August 2025 Regulatory Update: One Big Beautiful Bill and CFPB Compliance Challenges

Our July regulatory update has a clear theme: lawsuits and rule changes that just keep coming. From the newly signed reconciliation bill with major banking provisions to the CFPB’s ongoing compliance and enforcement battles, staying informed is essential for financial institutions navigating today’s complex landscape. Join our regulatory experts as we break down what these changes mean for your institution. 

Want more insights? Watch or listen to the Regulatory Update podcast for a deeper dive. For detailed analysis and compliance tools, look no further than Ncomply. 

Issues Affecting All

Reconciliation Bill with Banking Provisions Signed Into Law

The “One Big Beautiful Bill” reconciliation package was signed into law on July 4, 2025, and includes several key provisions for financial institutions (FIs): 

• Reduces CFPB funding from 12% to 6.5%
• Allows FDIC-insured depository institutions to exclude 25% of interest earned on loans secured by qualified rural or agricultural real estate from taxable income
• Exempts most transfers from FIs from remittance tax
• Requires FIs earning over $600 in interest on a qualified vehicle loan in 2025 to report it to the IRS (similar to Form 1098 mortgage reporting) and provide borrowers with a written statement. 

This last requirement applies to the 2025–2028 tax years and could mean extra work for auto lenders. With no word yet on whether the IRS will provide a list of qualified vehicles, FIs should begin creating monitoring systems for qualified vehicles and evaluate vehicle loans made this year to determine whether they qualify for these reporting requirements. 

Related: Compliance for Mortgage Companies: How to Avoid Top Violations

CFPB Regulatory Updates

New Litigation Adds to CFPB's 1071 Challenges

A coalition of civil rights and economic justice groups has sued the CFPB over Section 1071, alleging the agency unlawfully extended compliance dates without public input, announced improper non-enforcement policies, and abandoned its duty to collect and publish small business lending data. If successful, the suit could restore earlier compliance dates. This case runs alongside other ongoing challenges in Texas and Kentucky, with resolution likely months away, but interim court orders are possible. 

FIs should continue to stay prepared by standardizing their business loan process, including having written applications, collecting data (such as gross annual revenue, but excluding demographic data), and identifying gaps to address. 

For a breakdown of the statutory mandates that will survive any rule revision and regulatory additions that may change, check out our latest 1071 update. 

CFPB Granted Stay on Section 1033 Data Sharing Rule

After asking a federal court to vacate its Personal Financial Data Rights Rule, the CFPB has made what appears to be a 180-degree turn and instead asked a judge to pause legal action so the agency can revise the rule. The court granted the stay on July 29th. The CFPB has promised a speedy revision process to release an advanced notice of proposed changes within three weeks — a fast turnaround by regulatory standards. 

What does this mean for FIs? The compliance deadlines are the same, meaning smaller institutions still have until April 2030 and larger ones until April 2026 to meet the requirements. Continue to prepare as if nothing has changed, though significant changes are anticipated. Updates will come every 45 days as the parties check in with the court.

Our compliance team will continue to track updates, so log in to Ncomply regularly to stay in the know.  

Medical Debt Rule Vacated, But State Laws Ramp Up

In January 2025, the CFPB issued a rule to halt reporting of medical debt on credit reports and halt using medical debt in credit underwriting. The rule was initially set to take effect in March but was delayed until July. In line with expectations that the rule might be short-lived, a U.S. district court in Texas has now struck it down entirely.

FIs should monitor individual state updates, as many are implementing laws and regulations that prohibit medical debt reporting to consumer reporting agencies. Some states (including those listed below) explicitly prevent medical debt from being used in negative credit decisions: 

• California
• Colorado
• Connecticut
• Maine
• Minnesota
• New York
• Oregon
• Vermont
• Rhode Island
• Virginia
  

Related: How to Keep Up with State Regulations 

CFPB Enforcement Actions

CFPB Reaches $9M Settlement Over Military Lending Act Violations

The CFPB reached a $9 million settlement with FirstCash, Inc. and its subsidiaries for violating the Military Lending Act (MLA). The company allegedly had problems with over 42,000 pawn loans given to servicemembers between 2016 and 2024. The main issues involved charging interest rates above the legal military limit of 36%, including mandatory arbitration clauses (which are not allowed for military borrowers), and failing to provide the necessary information about loan terms. 

