If you were hoping for a breather, let me be the first to apologize for your dashed hopes.  From enforcement policy shifts to leadership changes at NY DFS, the regulators have kept things moving. Here’s what credit unions need to know—and how these updates might reshape the compliance landscape heading into Q4.

NCUA Doubles Down on “No Regulation-by-Enforcement” Policy

• Chairman Kyle Hauptman issued a formal policy statement reaffirming that enforcement should focus on “clear and significant violations” of existing law
• The policy reinforces that examination findings should be based on established rules, not examiner interpretation or agency wish lists
• This means no more surprise policy changes buried in enforcement actions; a welcome relief for credit unions tired of regulatory whiplash

Multi-Agency SAR Guidance Gets an FAQ Refresh

• NCUA, FDIC, Federal Reserve, OCC, and FinCEN released updated FAQs on Suspicious Activity Reports and AML/CFT requirements
• The four FAQs clarify requirements relating to structuring, continuing activity reviews, and decisions not to file a SAR

CFPB Extends Small Business Lending Data Compliance Dates

• The CFPB finalized its rule extending Section 1071 compliance dates
• The new timelines are: Tier 1—July 1, 2026, with first filing due July 1, 2027; Tier 2—January 1, 2027, with first filing due June 1, 2028; and Tier 3—October 1, 2027, with first filing due June 1, 2028.
• Lenders are in Tier 1 if they originated at least 2,500 covered loans in the preceding two years, Tier 2 if they originated at least 500 covered loans, and Tier 3 if they originated at least 100 covered loans. 
• Lenders can choose their origination look back period: 2022-2023; 2023-2024; or 2024-2025.

New York Department of Financial Services Gets New Leadership

• On October 18, Superintendent Adrienne Harris steps down after four years leading the department
• Kaitlin Asrow, current Executive Deputy Superintendent of Research & Innovation, becomes Acting Superintendent
• Expect NYDFS to maintain its tech-forward regulatory approach; Asrow’s background in fintech and virtual currency regulation suggests continuity in the department’s innovation initiatives.

Looking Ahead

Keep your calendars marked for October 21, 2025, when the Federal Reserve hosts its “Payments Innovation Conference.” Expect discussions on stablecoin use cases, AI in payments, and the convergence of traditional and decentralized finance. It’s the kind of forward-looking conversation that could signal where regulatory attention heads next. You can see the live broadcast at https://www.federalreserve.gov/default.htm or The Fed’s YouTube channel.

Let’s Make This Useful

I want this blog to be as relevant as possible to the people reading it. So:

• Got a topic you’d like me to break down?
• Burning desire to know more about that headline you read the other day?
• Have an industry-related question you want addressed?

Reach out to me at jeremy.newman@nycua.org. Let’s talk.

Until Next Time

From the big picture to the fine print, we’ve got you covered. Thanks for reading, and CU in the next post.

Happy National Compliance Officer Day to those who celebrate!

Another week, another round of regulatory cliffhangers. With the federal government careening towards a shutdown, flood insurance authorization about to lapse, and the CFPB rolling out an aggressive regulatory agenda, credit unions have plenty on their plates.  Oh, and don’t forget about that little rate cut that got a bit of news.

So, grab that second cup of coffee or chai and let’s break down what’s mattered for your credit union radar over the past couple of weeks.

Potential Federal Government Shutdown

Let’s hope this one stays theoretical and on Wednesday morning we can talk about how Congress passed an appropriations bill in the nick of time. 

Congress has until September 30 to pass appropriations bills for FY2026 or enact a continuing resolution to avoid a government shutdown. The House passed a short-term funding measure, but the Senate rejected it before they headed home for a one-week recess, scheduled to return September 29. 

Non-essential federal operations would halt, furloughing thousands of federal workers nationwide, including many in New York.

As with prior shutdowns, credit unions may serve federal employees through special loan programs, payment flexibility, and financial counseling services. Branches in federal buildings may face access issues.

Essential services and mandatory programs will continue, but regulatory approvals and federal agency disbursements could face delays.

National Flood Insurance Program Authorization Expires September 30, 2025

The NFIP’s authorization expires the same day as the government funding deadline, a double whammy for real estate markets.

