Kim is a partner in the firm’s Privacy + Cyber Practice Group. She is a privacy and data security attorney who assists companies with data breach prevention and response, including establishing effective security programs before a breach occurs and assessing breach response obligations after one.

On January 12, the California Department of Financial Protection and Innovation (DFPI) issued a second invitation for comments on potential regulations under the California Consumer Financial Protection Law (CCFPL) that would require registration and reporting by firms engaged in consumer reporting and related data activities. Comments are due by February 26.

On December 22, the National Credit Union Administration (NCUA) updated its Artificial Intelligence (AI) resource page to consolidate key technical and policy references for federally insured credit unions. The page sits within NCUA’s broader cybersecurity and financial technology resources and is explicitly framed as support for evaluating and performing due diligence on third‑party AI vendors. It links AI oversight back to existing NCUA guidance on third‑party relationships, including 07‑CU‑13 (Evaluating Third Party Relationships) and 01‑CU‑20 (Due Diligence Over Third Party Service Providers).

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Ted Augustinos and Kim Phan to introduce The Money Matrix, an upcoming webinar series helping financial institutions navigate privacy, data security, and AI in today’s complex digital landscape. The teaser highlights strategies to secure financial data, overcome barriers to adopting AI, and stay ahead of regulatory trends. Each session offers practical guidance to help teams like Neo, Trinity, and Morpheus remain innovative, compliant, and trusted. The series explores how financial institutions can balance innovation with data privacy while leveraging AI responsibly.

On December 11, the White House issued an Executive Order (EO) titled Ensuring a National Policy Framework for Artificial Intelligence (AI). The EO states a federal policy to sustain and enhance U.S. AI leadership through a minimally burdensome national policy framework and to limit conflicting state requirements. It directs rapid actions by multiple federal entities to evaluate, challenge, or preempt state AI laws viewed as inconsistent with that policy and to use federal funding and standard-setting to influence state approaches.

In two recent litigation status reports, the Consumer Financial Protection Bureau (CFPB or Bureau) indicated that it is working to issue interim final rules for both Section 1071 and Section 1033 in light of an opinion from the U.S. Department of Justice’s Office of Legal Counsel (OLC) concluding that the Bureau cannot lawfully draw funds from the Federal Reserve Board at this time. Specifically, as discussed here, the OLC concluded that the Federal Reserve System presently has no “combined earnings” from which the CFPB may lawfully draw funds under the Dodd‑Frank Act, and the CFPB has publicly stated it anticipates having sufficient funds to continue normal operations through at least December 31, 2025.

On this episode of FCRA Focus, Kim Phan is joined by Rachel Kelley and Alisha Sears from the Mortgage Bankers Association to discuss the Homebuyers Privacy Protection Act, which amends the Fair Credit Reporting Act to address residential mortgage trigger leads with the goal of curbing abusive calls while preserving meaningful competition. This law now requires both a firm offer of credit and documented consumer authorization, with limited exceptions for current originators, servicers, and depository institutions/credit unions holding an account. They discuss how the law places the primary obligations on consumer reporting agencies, what lenders should expect around consent certifications, the Government Accountability Office study on trigger-leads, and the upcoming effective date.

In this episode of FCRA Focus, co-hosts Dave Gettings and Kim Phan are joined by partner Stefanie Jackman to unpack the Consumer Financial Protection Bureau’s (CFPB) evolving interpretation of Fair Credit Reporting Act (FCRA) preemption. They trace the timeline from the CFPB’s July 2022 interpretive rule, through its withdrawal in May 2025, to the October 2025 confirmation and new guidance embracing a broader view of preemption under 15 U.S.C. § 1681t(b)(1). The team discusses how the CFPB’s latest stance could impact state laws regulating consumer reports beyond “credit” — including medical debt, rental information, and criminal background checks — and why interpretive rules, despite being helpful and persuasive, are not binding on courts. They also explore practical implications for litigation and compliance, the current judicial environment for agency deference, and the ongoing tension between the need for nationwide uniformity and the growing patchwork of state-by-state mini-FCRA laws.

On October 28, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a new interpretive rule replacing its 2022 interpretive rule (withdrawn in May 2025) concerning the scope of preemption under the Fair Credit Reporting Act (FCRA). This new interpretive rule clarifies that the FCRA broadly preempts state laws related to consumer reporting, reinforcing Congress’s intent to establish national standards when information is used to determine a consumer’s eligibility for credit, insurance, employment and the like. This move replaces the previous rule, which was criticized for its potential to create regulatory confusion.

Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The Industry Letter, “Guidance on Managing Risks Related to Third-Party Service Providers” (October 21, 2025), specifically addresses a covered entity’s use of cloud, file transfer, AI, and fintech providers (the “Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . . .” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . . , and promote compliance . . . .” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

In this crossover episode of Payments Pros and The Consumer Finance Podcast, Carlin McCrory is joined by colleague Kim Phan to discuss the Consumer Financial Protection Bureau’s (CFPB) recent developments regarding Section 1033 of the Consumer Financial Protection Act (CFPA). This summer, the CFPB initiated a new rulemaking process, inviting industry comments on its final rule concerning personal financial data rights. With a deadline of October 21 for public comments, industry participants are encouraged to weigh in on access to consumer financial information.