Ballard Spahr
Legal Alert

Mortgage Banking Update - November 20, 2025

November 20, 2025

November 20 – Read the newsletter below for the latest Mortgage Banking and Consumer Finance industry news, written by Ballard Spahr attorneys. In this issue, our lawyers discuss the CFPB’s proposed changes to the Section 1071 Rule, the FDIC’s revised examination schedule, reauthorization of the National Flood Insurance Program included in the government reopening legislation, and much more.

 

Podcast Episode: A New Era for Banking—What President Trump’s Debanking Executive Order and Related State Laws Mean for Financial Institutions, Government, and Banking Customers—Part 2

This podcast features the second part of a recent webinar produced on September 24, 2025, titled, “A New Era for Banking: What President Trump’s Debanking Executive Order and Related State Laws Mean for Financial Institutions, Government, and Banking Customers.”

In Part Two, we discuss the following topics:

  1. What are the areas of uncertainty with respect to the executive order, including:
    • Defining an “unlawful business” or “religion” and why those definitions are important.
    • What regulator or regulators will issue regulations or other guidance?
  2. What is the role of the Small Business Administration (SBA)
  3. Intersection with AML/BSA
  4. Intersection with state debanking statutes and experience of the states
  5. Pending federal legislation
  6. What should financial institutions be doing now to prepare for regulator review?
  7. Is the executive order good or bad policy?
  8. Is there a proven need for the executive order? Is there any empirical evidence of need based on complaints submitted to states with debanking statutes, SBA or other federal banking prudential regulators or is it all anecdotal?

Our presenters, who hold diverse views on the wisdom of the executive order, are:

  • Jason Mikula
    Founder and Publisher, Fintech Business Weekly
    Jason Mikula is an independent fintech and banking advisor, consultant, and investor. He also publishes Fintech Business Weekly, a newsletter analyzing trends in banking and fintech. He opposes the executive order.
  • Brian Knight
    Senior Counsel, Corporate Engagement, Alliance Defending Freedom
    Brian Knight serves as Senior Counsel on the Corporate Engagement Team at Alliance Defending Freedom. His work focuses on issues of financial access, debanking, and preventing the politicization of financial services. He opposes the executive order.
  • Todd Phillips
    Assistant Professor of Law, J. Mack Robinson College of Business, Georgia State University
    Todd Phillips is an assistant professor of law at Georgia State University. His areas of expertise include bank capital and prudential regulation, deposit insurance, and the laws governing federal regulators. He opposes the executive order.
  • Will Hild
    Executive Director, Consumers’ Research
    Will Hild is the Executive Director of Consumers’ Research, the nation’s oldest consumer protection organization. He has led efforts to combat ESG and what he considers “woke capitalism,” including launching the Consumers First campaign. He supports the executive order.
  • Graham Steele
    Assistant Secretary for Financial Institutions, U.S. Department of the Treasury
    Graham Steele serves as the Assistant Secretary for Financial Institutions at the U.S. Department of the Treasury. He is an expert on financial regulation and financial institutions, with over a decade of experience working at the highest levels of law and policy in Washington, D.C. He opposes the executive order.

Alan Kaplinsky, the founder and first practice group leader and now senior counsel of the Consumer Financial Services Group at our firm, moderated the webinar.

We released Part One of this webinar on October 30, 2025.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

Podcast Episode: Fair Lending Developments Under President Trump 2.0—Part 1

This episode marks the first of a two-part series, with Part Two scheduled for release on November 20. In this installment, we examine the sweeping changes in fair lending policy and enforcement under the second Trump administration.

The discussion is moderated by Senior Counsel Alan Kaplinsky, founder and former chair for 25 years of Ballard Spahr’s Consumer Financial Services Group, and features these distinguished experts in the field:

  • Bradley Blower, Founder of Inclusive Partners LLC.
  • John Culhane, Jr., Senior Partner and charter member of Ballard Spahr’s Fair Lending Team.
  • Richard Andreano, Jr., Practice Group Leader for Ballard Spahr’s Mortgage Banking Group and the head of Ballard Spahr’s Fair Lending Team.

Listeners will gain essential insights on how federal agencies are scaling back oversight, phasing out the use of statistical disparities, and disparate impact theory in fair lending cases. The conversation illuminates how redlining investigations are now driven by clearly expressed intent rather than just the numbers, and why states are stepping in as the federal role diminishes. The episode also tackles potential regulatory changes, the move back to the 1995 Community Reinvestment Act rule, and what these shifts mean for institutions and the communities they serve.

In addition, the hosts unpack high-profile cases like Townstone Financial, diving into the ongoing debate about whether discouraging would-be applicants is covered under the Equal Credit Opportunity Act. They also address the intersection of AI and the economy, examining the Trump administration’s focus on rapid innovation over regulatory restrictions and its implications for consumer protection. With actionable information for professionals in consumer financial services, banking, compliance, and advocacy, this episode keeps you informed on the latest policies shaping fair lending in 2025 and beyond.

