Compliance Solutions quarterly newsletter — December 2025
General
- A holiday message from TruStage™ Compliance Solutions
- Introducing Compliance Hub Alerts
- New California Consumer Privacy Act requirements to take effect starting in 2026
Deposit
- State rulemaking targets overdraft and NSF fees and related practices
- Are SECURE Act IRA amendments actually coming… eventually?
Lending
General
A holiday message from TruStage Compliance Solutions
As 2025 comes to a close, we would like to take a moment to thank you for being a valued client and partner to TruStage Compliance Solutions. We look forward to our continued relationship in 2026. Wishing you a safe and happy holiday season!
Introducing Compliance Hub Alerts
Compliance Hub Alerts, a new TruStage product, directly notifies you through email of new or changed laws that may impact your business operations. With Compliance Hub Alerts, we do the heavy lifting for you by monitoring the ever-changing regulatory landscape, which includes tracking ~17,000 laws, ~900 pieces of pending legislation, ~250 keywords and phrases, Federal Register notices, pertinent case law and other industry updates and guidance¹. Does your team only want to track laws for specific states and federal agencies to reduce the noise? This web-based application has multiple layers of filtering so you can tailor alerts to those that apply to your institution.
Compliance Hub Alerts gives your compliance teams access to:
- Plain language summary description of the regulatory changes.
- Description of its impact to financial institutions and guidance or recommendations that should be considered when implementing the changes within business operations and lines of business.
- Sample templates for customer or member notices that are required by a law.
- Access to the specific legal references and the source material that correlates with the changes.
- An "at-a-glance" dashboard for use by compliance teams, stakeholders and others within your financial institution to provide information on what is being tracked, who is responsible for its undertaking, action items that need to be implemented and action items that have been completed.
- Reporting and auditing capabilities that provide a report of alerts posted on a selected date or within a timeframe.
Compliance teams can also manage alerts for successful execution of the regulatory requirements by:
- Designating an alert to a specific team member
- Assigning action items to successfully implement the law to a specific team member and assigning a due date for completion
- Including your institution's analysis or findings about the law in an alert
- Adding an optional status regarding the team's progress on execution
- Providing a completion due date to meet regulatory effective dates
Compliance Hub Alerts replaces your manual tracking mechanisms and devotes your institution's time to proactive, not reactive, compliance.
For more information or to request a demo, please reach out to us.
New California Consumer Privacy Act requirements to take effect starting in 2026
In September, the California Privacy Protection Agency², recently rebranded to CalPrivacy, announced that the California Office of Administrative Law approved the final text of its second rulemaking package under the California Consumer Privacy Act (CCPA). The regulations introduce new requirements for risk assessments, automated decision-making technology (ADMT) and annual cybersecurity audits. The regulations go into effect January 1, 2026, with phased compliance deadlines through 2030.
Mandatory risk assessments
Covered institutions must conduct risk assessments before engaging in data processing that regulators define as presenting "significant risk." This includes selling or sharing personal information (including for targeted advertising), processing sensitive personal data (such as account numbers, card details or precise location), using ADMT for significant decisions, profiling individuals in sensitive contexts or training AI systems for those purposes. Assessments must document the purpose of the activity, categories of personal information collected, retention periods, potential benefits and harms and safeguards to mitigate risks. Institutions must review assessments every three years or sooner if material changes occur. Beginning April 1, 2028, institutions must annually report the number of assessments conducted and certify compliance to CalPrivacy. Institutions subject to risk assessment requirements must begin compliance by January 1, 2026.
Cybersecurity audits
The regulations require annual, evidence-based cybersecurity audits for businesses meeting certain thresholds. These audits must evaluate technical and nontechnical safeguards across 18 control areas, including authentication, encryption, access management, incident response and third-party oversight. Reports must document weaknesses, corrective actions and timelines. Institutions must maintain records for five years and annually certify completion of the audit to CalPrivacy. Compliance deadlines for this requirement range from April 1, 2028, for institutions that make over $100 million, April 1, 2029, for institutions that make between $50 million and $100 million, and April 1, 2030, for institutions that make less than $50 million.
ADMT disclosures
Starting January 1, 2027, institutions that use automated decision-making technology (ADMT) to make significant decisions (such as those affecting financial services) must provide clear disclosures and in some cases offer consumers the right to opt out or to appeal for human review. Although the regulations avoid the term "artificial intelligence," they directly affect AI-related practices through expanded risk and audit obligations.
