
April 2026 Regulatory Update: Mortgage Overhaul, National Cyber Strategy, and What Examiners Are Finding

Apr 9, 2026

The federal government is pulling back in some areas and doubling down in others. March brought executive orders on mortgages, cybersecurity, and AI, while the FDIC and Fed published their annual compliance reports with a clear message: fewer rules don’t equal fewer findings. 

State regulators are filling gaps of their own, with a 13-state AG coalition suing a lender over add-on product disclosures and courts weighing in on everything from RESPA servicing relationships to TCPA exemptions.

Want a deeper dive into the latest headlines? Watch the April Reg Update podcast. For additional resources and regulatory analyses, check your Ncomply solution.

 

Issues Affecting All

White House Executive Order Targets Mortgage Framework Overhaul 

A new executive order is directing federal agencies to consider sweeping changes to the mortgage regulatory framework, and the scope extends well beyond community banks. The order defines "smaller banks" as financial institutions (FIs) with up to $100 billion in assets, a threshold far above the benchmark most regulations use.

Agencies are directed to discourage civil monetary penalties unless violations are willful, knowing, or reckless, and to give credit for good corporate conduct, self-correction, and a reasonable opportunity to remediate before enforcement escalates. That's a meaningful pivot away from finding violations and toward whether FIs acted in good faith and fixed the problem.

The order also directs agencies to consider replacing the Truth in Lending Act (TILA)/Real Estate Settlement Procedures Act (RESPA) Integrated Disclosure (TRID) rule's strict timing requirements with a materiality-based standard focused on whether a disclosure actually affected the borrower, and to consider changes to the Ability-to-Repay and Qualified Mortgage requirements, including a broader safe harbor for portfolio loans. The CFPB is separately directed to consider raising the Home Mortgage Disclosure Act (HMDA) exemption threshold and reducing reporting complexity. For FIs that lived through the 2015–2019 overhaul, that last piece may feel less like relief and more like retooling.

Key Takeaways

None of these directives means an immediate rule change, but the breadth of what's being asked of agencies is significant. Stay active on Ncomply for updates as rulemaking moves forward.

Learn more: Want to see our compliance management solution in action? Watch the Ncomply product tour.

White House Unveils National Cyber Strategy

The White House released its national cyber strategy, the latest step in an approach that's pulling back on prescriptive compliance mandates while keeping pressure on supply chains and emerging tech.

The strategy explicitly moves away from what it calls "costly checklists" in favor of reducing compliance burden and giving industry more agility. The National Cyber Director also hinted that the SEC's 2023 incident disclosure rule may be revisited.

But fewer prescriptive rules don't mean lower expectations. The strategy doubles down on ransomware and phishing as targets for a new interagency action plan, and a proposed Victims' Restoration Fund could increase pressure on FIs to identify and freeze connected funds. Financial services are specifically named when it comes to securing critical infrastructure, with a push to move away from adversary-linked vendors. If your FI hasn't inventoried its third-party tech stack for foreign-origin components, now is the time.

The strategy also flags quantum computing as an emerging priority. When quantum computers arrive at scale, they'll be capable of breaking the encryption protecting most financial data in transit today. FIs don't need to act tomorrow, but if you ask your IT team and vendors whether they have a plan and the answer is "What's that?", that's your starting point.

Key Takeaways

The government is treating FIs as active participants in national cyber defense, so your program should reflect that. Revisit your incident response plan and escalation protocols, pressure-test vendor and supply chain risk management, and make sure quantum readiness is on your radar.

Webinar: When Incidents Hit: How to Build an Incident Response Plan That Supports Operational Resilience

Trump Administration Releases National AI Policy Framework

The Trump administration unveiled its national policy framework for AI, and FIs should take note.

The framework calls on Congress to make federal datasets accessible to industry and academia in AI-ready formats for training AI models. That opens the door to previously non-public data being integrated into technology like underwriting and fraud detection. On the regulatory side, the framework directs the federal government to establish a policy that preempts state AI laws that impose undue burdens, putting some existing state laws at risk, including California's rules around automated decision-making technology under the CCPA.

