Mortgage Banking Update - May 21, 2026

May 21 – Read the newsletter below for the latest Mortgage Banking and Consumer Finance industry news, written by Ballard Spahr attorneys. In this issue, our lawyers examine a secondary ticketing website’s settlement for failing to disclose full ticket prices, the California Governor’s appointment of former CFPB Director to lead a new regulatory super agency, the OCC’s finalized rules on preemption of state mortgage interest-on-escrow laws, and other notable updates.

• Podcast Episode: The White House AI Framework — Ambition, Preemption, and Uncertainty Ahead
• Podcast Episode: Debt Sales 101 Mini-Series — Episode 6: After the Close: Compliance, Oversight, and Ongoing Risk
• Podcast Episode: White House Executive Order on Scams and Fraud Takes Center Stage
• Podcast Episode: CFPB Finalizes Sweeping ECOA Rule Changes — What Lenders Need to Know About Disparate Impact, Discouragement, and SPCPs
• OCC Finalizes Rules Confirming Preemption of State Mortgage Interest-on-Escrow Laws
• Second Circuit Reaffirms Preemption of New York’s Mortgage Escrow Interest Law, Setting Stage for Potential U.S. Supreme Court Rematch With First Circuit
• Seventh Circuit Hits Reset Button in Illinois Interchange Fee Litigation After OCC ‘Doubles Down’ on Federal Preemption Under the National Bank Act
• Washington Supreme Court: Lenders Need ‘Negotiable Instrument’ to Nonjudicially Foreclose Residential Real Estate-Secured Loans
• CFPB’s Final Rule Recalibrates Fair Lending Enforcement: A Return to Clarity and Core Statutory Principles
• NYDFS Says Disparate Impact Remains in Effect
• CFPB’s OIG Investigating Current Workforce and Contracting Developments Plus Interpretations Adopted and Enforcement Actions Taken Under Then Director Chopra
• CFPB Surprisingly Appeals Judge Davila’s Funding Decision to the Ninth Circuit
• Secondary Ticketing Website to Pay $10 Million for Failing to Disclose Full Price of Tickets
• Virginia Moves Toward State-Court Class Actions: A Major Shift With Significant Business Implications
• Maryland Targets ‘Surveillance Pricing’: Is It a Warning Shot for AI-Driven Pricing Across Industries, Including Consumer Financial Services?
• GLBA Modernization Legislation: Key Implications for Financial Institutions’ Data Practices
• U.S. House Committee Releases SECURE Data Act to Establish New Federal Privacy Framework
• Colorado Rewrites Its Landmark AI law: Unpacking SB 26-189 and What It Means for Businesses
• California Governor Newsom Taps Former CFPB Director Rohit Chopra to Lead Regulatory Super Agency
• SEPA SHRM and Ballard Spahr LLP 2026 HR Legal Summit

 

Podcast Episode: The White House AI Framework — Ambition, Preemption, and Uncertainty Ahead

In the episode of Consumer Finance Monitor Podcast, we explore the White House’s National Policy Framework for Artificial Intelligence published on March 20, 2026. This new framework represents the Administration’s most concrete attempt yet to shape the future of AI governance in the United States. While it does not carry the force of law, it offers a revealing look at the policy direction the Administration hopes Congress will take.

Joining our host, Alan Kaplinsky (founder, chair for 25 years and now senior counsel of the Consumer Financial Services Group), for this discussion were Charlie Bullock (Senior Research Fellow at The Institute for Law and AI), Kristian Stout (Director of Innovation Policy at the International Center for Law & Economics), and Greg Szewczyk, head of Ballard Spahr’s Privacy and Data Security Group. Below are the key takeaways from the conversation.

From Principles to Policy: A Clear Shift

One of the most striking aspects of the new framework is how sharply it departs from last year’s more principles-based “White House AI Action Plan.” That earlier effort emphasized risk awareness, governance principles, and a balanced approach to innovation and regulation. On October 30, 2025, we produced a webinar entitled: “AI in Financial Services: Understanding the White House Action Plan – and What It Leaves Out,” which featured the same speakers as the podcast being released today, plus Dean Ball, former White House senior advisor and one of the architects of the White House AI Action Plan. This webinar was then re-purposed into a two-part podcast series released on December 4 and 10, 2025.

By contrast, the new framework is short, just a few pages, light on detailed policy prescriptions, and heavily focused on limiting regulation, particularly at the state level.

As Charlie Bullock observed, the document is notable as much for what it doesn’t include as for what it does. Rather than proposing robust federal oversight, it largely outlines areas where the government should refrain from acting.

Federal Preemption Takes Center Stage

The framework’s most consequential and controversial feature is its strong endorsement of federal preemption of state AI laws.

It proposes broad preemption in areas such as:

• AI development
• Liability for third-party misuse of AI systems
• Restrictions on AI-enabled activities that would otherwise be lawful

At the same time, it preserves certain state authorities, including:

• Zoning and infrastructure decisions
• State use of AI
• “Generally applicable” laws (e.g., fraud, consumer protection, and child safety)

This raises a critical question: How meaningful are these carve-outs? As we discussed, broadly worded exceptions, particularly for state “police powers”, could significantly limit the practical reach of federal preemption and potentially preserve a patchwork of state regulation.

The Patchwork Problem Isn’t Going Away

Even with federal action, the reality is that state-level AI regulation is already underway. Laws like Colorado’s AI Act and emerging chatbot regulations illustrate how quickly states are moving.

Greg Szewczyk noted that, unlike privacy law, where states have largely converged around similar frameworks, AI regulation could diverge in more fundamental ways. Without a consistent federal baseline, companies may face:

• Increased compliance costs
• Operational complexity
• Uncertainty in deploying AI tools across jurisdictions

Interestingly, some state regulators (including democrats) may ultimately favor a well-crafted federal preemption regime if it provides clarity without sacrificing core protections.

Innovation First—But Who Benefits?

The framework strongly emphasizes:

• AI infrastructure buildout
• Faster permitting
• Regulatory sandboxes
• Access to federal datasets

Kristian Stout highlighted that these priorities could accelerate innovation but they are not automatically startup-friendly. Large incumbents may benefit disproportionately due to:

• Greater access to compute resources
• Established compliance capabilities
• Ability to absorb regulatory costs

This tension between promoting innovation and preserving competition remains unresolved.

Child Safety, IP, and Free Speech: More Questions Than Answers

The framework touches on several critical areas but leaves key details unsettled:

Child Protection

It endorses tools like age verification and parental controls but offers little guidance on implementation. Compared to proposals like the Kids Online Safety Act (KOSA), the framework appears less aggressive and more preemptive of state innovation.

Intellectual Property

Rather than legislating, the framework defers to the courts on issues like:

• Fair use in AI training
• Output infringement

This “wait and see” approach avoids premature policymaking but prolongs uncertainty.

Free Speech

A novel component aims to prevent government “jawboning” of AI providers; i.e., informal pressure to shape outputs. While rooted in legitimate First Amendment concerns, its ultimate scope and constitutionality remain unclear.

No New AI Regulator—For Now

The framework rejects the creation of a centralized AI regulator, instead relying on existing agencies.

This approach has clear advantages:

• Agencies already understand their sectors
• Avoids bureaucratic duplication

But it also raises concerns:

• Limited technical expertise
• Resource constraints
• Inconsistent oversight across agencies

As discussed, a hybrid model, combining agency expertise with centralized technical guidance, may ultimately emerge.

Will Anything Actually Pass?

Perhaps the most sobering takeaway: major AI legislation is unlikely in the near term.

As Charlie Bullock put it bluntly, companies should not invest significant resources preparing for this specific framework. The political reality is:

• Deep divisions within and between parties
• Limited legislative bandwidth before the midterms
• Competing proposals with very different philosophies

That said, elements of the framework may still surface incrementally in future bills.

The Anthropic ‘Mythos’ Moment: A Glimpse of What’s Coming

While not covered by the White House framework, our discussion closed with a timely real-world example: reports about Anthropic’s advanced AI model, “Claude Mythos,” capable of identifying and exploiting software vulnerabilities at scale.

Whether somewhat overstated or not, the episode highlights a broader truth:

• AI is accelerating existing capabilities, not inventing entirely new ones
• The pace of advancement is increasing rapidly
• Both risks and defensive tools are evolving simultaneously

As Kristian Stout noted, this is less a radical break than a compression of time and accessibility, making powerful capabilities available faster and to more people.

Final Thoughts

The White House AI Framework signals an important shift in U.S. policy thinking:

• Away from abstract principles
• Toward concrete (if still incomplete) legislative direction

It prioritizes innovation, federal uniformity, and limited regulation but leaves fundamental questions unresolved.

