Federal regulators spent April 2026 pulling back on prescriptive requirements, from rewriting AML/CFT programs and officially eliminating reputation risk from supervision to rescinding NSF fee guidance and continuing a steady drumbeat of deregulatory proposals.
But fewer requirements doesn’t mean less risk. The same month brought a fair lending settlement that bypassed court oversight, a consent order over VA loan marketing that echoed cases from five years ago, and state-level actions. These show that while regulations may be loosening federally, legal and reputational risks are still present and can shift or intensify due to enforcement or state-level initiatives.
For compliance officers, the message is consistent: the rulebook may be getting shorter, but the expectations around how you manage, document, and execute your program are only growing.
Want a deeper dive into the latest headlines? Watch the May Reg Update podcast. For additional resources and regulatory analyses, check your Ncomply solution.
The days of the annual BSA risk assessment — completed in January and filed away until next year — may be numbered. FinCEN has proposed a rule that would shift anti-money laundering and countering the financing of terrorism (AML/CFT) programs away from technical checkbox compliance toward a more demanding approach: results.
The proposal centers on a risk-based approach tied directly to your institution's profile. Your program needs to reflect the products you offer, the customers you serve, the states you operate in, and how those products are delivered. Under the proposal, changes to any of those factors, such as launching fully digital loan applications, or opening a branch in a new state, would trigger a risk assessment update. Institutions would also be required to incorporate FinCEN's published AML/CFT National Priorities, last updated in 2021, and map identified risks to those priorities.
On enforcement, FinCEN drew a clear line between establishing a program and running one. Significant supervisory action would be reserved for institutions with systemic or significant failures in implementing their programs. Examiners will assess whether an institution knew, or should have known, about resource issues affecting its controls and failed to act. The proposal also signals openness to technology, including artificial intelligence, as part of a well-designed program.
The FDIC, OCC, and NCUA issued a joint proposal to accompany FinCEN's release, and together the two actions tell a complete story.
The agencies' proposal codifies ongoing customer due diligence (CDD) as a required program component, mirroring FinCEN's existing CDD rule and reflecting what examiners have expected in practice for years. Both proposals would also require AML/CFT programs to be written and approved by the board or an equivalent governing body, with new flexibility to extend that authority to appropriate senior management.
The fundamentals of a sound BSA program aren't being rewritten. What's shifting is the weight placed on implementation and accountability.
Start thinking now about how your institution will map its risk assessment more frequently and who owns that process. Documented responsibility and rationale aren't just good practice under these proposals, they're the expectation.
Related: How to Create Dynamic BSA/AML/CFT Risk Assessments
The CFPB issued a final rule amending Regulation B, which implements the Equal Credit Opportunity Act (ECOA), effective July 21, 2026. The changes touch three areas: disparate impact liability, discouragement standards, and Special Purpose Credit Programs (SPCPs).
On disparate impact, the rule removes the "effects test" language from Regulation B and replaces it with new language stating that ECOA does not authorize disparate impact liability. The Bureau's rationale focuses on ECOA's statutory text, which lacks explicit effects-based language — though that reasoning will face scrutiny, as courts have found disparate impact claims permissible under similarly worded statutes.
The rule also narrows prohibited discouragement to statements — spoken, written, or visual — that a creditor knows or should know would cause a reasonable person to believe their application would be denied because of a protected characteristic. Routine business decisions such as branch location and advertising choices no longer constitute prohibited discouragement on their own.
The most significant operational changes involve SPCPs. For-profit programs may no longer use race, color, national origin, or sex as eligibility criteria for new extensions of credit on or after the effective date, though credit already extended is grandfathered. Programs relying on other permissible characteristics now require written plans documenting program need, why eligible participants wouldn't otherwise qualify, and where any prohibited basis is used, a per-participant showing that the characteristic itself is the barrier to access.
If your FI operates an SPCP, audit it against the new eligibility criteria before July 21. Regarding discouragement, document how routine business decisions are made — the rule narrows liability, but the underlying fair lending risk remains. Also, don't treat the disparate impact change as settled law; Fair Housing Act (FHA) claims and state-level actions are still available, and legal challenges to this rule are likely.
Related: 7 Fair Lending Risks You Need to Know
HUD's Office of Fair Housing and Equal Opportunity (FHEO) formally withdrew eight previously issued guidance documents as part of a broader deregulatory initiative. The withdrawn documents failed HUD's three-part review: whether the guidance was statutorily required, consistent with the FHA’s actual text, and reduced compliance burdens rather than added to them.
Six of the eight documents primarily affect housing providers and landlords. Two are directly relevant to lenders.
