, the CFPB issued a proposed interpretive rule that would have treated all EWA services as credit under TILA and classified certain delivery fees and tips as finance charges. The Bureau did not finalize the proposed interpretive rule and instead, in January 2025, it rescinded the 2020 advisory opinion. And thereafter, in May of 2025, the CFPB wiped the slate clean by withdrawing both the advisory opinion and the 2025 rescission. So where did that leave us? That left us with nothing on the slate. So in December of last year, 2025, the CFPB issued an advisory opinion that EWA products with the following characteristics are not credit. And those characteristics are: first, the amount a user can access can't be more than the wages that they have already earned based on payroll data.
(12:49)
It can't be from estimates or information from the worker. Second, the provider must recoup the funds through a payroll deduction the next payday and not by debiting from the user's regular bank account after wages are paid. Third, before the transaction, the EWA provider must disclose that it has no legal or contractual claim or remedy against the user if the payroll deduction is insufficient to cover the full amount of the EWA transaction and won't send any amounts to debt collection or report to a credit reporting agency. And fourth, the provider does not assess the credit risk of individual workers through either credit reports or credit scores. The advisory opinion also states that expedited delivery fees and tips are not finance charges so long as the options are not required and they can be easily avoided. Notably, the opinion also states that plans like direct-to-consumer may not be credit, but the opinion doesn't opine on that specifically.
Jason Cover (14:00):
So it sounds to me like what the CFPB said does not really address the circumstances. Or maybe it says that this is not a loan if you are just providing the technology for EWA. Is that fair to say?
Carlin McCrory (14:17):
The opinion does not necessarily directly answer that question. However, what it does say is if you fall within the purview of these four criteria, so to speak, basically an employer-integrated program with these characteristics would not be considered credit under TILA. And so those providers falling within the employer-integrated model should likely consider and conform to the advisory opinion. But with an administration change, this could all very quickly go away, as we have seen the flip-flopping based off administrations in the past.
Keith Barnett (14:51):
And Carlin, I think one important distinction—in many ways the 2025 opinion is very similar to the Kraninger opinion in 2020. And both, as you noted, are related to employer-based programs that can involve a FinTech or, I suppose, not involve a FinTech sitting with the employer. But one important distinction is that they remove the requirement that it be cost-free to the consumer or the employee. So really important to distinguish there. I think many people thought the 2020 advisory opinion wasn't very useful because many programs have a fee and, as you noted, don't cover the consumer-based programs as well. And I would note that they added in there that the opinion is not meant in any way to establish the CFPB's opinion on the consumer-based program. So that's still somewhat up in the air as well, and it sounded like there may be some future rulemaking on that level.
Carlin McCrory (15:40):
And speaking of future rulemaking, Jason, there is a bill proposed in the House right now that says that both direct-to-consumer and employer-integrated programs are not credit under TILA. And it has very specific disclosure requirements. And I think it would be overall positive for the industry. But Jason, do you have thoughts on where you think that may go, if nowhere?
Jason Cover (16:06):
It is hard to believe that anything will happen in Congress in this day and age, but it certainly would be welcome. I think we are continuing to see lots of litigation at the federal and state level about TILA claims, MLA claims, and state law claims for EWA products. So establishing some certainty, at least at the federal level, would certainly be welcome.
Carlin McCrory (16:26):
Yeah. And the bill actually preempts state laws that go further than the proposed bill, which would also be positive because we have about 13 states that have EWA laws right now. And in 2025, 25 states proposed EWA legislation, but of course all of those states didn't pass the legislation. I am predicting for 2026 that we'll definitely see more proposed EWA legislation, leading to a hodgepodge of state laws that these companies may or may not need to comply with moving forward.
Jason Cover (17:04):
Definitely agree, Carlin.
Keith Barnett (17:06):
Okay, do you want to move on to the FTC Click to Cancel Rule?