We encourage listeners to subscribe to the podcast on their preferred platform for weekly insights into developments in the consumer finance industry.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

Alan Kaplinsky Spotlighted on LexBlog’s Real Lawyers Podcast

Alan Kaplinsky, founder and former chair of Ballard Spahr’s Consumer Financial Services Group and founder, and host, of the award-winning Consumer Finance Monitor blog and weekly podcast, recently joined LexBlog’s Real Lawyers podcast hosted by Kevin O’Keefe. This is Alan’s second time on the program, which covers the role of publishing in the legal profession.

This comprehensive conversation opens by discussing the origins of the group’s blog, which launched on the very same day that the CFPB became operational. As an early adopter to blogging, the blog’s success hinged on commitment across the board: Firm leaders, partners, and associates, to ensure that the blog was able to provide valuable, timely content on a consistent basis. Kevin remarked, “there may only be a handful of the blogs on our platform that publish that much, but the ones that do have recognized the…return that they’re receiving.”

When talking about growing an engaged audience Alan remarked that, “You’ve got to look at it as a long-term investment…you’ve got to be patient and you’ve got to understand that you’re building a branding and you’re building something that’s new that…your group hasn’t done before.”

The same thoughts apply when Alan turns the conversation to provide the backstory to the group’s weekly podcast, also called Consumer Finance Monitor. The key to creating an engaging show, according to Alan, is to create a conversational environment with a diverse set of expertise and opinions.

After briefly touching on how the group produces webinars, Alan closes by stressing the importance of leveraging social media platforms such as LinkedIn as tools for thought leadership and seeing all these efforts as a mosaic to help position yourself as a trusted voice within your area of expertise. Summarizing the way that Alan’s foresight helped create a successful media strategy for the group, Kevin said “lawyers that will look at you as a mentor in that capacity that you can look at things differently in the way things have been, are being done by other people.”

Click here to listen to Alan’s full conversation with Kevin. Get the latest posts from the Consumer Finance Monitor blog by subscribing here. Listen to the latest weekly Consumer Finance Monitor Podcast here, or wherever you get your podcasts.

Consumer Financial Services Group

Back to Top

Justice Department Warns That CFPB Is Running Out of Funds to Operate

The CFPB is running out of money and has no legal way to replenish its coffers, absent Congressional appropriation, the Trump administration told a federal court.

The Bureau “anticipates exhausting its currently available funds in early 2026,” the Justice Department told the U.S. District Court for the District of Columbia as part of a lawsuit filed by the National Treasury Employees Union (NTEU).

Under Section 1017 of Dodd Frank, the CFPB is funded from the “combined earnings” of the Federal Reserve System. In the past, the Bureau has requested funds for the agency and the Fed has provided those funds. However, in a November 7 opinion interpreting Section 1017, the DOJ Office of Legal Counsel concluded that since the Federal Reserve System has no combined earnings, no funds are available for the Bureau.

The CFPB has not asked for funds from the Fed during the Trump administration and has been operating on funds it already had.

We and others have made the point that the CFPB cannot be funded, as the Federal Reserve System has no combined earnings and has been running a deficit for quite some time. See our posts, here, and here.

In addition, Professor Hal Scott of Harvard Law School has made that argument on our podcast. To read our blog about Professor Scott’s op-ed in the Wall Street Journal, which includes a link to the op-ed, click here. To read his two articles published on the website of the Committee on Capital Markets Regulation, click here and here.

The administration has long said it wants to shutter the CFPB. Most recently, Acting CFPB Director Russell Vought has said that he wants to close the agency within the next two or three months. That may now happen, with the Bureau running out of funds.

The administration already has attempted to lay off more than 1,400 agency employees.

The NTEU sued the administration, contending that the administration’s plan to lay off those employees amounted to an abolishment of the agency, something only Congress could do.

A divided three-judge panel of the D.C. Circuit had dissolved a lower court injunction blocking the firings, which it said the Trump administration could resume. However, when it dissolved the injunction, the panel withheld the mandate in the case to give the plaintiffs the opportunity to file a petition for a rehearing en banc. The plaintiffs subsequently did so.

DOJ attorneys said in their latest filing that, in light of the Legal Counsel’s opinion, Acting CFPB Director Vought anticipates preparing a report to the President and Congressional appropriations committees identifying the funding needs of the bureau.

“The Bureau does not know whether and the extent to which Congress will appropriate funding to pay the expenses of the Bureau,” the administration said. The Supreme Court found the CFPB’s funding mechanism constitutional, but Congressional Republicans have long said they believe the CFPB should be funded through the appropriations process. But they also have been outspoken critics of the bureau, so it is unclear how they might address the funding issue. Some Republicans have simply said the Bureau should be abolished.

If funding is not provided, the DOJ points out that the Anti-Deficiency Act restricts agencies from operating during a lapse in appropriations.