Pre-use notices must describe the purpose of ADMT, the logic behind outputs, categories of personal information used and consumers' rights. Consumers may also request explanations about how ADMT processed their data for specific outcomes. Institutions using vendor-provided ADMT must obtain detailed information from vendors to meet these requirements.
Other notable disclosure changes
Previously, a California privacy policy had to identify, for each category of personal information disclosed to a service provider or contractor for a business purpose in the preceding 12 months, the categories of third parties to whom that personal information was disclosed. This is no longer a required disclosure.
Deposit
State rulemaking targets overdraft and NSF fees and related practices
As we shared earlier this year, President Trump signed a Congressional Review Act resolution into law, thereby overturning the Consumer Financial Protection Bureau's (CFPB's) overdraft rule which was slated to take effect in October 2025. The rule would have established limitations on overdraft fees assessed by financial institutions with at least $10 billion in assets. Even though the CFPB's rule was nullified, rulemaking activity in California and New York may signal a broader trend in attempting to combat overdraft and nonsufficient funds (NSF) fees and related practices at the state level.
California
Beginning January 1, 2026, state-chartered credit unions are prohibited from charging overdraft or nonsufficient funds (NSF) fees that exceed $14, or the fee amount set by the Consumer Financial Protection Bureau ("CFPB"), whichever is lower. Since the CFPB's overdraft rule has been overturned, the $14 fee cap will apply to state-chartered credit unions regardless of their size.
This is the second of the two key provisions of Senate Bill 1075 (SB 1075) to take effect. SB 1075's notice provision took effect on January 1, 2025. State-chartered credit unions are required to provide member notices each time an overdraft or NSF fee is assessed. Notices must be sent via a communication channel designated by the member on the same day the fee-generating transaction occurs (or next business day if the same day is not feasible) and include specific information prescribed by the rule.
Assembly Bill 2017 (AB 2017) also took effect January 1, 2025. It prohibits state-chartered banks and credit unions from charging NSF fees when a consumer's attempt to initiate a transaction is declined instantaneously or near instantaneously due to nonsufficient funds.
New York
In January 2025, the New York State Department of Financial Services (NYDFS) released pre-proposed amendments to Title 3 of the New York Codes, Rules and Regulations ("3 NYCRR"), Parts 6 and 32, for review and comment before being formally proposed. The amendments are intended to eliminate what the NYDFS refers to as "exploitative and deceptive banking fees," cap overdraft fees, strengthen customer communications and establish stricter transaction processing requirements. Specifically, the amendments would prohibit state-chartered banking organizations from:
- Charging overdraft fees on overdrafts of less than $20.
- Charging overdraft fees that exceed the overdrawn amount.
- Charging more than three overdraft or NSF fees per consumer account per day.
- Charging NSF fees for instantaneously declined electronic transactions.
- Charging multiple NSF or overdraft fees for the same transaction, including when a merchant resubmits a declined transaction.
- Charging a "sustained," "continuous" or "daily" fee for each day an overdraft balance is not repaid.
- Charging double fees to cover an overdraft, such as one fee for automatically transferring funds from another account and a second fee for the overdraft itself.
- Processing electronic debit transactions in a manner intended to maximize the number of overdraft and NSF fees.
- Charging an overdraft fee for an electronic transaction when the consumer's account indicates sufficient funds at the time the transaction was initiated (commonly referred to as an "authorize positive, settle negative" or "APSN" transaction).
In May 2025, the NYDFS announced that legislation signed by Governor Kathleen Hochul as part of the FY26 Enacted Budget would, in part, protect New York consumers by cracking down on exploitive overdraft fees. To date, however, the proposed amendments to 3 NYCRR Parts 6 and 32 have not yet been finalized.
We will continue to monitor further rulemaking activity.
Are SECURE Act IRA amendments actually coming… eventually?
As financial institutions continue preparing for the ever-evolving regulatory landscape, the long-anticipated IRA document amendments tied to the SECURE Act and SECURE Act 2.0 remain one of the industry's biggest "hurry up and wait" scenarios. The IRS has previously announced in Notice 2024-2³ that required amendments would not be mandated until December of 2026, at the earliest, which at the time felt both reassuringly distant and suspiciously optimistic, but now as we look to begin 2026, questions remain.
