CFPB Announces Plan to Review Offenses Carrying Criminal Penalties

On June 27, the Consumer Financial Protection Bureau (CFPB) issued a policy statement, “Guidance on Referrals for Potential Criminal Enforcement,” which outlines its plan to address criminal regulatory offenses within its jurisdiction, as directed by President Donald Trump’s May 9, 2025, Executive Order (EO)14294, “Fighting Overcriminalization in Federal Regulations.” EO 14294 defines a “criminal regulatory offense” as a “Federal regulation that is enforceable by a criminal penalty,” and directs the head of each federal agency to provide a report containing a list of “all criminal regulatory offenses enforceable by the agency or the Department of Justice” (DOJ), and for each criminal regulatory offense identified, “the range of potential criminal penalties for a violation and the applicable mens rea standard for the criminal regulatory offense.” EO 14294 “strongly discourages[]” criminal enforcement of any criminal regulatory offense not identified in the report.

Referrals for criminal prosecution

While it is widely known that the CFPB administers and civilly enforces federal consumer financial laws, some regulations issued by the CFPB under these laws carry criminal penalties. The CFPB may refer alleged violations of criminal regulatory offenses to the DOJ for prosecution. The policy statement indicates that, in doing so, the CFPB will consider the following four factors – among others – when exercising discretion in referring criminal regulatory offenses to the DOJ:

• The harm or risk of harm caused by the alleged offense.
• The potential gain to the putative defendant that could result from the offense.
• Whether the putative defendant held specialized knowledge, expertise or an industry license related to the regulation at issue.
• Evidence of the putative defendant’s general awareness of the unlawfulness of its conduct as well as its knowledge of the regulation at issue.

By May 9, 2026, the CFPB will submit to the director of the Office of Management and Budget (OMB), in consultation with the attorney general, a report listing all criminal regulatory offenses enforceable by the CFPB or DOJ, along with the range of potential criminal penalties for a violation of each offense and the applicable mens rea standard for the offense.

When weighing whether to refer a criminal regulatory offense to the DOJ, the CFPB will consider whether the contemplated criminal offense is on the list. This report will be updated on at least an annual basis and made publicly available on the CFPB’s website.

Historically, the CFPB has referred cases to the DOJ for criminal prosecution when such cases involve egregious conduct. For example, in 2013, the DOJ charged the owner and employees of a debt relief company with conspiracy to commit mail and wire fraud – the “first-ever criminal charges based on [CFPB] referral.” In that case, the defendants orchestrated a multimillion-dollar fraud scheme that convinced more than 1,200 “debt-ridden individuals” to pay for debt settlement services, and the defendants “never paid a penny to the customers’ creditors.” Similarly, in 2017, a jury in the US District Court for the Southern District of New York convicted the principal of a payday lending enterprise of wire fraud, aggravated identity theft, and violations of the Racketeer Influenced Corrupt Organizations Act and the Truth in Lending Act, following a civil action brought by the CFPB. The defendant in that case “systematically evaded state usury laws in order to charge illegally high interest rates,” and issued payday loans to consumers who never sought them.

Evaluation of mens rea

EO 14294 calls for each federal agency to examine whether the agency’s statutory authorities allow it to adopt a “background” or default mens rea standard for criminal regulatory offenses. The CFPB will assess, in consultation with the attorney general, whether it can adopt a default mens rea standard. In addition, the CFPB will submit a report to the OMB director assessing whether the applicable mens rea standards for criminal regulatory offenses are appropriate. If necessary, the CFPB also will present a plan to change the applicable mens rea standards to a generally applicable standard and provide a justification for each criminal regulatory offense for which the CFPB plans to deviate from the default standard.

Future rules and notices of proposed rulemaking

Finally, the CFPB will coordinate with the DOJ to draft a statement to be included in all future notices of proposed rulemaking (NPRMs) and final rules that carry a criminal penalty. The statement will indicate that the proposed or final rule is a criminal regulatory offense and will cite the authorizing statute for that penalty. Additionally, all NPRMs and final rules will include the mens rea requirement for each element of the offense.

Looking ahead

While the CFPB has used its criminal referral authority in the past in more limited fashion, the rhetoric of the last administration – labeling companies “repeat offenders” for even minor missteps, emphasizing “illegal” conduct for technical regulatory violations and targeting individuals for enforcement actions – caused much anxiety about the subjectivity and discretion in the CFPB’s reach. While there are many reasons we expect to see a decrease in CFPB activity all around, because the EO’s stated policy is that strict liability offenses are “generally disfavored,” it is possible that this process may result in changes to enforcement of certain statutory violations. Moreover, because so many of the laws applicable to financial institutions were written without contemplation of evolving technology, consumer behavior and industry practices, providing clarity behind the analysis and decision-making process will provide companies with helpful context when evaluating their own risk.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may have been generated with the assistance of artificial intelligence (AI) in accordance with our AI Principles, may be considered Attorney Advertising and is subject to our legal notices.