For industry participants, the key takeaway is not immediate compliance but continued vigilance. The direction of travel is becoming clearer, even if the destination remains uncertain.

We will closely continue to monitor developments closely on our blog, webinars, and podcast shows. We will soon be releasing podcast shows with (1) Professor Mark Geistfeld of NYU Law School about ALI’s relatively new project entitled “Principles of the Law Pertaining to Civil Liability for Artificial Intelligence” and (2) with Professor David Hoffman of the University of Pennsylvania Law School about an article he co-authored with the CEO of the American Arbitration Association entitled “Agentic Commerce Needs Legal Infrastructure, and the Courts are Coming.”

Consumer Finance Monitor is hosted by Alan Kaplinsky, senior counsel at Ballard Spahr, and the founder and former chair of the firm’s Consumer Financial Services Group. We encourage listeners to subscribe to the podcast on their preferred platform for weekly insights into developments in the consumer finance industry.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

---

Podcast Episode: Debt Sales 101 Mini-Series — Episode 6: After the Close: Compliance, Oversight, and Ongoing Risk

In the final episode of our Debt Sales 101 mini-series, we focus on what happens after a debt sale closes and how sellers manage ongoing compliance, oversight, and risk. We discuss how regulators view debt sales as a managed activity rather than a clean exit and what that means for post-sale responsibilities.

From a regulatory perspective, sellers are expected to maintain reasonable oversight of buyers, particularly where consumer harm could arise. We discuss key post-close considerations, including monitoring complaints, credit bureau disputes, litigation trends, and regulatory developments, as well as the importance of maintaining an ongoing diligence process for repeat transactions.

We also address practical risk management issues, including handling buybacks, responding to buyer requests for documentation, and mitigating the impact of adverse court decisions. One important theme is that patterns in complaints and litigation can signal broader issues, and proactive monitoring can help prevent regulatory scrutiny or downstream risk.

The key takeaway from this final episode is that debt sales do not end at closing. They evolve over time. Successful programs treat debt sales as an ongoing process, with continuous feedback loops, documentation support, and compliance oversight. This approach helps protect brand, improve pricing, and strengthen long-term relationships with buyers.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

---

Podcast Episode: White House Executive Order on Scams and Fraud Takes Center Stage

On this episode of the award-winning Consumer Finance Monitor Podcast we examine one of the most significant recent federal developments in the fight against scams and fraud: Executive Order 14390.

Hosted by Alan Kaplinsky (the founder, chair for 25 years and now senior counsel in the Consumer Financial Services Group), the episode features returning guests Kate Griffin and Nick Bourke of the Aspen Institute, who previously joined the podcast to discuss Aspen’s landmark report, United We Stand: A National Strategy to Prevent Scams.

Why This Episode Matters

Scams and fraud continue to impose staggering losses on American households, businesses, and financial institutions. As discussed in the episode, the Aspen report framed scams as a “whole-of-society” problem requiring coordination across government, financial institutions, technology companies, telecom providers, and civil society.

The new executive order appears to respond directly to that challenge by calling for:

• A coordinated federal anti-scam strategy
• Greater inter-agency cooperation
• Enhanced public-private information sharing
• Increased disruption of transnational scam networks
• Stronger victim restitution and recovery efforts
• More aggressive international enforcement tools, including sanctions and diplomatic pressure

In many respects, the executive order may represent the first serious federal attempt to build a national strategy to combat scams.

Key Themes Explored in the Episode

During the discussion, Kate Griffin described the executive order as the “starting gun” in the race against scams—an important signal that the federal government is now treating scams as a national priority.

Nick Bourke emphasized that success will require more than enforcement alone. He noted that regulators, financial institutions, telecom carriers, and digital platforms must be empowered to share information and intervene more effectively when suspicious activity is detected.

The conversation also examined:

1. Coordination Across Government

The executive order relies heavily on the federal government’s National Coordination Center framework to align agencies such as the Departments of Treasury, State, Justice, and Defense. Whether that coordination translates into meaningful operational change remains to be seen.

2. Information Sharing and Safe Harbors

The guests explained that one of the largest barriers to scam prevention is the inability of private-sector participants to share threat intelligence quickly because of privacy, litigation, or antitrust concerns. Legislative or regulatory safe harbors may ultimately be necessary.

3. Targeting the Scam Business Model

Rather than focusing solely on individual fraudsters, the discussion stressed the need to undermine the economics of scams—making them harder, riskier, and less profitable for criminal enterprises to operate.

4. Victim Restoration

A particularly notable feature of the executive order is its call for a victim restoration program, which could help return seized assets to scam victims more efficiently.

5. Modernizing Law Enforcement Tools

The guests also highlighted the need to modernize legacy federal databases such as FBI and FinCEN reporting systems, many of which were designed before today’s high-speed digital scam environment.

What Comes Next?

While the executive order is an important milestone, the guests agreed that additional action will be needed from Congress, regulators, and the private sector. A successful anti-scam strategy will likely require:

• Clearer legal pathways for data sharing
• Better consumer reporting systems
• Greater use of AI and analytics
• International cooperation
• Faster prosecutions and asset recovery
• Ongoing public education efforts

Bottom Line

This episode makes clear that scams are no longer simply a consumer-protection issue, they are now a national economic security issue. The White House has taken an important first step, but whether the executive order produces meaningful results will depend on execution, follow-through, and sustained cross-sector collaboration.

Consumer Finance Monitor is hosted by Alan Kaplinsky, senior counsel at Ballard Spahr, and the founder and former chair of the firm’s Consumer Financial Services Group. We encourage listeners to subscribe to the podcast on their preferred platform for weekly insights into developments in the consumer finance industry.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

---

Podcast Episode: CFPB Finalizes Sweeping ECOA Rule Changes — What Lenders Need to Know About Disparate Impact, Discouragement, and SPCPs

This episode of the Consumer Finance Monitor Podcast features a wide-ranging and timely discussion about one of the most consequential fair lending developments in years: the CFPB’s final rule fundamentally reshaping enforcement under the Equal Credit Opportunity Act (ECOA) and Regulation B.

Hosted by Alan Kaplinsky (the Founder, Chair for 25 years and now senior counsel of the Consumer Financial Services Group at Ballard Spahr), the episode brings together an exceptional panel of fair lending authorities: our special guest Bradley Blower (the Principal and Founder of Inclusive-Partners LLC) along with John Culhane, Jr., and Richard Andreano, Jr., both senior counsel in the Consumer Financial Services Group at Ballard Spahr.

The discussion revisits a proposal first examined on the podcast last year when the CFPB under Acting Director Russell Vought proposed sweeping revisions to ECOA enforcement principles (you can find more on that episode here). Now, the Bureau has finalized the rule largely as proposed, marking a dramatic shift in federal fair lending policy.

The CFPB’s Three Major Changes

As discussed during the podcast, the final rule makes three major changes from the former Regulation B:

• Eliminates the use of disparate impact analysis under ECOA and Regulation B.
• Narrows discouragement liability by focusing primarily on spoken, written, or visual statements rather than broader conduct.
• Revises the framework governing Special Purpose Credit Programs (SPCPs), particularly for for-profit lenders.

The Bureau’s stated rationale is that ECOA does not authorize disparate impact liability and that fair lending enforcement should focus on intentional discrimination rather than statistical disparities alone.

Supporters of the rule argue that the changes provide lenders with clearer standards, reduce regulatory uncertainty, and create a more predictable environment for innovation, including AI-driven underwriting and algorithmic decision-making.

Critics, however, contend that the rule ignores the historical role disparate impact analysis has played in uncovering systemic discrimination and could make it substantially more difficult to identify discriminatory outcomes embedded in facially neutral policies or automated systems.

Disparate Impact: A Sea Change, But Not the End of Fair Lending

The panel devoted significant attention to the CFPB’s elimination of disparate impact liability under ECOA.

John Culhane described the move as a “dramatic shift” for non-mortgage lending, noting that disparate impact theories historically drove many federal fair lending actions involving indirect auto finance, student lending, and other consumer credit products.

At the same time, Rich Andreano emphasized that the mortgage industry remains subject to disparate impact claims under the federal Fair Housing Act because of the Supreme Court’s decision in Texas Department of Housing and Community Affairs v. Inclusive Communities Project. As a result, mortgage lenders still face substantial fair lending exposure notwithstanding the CFPB’s new ECOA position.

The panelists also stressed that disparate impact is far from dead at the state level. Several states, including Massachusetts, New Jersey, and New York, are expected to continue aggressive fair lending enforcement using disparate impact theories under state statutes, regulations, and consumer protection laws.

Indeed, the panel highlighted the growing role of state attorneys general and state regulators as federal enforcement narrows.

