This text has undergone thorough fact-checking to ensure accuracy and reliability. All information presented is backed by verified sources and reputable data. By adhering to stringent fact-checking standards, we aim to provide you with reliable and trustworthy content. You can trust the information presented here to make informed decisions with confidence.
The CFPB Payday Loan Rule, effective March 30, 2025, introduces strict guidelines for payday, auto title, and certain high-cost installment loans. Its key feature, the "two-strike" payment rule, limits lenders from making more than two consecutive failed withdrawal attempts from a consumer's account without new authorization. This rule impacts lenders, debt buyers, and portfolio managers by increasing compliance requirements and altering portfolio valuations. Here's what you need to know:
This rule changes how payday loan portfolios are managed and traded, emphasizing compliance, detailed recordkeeping, and risk management.
CFPB Payday Loan Rule Two-Strike Payment Process and Compliance Requirements
The CFPB payday loan rule lays out a structured approach aimed at shielding consumers from excessive fees and harmful payment practices. For anyone involved in holding or trading payday loan portfolios, understanding these rules is essential. Non-compliance can lead to serious legal and financial repercussions.
This rule limits how lenders and portfolio holders can withdraw payments from consumer accounts. It applies to:
A leveraged payment mechanism refers to any setup where a lender can withdraw funds without additional consumer action, such as ACH transfers, post-dated checks, or payment orders. This mechanism determines whether a loan falls under the rule’s jurisdiction.
One key aspect: if two consecutive withdrawal attempts fail due to insufficient funds, the lender cannot make further debits without obtaining new consumer authorization. This restriction applies not just to the failed payment but to all future payments on the loan and any other covered loans the consumer has with the lender. As the CFPB explains:
"After two straight unsuccessful attempts, the lender cannot debit the account again unless the lender gets a new authorization from the borrower."
Additionally, lenders must notify consumers in writing before attempting to withdraw a payment at an unusual interval or for an unexpected amount. These foundational rules mean portfolio holders must align their operations to meet the rule’s compliance demands.
Portfolio holders must adhere to specific documentation and operational standards under the rule. One major requirement is maintaining systems that monitor failed payment attempts in real time. After two consecutive failures, all automated withdrawal processes must stop until new consumer authorization is obtained.
Key compliance steps include:
The CFPB takes enforcement seriously. Unauthorized payment attempts after two consecutive failures are labeled as an "unfair and abusive practice". Violating the rule’s debit attempt cutoff can also breach the Electronic Fund Transfer Act (EFTA) and Regulation E, potentially leading to private lawsuits where consumers can recover the transferred amounts plus statutory damages. Beyond private actions, state attorneys general may pursue cases under state Unfair and Deceptive Acts and Practices (UDAP) statutes, and the CFPB itself can directly enforce compliance.
Although the CFPB announced in March 2025 that it would not immediately prioritize enforcement for some small loan providers while considering adjustments to the rule, the regulation remains active and enforceable. Portfolio holders should not view this as a reason to delay compliance. The legal framework is in place, and violations can result in serious consequences.
The CFPB payday loan rule has changed how payday loan portfolios are valued in the secondary market. Both buyers and sellers are navigating a new set of risks as recovery expectations, pricing methods, and asset evaluation standards adapt to the updated regulatory framework.
The two-strike limit on collection attempts has directly impacted recovery rates. If two consecutive automated debit attempts fail due to insufficient funds, further attempts are halted until new written authorization is obtained. This rule lowers automated recovery rates and increases costs tied to obtaining renewals. As a result, lenders are now more reliant on manual outreach, which is reflected in settlement trends. For instance, larger accounts often settle for 15%-35% of the balance, while smaller accounts typically settle for 70%-90%. These recovery hurdles play a key role in determining how portfolios are priced in the secondary market.
Pricing negotiations now hinge on compliance costs and regulatory risks. The payday lending market has seen a sharp decline - storefront and online revenue fell from over $9 billion in 2012 to $4.6 billion in 2018, and the number of storefronts dropped from over 24,000 in 2007 to about 13,700 in 2018. This decline, driven by regulatory pressures and a move toward small-dollar installment loans, has reduced both the availability and pricing of traditional payday loan portfolios.
