- Business solutions
- Compliance Solutions
- Compliance Solutions
Compliance Solutions quarterly newsletter — June 2026
Subscribe to the newsletter
Complete this form to sign up to receive the quarterly Compliance Solutions newsletter.
General
Stay ahead of change with Compliance Hub Alerts
In today's rapidly evolving regulatory environment, staying current with new and changing laws is more challenging, and more critical, than ever. Financial institutions are expected to keep pace with an overwhelming volume of regulatory updates while ensuring timely and accurate implementation across their operations.
Compliance Hub Alerts, a TruStage® solution, is designed to simplify that process.
From information overload to actionable insight
Rather than relying on manual tracking methods, Compliance Hub Alerts continuously monitors a vast regulatory landscape on your behalf. This includes:
- Approximately 17,000 laws and regulations
- Nearly 900 pending pieces of legislation
- Federal Register notices, case law and industry guidance
- Over 250 targeted keywords and phrases1
The result? Your compliance team receives timely, relevant updates, without the noise.
With customizable, multi-layer filtering, you can focus only on the states, federal agencies and topics that matter most to your institution, ensuring your team's time is spent where it has the greatest impact.
Clarity that drives action
Each alert is designed to go beyond simply notifying you of change — it helps you understand and act on it.
Compliance Hub Alerts provides:
- Plain-language summaries that make complex regulations easier to understand
- Impact analysis tailored specifically to financial institutions
- Guidance and recommendations to support implementation across business lines
- Sample customer or member communication templates when notifications are required
- Direct access to source materials and legal references for deeper review
This combination of clarity and context enables compliance teams to move quickly and confidently from awareness to action.
Built for collaboration and accountability
Managing regulatory change is a team effort — and Compliance Hub Alerts makes that process seamless. The platform includes built-in tools that allow teams to:
- Assign alerts and responsibilities to specific team members
- Create and track action items with defined due dates
- Document internal analysis and compliance decisions
- Monitor progress with customizable status updates
An intuitive, "at-a-glance" dashboard gives stakeholders across your institution visibility into what's being tracked, what actions are required and what has already been completed.
Audit-ready, always
In addition to streamlining day-to-day compliance activities, Compliance Hub Alerts supports your institution's broader governance and audit needs. Robust reporting capabilities allow you to:
- Generate reports based on specific dates or timeframes
- Maintain a clear record of regulatory alerts and actions taken
- Demonstrate compliance readiness during audits and exams
A proactive approach to compliance
By replacing manual processes with automation, insight and structured workflows, Compliance Hub Alerts empowers your organization to shift from a reactive stance to a proactive compliance strategy.
Instead of scrambling to catch up with regulatory changes, your team can stay ahead by reducing risk, improving efficiency and strengthening overall compliance performance.
Learn more
Ready to transform the way your team manages regulatory changes? Contact our team to learn more or request a demo.
Financial institutions and emerging AI regulation
What are AI regulations?
Artificial intelligence (AI) regulations govern how organizations develop, deploy and use AI systems, particularly those that influence consumer decisions, pricing or access to services. Across the United States, these regulations generally focus on three core areas:
- Transparency, including requirements to inform users when AI is used
- Risk management, especially for systems that impact financial, employment or other significant decisions
- Consumer protection, including preventing discrimination, unfair outcomes and misleading outputs
These requirements are especially relevant for pricing-related use cases where AI is used to:
- Influence loan approvals or pricing
- Personalize offers or rates
- Support customer eligibility or underwriting decisions
Why do AI regulations matter?
AI is increasingly embedded in core business processes. As adoption grows, regulators are placing greater emphasis on how these systems affect consumers, particularly financial services. Key themes currently driving regulation include:
- Preventing algorithmic discrimination
- Supporting fair pricing and lending practices
- Improving transparency into how decisions are made
- Aligning with existing frameworks like fair lending and consumer protection laws
For many financial institutions, AI is no longer just a technological consideration. It is now a core part of compliance and risk management.
How are AI systems regulated?
AI regulation in the United States is primarily driven at the state level with some additional activity at the federal level.
While approaches vary, most laws and proposed legislation fall into four broad categories:
Transparency and disclosure
These laws require businesses to disclose when and how AI is used. This may include notifying consumers when they are interacting with AI, labeling AI-generated content or providing information about how systems are trained and operate. These requirements are often the first layer of regulation and are intended to improve awareness and trust in AI systems.