Discouragement Liability and the ‘Townstone Effect’

Another focal point of the discussion was the CFPB’s narrowing of discouragement liability.

The panel explored how the Bureau’s revisions appear heavily influenced by the CFPB’s controversial enforcement action against Townstone Financial, where the Bureau alleged that comments made during radio broadcasts and podcasts discouraged minority borrowers from applying for loans.

Rich Andreano characterized the final rule’s discouragement provisions as effectively “the Townstone rule,” reflecting the current CFPB leadership’s strong opposition to the prior Bureau’s enforcement theory in that case.

Nevertheless, both Brad Blower and John Culhane cautioned that courts and state regulators may continue to consider broader conduct, including branch placement, marketing strategies, and community engagement, when evaluating potential redlining or discouragement claims.

SPCPs Face New Uncertainty

The podcast also examined the CFPB’s revisions to Special Purpose Credit Programs.

Brad Blower explained that while SPCPs remain permissible, the new rule substantially complicates the use of race-conscious programs by for-profit lenders. Many institutions may now seek to redesign programs around race-neutral criteria such as first-generation homeownership, low- and moderate-income geographies, or majority-minority census tracts.

Rich Andreano warned that many financial institutions, especially banks, may scale back SPCPs due to litigation and regulatory uncertainty, particularly given the broader political and legal environment surrounding diversity, equity, and inclusion initiatives.

The Practical Message: ‘Stay the Course’

Despite the significance of the CFPB’s rule changes, the clearest takeaway from the discussion was remarkably consistent: lenders should not dismantle their fair lending compliance programs.

All three panelists emphasized that institutions should continue:

• Monitoring for disparate impact.
• Reviewing underwriting and pricing models.
• Evaluating marketing and branch strategies.
• Testing AI and algorithmic systems for bias.
• Maintaining robust fair lending compliance management systems.

As Brad Blower observed, institutions that “take their foot off the gas” risk state enforcement actions, private litigation, reputational harm, and future regulatory scrutiny under a different federal administration.

Rich Andreano summarized the prevailing industry guidance succinctly: “Stay the course.”

AI, Algorithmic Underwriting, and Future Litigation

The panel also explored how the rule intersects with AI-driven lending.

Although federal ECOA disparate impact enforcement may narrow, the panelists noted that state laws and private litigation could continue targeting algorithmic discrimination. Several states already are pursuing or considering laws specifically addressing AI bias and automated decision-making.

The panel further predicted that legal challenges to the CFPB’s final rule are highly likely. Potential claims could include:

• Administrative Procedure Act challenges.
• Arguments that the CFPB disregarded congressional intent underlying ECOA.
• Challenges arising under the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo, which eliminated Chevron deference to agency rules.

The panel suggested that litigation over the final rule could ultimately reach the Supreme Court, particularly on the unresolved question of whether ECOA itself authorizes disparate impact liability.

Conclusion

This episode provides an exceptionally practical and nuanced examination of one of the most important fair lending developments in recent memory.

While the CFPB has dramatically narrowed federal ECOA enforcement theories, the broader fair lending landscape remains highly active due to state enforcement, private litigation risk, the Fair Housing Act, and ongoing scrutiny of AI-based underwriting systems.

For lenders, the message from the panel was unmistakable: despite the CFPB’s final rule, fair lending compliance remains as important as ever.

You can listen to the full podcast on the Consumer Finance Monitor Podcast available through Ballard Spahr and major podcast platforms.

Consumer Finance Monitor is hosted by Alan Kaplinsky, senior counsel at Ballard Spahr, and the founder and former chair of the firm’s Consumer Financial Services Group. We encourage listeners to subscribe to the podcast on their preferred platform for weekly insights into developments in the consumer finance industry.

To listen to this episode, click here.

Consumer Financial Services Group

Back to Top

---

OCC Finalizes Rules Confirming Preemption of State Mortgage Interest-on-Escrow Laws

On Friday, May 15, 2026, the Office of the Comptroller of the Currency (OCC) issued two final rules on national banks’ and federal savings associations’ real estate lending powers related to mortgage escrow accounts. The actions codify a rule reflecting longstanding OCC precedent on mortgage escrow account powers and finalize the proposed preemption rule regarding interest-on-escrow laws, both of which the Second Circuit relied upon in its recent decision in Cantero v. Bank of America, N.A. Both the final rules are effective June 18, 2026.

The OCC finalized, without substantive changes, the rule affirming national banks’ and federal savings associations’ flexibility to establish and maintain escrow accounts and to make business judgments regarding their terms—including whether and to what extent to pay interest or other compensation or to assess related fees.

Concurrently, the OCC issued a preemption determination concluding that the National Bank Act and Home Owners’ Loan Act preempt state laws that restrict this flexibility. The determination specifically addresses New York’s General Obligations Law § 5-601 and substantively equivalent laws in 13 other states and territories (adding Guam and the U.S. Virgin Islands from the proposal).

The OCC commended the Second Circuit’s May 5, 2026, decision in Cantero (on remand from the Supreme Court), which held that New York’s mortgage interest-on-escrow law is preempted. That opinion cited the OCC’s then-proposed rules and applied the Supreme Court’s Barnett Bank nuanced comparative analysis.

This development strengthens the federal preemption position for national banks and federal savings associations amid ongoing circuit splits (e.g., with the First Circuit’s Conti decision and Ninth Circuit’s Kivett ruling). It is likely to influence further litigation, potential en banc review, and Supreme Court consideration.

National banks should consult with counsel regarding the implications for their mortgage escrow practices across jurisdictions as the legal landscape continues to evolve. The final rule and preemption determination rules are available here and here.

There still remains tremendous uncertainty with respect to the extent that the National Bank Act preempts other state consumer protection laws. We have been counseling many national banks with respect to these matters.

Richard J. Andreano, Jr., John L. Culhane, Jr., and Alan S. Kaplinsky

Back to Top

---

Second Circuit Reaffirms Preemption of New York’s Mortgage Escrow Interest Law, Setting Stage for Potential U.S. Supreme Court Rematch With First Circuit

In a decision issued May 5, 2026, a Second Circuit Court of Appeals panel in Cantero v. Bank of America, N.A., August Term 2024, Nos. 21-400, 22-403, once again held that New York’s General Obligations Law § 5-601, which requires mortgage lenders to pay at least 2% interest on escrow accounts is preempted by the National Bank Act (NBA) as applied to national banks like Bank of America. This ruling comes on remand from the Supreme Court’s 2024 unanimous decision in Cantero v. Bank of America, N.A., which vacated the Second Circuit’s earlier opinion for failing to apply the proper “nuanced comparative analysis” under Barnett Bank. The Second Circuit had held that the New York law “would exert control over” over a national bank’s power “to create and fund escrow accounts.”

The Second Circuit’s decision starkly conflicts with the First Circuit’s 2025 ruling in Conti v. Citizens Bank, N.A., Case No. 22- 1770 (Sept. 22, 2025) (which held that a similar Rhode Island interest-on-escrow law is not preempted). The Supreme Court recently denied a cert petition on April 20, 2026, Case No. 25-1004. Since the Cantero case reached the Supreme Court once before and the conflict with the First Circuit opinion in Conti and its arguable conflict with the Ninth Circuit’s recent opinion in Kivett discussed below, there is a high likelihood the Supreme Court will grant certiorari for a second time to resolve the ongoing uncertainty. (Plaintiffs may also seek rehearing en banc in the Second Circuit.) In the interim, national banks continue to face tremendous uncertainty regarding the applicability of myriad state consumer protection laws.

On remand from the Supreme Court after Cantero, the Ninth Circuit in Kivett v. Flagstar Bank (in a 2-1 decision issued October 2, 2025) reaffirmed its prior holding that California’s interest-on-escrow law is not preempted. The majority held it remained bound by its earlier precedent (Lusnak v. Bank of America) and declined to conduct a fresh Cantero analysis as required by the Supreme Court. In March of this year, the Ninth Circuit surprisingly denied a petition for rehearing en banc. It is likely that Flagstar will file a cert petition in the Supreme Court.

This outcome arguably conflicts with the Second Circuit’s May 2026 decision in Cantero (on remand), which applied the Supreme Court’s “nuanced comparative analysis” and held New York’s similar law is preempted. The Ninth Circuit’s refusal to fully engage with the Supreme Court’s blueprint adds to the growing circuit tension and uncertainty for national banks.

Case History

Plaintiffs Alex Cantero and Saul R. Hymes (and Ilana Harwayne-Gidansky) brought putative class actions alleging that Bank of America (BOA) violated New York law by failing to pay the required 2% interest on mortgage escrow accounts. The district court denied BOA’s motions to dismiss, rejecting preemption. In 2022, a Second Circuit panel reversed, holding the state law preempted because it would “exert control over” a banking power granted by federal law.