Buyers must account for the costs of maintaining compliance programs, detailed recordkeeping, and the risk of regulatory enforcement. For example, in March 2023, the CFPB ordered Portfolio Recovery Associates to pay over $12 million in consumer redress and an additional $12 million civil penalty for illegal debt collection practices. CFPB Director Rohit Chopra emphasized:
"CFPB orders are not suggestions, and companies cannot ignore them simply because they are large or dominant in the market."
This regulatory focus forces buyers to discount portfolio prices to account for potential penalties and compliance expenses. These pricing adjustments also reflect the quality of the underlying assets, prompting buyers to scrutinize documentation and recovery patterns more closely.
The quality of payday loan portfolios is now heavily tied to documentation and compliance history. Portfolios with properly documented authorization renewals are more valuable, as they offer a clearer recovery pathway. On the other hand, portfolios without adequate authorization records or those filled with older accounts nearing the statute of limitations are often devalued.
The 2020 revocation of ATR (ability-to-repay) underwriting shifted the focus toward managing default risks and monitoring loan sequences. Buyers now evaluate portfolios for compliance with the 30-day cooling-off period after three successive covered loans. Additionally, loans with a leveraged payment mechanism and an APR above 36% are subject to the two-strike limit, which affects their recovery potential.
Portfolios are increasingly judged on clean payment logs, timely consumer notices, and accurate data submitted to CFPB-registered information systems. Without these elements, portfolios are likely to face valuation cuts in today’s market. These shifts in asset quality standards highlight the far-reaching impact of the CFPB rule on how portfolios are managed and valued.
To navigate the CFPB payday loan rule, businesses need systems that can effectively track, document, and enforce compliance across their debt portfolios. These strategies tackle the challenges of portfolio valuation and risk management while ensuring adherence to regulatory standards. Below are key approaches for building compliance systems tailored to debt portfolio management.
The first step toward compliance is proper loan categorization. Loans must be classified into specific categories: short-term loans (repaid within 45 days), longer-term balloon-payment loans, or high-cost longer-term loans with an APR over 36% and a leveraged payment mechanism. This categorization determines which regulations apply and the necessary documentation.
A critical focus is on leveraged payment mechanisms. These occur when lenders can initiate account transfers - via ACH, checks, or electronic fund transfers - without additional consumer action. It’s important to differentiate between "push" payments (initiated by the consumer) and "pull" payments (initiated by the lender), as only pull payments typically trigger leveraged payment requirements.
Tracking exemptions also requires precision. For alternative loans, systems must confirm that the principal amount is between $200 and $1,000, the term spans one to six months, and borrowers do not hold more than three such loans within a 180-day period. For accommodation loans, firms must ensure that the lender and its affiliates issued no more than 2,500 covered loans in the current and prior calendar years. Resources like the CFPB's "Small Entity Compliance Guide" and "Payday Examination Procedures" offer detailed checklists that can be incorporated into internal audits.
Strong risk management protocols minimize the chance of regulatory penalties by ensuring continuous monitoring and documentation. Payment transfer audits are a key component. Systems should automatically suspend recurring debits after two NSF (non-sufficient funds) returns, acting as a "kill switch" under the two-strike rule.
Recordkeeping is equally important. Under 12 CFR 1041.12, firms must maintain thorough records, including loan terms, payment attempts, consumer authorizations, and proof of recurring income for exempt loans. These records should be digitally archived, well-organized, and easily searchable for regulatory reviews.
Volume tracking is essential for firms relying on the accommodation loan exemption. A centralized system should monitor the total number of covered loans issued by affiliates to ensure they remain under the 2,500-loan cap. Additionally, firms must verify that no more than 10% of their receipts in the prior tax year came from covered loans.
Technology plays a vital role in streamlining compliance and reducing manual errors. Automated systems can generate and send required payment notices before transfers occur. These systems also integrate model disclosures into loan management platforms, triggering notifications based on payment schedules and authorization status.
APR calculation engines are indispensable for determining whether loans exceed the 36% cost of credit threshold under Regulation Z. Real-time analytics can flag when an open-end credit plan transitions into a covered loan - such as when fees push the cost of credit above 36% - and apply the appropriate compliance measures.