Key examples include:
| State | Law/Bill | Type | Summary | Applicability | Exemptions | Effective date |
|---|---|---|---|---|---|---|
| CA | Artificial Intelligence Training Data Transparency | Final law | Requires developers to disclose training data practices and system design transparency | Applies to financial institutions if they develop or substantially modify AI systems for the public | None specified | 01.01.2026 |
| CA | AI Transparency Act | Final law | Requires disclosures for large-scale generative AI providers | Applies to financial institutions if they develop public generative AI systems with 1M+ monthly users | Excludes nonuser-generated entertainment content (e.g., video games, TV, streaming) | 08.02.2026 |
| ME | Communications with Consumers via artificial intelligence | Final law | Requires disclosure for use of AI chatbots in commercial transactions | Applies to financial institutions if they use AI chatbots to engage in a commercial transaction or trade practice with a consumer | None specified | 07.28.2026 |
| NJ | Bots | Final law | Requires disclosure for use of online bots in commercial transactions | Applies to financial institutions if they use online bots to communicate or interact with consumers in connection with the sale or advertisement of merchandise or real estate | None specified | 07.19.2020 |
| UT | Generative AI Consumer Disclosure Law | Final law | Requires businesses to disclose when consumers are interacting with generative AI | Applies to financial institutions if they use generative AI while engaging in consumer transactions | None specified | 05.07.2025 |
| IL | HB 3021 | Active bill | Prohibits misleading consumers into thinking they are interacting with a human when they are engaging with AI, unless disclosed | Applies to financial institutions if they use chatbots, AI agents or avatars in commercial transactions or trade practices with a consumer | None specified | TBD |
| IL | SB 1792 | Active bill | Requires AI systems to disclose that outputs may be inaccurate | Applies to financial institutions if they own, license or operate generative AI | None specified | TBD |
| MN | SF 1886 | Active bill | Requires businesses to disclose when consumers are interacting with AI | Applies to financial institutions that use AI in the course of business | None specified | TBD |
| NY | AB 3411 / SB 934 | Active bills | Requires AI systems to disclose that outputs may be inaccurate | Applies to financial institutions if they own, license or operate generative AI | None specified | TBD |
| NY | AB 6540 / SB 6954 | Active bills | Requires clear disclaimers for generative AI outputs | Applies to financial institutions if they operate or provide a social media platform | None specified | TBD |
| NY | AB 6578 / SB 6955 | Active bills | Requires developers to disclose training data practices and system design transparency | Applies to financial institutions if they develop or substantially modify AI systems for the public | None specified | TBD |
High-risk and decision-making
These regulations apply to AI systems that make or significantly influence decisions about individuals. This includes areas such as lending, pricing, eligibility and access to services. They typically require organizations to implement risk management practices, monitor for bias, document system performance, and maintain appropriate oversight.
For most financial institutions, this is the most operationally significant category, as it directly affects underwriting, pricing strategies, and customer outcomes. Notable legislation includes:
| State | Law/Bill | Type | Summary | Applicability | Exemptions | Effective date |
|---|---|---|---|---|---|---|
| CA | Automated Decision-Making Technology (CCPA)* | Final regulations | Governs automated decision-making using personal data | Applies to financial institutions if they meet CCPA thresholds | Data-level exemption for GLBA-covered data | 01.01.2026 |
| CO | Artificial Intelligence Act | Final law | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop or substantially modify AI systems or if they deploy high-risk AI systems | Financial institutions deemed compliant if under prudential regulation | 06.30.2026 |
| CO | Automated Decision-Making Technology* | Final law | Governs automated decision-making technology impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop, substantially modify or deploy automated decision-making technology | Excludes low-risk tools (e.g., calculators, spam filters) | 01.01.2027 |
| CT | Automated Employment-Related Decision Technology* | Final law | Governs automated decision-making technology impacting employment decisions | Applies to financial institutions if they develop, substantially modify or deploy automated employment-related decision technology | Excludes decisions that result in nonmaterial changes (e.g., job tasks, hours, responsibilities) | 10.01.2026 |
| CT | Subscription-Based AI Providers* | Final law | Governs AI tools offered through subscriptions | Applies to financial institutions if they offer AI technology to a consumer under a subscription arrangement | None specified | 10.01.2026 |
| TX | Responsible Artificial Intelligence Governance Act | Final law | Establishes governance requirements for AI used in business operations | Applies to financial institutions if they develop or deploy AI systems | None specified | 01.01.2026 |
| AZ | HB 2489* | Active bill | Prohibits surveillance pricing based on personal information, including data collected through tracking, sensors or biometric monitoring | Applies to financial institutions if they offer or set a customized price for goods or services using personal information | Allows cost-based pricing, disclosed discounts, loyalty programs and group-based pricing; excludes certain credit products | TBD |
| CA | SB 420 | Active bill | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop, substantially modify or deploy high-risk AI systems | Excludes low-risk tools (e.g., calculators, spam filters) | TBD |
| CO | HB 1210* | Active bill | Prohibits surveillance-based price and wage setting using algorithms | Applies to financial institutions if they use surveillance data in price or wage setting algorithms | Excludes credit decisions and wage setting as a result of pay equity laws | 08.12.2026 |
