Federal regulators are moving on several fronts this month. Executive orders are reshaping BSA/AML and lending obligations, federal agencies are asserting preemption over state interchange and escrow laws, and the OCC, FRB, and FFIEC are each recalibrating supervisory expectations while courts work through several of these questions in parallel.
Want a deeper dive into the latest headlines? Watch the June Reg Update podcast. For additional resources and regulatory analyses, check your Ncomply solution.
Executive Order 14406, "Restoring Integrity to America's Financial System," directs coordinated regulatory action across Treasury, the CFPB, FRB, OCC, FDIC, and NCUA targeting non-work authorized individuals and their employers.
On the compliance side, Treasury must propose Bank Secrecy Act (BSA) amendments strengthening risk-based customer due diligence (CDD) requirements, including explicit authority to collect immigration status and employment authorization information where risk indicators or supervisory concerns make it relevant. A companion directive asks Treasury and the agencies to consider Customer Identification Program (CIP) amendments, with particular attention to risks posed by foreign consular identification cards.
The CFPB is directed to consider Regulation Z guidance stating that deportation risk and associated wage loss are factors lenders may weigh in ability-to-repay assessments. The banking agencies are each directed to issue corresponding credit risk guidance covering mortgage, auto, and consumer loans to this population, framing such lending as a structural safety and soundness concern.
None of the implementing rules or guidance has been issued yet. When they arrive, FIs will need to factor these changes into their fair lending programs. Stay updated in Ncomply for the latest information.
The Department of Housing and Urban Development (HUD) has signaled a shift in how it will enforce the Fair Housing Act (FHA). The department is moving toward cases of intentional discrimination backed by strong evidence of disparate treatment and away from those built primarily on statistical disparities.
Special Purpose Credit Programs (SPCP) are drawing new scrutiny under that framework. HUD has opened an investigation into a Washington state SPCP for potential FHA compliance concerns, and the agency has advised lenders with potential past violations to take prompt corrective action.
That scrutiny arrives alongside legal pressure from another direction. Fair housing organizations have filed suit against the CFPB over its amended Regulation B rule, which removes disparate impact liability under the Equal Credit Opportunity Act (ECOA). Plaintiffs argue that the rule opens the door to lending discrimination against minority borrowers.
Section 1071 is scaled back but moving forward.
The CFPB finalized amendments to Regulation B implementing Section 1071 of the Dodd-Frank Act, narrowing the scope of covered institutions, trimming data collection requirements, and setting a single compliance date of January 1, 2028. The Bureau's approach is explicitly incremental, modeled on how HMDA data collection developed over time, with the expectation of expanding coverage in the future.
The most consequential change is the origination threshold. The 2026 rule raises it from 100 originations to 1,000. By the CFPB's own estimates, depository coverage drops by roughly 90 percent and non-depository coverage by about 95 percent. Roughly 2,000 institutions that were previously on the hook for this rule no longer qualify.
The definition of "small business" also tightened from $5 million to $1 million. Merchant cash advances, agricultural lending, and small-dollar business credit of $1,000 or less are now excluded. The Bureau also pulled back five discretionary data points, including pricing and denial reasons, and removed disaggregated race and ethnicity categories, though it has signaled both could return in a future update.
Less data doesn't mean less work. For FIs still within the rule’s scope, collection, firewall, reporting, quality control, and governance processes still need to be built. The trimmed dataset also means less built-in visibility into disparities, so institutions that planned to use 1071 data as a fair lending early-warning system should think carefully about what they collect internally to fill those gaps.
The first question for most institutions is whether they're still covered. Re-run the math on the 1,000-origination threshold and the new $1 million small-business definition. If you are still covered, start now. Legal interpretations, systems work, vendor changes, training, and governance signoffs all take time, and the threshold is calculated on prior-year volume.
Two bills in Congress could shift the timeline. The Small LENDER Act, which cleared the House Financial Services Committee in April, could push the compliance date and raise the exemption threshold. The 1071 Repeal to Protect Small Business Lending Act would eliminate the data collection requirement. Neither has moved beyond committee.
Preemption is a recurring theme for depositories this month, with federal regulators and courts weighing in on two separate fronts.