The Supreme Court granted certiorari and, in May 2024, vacated and remanded. Justice Kavanaugh’s unanimous opinion clarified that the Dodd-Frank Act codified the Barnett Bank standard: a state consumer financial law is preempted if it “prevents or significantly interferes with the exercise by the national bank of its powers.” Courts must conduct a “practical assessment of the nature and degree of the interference” through a “nuanced comparative analysis” with Supreme Court precedents, rather than applying bright-line rules. The Court left open the potential relevance of OCC views on remand.

On remand, after reargument in March 2025, the Second Circuit panel (Judges Livingston, Park, and Pérez) reaffirmed preemption in a decision authored by Judge Park, with Judge Pérez dissenting.

Majority Opinion: Preemption Under Nuanced Barnett Bank Analysis, Bolstered by Proposed OCC Determination

The majority conducted the required comparative analysis and concluded that the nature and degree of interference by GOL § 5-601 is “more akin” to preempted state laws in Supreme Court precedents than to non-preempted state laws.

The Court reasoned as follows:

• The law affects a core national banking power: the power to make real estate loans and exercise incidental powers, including offering and structuring mortgage escrow accounts as a risk-mitigation tool.
• It targets banks specifically and limits their broad discretion to set the terms of escrow accounts (including whether and how much interest to pay), akin to the preempted state laws in Fidelity Federal Savings & Loan Ass’n v. de la Cuesta (prohibiting use of due-on-sale clauses in mortgages) and Barnett Bank itself (prohibiting bank from selling insurance).
• The degree of interference is significant, comparable to the advertising restriction in Franklin National Bank v. New York (prohibiting the use of the word “savings” to describe deposit accounts) as it imposes ongoing costs that affect the efficiency and profitability of mortgage lending operations.

The majority sharply disagreed with the First Circuit’s Conti decision, criticizing its analysis as insufficiently attentive to the practical burdens on national banks’ lending powers and its divergence from the Supreme Court’s guidance on comparative precedent analysis.

The opinion also relied on a proposed OCC determination (not yet finalized) addressing real estate lending escrow accounts, which supported the view that such state mandates significantly interfere with national banks’ powers. This added weight to the preemption conclusion, consistent with the OCC’s longstanding regulatory position on escrow-related matters.

Dissent: Criticism of Majority and OCC Role

Judge Pérez dissented, arguing that the majority failed to faithfully apply the Supreme Court’s nuanced Cantero framework and gave undue weight to the proposed (unfinalized) OCC determination. The dissent contended that the burden imposed by a modest 2% interest requirement is not severe enough to “significantly interfere” with national banks’ powers, especially when weighed against consumer protection interests and precedents where minor state regulations were allowed.

The dissent criticized the majority for an overly broad view of banking powers and for effectively reviving aspects of the categorical “control” approach of the earlier Second Circuit opinion which the Supreme Court had rejected. It also questioned the propriety of relying on a non-final OCC proposal, noting limits on deference post-Loper Bright and Dodd-Frank’s framework, and suggested the majority’s approach undermines the balance Congress intended between federal banking authority and state consumer protections.

Ongoing Uncertainty for National Banks

This decision does not end the matter. With the First Circuit going the other way in Conti (and the Supreme Court having recently declined review there), the circuit conflict is real and consequential. A petition for rehearing en banc in the Second Circuit is possible, and Supreme Court review remains highly likely given the stakes for the dual banking system.

Before and after the Supreme Court’s Cantero opinion, our firm has counseled numerous national banks on these issues. With the exception of state laws that directly conflict with an express federal power granted to national banks, the conservative approach is to comply with applicable state laws while the legal landscape continues to evolve. The patchwork of decisions creates compliance challenges, potential litigation risk, and operational complexity across jurisdictions. Banks should monitor further developments closely, including any OCC finalization of its preemption determination and appellate next steps (plaintiffs filing a petition for rehearing en banc in the Second Circuit or filing a petition for a writ of certiorari in the U.S. Supreme Court.)

This case underscores the enduring tension in national bank preemption doctrine and the practical importance of obtaining clear guidance from the Supreme Court or Congress.

*******

We have been closely monitoring Cantero and related cases through our blog, webinars, and podcast shows and will continue to do so.

Alan S. Kaplinsky

Back to Top

---

Seventh Circuit Hits Reset Button in Illinois Interchange Fee Litigation After OCC ‘Doubles Down’ on Federal Preemption Under the National Bank Act

The U.S. Court of Appeals for the Seventh Circuit issued a highly significant order on May 8, 2026, in the closely watched litigation challenging the Illinois Interchange Fee Prohibition Act (IFPA), vacating the district court’s judgment and remanding the case for further proceedings in light of the OCC’s recently issued Interim Final Rule and preemption order.

The appeals arise from litigation brought by the Illinois Bankers Association and others challenging the IFPA, an Illinois statute that prohibits financial institutions, payment card networks, acquirer banks, and processors from charging or receiving interchange fees on the tax and gratuity portions of credit and debit card transactions. The statute has generated intense controversy because of its potential operational and economic impact on the intertwined payments ecosystem and because it raises substantial federal preemption questions under the National Bank Act (NBA) and related federal banking laws.

As previously discussed in our recent blog post, the Office of the Comptroller of the Currency recently issued both (1) an Interim Final Rule and (2) a formal order concluding that the IFPA is preempted as applied to national banks and federal savings associations. Those OCC actions were issued against the backdrop of the Supreme Court’s decision in Loper Bright Enterprises v. Raimondo eliminating Chevron deference and substantially reshaping administrative law and judicial review of agency action.

The Seventh Circuit’s May 8 order dramatically changes the procedural posture of the case. Rather than proceeding with oral argument scheduled for May 13, the panel vacated the district court’s judgment in its entirety (including not just the portion that applies to national banks and federal savings associations discussing NBA preemption but also the rest of the opinion that discusses other arguments that apply to other types of entities) remanded the matter to the district court “for appropriate further proceedings.” The panel explained that the OCC’s newly issued Rule and Order “bear[] on the state statute at issue in these appeals” and that the district court should address those developments, and any related issues, before the Seventh Circuit attempts to do so itself.

The order expressly notes the sharply divergent positions advanced by the parties in supplemental appellate briefing:

• the plaintiffs and the OCC contend that the OCC’s Rule and Order require judgment in favor of the plaintiffs;
• the Illinois Attorney General contends that the Rule and Order are procedurally and substantively invalid; and
• Illinois further argues that the OCC actions do not alter the proper merits analysis.

The Seventh Circuit’s decision comes after a significant district court ruling issued earlier this year by Judge Virginia M. Kendall. The district court concluded that portions of the IFPA were likely preempted as applied to national banks and federal savings associations, while declining to extend relief as broadly as the plaintiffs had sought. The court’s analysis relied heavily on the Supreme Court’s National Bank Act preemption jurisprudence, including Barnett Bank of Marion County, N.A. v. Nelson, and attempted to distinguish between entities and activities directly tied to national bank powers and those involving other participants in the payments ecosystem. Both sides appealed aspects of the ruling, resulting in the cross-appeals now before the Seventh Circuit.

The Seventh Circuit’s order is highly consequential for several reasons.

First, the order effectively wipes away the entire district court judgment and requires the district court to reconsider the case in light of the OCC’s formal preemption determinations. That alone is a major development because it places the OCC’s actions squarely at the center of the litigation.

Second, the remand tees up what may become one of the first major post-Loper Bright tests of the degree of judicial respect owed to OCC preemption determinations under the NBA. Although Chevron deference is gone, courts may still regard the OCC’s views as persuasive under traditional principles articulated in cases such as Skidmore v. Swift & Co.. The district court will now likely need to grapple with the following questions including:

• Whether the OCC complied with procedural requirements in issuing the Interim Final Rule and Order;
• Whether the OCC properly interpreted the NBA and related preemption standards;
• Whether the IFPA “significantly interferes” with national bank powers under the framework articulated in Barnett Bank; and
• Whether different aspects of the IFPA may be preempted as applied to different entities or activities.

Third, the timing pressures in the litigation are becoming increasingly acute because the IFPA is scheduled to take effect on July 1, 2026. As a practical matter, the district court will likely need to proceed on an expedited basis. Any new district court ruling will almost certainly generate another appeal to the Seventh Circuit, and the appellate court presumably would want sufficient time to consider the issues before the statute’s effective date arrives. Indeed, the Seventh Circuit’s order expressly provides that any subsequent appeals “will return to this panel,” suggesting the court anticipates further appellate proceedings in the near future.

