To keep you informed of recent activities, below are several of the most significant federal events that have influenced the Consumer Financial Services industry over the past week.
Federal Activities:
On March 6, the White House released “President Trump’s Cyber Strategy for America,” a doctrine that frames cyberspace as central to U.S. economic and military strength and pledges an aggressive, America‑first posture against state and criminal cyber adversaries, backed by offensive and defensive operations across all instruments of national power. The strategy portrays prior approaches as inadequate and commits to “swift, deliberate, and proactive” action — disrupting foreign hacking networks, protecting critical infrastructure, and countering authoritarian surveillance technologies — while rolling back what it calls burdensome, ineffective regulations to enable rapid private‑sector innovation. Organized around six policy pillars, it aims to (1) shape adversary behavior through persistent operations and real consequences; (2) promote commonsense, streamlined cyber and data regulation with a strong emphasis on Americans’ privacy; (3) modernize and secure federal networks using zero‑trust, cloud, post‑quantum cryptography, and artificial intelligence (AI)‑enabled defenses; (4) harden critical infrastructure and supply chains, reducing reliance on adversary vendors; (5) sustain U.S. superiority in critical and emerging technologies, including AI, quantum, and blockchain, while protecting the AI “stack” from hostile platforms; and (6) build a robust national cyber workforce by breaking down barriers among government, industry, academia, and the military, underscoring that defending American freedom and prosperity in cyberspace is a shared national endeavor. For more information, click here.
On March 6, a federal judge in Manhattan dismissed a civil lawsuit brought by 535 plaintiffs seeking to hold Binance, the world’s largest cryptocurrency exchange, and its founder Changpeng “CZ” Zhao liable for transactions that allegedly enabled terrorist groups to carry out 64 attacks worldwide, finding the plaintiffs had not plausibly alleged that Binance or Zhao “culpably associated themselves” with the attacks, participated in them, or acted to ensure their success. For more information, click here.
On March 6, European Central Bank Executive Board member Piero Cipollone briefed the European Banking Federation Executive Committee on the status and next steps of the digital euro project, explaining that following the 2021–2023 investigation phase, the Eurosystem has since November 2025 moved into a preparation phase focused on advancing technical readiness, deepening market engagement, and launching a pilot in which a limited number of payment service providers, merchants, and Eurosystem staff will test four core use cases. He emphasized that the design aims to preserve banks’ customer relationships and prevent disintermediation by distributing the digital euro through supervised intermediaries, embedding robust safeguards such as holding limits, nonremunerated balances, reverse waterfall functionality, and a prohibition on business holdings, and establishing a “fair compensation” model in which banks are paid for distribution and benefit from scheme and settlement cost savings. Cipollone also highlighted the goal of creating synergies via a standardized acceptance network and co‑badging so that the digital euro can be seamlessly integrated into existing payment infrastructures and private-sector solutions, providing a pan‑euro-area public payment “rail” that supports innovation while maintaining financial stability and monetary sovereignty. For more information, click here.
On March 5, the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board, and Office of the Comptroller of the Currency (OCC) (collectively, the agencies) jointly issued FAQs clarifying how tokenized securities are treated under the federal regulatory capital rules. “Tokenized” securities are instruments whose ownership rights are recorded using distributed ledger technology (DLT), rather than traditional systems such as central securities depositories. The agencies make clear that, where a tokenized security confers legal rights identical to its nontokenized counterpart, it should generally receive the same capital treatment as the traditional form of the security. The capital framework, in other words, is technology-neutral. Using DLT to issue or settle a security does not, by itself, change its risk-based capital treatment, including for derivatives referencing those securities. For more information, click here.
On March 4, Payward Financial’s Wyoming Special Purpose Depository Institution (SPDI), Kraken Financial, received a master account from the Federal Reserve Bank of Kansas City, giving it direct access to the Federal Reserve’s core payment infrastructure. The approval, initially for a one-year term, allows Kraken Financial to connect directly to Fedwire and other Fed payment rails, a capability traditionally limited to insured financial institutions. As a general matter, digital assets, fintech, and other firms that are not FDIC-insured have generally depended on correspondent banking relationships to move fiat funds over these payment rails. The Federal Reserve’s authorization is structured as a limited-purpose master account, with conditions and restrictions tailored to its business model and risk profile. For more information, click here.
