It’s autumn and the leaves are falling – but they’ve got nothing on the fresh pile of paperwork from the CFPB. Meanwhile, the Justice Department is going gangbusters on redlining enforcement.
Want to learn more? Check out the November Regulatory Update podcast by Ncontracts’ team of regulatory experts. Each month they break down the biggest regulatory compliance news and trends for financial institutions.
Here are the highlights. For a deep dive, listen to the podcast.
The Consumer Financial Protection Bureau (CFPB) issued its final Personal Financial Data Rights Rule, also known as the Open Banking Rule, implementing Section 1033 of the Dodd-Frank Act. This rule mandates that financial institutions, credit card issuers, and other financial providers make certain data (such as transaction history, account balance, and account information) accessible to consumers upon request and in a standardized electronic format. Consumers can also authorize third parties to access this data, provided those third parties obtain consent and protect the data's security.
The rule’s compliance deadlines are staggered based on institution size, ranging from April 1, 2026, for the largest institutions (assets of $250 billion or more) to April 1, 2030, for smaller institutions (assets under $1.5 billion). Institutions with assets of $850 million or less are exempt from the rule.
The CFPB issued a circular on opt in practices warning that banks and credit unions can violate the Electronic Fund Transfer Act (EFTA) and Regulation E if there is no proof that it obtained the customers affirmative consent to enroll in covered overdraft services. The CFPB is suggesting that examiners look for past evidence of opt-in consent.
The rule has many concerned that a lack of previous recordkeeping requirements will make it hard to comply with examiner requests for documentation. Listen to the podcast for more details on what this means for financial institutions.
The CFPB released Supervisory Highlights focused on illegal auto lending practices. This includes wrongful auto repossessions from borrowers who had paid on time or received extensions and difficulties with add-on products that are bundled into the cost of the loan, including extended warranties and GAP insurance. The CFPB announced it had taken action against companies that had engaged in these practices as well as those that incorrectly allocated payments or provided misleading or inaccurate disclosures.
The CFPB fined a $14 billion-asset credit union in Florida $1.5 million for unfair acts and practices in the conversion of its online and mobile banking services, violating the Consumer Financial Protection Act of 2010 (CFPA). The credit union didn’t have strong oversight over its vendor selection process and ended up selecting an inexperienced vendor. What should have been a two-day service interruption became a multi-month issue where members couldn’t access online banking.
The CFPB took action against Apple and Goldman Sachs for consumer protection failures stemming from a poor dispute investigation system that led to delayed reimbursements and negative credit reporting for some cardholders. They also misled consumers about interest-free payment plans. Apple faces a $25 million penalty while Goldman Sachs was ordered to pay $19.8 million in restitution and a $45 million penalty and is restricted from launching new credit cards without CFPB approval.
The Department of Justice (DOJ) took redlining enforcement to new heights in September and October, settling redlining cases with three institutions: a credit union, a bank, and a mortgage company. Meanwhile, the New Jersey attorney general also issued a report accusing a failed New Jersey bank of redlining and warned the bank that acquired the failed bank’s assets to be aware of any redlining risk it inherited.
In related news, the DOJ also sued Rocket Mortgage and its appraisal company for undervaluing a Black homeowner’s home by $200,000. When the borrower complained to HUD, the DOJ says the lender allegedly retaliated by canceling her application to refinance.
TD Bank pled guilty agreed to pay over $1.8 billion to resolve DOJ charges that between 2018 and 2024, the bank had an ineffective anti-money laundering (AML) program. The bank had been aware of the issue but did nothing to correct it. In a separate issue, the CFPB ordered the bank to The CFPB ordered TD Bank to pay $28 million in fines and restitution for repeatedly reporting inaccurate, negative information to credit reporting companies.
The SEC fined TD Securities over $15 million for engaging in a practice called “spoofing,” where fake orders are made to manipulate market prices. The company didn’t take action despite warnings that the head of the firm was using this trading strategy. Firms need systems to detect suspicious trading activity and investigate irregularities.
The Financial Crimes Enforcement Network (FinCEN) leveraged BSA data from the past six months for an in-depth analysis of check fraud related to mail theft. The top three ways criminals use stolen checks is to alter then negotiate stolen checks, use the check as a template to create counterfeit checks, and signing and depositing the checks. FinCEN also did a deep dive into specific scams (more in the podcast). The best way to use this information is to leverage it in fraud risk assessments to ensure you have the right controls in place.
The Office of the Comptroller of the Currency (OCC) released its Supervisory Priorities for 2025. For a rundown, listen to the podcast or check out our blog post: A Guide to the OCC’s 2025 Risk and Compliance Priorities.
70% of cyber incidents at credit unions were related to a third-party vendor, according to a letter issued by the National Credit Union Administration (NCUA) on cybersecurity risk. The agency has received 1,000 cyber incident reports since September 2023 and is reminding boards and senior management of the importance of annually approving a comprehensive security program. Training, incident management, and third-party risk management of vendors were also emphasized.