During a lapse, borrowers will not be able to purchase new flood insurance contracts, but existing policies remain valid and claims—funds permitting—continue to be paid.

Credit unions must still conduct flood determinations and should provide required disclosures.

CFPB Releases Its Regulatory Agenda

The CFPB unveiled its Spring Unified Agenda with 24 regulatory initiatives. Here are some highlights:

Key Proposed and Pre-Rule Initiatives for Credit Unions:

• Personal Financial Data Rights (Section 1033): Open banking rule under reconsideration after being paused in July 2025.
• Small Business Lending Data Collection (Section 1071): Compliance dates already extended, but further revisions may be coming.
• UDAAP Rulemaking: Potential redefinition of unfair, deceptive, or abusive practices under Section 1031.
• Equal Credit Opportunity (Regulation B): Potential clarification of obligations imposed by the Equal Credit Opportunity Act.
• Mortgage Servicing Streamlining: Final rules expected to ease servicing for borrowers with payment difficulties.
• Fair Credit Reporting (Regulation V): Proposals addressing identity theft and coerced debt.

Wrapping It Up

Between a possible federal government shutdown, flood insurance uncertainty, and some ambitious rulemakings, credit unions have plenty to track before the calendar turns to October.  Add a dash of pumpkin spice and you’ve got a recipe for a Fall full of moving pieces.

Let’s Make This Useful

I want this blog to be as relevant as possible to the people reading it. So:

• Got a topic you’d like me to break down?
• Burning desire to know more about that headline you read the other day?
• Have an industry-related question you want addressed?

Reach out to me at jeremy.newman@nycua.org. Let’s talk.

Until Next Time

From the big picture to the fine print, we’ve got you covered. Thanks for reading, and CU in the next post.

Last week proved compliance news does not run on summer hours. Between the NCUA’s town hall, the CFPB’s ambitious (if blink-and-you-missed-it) rulemaking agenda, new AI guidance from NCUA, and NY DFS cracking down on cybersecurity lapses, the docket is full. Think of this roundup as your compliance espresso shot: strong, focused, and exactly what you need to stay alert.

NCUA Town Hall

The National Credit Union Administration (NCUA) will host a Strategic Plan Town Hall on Tuesday, September 9 from 2-3 p.m. Eastern.  The event invites credit union industry stakeholders to provide input on the NCUA Strategic Plan and the upcoming priorities of the agency.

Here is the link to register: Strategic Plan Town Hall registration – WebEx Enterprise Site

Now You See Me-CFPB Spring 2025 Regulatory Agenda

The CFPB published, and then quickly unpublished, its Spring 2025 Rulemaking Agenda. So, while there is not yet an official version of the Agenda, what we did see is plan with twice as many items as the Fall 2024 Agenda with a paradoxical focus on consumer protection and deregulation.

NCUA Launches AI Resource Webpage for Credit Unions

Following on its discussion of Artificial Intelligence at its July Board meeting, the NCUA unveiled a brand-new webpage packed with AI resources designed specifically for credit unions exploring or expanding AI usage. The hub covers areas like AI implementation, risk management, data security, use cases, and cyber-risk considerations.

The site is meant to guide credit unions through the often tricky terrain of vendor vetting, algorithmic transparency, fair lending safeguards, and privacy protections as you explore or enhance AI risk management practices.

NY DFS Enforces $2 Million Cybersecurity Settlement

The New York Department of Financial Services secured a $2 million settlement via consent order with Healthplex, Inc. for cybersecurity regulation violations, highlighting failures in phishing-resistant multi-factor authentication, risk assessments, and timely breach reporting.

While Healthplex is not a credit union, the message is crystal clear even if the DFS does not directly regulate your institution: regulators continue to focus on cybersecurity vulnerabilities and take an aggressive enforcement approach to compliance. 

Looking Ahead

With enforcement actions highlighting the importance of internal controls and cybersecurity compliance, new resources to help explore AI solutions, this is an excellent time for credit unions to review their risk management programs and ensure robust oversight of both employees and third-party partnerships.