Platforms like Debexpert enhance compliance workflows with secure file sharing, end-to-end encryption, and portfolio analytics. Buyers can request compliance records, while sellers provide authorization histories, payment logs, and exemption documentation. These tools ensure portfolio compliance before transactions are finalized.
Digital recordkeeping systems further centralize compliance data by tracking leveraged payment authorizations, failed payment attempts, consumer notices, and total loan volumes across affiliates. Organized and accessible records not only simplify regulatory reviews but also help mitigate the risk of penalties tied to documentation lapses.
The new rule has reshaped how payday loan portfolios are traded. Buyers now face heightened compliance risks, while sellers must provide detailed documentation. Since the March 30, 2025 compliance deadline, portfolio transactions have shifted from focusing primarily on recovery rates to requiring thorough audits of payment histories, consumer authorizations, and exemption qualifications. These due diligence steps are directly tied to pricing negotiations and the disclosures required in portfolio transfers.
When trading payday loan portfolios, due diligence isn't just important - it's essential. Buyers need to conduct a detailed audit of loan classifications to determine whether each loan qualifies as a "covered loan." These include short-term loans repaid within 45 days, longer-term loans with balloon payments, or high-cost loans with an APR over 36% and a leveraged payment mechanism. This classification is critical because it determines the compliance obligations that accompany the portfolio.
Another key step is the two-strike rule audit. This involves reviewing the payment transfer history of each loan to ensure no third attempt was made after two consecutive failed attempts due to insufficient funds - unless a new consumer authorization was obtained. To verify this, buyers should request a table showing transfer dates, due amounts, attempted amounts, and payment methods. Violations in this area can make loans uncollectible or expose buyers to regulatory penalties.
Buyers must also verify the status of leveraged payment mechanisms. This means distinguishing between "push" payments (initiated by the consumer, such as through online banking) and "pull" payments (initiated by the lender, like ACH debits or post-dated checks). The rule's requirements apply only to pull payments, which significantly affects portfolio valuation.
For portfolios claiming exemptions, buyers need to confirm that the loans meet specific criteria. For example, accommodation loan exemptions require proof that the lender and its affiliates issued 2,500 or fewer covered loans in both the current and prior calendar years, with covered loans accounting for no more than 10% of receipts in the previous tax year.
Regulatory compliance costs have a direct impact on how payday loan portfolios are valued. Portfolios with high delinquency rates often require steep discounts because re-engaging consumers to obtain new payment authorizations after two failed attempts can be costly . Break-even analysis under the rule has also become more complex. For instance, a $500 loan with a three-month term might need an APR above 60% to cover expenses and a 10% default rate.
When negotiating, portfolios should be segmented based on compliance status. Loans with clean payment histories and proper authorizations are more valuable than those with documentation gaps or requiring re-authorization. Exempt loans, particularly those meeting alternative loan criteria, may fetch a premium due to reduced regulatory exposure. However, as Greg Baer, President & CEO of the Bank Policy Institute, warns:
"Banks recognize... that any favorable guidance could be rescinded, or that another agency might take a different, even contradictory view".
This uncertainty often leads to risk discounts during pricing negotiations.
Higher compliance tracking requirements also add to servicing costs. Advanced systems are needed to monitor payment strikes and automatically stop withdrawals after two failed attempts, which increases operational expenses . Buyers should adjust their pricing to account for these ongoing costs, especially for portfolios requiring active collection efforts.
Clear and comprehensive disclosure is critical for sellers to avoid transferring hidden compliance risks. Sellers must provide detailed records of payment transfer disclosures, including written notices sent to consumers before attempting to withdraw payments from their accounts . Buyers should request these notices to verify their timing and accuracy.
Authorization records are another key requirement. As Lauren Saunders, Associate Director at the National Consumer Law Center, explains:
"The Payday Loan Rule deems it an unfair and abusive practice for lenders to attempt to withdraw payment from a consumer's account after the lender's second consecutive attempt fails due to insufficient funds unless the lender obtains a new consumer authorization".
Sellers need to provide evidence of these new authorizations, along with documentation detailing how they were secured.
