Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS-regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). The DFS’s Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers (the “Guidance”) specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.

In a significant development for lenders and borrowers alike, on October 6, the U.S. Supreme Court declined to review the Fox decision, leaving unresolved questions about the retroactive application of the Foreclosure Abuse Prevention Act (FAPA). This decision has shifted the focus to the New York State Court of Appeals where oral argument was heard on October 16, and potentially to the U.S. Court of Appeals for the Second Circuit.

On October 10, California Governor Newsom signed Assembly Bill 483 (AB 483) into law, introducing new regulations on early termination fees in fixed term installment contracts. This legislation applies to contracts entered into or modified on or after August 1, 2026, and prohibits the use of termination fees unless specific conditions are met.

Last week, the U.S. District Court for the Northern District of California denied Empower Finance’s motion to compel arbitration in a class action lawsuit concerning its earned wage access (EWA) product, Cash Advance. In Vickery v. Empower Finance, Inc., the court found that Empower’s Cash Advance product was “credit” under the Military Lending Act (MLA), making Empower’s arbitration agreement unenforceable under the MLA, which prohibits arbitration agreements for consumer credit extended to active-duty service members and their dependents.

In an unpublished case, the U.S. Court of Appeals for the Third Circuit held that actions to obtain a judgment and enforce that judgment in a collection lawsuit filed outside the statute of limitations do not create a continuing violation under the Fair Debt Collection Practices Act (FDCPA).

On October 6, Governor Gavin Newsom signed into law the California Combating Auto Retail Scams (CARS) Act. This legislation aims to fortify consumer protections and enhance transparency in the car-buying process. The enactment of this law follows a series of discussions and amendments, as highlighted in our previous blog and podcast, which traced the bill’s evolution and its alignment with the Federal Trade Commission’s (FTC) vacated CARS Rule.

On October 2, the Consumer Financial Protection Bureau (CFPB or Bureau) published a final rule in the Federal Register, officially extending compliance dates for its 2023 small business lending data collection and reporting rule under the Equal Credit Opportunity Act (ECOA) and Regulation B, which implements Section 1071 of the Dodd-Frank Act. The final rule replaces an interim rule released in June 2025 that pushed back compliance deadlines. This extension was issued by the CFPB in response to ongoing litigation by both industry and consumer advocacy groups, as well as court orders, to create a uniform timeline for financial institutions to comply with data collection and reporting requirements for women-owned, minority-owned, and small businesses.