The compressed timeline raises another important and unresolved procedural question: whether the district court has authority to postpone or effectively extend the IFPA’s effective date pending completion of the litigation. Federal courts unquestionably possess authority to enter preliminary or permanent injunctive relief barring enforcement of a statute under appropriate circumstances. But a court-ordered delay of a statutory effective date can present distinct remedial and federalism questions because courts generally do not formally rewrite state statutes or amend legislatively enacted effective dates. More commonly, courts temporarily enjoin enforcement while litigation proceeds.

Accordingly, one possibility is that the district court could enter additional interim injunctive relief preventing enforcement of the IFPA pending final resolution of the renewed proceedings and any subsequent appeal. Such relief would likely require renewed analysis of the traditional equitable factors, including likelihood of success on the merits, irreparable harm, balance of harms, and the public interest—issues that may themselves now be heavily influenced by the OCC’s preemption determinations.

The Seventh Circuit’s order also signals that the appellate panel intends to retain close control over the litigation going forward. The panel stated that any subsequent appeals “will return to this panel,” and that supplemental briefing in any future appeal will be limited to issues newly resolved by the district court.

The stakes in the litigation remain extraordinarily high. The IFPA has been viewed by many merchants and state policymakers as a model for potential state-level regulation of interchange fees and card processing economics. Conversely, banks, card networks, and payments industry participants have warned that the law is operationally unworkable and incompatible with nationally integrated payment systems.

The district court proceedings on remand will now likely become one of the earliest and most important tests of how federal banking preemption disputes are litigated in the post-Loper Bright era, particularly where the OCC has issued formal preemption determinations designed to satisfy the procedural and substantive requirements imposed by the Dodd-Frank Act.

Bills are pending or discussions have been had in the following states which prohibit charging an interchange fee on both taxes and tips or taxes only: Rhode Island, S. 2324 (taxes and tips); Colorado, SB 2344 (taxes only); Texas, SB 2026 ( taxes and tips); Iowa, SB 5070 (taxes and tips) ; and Iowa, discussions but no bill yet (taxes only).

We will continue to monitor developments in this case, and other state bills introduced in other states which would prohibit charging interchange fees on tips and/or taxes, very closely.

Alan S. Kaplinsky, Adam Maarec, Ronald K. Vaske, John L. Culhane, Jr., and Richard J. Andreano, Jr.

Back to Top

---

Washington Supreme Court: Lenders Need ‘Negotiable Instrument’ to Nonjudicially Foreclose Residential Real Estate-Secured Loans

The Washington Supreme Court issued an opinion on April 30, 2026, that deprives Washington state lenders of the right to nonjudicially foreclose residential-secured loans unless those loans are evidenced by a negotiable instrument—i.e., a promissory note with only basic payment terms that comports with RCW 62A.3-104.

The court further held that HELOCs and other types of multiple advance (e.g., construction loans) and revolving loans cannot qualify for nonjudicial foreclosure even if evidenced by a promissory note because such a promissory note cannot qualify as a “negotiable instrument” as a matter of law. The ruling may also prevent lenders from nonjudicially foreclosing traditional single advance residential mortgage loans to the extent the promissory notes evidencing those loans contain collateral-related covenants beyond an undertaking or power to give, maintain or protect collateral to secure payment, incorporate the terms of other loan documents, or otherwise fall outside the bounds of a “negotiable instrument” as defined by RCW 62A.3-104.

Notably, the statute at issue in the opinion, RCW 61.24.030(7)(a), requires that “for residential real property of up to four units, before the notice of trustee’s sale is recorded, transmitted, or served, the trustee shall have proof that the beneficiary is the holder of any promissory note or other obligation secured by the deed of trust” and is not expressly limited to consumer loans. As a result, the decision may prohibit the nonjudicial foreclosure of commercial loans secured by such residential real estate to the same degree as consumer loans that are not evidenced by a negotiable instrument.

Vargas v. RRA CP Opportunity Trust 1, et al. involved a HELOC evidenced by a loan agreement that had been originated by Countrywide and assigned several times before RRA CP Opportunity Trust 1 (RRA) became the owner of the obligation. RRA’s servicer commenced the nonjudicial foreclosure of the defaulted HELOC and submitted a beneficiary declaration to its trustee declaring that RRA was the “holder” of the HELOC agreement as required by RCW 61.24.030(7) in connection with the nonjudicial foreclosure of residential real estate of four units or less. The borrower challenged the validity of the beneficiary declaration, arguing that a lender cannot be the “holder” of anything other than a negotiable instrument, and the HELOC loan agreement did not qualify as a negotiable instrument.

The court ruled in favor of the borrower and agreed that the reference to “holder” in RCW 61.24.030(7) requires the beneficiary to be the “holder” of a negotiable instrument as defined in UCC Article 3, and RRA did not qualify because neither revolving loans, nor loans evidenced by loan agreements, can qualify as negotiable instruments. As a result, the court ruled that RRA could not satisfy the statutory prerequisites for nonjudicially foreclosing the deed of trust securing the HELOC and could only enforce the deed of trust judicially, in part relying on what it concluded was the legislature’s “clear purpose” in enacting RCW 61.24.030(7)(a) “to ensure the party with the authority to enforce and modify the note is the party engaging in mediation and foreclosure”—i.e., a right provided to homeowners under certain circumstances under the Deed of Trust Act.

The court reached its conclusion that only real estate-secured negotiable instruments can be “held” by a beneficiary of a residential deed of trust for purposes of the Deed of Trust Act, even though the relevant statute does not use the term “negotiable instrument” and, in fact, references a beneficiary’s status as the “holder” of a promissory note “or other obligation.” The court did not explain why the legislature would reference other obligations if only residential real estate-secured negotiable instruments qualified for nonjudicial foreclosure. The court also disregarded the fact that the Deed of Trust Act uses the term “holder” in other contexts and expressly contemplates the nonjudicial foreclosure of “obligations” rather than “promissory notes” or “instruments.”

The Supreme Court’s decision has wide-ranging implications for the enforcement of loans secured by residential real estate of four units or less and invites litigation as to the nonjudicial foreclosure of all types of real estate collateral. As the decision stands now, residential HELOCs and residential construction loans cannot be foreclosed nonjudicially. Nor can any residential real estate-secured loan evidenced by a loan agreement rather than a promissory note. Even residential real estate-secured loans evidenced by promissory notes may be barred from nonjudicial foreclosure if those promissory notes do not qualify as negotiable instruments.¹

The alternatives to nonjudicial foreclosure are problematic to both lenders and borrowers. The judicial foreclosure process is expensive, time consuming, and cumbersome. It can take months to get from the commencement of a lawsuit to the consummation of a sheriff’s sale, and the successful bidder generally receives possession but does not receive actual title to the real estate until the redemption period runs.

The parties to the Supreme Court case may move for reconsideration under applicable court rules. If a motion for reconsideration is not filed by the applicable deadline, or is unsuccessful, key constituencies will need to approach the Legislature about enacting a legislative fix. Unless and until the Supreme Court reconsiders its decision or a legislative fix is enacted, real estate-secured lenders should review their loan documentation for negotiability, evaluate whether future loans should be documented with negotiable instruments, and evaluate the alternatives to nonjudicial foreclosure when enforcing residential real estate-secured loans. The Ballard Spahr Bankruptcy, Creditors’ Rights, and Restructuring Team and Mortgage Banking Team are ready to assist real estate-secured lenders in navigating these developments.

1: “[A] ‘negotiable instrument’ means an unconditional promise or order to pay a fixed amount of money, with or without interest or other charges described in the promise or order, if it: (1) Is payable to bearer or to order at the time it is issued or first comes into possession of a holder; (2) Is payable on demand or at a definite time; and (3) Does not state any other undertaking or instruction by the person promising or ordering payment to do any act in addition to the payment of money, but the promise or order may contain (i) an undertaking or power to give, maintain, or protect collateral to secure payment; (ii) an authorization or power to the holder to confess judgment or realize on or dispose of collateral; (iii) a waiver of the benefit of any law intended for the advantage or protection of an obligor; (iv) a term that specifies the law that governs the promise or order; or (v) an undertaking to resolve in a specified forum a dispute concerning the promise or order.” RCW 62A.3-104(a) (emphasis added).

Gregory R. Fox, Joan Robinson, Richard J. Andreano, Jr., and Matthew A. Morr

Back to Top

---

CFPB’s Final Rule Recalibrates Fair Lending Enforcement: A Return to Clarity and Core Statutory Principles

On April 22, 2026, the Consumer Financial Protection Bureau (CFPB), under Acting Director Russell Vought, issued a significant final rule reshaping the agency’s approach to fair lending enforcement under the Equal Credit Opportunity Act (ECOA) and Regulation B. While early commentary has been sharply divided, a closer reading of the final rule itself reveals a thoughtful and disciplined effort to realign enforcement with statutory text, evidentiary rigor, and practical compliance realities.