“The Act generally prohibits agency heads and their employees from making or authorizing expenditures or obligations in excess of or in advance of appropriations unless authorized by law, and from working, even on a voluntary basis, except in very limited circumstances involving ‘emergencies involving the safety of human life or the protection of property,’” according to the DOJ.

“The Bureau acknowledges that this Court’s injunction, which restricts the agency’s conduct regarding employment, contracting, and facilities, among other things, remains in effect,” the DOJ said.

However, the attorneys added, “Defendants do not understand any provision of the Court’s injunction to impose obligations on the agency that would violate the Anti-Deficiency Act.”

Sen. Elizabeth Warren, (D-Mass.), who helped create the Bureau, criticized the administration’s funding argument.

“This absurd maneuver by Russ Vought is plainly illegal, and federal judges have already rejected his fringe theory,” she said. “If the courts continue to uphold the law, Vought will fail again.”

John L. Culhane, Jr., Alan S. Kaplinsky, and Richard J. Andreano, Jr.

Back to Top

CFPB Proposes Changes to Section 1071 Rule

The CFPB is proposing major changes to its final rule that would require financial institutions to report information contained in loan applications submitted by small businesses, including women-owned and minority-owned small businesses.

The rule is better known as the “Section 1071 rule” after the section of the Dodd-Frank Act that required the CFPB to adopt it.

“The CFPB believes in retrospect that the approach it took in the 2023 final rule—a broad initial coverage of lenders, products, small businesses, and data points—was not conducive to the long-term success of the data collection regime under section 1071,” the Bureau said, in the November 13 Federal Register.

“The CFPB now believes that a better, longer-term approach to advance the statutory purposes of section 1071 would be to commence the collection of data with a narrower scope to ensure its quality, and to limit, as much as possible, any disturbance of the provision of credit to small businesses,” the Bureau said. “The CFPB believes that such an incremental approach would also comply with section 1071 and minimize any negative initial impact on small business lending markets and on data quality.”

In the rule, the CFPB proposes to:

  • Exclude merchant cash advances, agricultural lending, and loans of $1,000 or less (with period adjustments for inflation) from the definition of covered credit transaction.
  • Exclude the Farm Credit System lenders from the rule.
  • Increase the covered loan origination threshold to be subject to the rule from 100 to 1,000 covered credit transactions for each of the two preceding calendar years, starting with originations in 2026 and 2027.
  • Change the gross annual revenue threshold in the rule’s definition of small business from $5 million or less to $1 million or less.
  • Remove the LGBTQIA+-owned business data point from the rule.
  • Remove the application method, application recipient, denial reasons, pricing information, and number of workers data points from the rule.
  • Extend the compliance date provisions to January 1, 2028.

Comments must be received on or before December 15, 2025.

We are still assessing the proposal and will provide a more detailed analysis.

Richard J. Andreano, Jr. and John L. Culhane, Jr.

Back to Top

Section 1071 Rule Proposed Amendments—A Deeper Dive

As previously reported, the CFPB is proposing major changes to its 2023 final rule that would require financial institutions to report information contained in loan applications submitted by small businesses, including women-owned and minority-owned small businesses. The rule is better known as the “Section 1071 rule” after the section of the Dodd-Frank Act that required the CFPB to adopt it. Comments must be received by December 15, 2025.

The proposed amendments would reduce the number of financial institutions subject to the rule, the transactions that are covered by the rule, and the data points that must be collected and reported under the rule. Reflecting its overall approach to the proposed revisions, the CFPB states in the preamble to the proposal that it “preliminarily believes that [the] reaction to the 2023 final rule, practically speaking, was in part based on its expansive approach, appearing to seek broad coverage of lenders, products, and information collected. The CFPB does not believe that alignment with the statutory purposes of section 1071 requires the use of its discretionary authority to collect data with such a breadth of scope.” (Footnote omitted.)

Covered Financial Institutions. The 2023 final rule established three tiers of covered financial institutions based on the volume of covered transactions that they engaged in during each of the preceding two calendar years, with three different compliance dates. Based on lawsuits challenging the rule, which we have reported on previously, including herehere, and here, the CFPB has extended the original compliance dates twice. Based on the most recent extension, the compliance dates under the 2023 final rule are as follows:

Compliance Tier Original Compliance Date in the 2023 Final Rule Revised Compliance Date in the 2024 Interim Final Rule New Compliance Date New First Filing Deadline
Tier 1 Lenders October 1, 2024 July 18, 2025 July 1, 2026 June 1, 2027
Tier 2 Lenders April 1, 2025 January 16, 2026 January 1, 2027 June 1, 2028
Tier 3 Lenders January 1, 2026 October 18, 2026 October 1, 2027 June 1, 2028

Under the 2023 final rule as adopted originally, financial institutions are in Tier 1 if they originated at least 2,500 covered transactions in both 2022 and 2023, financial institutions are in Tier 2 if they originated at least 500 covered transactions in both 2022 and 2023 and were not in Tier 1, and financial institutions are in Tier 3 if they originated at least 100 covered transactions in both 2024 and 2025 and were not in Tiers 1 or 2.