On March 3, the OCC issued two final rules aimed at reducing regulatory burden for community banks by tailoring supervision and allowing institutions to focus more on core lending and support for local economies. The first rule rescinds the Fair Housing Home Loan Data System regulation, eliminating obsolete and largely duplicative home loan application data requirements that applied only to national banks without materially affecting the OCC’s ability to conduct fair housing supervision. The second rule simplifies licensing requirements for corporate activities and transactions, broadening eligibility for expedited or reduced filing procedures for community banks, thereby lowering compliance costs and streamlining corporate approvals for these institutions. For more information, click here.
On March 3, at the Milken Institute’s Future of Finance conference in Washington, D.C., U.S. Securities and Exchange Commission (SEC) Chairman Paul Atkins and Commodity Futures Trading Commission (CFTC) Chairman Michael Selig used the opening plenary on “Modernizing Market Regulation” to outline a joint agenda to update U.S. market rules for digital assets, decentralized finance, and other emerging technologies while reinvigorating capital formation and reducing duplicative oversight. Atkins described a “new day” at the SEC, emphasizing withdrawal of registration-based crypto enforcement actions, broader use of exemptive and advisory tools, a clearer division of jurisdiction between tokenized securities and digital commodities under “Project Crypto,” and the need for congressional statutory clarity in a post-Loper Bright world. He also highlighted efforts to “make IPOs great again” by streamlining disclosure, curbing vexatious securities litigation, and refocusing corporate governance on economic rather than social agendas. Selig detailed parallel CFTC initiatives to develop a clear taxonomy for digital assets, bring perpetual crypto futures and on-chain markets back onshore, clarify when wallets and DeFi protocols trigger CFTC rules, and create innovation-friendly exemptions, while both chairs committed to unprecedented SEC-CFTC harmonization through mutual recognition, substituted compliance, shared surveillance, and an end to historic “turf battles.” Selig also defended the CFTC’s assertion of federal authority over prediction markets and event contracts as derivatives distinct from state gambling regimes, arguing that well-regulated U.S. markets are critical to counter disinformation and avoid driving activity offshore, and previewed forthcoming guidance and rulemaking to set clearer standards for these products. For more information, click here.
On March 2, the U.S. Supreme Court denied the petition for certiorari arising from the Consumer Financial Protection Bureau’s (CFPB) enforcement action against CashCall, Inc., WS Funding, LLC, Delbert Services Corporation, and their owner, J. Paul Reddam. The denial leaves in place a Ninth Circuit decision that affirmed a $134,058,600 restitution award and a $33,276,264 civil money penalty based on allegations that defendants collected interest and fees on loans that were void or uncollectible under borrowers’ state laws. After a 2017 trial, the district court initially imposed only a $10.28 million penalty and denied restitution, but on appeal the Ninth Circuit affirmed liability while vacating and remanding the remedies. In February 2023, the district court awarded restitution calculated on a net-revenues basis and increased the penalty. CashCall’s subsequent appeal challenged, among other things, whether a claim for legal restitution triggers the Seventh Amendment right to a jury trial and whether a litigant may validly waive a constitutional right where prevailing circuit precedent forecloses its exercise. The Ninth Circuit rejected those arguments and held that no form of restitution at issue triggered a jury trial right. The Supreme Court’s denial of certiorari leaves that ruling — and the restitution methodology — intact. For more information, click here and here.
In March, the U.S. Department of the Treasury submitted to Congress a report mandated by the GENIUS Act outlining how innovative technologies can be leveraged to counter illicit finance involving digital assets, combining a detailed risk assessment of threats — such as large-scale fraud schemes, cyber thefts, ransomware, sanctions evasion, and abuse of mixers and cross‑chain bridges — with an overview of key vulnerabilities, including regulatory arbitrage, noncompliant digital asset service providers, and identity fraud. The report reaffirms a technology‑neutral, risk‑based application of the BSA/AML framework and sets three overarching policy principles: promote responsible innovation in AML/countering the financing of terrorism (CFT), collaborate with supervisors to ensure examiners support innovation, and coordinate with National Institute of Standards and Technology (NIST) and international bodies on technical standards. It then focuses on four priority tools — AI, digital identity, blockchain monitoring/analytics, and application programming interfaces (APIs) — describing how financial institutions are already using them and adopting concrete steps such as issuing guidance and FAQs, convening public‑private forums, aligning with NIST’s AI Risk Management Framework and Digital Identity Guidelines, promoting interoperable verifiable credentials, enhancing examiner expertise on blockchain analytics, improving information‑sharing (including potential legislative changes and a digital‑asset “hold law”), and fostering standardized, open‑source APIs to reduce barriers for smaller institutions. Finally, the report addresses decentralized finance (DeFi), recommending that Congress clarify which DeFi actors should bear AML/CFT obligations, consider a new special measure under § 311 for certain digital asset transmittals, and potentially create digital‑asset‑specific financial institution categories under the BSA, so that innovation in stablecoins and digital assets can proceed while more effectively mitigating illicit finance risks. For more information, click here.
