New York's FAIR Act Expands Consumer Protection Law with Federal UDAAP Standards

New York just handed its Attorney General (AG) a powerful new tool — and if your financial institution (FI) operates in the state, you need to prepare. The Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR Act), enacted on December 19, 2025, and effective on February 17, 2026, is the first major expansion of its primary consumer protection statute in more than four decades. It adds unfair and abusive practices to the state's existing prohibition on deceptive conduct, using the federal Unfair, Deceptive, and Abusive Acts or Practices (UDAAP) standards you already know — now with state-level enforcement. And the bar for action is lower: one transaction is enough to trigger enforcement, rather than requiring a pattern.  

The law is in effect, so let’s break down what changed, why it matters for FIs in and outside of New York, and what you can do about it.    

Related: What New York’s Cybersecurity Regulation Means for Your FI in 2026 

What changed under the FAIR Business Practices Act?

For more than 40 years, New York's primary consumer protection statute prohibited only deceptive acts or practices. Courts added guardrails over time, requiring that conduct be "consumer-oriented" or affect the public at large before the AG could take action. 

The FAIR Act removes those guardrails and adds two new categories of prohibited conduct:

• Unfair acts or practices, including conduct that causes or is likely to cause substantial injury that is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition.
• Abusive acts or practices, including conduct that materially interferes with a person's ability to understand a product or service, or that takes unreasonable advantage of a person's lack of understanding, inability to protect their interests, or reasonable reliance on a business.

If these definitions sound familiar, it’s because New York has effectively adopted the federal UDAAP standards used by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). New York’s AG can now enforce those same rules at the state level, complete with its own penalties and remedies for FIs.  

Related: 3 Tips for Avoiding UDAAP Violations 

The "consumer-oriented" requirement is gone

For decades, New York courts required that challenged conduct be "consumer-oriented" or affect the public at large before Section 349 applied. That meant the AG typically needed to show a pattern of misconduct or broad public impact. However, the FAIR Act eliminates that limitation, which means:

• Individual transactions may be actionable.
• Business-to-business conduct may fall within the statute's scope.
• The AG no longer needs to prove a pattern or show harm to multiple consumers.

This development substantially expands the potential reach of enforcement actions. A single transaction involving unfair or abusive conduct could trigger an investigation — no pattern required.

Enforcement authority is centralized with the Attorney General

The FAIR Act draws a line between public and private enforcement. The New York AG can bring actions for unfair, deceptive, or abusive acts or practices, with available remedies including injunctive relief, restitution, and civil penalties. Private plaintiffs, however, can only bring actions for deceptive practices, not for unfair or abusive conduct. Private remedies remain unchanged: actual damages or $50 (whichever is greater), discretionary treble damages up to $1,000 for willful violations, and reasonable attorneys' fees. 

By limiting private enforcement to deceptive conduct, the legislature gave the Attorney General exclusive authority over unfair and abusive standards. That means there’s more potential for strategic, coordinated enforcement — and significantly broader reach than under the old framework. 

Related: How to Leverage Enforcement Actions to Strengthen Your Compliance Program 

Federal compliance defense remains

The FAIR Act preserves an existing statutory defense: if your FI’s conduct is subject to and complies with applicable federal law, as administered and interpreted by federal agencies or courts, that compliance provides a defense.  

For federally regulated institutions, documented federal compliance is your strongest defense. 

Where will FAIR Act enforcement focus?

Public statements from the New York AG suggest heightened attention to practices that cause substantial harm or take advantage of consumer vulnerability. If your FI operates in any of these areas, expect increased scrutiny:  

• Mortgage servicing: Loss mitigation, foreclosure processes, escrow handling 
• Student loan servicing: Payment processing, forbearance communications, collection practices 
• Auto lending: Payment processing, repossession practices, and add-on products
• Debt collection: Communication practices, validation procedures, payment processing
• Products targeting vulnerable consumers: Limited English proficiency, elderly consumers, consumers with limited financial literacy

What FAIR Act compliance means for NY FIs

If your FI operates in New York and must meet FAIR Act compliance requirements, consider some of these best practices to ensure you’re prepared:  

1. Audit for individual transaction risk. Patterns are no longer required for enforcement. A single transaction involving unfair or abusive conduct could trigger an investigation, which means FIs must track, review, and document risks accordingly. 
2. Strengthen federal compliance documentation. The statutory defense requires demonstrating that your conduct is subject to and complies with federal law. Ensure your compliance program clearly documents adherence to federal consumer protection requirements. 
3. Review business-to-business (B2B) relationships. The "consumer-oriented" limitation is gone, which means B2B conduct may fall within the statute's scope. 
4. Evaluate products and services affecting vulnerable populations. Practices that cause substantial injury, limit understanding, or take unreasonable advantage of consumer vulnerability are likely to receive heightened attention under the FAIR Act's abusive practices standard. 
5. Assess vendor and third-party risk. Review third-party agreements and vendor conduct for practices that could expose your FI to liability under the expanded definitions, particularly in collections, marketing, and servicing. 

Related: 6 Must-Have Elements of an Effective Audit Program 

Not in NY? How the FAIR Act framework could still impact your FI

The FAIR Act reflects a broader trend we’re seeing in the financial services space: states are stepping in to fill perceived gaps in federal regulation. 

By adopting federal UDAAP definitions, New York provides a ready-made framework that other state legislatures can reference. If you operate in multiple states, build compliance programs to the highest standard you'll face in any jurisdiction and continue to monitor state-specific enforcement trends to ensure you stay compliance-ready.  

Does your FI have the right tools to manage expanded state consumer protection requirements? Learn how Ncomply can help your FI navigate regulatory changes and updates.