The CFPB now proposes to change the three-tier approach to a single-tier approach, with financial institutions being subject to the rule if they originate 1,000 covered credit transactions for each of the two preceding calendar years, starting with originations in 2026 and 2027. The new compliance date would be January 1, 2028. The new first filing deadline would be June 1, 2029. In the preamble to the proposal, the CFPB notes that it also considered thresholds of 200, 500, and 2,000 originations in each of the two preceding calendar years.

The 2023 final rule did not exclude any type of financial institution from the rule. The CFPB now proposes to exclude Farm Credit System (FCS) lenders from the rule. In the preamble to the proposal the CFPB explains it “believes that an exemption for FCS lenders would advance the statutory purposes of section 1071. FCS lenders have a unique mission-driven structure, and they operate in a specific regulatory environment.”

Covered Transactions. The 2023 final rule broadly defined a covered transaction as “an extension of business credit that is not an excluded transaction” and incorporated the definition of “business credit” from Regulation B section 1002.2(g). That section defines “business credit” as extensions of credit primarily for business or commercial (including agricultural) purposes, but excluding extensions of credit of the types described in [Regulation B sections] 1002.3(a)-(d).” Those sections set forth partial exemptions for public utilities credit, securities credit, and incidental credit, and a broad exemption for credit extensions to governments and government entities.

The 2023 final rule sets forth six types of excluded credit transactions:

  • Trade credit, which the rule defines as “[a] financing arrangement wherein a business acquires goods or services from another business without making immediate payment in full to the business providing the goods or services.”’
  • Transactions that must be reported under the Home Mortgage Disclosure Act.
  • Insurance premium financing, which the rule defines as “[a] financing arrangement wherein a business agrees to pay to a financial institution, in installments, the principal amount advanced by the financial institution to an insurer or insurance producer in payment of premium on the business’s insurance contract or contracts, plus charges, and, as security for repayment, the business assigns to the financial institution certain rights, obligations, and/or considerations (such as the unearned premiums, accrued dividends, or loss payments) in its insurance contract or contracts. Insurance premium financing does not include the financing of insurance policy premiums obtained in connection with the financing of goods and services.
  • Public utilities credit as defined in Regulation B section 1002.3(a)(1).
  • Securities credit as defined in Regulation B section 1002.3(b)(1).
  • Incidental credit as defined in Regulation B section 1002.3(c)(1), but without regard to whether the credit is consumer credit under the Regulation.

The final rule also excluded from being a covered transaction factoring, leases, and purchases of existing credit transactions.

The CFPB proposes to add three additional exclusions for:

  • A merchant cash advance (MCA), which the proposal defines as “[a]n agreement under which a small business receives a lumpsum payment in exchange for the right to receive a percentage of the small business’s future sales or income up to a ceiling amount.” (While the proposed regulatory text refers only to MCAs, in the preamble the CFPB refers to MCAs and other sales-based financing transactions, and the CFPB proposes to remove the references to such transactions from the 2023 final rule.)
  • Agricultural lending, which the proposal defines as “[a] transaction to fund the production of crops, fruits, vegetables, and livestock, or to fund the purchase or refinance of capital assets such as farmland, machinery and equipment, breeder livestock, and farm real estate improvements.”
  • A transaction in an amount of $1,000 or less. (This dollar amount will be subject to adjustment every five years starting in January 2035, using the January 2030 Consumer Price Index for All Urban Consumers (CPI-U) as the base for adjustments.)

Addressing MCAs in the preamble to the proposal, the CFPB notes that it intentionally decided not to exclude such advances from the 2023 final rule and has now reconsidered that decision. The CFPB states it “believes that at the onset of the data collection under section 1071 the focus should be on core lenders and products before the CFPB considers expanding the scope of the rule” and that “MCAs are structured differently from traditional lending products.” The CFPB also states it “believes it erred in prematurely determining that collection of data on MCA transactions would serve section 1071’s statutory purposes by concluding that all MCAs constitute credit.” However, the CFPB adds that it “will continue to monitor developments in the markets for MCAs and other sales-based financing to determine whether over time a subset might be appropriately included in the definition of “covered credit transaction” for purposes of data collection.”

Addressing agricultural lending in the preamble to the proposal, the CFPB states that “agricultural lending differs markedly from other types of commercial lending. Agricultural loans are often secured by biological-based assets such as crops or livestock, which are subject to variables and risk from weather and disease. These characteristics create unique underwriting challenges that make such loans difficult to compare to those in other industries. The 2023 rule did not adequately consider these distinctions and the quality of data stemming from such transactions.” The CFPB also observes that “agricultural lending is already subject to an existing federal data collection framework, [through the Farm Credit Administration (FCA),] one that is tailored to this particular sector.”

