Compliance Solutions quarterly newsletter — March 2026

General

NCUA Deregulation Project

In 2025, the National Credit Union Administration (NCUA) launched its Deregulation Project following the issuance of Executive Order 14192, Unleashing Prosperity Through Deregulation. The Deregulation Project is an initiative to review all NCUA regulations and policy statements and rescind or propose changes to those that are obsolete, duplicative, overly burdensome or intended to serve as guidance rather than requirements. This long-term project is intended to ensure the agency is focused on fulfilling its mission to enable access to financial services by facilitating safe, sound and resilient credit unions.

As of February 2026, the NCUA has issued six rounds of proposed regulatory changes. The proposals are open for public comment for 60 days following publication in the Federal Register.

Credit unions are encouraged to stay informed as proposed rules are issued, assess how changes may affect credit union policies, procedures, governance or compliance responsibilities and provide feedback during public comment periods.

Visit the NCUA's for additional background on this initiative, specific details of each proposed rule and a list of frequently asked questions.

Deposit

New guidance on non sufficient funds (NSF) fees in Maine

The Maine Bureau of Financial Institutions (Bureau) has issued guidance to state-chartered financial institutions which addresses the practice of charging multiple non sufficient funds (NSF) fees for withdrawal transactions. When a check or ACH transaction, for example, is returned because the balance in the consumer's account is not sufficient to cover the transaction, a merchant or other payee may represent the same transaction for payment one or more times. In some instances, financial institutions charge consumers an NSF fee each time a payment is presented.

The Maine Legislature asked the Bureau to review this practice and provide guidance to protect consumers. After reviewing supervisory guidelines of both the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) and consulting with the Maine Bankers Association and Maine Credit Union League, the Bureau issued Bulletin #83 in November 2025.

Bulletin #83 explains that the Bureau, pursuant to 9-B M.R.S. § 241, will treat the assessment of multiple NSF fees as an unfair practice under the following circumstances:

1. A state-chartered financial institution provides inaccurate disclosures of representment and NSF fee practices; or
2. even when its representment and NSF fee disclosures are accurate, a state-chartered financial institution has a policy of assessing NSF fees on each representment if the consumer is unable to reasonably avoid the NSF fees.
   The Bureau further explains that a risk of unfairness arises if the consumer is assessed multiple NSF fees in a short period of time without sufficient notice or opportunity to bring their account to a positive balance in order to avoid the assessment of additional NSF fees.

Both the Bureau and federal regulators will recognize a financial institution's efforts to self-identify and correct violations and, as a result, may not cite such violations in examination reports or pursue enforcement actions. However, financial institutions that do not fully correct such violations may face supervisory and enforcement actions, civil money penalties, and restitution orders.

The Bureau does recommend that financial institutions review federal guidance issued by the FDIC and the NCUA to ensure consumers are adequately protected and the institutions are properly managing the risks associated with multiple NSF fees.

IRS extends key retirement plan compliance deadlines

The IRS has recently signaled a broader pattern of deadline extensions affecting retirement accounts, particularly IRAs and employer sponsored arrangements. Through coordinated guidance, including Announcement 2026-07 and Notice 2026-9, the IRS is delaying several regulatory and amendment obligations to allow more time for institutions to update systems, governing documents and compliance processes tied to complex retirement plan changes. These moves reflect the agency's acknowledgment of industry concerns about tight timelines and operational hurdles surrounding evolving IRA related requirements.

Announcement 2026-07 specifically delays the applicability of several technical provisions within the proposed required minimum distribution (RMD) regulations issued under the SECURE 2.0 framework. Industry professionals reported that implementing the originally planned January 1, 2025 applicability date would be impractical due to extensive updates needed across systems and plan operations. This latest extension will require the future final regulations to apply to RMDs for the distribution calendar year that begins no earlier than 6 months after the date that final regulations are issued in the Federal Register. Practically, this delay may have little impact on the operations of those that work with retirement plans and IRAs. The IRS makes it clear that "for periods before the applicability date of these amendments [to the RMD rules], taxpayers must apply a reasonable, good-faith interpretation of the statutory provisions underlying the amendments." Presumably, using the IRS's own proposed RMD rules would be considered a good-faith interpretation of the SECURE 2.0 Act RMD provisions.

Notice 2026-9 grants a one year extension for amending IRAs and employer SEP and SIMPLE IRA plan documents to reflect provisions of the SECURE Act, section 2202 or 2203 of the CARES Act, section 302 of the Relief Act, the SECURE 2.0 Act and the applicable regulations from December 31, 2026 to December 31, 2027. This extended deadline applies to IRA plan agreements, employer SEP plan documents and employer SIMPLE IRA plan documents. As stated in the Notice, the amendment deadline has been extended due to stakeholders communicating the need for additional time in absence of model language. The Notice further states that the Treasury Department and the IRS are still developing model language that may be for these amendments.