The framework also coincides with Treasury's launch of its AI Innovation series, a public-private initiative focused on how the U.S. financial system adapts to accelerating technological change. Four roundtables will bring together FIs, tech firms, regulators, and experts to explore high-value AI use cases and approaches to scaling innovation while preserving safety and soundness. 

Key Takeaways

This framework, combined with February's Treasury AI Lexicon and Financial Services AI Risk Management Framework, adds another layer to an already complex picture, so FIs should continue to monitor Ncomply for updates.

Related: AI Governance for Financial Institutions: Using AI Safely and Responsibly

State AGs Sue Lender for Alleged Bait-and-Switch Scheme

A coalition of 13 state attorneys general filed suit against a lender alleging a bait-and-switch scheme involving add-on products. The states are seeking hundreds of millions in restitution, penalties, and injunctive relief, including potential changes to practices, credit reporting impacts, and loan rescission.

The complaint centers on how optional products such as credit insurance and membership programs were presented at closing. States allege these products were bundled into loan balances without clear disclosure that they were optional, increasing the total loan amount and interest paid over time. Process concerns are also central to the case, including pressure on employees to include add-ons, control over the closing screen, and rushing borrowers through documents in a way that limited their ability to understand what they were signing.

This is another example of state regulators focusing on how products are delivered in practice, not just how they're designed on paper. The gap between written policies and operational execution is a consistent theme in cases like this, and the scale and consistency of the allegations stand out.

Key Takeaways

Make sure your disclosure practices, sales processes, and employee incentives are aligned and consistently executed, especially when add-on products are involved. If your written policies don't reflect what's happening at the point of sale, regulators will notice.

Related: How to Build Better Governance with Stronger Policies

Ohio Court Denies Summary Judgment in RESPA Case Against Lender and Servicer

A district court in Ohio denied a summary judgment motion against two FIs accused of RESPA violations: a mortgage lender that funded home loans and a bank that serviced them. 

The plaintiffs allege the lender wrongfully terminated loan modifications after refusing payments made in accordance with the modification terms. They also allege that communications misrepresented the relationship between the two entities, including a letter claiming the lender was "rebranding" as the servicer when the two are allegedly separate.

When borrowers can't tell who holds their loan and who services it, that confusion creates risk on multiple fronts. Unclear communications weaken your position in court regardless of how different jurisdictions treat vicarious liability, and misrepresenting that relationship can implicate UDAAP for deceptive practices.

Key Takeaways

If you outsource servicing, communicate what that means for borrowers. Clear disclosures and robust third-party monitoring are your best tools for minimizing compliance liability when servicing relationships get complicated.

Federal Court Allows Telephone Consumer Protection Act Claims to Proceed Against Real Estate Company

A federal judge allowed TCPA claims to proceed against a real estate company that sent unsolicited texts offering to purchase a plaintiff's home. The company argued the messages were informational, but because it offered appraisal, title, escrow, and paperwork services built into its home purchases, the court found enough to suggest a potential sales motive.

This case is a useful reminder of where TCPA exemptions end. Fraud alerts, data breach notifications, and transaction or account notifications are exempt from prior written consent requirements, but only when they’re informational. If promotional or sales messaging enters the picture, TCPA requirements apply and the bar is lower than many assume. The TCPA doesn't require an explicit mention of a service if the context suggests one is being offered.

Key Takeaways

Periodically audit your FI’s internal communications to identify these issues before they become problems. If a message could reasonably be read as promoting a product or service your institution benefits from, it warrants a review.

Nebraska Community Bank Reaches $2.4M Settlement in MOVEit Data Breach Class Action

A community bank in Nebraska agreed to a $2.4 million settlement to resolve a class action brought by over 200,000 individuals affected by the 2023 MOVEit Transfer breach. MOVEit was a widely used file transfer platform exploited by a ransomware gang in May 2023, compromising over 2,700 organizations and exposing data for roughly 93 million individuals.