Addressing small dollar transactions in the preamble to the proposal, the CFPB noted that it had rejected requests by stakeholders to include an exemption in the 2023 final rule with, parties suggesting amounts ranging from $25,000 to $10 million, and that at the time “[t]he CFPB explained that it was not adopting an exemption because of the significant volume of small business lending involving credit amounts below the threshold levels proposed by commenters.” The CFPB added that it “now believes that an exclusion for the smallest loans—well under the thresholds suggested by commenters in the 2023 final rule—is necessary or appropriate to carry out the purposes of section 1071.”

Small Business. Under the 2023 final rule a business is considered a small business if its gross annual revenues in the preceding fiscal year were $5 million or less, subject to periodic adjustment for inflation. The CFPB proposes to lower the amount to $1 million or less. The amount would be subject to adjustment every five years starting in January 2035, using the January 2030 CPI-U as the base for adjustments, with the result rounded to the nearest multiple of $100,000. The 2023 final rule provides for adjustments starting in January 2025, and the rounding of the result to the nearest $500,000.

Addressing the proposed reduction in small business revenue amount, the CFPB refers to Executive Order 14192, Unleashing Prosperity Through Deregulation, which seeks to reduce burdens imposed by federal regulations. The CFPB states that “[a]s part of the CFPB’s review of the 2023 final rule under this order, the CFPB identified that a $1 million threshold would help reduce regulatory burden on financial institutions because it would better align with other existing financial regulatory requirements and standard financial industry practices related to small businesses.” However, the CFPB invites comments on whether revenue thresholds of $500,000, $2 million, $3 million, or some other amount would be appropriate.

Data Points. Dodd-Frank specifies the following data points for inclusion in the 1071 rule:

  1. Whether the business is women-owned or minority-owned.
  2. The application number and the date on which the application was received.
  3. The type and purpose of the loan or other credit being applied for.
  4. The amount of the credit or credit limit applied for, and the amount of the credit transaction or the credit limit approved for such applicant.
  5. The type of action taken with respect to such application, and the date of such action.
  6. The census tract in which the principal place of business is located.
  7. The gross annual revenue of the business in the last fiscal year preceding the date of the application.
  8. The race, sex, and ethnicity of the principal owners of the business.

Dodd-Frank permits the CFPB to add data points that it determines would aid in fulfilling the purposes of section 1071. The CFPB added many data points, including:

  1. Whether the business is LGBTQIA+-owned.
  2. The application method.
  3. Whether the application was received directly by the financial institution or its affiliate, or was received through a third party.
  4. For applications that are denied, the denial reasons.
  5. The following pricing information: the type of interest rate; the term of any initial rate period; for a fixed rate loan, the interest rate; for a variable rate loan, the margin, index value, initial rate period expressed in months (if applicable), and index name.
  6. The total origination charges.
  7. The total broker fees.
  8. The total amount of all non-interest charges that are scheduled to be imposed over the first annual period.
  9. For a merchant cash advance or other sales-based financing transaction, the difference between the amount advanced and the amount to be repaid.
  10. Whether the financial institution could have provided for a prepayment penalty, regardless of whether the transaction includes a prepayment penalty.
  11. Whether the transaction has a prepayment penalty.
  12. The number of non-owners working for the small business.
  13. The type(s) of guarantees for the credit.
  14. The term to maturity.
  15. The address used to determine the census tract of the principal place of business.
  16. The type of small business, using a three-digit North American Industry Classification System (NAICS) code.
  17. The time that the small business has been in business.
  18. The number of principal owners, which would be limited to four given that a person must directly own 25% or more of the business to be a principal owner.

While the CFPB could have proposed the removal all of the additional data points from the 1071 rule, it took a more limited approach, proposing the removal of the first 12 data points.

The CFPB proposes modifying the data field for the sex of the principal owners by replacing the free form text field with Male and Female check boxes. The CFPB advises in the preamble that it “now believes, based on feedback from stakeholders of all kinds, that a free-form text field would likely result in poor data quality, given the variety of possible responses to the sex question even for a single type of answer.”

While the CFPB does not propose to change the approach under the 2023 final rule of requiring the collection of both aggregate and disaggregated race and ethnicity information on the principal owners, it observes that section 1071 does not expressly provide for the collection of disaggregated data. The CFPB then adds that “[g]iven its concern about commencing a long-term data collection regime by asking for potentially complex and costly data points, the Bureau seeks comment on whether it should revise the rule’s data collection requirements to require collection only of aggregate ethnicity and race categories.”

Addressing in the preamble the approach taken by the CFPB in the 2023 final rule with regard to the addition of data points, the CFPB states that:

“[T]o be included as a discretionary data point, a data point implicitly must satisfy two independent tests: (1) whether the data point would aid in fulfilling the purposes of section 1071, and (2) whether the CFPB believes based on the record before it that it is appropriate to adopt as a discretionary data point given factors such as operational cost and regulatory complexity. Accordingly, if the Bureau now believes that the relative utility of the data is not strong enough to justify the additional operational complexity for financial institutions, that is sufficient reason to propose removing the discretionary data point, even if the discretionary data point would otherwise advance the purposes of the statute.”