Lending

FHFA finalizes housing goals for Fannie Mae and Freddie Mac

On December 23, 2025, the Federal Housing Finance Agency (FHFA) published its final rule setting housing goals for Fannie Mae and Freddie Mac ("the enterprises") for the 2026 through 2028 period in the Federal Register.

The FHFA is required by law to set affordable housing goals covering Fannie and Freddie's purchases of single family and multifamily mortgages. The FHFA sets these housing goals every three years, and the goals target the percentage of mortgages serving targeted borrowers and communities that housing government sponsored entities (GSEs) must purchase each year.

FHFA final rule on housing goals (2026–2028)

The FHFA lowered single-family housing benchmarks due to persistent affordability challenges and higher interest rates, which have limited credit access for low-income borrowers. Multifamily benchmarks remain unchanged to ensure stability in rental markets. Public feedback regarding the rule was mixed with consumer advocates expressing concern about reduced access, and industry groups supporting simplification and predictability.

Key changes implemented by the final rule include reduced targets for low- and very-low-income home purchases and refinances, a new consolidated subgoal for low-income areas and continued compliance monitoring. Institutions are advised to adjust lending strategies, affordable housing programs and risk management to align with these updated benchmarks. For lenders, this means adjusting product offerings, pricing strategies and outreach programs to maintain competitiveness and meet revised benchmarks, while strengthening data tracking and risk management to avoid compliance gaps.

Key provisions

• Revised single-family housing benchmarks
• • Low-Income Home Purchase Goal: 21.0% (down from 25%).
  • Very Low-Income Home Purchase Goal: 3.5% (down from 6.0%).
  • Low-Income Refinance Goal: 21.0% (down from 26.0%).
  • Low-Income Areas Home Purchase Subgoal: 16.0% (new consolidated subgoal).
  • Removed temporary measurement buffers for simplification.
• Multifamily housing benchmarks (unchanged)
• • Low-Income Goal: 61.0%.
  • Very Low-Income Goal: 14.0%.
  • Small Multifamily Low-Income Subgoal: 2.0%.
• Civil money penalties
• • Inflation adjustments apply to penalties under section 1345 of the Safety and Soundness Act.
• Compliance process
• • FHFA will issue notices only if goals are not met.

Guidance for institutions

• Review benchmarks & lending strategy: Align products and underwriting standards with the new housing goals.
• Update affordable housing programs: Enhance outreach and partnerships to support low-income borrowers.
• Strengthen data tracking: Improve monitoring and reporting systems to ensure compliance.
• Assess pipeline & pricing: Adjust rate sheets and execution strategies to reflect revised benchmarks.
• Evaluate risk & capital impact: Model profitability and capital planning under the new goals.

Updates to Adverse Action Notice

Effective January 2026, the Adverse Action Notice was updated to remain compliant with state and federal rules and regulations.

First, Arkansas Senate Bill 240 amended the Credit Reporting Disclosure Act of 1989 to remove the requirement to supply the borrower’s social security number on the Adverse Action Notice.

Additionally, the Connecticut Department of Banking has moved and has a new address. The new address is 280 Trumbull Street, 16th Floor, Hartford, CT 06103. The purpose of the address is to allow the consumer/applicant the ability to file a complaint if they believe that they were a victim of unfair discrimination. This disclosure applies only to state-chartered credit unions in Connecticut.

The address in the Connecticut state disclosure on the Adverse Action Notice was updated, and the new document was sent to affected credit unions.

If there are any concerns about the changes made, please do not hesitate to contact us.

NCUA's 2026 supervisory priorities

The National Credit Union Administration (NCUA) released its 2026 supervisory priorities and other updates to the agency's examination program. These priorities focus on areas that pose the highest risk to credit union members, the industry and the National Credit Union Share Insurance Fund. Below are the NCUA's primary areas of supervisory focus in 2026.

Balance sheet management

NCUA's examinations will review lending, sensitivity to market risk and liquidity, and earnings and capital adequacy.

While loan growth has remained moderate over the last two years, delinquency rates have climbed to a 10-year high, prompting the NCUA to prioritize the evaluation of credit union lending and risk-management practices. Consequently, examiners will focus specifically on the robustness of underwriting standards and the effectiveness of credit loss mitigation strategies to ensure institutional stability. Furthermore, persistent high interest rates remain a primary concern as institutions replace low-yield legacy loans with higher-rate assets; this shift has driven up the cost of funds, necessitating a sharper focus on liquidity risk modeling and the robustness of Contingency Plans.

To evaluate earnings and capital adequacy, examiners will scrutinize the balance sheet — including policies, risk limits and capital planning — while utilizing forward-looking stress tests to assess the impact of these rates on asset valuations and borrowing capacity.

Beyond balance sheet management, the following areas have been identified as examiner key focus areas:

Operational risk management

Focus on payment system governance, security frameworks and fraud prevention/detection (including internal controls to guard against insider abuse).

