February 2026 brought mixed signals. Federal agencies are continuing to pull back — the CFPB is reducing exam activity, the Fed is formally removing reputation risk from its supervisory framework, and the NCUA is advancing another round of deregulation proposals. But that doesn’t mean enforcement has disappeared. The DOJ's whopping $68 million fair lending settlement is a reminder that regulators won't ignore egregious violations.
This month also brought new guidance and state-level activity. The Treasury released its AI Lexicon and Financial Services AI Risk Management Framework, FinCEN eased beneficial ownership collection requirements, and developments in Illinois are generating new compliance obligations for banks, credit unions, and mortgage companies alike.
Want a deeper dive into the latest headlines? Watch the March Reg Update podcast. For additional resources and regulatory analyses, check your Ncomply solution.
The Department of Justice reached a $68 million settlement with a Texas lender accused of targeting Hispanic borrowers through predatory land sales. The lender's marketing was conducted almost exclusively in Spanish, featuring national flags and Latin music across social media, and the land sold was frequently flood-prone and lacked basic infrastructure such as water, sewer, and electricity. Interest rates ranged from 10.9% to 12.9%, far above the 20-year fixed rate of 2.35% to 4.05% during the same period. The company failed to verify applicants' ability to repay, resulting in extremely high default and foreclosure rates.
What makes this settlement worth a closer look isn't just the conduct, but the structure of the penalty. $20 million of the $68 million settlement is dedicated to increased law enforcement presence in the area rather than borrower restitution. The Trump administration has signaled reduced regulatory scrutiny, but this settlement suggests that when violations are obvious, the price tag may be higher.
The administration isn’t suddenly prioritizing fair lending, but it’s still crucial to keep your program up to date. While the administration is focused on overt discrimination and comparative disparate treatment rather than disparate impact, lending data still matters, as statistical disparities can reveal conditions that lead to disparate treatment findings. Lending data analysis, overlap reviews, and exception tracking catch the unmonitored discretion that leads to those findings.
Document your process. If a violation occurs, your compliance program is your best defense.
Related: How to Leverage Enforcement Actions to Strengthen Your Compliance Program
A federal district court in the Northern District of Illinois dismissed a class action lawsuit alleging racial discrimination against a mortgage lender. The plaintiff claimed, supported by HMDA data, that she received less favorable loan terms and was denied a float-down option that would have reduced her interest rate. She cited violations of the Equal Credit Opportunity Act (ECOA) and the Fair Housing Act (FHA).
The court dismissed the suit on both disparate treatment and disparate impact grounds. On the disparate impact claim, the plaintiff didn’t show a specific policy or practice caused the statistical disparity between Black and white applicants. Simply pointing to the gap alone wasn't enough. This is the second recent dismissal on similar grounds, as courts are requiring plaintiffs to demonstrate causation tied to an identifiable policy, though the level of causation required varies by circuit.
Class action lawsuits face a different challenge. To achieve class certification, plaintiffs must show that the policy harmed all class members. Individual borrowers' circumstances often vary too widely, making it difficult to identify a single policy that covers all plaintiffs.
Courts require plaintiffs to connect statistical disparities to a specific policy, and class certification is a high bar when borrower circumstances vary. The level of causation required varies by circuit, so understanding the standard in your jurisdiction matters. That said, regulatory risk operates on a different track entirely since examiners don't need to clear the same bar class action plaintiffs do.
Related: 7 Fair Lending Risks Every Financial Institution Needs to Know
On February 13th, FinCEN issued relief from its 2016 Customer Due Diligence Rule, specifically the requirement to collect and verify beneficial ownership every time a legal entity customer opens a new account. For FIs that lived through the CDD Rule implementation, the frustration was familiar: a business opens a checking account, returns two weeks later for a CD, and the entire beneficial ownership process starts over — even if nothing had changed.
Under the new relief, collection and verification are only required when:
FIs that want to maintain their existing process are allowed, as the rule simply removes the mandate. FinCEN also signaled that this relief will inform a formal rulemaking to update the broader CDD Rule, so additional changes are expected.
Review your account-opening procedures to determine where beneficial ownership collection can be streamlined under the new relief. Update your policies to reflect the three triggering conditions and ensure your monitoring processes can flag information that might warrant re-verification.
Related: How to Build Better Governance with Stronger Policies
The U.S. Department of the Treasury released two new resources to guide financial services organizations in using AI: a shared AI Lexicon with common terminology and the Financial Services AI Risk Management Framework (FS AI RMF). Four additional resources covering governance, data integrity, fraud, and operational resilience are expected to follow.
Risks like algorithmic bias, limited model transparency, unique AI cybersecurity risks, and concentration risk are often overlooked in existing programs. The FS AI RMF was developed to close these gaps. For FIs mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, it functions as a sector-specific layer, adding four areas that many programs currently lack:
These resources provide guidance only, but several states have already enacted AI consumer protection and transparency requirements for financial services, underscoring the growing importance of accountability, documentation, and governance around AI use.
FIs that build strong AI risk management now will be better prepared as expectations grow. Review the FS AI RMF against your AI governance program and identify gaps, particularly in documentation and ERM integration.
Related: Ready to assess your AI risk? An AI Risk Assessment template aligned to the NIST framework is available in Nrisk. Stay tuned for updates as we incorporate the FS AI RMF.