| HI | SB 59 | Active bill | Governs algorithmic eligibility decisions similar to high-risk AI systems impacting consequential decisions | Applies to financial institutions if they control personal information on 25K+ residents, have $15M+ in average gross receipts for the past three years, are data brokers or are service providers | None specified | TBD |
| HI | HB 2500* | Active bill | Governs algorithmic decision systems used to assist, inform or replace human decision-making | Applies to financial institutions if they develop or deploy algorithmic decision systems | Excludes low-risk tools (e.g., calculators, spam filters) | TBD |
| HI | SB 2967* | Active bill | Governs AI systems used in consumer interactions and high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they deploy AI systems or high-risk AI systems | None specified | TBD |
| IL | HB 4248* | Active bill | Regulates algorithmic and surveillance-based pricing using consumer personal data | Applies to financial institutions if they sell or offer to sell goods or services online | Excludes pricing based on supply chain factors, time-based pricing and models that do not rely on personal data | TBD |
| IL | SB 2203 | Active bill | Governs automated decision tools impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they use an automated decision tool to make consequential decisions | Some compliance exemptions | TBD |
| LA | SB 362* | Active bill | Prohibits surveillance-based price discrimination | Applies to financial institutions if they use automated decision systems for pricing | Allows cost-based pricing, broadly available discounts and insurance pricing based on risk-relevant data | 08.01.2026 |
| MA | HD 4827* | Active bill | Governs automated decision systems impacting consequential decisions (e.g., lending, employment) | Applies to all financial institutions | None specified | TBD |
| MA | HB 94 | Active bill | Governs AI systems used in consumer interactions and high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop or substantially modify AI systems, or deploy high-risk AI systems | None specified | TBD |
| MA | HB 97 | Active bill | Governs AI systems used in consumer interactions and high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop or substantially modify AI systems, or deploy high-risk AI systems | None specified | TBD |
| MI | SB 991* | Active bill | Prohibits personalized algorithmic pricing in online commerce | Applies to financial institutions if they engage in online commerce | Excludes insurers | TBD |
| MI | HB 5771* | Active bill | Prohibits individualized pricing based on personal data collected through surveillance technologies | Applies to financial institutions if they engage in trade or commerce | Allows cost-based differences, loyalty programs, disclosed discounts, certain insurance uses and credit decisions based on consumer reports | TBD |
| MN | SF 4233/HF 3794* | Active bills | Prohibits surveillance-based price and wage discrimination using automated decision systems | Applies to financial institutions if they use automated decision systems to assist or replace human decision-making | Allows cost-based pricing, group discounts, insurance risk modeling and credit decisions based on consumer reports | 08.01.2026 |
| MN | SF 3098/HF 2452* | Active bills | Prohibits surveillance-based price and wage discrimination using automated decision systems | Applies to financial institutions if they use automated decision systems to assist or replace human decision-making | Similar exemptions as above for cost-based pricing, discounts, insurance and credit decisions | 08.01.2026 |
| NY | AB 768/SB 1962 | Active bills | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop or substantially modify AI systems, or deploy high-risk AI systems | Conditional exemptions based on contracts and data usage | TBD |
| NY | AB 9654* | Active bill | Governs covered algorithms used in consequential actions (e.g., lending, employment) | Applies to financial institutions that develop, substantially modify or develop covered algorithms | None specified | 01.01.2027 |
| NY | AB 3265 | Active bill | Governs automated systems affecting civil rights and access to services | Applies to financial institutions if they develop AI impacting residents' civil rights, privacy, equal opportunities or access to critical resources | None specified | TBD |
| NY | AB 3356 | Active bill | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they distribute and control development of high-risk AI systems | None specified | TBD |
| NY | AB 8884/SB 1169 | Active bills | Governs AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop, substantially modify or deploy AI systems | Excludes internal-use systems not used in consequential decisions | TBD |
| NY | AB 773/SB 8115* | Active bills | Governs automated lending decision-making tools | Applies to all financial institutions | Exempts federal banks and credit unions | TBD |
| RI | SB 2428* | Active bill | Prohibits dynamic pricing and surveillance pricing, including algorithm-driven price variation | Applies to financial institutions if they sell goods or services | None specified | TBD |
| VA | HB 999* | Active bill | Governs AI systems and automated decision systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they deploy, use or rely on AI systems or automated decision systems | Safe harbor via compliance with AI frameworks (e.g., NIST, ISO) | TBD |
| WA | SB 6120/HB 2157* | Active bills | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop, substantially modify or deploy high-risk AI systems | Safe harbor via compliance with federal credit laws | 01.01.2027 |
| WA | HB 2667 | Active bill | Governs high-risk AI systems impacting consequential decisions (e.g., lending, employment) | Applies to financial institutions if they develop, substantially modify or deploy high-risk AI systems | Limited small-business exemptions for deployers | 07.01.2026 |
| Fed | S 3387* | Active bill | Prohibits differential pricing based on surveillance data | Applies to financial institutions if they use consumer surveillance data for pricing | Excludes insurance and credit products | TBD |
General governance
These laws and proposed bills establish broader frameworks for how AI systems are developed and used. They often define key terms, assign responsibilities to developers and deployers and set baseline expectations for governance.
