As the lending industry looks toward the new year, it’s an important time to review compliance infrastructure and ensure readiness for the evolving regulatory landscape. Given the recent slowdown in federal rulemaking from the CFPB, the focus on state-level regulatory compliance has never been more critical. Between January 2024 and September 2025 (a twenty-month period), state legislatures and regulatory bodies enacted 119 changes that directly impact non-prime and indirect auto lending workflows, credit evaluation processes, add-on products, and dealership operations.

While this volume of change sits within what we consider an “average” operating environment, the sheer breadth of updates serves as a powerful reminder that continuous compliance vigilance isn’t optional—it’s foundational to sound business practice. The end of the year is the ideal moment to conduct a comprehensive internal audit, not just to fix known issues, but to proactively review internal best practices for challenges in the upcoming year, especially for dealers and subprime lenders whose operational risk increases when multiple state rules shift simultaneously.

A Balanced View of State-Level Shifts

A majority of the recent regulatory activity we track remains centered on vehicle-specific transactions, underscoring the enduring complexity of state-by-state auto finance laws. Of the total changes, 119 updates were concentrated in the motor vehicle space alone. This included significant activity in areas of dealer profit and consumer protection: there were 16 updates to add-on product regulations (like service contracts and GAP waivers) and 26 updates to dealer regulations, covering everything from warranty work wages to manufacturer relations. 

For subprime lenders, BHPH operators, franchise and independent dealers, even stable revenue streams require continued scrutiny of associated disclosures and refund processes to ensure compliance across different jurisdictions, including disclosure requirements for GAP waivers in states like Massachusetts and Illinois. This is especially crucial in the non-prime segment, where add-on products are often central to front-end gross profit and are evaluated more closely for potential consumer harm.

Beyond sales, administrative requirements saw important shifts, including 17 updates establishing or mandating the use of Electronic Lien Provisions. While these systems streamline processes, they often introduce new compliance fees that must be accurately implemented and disclosed – a key risk area for finance companies and dealers placing non-prime paper who must ensure these pass-through fees do not inadvertently trigger Truth-in-Lending violations.

Similarly, 12 updates to Dollar Bracket Adjustments for retail installment sales contracts (RISCs) and small loans mean that lenders must keep pace with incremental rate and threshold changes, many of which are tied to the Consumer Price Index (CPI). Maintaining system agility to handle these small, frequent adjustments is key to maximizing permissible returns and avoiding compliance headaches, particularly in states with strict rate limits that change annually or on a regular cadence – an area where subprime lenders who operate near statutory max APRs face heightened exposure.

The Emerging Compliance Frontier: Data Privacy

While the bulk of regulatory activity has been steady and predictable, one area shows a clear and accelerating upward trend: Info Security and Data Privacy. Overall, the period saw 18 updates related to consumer data protections affecting consumer credit. What’s particularly noteworthy is the emerging focus on data privacy within the motor vehicle sales cycle. Although the number of direct MV Privacy Provisions is currently small—with only three updates identified—this is the segment showing a distinct “lift.”

This is the industry’s early warning signal of motor vehicle-specific data privacy laws—the compliance equivalent of a future disruption. These updates focus specifically on provisions for data removal following a sale, often requiring dealers to delete consumer data stored in the vehicle itself.

This trend is set to accelerate. For subprime lenders and dealers who regularly handle sensitive consumer information, this means going beyond traditional information security—protecting customer data on internal servers—to understanding and enforcing the downstream obligations of data handling post-sale. As an example, a robust modern compliance plan must include specific protocols for managing and deleting data in connected vehicles, defining who is responsible for this task, and ensuring compliance across the dealership network – a notable shift for lenders who increasingly rely on telematics, connected-car payment tools, and GPS devices in the non-prime space.

A Year-End Compliance Checklist

The 179 state-level changes over the past two years reinforce a singular priority for the new year: robust operational readiness. An average volume of change is still a massive volume of work when executed across 50 states.

Auto dealers, subprime lenders, BHPH operators, and indirect finance partners should implement a targeted, year-end compliance checklist:

  1. Review System Agility: Verify that systems for calculating rates, fees, and payments are immediately updated to reflect the 12 observed bracket adjustments and the 11 documentary fee updates. 
  2. Audit Add-on Disclosures and Refund Processes: Conduct a full audit of all add-on product sales (16 updates) to ensure current disclosures and refund procedures align with the latest state laws, particularly for GAP waivers.
  3. Prioritize Data Privacy Preparedness: This is the most critical step for future-proofing your compliance management system. Develop and test internal protocols for handling requests for data deletion, especially for data stored within the vehicle itself, and be prepared for increased regulation in this space.

By addressing the steady flow of traditional motor vehicle and lending changes while keeping a vigilant eye on the rapidly increasing importance of data privacy, the subprime lending and dealership community can enter the new year not just compliant, but strategically positioned for future stability, compliance responsiveness, and overall growth. Do not mistake regulatory uncertainty or a shifting federal focus for permission to relax internal processes and guidelines. In fact, the fragmented and active state landscape demands the opposite. Use this moment to invest in tightening your policies and procedures—reshaping today’s compliance efforts into tomorrow’s competitive advantage.