The CFPB then refers to Executive Order 14192, which is addressed above, and Executive Order 14219, Ensuring Lawful Governance and Implementing the President’s ‘‘Department of Government Efficiency’’ Deregulatory Initiative, which provides that it is the policy of the Trump administration “to focus the executive branch’s limited enforcement resources on regulations squarely authorized by constitutional Federal statutes, and to commence the deconstruction of the overbearing and burdensome administrative state. Ending Federal overreach and restoring the constitutional separation of powers is a priority of [the] administration.”

The CFPB states that it believes removing certain of the discretionary data points would meet the goals of the executive orders. The CFPB then adds that:

“[S]ubsequent to the publication of the 2023 final rule and through the implementation process, the Bureau received additional feedback about the number of data points total, and the logistical challenges associated with implementing some or all of the discretionary data points. The implementation feedback provided by stakeholders further supports reconsideration of certain discretionary data points, and the Bureau now believes that the 2023 final rule did not adequately consider the extent to which the value of the data point justifies the additional operational complexity in obtaining it.”

Discouragement Provisions. The 2023 final rule includes provisions prohibiting a covered financial institution from discouraging applicants from responding to requests for information. In particular, the final rule provides that “[a] low response rate for applicant-provided data may indicate discouragement or other failure by a covered financial institution to maintain procedures to collect applicant-provided data that are reasonably designed to obtain a response.” The provisions sparked ire from stakeholders, as it appeared that the CFPB assumed financial institutions would impede the goals of the rule by deliberately discouraging small businesses from providing information. Also, experience with the Home Mortgage Disclosure Act reveals that many individuals opt not to provide demographic data, which made it appear that the low response rate provision was designed to allow the CFPB to unjustly accuse many institutions of the prohibited discouragement. The CFPB proposes to remove the discouragement provisions, as it believes the provisions “are redundant and add unnecessary regulatory complexity.”

Lawsuits. Presumably, activity in the three lawsuits challenging the 2023 final rule will pause during the rulemaking process. The effect on the lawsuit seeking to force the CFPB to implement the rule is less clear. In that lawsuit, the CFPB must file its motion to dismiss and opposition to the plaintiffs’ revised motion for summary judgment on or before November 21, 2025. The plaintiffs then must file their opposition to the CFPB’s motion to dismiss and any reply in support of their revised motion for summary judgment on or before December 18, 2025. After that, the CFPB must file any reply in support of the motion to dismiss on or before January 16, 2026. Whether the CFPB will have funding at the time to do so remains to be seen.

The Ballard Spahr Consumer Financial Services group will be recording a podcast on the proposals to be released in the future.

Richard J. Andreano, Jr. and John L. Culhane, Jr.

Back to Top

Judge Delays Effective Dates of CFPB’s Open Banking Rule

A federal judge has issued an injunction delaying the compliance dates of the CFPB’s open banking rule (Rule).

In issuing the injunction, U.S. District Judge Danny C. Reeves of the U.S. District Court for the Eastern District of Kentucky said the Bureau has said it is rewriting the Rule that was issued during the Biden administration. However, the compliance dates of the Rule remain in effect.

The first compliance deadline for the Rule would have been June 30, 2026, and banking plaintiffs said they would have to incur significant costs in meeting the compliance deadlines for a Rule that will never go into effect. And, they said, the administration will not be able to finalize a new Rule by that date and has done nothing to delay that effective date.

“It is unlikely that the CFPB will issue a new Rule before [the first compliance deadline], and it remains unclear whether or when the CFPB will extend the compliance deadlines,” Reeves wrote, in issuing the injunction. “The CFPB has stated that it intends to ‘comprehensively reexamine’ the Rule and ‘envisions’ adopting a ‘new final Rule that substantially revises the Rule under review.’”

The Rule would have had far-reaching implications for financial institutions, fintech companies, and consumers. This previously untapped legal authority would have given consumers the right to control their personal financial data and assign the task of implementing personal financial data sharing standards and protections to the CFPB.

When the Rule was issued on October 22, 2024, it was immediately met with criticism from industry groups. Forcht Bank, the Bank Policy Institute, and Kentucky Bankers Association filed a lawsuit the day the Rule was released, seeking injunctive relief, alleging that the CFPB exceeded its statutory authority.

When the Trump administration took office, the CFPB withdrew the Rule, citing the President’s directive to review existing regulations. The CFPB said that the agency had determined that the Rule exceeded the CFPB’s statutory authority and was arbitrary and capricious.

Subsequently, the administration decided to issue a new Rule and requested comments on what that rule should include. However, the CFPB did not extend the compliance deadlines for the original Rule.