Carlin McCrory (17:10):
Yeah. So the FTC's Click to Cancel Rule was voided by the U.S. Court of Appeals for the Eighth Circuit after the court found that the FTC failed to follow proper rulemaking procedures. But despite the rule being voided, the FTC's enforcement efforts remain robust. And instead, the FTC is relying on its authority to enforce these types of rules under ROSCA, which is the Restore Online Shoppers' Confidence Act, and Section 5 of the FTC Act to bring new enforcement actions against companies that they allege engage in deceptive business practices relating to auto-renewing products or services.
(17:54)
One complaint that I want to talk about to kick it off is the FTC alleged that Match.com deceptively induced consumers to subscribe by promising a complimentary six-month subscription without adequately disclosing the requirements to qualify for the free subscription period, that it unfairly suspended accounts of users who disputed charges, denying them access to paid services, and that they made cancellation procedures confusing and cumbersome. So the enforcement action against Match.com culminated in a $14 million settlement to be paid to consumers allegedly harmed by Match's practices. And the settlement requires Match.com to clearly disclose all material terms and conditions of its guarantees; refrain from misrepresenting restrictions or conditions related to those guarantees; to stop retaliatory actions against consumers who file billing disputes; and provide simple, accessible cancellation methods.
(19:00)
Similarly, the FTC announced a $7.5 million settlement with Chegg, which is an education technology provider, resolving allegations that Chegg continued to charge consumers after they attempted to cancel their subscriptions. They made online cancellation options difficult to locate. They created a confusing and cumbersome cancellation process, and they failed to improve cancellation accessibility even after being notified of consumer difficulties. The settlement also imposes compliance requirements on Chegg, including that the online cancellation mechanism must be easy to find, and that Chegg promptly processes those requests to cancel. I think the highlight here is the FTC is still enforcing rules, even though it may not be under the Click to Cancel Rule. And for these auto-renewing products and services, there must be clear and conspicuous disclosures of all of the material terms. You can't take retaliatory actions for consumers who file any sort of billing disputes. And of course, you need to make cancellation easy, ideally as easy as the consumer was able to sign up for the service and in the same method that the consumer signed up for the service, such that they can cancel in an efficient manner. Keith, do you want to talk about some other FTC enforcement actions?
Keith Barnett (20:33):
The other enforcement actions actually just go along the lines of what you just said. So even though 2025 saw a—I won't even say a less active, a non-active—CFPB with respect to enforcement actions in particular, especially in the payments world, to your point, Carlin, the FTC has still been active, right? So the FTC, in another enforcement action in 2025, filed an action against Cleo for alleged violations of ROSCA, which you just mentioned, and the FTC Act, Section 5. And it's very similar. There were allegations against an online cash advance company for making it difficult to cancel any type of recurring payments. According to the FTC's complaint, Cleo did not permit consumers with an outstanding cash balance to cancel their subscriptions. And if they tried to cancel, the company told them, according to the complaint, that the consumers could not cancel subscriptions until the full cash advance was repaid. And according to the FTC, this was a violation of ROSCA and the FTC Act. In addition to that, the FTC initiated an enforcement action against Paddle USA, which is a company that provides payment processing services for software companies, including sellers of tech support services.
(21:59)
And again, along the lines of ROSCA and the FTC Act, what we have been discussing, this also involved alleged violations of the Telemarketing Sales Rule, which the FTC and the CFPB enforce. But with the vacuum created by the CFPB, we're going to see more of the FTC actions to the extent that there is anything involving the Telemarketing Sales Rule. But according to the Paddle complaint, Paddle allegedly assisted tech support sellers in what the FTC called deceptive telemarketing by processing consumer debit and credit card payments for tech support sellers. And according to the complaint, Paddle knew that these sellers used deceptive advertisements and nonetheless processed these payments. So it almost has that Operation Choke Point type of feel. The other allegation which I found interesting, the other set of allegations on Paddle, was that Paddle processed card charges for these sellers, presenting those charges under Paddle's own name as a PayFac instead of the actual sellers' names. And according to the complaint, that was a violation of the FTC Act because that act had impeded the banks' and card networks' ability to detect and monitor those sellers' transactions to see if there were excessive chargebacks or excessive returns.