The settlement includes $4 million in fines and $5 million for affected military families. Servicemembers who reclaimed pawned items will receive 120% of all fees and interest paid, while those who lost items will be refunded all fees plus the original loan amount.

Moving forward, the company must implement changes, including confirming military status using the Department of Defense database and providing loan products that comply with the MLA for all customers. They will also undergo compliance checks every six months for the next five years and cannot include any terms that strip servicemembers of their legal rights or impose prepayment penalties.

The key takeaway is that whether you're a traditional bank or an online lender, following the MLA should be a top priority in your risk management efforts. Protecting military families from unfair lending practices remains a key focus for the CFPB.

Federal Judge Rejects Request to Release from Redlining Settlement

As noted in last month’s regulatory update, the CFPB released a bank from a redlining settlement, noting that the FI had met enough requirements and should no longer be closely monitored if the bank informed the CFPB when the remaining tasks were done. 

However, a federal judge has rejected the agency’s request, claiming that meeting some of the requirements didn't fulfill the purpose of the agreement, which was aimed at fixing the bank's earlier discriminatory lending practices. Many of the noted requirements require ongoing compliance over several years.

In the future, we may see the Trump administration face similar legal challenges. It’s essential to remember that the court system is an independent body. The judicial branch is responsible for interpreting and upholding the law, and just because the administration makes a statement, it doesn't mean that's the final word on the matter.

Issues Affecting Depository Institutions

CFPB Lifts $95M Order Against CU Regarding Overdraft Fees

The CFPB recently made a surprising decision regarding a credit union that had previously been penalized for overdraft fees affecting servicemembers. Between 2017 and 2022, the credit union was accused of improperly charging these fees, but it has since stopped this practice and refunded some affected members. 

In November 2024, the agency  ordered the credit union to refund over $80 million to its members, stop the illegal overdraft fees, and pay a $15 million fine. However, this month, the Bureau unexpectedly lifted that order without providing any explanation, meaning the credit union no longer has to refund the $80 million or pay the fine. There are no details on how much was refunded or paid before this decision was made. 

Many senators have sent a letter to the CFPB expressing concerns about this case, especially given that one of the agency’s stated priorities is the consumer protection of servicemembers.

Moving forward, ensure your FI is not charging Authorize Positive, Settle Negative (APSN) overdraft fees, as they continue to be subject to extensive litigation. 

Banks

CRA Update

The Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) are suggesting rescinding the 2023 rule aimed at modernizing the Community Reinvestment Act (CRA). Instead, they want to return to the rules that were in place in 1995, while making some updates for 2025.

The 2023 modernization would have increased the asset size thresholds for bank sizes, created an assessment area that expanded well beyond an institution's physical locations, and created new tests for Intermediate Small and Large Banks. However, this modernized rule has been on hold since March 2024. 

Under the new proposal, the asset size limits for the year 2025 are as follows:

• Small Bank: Less than $402 million in assets over the last two years, evaluated only on lending practices. 
• Intermediate Small Bank: At least $402 million in both prior years but less than $1.609 billion in either year, subject to a combination of lending and community development tests.
• Large Bank: At least $1.609 billion in both prior years, evaluated on lending, investment, and service tests.

These limits consider inflation for 2025 and will be adjusted every year. 

It's also important to note that as federal regulations change, individual states such as New York, Massachusetts, Illinois, and California are looking to enforce community reinvestment laws. These laws would apply to certain banks and credit unions with specific asset sizes and lending activity. 

For more detailed information about this proposal to roll back the changes, check the Regulatory Analysis document in Ncomply.

Senate Confirms Jonathan Gould as Comptroller of the Currency

Jonathan Gould has been confirmed as the 32nd Comptroller of the Currency. The Senate voted 50-45 for him, and he officially took office on July 15th. 

Gould isn't new to the OCC, having previously worked there as Senior Deputy Comptroller and Chief Counsel from 2018 to 2021 during the Trump administration. Since then, he has served as a partner at Jones Day and as chief legal officer at Bitfury, bringing both regulatory expertise and private-sector insight, particularly in cryptocurrency.