Kristen E. Larson and Ronald K. Vaske

Back to Top

CFPB Inspector General Says Bureau’s Information Security Program Is Ineffective

The quality of the CFPB’s information security program “has decreased since last year, leading us to conclude the program no longer is effective,” the Bureau’s Inspector General (IG), said in a report.

The Bureau’s overall security program has decreased from “manageable and measurable” to “defined,” the IG said in an annual audit conducted between April 2025 and October 2025, which is only one step above the lowest security rating. This is significant, as data maintained by the CFPB includes personally identifiable information on consumers and confidential supervisory information on companies.

“The CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” according to the report.

The current problem has been exacerbated by the Trump administration’s efforts to downsize the agency, the IG said. According to several news reports, Acting CFPB Director Russell Vought recently said on the “Charlie Kirk Show” that he thinks he will be successful in shutting down the CFPB in the next two or three months.

Problems at the CFPB have been compounded by the loss of contractors supporting information security monitoring and testing activities, according to the IG. About 65% of the individuals supporting the CFPB’s information security program at the start of 2025 were contractors, according to the IG. By the end of February, that figure had dropped to 25%.

The CFPB’s Enterprise Risk Management (ERM) Program has been placed on hold since the agency’s chief risk officer and other individuals in the ERM office left the agency in March 2025, according to the report. Those positions have not been filled and their responsibilities are not being fully performed, the IG said.

The IG also reported that:

  • The CFPB is not maintaining its authorizations to operate for many systems and is using risk acceptance memorandums without a documented analysis of cybersecurity risks.
  • The CFPB continues to use outdated software on its network for which vendors are no longer providing security updates and patches, according to the IG. The main reason for that is the delay in modernizing, researching, and retiring legacy applications. That problem also had been pointed out to Bureau officials in the past. “Continued Use of End-of-Life Software Increases the Risk to Sensitive CFPB Data and Systems.”
  • The CFPB could strengthen its information security program by using cybersecurity profiles to evaluate, tailor, and prioritize its cybersecurity approach. “Specifically, we believe that the use of profiles can help the agency align its cybersecurity program and control structure with the future state of the agency and the sensitive data it maintains.”
  • Despite constraints, the CFPB was able to update its processes to respond to potential ransomware and transitioned toward a continuous vetting model for employee background checks. In addition, the senior information security employee continued to meet with system owners on a weekly basis, while the bureau also is decommissioning and modernizing its legacy technology systems.

The IG made several technical recommendations. While the CFPB agreed with the IG recommendations, it disputed the notion that it has a lax information security posture.

Gregory P. Szewczyk

Back to Top

FDIC Revises Examination Schedule

The FDIC has announced that its Consumer Compliance Examination Manual has been revised to reflect an updated examination schedule for financial institutions. As a result, agency consumer compliance examinations and Community Reinvestment Act (CRA) evaluations will occur less frequently for most institutions, according to the FDIC.

Institutions will generally be on an examination cycle of 66-78 months, 54-66 months, or 24-36 months, depending on the asset size of the institution and its Consumer Compliance Rating. Previously, Consumer Compliance exams could be as frequent as every 12 months, although under the revised schedules institutions with 4 or 5 Consumer Compliance ratings can be examined for compliance on a one-to-12 month schedule, and also examined on such schedule for CRA purposes if they have a Needs to Improve or a Substantial Noncompliance CRA rating. Additionally, institutions with a 3 Consumer Compliance rating and a Substantial Noncompliance CRA rating can be examined on a one-to-12 month schedule for CRA purposes. The FDIC noted that examination cycles are based on the date of the last joint Consumer Compliance/CRA evaluation.

The agency said that Section II-12.1 of the manual has been revised to reflect the changes. The updated manual also establishes a new compliance mid-point risk analysis for certain institutions.

“For institutions on an examination cycle of 66-78 months or 54-66 months, with no targeted Consumer Compliance examination or CRA evaluation, examiners will conduct a mid-point risk analysis of the institution and determine if an intervening supervisory activity, such as a targeted visitation, is needed,” the FDIC said.

Those institutions rated adversely (institutions not rated a “1” or “2” for Consumer Compliance and “Outstanding” or “Satisfactory” for CRA) will encounter more frequent supervisory examinations, evaluations, or visitations, according to the agency.

Consumer Financial Services Group

Back to Top

NFIP Reauthorization Included in Spending Bill

The legislation reopening the government signed by President Trump, H.R. 5731, also reauthorizes the National Flood Insurance Program (NFIP) until January 30, 2026, the same day the spending measure lapses. The reauthorization is retroactive to October 1 the beginning of the fiscal year and the day the NFIP authorization expired.

Once again, the short-term reauthorization was included in a short-term spending bill, since Congress has been unable to pass a comprehensive NFIP reauthorization bill. This is the 34th time that Congress passed a short-term NFIP reauthorization, according to the Congressional Research Service (CRS).