This development is particularly important for banks, Fintechs, and other consumer financial services providers navigating increasingly complex regulatory expectation, especially in an era of rapid technological change and expanding use of algorithmic underwriting.

The CFPB published a notice of proposed rulemaking on November 12, 2025. The comment period ended on December 15, 2025, and it has been reported that more than 64,000 comments were received. The amended rule becomes effective on July 21, 2026. Stay tuned for another podcast show that we will soon release about the amended rule.

A Shift From Expansive Theories to Statutory Anchoring

At its core, the final rule narrows the CFPB’s reliance on expansive theories of liability that, while well-intentioned, often stretched beyond the clear language of ECOA.

Most notably, the rule eliminates the agency’s prior reliance on certain analytical tools used to identify “unintended bias,” particularly those grounded in broad disparate impact theories untethered to demonstrable causation. In doing so, the CFPB emphasizes a return to:

• Text-based enforcement grounded in ECOA
• Clear evidentiary standards for proving discrimination
• Predictable compliance expectations for regulated entities

For industry participants, this represents a meaningful course correction. The prior framework often created uncertainty, where lenders could face scrutiny even in the absence of intentional discrimination or clearly defined statutory violations.

Important Limitation: No Change to the Fair Housing Act (FHA)

The practical impact of eliminating disparate impact under ECOA and Regulation B should not be overstated. The final rule does not amend or affect the FHA.

Under Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc., 576 U.S. 519 (2015), the Supreme Court of the United States held that disparate impact claims remain cognizable under the FHA. That decision remains controlling law even though Housing and Urban Development (the agency with responsibility for interpreting and enforcing the FHA) has proposed to repeal a regulation it promulgated long ago about how to detect violations of the FHA by using “disparate impact.”

Because the FHA applies broadly to loans secured by residential real estate—including first-lien mortgages, subordinate-lien loans, refinancings, home equity loans, and other credit secured by residential real estate regardless of whether the proceeds are used to purchase the property, the continued availability of disparate impact under the FHA substantially limits the practical reach of the CFPB’s ECOA revision in the mortgage market.

Accordingly, the most significant effects of the CFPB’s change are likely to be felt in areas outside the FHA’s scope, including:

• Unsecured consumer lending
• Credit card lending
• Auto finance not secured by real estate
• Personal loans
• Loans secured solely by personal property
• Certain small business or commercial-purpose credit not tied to residential real estate

In short, for many residential mortgage lenders, disparate impact risk remains very much alive through the FHA.

No Change to State Laws

It is also important to recognize that the CFPB’s final rule affects only federal ECOA and Regulation B enforcement; it does not alter state anti-discrimination statutes or regulations that continue to recognize disparate impact as a basis for liability. Most notably, New Jersey recently adopted comprehensive regulations under the New Jersey Law Against Discrimination expressly providing that disparate impact theories apply in financial lending, housing, employment, and other contexts. Other states, including Massachusetts, California, New York, and Illinois, have robust state civil rights or fair lending regimes under which regulators and attorneys general may continue to pursue effects-based discrimination theories. As a result, creditors operating on a multi-state basis should not view the CFPB’s rule as eliminating disparate impact risk, but rather as shifting much of that risk to the state level.

Reframing ‘Discouragement’ Liability

The final rule also addresses one of the more ambiguous and challenging aspects of fair lending enforcement: claims that lenders “discouraged” applicants on a prohibited basis (e.g., race, gender, or national origin).

Historically, discouragement claims posed compliance difficulties because they could be inferred from subjective or indirect evidence, such as marketing practices, customer interactions, branch placement decisions, outreach strategies, or statistical disparities.

The CFPB’s revised approach raises the bar for such claims by:

• Requiring more concrete and demonstrable evidence of discouragement
• Focusing more heavily on spoken or written words, including visual images
• Limiting reliance on speculative or attenuated inferences
• Providing greater clarity on what constitutes actionable conduct

This refinement is likely to be welcomed by compliance professionals, who have long struggled to translate broad discouragement standards into operational controls.

Impact on the Seventh Circuit’s Townstone Decision

The final rule also has important implications for CFPB v. Townstone Financial, Inc., 2024 WL 3370023 (7th Cir. July 11, 2024). In that case, the United States Court of Appeals for the Seventh Circuit accepted the CFPB’s argument that Regulation B’s discouragement provisions could reach prospective applicants who had not yet submitted a formal application for credit.

That holding relied heavily on the prior regulatory definition of “applicant” and the broader scope of discouragement embedded in former Regulation B.

By revising the definition of “applicant” and narrowing discouragement liability, the CFPB appears to have substantially undercut the regulatory foundation of the Townstone decision for future cases. While an agency cannot literally overrule a judicial opinion, the amended regulation effectively supersedes the prior interpretive basis on which Townstone was decided. As a result, Townstone may retain significance for conduct governed by the prior rule, but its precedential force under the amended rule is likely sharply diminished.

Clarification and Refinement of Special Purpose Credit Programs

Another notable aspect of the CFPB’s final rule is its treatment of Special Purpose Credit Programs (SPCPs), a long-recognized but historically underutilized feature of ECOA.

Under prior CFPB guidance and enforcement posture, creditors often faced uncertainty in designing SPCPs intended to benefit economically or socially disadvantaged groups. While ECOA expressly permits such programs, ambiguity around eligibility criteria, documentation requirements, and potential fair lending scrutiny had a chilling effect on broader adoption.

The final rule addresses this uncertainty by refining and narrowing the regulatory language governing SPCPs, with several key changes:

More Defined Eligibility Parameters

The rule places greater emphasis on clearly articulated, evidence-based criteria for identifying the class of persons the program is intended to benefit. Creditors are encouraged to rely on objective, documented data, such as income levels, geographic indicators, or other demonstrable measures of disadvantage, rather than broader or more generalized categorizations.

Enhanced Documentation Expectations

While SPCPs remain permissible, the rule clarifies that creditors must maintain robust, contemporaneous documentation supporting the program’s purpose, structure, and ongoing justification.

Tighter Nexus to Statutory Language

The CFPB aligns its interpretation of SPCPs more closely with the text of ECOA, reinforcing that such programs must be carefully tailored and not serve as open-ended or loosely defined initiatives.

Reduced Reliance on Informal Guidance

The final rule moves away from prior, more expansive interpretive guidance that some stakeholders viewed as creating safe harbors.

From an industry perspective, these changes may initially introduce a higher degree of discipline in SPCP design and administration. However, they also offer greater legal clarity and defensibility.

Compliance Benefits: Certainty, Consistency, and Innovation

For financial institutions and Fintech companies, the practical implications of the final rule are substantial.

1. Greater Regulatory Certainty

By narrowing enforcement to well-defined statutory boundaries, the rule reduces ambiguity and the risk of unpredictable supervisory findings.

2. Improved Risk Management

Compliance programs can now be more precisely calibrated to identifiable legal standards, rather than evolving enforcement theories.

3. Support for Responsible Innovation

As AI and machine learning become more prevalent in credit underwriting, the prior emphasis on disparate impact created tension between innovation and compliance. The new ECOA framework allows institutions to:

• Deploy advanced models with greater confidence
• Focus on actual discriminatory outcomes rather than theoretical ones
• Continue investing in data-driven credit expansion

That said, lenders involved in residential real estate lending must still account for FHA disparate impact risk.

A Measured Approach to Fair Lending Enforcement

Importantly, the final rule does not eliminate fair lending enforcement. Rather, it refocuses it.

The CFPB retains robust authority to pursue:

• Intentional discrimination
• Clear violations of ECOA and related statutes
• Practices that demonstrably disadvantage protected classes where otherwise authorized by law

What changes is the methodology—shifting from broad, effects-based theories to a more disciplined, evidence-driven ECOA framework.

Broader Policy Context

The rule reflects a broader policy perspective within the Trump administration favoring:

• Regulatory restraint
• Clear rules over flexible standards
• Deference to statutory text rather than agency interpretation

Sharp Criticism from Consumer Advocates

Notwithstanding the CFPB’s effort to ground the final rule more firmly in statutory text and evidentiary rigor, the rule has drawn forceful criticism from prominent policymakers and consumer advocacy organizations.

Leading the opposition, Elizabeth Warren has characterized the rule as a fundamental weakening of fair lending protections.

Similarly, the National Consumer Law Center has raised concerns that the revised approach could significantly curtail enforcement in cases where discrimination manifests through neutral policies with disproportionate effects.