On February 27, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an exemptive relief order related to its Geographic Targeting Order (GTO) that imposes recordkeeping and reporting requirements on certain financial institutions in Minnesota, temporarily tailoring the scope and timing of compliance for banks. The order, which supports a broader Treasury initiative to combat large-scale government benefits fraud in Minnesota tied to international laundering of fraudulently obtained funds, exempts covered banks from the GTO requirement to report funds transfers where the originator falls within specified categories in 31 C.F.R. §§ 1010.230(e)(2)(i)-(xvi). It also grants covered banks until May 13, 2026, to begin recording and reporting certain additional information for account holder customers that is not already required under 31 C.F.R. § 1020.410(a)(1)–(2), while leaving in place the GTO’s core requirement that banks and money transmitters in Hennepin and Ramsey counties report qualifying international funds transfers of $3,000 or more through August 10, 2026. For more information, click here.
On February 26, FDIC Chairman Travis Hill testified before the Senate Banking Committee at a hearing titled “Update from the Prudential Regulators: Rightsizing Regulation to Promote American Opportunity,” outlining the FDIC’s efforts over the past year to make supervision less process-driven and more focused on core financial risks (including a proposed interagency definition of “unsafe or unsound” practices, creation of an independent Office of Supervisory Appeals, review of the CAMELS rating system, streamlined and less frequent exams for well-rated smaller banks, and greater tailoring of continuous examinations), while also revising capital, resolution, and policy frameworks to better support growth and financial stability. Hill highlighted capital initiatives such as recalibrating the enhanced supplementary leverage ratio, proposed changes to the community bank leverage ratio, and ongoing Basel implementation; resolution reforms including more targeted resolution plans, enhanced failed-bank marketing (with increased nonbank participation), and operational improvements to least-cost analyses and contract readiness; and adjustments to BSA/AML oversight emphasizing outcomes over technical compliance and expanding customer identification program (CIP) flexibility to support bank-fintech partnerships. He also described actions to rescind restrictive leveraged lending guidance, roll back and modernize merger and branching policies, encourage de novo bank formation, revert to the pre-2023 Community Reinvestment Act framework, simplify digital signage rules, and respond to a presidential directive on “debanking” by proposing to bar use of reputational risk and political or social views as a basis for supervisory criticism. In digital assets, Hill detailed rescission of prior constraints on bank crypto activities, the FDIC’s new role under the GENIUS Act in supervising insured depository institution stablecoin issuers (including a proposed application framework and forthcoming prudential standards), and work on guidance for tokenized deposits, while also noting the FDIC’s withdrawal from climate-focused supervisory initiatives, elimination of disparate impact from fair lending exams, interagency work on payment fraud, and a broad internal effort to improve workplace culture, accountability, and employee protections. For more information, click here.
On February 25, U.S. Senate Banking Committee Ranking Member Elizabeth Warren and several Senate Democrats sent letters to OCC Comptroller Jonathan Gould, FDIC Chairman Travis Hill, and National Credit Union Administration (NCUA) Chairman Kyle Hauptman criticizing their agencies’ removal of disparate impact references from supervisory materials and warning that eliminating disparate impact analysis would weaken longstanding civil rights safeguards and make it easier for banks, credit unions, mortgage originators, and other lenders to discriminate against borrowers on the basis of protected characteristics such as race and gender. The senators urged the regulators to immediately reinstate disparate impact analysis so examiners can fully detect and address discrimination in financial services and requested a briefing on efforts to do so by March 11, 2026. For more information, click here.