Let’s Make This Useful

I want this blog to be as relevant as possible to the people reading it. So:

• Got a topic you’d like me to break down?
• Burning desire to know more about that headline you read the other day?
• Have an industry-related question you want addressed?

Reach out to me at jeremy.newman@nycua.org. Let’s talk.

Until Next Time

From the big picture to the fine print, we’ve got you covered. Thanks for reading, and CU in the next post.

Well, credit unioners, last week proved that even in the dog days of summer impactful activities never take a vacation. From federal courts shaking up interchange fee structures to state attorneys general taking aim at payment platforms, there’s plenty to keep your teams busy. Let’s dive into some of what happened while you were hopefully enjoying some summer downtime.

In other words, CU throughout the week. (Folks, I’m workshopping puns here. They can’t all be winners.)

Corner Post Strikes Again: Interchange Fee Regulation II Overturned and Stayed

• U.S. District Judge in North Dakota vacated the Federal Reserve’s Regulation II debit card interchange fee cap
• In short, the Court ruled the Fed unlawfully expanded allowable cost categories beyond statutory limits
• The decision is stayed pending appeals to prevent market disruption
• The ruling does not impact the Fed’s separate October 2023 proposal to further lower the cap

“Debanking” Gets the Executive Treatment

• President Trump signed the Guaranteeing Fair Banking for All Americans Executive Order, directing federal agencies, including NCUA and CFPB, to investigate “politicized or unlawful debanking” practices and regulations that could lead to account closures
• Emphasizes risk-based assessments should be “reasonable and apolitical”
• The EO mandates removal of “reputation risk” language from regulatory guidance

CFPB Reverses Course on Open Banking Rule

• CFPB announced it will issue a revised Section 1033 open banking rule rather than withdrawing it entirely as it previously announced
• It plans on an accelerated rulemaking process with advanced notice expected within three weeks
• Original compliance deadlines starting April 1, 2026, for largest institutions remain in flux

New York AG Sues Zelle Over Fraud Failures

• NY Attorney General Letitia James sued Early Warning Services (Zelle’s operator) alleging inadequate security measures enabled over $1 billion in consumer fraud losses between 2017-2023
• The suit alleges EWS prioritized rapid expansion over user security, leading to surge in unauthorized access and deceptive payment schemes
• AG seeks restitution for affected New Yorkers and demands implementation of stronger anti-fraud measures
• This lawsuit follows on the CFPB’s March 2025 dismissal of similar federal lawsuit

Mortgage Trigger Leads Bill Passes Congress

• On August 2nd, the Senate passed H.R. 2808, the Homebuyers Privacy Protection Act, will take effect 180 days after President Trump signs the bill into law, will significantly curtail the consumer offensive practice of mortgage trigger leads.
• Currently, when a consumer applies for a mortgage loan, the fact that they have done so is sold to other creditors by consumer reporting agencies. These other creditors then inundate the consumer with mortgage solicitations via call, text message, and/or e-mail. In many instances, the consumer is furious with their original creditor because they assume the fact that they applied for a mortgage loan was information that was shared by the creditor.
• Under the Act, a creditor will only be able to obtain a mortgage trigger lead from a consumer reporting agency if:
  • The creditor will be making a firm offer of credit to the consumer, and
  • The creditor submits documentation to the consumer reporting agency that it
    • Has authorization from the consumer to obtain his/her consumer report,
    • Originated the consumer’s residential mortgage loan,
    • Services the consumer’s current residential mortgage loan, or
    • Is an insured depository institution that holds a current account for the consumer.

Looking Ahead

Next week, keep an eye on the Federal Reserve’s response to the interchange fee ruling. The CFPB’s promised “accelerated” open banking rulemaking should also provide more clarity on data sharing timelines. And with the NY AG’s Zelle lawsuit making waves, expect increased scrutiny of P2P payment platform partnerships.

Let’s Make This Useful

I want this blog to be as relevant as possible to the people reading it. So:

• Got a topic you’d like me to break down?
• Burning desire to know more about that headline you read the other day?
• Have an industry-related question you want addressed?

Reach out to me at jeremy.newman@nycua.org. Let’s talk.

Until Next Time

From the big picture to the fine print, we’ve got you covered. Thanks for reading, and CU in the next post.