Many of these proposals are still evolving, but they signal where regulation is heading and are likely to influence future requirements:
| State | Law/Bill | Type | Summary | Applicability | Exemptions | Effective date |
|---|---|---|---|---|---|---|
| TN | Curbing Harmful AI Technology (CHAT) Act | Final Law | Governs AI products and generative AI | Applies to FIs if they deploy covered products (AI systems, companion chatbots, or generative AI systems) | None specified | 01.01.2027 |
| CA | AB 412 | Active Bill | Governs generative AI systems | Applies to FIs if they develop or substantially modify generative AI systems | None specified | TBD |
| IL | HB 4988 | Active Bill | Governs generative AI systems | Applies to FIs if they own, license, or operate generative AI systems | None specified | TBD |
| IL | SB 3180 | Active Bill | Governs AI deployment | Applies to FIs if they deploy AI to users | None specified | 01.01.2027 |
| IL | SB 2995 | Active Bill | Restricts AI use cases | Applies to FIs if they use AI to communicate with consumers in a way that could make them think they are interacting with a human, or if they use AI to market or sell goods or services. | None specified | TBD |
| IL | HB 3506 | Active Bill | Governs foundation models (AI models that are trained on broad data sets, use self-supervision in training, and can apply across many contexts) | Applies to FIs if they develop foundation models with certain computing power | None specified | TBD |
| IA | HF 406 | Active Bill | Governs restrictions on the use of AI | Applies to FIs if they develop or substantially modify AI, or if they manufacture smart devices | None specified | TBD |
| MO | SB 1012* | Active Bill | Governs restrictions on the use of AI | Applies to FIs if they develop or deploy AI systems | None specified | 08.28.2026 |
| NH | HB 1725* | Active Bill | Governs AI deployment and development and establishes a regulatory sandbox | Applies to FIs if they conduct business in NH, offer products or services to state residents or develop or deploy AI systems | None specified | 01.01.2027 |
| OK | HB 1916 | Active Bill | Governs AI deployment obligations | Applies to FIs if they deploy AI systems for operational use | None specified | TBD |
| VT | HB 340 | Active Bill | Governs automated decision systems | Applies to FIs if they develop, substantially modify, or deploy automated decision systems | Excludes low-risk tools (e.g., calculators, spam filters) | TBD |
| VT | HB 341 | Active Bill | Governs AI systems | Applies to FIs if they develop, substantially modify, or deploy AI systems | Exempts small businesses as defined by the SBA | TBD |
| VT | HB 821 | Active Bill | Governs generative AI | Applies to FIs if they use generative AI to interact with consumers | None specified | 07.01.2026 |
| Fed | HR 6356* | Active Bill | Governs covered algorithms (AI systems that make decisions) | Applies to FIs if they develop, substantially modify, or deploy covered algorithms | None specified | TBD |
Specialized and sector-specific
These regulations focus on specific AI technologies or use cases, such as generative AI, chatbots, synthetic content or voice-based systems. Although narrower in scope, they can introduce targeted requirements depending on how these technologies are used within an organization. Examples include:
| State | Law/Bill | Type | Summary | Applicability | Exemptions | Effective date |
|---|---|---|---|---|---|---|
| UT | Artificial Intelligence Policy Act | Final Law | Establishes a regulatory sandbox for AI innovation | Applies to FIs if they apply for participation in the regulatory learning laboratory | None specified | 05.01.2024 |
| Fed | S 3062* | Active Bill | Governs AI chatbots | Applies to FIs if they own, operate or provide AI chatbots | None specified | TBD |
| Fed | S 3354* | Active Bill | Governs AI robocalls | Applies to FIs if they make robocalls using AI to emulate human beings | None specified | TBD |
| Fed | S 3495* | Active Bill | Governs artificial or prerecorded voices | Applies to FIs if they use technological representations of speech or conduct that is AI generated | None specified | TBD |
*Legislation marked with an asterisk denotes that it has been covered in a Compliance Hub Alert. Legislation not covered in a Compliance Hub Alert was either introduced or enacted before Compliance Hub Alerts existed or will be covered in the future if it is sent to the governor for consideration.