The bank was using MOVEit to transfer files containing customer data, including personally identifiable information, and when the vulnerability was exploited, that data was accessible. The bank argued the software vendor's vulnerability caused the breach, but that defense hasn't held up consistently across MOVEit-related litigation. Courts have repeatedly held that the organization that holds the data bears responsibility, even when the vulnerability originated in a vendor's software. A $117 million settlement against Comcast in January made the same point at a much larger scale.

Key Takeaways

Remember, your vendor's risk is your risk. Perform a fresh risk assessment of what data flows through any managed file transfer solution, review vendor contracts for breach notification and indemnification clauses, and run a tabletop exercise specifically around a vendor compromise, not just a direct network breach.

Related: TPRM 101: What is a Vendor Risk Assessment

Issues Affecting Banks

FDIC and Fed Publish Annual Compliance Reports

The FDIC and the Federal Reserve both published their annual compliance supervisory reports this month, and together they tell one complete story about the gaps FIs face.

Note: Even if your FI isn't supervised by either agency, many of the same laws apply across banks and credit unions. There's no better exam prep blueprint than regulators telling you exactly what they're finding.

FDIC Consumer Compliance Supervisory Highlights

The FDIC conducted roughly 800 exams in 2025, down from 900 the prior year, but the violation count held steady at 1,275 — fewer trips, same number of problems. 

The top five violations accounted for nearly three-quarters of everything cited: TILA, Flood Disaster Protection Act (FDPA), Truth in Savings Act (TISA), Reg E, and HMDA, which is new to the top five this year. TILA topped the list, with violations centered on loan estimates, closing disclosures, and periodic statement issues. Flood came second, with the most common violation being failure to have adequate insurance in place when a loan is made, increased, renewed, or extended in a special flood hazard area.

The financial consequences sharpened in 2024. The FDIC assessed $5.6 million in civil monetary penalties, and FIs paid $33.3 million in voluntary restitution to roughly 400,000 consumers, up from about $7 million the prior year.

Fed Consumer Compliance Outlook

The Fed's report paints a similar picture, with complaint volume up 39% in 2024 to 8,355 investigated complaints. Restricted or blocked accounts topped the list at 37% of all complaints, many involving prepaid cards and mobile banking, where accounts were frozen after consumers reported fraud. Consumers report unauthorized activity and then find themselves locked out of their wages and benefits for weeks. That's both a customer service problem and a compliance one.

Reg E dominated violation findings from complaint investigations, representing nearly 80% of all violations over the past five years, which is consistent with the FDIC’s findings.

Key Takeaways

Flood insurance trips up FIs year after year, as the technical requirements are unforgiving, and an end-to-end audit of that process is overdue for most. Reg E error resolution is the other consistent weak spot; if your procedures haven't kept pace with how consumers move money today, examiners will find it. And when customers can't reach a human when something goes wrong, complaints follow.

Issues Affecting Credit Unions

NCUA Announces Seventh and Eighth Rounds of Deregulation Proposals

NCUA announced a seventh and eighth round of proposals in March, the latest in its deregulation initiative. 

The seventh round proposes streamlining record retention under Part 749 by removing prescriptive appendices and allowing more flexibility in how credit unions maintain records. The eighth round addresses indirect vehicle loans serviced by third parties, proposing to replace existing concentration limits with a principles-based approach that allows credit unions to set their own risk-based policies.

Both proposals reflect a broader shift away from prescriptive requirements and toward principles-based expectations — more flexibility on paper, but greater responsibility to define, document, and execute controls in practice.

Key Takeaways

Neither proposal is final, but the direction is clear. As prescriptive rules come down, the expectation that FIs can demonstrate how they are managing risk goes up. Follow Ncomply for updates as both proposals move forward.

Managing compliance in a changing regulatory environment comes with challenges. Get best practices on building and maintaining a strong program with less examiner feedback in our 2026 Regulatory Compliance Outlook.