The Seventh Circuit remanded the ABA's lawsuit against Illinois' Interchange Fee Prohibition Act (IFPA) back to district court, vacating a prior ruling that had partially upheld the law. The IFPA prohibits FIs from charging interchange fees on the sales tax and gratuity portions of credit and debit card transactions.
The remand followed an OCC interim final rule asserting federal preemption for national banks and federal thrifts. The NCUA has submitted a similar rulemaking to the Office of Information and Regulatory Affairs (OIRA) for credit unions. The district court will ultimately decide whether interchange fees fall within protected national bank powers, whether the IFPA significantly interferes with those powers, and whether the OCC's interpretation is persuasive.
While that plays out, the Illinois legislature passed a bill delaying the IFPA's effective date until July 1, 2027. Several other states have similar laws in the works, some going further than Illinois' restrictions. How the district court rules could set the stage for preemption battles well beyond Illinois.
Whether national banks must pay interest on mortgage escrow accounts depends, for now, on where you live. The courts are working through a circuit split, and the OCC is pressing its own preemption position in parallel.
The Second Circuit recently found New York's interest-on-escrow law preempted by the National Bank Act, concluding it directly affects national banks' mortgage lending powers and escrow administration. The First and Ninth Circuits reached the opposite conclusion. That circuit split has been appealed to the Supreme Court, which has yet to decide whether to take the case.
The OCC issued two final rules codifying national banks' and federal savings associations' authority over escrow account terms and issued a preemption determination covering New York's law and 13 other substantively equivalent state and territory laws. The courts are not bound by the OCC's reasoning, so the Supreme Court will have the final word.
Federal credit unions face less exposure. The Federal Credit Union Act (FCUA) gives NCUA authority to regulate lending operations, and a 1996 legal opinion holds that federal credit unions are not bound by state law on dividend rates. With 13 states carrying interest-on-escrow laws on the books, the outcome matters significantly for national banks.
The FFIEC is requesting comment on proposed revisions to the Uniform Financial Institutions Rating System (UFIRS), the first update to the CAMELS framework since 1996. As a reminder, CAMELS isn't just an exam scorecard; it shapes supervisory posture, expansion opportunities, and how regulators perceive an FI’s overall safety and soundness.
The most significant change targets the Management component, which has long drawn industry criticism for carrying outsized weight. The proposal would remove the instruction that examiners give "special consideration" to Management when assigning the composite rating, signaling a more balanced look across all six components. A rating of 3 or worse on Management would generally need to be tied to risk management weaknesses that produce material financial risk, not just process or documentation gaps.
The proposal also clarifies when specialty review findings should affect CAMELS. Compliance, IT, and trust exam results would only factor in when they impact overall financial condition, create material financial risk, or reflect significant noncompliance, narrowing the path from an operational finding to a rating consequence.
Other changes include revised and modernized composite rating definitions, tightened examiner discretion so that factors beyond the listed evaluation criteria could only be considered in exceptional circumstances with documented justification, and removal of all references to reputation risk from the framework. This is consistent with recent actions by the FRB, OCC, FDIC, and NCUA.
The comment deadline is August 17, 2026. FIs that want to weigh in on how these changes would affect their supervisory relationship should submit comments before that date.
Now is also an ideal time to confirm how your organization maps exam findings to actual financial condition and whether board reporting distinguishes procedural issues from those with material safety and soundness implications.
The OCC and the Federal Reserve updated their supervisory outlooks this month.
The OCC's Spring 2026 Semiannual Risk Perspective identifies four key risk areas. Cyber threats remain elevated, with state-sponsored actors and sophisticated criminal groups actively targeting FIs, and the current geopolitical environment compounding that pressure. Attackers are using AI to accelerate social engineering and deploy malware that can evade traditional defenses. The OCC specifically calls out multifactor authentication and timely patch management as baseline expectations, while also noting that AI is increasingly available as a defensive tool.
Fraud continues to drive operational losses, with impersonation scams via text and social media as a particular concern. FinCEN has issued fresh alerts on this, and the OCC's message is direct: fraud controls that aren't evolving are falling behind.