Important considerations
The applicability of AI regulations depends heavily on how systems are used.
Financial institutions that develop their own AI systems may be subject to different requirements than those that only deploy third-party solutions. In addition, obligations may vary depending on the use case, the type of data involved and the impact on consumers. Because of this, financial institutions should consider:
- Evaluating how AI is used across business functions
- Monitoring both enacted laws and pending legislation
- Assessing whether existing compliance frameworks already address some requirements
What's next for AI?
AI regulation is expected to expand significantly over the next several years. Key trends to watch include:
- Continued expansion of state-level regulation
- Greater consistency around risk-based frameworks
- Increased focus on lending, pricing and eligibility decisions
- More coordination at the federal level
Financial institutions should begin preparing now by:
- Establishing formal AI governance structures
- Maintaining documentation and audit trails
- Aligning AI use with existing compliance programs
Modernizing financial privacy: What the GUARD Financial Data Act would change
For more than twenty-five years, the Gramm-Leach-Bliley Act (GLBA) has formed the backbone of U.S. financial sector privacy law. While the GLBA establishes baseline safeguards and notice obligations, it was drafted long before mobile banking, data aggregation, artificial intelligence and modern consumer data expectations. The GUARD Financial Data Act ("Act")2 serves to expand and modernize the GLBA privacy framework for today's data environment.
The Act, which was introduced in Congress in April 2026, would amend Title V of GLBA by incorporating modern privacy protections. The goal of the proposed legislation is to strengthen consumer control over their financial data and establish a national standard for financial privacy.
How the act strengthens consumer privacy protections
The following is a summary of the key elements of the Act:
- Data minimization — GLBA currently requires that financial institutions explain how a consumer's nonpublic personal information (NPI) is shared and gives consumers limited opt-out rights, but the law imposes few constraints on how much data institutions may collect or disclose. The Act changes that by requiring institutions to limit the collection and disclosure of NPI to what is adequate, relevant and reasonably necessary for each defined purpose, subject to existing regulatory and statutory exceptions
- Requests for access, disclosure or deletion of financial data — The Act allows current or former financial institution customers to request access to their NPI held by that institution and, subject to existing GLBA exceptions, to receive a list of categories of nonaffiliated third parties to whom their NPI has been disclosed. In addition, former customers would have the right to request deletion of NPI held by a financial institution with whom they no longer have a relationship, subject to exceptions for regulatory obligations, fraud prevention, credit reporting and other lawful uses
- Consent for collection and disclosure of sensitive financial data — The proposed legislation strengthens protections on consumers' sensitive NPI. Under the Act, institutions would be required to provide notice and obtain affirmative opt-in consent before collecting or disclosing to nonaffiliated third parties sensitive NPI such as biometric identifiers, precise geolocation data and certain highly personal demographic information. Consumers would be able to revoke their consent at any time
- Limits on use of consumer access credentials — One of the most operationally significant sections of the Act addresses financial data aggregators and credential-based access. Before using a consumer's username or password to access an account, aggregators and nonaffiliated third parties would need to provide detailed notice explaining how credentials would be used, shared and protected, along with the associated risks. Consumers must also be given an opportunity to opt out of use of their access credentials. Financial institutions are prohibited from blocking data access when these notice and opt-out conditions are met
- Additional information in notices to consumers — The Act provides that financial institutions must notify consumers of the following before disclosing their NPI to a nonaffiliated third party:
- Categories of purposes for collecting and disclosing NPI
- Categories of practices with respect to retention of NPI
- Categories of practices with respect to the use of artificial intelligence for collecting, processing and using NPI
- Whether NPI is processed in, retained in or disclosed to certain countries
- An explanation of how a consumer can exercise their continuing opt-out right
- An explanation of how a customer can access copies of a financial institution's privacy disclosures
- An explanation of how a customer or former customer can request disclosure or deletion of their NPI
- Uniformity through federal preemption — The Act would preempt state financial and nonfinancial data privacy and security laws as applied to GLBA-covered institutions and GLBA-covered data
What does this mean for financial institutions?