On February 25, the Congressional Research Service issued an In Focus report examining how banks manage customer information in bank–fintech partnerships under the BSA/AML and CIP requirements, the Gramm-Leach-Bliley Act’s (GLBA) privacy and safeguarding standards, and the Bank Service Company Act’s third-party oversight framework, highlighting potential tensions and regulatory gaps as banking increasingly occurs through “banking as a service” models and other digital interfaces. The report explains that while banks must collect and verify core identity data under CIP, protect nonpublic personal information, and oversee fintech partners, fintechs themselves are not always explicitly covered, and evolving open banking rules now extend GLBA safeguard obligations to certain authorized third parties. It notes recent 2025 interagency exemptions allowing banks to obtain tax identification numbers from trusted third-party sources rather than directly from customers, reflecting a shift toward technology-enabled identity verification. The analysis flags key policy questions about remote onboarding, the security of data transmitted through fintech apps, regulators’ ability to examine partnership operations, and a possible gap in GLBA’s privacy regime because its protections apply to “customers” (with ongoing relationships) rather than “consumers” in the onboarding process — potentially leaving individuals who enter the banking system via fintech channels more vulnerable to misuse or exposure of sensitive data. For more information, click here.
On February 25, the Federal Reserve Bank of Kansas City’s Payments System Research Briefing reported that newly released 2023 data show card-present fraud rates for non-prepaid debit cards have declined on dual-message networks but risen on single-message networks, reversing earlier patterns, while card-not-present fraud rates continued to increase on both network types and now exceed those observed in regions like Australia and the European Economic Area. Counterfeit and lost-or-stolen trends diverged across networks, yet overall card-present fraud remains significantly higher on dual-message networks, and even the lower single-message rates are elevated by international standards. The allocation of fraud losses shifted as well. For card-present transactions, declining fraud on dual-message networks reduced losses for issuers and merchants but not for cardholders, whose losses kept rising, while increases on single-message networks raised loss rates for all three parties. For card-not-present transactions, higher fraud on dual-message and especially single-message networks increased loss rates most sharply for merchants but also for issuers and cardholders, underscoring a clear, ongoing upward trajectory in cardholder fraud loss rates and motivating further research into which consumers — particularly those who are financially vulnerable — are most at risk and why. For more information, click here.
State Activities:
On March 3, Wisconsin Attorney General (AG) Josh Kaul joined a coalition of 24 AGs and two governors in submitting a comment letter opposing a U.S. Department of Education proposed rule under the One Big Beautiful Bill Act (H.R. 1) that would cap federal student loans for graduate students in nursing, physician assistance, physical therapy, and other health fields by treating Congress’s illustrative list of 10 “professional degree” examples (plus clinical psychology) as an exclusive list eligible for higher loan limits. The coalition argues that this approach unlawfully contradicts Congress’s broad definition of “professional degree,” which was intended to encompass any degree signifying completion of the academic requirements to begin practice in a profession beyond the bachelor’s level, and that freezing a 1950s-era list ignores modern health professions and the emergence of graduate programs in nursing, physician assistance, and physical therapy. The letter contends that the rule would needlessly undermine the health care workforce, particularly in states already facing shortages, by restricting students’ ability to borrow enough to complete these programs, and urges the department to abandon its narrow definition and adopt a broader one consistent with congressional intent and the contemporary health care labor market. For more information, click here.
On March 3, the New York State Department of Financial Services issued an industry letter to chief information security officers of regulated entities warning of heightened cyber risks stemming from ongoing global conflicts, noting that while no specific coordinated campaign against the financial sector has been observed, firms must ensure their cybersecurity risk management aligns with the current threat environment and fully complies with 23 NYCRR Part 500. The department urges entities to promptly identify and remediate known vulnerabilities (including by monitoring the Known Exploited Vulnerabilities Catalog), prepare for disruptive and destructive incidents by testing operational resilience and recovery of critical systems and nonpublic information, and review personnel and customer communication plans for prolonged outages. It further highlights the need to enhance monitoring for suspicious activity, enforce least-privilege access for users and service accounts, protect against code injection through restricted and validated inputs, secure system and authentication configurations, and closely monitor financial and virtual currency transactions for sanctions and anti-money laundering compliance, stressing that these are best practices rather than new requirements and that entities should take additional steps tailored to their specific cyber risk profiles. For more information, click here.
