At the end of 2017, Mulvaney ordered a delay to the implementations of the bureau’s prepaid-card rules, which was set to go into effect in April, and would have forced financial institutions to limit customer’s losses in the event of a lost or stolen card, to provide easily accessible account information, and to look into and resolve transaction and account errors. The rule would have put significantly more pressure on the operators of such cards to provide accountability and risk management. In a statement that gave few specifics about what changes would be made, or when final implementation might occur, the bureau wrote, “The Bureau expects, based on its review of the comments received, to further extend the effective date of the 2016 rule.” Though the prepaid rule was finalized in 2016, implementation had been slowed as the agency sought comment for ways to improve it, and address concerns from the financial industry. In June, the agency asked for some specific feedback regarding tweaking the rules in order to prevent fraudulent claims, and to provide more clarity on how prepaid debit cards could be used in digital wallets.

On the same day that it announced a slowdown of prepaid implementation, the agency also announced that it was paring back requirements for the Home Mortgage Disclosure Act, which was put in place in 1975, and the authority to make rules related to the act was transferred to the CFPB via the Dodd-Frank Act. In 2015, the bureau set out to update what is known as Regulation C, the provision that governs how information on mortgages is collected, reported, and disclosed. And soon after, the bureau began toying with the idea of changing and clarifying some of Regulation C’s requirements. As of the first of the year, the agency will no longer ask financial institutions to resubmit erroneous data unless the errors were of material importance, and it won’t assess financial penalties for incorrect data. Going forward, the bureau is considering more significant revisions to the rule to reduce the reporting burden on financial institutions. That helps all types of financial companies that had complained about the difficulty of keeping up with the paperwork, reporting requirements, and fines associated with the rule.

Mulvaney has also instituted a freeze on any personal-data collection until the agency further shores up its cybersecurity defense. The use of personal-data collection in the agency’s robust complaint database, as well as the materials provided by financial institutions under the agency’s purview, has long been a sticking point for critics, who say that the practice could be dangerous. But the agency’s advocates note that the ability to pair personal data with financial information has allowed them to spot dangerous patterns, such as discrimination, and to create more tailored and effective rules.