All 18 checks with why-it-matters prose, severity, and cross-references to related audits.
Reg Z (TILA) requires that all fees be disclosed before a consumer commits to a credit product — and the FTC Click-to-Cancel rule extends a parallel obligation to subscription billing. When a user reaches the confirmation screen without seeing the full cost, they cannot make an informed choice. Post-commitment fee discovery drives chargebacks, erodes trust, and creates regulatory exposure under CFPB enforcement. FINRA Rule 2210 independently prohibits omitting material information in communications with the public, which courts and regulators have applied to investment product fee schedules. Burying fees in linked Terms & Conditions does not satisfy pre-commitment disclosure — the information must appear in the purchase flow itself.
Why this severity: Critical because a user who commits without knowing the full fee structure cannot give informed consent, exposing the product to CFPB enforcement, FTC action, and chargeback liability simultaneously.
finserv-disclosure.fee-rate.fees-before-commitment

Reg Z (TILA), codified at 12 CFR 1026.6 and 1026.18, mandates that the Annual Percentage Rate be conspicuously disclosed on credit product pages — not buried in a linked PDF or discoverable only after application. A credit product that hides its APR until post-application exposes users to deceptive lending practices and exposes the company to CFPB enforcement and private right of action under TILA. FINRA Rule 2210 reinforces this for investment credit products: omitting material cost information (such as borrowing rates) from customer-facing communications is a standalone violation. APR buried below the fold on a 1080p display also fails the "prominence" standard regulators apply at examination.
Why this severity: Critical because APR omission violates Reg Z (TILA) 12 CFR 1026.18 by withholding a mandated material disclosure, creating CFPB enforcement exposure and private TILA claims.
finserv-disclosure.fee-rate.apr-disclosed

The FTC Click-to-Cancel rule (effective 2024) requires that subscription terms — billing cycle, first charge date, renewal schedule — be disclosed clearly before the user submits payment. Reg Z (TILA) 12 CFR 1026.6(b) extends this requirement to open-end credit plans by mandating periodic payment disclosures. A checkout screen that shows only "$9.99/month" without specifying when the first charge fires or when it renews is not a billing disclosure — it is a price tag. Users who discover unexpected timing (e.g., charged immediately on free-trial signup) dispute the charge, generating chargebacks and triggering payment processor scrutiny.
Why this severity: High because incomplete billing disclosures violate FTC Click-to-Cancel regulations and Reg Z 12 CFR 1026.6(b), directly causing chargebacks and enabling regulatory action under Section 5 of the FTC Act.
finserv-disclosure.fee-rate.billing-terms

Reg Z (TILA), 12 CFR 1026.18, requires creditors to disclose six specific fields — APR, finance charge, amount financed, total of payments, payment schedule, and prepayment penalty — before consummation of a credit transaction. Omitting any of these fields is not a technicality; CFPB examiners treat each missing field as a separate violation. A product that surfaces only the APR while omitting the finance charge and total of payments deprives users of the information they need to compare loan costs across lenders. The CFPB's TILA guidance (cfpb-tila-guide) specifies that disclosures must be "clear and conspicuous" and delivered in writing before the consumer is bound.
Why this severity: High because TILA 12 CFR 1026.18 treats each missing field as a discrete disclosure violation, with CFPB enforcement authority including civil money penalties and restitution orders.
finserv-disclosure.fee-rate.tila-disclosures

Dense legalese and unconstrained line lengths push readers past the comprehension threshold, so users click through Terms they never actually parsed. For financial products, that failure mode matters under CFPB UDAAP guidance and state consumer-protection statutes: regulators and plaintiffs treat unreadable disclosures as effectively absent, which undermines the enforceability of indemnity, arbitration, and limitation-of-liability clauses. The content-integrity and user-experience taxons both apply — jargon-heavy paragraphs running 120 characters wide also hurt accessibility for low-vision and cognitively impaired users covered by WCAG 2.2.
Why this severity: High because unenforceable Terms expose the business to regulatory action and invalidated liability protections during disputes.
finserv-disclosure.terms-legal.terms-plain-language

Regulation B (Equal Credit Opportunity Act), 12 CFR 1002.9, requires creditors to notify applicants of their rights under ECOA at the point of application. Placing this notice only in a Terms & Conditions document does not satisfy Reg B — the notice must appear on or immediately adjacent to the application form itself. A missing or inadequate equal opportunity notice exposes the company to both CFPB enforcement and private ECOA claims, and courts have not been sympathetic to the argument that a hyperlinked document satisfies the co-location requirement. The notice must enumerate protected characteristics; a generic nondiscrimination statement that omits the statutory list of characteristics is insufficient.
Why this severity: High because ECOA (Reg B, 12 CFR 1002.9) imposes a statutory duty to co-locate the equal opportunity notice with every credit application, and omission creates both regulatory and private civil exposure.
finserv-disclosure.terms-legal.equal-opportunity-notice

GDPR Art. 13 requires privacy information to be provided at the time personal data is collected, which in practice means the privacy policy must be reachable from every page where a user interacts with the product. The CCPA §1798.100 imposes a parallel obligation for California residents. The FTC's privacy policy guidance treats a footer link as the minimum baseline for consumer awareness. A financial product with authenticated dashboards, account settings, or transaction screens that lack footer privacy links fails to satisfy any of these frameworks — and regulators treat authenticated sections as higher-risk because they process more sensitive data than marketing pages.
Why this severity: Medium because absence of a privacy link on authenticated pages violates GDPR Art. 13 and CCPA §1798.100 notice requirements, but does not directly expose user data or enable unauthorized access.
finserv-disclosure.terms-legal.privacy-footer

The FTC's policies on negative option marketing (including the 2024 Click-to-Cancel rule) require that refund and cancellation terms be specific, not discretionary. A policy that says "refunds at our discretion" is not a policy — it is a blank check for dispute. Financial products that lack specific refund timeframes generate disproportionate chargeback rates because users who cannot find cancellation instructions dispute the charge instead. The FTC Click-to-Cancel rule further requires that cancellation be "as easy" as signup, which implies the cancellation path and its terms must be disclosed at the time of purchase.
Why this severity: Medium because a vague or absent refund policy predictably drives chargebacks and FTC Click-to-Cancel violations, causing measurable revenue loss and payment processor risk flags.
finserv-disclosure.terms-legal.refund-policy

The Dodd-Frank Act §1034 requires covered financial institutions to cooperate with CFPB consumer complaint investigations and directs institutions to inform consumers of the CFPB's complaint process. A support page that lists only internal support channels gives users no path to external recourse when they believe the company has acted improperly. For consumer-facing financial products, CFPB contact information is not optional courtesy — it is a mandated disclosure in a supervised entity's customer-facing communications. The absence of this information signals to both regulators and users that the company is not operating as a supervised financial service.
Why this severity: Medium because omitting CFPB contact information on support pages directly contradicts Dodd-Frank §1034 cooperation requirements and signals non-compliance to bank examiners.
finserv-disclosure.consumer-protection.cfpb-contact

Regulation E (Electronic Fund Transfer Act), 12 CFR 1005.11, requires financial institutions to maintain an error resolution procedure and to inform consumers of that procedure with every periodic statement. The Fair Credit Billing Act (FCBA) separately requires a 60-day dispute window disclosure on credit card statements. A transaction history page that shows charges without a dispute notice creates a misleading impression that users cannot challenge errors — and in the absence of a disclosed dispute window, regulators will infer the institution is concealing consumer rights. Institutions that omit this notice face CFPB enforcement and potential liability for undisclosed errors that go unresolved because users were not informed of their rights.
Why this severity: Medium because Reg E 12 CFR 1005.11 mandates that error resolution rights appear on every statement, and omission means consumers may waive rights they are not aware they possess.
finserv-disclosure.consumer-protection.dispute-notice

A bare `$9.99` is ambiguous the moment a visitor from Canada, Australia, Singapore, or the UK lands on the pricing page — four different dollar currencies share the same symbol, and misreading a 35% exchange delta is a chargeback waiting to happen. Missing jurisdiction statements compound the problem: without naming the governing state and regulator, you cannot rely on choice-of-law clauses in disputes, and you violate disclosure expectations from the CFPB, FTC, and state financial regulators. The content-integrity taxon flags this as a trust-and-accuracy failure rather than a cosmetic one.
Why this severity: Low because the ambiguity is usually resolved before purchase, but it still drives chargebacks and weakens choice-of-law defenses.
finserv-disclosure.presentation-quality.currency-jurisdiction

The FTC Click-to-Cancel rule and ROSCA (Restore Online Shoppers' Confidence Act) both require affirmative explicit consent before a consumer is enrolled in a recurring charge. GDPR Art. 7 adds the requirement that consent be freely given, specific, informed, and unambiguous — a pre-checked checkbox satisfies none of these criteria. A checkout form where the billing consent checkbox is pre-checked (`defaultChecked={true}`) or where consent is inferred from accepting generic Terms is not compliant under any of these three frameworks. The business impact is concrete: Visa and Mastercard both treat pre-authorization failures as chargeback-eligible events under their dispute guidelines.
Why this severity: Low because the failure is a UI-level consent defect rather than a missing disclosure, but pre-checked or absent billing consent is a ROSCA and FTC violation that chargeback processors specifically flag.
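As an added example that is not part of the audit page or its tooling, the following JavaScript shows the two halves of the pre-authorization consent check above: a source-level scan that flags billing-consent checkboxes rendered with `defaultChecked`/`checked` set to true, and the request-side gate a billing endpoint should apply so that enrollment never proceeds on inferred consent. The sample JSX strings, the keyword list, and the function names (`findPrecheckedConsent`, `requireExplicitConsent`) are constructed for illustration.

```javascript
// Added example: detection and server-side gating for the preauth-consent pattern.
// Names, sample JSX and the keyword heuristic are this example's own assumptions.

// Words that mark a checkbox as the billing / recurring-charge consent control.
const CONSENT_HINTS = /consent|agree|authori[sz]e|recurring|billing|autopay/i;

// Scan JSX/HTML source for consent checkboxes that are pre-checked.
// Returns one finding per offending <input> with its 1-based line number.
// Limitation: an attribute value containing '>' truncates the matched tag.
function findPrecheckedConsent(source) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    const tag = m[0];
    if (!/type\s*=\s*["']checkbox["']/i.test(tag)) continue;
    if (!CONSENT_HINTS.test(tag)) continue;
    // Pre-checked forms: bare `checked` / `defaultChecked`, `={true}`, or
    // `="true"` / `="checked"`. A controlled `checked={someState}` is not
    // flagged here because its initial value is decided elsewhere.
    const prechecked =
      /\b(defaultChecked|checked)(?=[\s/>])/i.test(tag) ||
      /\b(defaultChecked|checked)\s*=\s*(\{\s*true\s*\}|["'](true|checked)["'])/i.test(tag);
    if (prechecked) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ line, tag: tag.trim() });
    }
  }
  return findings;
}

// Request-side gate: only a literal affirmative value submitted by the
// consent control counts. Absence of the field, or acceptance of the generic
// Terms, is never treated as billing consent. Returns {ok, reason|evidence}.
function requireExplicitConsent(formBody) {
  const raw = formBody.billingConsent;
  const affirmative = raw === true || raw === 'on' || raw === 'true';
  if (!affirmative) {
    return { ok: false, reason: 'no affirmative billing consent submitted' };
  }
  return {
    ok: true,
    // Evidence record to persist with the enrollment (constructed shape).
    evidence: {
      field: 'billingConsent',
      value: String(raw),
      consentedAt: new Date().toISOString(),
      termsVersion: formBody.termsVersion ?? null,
    },
  };
}

// Constructed sample: the first input is the defect the audit flags, the
// newsletter opt-in is not a billing consent, the last input is controlled.
const SAMPLE_CHECKOUT_JSX = `
<form>
  <input type="checkbox" name="billingConsent" defaultChecked={true} />
  <label>Authorize recurring charge of $9.99/month</label>
  <input type="checkbox" name="newsletter" defaultChecked />
  <input type="checkbox" name="billingConsent" checked={consent} onChange={toggleConsent} />
</form>`;

// Constructed sample of the compliant form: unchecked by default, user-driven.
const COMPLIANT_CHECKOUT_JSX = `
<form>
  <input type="checkbox" name="billingConsent" checked={consent} onChange={toggleConsent} required />
  <label>I authorize a recurring charge of $9.99 USD on the 1st of each month</label>
</form>`;

console.log(findPrecheckedConsent(SAMPLE_CHECKOUT_JSX));
console.log(findPrecheckedConsent(COMPLIANT_CHECKOUT_JSX));
console.log(requireExplicitConsent({ termsAccepted: true }));
```

The keyword heuristic deliberately ignores unrelated opt-ins (the newsletter checkbox above), so findings stay focused on the control whose state authorizes a charge; widen `CONSENT_HINTS` to match a codebase's own naming.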
finserv-disclosure.presentation-quality.preauth-consent

Mixed fee formats — `$0.50` on pricing, `.5 USD` at checkout, `0.50` on statements — make users second-guess the amount and erode trust at the exact moments they are deciding whether to pay. Inconsistent decimal precision is also a reconciliation hazard: a fee rendered `$10` on the pricing page and `$10.00` on the invoice looks fine to humans but breaks downstream CSV parsers and accounting imports. The content-integrity taxon captures both the user-facing confusion and the data-quality drift across surfaces.
Why this severity: Low because the dollar amounts themselves are correct, but the inconsistency costs trust and breaks downstream parsers.
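As an added example (not code from the audit page), the JavaScript below serves both the currency-jurisdiction check and the fee-format check above: it parses the inconsistent renderings the text lists (`$0.50`, `.5 USD`, `0.50`, `$10`) into exact integer minor units without floating point, reports a bare `$` with no ISO code as ambiguous, and re-renders every surface through one canonical formatter. The canonical style `$10.00 USD`, the function names, and the sample surface strings are this example's own assumptions.

```javascript
// Added example: exact parsing, ambiguity detection and canonical rendering
// of fee strings across surfaces. Names and the canonical format are assumptions.

// Optional "$", digits with optional fraction, optional ISO 4217 code.
const MONEY_RE = /^\s*(\$)?\s*(\d*)(?:\.(\d+))?\s*([A-Z]{3})?\s*$/;

// Dollar currencies that legitimately render with "$" (constructed list).
const DOLLAR_CODES = new Set(['USD', 'CAD', 'AUD', 'SGD', 'NZD', 'HKD']);

// Parse a displayed amount into integer minor units (cents) by splitting the
// whole and fractional digit strings, so 0.1 + 0.2 style drift never occurs.
// currency is null when only a bare "$" or nothing identifies it.
function parseMoney(text) {
  const m = MONEY_RE.exec(text);
  if (!m || (m[2] === '' && m[3] === undefined)) {
    return { minor: null, currency: null, problems: ['unparseable: ' + JSON.stringify(text)] };
  }
  const [, symbol, whole, frac = '', code] = m;
  const problems = [];
  if (frac.length > 2) problems.push('more than two decimal places');
  if (frac.length !== 2) problems.push('not rendered with two decimal places');
  if (whole === '') problems.push('missing leading zero');
  if (!code) problems.push(symbol ? 'bare "$" with no currency code' : 'no currency indicated');
  const minor = Number(whole || '0') * 100 + Number((frac + '00').slice(0, 2));
  return { minor, currency: code || null, problems };
}

// Render minor units in the one form every surface should use: symbol for
// readability where it applies, always two decimals, always the ISO code.
function formatMoney(minor, currency) {
  if (!Number.isInteger(minor) || minor < 0) {
    throw new RangeError('minor units must be a non-negative integer');
  }
  const whole = Math.floor(minor / 100);
  const cents = String(minor % 100).padStart(2, '0');
  const symbol = DOLLAR_CODES.has(currency) ? '$' : '';
  return `${symbol}${whole}.${cents} ${currency}`;
}

// Compare how one fee is rendered on several surfaces against the amount the
// system of record holds. Reports per-surface format problems, amount or
// currency disagreement, and the canonical string every surface should show.
function auditFeeSurfaces(expectedMinor, currency, surfaces) {
  const report = { canonical: formatMoney(expectedMinor, currency), findings: [] };
  for (const [surface, text] of Object.entries(surfaces)) {
    const parsed = parseMoney(text);
    for (const problem of parsed.problems) report.findings.push({ surface, text, problem });
    if (parsed.minor !== null && parsed.minor !== expectedMinor) {
      report.findings.push({ surface, text, problem: `amount ${parsed.minor} differs from expected ${expectedMinor}` });
    }
    if (parsed.currency && parsed.currency !== currency) {
      report.findings.push({ surface, text, problem: `currency ${parsed.currency} differs from ${currency}` });
    }
  }
  return report;
}

// Constructed sample: the same 50-cent fee as the text describes it on three
// surfaces, plus one surface already in canonical form.
const SAMPLE_SURFACES = {
  pricing: '$0.50',
  checkout: '.5 USD',
  statement: '0.50',
  invoice: '$0.50 USD',
};

console.log(JSON.stringify(auditFeeSurfaces(50, 'USD', SAMPLE_SURFACES), null, 2));
```

Storing fees as integer minor units and rendering through `formatMoney` at every surface removes both failure modes at once: the `$10` versus `$10.00` precision drift that breaks CSV imports, and the bare-symbol ambiguity a visitor from a CAD, AUD or SGD market would misread.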
finserv-disclosure.presentation-quality.fee-format

SOX §802 imposes criminal liability for knowingly destroying or falsifying records that are "made or kept in connection with" a financial transaction — a standard that courts have applied broadly to financial service documents, not just audit records. ISO 27001:2022 A.5.28 independently mandates preservation of evidence for legal proceedings. For fintech products, compliance document archives are the primary evidence in CFPB examinations, FTC investigations, and customer disputes. A company that operates a financial product but maintains only the current version of its Terms and Privacy Policy has no ability to prove what disclosures a user accepted at the time of signup — a critical gap in any dispute resolution or regulatory examination.
Why this severity: Low because compliance archives are a defense-in-depth control rather than a direct user-facing disclosure, but their absence makes legal disputes and regulatory examinations significantly harder to defend.
finserv-disclosure.presentation-quality.compliance-archive

CFPB supervision includes examination of whether regulated entities monitor and respond to regulatory changes that affect consumer disclosures. A financial product whose Privacy Policy or Terms of Service has no version number and no last-updated date cannot demonstrate regulatory currency — examiners will treat undated documents as potentially stale. The CCPA was amended by CPRA in 2023; TILA has seen Reg Z updates in 2024; FTC Click-to-Cancel rules took effect in 2024. A product operating without dated, versioned legal documents that reflect these changes is operating on borrowed time. The business risk is not just regulatory: users who discover they agreed to a Terms document from three years ago that no longer reflects actual practices have grounds for misrepresentation claims.
Why this severity: Low because undated documents are a compliance posture failure rather than a direct user harm, but they undermine the ability to demonstrate regulatory currency during CFPB or FTC examination.
finserv-disclosure.presentation-quality.regulatory-updates

FINRA Rule 2210 requires that all retail communications be reviewed by a registered principal before use. SEC Regulation Best Interest (Reg BI) requires broker-dealers to implement written compliance policies and procedures — and documented legal sign-off is the minimum evidence that those policies exist. For any financial product operating under FINRA or SEC oversight, AI-generated boilerplate Terms and Privacy Policy documents that have never been reviewed by counsel are not just a liability risk — they are a direct violation of the written supervisory procedures requirement. Even for non-FINRA entities, documented legal review is the threshold evidence in FTC Section 5 deceptive practices cases that distinguishes negligence from willfulness.
Why this severity: Info because the absence of documented review evidence does not directly harm users but creates significant legal exposure when disclosures are later found to be deficient, especially under FINRA Rule 2210 and SEC Reg BI written procedures requirements.
finserv-disclosure.presentation-quality.legal-review

Disclosure effectiveness measurement is the mechanism by which a financial product proves its disclosures actually work — not just that they exist. ISO 25010:2011 §4.2.4 (usability quality characteristics) treats measurability as a component of quality assurance. A product that ships TILA disclosures, fee tables, and a dispute notice but never tracks whether users view or engage with them cannot demonstrate "clear and conspicuous" compliance under CFPB standards — because clarity is a function of user comprehension, not document presence. Analytics on disclosure pages also surface the difference between required content that users find helpful and content so buried that it functions only as legal cover.
Why this severity: Info because disclosure measurement is a quality improvement signal rather than a compliance floor, but its absence means the product cannot demonstrate "clear and conspicuous" effectiveness under CFPB examination.
finserv-disclosure.presentation-quality.disclosure-metrics

State money transmitter laws impose geographic licensing requirements that vary by jurisdiction — offering a payment or lending product in a state without the required license is a strict-liability violation. A product that does not disclose its supported regions forces users from unlicensed states to apply, have their application rejected, and potentially have their personal data collected without regulatory authority. Beyond licensing, geographic availability disclosure is required under CFPB fair lending principles: if a product is not available in certain regions, that limitation must be transparent to prevent disparate impact claims. A user who discovers post-application that their state is not supported has a legitimate data minimization complaint under CCPA and GDPR.
Why this severity: Info because the disclosure gap is a transparency deficiency rather than an active harm, but operating in unlicensed states without geographic availability disclosures creates strict liability under state money transmitter laws.
finserv-disclosure.presentation-quality.availability

Run this audit in your AI coding tool (Claude Code, Cursor, Bolt, etc.) and submit results here for scoring and benchmarks.
Open Regulatory Disclosure Audit