The first is HUD's 2024 digital advertising guidance, which put institutions on notice that algorithm-driven advertisement delivery could produce discriminatory outcomes and that the FHA applied. The guidance is gone, but the underlying prohibition on discriminatory advertising is not. The FHA’s text hasn't changed, state fair housing laws still apply, and private litigation remains a risk.
The second is HUD's 2021 statement on SPCPs, which stated that programs structured under ECOA and Regulation B would generally not violate the FHA. With that guidance withdrawn, any compliance documentation, fair lending policies, or marketing materials that cited it should be updated.
Withdrawing guidance doesn't rewrite the statute. Ground your fair lending framework in the FHA’s actual text rather than documents that may no longer reflect HUD's enforcement posture, especially as both the Reg B amendments and this withdrawal reshape the landscape simultaneously.
The Department of Justice (DOJ) will implement its $68 million settlement with a Texas development company as a private agreement after a federal judge raised concerns about the deal's structure. The settlement resolves reverse redlining and predatory lending claims covered in our earlier post, requiring $48 million in infrastructure improvements and $20 million in law enforcement and public safety spending.
The judge's objections centered on several gaps. The $20 million law enforcement allocation — earmarked primarily for law enforcement and public safety spending — bore no connection to the original lawsuit, which never sought additional police activity. The settlement also imposed no civil monetary penalties and provided no direct monetary relief to affected borrowers. The development company offered up to four months of interest-free forbearance for buyers experiencing financial hardship, but eligibility remains undefined and direct recovery for harmed borrowers is not guaranteed.
By bypassing the court, the parties are left to monitor compliance on their own terms, and the agreement carries no force of law, leaving the door open for residents to mount a challenge.
The structure is worth watching because it pulls apart something enforcement actions are designed to do together: punish past violations, require corrective action, and make harmed individuals whole. When that last piece disappears, the question of who the resolution serves becomes harder to answer.
The OCC entered into a consent order with a Chicago savings bank over its marketing of Veteran Affairs (VA) cash-out refinance loans, which are products that allow eligible veterans and servicemembers to tap home equity through a refinance.
Between 2022 and 2024, the bank sent advertisements telling customers they had "available funds" and should contact the bank to access them. The letters were solicitations for new loans, not notifications of existing funds, and a new loan was required to access anything.
Bank employees also told customers the institution had a special relationship with the VA and that refinancing would significantly lower their interest rate and monthly payment. Neither was true. Customers ended up paying higher rates than before.
The OCC cited violations of Section 5 of the Federal Trade Commission (FTC) Act, which prohibits deceptive acts and practices. No penalty was assessed, but the bank must hire an independent third-party restitution consultant to identify affected consumers and determine appropriate restitution, with quarterly progress reports to the OCC.
The fact pattern isn't new. In 2020, the CFPB ran a formal enforcement sweep and issued nine consent orders against VA mortgage lenders for false and misleading advertising — nearly identical to what the OCC found here. That the same issues are surfacing five years later suggests this is a persistent weak spot in VA loan marketing, not an isolated lapse.
If your FI offers VA mortgage loans, review your current marketing materials against UDAAP standards before the OCC or another regulator does it for you.
The OCC issued an interim final rule asserting that federal law preempts the Illinois Interchange Fee Prohibition Act (ILFPA), which bars financial institutions from charging interchange fees on the sales tax and gratuity portions of credit and debit card transactions. The move came after a federal district court ruled in February that Illinois could regulate those fees — a decision that put national banks and federal savings associations in an uncertain position.
The OCC is invoking its authority under 12 U.S.C. § 25b to declare that the ILFPA significantly interferes with national banks' exercise of their powers under the National Bank Act. Simultaneously, the OCC issued a separate interim final rule clarifying that national banks have broad authority to charge non-interest fees — including interchange fees set by the bank or third parties — reinforcing that position against state-level restrictions.
Litigation is likely on both fronts. The OCC has authority to make preemption determinations but must apply the same analysis a court would use. Since the Supreme Court's 2024 decision overturning Chevron deference, courts give significantly less weight to agencies' interpretations of their own statutory authority. The OCC's reasoning will face scrutiny, and its conclusions could ultimately be overturned.
Related: How to Keep Up with State Regulations
Oregon signed House Bill 4116 into law this month, making it the third state — behind Iowa and Colorado — to opt out of federal interest rate exportation rules under the Depository Institutions Deregulation and Monetary Control Act (DIDMCA). The law reimposed Oregon's interest rate cap of generally 36% on consumer finance loans of $50,000 or less made to Oregon residents and expands the definition of where a loan is "made" to include the borrower's location.
