October brought a wave of regulatory changes that reshaped compliance priorities across the financial services sector. From new federal privacy protections for mortgage shoppers to conflicting court rulings on state consumer laws, financial institutions (FIs) continue to navigate a complex environment where regulatory standards are shifting as underlying legal and compliance risks persist.
Want a deeper dive into this month’s headlines? Our Reg Update podcast offers a detailed breakdown. For more resources and regulatory analyses, look no further than Ncomply.
President Trump signed the Homebuyers Privacy Protection Act (HPPA), which restricts how consumer reporting agencies sell and share trigger leads for residential mortgage transactions. A trigger lead occurs when an agency pulls a consumer's credit report for one lender's mortgage application and notifies other lenders about that application, providing them with the credit report so they can solicit the same customer.
The new law, set to take effect in March 2026, limits consumer reporting agencies to sharing consumer credit reports only when there's a legitimate firm offer — not for unsolicited marketing. Third-party lenders must provide documentation proving they have the consumer's explicit consent to access credit information, unless the third party is already the consumer's mortgage originator, current loan servicer, or has an established banking relationship with the consumer.
If your FI relies on trigger leads for mortgage pipeline generation, begin preparing alternative business development strategies. State laws in Arkansas, Georgia, Idaho, Iowa, Utah, and Texas already impose additional restrictions on using trigger leads — with different exemptions than federal law — and many require consumer notices about non-affiliation with the original lender.
Even where trigger leads remain permissible, FIs must still comply with the Fair Credit Reporting Act (FCRA) opt-out provisions for prescreened solicitations, Federal Do-Not-Call registry requirements, and prohibitions on deceptive practices in rate and term offerings.
Federal agencies released the 2025 Spring rulemaking agenda, which outlines planned regulatory activities from federal regulators and agencies, including the CFPB and FinCEN, as well as prudential banking regulators.
The CFPB lists 24 initiatives, including those focused on:
While some rulemakings include timelines, implementation dates are subject to change.
The FCC is updating its Telephone Consumer Protection Act (TCPA) rules after a federal appeals court struck down the one-to-one consent requirement, which would have forced consumers to give separate written consent for each seller making marketing calls or texts.
Under the revised approach, a single consent disclosure can still cover multiple affiliated entities or marketing partners, preserving the existing framework. FIs that use third-party vendors or lead generators should experience minimal operational impact.
This is good news for financial institutions that share consent with closely related affiliates. Consumer consent is no longer required for each affiliate contact. However, now is the time to review consent language, vendor contracts, and call scripts. Ensure disclosures clearly identify all potential callers and that telemarketing practices remain aligned with TCPA standards to reduce compliance risk.
California’s Office of Administrative Law has approved updated California Consumer Privacy Act (CCPA) regulations covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT), effective January 1, 2026. The California Privacy Protection Agency (CPPA) issued these amendments in response to rising data breaches and the growing use of algorithms that influence consumer outcomes in areas such as lending, employment, and insurance.
The regulations establish three key requirements: mandatory cybersecurity audits with certification of system security, documented risk assessments before processing sensitive or high-risk data, and ADMT disclosures when algorithms materially impact consumer decisions — including certain opt-out rights. Compliance deadlines are phased through 2030 based on business size and processing volume.
FIs already subject to Gramm-Leach-Bliley Act (GLBA) protections may see overlap, but the CCPA also covers non-financial data, including marketing information, website analytics, and other consumer interactions. Even where full compliance isn’t immediately required, consider reviewing privacy policies, cybersecurity audits, and risk assessment processes to ensure readiness and minimize compliance risk.
Related: California Privacy Protection Agency's New CPPA Rules for Financial Institutions
The Ohio Sixth District Court of Appeals affirmed a lower court ruling in favor of a bank in a dispute over Non-Sufficient Funds (NSF) and overdraft fees, giving banks a rare win in this contested area.
Two customers filed class actions challenging the bank’s practices on two fronts:
The customers said that account agreements were unclear, citing “holds” on funds and ambiguous fee disclosures. The bank maintained that its contracts clearly explained that fees are assessed when items are “presented for payment” (settlement) and distinguished between “available” and “actual” balances.
Courts nationwide are divided on these issues, with some siding with consumers due to ambiguous terms like “authorize” and “presented for payment,” as well as the potential for multiple fees on a single transaction.
A credit union suffered a data breach in September 2023, affecting over 187,000 customers. However, the breach wasn’t detected until January 2024, and customers weren’t notified until August 2025 — nearly two years later. While notification delays may have been influenced by law enforcement involvement, the incident highlights failures in detection controls and incident response.
The four-month detection lag suggests insufficient monitoring, while the prolonged notification highlights the risks associated with absent or poorly executed cyber incident management plans. Since disclosing the breach, the credit union has faced more than a dozen lawsuits.