Gould has been vocal about the importance of "prudent risk-taking" and is critical of some of the regulatory measures resulting from the 2008 financial crisis. However, he doesn't want to eliminate all risks but rather manage them more effectively. During his confirmation hearings, he noted he wants to create rules that fit each bank's size and type, rather than using the same rules for all. He also wants the focus of supervision to be on real financial risks, not on reputation. Additionally, he is concerned about "debanking," which is when banks stop providing services to certain customers or industries without clear reasons based on risk.

This change in leadership could lead to a regulatory environment that encourages innovation and smart risk-taking, while keeping safety and stability in mind.

OCC Removes References to Disparate Impact from Fair Lending Manual 

The OCC has removed all references to disparate impact liability in its fair lending examination manual following President Trump’s Executive Order “Restoring Equality of Opportunity and Meritocracy” on April 23rd.

As a result, OCC examiners will no longer examine banks for disparate impact risk or request related internal analyses. However, banks are still expected to ensure fair access to financial services and comply with all applicable laws, as examiners will continue to look for evidence of intentional discrimination — or disparate treatment.

It’s crucial to note that while federal regulatory scrutiny has decreased, disparate impact claims can still be brought through private litigation and by state regulators. The executive order doesn't override existing statutes or Supreme Court precedent. Some states are already pushing back, including Massachusetts, which just announced a $2.5 million settlement over disparate impact claims.

Bottom line: Even with major shifts at the federal level, FIs still need strong fair lending compliance programs and should be mindful that state regulators may take a different approach than federal agencies.

FDIC Rescinds 2024 Bank Merger Statement of Policy for Previous Version

The FDIC is rescinding its 2024 Bank Merger Statement of Policy and reinstating its previous version, which takes a more quantitative approach for assessing competitive effects in mergers. 

The agency is also eliminating the requirement that applicants must show their merger offers greater public benefits than the existing situation, as this was criticized for lacking clear, objective measures. Additionally, the FDIC will continue to conduct traditional reviews related to capital, management, earnings, CRA compliance, and anti-money-laundering (AML) practices when evaluating proposed mergers between two insured institutions. Financial stability will also remain a key factor in this evaluation process.

Credit Unions

NCUA Board Members Reinstated

A federal judge has ruled that NCUA board members Todd Harper and Tanya Otsuka were wrongfully removed from their positions and has ordered them to be reinstated immediately. The judge determined that the law governing the NCUA limits the President's ability to remove board members. While the judge's decision allowed Harper and Otsuka to attend a board meeting in July, their reinstatement has since been  put on hold by an appeals court.

There are two main issues at play. First, a quorum, which is necessary for making decisions, typically requires at least two out of three board members. However, the remaining Republican member, Chairman Hauptman, has contended that one member is sufficient to constitute a quorum. If he acts on this claim, it may lead to an increase in legal disputes. Second, the situation raises questions about the extent of the President's authority over the semi-judicial and semi-legislative roles of executive agencies.

Our compliance team will keep you updated on both fronts, though it's likely the Supreme Court will ultimately decide the latter.

SEC-Regulated Entities

FinCEN Delays and Reopens Investment Adviser AML Rule

The Financial Crimes Enforcement Network (FinCEN) is delaying the start date of the Investment Adviser AML Rule from January 1, 2026, to January 1, 2028. 

The bureau plans to reopen and reassess the rule's scope and requirements to ensure it accurately addresses the AML/CFT risks associated with investment advisers, rather than simply adopting the existing standards for depository institutions, such as filing CTRs and SARs, appointing a designated AML/CFT officer, and implementing a risk-based AML/CFT program that includes policies, procedures, and internal controls. 

Additionally, FinCEN and the SEC intend to revisit the proposed joint rule aimed at establishing customer identification programs (CIPs) for registered investment advisers (RIAs).

Want to see how Ncomply makes managing compliance easier?

Take a 5-minute tour to discover how Ncomply centralizes regulatory change, streamlines task management, and keeps your institution exam-ready.