On February 26, the New York City Department of Consumer and Worker Protection (NYC DCWP) adopted a comprehensive set of amendments to its debt collection rules, effective September 1, 2026. The final rule clarifies that New York City’s consumer protection framework applies not only to traditional third‑party debt collectors and debt buyers, but also to original creditors once they engage in defined “debt collection procedures.” It also tightens limits on collection communications, expands validation and verification obligations, and adds targeted protections for medical and time‑barred debt. NYC DCWP will withdraw its prior August 2024 Notice of Adoption and treat this new rule as the governing framework going forward. For more information, click here.
On February 25, Connecticut AG William Tong released a memorandum to Connecticut officials, agencies, and the public outlining how existing state laws — including civil rights, privacy and data security statutes, the Connecticut Unfair Trade Practices Act, and antitrust laws — apply to the development and use of AI to protect residents. The memorandum highlights both the opportunities and serious risks posed by AI, citing harms such as nonconsensual sexual abuse imagery, discrimination, bias, disinformation, and adverse decisions in areas like housing, employment, credit, insurance, and targeted advertising, and stresses the importance of transparency about how consumer data is used to train AI tools. It provides guidance to consumers on their rights and to businesses on their obligations to responsibly administer AI systems, reiterates the Office of the AG’s commitment to enforcing existing laws against those who misuse algorithms and evolving technology, and notes the need for ongoing legislative and enforcement efforts to safeguard Connecticut families, while inviting consumers and businesses who believe they have been harmed by unlawful AI use to file complaints with the office. For more information, click here.
On February 24, the Texas Banking Commissioner issued a consent order against GPD Holdings LLC dba CoinFlip, an Illinois-based fintech operating virtual currency kiosks and an online platform, finding that through its merged affiliate CF Preferred LLC and its “Order Desk” platform it conducted unlicensed money transmission in Texas by selling stablecoins between February 13, 2024, and October 2025 in violation of Chapter 152 of the Texas Finance Code, notwithstanding a prior July 19, 2023 consent order addressing similar unlicensed activity. Without admitting or denying the findings, CoinFlip waived its hearing and appeal rights, agreed that the Commissioner had concluded it was not licensed, exempt, or an authorized delegate, and acknowledged that violations of the order could lead to further enforcement. The order requires CoinFlip to pay an administrative penalty of $40,839.75 within 30 days, to continue making a good-faith effort to obtain a Texas money transmission license, and to refrain from further unlicensed money transmission until licensed, while preserving the Department’s authority to pursue additional actions for any other violations. For more information, click here.
On February 20, the Washington State Department of Financial Institutions (DFI) issued a consent order against Luminate Home Loans, Inc. requiring the company to pay a $100,000 fine (with $50,000 stayed through February 20, 2031 contingent on full compliance), an investigation fee of $2,522.31, and to cease participating in the mortgage broker or consumer loan industry in Washington and not apply for any DFI license until February 20, 2031. Under the order, Luminate voluntarily surrendered its consumer loan license, agreed to cease and desist from violating the Consumer Loan Act, related rules, and applicable federal laws, admitted to the allegations in Section One of the Statement of Charges as they pertain to the company (including violations tied to unlicensed personnel, prior orders, and documentation and disclosure failures), and acknowledged that noncompliance could lead to additional legal action and imposition of the stayed portion of the fine. For more information, click here.
On February 10, the Connecticut Banking Commissioner issued a final Order to Cease and Desist and Order Imposing Civil Penalty against Zions Debt Holdings, LLC, and its control persons Christopher Thayne Carter and Brian Scott Fuller, after they failed to request a hearing on a 2025 temporary order, thereby deeming the allegations admitted. The Commissioner found that Zions acted as an unlicensed consumer collection agency in Connecticut, used harassing and abusive email communications, employed false and deceptive representations while holding itself out as a licensed collection agency, violated a 2024 Consent Order, and failed to establish and maintain adequate compliance policies and procedures, all in violation of multiple provisions of the Connecticut General Statutes and regulations governing consumer collection agencies. The order requires Zions to cease and desist from further violations, imposes a $100,000 civil penalty on Zions and $20,000 civil penalties on each of Carter and Fuller, and confirms that a prior Order to Make Restitution against Zions remains in effect and became permanent in October 2025. For more information, click here.