Consumer Financial Services Group

Back to Top

CFPB Restores CSI Treatment of ‘Pose Risk’ Decisions

Effective October 27, 2025, the CFPB rescinded the amendments to the Procedures for Supervisory Designation Proceedings that it adopted in April 2022, November 2022, and April 2024, with the exception of some limited process adjustments.

Section 1024(b)(7) of the Consumer Financial Protection Act authorizes the CFPB to “prescribe rules to facilitate supervision” of the nonbank covered persons described in section 1024(a), i.e., those that are deemed to have engaged in or to be engaging in conduct that poses risks to consumers, as well as to facilitate the “assessment and detection of risks to consumers.” In 2013, the CFPB issued procedural rules to govern these supervisory designation proceedings, under which information regarding the proceedings was treated as confidential supervisory information and not publicly disclosed. Those rules were codified at 12 C.F.R. Part 1091. In April 2022, November 2022, and April 2024, the CFPB issued a series of rules (collectively, the 2022-2024 rules) that, among other changes, amended the 2013 rules to enable the Director to publicly release the Director’s final decisions and orders designating respondents for supervision.

The rescission eliminates the Hobson’s choice in “pose risk” supervisory designation proceedings, caused by the 2022-2024 rules, between (1) contesting the designation, in which case the CFPB would make its determination public or (2) consenting to the designation, in which case the CFPB would treat everything as nonpublic confidential supervisory information. This “choice” caused many entities to consent to the designation in order to avoid a public decision and order discussing alleged risks to consumers from their consumer financial products or services, even in situations where they had meritorious responses to the initiating official’s notice of reasonable cause. The CFPB concluded that the harm caused by reputational pressure leading to unmeritorious designations was not outweighed by benefits in disclosure.

In May 2025, the CFPB issued a notice of proposed rulemaking that requested public comment on rescinding the 2022-2024 rules and restoring the 2013 rule. The CFPB received eight comment letters (four from industry trade associations, two from consumer groups, and two from individuals). After considering the comments, the CFPB decided to rescind the 2022-2024 rules, except that the Bureau retained some limited process adjustments that were contained in the 2024 rule.

The final rule also included the following process changes:

  • Reinstating a process for a recommended decision by an intermediate “recommending” official;
  • Providing the opportunity for a reply by the initiating official;
  • Permitting a supplemental response by video (in addition to supplemental responses in-person and by phone); and
  • Providing for the possibility of additional supplemental briefing by the parties.

The CFPB has separately published a notice of proposed rulemaking to better define the legal standard applicable to supervisory designation proceedings.

Kristen E. Larson and John L. Culhane, Jr.

Back to Top

CFPB Withdraws Proposed Registry of Nonbank Contract Terms

On October 29, 2025, CFPB withdrew its proposed rule titled, “Registry of Supervised Nonbanks That Use Form Contracts To Impose Terms and Conditions That Seek To Waive or Limit Consumer Legal Protections,” which was published on February 1, 2023. The proposed rule would have required nonbanks to submit annual reports on the terms and conditions in their form contracts and on related court or arbitrator decisions on the enforceability of those terms and conditions. The proposed rule would have required the Bureau to publish such information and registrants’ identifying information. See our prior blog about the proposed rule.

The notice stated two specific reasons for the withdrawal. First, the need for a registry was speculative and did not justify the regulatory burden. Specifically, the CFPB stated, “Moreover, the Bureau believes, after consideration of comments, that, as a policy matter, the Proposed Rule’s attempt to disincentivize conduct through the collection of vast amounts of data regarding typically lawful contract terms amounts to regulatory overreach, and is a misguided use of the Bureau’s authorities that dilutes the Bureau’s ability to identify true risk to consumers.”

Second, the speculative benefit to the public for publication did not justify the regulatory burden. Specifically, the CFPB stated, “The Bureau nevertheless believes, as it does with the registration requirement discussed above, after consideration of comments, that the Proposed Rule’s publication requirement was a misguided attempt to stigmatize regulated entities into changing form contracts that, by and large, contain lawful terms with little, if any, evidence to justify such aggressive regulatory overreach.”

The CFPB also considered four alternatives to the proposed rule that it determined were not appropriate or viable, including requiring registration of all supervised nonbanks regardless of their use of covered terms and conditions, limiting the definition covered terms and conditions to those prohibited by law, collecting additional data to help support any potential benefits, and eliminating the publication requirement.

On this same date, the CFPB rescinded its final rule on Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders.

Kristen E. Larson and John L. Culhane, Jr.

Back to Top 

Looking Ahead

CaMBA – Legal Issues and Regulatory Compliance Conference

December 8-9, 2025 | Irvine Marriott Hotel, Irvine, CA

Employment Law Updates – How to Protect Yourself

December 9, 2025 – 11:00 AM PT

Speaker: Richard J. Andreano, Jr.

Back to Top

Subscribe to Ballard Spahr Mailing Lists

Get the latest significant legal alerts, news, webinars, and insights that affect your industry. 
Subscribe

Copyright © 2025 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.