Other consumer advocacy groups have echoed these concerns, warning that:

• The elimination of certain analytical tools may limit regulators’ ability to detect emerging patterns of bias, especially in algorithmic decision-making
• A heightened evidentiary threshold for discouragement claims could discourage enforcement actions even where real-world access to credit is impaired
• The rule may shift too much risk onto consumers, requiring clearer proof of harm in contexts where information asymmetries already exist

Critics also point to the increasing use of artificial intelligence and complex underwriting models, arguing that a reduced emphasis on effects-based analysis may make it more difficult to identify unintended but consequential discriminatory outcomes embedded in automated systems.

We anticipate that one or more lawsuits may soon be filed by consumer advocacy groups challenging the validity of the amended Regulation B. We will report on any such lawsuit.

Key Takeaways

• The CFPB’s final rule represents a significant recalibration of fair lending enforcement—not a retreat from it.
• By eliminating certain tools used to detect unintended bias under ECOA, the Bureau is prioritizing clarity, causation, and statutory fidelity.
• The change does not alter disparate impact liability under the FHA for residential real estate-secured lending.
• The revised discouragement standard provides much-needed guidance for lenders navigating customer interactions and marketing practices.
• The Townstone decision’s relevance for future cases has likely been substantially narrowed.
• Financial institutions and Fintechs stand to benefit from greater predictability, particularly in unsecured and non-mortgage lending markets.

Conclusion

The CFPB’s final rule marks a pivotal moment in the evolution of fair lending enforcement. By grounding its approach more firmly in statutory text and evidentiary rigor, the Bureau has taken a step toward a more transparent and workable regulatory framework.

For industry participants, this is not merely a policy shift, it is an opportunity to align compliance strategies with clearer rules while continuing to expand access to credit through innovation and responsible lending practices.

If implemented thoughtfully, this recalibrated approach has the potential to strike a durable balance between fairness, accountability, and economic dynamism.

Alan S. Kaplinsky

Back to Top

---

NYDFS Says Disparate Impact Remains in Effect

Countering an executive order issued by President Trump and the adoption by the CFPB of its final rule revising Regulation B, the New York Department of Financial Services recently issued an Industry Letter warning the financial institutions that it regulates that they must consider disparate impact when lending.

“Regulated Entities are reminded that under Section 296-a, covered credit decisions that result in a disparate impact may constitute an unlawful discriminatory practice,” the agency wrote in a letter to financial institutions.

The department said that section “prohibits discrimination in, among other things, the granting, withholding, extending, or renewing, or in the fixing of the rates, terms, or conditions of any form of credit on the basis of statutorily established characteristics. N.Y. Exec. L. § 296-a(1)(b). Discrimination is prohibited on the basis of race, creed, color, national origin, citizenship or immigration status, sexual orientation, gender identity or expression, military status, age, sex, marital status, status as a victim of domestic violence, disability, or familial status.”

The letter runs counter to Executive Order 14281 issued by President Trump. In that order, President Trump wrote that “disparate-impact liability all but requires individuals and businesses to consider race and engage in racial balancing to avoid potentially crippling legal liability. It not only undermines our national values, but also runs contrary to equal protection under the law and, therefore, violates our Constitution.”

The letter also runs counter to the CFPB’s final rule revising Regulation B, which eliminated all references to disparate impact in the text of the rule and in the Official Staff Commentary. Having examined Regulation B, and the comments received on its proposed rule, the CFPB “determined that, under the best reading of the statute, disparate impact claims are not cognizable under [the Equal Credit Opportunity Act] (ECOA).”

In finalizing its revisions to Regulation B, the CFPB declined to provide guidance on how to comply with state antidiscrimination laws, noting that it has no authority over or expertise regarding state laws that include a disparate impact component. However, consistent with Section 705(f) of the ECOA and Section 1002.11(a) of Regulation B, which provide that state laws that provide greater protection for an applicant are not preempted, it did observe that creditors “are still liable” under applicable state antidiscrimination statutes, and, accordingly, that “the incentives for [creditors] to implement policies or engage in practices that lead to disparate impact may be restricted.”

By contrast, in the executive order President Trump addressed the existence of fair lending and fair housing provisions in state laws, saying that the administration would determine if federal law preempts state regulations, policies, or practices that impose disparate-impact liability based on a “federally protected characteristic such as race, sex, or age, or whether such laws, regulations, policies, or practices have constitutional infirmities that warrant Federal action, and shall take appropriate measures consistent with the policy of this order.”

John L. Culhane, Jr. and Alan S. Kaplinsky

Back to Top

---

CFPB’s OIG Investigating Current Workforce and Contracting Developments Plus Interpretations Adopted and Enforcement Actions Taken Under Then Director Chopra

The CFPB’s Office of Inspector General is still investigating the agency’s workforce and contracting moves to see what impact it has had on agency actions.

“We are reviewing the CFPB’s workforce and contracting actions to determine their high-level effects on mission-related activities and support functions,” the OIG said, in an update of its activities. “We are not assessing whether these actions complied with applicable laws, regulations, policies, or procedures because they are the subject of ongoing litigation.”

The office of Inspector General Michael E. Horowitz did not provide additional details of that probe.

The IG’s office had reported the investigation last summer in a letter to Senator Andy Kim, (D-N.J.).

The IG’s office, which also covers the Federal Reserve Board, reported last summer that it was investigating the bureau’s workforce reductions and its canceled contracts, according to a letter to Senator Kim, from then-Acting FRS/CFPB IG Fred Gibson.

Gibson said he already was investigating the workforce reductions at the Bureau in response to a letter from Senator Gary Peters, (D-Mich.) and 15 other Senators. Responding to a call from Kim and Senator Elizabeth Warren, (D-Mass.), Gibson now has expanded his work to include contracts that have been canceled by the Trump administration.

In February, the GAO issued a report that mainly detailed timelines of various actions at the CFPB related to the reorganization and downsizing of the agency. As noted by the GAO, the actual analysis of the effect of the actions will be set forth in a future report.

Separately, the OIG is investigating developments that occurred under the tenure of former Biden administration Director Rohit Chopra.

“We are assessing whether the CFPB, under former Director Rohit Chopra, adhered to relevant processes and procedures in its decisions to broaden its definition of ‘unfair, deceptive, or abusive acts or practices’ and its definition of ‘credit,’ under the Truth in Lending Act,” the OIG said.

The CFPB had directed its examiners to apply the Consumer Financial Protection Act’s unfairness standard to conduct considered to be discriminatory whether or not it is covered by the Equal Credit Opportunity Act, such as in connection with denying access to a checking account. (After losing in district court, the CFPB revised its exam manual to delete those directions. An appeal to the Fifth Circuit was dismissed, following the change in Administrations.)

While the OIG did not identify the interpretations of “credit” under the Truth in Lending Act that will be reviewed, they seem likely to include the interpretive rule on Buy Now Pay Later transactions, the proposed interpretive rule on Earned Wage Access transactions, the advisory opinion on Contract for Deed transactions, and the rule on PACE transactions. Although the rule on PACE transactions went into effect on March 1, 2026, under Acting Director Russell Vought, the CFPB withdrew the BNPL rule, the proposed EWA rule, and the Contract for Deed advisory opinion.

“We will also inquire whether the CFPB has available information that will enable us to assess the time and costs associated with the enforcement actions issued during then Director Chopra’s tenure in comparison to those issued during the tenure of prior directors,” the OIG said.

A probe into those developments had been requested by members of Congress, according to the OIG, which did not identify those members.

John L. Culhane, Jr., Richard J. Andreano, Jr., and Alan S. Kaplinsky

Back to Top

---

CFPB Surprisingly Appeals Judge Davila’s Funding Decision to the Ninth Circuit

Just when the conventional wisdom seemed to be that the CFPB was no longer going to assert that it could not request funding from the Federal Reserve because of combined losses at the Federal Reserve Banks, things have once again been thrown into a cocked hat. On May 11, 2026, the CFPB filed a notice of appeal to the U.S. Court of Appeals for the Ninth Circuit seeking review of U.S. District Judge Edward Davila’s March 13, 2026, decision holding that the Bureau must continue requesting funding from the Federal Reserve.

As previously discussed in our blog, Judge Davila ruled that Acting Director Russell Vought acted unlawfully when he concluded that the CFPB could no longer request transfers from the Federal Reserve because the Federal Reserve System allegedly lacked “combined earnings” within the meaning of Section 1017 of the Consumer Financial Protection Act. Judge Davila held that “combined earnings” means combined revenues (and not combined profits) of the Federal Reserve Banks.

