
Emerging Risks in Banking: Q2 2026 Update

Jun 16, 2026

The compliance landscape in 2026 is shifting in two directions at once. Federal regulators are pulling back, but state enforcement, private litigation, and operational complexity are accelerating. For compliance and risk professionals at financial organizations, that tension is the defining challenge of the year. 

This update covers six developments shaping the risk environment right now: deregulation and fair lending in flux, rising consumer complaints as a supervisory signal, AI risk across governance and cybersecurity, evolving state regulations, AI in third-party risk management, and Nacha ACH fraud monitoring deadlines already in motion. 

Keeping up with federal and state regulations takes more than a good reading list. Have complex questions that need answers? Nquiry delivers cited, auditable answers to regulatory questions in minutes. 

Deregulation and Fair Lending: What Changed, What Didn't, and Where the Risk Went

Two federal actions in early 2026 are reshaping the mortgage and fair lending compliance landscape in ways that appear to offer relief, but neither one is a signal to scale back your compliance program.

The Mortgage Credit Executive Order

On March 13, President Trump signed an executive order directing federal regulators to reduce compliance burdens on mortgage origination and servicing, with a focus on community banks under $30 billion in assets and smaller banks under $100 billion. The order reflects the administration's view that post-Dodd-Frank requirements have inflated compliance costs and reduced bank participation in mortgage lending. 

The proposed changes are significant. The order directs the CFPB to consider amendments to Regulation Z that would tailor the Ability to Repay/Qualified Mortgage (ATR/QM) requirements for smaller financial institutions, potentially expand the QM safe harbor for portfolio loans, and replace the TILA-RESPA Integrated Disclosures (TRID) prescriptive timing rules with a materiality-based standard focused on whether a disclosure error caused actual borrower harm. It also signals higher HMDA reporting thresholds, reduced data collection requirements, and a supervisory shift toward sound underwriting policies rather than technical procedural compliance. 

The order doesn't change any existing rules, however. Every substantive provision requires notice-and-comment rulemaking, and the most significant changes are unlikely to be final before late 2026 or 2027. In the meantime, lenders should continue to monitor agency proposals, identify processes that could be streamlined when rules are finalized, and leave existing compliance obligations as they stand. 

Related: April 2026 Regulatory Update: Mortgage Overhaul & Examiner Findings 

CFPB Final Rule: Disparate Impact Eliminated from ECOA

Unlike the executive order, the Regulation B rule is final, with a July 21 compliance deadline. Finalized on April 22, the rule rewrites Subpart A of Regulation B, which implements the Equal Credit Opportunity Act (ECOA), in three ways: 

  • Disparate impact eliminated from ECOA. All "effects test" references are removed. Facially neutral policies that produce statistical disparities across protected classes are no longer, by themselves, a federal ECOA violation. Enforcement now focuses solely on intentional discrimination and proxy-based theories.  
  • Discouragement standard narrowed. The prohibition on discouraging applicants is now limited to statements or images reflecting an intent to discriminate. In-branch decisions, marketing footprint, and outreach patterns no longer fall under this standard.  
  • Special Purpose Credit Programs restricted. For-profit creditors may no longer use race, color, national origin, or sex as eligibility criteria in Special Purpose Credit Programs (SPCPs). Existing programs must be revised or wound down by July 21. 

What the rule didn’t change also matters. The Fair Housing Act (FHA) still carries disparate impact liability, and state fair lending laws remain fully in force. Massachusetts, California, New York, and New Jersey all have active enforcement environments where regulators and attorneys general can pursue effects-based theories regardless of what happens federally. Litigation challenging the rule is widely anticipated, and organizations that dismantle statistical fair lending monitoring before courts weigh in are taking a risk the rule itself doesn't require. 

Before July 21, revisit your fair lending compliance program to distinguish ECOA intentional-discrimination analysis from FHA disparate impact analysis. Audit any existing SPCPs against the new eligibility restrictions, and update consumer-facing materials and training for the narrowed discouragement standard. Keep your statistical monitoring intact, as the FHA, state law, and an unresolved litigation landscape require it.  

Consumer Complaints Are a Supervisory Signal Now

Consumer complaint volumes are rising, and regulators are using them to scope examinations.  

The FDIC processed 32,128 written complaints and phone inquiries in 2025, a 21% increase from 2024. Credit reporting errors topped the list, and third-party providers were identified in nearly 6,356 cases, a 48% jump from the prior year. The Federal Reserve flagged unresponsive customer service and improper error resolution as the primary reasons consumers escalated complaints directly to the regulator. 

The best-positioned organizations are treating complaint data as a leading indicator of compliance gaps rather than a customer service scorecard. That means mapping internal logs against regulator data and extending complaint monitoring to vendor-serviced functions.  

Related: What is Complaint Management and How Does It Work?  

AI Risk: New Frameworks, Cybersecurity, and AI Governance Gaps

Three significant publications from the past several months define what AI risk looks like for financial organizations in 2026. Together, they frame it as a two-sided challenge: AI governance and defense against AI-enabled attacks.  

Related: March 2026 Regulatory Update: A $68M Fair Lending Settlement and More 

Financial Services AI Risk Management Framework

On February 19, the U.S. Department of the Treasury — working with the Financial Services Sector Coordinating Council, the Cyber Risk Institute, and 100-plus financial institutions — released the Financial Services AI Risk Management Framework (FS AI RMF) and an accompanying AI Lexicon. The framework is non-binding, but similar frameworks have historically served as the scaffolding for regulatory examinations in financial services, much as FFIEC standards did for IT and cybersecurity. 

The FS AI RMF is built around four components: 

  • An AI Adoption Stage Questionnaire to classify your organization's AI maturity 
  • A Risk and Control Matrix (RCM) with 230 control objectives spanning governance, data, model development, validation, monitoring, third-party risk, and consumer protection 
  • A User Guidebook providing a structured implementation path 
  • A Control Objective Reference Guide with examples of effective compliance evidence 

The framework is designed as a complement to existing risk programs and scales across organizations of all sizes. It covers the full AI lifecycle from ingestion and model development through deployment, monitoring, and decommissioning, with particular attention to agentic AI systems that operate with greater autonomy and outpace the static governance frameworks most organizations have in place. 

The accompanying AI Lexicon standardizes terminology (e.g., “hallucination,” “prompt injection,” and “third-party AI risk”) across technical, risk, legal, and operational functions. In vendor due diligence and contract negotiations, these definitions are increasingly being used as a baseline for what constitutes reasonable AI governance. Examiners won't ask whether a policy exists; they will ask for logs, ownership assignments, and evidence artifacts. 

Related: Can Your AI Explain Itself? Black Box AI vs. Glass Box AI 

The FS-ISAC Sector Risk Advisory

On April 20, the Financial Services Information Sharing and Analysis Center (FS-ISAC) published a sector risk advisory with a direct opening: "Traditional assumptions and approaches for vulnerability management no longer hold." 

AI frontier models can rapidly detect and chain vulnerabilities, including ones previously considered low-priority, and generate working exploits immediately. Vulnerability backlogs that financial organizations have managed through compensating controls for years now function as a roadmap for targeted attacks. The window before threat actors gain broad access to these capabilities is unknown but limited. 

The advisory's most urgent recommendations suggest a fundamental operational shift: 

  • Remediate aggressively. Treat vulnerability backlogs as operational risk, not compliance debt. Patch external systems first, eliminate long-standing exceptions where patches exist, and compress remediation SLAs from weeks to days.  
  • Harden the perimeter. Use content delivery networks, expand Web Application Firewall capabilities, and introduce controlled delay in adopting new open-source software or AI models to allow time to detect vulnerabilities before deployment.  
  • Realign vulnerability prioritization. Update scoring processes to assume active or imminent exploitation of every vulnerability by default. CVSS-only scoring was designed for a slower threat environment.
  • Replace end-of-life technology. Outdated systems are pre-labeled targets. The advisory recommends staying no more than two major versions behind (N-2) for third-party software.  
  • Fight AI with AI. Use AI to triage, monitor, and respond to security alerts at machine speed. Empower defenders to use it for vulnerability detection, red teaming, and testing before code deployment.  
  • Align accountability. Build security metrics — including patch velocity and platform currency — into team objectives. Report remediation speed to governance committees and the board as part of operational risk. 
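The six recommendations above are operational rules that can be applied to a vulnerability backlog directly. The following script is an added illustration of that, not FS-ISAC's advisory text or any vendor's tooling: it presumes exploitation for every finding, orders external-facing systems first, measures SLAs in days rather than weeks, escalates long-standing exceptions where a patch exists, flags third-party software more than two major versions behind current (N-2), and produces a patch-velocity figure for governance reporting. The findings, hosts, SLA values and version numbers are constructed sample data.

```python
"""Vulnerability-backlog triage along the lines of the FS-ISAC recommendations.

Added example, not FS-ISAC's or any product's code. All findings, hosts,
SLA day counts and version data below are constructed; the assumed policy is
that every finding is treated as exploitable from the day it is first seen.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLAs in days, by severity (constructed policy values).
SLA_DAYS = {"critical": 1, "high": 3, "medium": 7, "low": 14}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str          # constructed identifier, not a real CVE or ticket
    host: str
    severity: str            # critical / high / medium / low
    external_facing: bool
    patch_available: bool
    first_seen: date
    exception: bool = False  # a risk-acceptance / compensating-control exception on file


@dataclass
class Software:
    name: str
    major_version: int       # major version deployed
    current_major: int       # latest major release the vendor ships


def days_open(f: Finding, today: date) -> int:
    return (today - f.first_seen).days


def sla_breached(f: Finding, today: date) -> bool:
    """Exploitation is assumed, so the SLA clock runs from first_seen, not from a CVSS review."""
    return days_open(f, today) > SLA_DAYS[f.severity]


def priority_key(f: Finding, today: date):
    """Sort key: external-facing first, then severity, then most overdue."""
    overdue = days_open(f, today) - SLA_DAYS[f.severity]
    return (not f.external_facing, SEVERITY_RANK[f.severity], -overdue)


def triage(findings, today: date):
    """Return the backlog in remediation order."""
    return sorted(findings, key=lambda f: priority_key(f, today))


def stale_exceptions(findings, today: date):
    """Exceptions on findings that already have a patch: the advisory says eliminate them."""
    return [f for f in findings if f.exception and f.patch_available]


def beyond_n2(inventory):
    """Third-party software more than two major versions behind the current release."""
    return [s for s in inventory if s.current_major - s.major_version > 2]


def patch_velocity(findings, today: date) -> float:
    """Share of open findings still inside SLA; a metric to report to governance committees."""
    if not findings:
        return 1.0
    within = sum(1 for f in findings if not sla_breached(f, today))
    return within / len(findings)


# Constructed sample backlog and inventory.
TODAY = date(2026, 6, 16)
FINDINGS = [
    Finding("VULN-001", "web-gw-01", "high", True, True, date(2026, 6, 10)),
    Finding("VULN-002", "core-db-02", "critical", False, True, date(2026, 6, 15)),
    Finding("VULN-003", "hr-portal", "medium", True, True, date(2026, 3, 1), exception=True),
    Finding("VULN-004", "batch-07", "low", False, False, date(2026, 6, 1)),
]
INVENTORY = [Software("ReportEngine", 9, 12), Software("TicketApp", 6, 7)]

if __name__ == "__main__":
    for f in triage(FINDINGS, TODAY):
        flag = "BREACHED" if sla_breached(f, TODAY) else "within SLA"
        print(f"{f.finding_id} {f.host:<12} {f.severity:<8} ext={f.external_facing} {flag}")
    print("stale exceptions:", [f.finding_id for f in stale_exceptions(FINDINGS, TODAY)])
    print("beyond N-2:", [s.name for s in beyond_n2(INVENTORY)])
    print(f"patch velocity: {patch_velocity(FINDINGS, TODAY):.0%} within SLA")
```

Note the deliberate ordering choice: an external-facing medium outranks an internal critical, because the advisory's first instruction is to patch external systems first. An organization that prefers severity to dominate can swap the first two elements of `priority_key`; the point is that the ranking is a written, evidenced policy rather than an analyst's judgement call per ticket.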

Related: How Is Your Financial Institution Managing AI Cybersecurity Risks? 

Revised Interagency Model Risk Management Guidance

On April 17, the Federal Reserve, FDIC, and OCC jointly issued revised interagency guidance on model risk management, replacing the SR 11-7 framework that had governed model risk practices since 2011. The revision reflects fifteen years of supervisory experience and significant advances in modeling technology. 

The key changes to know:   

  • Principles-based, risk-tiered approach. Model risk management must now be tailored to an organization's size, complexity, and risk profile. Every model must sit in a tier reflecting its inherent risk, exposure, and purpose, with full lifecycle oversight for material models and proportionate lighter controls for lower-risk ones. The tiering itself must be evidenced.  
  • Lifecycle thinking required. Development, validation, deployment, monitoring, and retirement are now treated as one governed chain. Examiners will expect lineage across every link, not just snapshots at handoff points. 
  • Third-party and vendor models explicitly in scope. The guidance closes a gap many organizations had quietly exploited: vendor model risk is no longer the vendor's problem. Validation requirements apply to purchased models.  
  • Non-enforceable as written, but don't be misled. The guidance explicitly states it does not create enforceable standards. For community banks with limited, simple models and existing internal governance, the practical impact may be minimal. But supervisory action may still follow from unsafe or unsound practices stemming from insufficient model risk management.  
  • Generative AI and agentic AI explicitly excluded — for now. The agencies have committed to releasing a request for information (RFI) on AI-specific model risk management. That exclusion is not a gap to exploit. It is an active regulatory workstream, and organizations that haven't begun applying model risk principles to their AI deployments will be behind when that RFI shapes future expectations. 

For community banks, the message is reassuring but nuanced. The guidance is most relevant to organizations with over $30 billion in total assets, and smaller institutions with limited, simple models and existing internal governance may already satisfy the revised framework. However, organizations with significant model risk exposure are in scope regardless of asset size. 

Final Thoughts on AI Risk

The revised MRM framework, the FS AI RMF, and the forthcoming AI model risk RFI are forming the building blocks of what will become the examination scaffold for AI governance in financial services. Organizations that start aligning their AI deployments, including vendor-embedded AI, to model risk principles now will be materially better prepared when that scaffold takes shape. 

Download: How to Identify, Assess, and Mitigate Vendor AI Risks 

Evolving State Regulations: AI Oversight and Elder Financial Exploitation

As federal regulators pull back or shift priorities, state regulators are stepping up.  

On the AI front, states are moving fast to govern algorithmic decision-making:  

  • California finalized sweeping CCPA regulations in July 2025 restricting automated decision-making, with mandatory annual cybersecurity audits beginning in 2028. California does not exempt financial organizations, so if you serve California customers, these rules apply regardless of where you’re headquartered.  
  • Massachusetts announced a $2.5 million settlement for AI-model-related disparate impact outcomes, even as federal regulators stepped back from disparate impact supervision. State enforcement risk on AI-driven decisions is real and independent of federal posture.  
  • New York's 23 NYCRR Part 500 amendments, effective November 1, 2025, impose mandatory multi-factor authentication, data asset inventories, board oversight, and 72-hour vendor-breach reporting. AI-driven systems that touch customer data fall within scope. 

When it comes to elder financial exploitation, many states now impose mandatory reporting requirements, including obligations to delay or hold transactions, notify adult protective services, and document the basis for suspicion. These vary significantly by state and aren't always aligned with federal guidance. As AI and automation increasingly handle transaction monitoring, ensuring those systems detect exploitation patterns and escalate appropriately is a compliance obligation. 

Compliance risk is no longer determined solely by where your organization is chartered. It follows your customers. State enforcement and private litigation are filling the gaps left by federal agencies, making tailored regulatory updates by jurisdiction crucial. 

Related: Stay on top of state regulatory changes with Ncomply

AI in Third-Party Risk Management: The Governance Gap in Your Vendor Stack

TPRM has been a compliance focus for years, but the integration of AI into vendor products has created a new governance gap. Often, the exposure isn't the AI your organization chose to deploy; it’s what your vendors embedded without telling you. 

With Freddie Mac AI governance requirements now in effect and similar expectations spreading across the industry, financial organizations must be able to answer four questions about every vendor: which vendors use AI, how it is deployed, what data feeds it, and who is accountable when it produces an error or a biased outcome. 

The risk surfaces are multiplying: 

  • Loan origination systems. Model risk exposure is now embedded in standard LOS features. AI-driven document extraction, workflow optimization, and automated underwriting assistance each require validation, monitoring, and fair lending impact assessment. 
  • Fraud detection and transaction monitoring. When a vendor's AI model incorrectly blocks account access, your organization owns the Regulation E and customer service consequences.  
  • Agentic AI in vendor platforms. As vendors deploy systems that act autonomously to complete tasks, most governance frameworks haven't kept pace. When an agent embedded in a vendor platform takes an action on your customer's behalf, your organization takes on that risk.  
  • BSA/AML and sanctions risk. If your payment processor uses AI-driven transaction monitoring and that system misses suspicious activity, your organization bears the regulatory consequences. 

The 2024 interagency guidance on third-party relationships is clear: organizations are responsible for the actions of their vendors, including their AI use. Build an AI inventory that captures what systems use it, how it's deployed, and what decisions it influences, and ensure your AI governance framework covers vendor-embedded tools. 

Related: Using AI in Financial Services: Best Practices and Red Flags

Nacha ACH Fraud Monitoring

If your organization originates or receives Automated Clearing House (ACH) transactions, take note: Nacha's new fraud monitoring rules are already in motion. Phase 1 took effect March 20 for large-volume participants, and Phase 2 takes effect June 22 for all remaining institutions. 

The core shift is from reactive to proactive fraud monitoring. Prior ACH fraud controls focused primarily on unauthorized debits. The 2026 rules require all covered participants to establish risk-based processes reasonably intended to identify ACH entries initiated through fraud, including "false pretenses" cases where payments are technically authorized but induced through deception. Business email compromise and payroll redirection fraud are the primary examples. 

Coverage by phase:

  • Phase 1 (March 20, 2026): Large originators with 6 million or more ACH originations in 2023, large third-party service providers and senders, and large Receiving Depository Financial Institutions (RDFIs) must implement fraud monitoring on originated and received ACH credits. 
  • Phase 2 (June 22, 2026): All remaining Originating Depository Financial Institutions (ODFIs), non-consumer originators, third-party senders, third-party service providers, and RDFIs must comply, regardless of volume.

New labeling requirements also took effect March 20: originators must use "PAYROLL" in the Company Entry Description field for wage and salary credits and "PURCHASE" for e-commerce consumer debit transactions, enabling targeted fraud monitoring and anomaly detection across the network. 

Nacha doesn’t mandate a specific fraud monitoring system, but the standard is firm. Monitoring should account for transactional velocity, account characteristics, and patterns consistent with known fraud typologies, including business email compromise (BEC) and payroll redirection. Noncompliance carries significant consequences: fines up to $500,000 per month for repeated violations and potential suspension from originating ACH entries.  

If compliant monitoring isn't yet in place, perform a gap analysis, verify Company Entry Description labeling, and connect your Nacha program to your broader BSA/AML monitoring ahead of the June 22 deadline.  
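To make the monitoring standard above concrete, here is an added example of risk-based ACH credit monitoring. It is not Nacha's rule text or any vendor's product: it checks the Company Entry Description labeling described above ("PAYROLL" for wage credits, "PURCHASE" for e-commerce consumer debits), flags a payroll credit whose receiving account differs from the account used for prior credits to the same employee (payroll redirection), flags the same pattern on vendor credits (the account-change signature of business email compromise), and applies a velocity limit on credits to never-before-seen accounts. The entries, the `purpose` field, the thresholds and the originator names are all constructed.

```python
"""Risk-based ACH credit monitoring of the kind the 2026 Nacha rules call for.

Added example, not Nacha's rule text or a vendor product. Entries, thresholds
and the `purpose` field are constructed; PAYROLL and PURCHASE are the Company
Entry Description values described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AchEntry:
    entry_id: str
    originator: str
    purpose: str           # constructed: "wages", "vendor", "ecommerce_debit"
    description: str       # Company Entry Description field
    is_credit: bool
    payee: str             # employee or vendor identifier as the originator knows it
    receiving_account: str
    amount: float
    submitted: datetime


# Constructed policy thresholds.
NEW_ACCOUNT_WINDOW = timedelta(days=30)
NEW_ACCOUNT_VELOCITY_LIMIT = 3   # credits to unseen accounts per originator per window
LARGE_AMOUNT = 10_000.00


def check_labeling(entry: AchEntry):
    """Return an alert string when the Company Entry Description does not match the purpose."""
    if entry.purpose == "wages" and entry.description != "PAYROLL":
        return "label: wage credit not marked PAYROLL"
    if entry.purpose == "ecommerce_debit" and entry.description != "PURCHASE":
        return "label: e-commerce debit not marked PURCHASE"
    return None


def monitor(history, batch):
    """Evaluate `batch` against prior entries in `history`. Returns {entry_id: [reasons]}."""
    known = defaultdict(set)           # (originator, payee) -> receiving accounts seen before
    for e in history:
        if e.is_credit:
            known[(e.originator, e.payee)].add(e.receiving_account)

    alerts = defaultdict(list)
    new_account_times = defaultdict(list)   # originator -> submit times of credits to new accounts
    for e in sorted(batch, key=lambda x: x.submitted):
        label_issue = check_labeling(e)
        if label_issue:
            alerts[e.entry_id].append(label_issue)
        if not e.is_credit:
            continue                        # the rules target fraudulently induced credits
        seen = known[(e.originator, e.payee)]
        if seen and e.receiving_account not in seen:
            # Known payee, different destination: the core redirection / BEC signature.
            kind = "payroll redirection" if e.description == "PAYROLL" else "payee account change (BEC pattern)"
            alerts[e.entry_id].append(f"{kind}: account differs from prior credits")
        if e.receiving_account not in seen:
            times = new_account_times[e.originator]
            times.append(e.submitted)
            recent = [t for t in times if e.submitted - t <= NEW_ACCOUNT_WINDOW]
            if len(recent) > NEW_ACCOUNT_VELOCITY_LIMIT:
                alerts[e.entry_id].append("velocity: too many credits to new accounts")
            if e.amount >= LARGE_AMOUNT:
                alerts[e.entry_id].append("large first credit to unseen account")
        seen.add(e.receiving_account)       # later entries in the batch see this account as known
    return dict(alerts)


# Constructed prior activity and a constructed incoming batch.
T0 = datetime(2026, 6, 15, 9, 0)
HISTORY = [
    AchEntry("H1", "AcmeCo", "wages", "PAYROLL", True, "E-100", "111", 2500.0, T0 - timedelta(days=14)),
    AchEntry("H2", "AcmeCo", "wages", "PAYROLL", True, "E-200", "222", 2500.0, T0 - timedelta(days=14)),
    AchEntry("H3", "AcmeCo", "vendor", "INVOICE", True, "V-50", "555", 48000.0, T0 - timedelta(days=30)),
]
BATCH = [
    AchEntry("A1", "AcmeCo", "wages", "PAYROLL", True, "E-100", "111", 2500.0, T0),
    AchEntry("A2", "AcmeCo", "wages", "PAYROLL", True, "E-200", "999", 2500.0, T0 + timedelta(minutes=1)),
    AchEntry("A3", "AcmeCo", "vendor", "INVOICE", True, "V-50", "777", 48000.0, T0 + timedelta(minutes=2)),
    AchEntry("A4", "AcmeCo", "wages", "WAGES", True, "E-300", "333", 2400.0, T0 + timedelta(minutes=3)),
    AchEntry("A5", "AcmeCo", "vendor", "INVOICE", True, "V-60", "666", 500.0, T0 + timedelta(minutes=4)),
    AchEntry("A6", "ShopCo", "ecommerce_debit", "WEBSALE", False, "C-1", "888", 40.0, T0 + timedelta(minutes=5)),
]

if __name__ == "__main__":
    for entry_id, reasons in monitor(HISTORY, BATCH).items():
        print(entry_id, "->", "; ".join(reasons))
```

Two design points worth carrying into a real program: the account-change rule is the same for payroll and vendor credits, so one detector covers both typologies named in the rules, and every alert carries a reason string, which is the documentation an examiner will ask for when testing whether the process is "reasonably intended" to identify fraud rather than merely present.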

Related: How to Create Dynamic BSA/AML/CFT Risk Assessments 

Looking Ahead: What’s next for banks in 2026?

The deregulatory signals coming out of Washington don't reduce compliance risk — they redistribute it. The banks and financial organizations that navigate this environment well will resist the temptation to scale back and instead use the moment to build compliance programs that are durable, well-documented, and risk-based. 

“The return on investment is knowledge, data, and being able to figure out where we spend our time.” See how First Community Bank of Tennessee built a compliance program that performs without adding headcount. 