Effective cyber incident management requires a structured, pre-established framework — not reactive scrambling. This breach highlights the importance of FIs establishing clear detection and escalation procedures, assigning specific roles, defining severity criteria, and incorporating compliance timelines for state and federal notifications. Proactive planning and robust monitoring controls help mitigate legal risk, safeguard reputations, and ensure regulatory compliance in the event of a breach.
Related: 4 Steps to Update Your Institution’s Incident Response Plan
The OCC released a bulletin implementing President Trump’s executive order on fair banking, targeting “debanking” practices where accounts are closed or services denied based on political beliefs, religion, or industry rather than objective risk criteria. The guidance addresses high-profile concerns about account closures normally justified by reputation risk and allegations of inappropriate sharing of political transaction data.
Examiners are now directed to evaluate whether banks have avoided politicized account decisions when assessing community credit needs under CRA exams. Banks must base account openings, monitoring, and closures on documented, risk-based criteria that can withstand regulatory scrutiny.
Review your account management policies to ensure that decisions are based on measurable risk factors, rather than subjective or ideological considerations. Maintain detailed records justifying account denials or closures and refresh staff training on the Right to Financial Privacy Act to prevent misuse of suspicious activity reports (SARs) for political data. Be prepared to demonstrate that both historical practices and current policies align with OCC guidance and the executive order during licensing or examinations.
The Wisconsin Supreme Court will review Riffard v. Bank of America, in which an appellate court held that the National Bank Act does not preempt Wisconsin’s Consumer Act requirement for right-to-cure notices before accelerating debt or filing suit. Under state law, creditors must notify customers of default and provide them with 15 days to cure. If the account is cured, it is treated as if no default had occurred. The bank argued this interfered with its lending powers, but the appellate court found that debt collection is a traditional state regulatory area that doesn’t impose conditions on lending itself. The Supreme Court’s decision will determine whether this ruling remains in effect.
Separately, the First Circuit ruled in Conti v. Citizens Bank that the National Bank Act does not preempt Rhode Island’s requirement that banks pay interest on mortgage escrow accounts. Applying the “significant impairment” test from Barnett Bank, as clarified in the Supreme Court’s 2024 Cantero decision, the court found the law does not meaningfully interfere with national banks’ lending or escrow powers. This ruling now binds Rhode Island, Massachusetts, and New Hampshire, requiring national banks operating in these states to comply with interest-on-escrow obligations.
Preemption disputes are on the rise nationwide, with similar interest-on-escrow cases pending in the Second and Ninth Circuits. National banks must monitor charter-specific obligations across states and adjust policies, procedures, and documents accordingly. State laws can impose additional requirements on federally chartered banks if they don’t conflict with federal authority or significantly impair bank operations — a standard that varies by court and continues to evolve through litigation.
The NCUA released an updated Automated Cybersecurity Evaluation Tool (ACET) that aligns with the NIST Cybersecurity Framework 2.0, giving credit unions a structured way to assess cybersecurity readiness and control maturity. The update follows the FFIEC’s discontinuation of support for its Cybersecurity Assessment Tool in August, leaving ACET as the primary self-assessment framework for credit unions.
Ncontracts’ Ncyber platform supports ACET assessments and offers the flexibility to transition to the Cyber Risk Institute framework — both designed to meet the unique cybersecurity and regulatory needs of the financial services industry.
Related: What Examiners Will Expect After the FFIEC CAT Retires
The NCUA announced two significant supervisory changes, implementing recent executive orders: removing all references to disparate-impact liability from its Fair Lending Guide and related materials, and eliminating reputation risk as a supervisory concept. Examiners will no longer request disparate-impact analyses, and issues formerly categorized as reputation risk will now be evaluated as measurable safety and soundness concerns, such as litigation exposure or insider abuse. These changes align the NCUA with similar updates by other federal banking regulators earlier this year.
That said, removing these concepts from federal exam frameworks does not eliminate the underlying risks. Courts continue to uphold disparate-impact claims, and state regulators — particularly in Massachusetts, New York, Illinois, and California — remain active enforcers of these claims. Massachusetts, for example, recently secured a $2.5 million settlement against a student lender involving concerns about AI-driven lending and disparate impact.
Beyond regulatory risk, social media can amplify perceptions of unfairness, competitive pressure keeps reputation central to member retention, and politicized account decisions may now be considered unlawful debanking under federal policy.
Don’t abandon reputation risk monitoring. Treat these risk issues as measurable safety-and-soundness exposures and maintain fair lending controls, including disparate impact testing. Account decisions should be based on neutral, risk-based criteria with clear documentation. Ensure you also monitor state regulations and evolving case law, adjusting policies and vendor oversight to manage cross-jurisdictional risk.