If signed into law, the Act would not only impact the information to be included in privacy notices — it would require financial institutions to reassess how they collect, justify, retain, share and delete consumer data. Financial institutions may wish to begin evaluating how the new requirements would impact their privacy and data management policies and practices.
NCUA deregulatory project update
We first highlighted the NCUA's Deregulation Project in our March 2026 newsletter. The NCUA launched the project following the issuance of Executive Order 14192, Unleashing Prosperity Through Deregulation.3 It is an initiative to review all NCUA regulations and policy statements and rescind or propose changes to those that are obsolete, duplicative, overly burdensome or intended to serve as guidance rather than requirements. This long-term project is intended to ensure the agency is focused on fulfilling its mission to enable access to financial services by facilitating safe, sound and resilient credit unions.
In May 2026, the NCUA released its 11th round of proposed regulatory changes. A total of 31 proposed rules have been issued since the project's inception, but none of the rules have yet been finalized. Credit unions are encouraged to:
- Stay informed as additional proposed or final rules are issued
- Assess how changes may affect credit union policies, procedures, governance or compliance responsibilities
- Provide feedback during public comment periods
Visit the NCUA's Deregulation Project webpage for additional background on this initiative, specific details of each rule and a list of frequently asked questions.4
Deposit
FDIC rescinds supervisory guidance on multiple re-presentment NSF fees
The Federal Deposit Insurance Corporation (FDIC) has rescinded prior supervisory guidance on the practice of assessing multiple non-sufficient funds (NSF) fees for transactions that are re-presented for payment. Rather than prescribing detailed expectations, the agency will focus on transparency, accuracy and compliance with existing consumer protection laws.
Background
The FDIC has issued a series of Financial Institution Letters ("FIL") pertaining to multiple re-presentment NSF fees. In August 2022, the FDIC issued FIL-40-2022, entitled "Supervisory Guidance on Multiple Re-Presentment NSF Fees" to ensure that financial institutions were aware of consumer compliance risks associated with this practice and the agency's supervisory approach for violations of law and related corrective action.
The following year, the guidance was updated to further clarify the FDIC's supervisory approach for corrective actions. FIL-32-2023, issued in June 2023, rescinded and replaced FIL-40-2022. However, after further review and assessment, the FDIC determined that the updated guidance introduced unintended ambiguity.
Key change
On April 10, 2026, the FDIC issued FIL-14-2026,5 immediately rescinding FIL-32-2023 and the agency's supervisory guidance on re-presentment NSF fees in its entirety. The FDIC concluded that the guidance was overly broad in scope and created uncertainty about whether a financial institution's disclosures describing re-presentment practices could trigger "unfairness" concerns under Section 5 of the Federal Trade Commission (FTC) Act.
By withdrawing its guidance, the FDIC is stepping back from a prescriptive supervisory position on this fee assessment practice.
Considerations for financial institutions
While the FDIC has rescinded its supervisory guidance, the agency emphasizes that institutions should still ensure their consumer disclosures accurately reflect their practices and are provided in accordance with applicable laws, regulations and other current legal requirements.
Lending
Emerging divorce-related mortgage assumption laws
Recent legislative activity across several states marks a meaningful shift in how lenders must handle mortgage debt in divorce proceedings. Laws enacted in Maryland, Virginia and California now require mortgage lenders to permit the assumption of a mortgage by one spouse following a divorce under certain conditions. These changes represent a significant departure from the longstanding norm, which often required either refinancing the mortgage into one spouse's name (often at a higher interest rate) or selling the marital home altogether in order to release one party from liability.
At their core, these laws mandate that certain residential mortgage loans include a provision allowing one borrower to assume the existing loan in connection with a divorce. While the statutory details vary, the framework is largely consistent across jurisdictions. Lenders must include a contractual assumption clause permitting one spouse to take over the loan and buy out the other's interest following a divorce decree. The assuming borrower is still required to meet standard underwriting criteria, including creditworthiness, income and debt‑to‑income ratios. Once approved, the departing spouse can be formally released from liability on the loan. Importantly, the assuming borrower is typically allowed to retain the original loan terms, including the interest rate, amortization schedule, and outstanding balance, thereby avoiding the need to refinance at current market rates. These requirements generally apply to conventional (non‑government‑backed) residential mortgages, which historically were not required to be assumable. In addition, the statutes impose consumer disclosure obligations, requiring lenders to inform borrowers at application or origination that the loan includes a divorce‑related assumption provision.