In the meantime, institutions are left balancing proactive preparation with the reality that specifications may continue to shift. The SECURE Act and SECURE 2.0 introduced significant changes from updated required minimum distribution (RMD) ages to new beneficiary distribution rules, but the absence of finalized amendment requirements has created a compliance limbo familiar to anyone who has ever implemented federal guidance before it's actually finalized. While it's wise for institutions to stay informed and assess internal processes now, there's also an industry-wide, unspoken acknowledgment: we may be doing this dance for a while.
Will the required IRA amendments and new model forms actually land in 2026? Or will the IRS gift us with another extension? Only time will tell. For now, we continue monitoring developments while keeping one eye on the clock and the other on the IRS website and maintaining a blend of patience and preparedness.
Lending
House of Representatives introduces H.R. 5484
On September 18, 2025, the House of Representatives introduced H.R. 5484, the National Flood Insurance Program (NFIP) Reauthorization and Reform Act of 2025.
As of September 30, 2025, the NFIP has lapsed, and one of the many provisions of H.R. 5484 is to extend the NFIP through September 30, 2030. This bill will provide changes to improve the cost of flood insurance, update outdated maps and improve the program's financial sustainability.
Key provisions of the bill include:
- Reauthorization and affordability
  - Caps annual premium increases at 9%.
  - Introduces means-tested assistance for low- and moderate-income households.
  - Allows monthly installment payments with an optional annual fee up to $15.
  - Mandates studies on business interruption coverage and participation rates.
  - Adjusts coverage limits based on mortgage thresholds.
  - Clarifies the Write Your Own (WYO) program structure.
- Mitigation and mapping
  - Funds mitigation for high-risk properties.
  - Expands compliance coverage and mitigation grants up to $120,000 per property.
  - Supports urban mitigation and mapping modernization.
  - Establishes a Community Rating System Regional Coordinator.
  - Creates a mitigation loan program and revolving loan funds.
  - Enhances appeals processes for flood maps and premium rates.
  - Recognizes levee-protected areas and community-wide mitigation efforts.
  - Requires a premium calculator tool and public disclosure of mitigation credits.
- Solvency and transparency
  - Suspends interest payments on NFIP debt for 5 years.
  - Caps WYO company compensation at 22.46% of premiums.
  - Requires transparency in third-party service provider costs.
- Policyholder protection and fairness
  - Introduces a 90-day grace period for renewing lapsed policies.
  - Improves standards for engineer reports and claim processing.
  - Enhances training for floodplain managers and agents.
  - Strengthens policyholder rights, including appeals and disclosures.
  - Establishes an Agent Advisory Council.
  - Requires flood risk disclosure prior to property transfers.
TruStage Compliance Solutions will continue to monitor the movement of this bill.
View the full text of H.R. 5484.⁴
Section 1071 rule reimagined
The CFPB has proposed revisions to the Section 1071 Small Business Loan Data Collection Rule, informally known as the "Section 1071 rule." The CFPB contends these proposed changes will streamline the rule, reduce complexity, improve data quality and comply with recent executive directives. The CFPB further explains that a more modest approach focusing on core lending products, lenders and data collection will ensure the quality of the data collected and limit disruption to small businesses and their ability to obtain credit. Precedent for an incremental approach is being taken from the gradual development of data collection under the Home Mortgage Disclosure Act (HMDA) and Regulation C.
The proposed changes include:
- The definition of covered credit transaction would exclude merchant cash advances (MCAs), agricultural lending and small dollar loans to focus on the core lending products of small businesses like loans, lines of credit and credit cards.
- The definition of covered financial institution would exclude Farm Credit System (FCS) lenders and increase the origination threshold of covered transactions from 100 to 1,000 for each of two consecutive years to focus on larger core lenders. Removal of FCS lenders would avoid imposing requirements on specialized lenders that are subject to other regulatory reporting requirements. The change to the covered transactions threshold reflects evaluation of stakeholder comments, a focus on larger core lenders and alignment with executive directives to review regulations for regulatory burden.
- The definition of small business would change the gross annual revenue threshold from $5 million or less to $1 million or less to narrow the scope and focus on true small businesses. The CFPB is proposing to change the gross annual revenue threshold to $1 million or less across industries and is seeking approval from the Small Business Administration (SBA) for this alternate small business size standard.
- Data collection would focus on core data points and align with executive agency directives. The proposed changes remove the discretionary data points for application method, application recipient, denial reasons, pricing information and number of workers.
The proposed rule extends the compliance date to January 1, 2028, for all financial institutions that remain covered by the rule.
Comments on the proposed rule must be submitted on or before December 15, 2025.