That last piece is the crux of the legal dispute. For decades, state-chartered FDIC-insured banks have operated under the same interest rate exportation authority as national banks. For example, a bank chartered in West Virginia can apply West Virginia's interest rate to a loan made to a borrower in Virginia. Oregon's law challenges that by asserting a loan is also made in the borrower's state, giving states authority to cap rates charged by out-of-state lenders. Colorado's law is currently awaiting appeal in the Tenth Circuit, and a ruling there — eventually perhaps at the Supreme Court — could reshape standard practice for state-chartered banks that have held for four decades.
If courts uphold these laws, state-chartered banks could face a patchwork of rate caps across state lines, pressure to exit certain markets, or a structural disadvantage against national banks that aren't subject to DIDMCA opt-outs — with charter decisions following. The American Lending Fairness Act of 2026, recently introduced federally, would remove states' ability to pass opt-out laws altogether.
The OCC and FDIC jointly issued a final rule codifying the elimination of reputation risk from their supervisory programs. Under the rule, neither agency may criticize an institution, formally or informally, or take adverse action based on reputation risk, including examination findings, supervisory rating downgrades, and licensing denials. The rule defines reputation risk as any risk that an institution's actions could negatively impact public perception for reasons unrelated to its financial or operational condition, preserving the agencies' authority to address risks that directly affect solvency or service delivery.
The rule also prohibits agencies from requiring, instructing, or encouraging institutions to close accounts or refuse service based on a party's political, social, cultural, or religious views, constitutionally protected speech, or involvement in a lawful but politically disfavored business activity.
No new compliance requirements are imposed on FIs, but state regulators retain authority to examine for reputation risk, so maintaining a strong compliance posture still matters.
The OCC, Federal Reserve, and FDIC issued updated interagency guidance on model risk management, establishing a more risk-based approach. The agencies noted the guidance is most relevant for institutions with over $30 billion in assets, but sound model risk management principles don't shift based on asset size alone.
The updates introduce a materiality framework to distinguish higher-risk models, broaden monitoring expectations to include performance and limitations, and remove the explicit minimum annual validation review cycle. References to specific testing, change management, and approval requirements were also pulled, and the guidance no longer places specific expectations on boards, management, or committees for model risk management oversight.
It’s worth noting that the agencies explicitly excluded generative and agentic AI from the guidance's scope — a gap that will likely need to be addressed as AI-driven models become more central to banking operations.
The FDIC rescinded its supervisory guidance warning of compliance and litigation risks tied to charging multiple non-sufficient funds (NSF) fees on re-presented unpaid transactions. The rescission doesn't give institutions a green light to reinstate fees they previously eliminated. The FDIC was explicit: banks should ground their NSF fee practices in current law, not the withdrawn guidance, and institutions that changed their practices in response should reassess whether those changes still make sense.
State law adds another layer. Many states have independent NSF standards and their own unfair and deceptive acts and practices laws, so a federal rescission doesn't clear the path at the state level. The compliance risk hasn't disappeared — it's just shifted.
Related: UDAAP Compliance: Defining Unfair, Deceptive, Abusive Acts, Practices
NCUA's deregulation initiative continues to move methodically through its regulatory library. The ninth round proposes changes to the associational common bond provisions of its Chartering and Field of Membership (FOM) rules. Under current rules, an association that requires members to purchase a product or service as a condition of joining is automatically disqualified from eligibility in a federal credit union's field of membership. The proposed rule removes that automatic disqualifier — NCUA would instead evaluate the association's overall structure to determine whether the client-customer relationship is incidental to the group's primary purpose or the core reason it exists. A fraternal order that offers but doesn't require members to purchase insurance, for example, could qualify under the proposed standard. The comment period has closed and is pending finalization.
The tenth round targets the rules governing credit union conversions and mergers into banks under 12 CFR 708a, proposing six changes aimed at reducing administrative burden and giving boards more flexibility. The proposals would remove the "clear and conspicuous" definition to allow credit unions to design disclosures that work for their members, replace newspaper notice requirements with website posting, streamline due diligence reporting, and eliminate prescriptive formatting and voting guidelines. The comment period closes on June 22.
As with prior rounds, more flexibility on paper means greater responsibility to document how your institution is managing the decisions that prescriptive rules used to make for you.
Regulatory change is moving fast, and the direction isn't always consistent. Federal agencies are stepping back from prescriptive rules while state regulators, courts, and enforcement actions continue to fill the space. Staying current isn't just about tracking what changed — it's about understanding what those changes mean for your program.
Log in to Ncomply to stay ahead of what's next. And if you have questions about how any of these developments apply to your institution, Nquiry delivers auditable, cited answers to complex regulatory questions in minutes.