• Examiners will be reviewing payment systems and fraud prevention and detection policy and procedures.
• As the population continues to shift to more efficient methods of payment, NCUA examiners will continue to look at whether credit unions have assessed their risk management system, vendor management system and security frameworks.

Compliance risk management

In 2026, the NCUA is shifting toward a risk-focused and tailored examination of Bank Secrecy Act (BSA) and Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) programs. The primary expectation is that credit unions align resources with their specific risk profiles rather than following a "one-size-fits-all" approach. Additionally, the NCUA has identified the following as critical risk assessment areas:

• Tailored Training: Programs must move beyond generic modules to provide role-specific training that reflects recent legislative developments, such as the GENIUS Act regarding stablecoins.
• Dynamic Risk Assessments: These must serve as "living documents" that accurately reflect current products, services and member transaction profiles.
• Emerging Technology Management: Examiners are beginning to ask about Artificial Intelligence (AI) use, policies and oversight.
• Enhanced Monitoring Systems: Surveillance systems will be reviewed to ensure they are calibrated to detect and escalate suspicious activity within the current threat landscape, particularly involving evolving fraud and digital assets.
• Validated Internal Controls: There will be increased scrutiny on the testing and validation of controls to ensure they effectively mitigate identified illicit financial risks in practice.

These supervisory priorities and other updates can be found here: NCUA's 2026 Supervisory Priorities | NCUA

Colorado Artificial Intelligence Act and its impact on financial institutions

On May 17, 2024, Colorado Governor Jared Polis signed Senate Bill 24‑205 into law. Generally referred to as the Colorado Artificial Intelligence Act (CAIA), this new law amends the Colorado Consumer Protection Act by regulating developers and deployers of "high‑risk artificial intelligence systems" (AI systems) used to make "consequential decisions" affecting consumer transactions.

Financial institutions as "deployers" of high-risk AI systems

Under the CAIA, financial institutions operating in Colorado that use AI to make decisions affecting the availability, cost, or terms of a financial service or loan are considered deployers of high‑risk AI systems and therefore must comply with the CAIA requirements. Specifically, beginning June 30, 2026, financial institutions are subject to the following general requirements:

1. Notice of interaction

Inform consumers when they are interacting with an AI system — whenever it is not obvious to a reasonable person.

2. Standard of care

Exercise reasonable care to protect consumers from algorithmic discrimination, including leveraging recognized risk-management frameworks, the use of which creates a rebuttable presumption of compliance.

3. Risk management program

Implement a written risk‑management policy that:

• Identifies and documents risks of algorithmic discrimination
• Establishes measures to mitigate risks of algorithmic discrimination
• Is reviewed and updated regularly

4. Impact assessments

Conduct an AI impact assessment prior to deploying an AI system and annually thereafter; and with 90 days following any intentional and substantial modification to the AI system. The impact assessments must address:

1. The system's purpose
2. Foreseeable risks of algorithmic discrimination and mitigation measures
3. Categories of data used, including data used for customization
4. Methods for evaluating system performance and identifying limitations
5. Transparency practices and post‑deployment monitoring plans

5. Consumer disclosure requirements

Notify consumers that AI is used to make decisions about their requested financial service or loan. Disclosures must include:

• Institution-contact information
• The nature of the data used
• A plain‑language explanation of the AI system
• Instructions for accessing more information online
• A process allowing the consumer to opt out of AI‑based data processing

6. Adverse action notice

If an adverse decision is made using an AI system, the institution must provide:

1. Principal reasons for the adverse decision
2. Explanation of how the AI contributed to the decision
3. Description and source of data in making the decision
4. Notice of the consumer's right to correct any incorrect personal information
5. Information about the consumer's right to appeal the decision, including a "human review" to the extent technically feasible

7. Summary statement

Publish a statement summarizing the financial institution's use of AI systems, including:

• A description of the types of AI systems deployed
• An explanation of how known or foreseeable risks of algorithmic discrimination are managed
• Nature, source, and extent consumer information is used by the AI system

Factors potentially affecting implementation

While the CAIA takes effect June 30, 2026, its implementation may be impacted by several factors, including:

Attorney General rulemaking

The Act authorizes the Colorado Attorney General to establish rules necessary to administer the law. Future regulations promulgated in the Administrative Code may modify or expand compliance obligations for financial institutions.

Federal preemption considerations

On December 11, 2025, President Trump signed the executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." This order, which specifically references the CAIA, seeks to mitigate the inefficiencies created by a "regulatory patchwork" resulting from disparate state-level legislation, and to streamline AI governance across states. Note, however, that the impact of the order on the CAIA and its implementation has not yet been determined.

Looking ahead

TruStage^® Compliance Solutions will continue monitoring developments related to the Colorado Artificial Intelligence Act and other state and federal initiatives affecting financial institutions and their use of AI technologies.

For questions or assistance, or to learn how TruStage can help navigate the new AI requirements, please contact your TruStage representative.