Maryland was among the first states to act, with House Bill 1018 taking effect on October 1, 2025. The law requires most conventional mortgage loans to include an assumption provision tied to divorce and is notable for its asserted retroactive effect, meaning that even certain existing loans may be treated as subject to these requirements if a divorce occurs after the effective date. Virginia followed with House Bill 304, effective July 1, 2026, mandating that new conventional mortgages allow assumption in the event of divorce or annulment, provided the remaining borrower individually qualifies. California has also adopted similar legislation through 2024 Assembly Bill 3100, effective January 1, 2027, requiring lenders to permit assumption of conventional mortgages for divorcing borrowers on loans originated beginning in 2027. California lawmakers have explicitly positioned the statute as a response to rising interest rates and the financial burden associated with refinancing historically low rates at current market rates.
These legislative efforts have been driven by a combination of market conditions and sustained advocacy from financial professionals, family law practitioners, and housing policy groups. During the COVID‑19 pandemic, borrowers secured historically low mortgage rates—often in the 2% to 3% range—which created a significant disparity as interest rates rose sharply in the years that followed. In many cases, refinancing a mortgage during divorce would result in dramatically higher monthly payments, making it financially unfeasible for either spouse to retain the home. This "rate lock‑in" effect has been a central catalyst for reform, as policymakers increasingly recognized that existing mortgage structures were forcing unnecessary home sales and placing additional strain on already difficult divorce proceedings.
Advocacy groups have highlighted the structural challenges divorcing borrowers face when working with mortgage servicers. Testimony supporting these laws has emphasized that, in the absence of clear statutory requirements, servicers have often defaulted to refinancing at higher rates as the primary method to release a divorced borrower. These practices, combined with affordability concerns and the goal of promoting housing stability (particularly for families with children), have helped build bipartisan support for legislative change.
The emergence of divorce‑related mortgage assumption laws signals a broader policy shift at the intersection of housing finance and family law. By embedding divorce-related assumption rights into mortgage contracts, these statutes provide a more flexible for dividing property while preserving access to favorable loan terms. As additional states consider similar measures, these provisions are likely to become an increasingly standard feature of the consumer mortgage landscape, with meaningful implications for borrowers, lenders, and the broader housing market. Lenders and servicers should expect increasing operational and compliance considerations as these provisions become more widely adopted.
Section 1071 final rule
The Consumer Financial Protection Bureau (CFPB) has issued the final Section 1071 Small Business Loan Data Collection Rule or "Section 1071 rule."
The CFPB states that these changes are intended to simplify the rule, reduce complexity, enhance data quality and align with executive directives. It also notes that adopting a more focused approach centered on core lending products, key lenders and essential data collection will help maintain data quality while minimizing disruption for small businesses and preserving their access to credit. The Bureau points to the phased evolution of data collection under the Home Mortgage Disclosure Act (HMDA) and Regulation C as a model for this incremental approach.
Key changes
- The definition of covered credit transaction excludes merchant cash advances (MCAs), agricultural lending, and small dollar loans in an amount of $1,000 or less, to be adjusted for inflation over time
- The definition of covered financial institution excludes Farm Credit System lenders altogether. It also increases the origination threshold of covered transactions from 100 to 1,000 for each of two consecutive years
- The definition of small business changes the gross annual revenue threshold from $5 million to $1 million
- The final rule removes the discretionary data points for application method, application recipient, denial reasons, pricing information, and number of workers
- Inquiries about a principal owner's sex was revised from a free-form text field to a static binary response of male/female
- The LGBTQI+-owned business data point is no longer a collection point under the final rule
- The final rule eliminates collection of disaggregated categories of race and ethnicity
- A revised comment clarifies that financial institutions retain a general expectation to request demographic data before a credit decision, while the final rule allows collection at a time reasonably designed to obtain a response
- The final rule replaces the tiered compliance schedule and moves the compliance date to January 1, 2028, for all covered financial institutions
There is a 12-month grace period for data collected in 2028.
Lawsuits have been a steady part of the 1071 journey. Some may be dismissed as the underlying controversy is no longer applicable with the narrowed scope of the 2026 final rule. However, others will likely challenge the new 2026 final rule as an effort to compel compliance with the broader 2023 rule.
