November 2025 marked a turning point in the regulatory environment as the Consumer Financial Protection Bureau (CFPB) confronted a potential shutdown while restarting examinations under its new “Humility in Supervision” approach. From proposed changes to Section 1071 and fair lending oversight to the end of penny production after 232 years, financial institutions (FIs) are operating in a reshaped supervisory landscape — one where federal oversight may be pulling back, but compliance expectations and institutional risk remain firmly in place.
Get our experts’ thoughts on this month’s headlines in our Reg Update podcast. For resources and regulatory analyses on the topics discussed, check your Ncomply solution.
Issues Affecting All
CFPB Faces Potential "Zombie Regulator" Crisis While Resuming Examinations with "Humility Pledge"
The CFPB is navigating a self-created funding crisis that may leave the agency unable to operate beyond December 31, 2025. After Acting Director Vought declined to draw funds from the Federal Reserve earlier this year, Congress passed the One Big Beautiful Bill Act, cutting the Bureau's funding cap by roughly half.
The Bureau claims it cannot legally draw funds from the Fed, citing a novel interpretation of the Dodd-Frank Act's "combined earnings" language — arguing that the Fed can provide funding only when it has profits, not gross earnings. To prevent collapse, the CFPB is transferring all active litigation and enforcement actions to the Department of Justice. However, a recent continuing resolution prohibits staff reductions through January 30, leaving the Bureau without funds but unable to reduce headcount.
Despite its financial uncertainty, the CFPB announced it will resume examinations after a 10-month pause, requiring all examiners to follow a new "Humility in Supervision" Pledge. Under this framework, examinations will be tightly scoped around clear statutory authority, entities will receive advance notice, and information requests will be limited to the exam's specific focus. The Bureau has also committed to shorter exam timelines, findings focused on patterns with tangible consumer harm, and resolving issues through supervision rather than enforcement whenever possible. The agency is also encouraging FIs to self-report violations.
Key Takeaways
The regulatory landscape is shifting, but reduced supervision and fewer enforcement actions don’t mean less compliance risk.
FIs should expect less visibility into CFPB priorities and increased responsibility for identifying and addressing issues internally. Self-reporting will become a critical strategic tool, particularly for large, complex institutions that may experience significantly lighter regulatory oversight. FIs must proactively monitor emerging issues, document controls, self-identify potential harm patterns, escalate concerns promptly, and remediate comprehensively.
Without robust supervision, institutions become their own last line of defense.
CFPB Proposes Major Changes to 1071 Small Business Lending and Fair Lending Rules
The CFPB issued a proposed rule to amend the Small Business Lending Data Collection Rule under Section 1071 of the Dodd-Frank Act, aiming to narrow the scope of covered institutions and transactions, streamline data collection requirements, and reduce regulatory burden. The proposal would raise the coverage threshold from 100 to 1,000 covered credit transactions over two consecutive years, update the definition of a small business from $5 million in gross annual revenue to $1 million, and set a uniform compliance deadline of January 1, 2028, for all covered financial institutions. The proposal would also remove five discretionary data points and the LGBTQI+-owned business status.
The CFPB also issued a separate proposed rule to amend Regulation B, clarifying Equal Credit Opportunity Act (ECOA) obligations in three key areas:
- Whether disparate impact claims are permitted under ECOA
- How the prohibited discouragement of applicants and prospective applicants is defined
- Updated standards for Special Purpose Credit Programs (SPCPs) offered by for-profit organizations, aligning with recent executive orders focused on merit-based opportunity and eliminating disparate-impact liability
Key Takeaways
FIs should continue monitoring Section 1071 developments as the scope of covered transactions and data requirements may be significantly reduced. While compliance dates have been extended uniformly, FIs should be ready to adapt as final rules emerge.
On fair lending, while the proposed Regulation B changes signal a shift away from disparate impact analysis at the federal level, state regulators in Massachusetts, New York, Illinois, California, and other states may continue enforcement. FIs should review their fair lending programs to ensure compliance with both evolving federal standards and potentially stricter state requirements.
For more information on these regs, check out the regulatory analysis documents in Ncomply.
Related: How to Keep Up with State Regulations
CFPB Reverses Course on FCRA Preemption, Expanding Federal Authority Over State Credit Reporting Laws
The CFPB issued a new interpretive rule on Fair Credit Reporting Act (FCRA) preemption that significantly expands federal authority over credit reporting. The new position asserts that federal law controls credit reporting, and most state laws attempting to regulate what goes into consumer reports are preempted.
The 2022 guidance treated FCRA's preemption as narrow and targeted, leaving states with room to impose additional protections — especially on matters like medical debt. The new guidance takes a broad interpretation of FCRA's preemption clause, stating that if a state law tries to regulate what can be reported, who can furnish information, or other subject matter Congress already addressed, it is generally preempted.
As an interpretive rule, the guidance is not binding — only persuasive in court. Courts will ultimately decide whether specific state laws are preempted and whether the FCRA's preemption clause should be read broadly or narrowly. State medical debt bans and limits on reporting certain criminal records remain in effect but face increased federal scrutiny.
Key Takeaways
Expect increased litigation testing whether state medical-debt and criminal-record reporting limits survive under this broader preemption theory. FIs must continue complying with existing state laws and FCRA until courts rule otherwise.
Now is the time to inventory where your FI relies on state-level rules around medical debt and employment credit checks, flagging potential conflict areas for monitoring.
For more on this update, view the regulation analysis document in Ncomply.
Related: Laws vs. Regulations vs. Rules vs. Guidance: What Are the Differences?
Major Data Breach at Third-Party Vendor Exposes Risks for Over 700 FIs
Marquis Software Solutions, a third-party vendor for many banks and credit unions, experienced a data breach on August 14, 2025 — potentially exposing personally identifiable information (PII), such as names and addresses, dates of birth, Social Security and tax identification numbers, and financial account information.
One credit union’s breach notice related to the incident revealed the vendor paid a ransom. While paying a ransom isn't illegal, it creates significant regulatory risks for FIs for a few reasons:
- The Office of Foreign Assets Control (OFAC) has issued clear guidance that ransom payments can trigger sanctions violations, operating on a strict liability standard — meaning FIs can be held liable even without knowledge of paying a sanctioned entity.
- FinCEN requires FIs to evaluate whether a Suspicious Activity Report (SAR) must be filed for ransomware-related incidents. If a vendor pays a ransom without proper due diligence, regulatory exposure can flow back to the FI.
Paying ransoms also provides no guarantee that attackers won't share stolen data on the dark web and can signal to other bad actors that the organization is willing to pay, making it a target for future attacks. Given that the vendor serves over 700 FIs, additional disclosures are expected in the coming weeks.
Key Takeaways
This cyber incident underscores that customer data is only as protected as vendor systems, regardless of an institution's internal controls.
With vendor breaches continuing to dominate headlines, FIs should revisit their third-party risk management (TPRM) programs, ensuring contracts clearly spell out breach notification requirements and timelines. Incident response plans must be ready to execute immediately, as customers will contact their institution (not the vendor) when breaches occur.
Compliance teams should also work closely with TPRM team members, as vendor breaches create both regulatory exposure and operational challenges.
Related: Stay updated on the latest TPRM news and resources in our weekly recap.
Issues Affecting Depositories
U.S. Mint Ends Penny Production After 232 Years
The U.S. Mint officially stopped producing pennies following President Trump's directive to halt minting.
The decision comes down to economics: over the past decade, the cost to produce a single penny has climbed to nearly four cents per coin. While pennies will remain legal tender, the Mint will only produce limited collector editions. An estimated 300 billion pennies remain in circulation.
The Federal Reserve's FedCash Services released FAQs outlining changes to penny ordering and deposits as distribution locations run out of inventory:
- The Fed will continue fulfilling orders and accepting deposits if inventory allows, though availability will vary by location.
- Distribution centers are monitoring inventory weekly, and when locations run out, they stop fulfilling orders.
- Institutions attempting orders at depleted locations will see error messages and should remove pennies from orders, try different endpoints, or explore alternative solutions.
- Some locations may continue accepting deposits after stopping order fulfillment, while others may stop both simultaneously.
The Fed has not issued official rounding guidance, leaving the decision to individual institutions.
Key Takeaways
FIs should decide on a rounding approach for cash transactions and review branch procedures, including check cashing, cash vault shipments and orders, and cash drawer balancing. Check whether your coin-counting machines need reprogramming, and contact your core provider to determine whether teller systems need updates to handle rounding logic and whether you should adopt symmetric rounding, always round down, or take another approach.
On the deposit operations side, establish reconciliation procedures that account for penny differences in teller cash reconciliations. Consider implementing procedures now to limit the number of pennies single customers can withdraw in bulk, to avoid burning through remaining inventory before operational processes are ready.
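The rounding and reconciliation procedures described above can be made concrete. The following is an added illustration, not code from the article, the Fed, or any core provider: it assumes the nickel is the smallest coin dispensed, works in integer cents to avoid floating-point drift, applies rounding only to the cash-tendered total (never to itemized prices or to card tenders), and uses a hypothetical `RoundingLedger` class to track the per-transaction rounding variance that a teller drawer reconciliation must explain. The sample transactions are constructed.

```python
"""Cash-rounding and penny-variance reconciliation helpers.

Added illustration, not from the original article or any core provider.
Amounts are integer cents to avoid floating-point drift. Assumed policy:
rounding applies only to the cash-tendered total of a transaction, never
to itemized prices or to non-cash tenders.
"""
from dataclasses import dataclass, field
from typing import Literal

RoundingMode = Literal["symmetric", "down", "none"]

NICKEL = 5  # smallest coin the institution will dispense, in cents (assumption)


def round_to_nickel(cents: int, mode: RoundingMode = "symmetric") -> int:
    """Round a cash total (in cents) to a multiple of 5 cents.

    symmetric: 1-2 cents round down, 3-4 cents round up (no tie can occur,
               since the midpoint 2.5 cents is not a whole number of cents).
    down:      always round to the lower nickel (customer-favourable).
    none:      leave pennies alone (institution still dispenses them).
    """
    if cents < 0:
        raise ValueError("cash totals are non-negative")
    if mode == "none":
        return cents
    remainder = cents % NICKEL
    if mode == "down":
        return cents - remainder
    if mode == "symmetric":
        return cents - remainder if remainder < 3 else cents + (NICKEL - remainder)
    raise ValueError(f"unknown rounding mode: {mode}")


@dataclass
class RoundingLedger:
    """Accumulates per-transaction rounding variance for drawer balancing (hypothetical)."""
    mode: RoundingMode
    entries: list = field(default_factory=list)  # (txn_id, exact_cents, settled_cents)

    def apply(self, txn_id: str, exact_cents: int, tender: str) -> int:
        """Return the amount actually settled; only cash tenders are rounded."""
        if tender != "cash":
            self.entries.append((txn_id, exact_cents, exact_cents))
            return exact_cents
        settled = round_to_nickel(exact_cents, self.mode)
        self.entries.append((txn_id, exact_cents, settled))
        return settled

    def variance_cents(self) -> int:
        """Net rounding variance: positive means the drawer took in more cash
        than the exact totals. This is the line the reconciliation must explain."""
        return sum(settled - exact for _, exact, settled in self.entries)

    def reconcile(self, expected_cash_cents: int, counted_cash_cents: int) -> int:
        """Unexplained difference once rounding variance is accounted for.
        Zero means the drawer balances after rounding is considered."""
        return counted_cash_cents - (expected_cash_cents + self.variance_cents())


# Constructed sample day: (txn_id, exact total in cents, tender type)
SAMPLE_TXNS = [
    ("t1", 1001, "cash"),   # $10.01 -> $10.00 (symmetric) / $10.00 (down)
    ("t2", 1003, "cash"),   # $10.03 -> $10.05 (symmetric) / $10.00 (down)
    ("t3", 1999, "card"),   # card tender: never rounded
    ("t4", 504, "cash"),    # $5.04  -> $5.05  (symmetric) / $5.00  (down)
    ("t5", 725, "cash"),    # already a nickel multiple: unchanged
]


def run_day(mode: RoundingMode) -> RoundingLedger:
    """Settle every constructed transaction under one rounding policy."""
    ledger = RoundingLedger(mode)
    for txn_id, exact, tender in SAMPLE_TXNS:
        ledger.apply(txn_id, exact, tender)
    return ledger


if __name__ == "__main__":
    exact_cash = sum(e for _, e, t in SAMPLE_TXNS if t == "cash")
    for mode in ("symmetric", "down"):
        ledger = run_day(mode)
        counted = exact_cash + ledger.variance_cents()  # what a correct drawer count shows
        print(f"{mode:9s} variance={ledger.variance_cents():+d} cents, "
              f"unexplained={ledger.reconcile(exact_cash, counted)}")
```

The design point is that the rounding policy and the reconciliation must be built together: under "always round down" the drawer will legitimately come up short of the exact totals, and a reconciliation that does not carry a rounding-variance line will flag that shortage as a teller difference every day.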
Related: Policy Management Best Practices for Financial Institutions
Issues Affecting Banks
Federal Banking Regulators Announce Coordinated Shift Toward Risk-Based Supervision
Federal Reserve
The Federal Reserve announced a new set of operating principles aimed at sharpening bank supervision by centering examinations on issues that matter for safety and soundness: capital, liquidity, concentration risk, and governance. The Fed wants ratings to better reflect actual risk rather than technical missteps, with faster remediation and clearer expectations, while eliminating duplicate work. Examiners are being retrained now, and the Fed plans to formalize this approach in future guidance.
The OCC quietly recalibrated its own exam schedules and scoping processes earlier this year, implementing leaner exams for well-run institutions and more intensity for those requiring deeper supervisory attention.
FDIC
The FDIC updated its Consumer Compliance Examination Manual and extended exam cycles significantly for most institutions. Instead of the previous 12-36-month cadence, institutions are now placed into one of three cycles based on asset size, Consumer Compliance, and CRA ratings:
- 66-78 months
- 54-66 months
- 24-36 months
Shorter exam cycles remain for FIs with elevated risk. Those rated 4 or 5 can expect 1-12-month cycles for both consumer compliance and CRA, while FIs with a 3 rating and a Substantial Noncompliance CRA rating can be pulled into the 1-12-month CRA window. For institutions on 54-66-month or 66-78-month schedules, examiners will conduct mid-point risk analyses to determine whether targeted visitation or limited-scope work is needed.
Key Takeaways
The federal banking shift signals a move toward a risk-tiered supervision model. FIs with strong governance, effective controls, and stable consumer compliance postures will see regulators step back, while those with slipping ratings or emerging risk signals will face tightened timelines immediately. With longer gaps between full-scope reviews, examiners will expect institutions to self-identify, self-correct, and document remediation with less prompting.
Related: Prudent Risk Management Is About Clarity, Not Caution
OCC
The OCC announced several measures aimed at reducing regulatory burdens for community banks.
Effective February 1, 2026, the OCC will implement Community Bank Minimum BSA/AML Examination Procedures. Since 2005, the FFIEC BSA/AML Examination Manual has applied the same minimum examination procedures across all institutions — from trillion-dollar global banks to small community banks. The OCC determined this one-size-fits-all approach has been unduly burdensome, given that money laundering and terrorist financing risks vary dramatically based on size, products, geography, and customer base.
The new procedures give examiners significantly more discretion:
- Examiners can rely on satisfactory independent testing rather than duplicating that work
- For areas like training and BSA compliance officer oversight, examiners can carry forward conclusions from prior exam cycles if risk profiles haven't changed significantly
- Examiners have discretion to determine whether full transaction testing is necessary or whether analytical testing or other reviews are appropriate
Also, the OCC is discontinuing the Money Laundering Risk System data collection, an annual requirement where community banks categorize products, services, and customers according to the OCC's framework. The OCC determined it can obtain appropriate risk information through less burdensome means, including tailored requests during on-site examinations.
Institutions are expected to continue to understand money laundering and terrorist financing risks and comply with BSA requirements, but they are no longer required to complete the annual categorization exercise.
OCC Request for Information on Third-Party Service Provider Challenges
The OCC also issued a Request for Information (RFI) soliciting comments on the key challenges and barriers community banks face when engaging with core service providers and other essential third-party service providers. The RFI focuses on ensuring that community banks remain competitive in a rapidly evolving marketplace and includes questions on the challenges community banks face related to contract negotiations and terms, fees, billing practices, oversight, due diligence, innovation, core conversions, data access and modernization, and interoperability issues.
Key Takeaways
Community banks should prepare for the transition to tailored BSA/AML examination procedures by February 2026, ensuring independent testing programs are robust and well-documented to support examiner reliance. The elimination of annual MLR data collection provides immediate relief, though institutions must maintain their understanding of money laundering and terrorist financing risks.
Community banks can also respond to the OCC's RFI to provide input on third-party service provider challenges, as this feedback may inform future regulatory guidance or relief measures.
Related: How to Create Dynamic BSA/AML/CFT Risk Assessments
Explore Ncomply in just five minutes and see how it brings regulatory updates, task tracking, and exam preparedness into one streamlined platform.