(23:30)
And according to the complaint, that's a violation of UDAP under the FTC Act. And along those lines as well, the complaint alleged that Paddle's payment aggregation practices—and what that means is that Paddle would process payments for multiple merchants, aggregate them together, and as a result, according to the complaint, the chargeback rate or the return rate would be artificially lowered. And according to the complaint, that practice obscured the deceptive sales practices of the clients. The complaint went on to say that Paddle failed to adequately screen its clients and ignored warnings of their deceptive practices and in some instances helped to conceal the deceptive practices of its clients.
(24:21)
And then finally, getting back to what you were talking about earlier, Carlin, about the trend with the FTC and ROSCA, the complaint also alleged that Paddle violated ROSCA by charging consumers for auto-renewing tech support subscription services without clearly disclosing the material terms, including the fact that the consumers will be charged on a recurring basis unless the subscriptions were canceled. So once again, we see a theme from 2025 with the FTC. But chief among them within that theme is ROSCA and auto-renewals and the failure to make sure that if someone wants to cancel an auto-renewal, that they make it easy to do so. With that, we'll wrap up this federal portion by turning it back to Jason to talk about Buy Now, Pay Later.
Jason Cover (25:12):
Yeah, Keith, continuing on another theme, this one being a notice or advisory opinion that is rescinded at a later date by the Trump administration. In 2024, the CFPB had issued an advisory opinion stating that Buy Now, Pay Later products were credit cards under Regulation Z, which caught many people off guard because most people did not think that a BNPL pay-in-four type product would be a credit card under Regulation Z. That classification causes a host of problems, which were further exacerbated by FAQs provided by the CFPB. Because most pay-in-four or other BNPL products are closed-end products, that classification as a credit card subjects closed-end products—or in theory, subjects those closed-end products—to multiple open-end provisions of Regulation Z, which really just is pounding a square peg in a round hole. Shockingly, this was met by widespread industry objection and a lawsuit. And then in 2025, that rule was rescinded by the Trump CFPB. We have seen a lot of this just in this podcast—rules that were made and then rules that were rescinded. All of these were obviously done without formal rulemaking, which made them very susceptible to someone wiping the proverbial slate clean in one fell swoop with an administration change.
(26:07)
What is really interesting though is, and kind of leading into our next podcast on state laws, at least one state, New York, has now essentially codified that same rulemaking—Buy Now, Pay Later products as credit cards under Regulation Z—in legislation passed last year. In addition to that classification, it also defines Buy Now, Pay Later loans extremely broadly. This was a similar problem under the CFPB's rule as well. So it's not always clear what may or may not be a Buy Now, Pay Later loan. It also added a licensing requirement and then, at least to some types of Buy Now, Pay Later loans, potential interest rate or fee caps. And there are some other substantive disclosure and record-retention requirements in that law.
(27:22)
But an interesting trend of a state somewhat picking up where the CFPB left off, to Carlin's earlier point, we're seeing at least some of that in the EWA space as well. It will be an interesting trend on a lot of these so-called informal rulemakings that the CFPB made and were formally rescinded—whether states will pick up that torch and codify, or regulators or AGs might have rulemakings or opinions of their own on those topics. As a segue to our next podcast, stay tuned and we'll be talking more about those issues.
Keith Barnett (27:54):
Sounds great. Well, Carlin and Jason, thank you for joining me today. Great to have you all here. I would like to remind our listeners that this is part one of our two-part series, so be sure to tune in the next time as we dive into the most important state level developments over the past year and how new laws, litigation trends and regulatory approaches are affecting the payments industry across jurisdictions. And don't forget to visit our blog, TroutmanFinancialServices.com and subscribe so you can get the latest updates. Also, please be sure to subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. We look forward to part two with you.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.
---------------------------------------------------------------------------
DISCLAIMER: This transcript was generated using artificial intelligence technology and may contain inaccuracies or errors. The transcript is provided “as is,” with no warranty as to the accuracy or reliability. Please listen to the podcast for complete and accurate content. You may contact us to ask questions or to provide feedback if you believe that something is inaccurately transcribed.