For additional information, please visit the Small Business Lending under the Equal Credit Opportunity Act (Regulation B).6
Colorado Artificial Intelligence Act repealed and replaced
Important: The original Colorado Artificial Intelligence Act (SB 24-205) has been repealed and replaced by Colorado Senate Bill 26-189, signed by Governor Polis on May 14, 2026. The new law takes effect January 1, 2027.
Background
In 2024, Colorado Senate Bill 24-205 was signed into law, adding Part 17 to Colorado's Consumer Protection Code (C.R.S.A. § 6-1-1701, et seq.). That law adopted a risk-based approach to regulating artificial intelligence and established consumer disclosure and notice obligations for entities deploying "high-risk artificial intelligence systems" to make "consequential decisions." TruStage Compliance Solutions developed two documents, the Artificial Intelligence Disclosure and the Artificial Intelligence Adverse Decision Notice, to help financial institutions comply with SB 24-205's requirements, which were set to take effect June 30, 2026.
What has changed
On May 12, 2026, the Colorado legislature passed SB 26-189,7 which was signed by the Governor on May 14, 2026. SB 26-189 repeals the original Colorado Artificial Intelligence Act (SB 24-205) in its entirety and replaces it with a new regulatory framework. Key changes include:
- Terminology: From "AI Systems" to "Automated Decision-Making Technology"
The law replaces references to "artificial intelligence systems" with "automated decision-making technology" (ADMT), defined as a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual. The law expressly excludes certain technologies from the ADMT definition, including anti-malware, calculators, databases, spell-checking, spreadsheets requiring manual human analysis and tools used solely to summarize, organize or present information for human review.
- Revised Disclosure Framework
The original law required four categories of disclosures. SB 26-189 streamlines and refocuses the disclosure requirements:
- Point-of-Interaction Notice: Before using a covered ADMT to materially influence a consequential decision, a deployer (i.e., financial institution) must provide clear and conspicuous notice to the consumer that ADMT is being used and instructions on how to obtain additional information. A deployer may comply by maintaining a prominent public notice reasonably accessible at points of consumer interaction.
- Post-Adverse Outcome Disclosure: Within 30 days after a consequential decision that results in an adverse outcome, the deployer must provide:
- A plain language description of the consequential decision and the role the covered ADMT played;
- Instructions and a simple process to request additional information about the covered ADMT, including the ADMT name, version number, developer (i.e., the vendor or company that created the ADMT), and types, categories, and sources of personal data used;
- An explanation of the consumer's rights and how to exercise them.
- Consumer Rights
SB 26-189 grants consumers who experience an adverse outcome from a consequential decision materially influenced by a covered ADMT the right to:
- Request personal data and correction of factually incorrect or materially inaccurate personal data used in the decision;
- Request meaningful human review and reconsideration of the consequential decision, to the extent commercially reasonable. "Meaningful human review" is defined as review by a designated individual who has authority to approve, modify, or override the decision, considers relevant primary evidence, is trained to conduct the review, and does not default to the system output.
- Developer Obligations
SB 26-189 introduces new obligations for developers of covered ADMT, requiring them to provide deployers with technical documentation describing the ADMT's intended uses, categories of training data, known limitations, instructions for appropriate use and human review, and notice of material updates. Both developers and deployers must retain compliance records for at least three years.
- Enforcement
The Colorado Attorney General has exclusive authority to enforce the new law through the Colorado Consumer Protection Act. A violation is deemed a deceptive trade practice. Before initiating enforcement, the Attorney General must provide a 60-day notice and opportunity to cure (unless the violation was knowing or repeated). The law does not create a private right of action. Beginning in January 2028, the Attorney General must report annually on enforcement actions.
Impact to TruStage Compliance Solutions
TruStage® Compliance Solutions is analyzing SB 26-189 to determine what changes need to be made to the lending and deposit solutions for compliance with the new law and any forthcoming rules from the Colorado Attorney General.
Financial institutions should note that the original June 30, 2026, compliance deadline no longer applies. The new effective date is January 1, 2027. No immediate action is required regarding the previously developed AI disclosure documents. TruStage Compliance Solutions will communicate updated documents and guidance once the analysis of SB 26-189 is complete and the Colorado Attorney General's implementing rules are issued.
For questions or assistance, or to learn how TruStage can help navigate the new AI requirements, please contact your TruStage representative.
Thank you for choosing TruStage® Compliance Solutions. Please know that we value your continued partnership with us.