On BSA/AML, geopolitical tensions are straining compliance programs, particularly regarding sanctions exposure. FinCEN recently flagged Chinese money laundering networks being used by transnational criminal organizations to move funds through the U.S. financial system. Community banks may find some relief in recent changes, as the OCC streamlined BSA/AML exam procedures, dropped the Money Laundering Risk data collection requirement, and FinCEN issued exceptive relief on customer due diligence earlier this year.
On AI and digital assets, banks are moving carefully into generative and agentic AI, mostly in productivity and customer experience applications with human oversight in place. The OCC supports that direction, but governance must keep pace. Updated model risk guidance — OCC Bulletin 2026-13 — was covered in last month's update, though it's worth noting that generative and agentic AI remain explicitly outside its current scope. A formal request for information on AI-specific model risk is forthcoming. The OCC is actively working on implementation of the GENIUS Act stablecoin framework.
The Federal Reserve updated its Supervisory Operating Principles, shifting emphasis toward material financial risk and away from procedural findings.
On the risk side, the Fed is developing quantitative tests to determine what constitutes significant harm to a supervised banking organization. Two thresholds were previewed: an estimated loss that would cause the organization to fall below well-capitalized status on a historical cost or fair-value basis, or an outflow of a significant amount of cash or liquid assets within a short time period.
On internal audit, examiners are instructed not to perform duplicative validations unless internal audit is rated unsatisfactory, but that only holds for FIs whose audit function is operating effectively. If your third line has had recent staffing changes or hasn't been focused on the highest-risk areas, now is the time to assess whether it's positioned to earn that reliance. The Fed is looking for sound methodology, clear escalation paths, and findings that drive actual change.
Self-identified deficiencies addressed with prompt remediation will be treated as supervisory observations rather than formal matters requiring attention (MRAs) or matters requiring immediate attention (MRIAs). The threshold for enforcement actions has also been raised. Institutions that can identify, investigate, and demonstrate remediation of potential problems before examiners do will be in a materially better position.
The Second Circuit has affirmed that Federal Reserve Banks have broad discretion over master accounts, not just to deny access but to terminate it, joining the Tenth Circuit in that position.
A Federal Reserve master account is essentially a bank account for banks, providing direct access to the Fed's payment and settlement systems, including Fedwire and FedNow, without relying on an intermediary. Access has been one of the most contested issues in banking law, particularly for nontraditional or higher-risk models like fintechs and crypto-focused firms.
The case involved a Puerto Rican offshore bank whose master account was terminated by the Federal Reserve Bank of New York over AML compliance deficiencies. The court rejected the institution's statutory entitlement arguments, reading the relevant statutes as discretionary rather than mandatory. Being eligible, the court held, does not mean being entitled.
The case went beyond denial of access. The plaintiff argued that once access was granted, it could not simply be revoked. The court disagreed, rejecting related due process, APA, and contract theories alongside it. Discretion runs through the full lifecycle of the account.
Eligibility is the starting line, not the finish line. FIs seeking or holding a master account should expect ongoing scrutiny of AML programs, sanctions controls, governance, and risk management, not just at the point of application. Nontraditional models should pressure-test their control environment for ongoing reassessment, not just initial review.
With the Second and Tenth Circuits aligned, statutory entitlement arguments are on increasingly shaky legal ground. Boards and senior management should think carefully about concentration risk if direct Fed access is central to the business model. Contingency planning for potential termination is a business continuity issue, not just a legal one.
The NCUA's eleventh deregulation round proposes two rule changes. The first would increase the Depository Institution Management Interlocks Act (DIMIA) major assets prohibition threshold to $10 billion and remove the presumption-against-monopoly provision under 12 CFR 711. The second would streamline share insurance regulations by removing duplicative sections that refer Federally Insured State-Chartered Credit Unions (FISCUs) to other NCUA rules under 12 CFR 741.
No final rules have emerged from the previous ten rounds, and comment periods are closing. The coming months should clarify whether these proposals translate into actual regulatory change.
The regulatory environment this month reflects something compliance officers know well: federal and state actors don't always move together, and the courts are often left to sort out the difference. Keeping up means tracking not just what changed, but how the pieces interact.
Log in to Ncomply to stay current on the latest developments. Have specific questions about how any of these changes apply to your organization? Nquiry delivers auditable, cited answers to complex regulatory questions in minutes.