According to reports, the CFPB is planning to resume examiner activity by April 2026, but the process will look significantly different. Fewer than 70 exams are planned for the entire year, compared to over 600 supervisory events annually under the prior administration. All exams will be virtual, with a narrower focus on tangible consumer harm, particularly for servicemembers, military families, and veterans.
Also, this month, the CFPB updated its consumer complaint portal for credit reporting disputes, adding new disclosures and an attestation requirement. Consumers must now dispute directly with a credit reporting agency and wait up to 45 days before filing with the Bureau.
The change is aimed at curbing bot activity and mass dispute filings, as credit reporting complaints exceeded two million in 2024, up 180% in two years. However, the portal change doesn't cover core dispute obligations: indirect disputes from a CRA still require investigation, and direct consumer disputes still require a response within 30 days.
Fewer exams don't mean fewer risks. UDAAP, fair lending, TILA, and RESPA remain fully enforceable by state attorneys general, private plaintiffs, and prudential regulators. Also, the Federal Credit Reporting Act (FCRA) furnisher obligations remain. FIs can’t label disputes frivolous to avoid them, and private plaintiffs can still sue for failure to investigate or correct inaccurate information.
The Illinois Department of Financial and Professional Regulation published proposed amendments to its Community Reinvestment Act rules on February 13th. The changes would apply to state-chartered banks, credit unions, and covered mortgage licensees.
The most significant update is the introduction of illustrative lists of qualifying CRA activities, from affordable housing loans and small business financing to financial literacy programs, opportunity zone investments, and partnerships with minority depository institutions and CDFIs. The lists also include activities related to tribal and native lands, climate resilience, and digital equity.
It's important to note that inclusion on a list doesn't mean an activity is automatically appropriate for every FI. Each institution still needs to assess whether a listed activity fits within its specific circumstances.
For covered mortgage licensees, the proposed amendments would also expand the service test to include a broader range of community development services — a meaningful shift for companies that have historically had fewer levers to demonstrate CRA performance in Illinois.
The comment period is open for 45 days following the February 13th publication date, allowing FIs to weigh in before these rules are finalized. In the meantime, review the new illustrative lists against your current community development activity tracking. Understanding where your existing program aligns and where there may be gaps or new opportunities will position your institution ahead of examination when the changes take effect.
Related: How to Keep Up with State Regulations
A federal district court upheld the Illinois Interchange Fee Prohibition Act (IFPA), finding its restriction on interchange fees on the tax and gratuity portions of electronic transactions is not preempted by the National Bank Act. The court reasoned that card networks, not banks, charge interchange fees, so the statute doesn't directly regulate bank powers.
Under the IFPA, merchants have up to 180 days to submit tax and gratuity documentation, which triggers a 30-day window for card issuers to credit excess interchange fees. The ABA and America's Credit Unions plan to appeal the upheld provisions.
On a more positive note, the court struck down the IFPA's data usage limitation, which had restricted FIs from using transaction-associated data for any purpose beyond processing the payment, finding it conflicted with the powers of national banks, out-of-state state-chartered banks, and federal credit unions under federal law.
Card issuers and payment card networks have up to 30 days to credit excess interchange fees once they receive the merchant's tax and gratuity documentation. Missing that window carries a civil penalty of $1,000 per transaction. There is no automated submission process, so FIs should expect manual filings.
The Federal Reserve formally proposed removing reputation risk from bank supervision, reaffirming that it will not pressure banks to restrict services based on customers' political or religious beliefs or other lawful activities. The proposal follows similar actions by the OCC, FDIC, and NCUA, which have all removed reputation risk from their examination handbooks. The shared rationale: reputation risk is too vague, subjective, and susceptible to examiner discretion.
The question many FIs may be asking is whether they should stop using reputation risk altogether. For example, if your institution has been using reputation risk to exit relationships with gun dealers, payday lenders, or crypto firms, regulators may view that as precisely the politically-motivated debanking they are trying to eliminate. That said, the underlying risks reputation risk was designed to capture — deposit runoff, increased funding costs, loss of key relationships from association with fraud or scandal — are still real and worth tracking.
Map your reputation risk to the underlying financial risks it creates. FIs using it loosely as a catch-all to exit industries or customers without rigorous analysis face heightened regulatory risk right now. Those who can demonstrate that decisions were grounded in documented financial risk will be on a much stronger footing.
The NCUA's deregulation initiative continued with two new proposals. The first would remove the requirement for credit union directors to have — or obtain within six months — expertise in finance and accounting, reducing burden on volunteer boards. However, the NCUA noted it will still assess board and management capabilities as part of safe and sound operation.
The second proposal gives federal credit unions more flexibility to incorporate lending metrics, such as loan growth or loan performance, into broader compensation plans. This is not a change to loan officer compensation rules tied to loan terms and conditions, as those remain in place.
Related: The Top Four Credit Union Member Complaints Report
With so many proposals in circulation, it can be difficult for credit unions to track which proposals have been finalized and what remains pending. Check Ncomply to stay updated.
The regulatory landscape is shifting, but the risk isn't going away. Hear what our compliance experts say about how FIs should navigate regulatory requirements in our 2026 Regulatory Outlook webinar.