For portfolios involving wage advances or no-cost advances, sellers must disclose whether they assured consumers that the debt would not be sold to a third party. If such assurances were made, selling the portfolio could bring these loans under the rule's full scope. This protects buyers from unknowingly acquiring portfolios with hidden compliance obligations.
Sellers also need to disclose the leveraged payment mechanism status of each loan. According to the CFPB:
"The condition regarding a leveraged payment mechanism... is satisfied if the loan agreement provides that the consumer authorizes or must authorize the lender or service provider to debit the consumer's account on a recurring basis at some future date".
This information helps buyers assess compliance requirements and determine accurate portfolio pricing.
APR calculations under Regulation Z must also be disclosed. Any loan exceeding a 36% APR with a leveraged payment mechanism qualifies as a covered longer-term loan. Sellers should provide detailed credit cost calculations to avoid disputes over loan classification. Additionally, sellers must share recordkeeping documentation - such as loan agreements and payment transfer histories - which must be maintained for three years after a loan is no longer active.
Platforms like Debexpert simplify these disclosure processes by offering secure file sharing and encryption. Sellers can upload critical documents like authorization histories, payment logs, and exemption details, while buyers can request specific compliance records before finalizing a deal. This centralized system streamlines due diligence and ensures both parties have the necessary documentation for compliant portfolio transfers.
The CFPB's Payday Loan Rule, effective March 30, 2025, has reshaped how lenders and portfolio holders handle payments on covered loans. The rule's centerpiece is the "two-strike" provision, which prohibits further payment withdrawals after two consecutive failed attempts unless the borrower provides new authorization [3,6]. This applies to short-term loans (45 days or less), longer-term balloon-payment loans, and high-cost loans with an APR over 36% that use a leveraged payment mechanism [3,11]. Although the "ability-to-repay" requirements were repealed in July 2020, the payment provisions remain enforceable. Additionally, portfolio holders must retain detailed records for three years after a loan ends.
Now that the rule is clear, let’s focus on actionable steps to ensure compliance:
Regulatory changes will continue to shape the payday loan market. While the CFPB hinted in March 2025 at potentially narrowing the rule's scope for certain products - like "buy now, pay later" services or small loan providers - state attorneys general still have full authority to enforce the rule independently [3,1]. This dual enforcement system means federal priorities may shift, but state-level actions remain a constant concern.
Private lawsuits are also on the rise, with consumers increasingly citing rule violations to support claims under the Electronic Fund Transfer Act and state consumer protection laws. These trends are likely to impact portfolio valuations, as compliance costs grow. Loans with thorough documentation will likely fetch higher prices, while those requiring re-authorization or missing key records may see reduced demand.
Success in this changing landscape depends on maintaining strong compliance systems, staying updated on federal and state regulations, and conducting meticulous due diligence during portfolio transactions. A proactive approach will help navigate the risks and opportunities ahead.
A "failed attempt" under the two-strike rule generally means a borrower's payment attempt that does not go through successfully. However, the exact definition of what constitutes a "failed attempt" isn't explicitly outlined here. For precise details, it's best to refer to official CFPB regulations or other compliance-related materials.
A lender is allowed to make additional withdrawal attempts after two failed debit attempts, but only if they secure the consumer's new and explicit authorization for these extra transactions. This process helps ensure they meet legal standards while respecting the rights of the consumer.
Buyers should always ask for documentation that confirms compliance with regulations and provides clear details about loan terms. Key documents to review include underwriting records, loan agreements, borrower financial information, and payment attempt records. Make sure there’s evidence of adherence to record retention rules, such as disclosures, payment histories, and borrower communications.
It’s also important to carefully examine loan origination files. This step helps ensure transparency and compliance with fair lending practices while giving insight into the portfolio's quality and potential risks.
More than a decade of Ivan's career has been dedicated to Finance, Banking and Digital Solutions. From these three areas, the idea of a fintech solution called Debepxert was born. He started his career in Big Four consulting and continued in the industry, working as a CFO for publicly traded and digital companies. Ivan came into the debt industry in 2019, when company Debexpert started its first operations. Over the past few years the company, following his lead, has become a technological leader in the US, opened its offices in 10 countries and achieved a record level of sales - 700 debt portfolios per year.
.svg){kind=icon}
.svg){kind=icon}
.svg){kind=icon}