The lawsuit was brought by Rise Economy, the National Community Reinvestment Coalition, and the Woodstock Institute. Judge Davila granted summary judgment in favor of the plaintiffs and held that the CFPB’s interpretation of “combined earnings” was arbitrary, capricious, and contrary to law under the Administrative Procedure Act. He ordered the CFPB to continue requesting from the Federal Reserve the funds “reasonably necessary” to carry out its statutory responsibilities. Judge Davila imposed no limit on the duration of the order

Judge Davila’s opinion was strongly worded. Among other things, he concluded that the CFPB’s position would undermine Congress’s intent to create an agency insulated from the annual appropriations process and would subject the Bureau to “intermittent defunding” based on fluctuations in the Federal Reserve’s balance sheet.

The appeal sets up yet another significant appellate battle over the CFPB’s structure and funding mechanism. Although the Supreme Court upheld the CFPB’s funding structure in Consumer Financial Protection Bureau v. Community Financial Services Association of America, Ltd., the Davila litigation presents a different issue — namely, whether the CFPB may refuse to seek funding from the Federal Reserve based on the Federal Reserve System’s combined operating losses.

The Ninth Circuit appeal also comes against the backdrop of separate litigation still pending in the D.C. federal courts involving the CFPB’s staffing reductions and funding issues. Judge Amy Berman Jackson previously rejected a similar CFPB argument concerning the Bureau’s authority to stop requesting Federal Reserve funding. The CFPB never appealed Judge Jackson’s order requiring the CFPB to request funding from the Federal Reserve and the CFPB seemed to throw in the towel on the funding question when Acting Director Vought requested funding for the second quarter of the Government’s fiscal year.

It will be interesting to see whether the CFPB aggressively pursues the appeal or whether the filing of the notice of appeal was primarily intended to preserve appellate rights while the Bureau evaluates its longer-term litigation strategy. As stated above, the CFPB already has been complying with court orders directing it to request Federal Reserve funding.

Until the CFPB files its opening brief in the Ninth Circuit, we don’t know whether the CFPB is directly appealing Judge Avila’s reasoning that “combined earnings” means combined revenues or whether the CFPB is limiting its appeal to the indefinite duration of the order.

The Ninth Circuit’s eventual decision could have major implications not only for the CFPB’s operational independence, but also for the broader question of how much discretion an agency head has to effectively suspend agency operations through funding decisions notwithstanding Congress’s statutory directives.

Alan S. Kaplinsky

Back to Top

---

Secondary Ticketing Website to Pay $10 Million for Failing to Disclose Full Price of Tickets

The nation’s largest ticket exchange and resale service, StubHub Holdings, Inc., will pay $10 million to settle Federal Trade Commission (FTC) allegations that the company violated the FTC Act and the agency’s trade regulation rule on Unfair or Deceptive Fees.

The FTC said the service advertised ticket prices on its website without “clearly and conspicuously disclosing up-front how much consumers actually would pay, including all mandatory fees” from May 12 through May 14, 2025. The FTC’s Fees Rule became effective on May 12, 2025. StubHub neither admitted nor denied any of the FTC’s allegations.

“The Commission’s Fees Rule makes it very clear that the total price of live-event tickets must be disclosed up-front to enable consumers to make fully informed purchasing decisions,” Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection said, in a statement.

The action follows the Trump administration’s Executive Order 14254, Combatting Unfair Practices in the Live Entertainment Market, which includes directions to the commission to “take appropriate action . . . to ensure price transparency at all stages of the ticket-purchase process, including the secondary ticketing market.”

The FTC’s complaint, filed in the U.S. District Court for the Southern District of New York, follows a warning letter the FTC sent StubHub on May 14, 2025, saying that multiple prices contained on its website appeared to violate the agency’s Fees Rule.

“We have identified instances in which StubHub’s displayed ticket prices do not include all mandatory fees and charges,” Serena Viswanathan, the FTC’s Associate Director for the FTC’s Division of Advertising Practices, wrote, in that letter. “Although the Fees Rule allows initial exclusions from total price for government charges, shipping charges, and fees or charges for optional ancillary goods or services, the mandatory fees and charges StubHub has omitted from its price displays, such as fulfillment fees and service fees, do not appear to be covered by any permissible exemption.”

The letter continued, “We strongly encourage you to immediately bring all of your company’s offers, displays, and advertisements into compliance with the Fees Rule.”

In the complaint, the FTC alleged that StubHub failed to provide the total price for tickets—including for high-demand National Football League tickets in the lead-in for when the NFL schedule was announced on May 14, 2025—in the first three pricing displays on its website. In those cases, the FTC asserted that StubHub failed to disclose the total price of the tickets.

The proposed order settling StubHub’s alleged violations of the FTC Act requires the company to provide monetary relief to eligible consumers through a settlement and consumer redress distribution program. The order also prohibits StubHub from misrepresenting the total price of any good or service and any fee or charge, including its nature, purpose, amount, or refundability, as well as why the fee or charge is being imposed. The purchase price also must include the final payment amount for any transaction; and any other material fact including those related to refunds or cancellations.

The proposed order also prohibits StubHub from:

• “[F]ailing to disclose the total price more prominently than any other pricing information.”
• “Failing to Clearly and Conspicuously disclose, before the consumer consents to pay for any Covered Good or Service:

1. The nature, purpose, and amount of any fee or charge imposed on the transaction that has been excluded from Total Price and the identity of the good or service for which the fee or charge is imposed; and

2. The final amount of payment for the transaction.”

The proposed order sets forth a detailed definition of “Clearly and Conspicuously.” In a press release issued in connection with the proposed order the FTC stated that “[w]ithin 90 days of the date of the order StubHub must provide redress to two groups of eligible consumers who bought tickets for live events in the U.S. between May 12 and 14, 2025. The first group includes those where the total price of tickets was not disclosed on the initial pricing display. The second group includes all other consumers who bought tickets during that period.”

FTC Chairman Andrew N. Ferguson issued a separate statement. “The Trump-Vance Commission will not tolerate ticket sellers taking advantage of fans’ excitement to attend football games and other live events,” he said. Ferguson continued, “Immediately upon learning of StubHub’s alleged noncompliance, I directed Commission staff to act. On May 14, 2025, staff promptly issued a warning letter to StubHub. By the next day, StubHub fixed the issue.”

Finally, while the FTC has not brought a “junk fee” enforcement action against any consumer financial services providers since adopting the Fees Rule, the industry should take careful note of these developments, as consumer advocates have previously urged regulatory agencies to take action against the pricing practices at issue in the StubHub settlement and states and municipalities continue to consider and enact laws and regulations targeting hidden fees and drip pricing.

Richard J. Andreano, Jr., John L. Culhane, Jr., and Ronald K. Vaske

Back to Top

---

Virginia Moves Toward State-Court Class Actions: A Major Shift With Significant Business Implications

Virginia is on the verge of making a consequential change to its civil justice system. Legislation now pending before Governor Abigail Spanberger would authorize private class actions in Virginia state courts and make significant amendments to the Virginia Consumer Protection Act (VCPA). If signed, Virginia would join virtually every other state in expressly permitting class action procedures in its own courts. Mississippi would then stand alone as the only state without a comparable state-court class action mechanism.

Supporters, in a letter urging Virginia Governor Spanberger to sign the bill, characterize the legislation as opening courthouse doors for consumers allegedly harmed by widespread corporate misconduct. But businesses should view the proposal more realistically: it would likely invite a substantial increase in class action litigation, create new settlement pressure, and enrich the plaintiffs’ class action bar far more than it benefits consumers.

Governor Spanberger is expected to sign the bill which would become effective on January 1, 2027.

Why This Matters

Although federal class actions have long been available nationwide under Rule 23 of the Federal Rules of Civil Procedure, many claims involving Virginia consumers are filed in state court or involve state-law causes of action. Most of those types of cases are not removable to federal court under federal question, diversity of citizenship, or the Class Action Fairness Act. By expressly permitting state-court class actions, Virginia would become a more attractive forum for consumer, privacy, fee, subscription, discrimination, and other class claims.

Coupled with amendments to the VCPA, the legislation could significantly expand litigation exposure for companies doing business with Virginia residents.

Key Changes to the Virginia Consumer Protection Act

The bill does more than authorize class actions. It also broadens aspects of the VCPA, potentially increasing both private litigation and enforcement risk.

The letter from the consortium of consumer groups to Governor Spanberger referred to above described these changes to the VCPA as follows:

This bill also modernizes the Virginia Consumer Protection Act (VCPA). The VCPA is Virginia’s key protection for its residents against deceptive business practices. SB229/HB449 makes modest but important amendments clarifying that damages may be recovered for every violation of the statute and that consumers can. stop deceptive practices without having to meet the hurdle of proving in each case that they relied on a misleading representation or omission. The bill brings the VCPA in line with federal and numerous other state consumer laws. The new provisions ensure that Virginians will have better access to enforce the VCPA’s rights and protections.

While described as “modernization,” businesses should recognize that such amendments frequently translate into more lawsuits, more aggressive demand letters, and higher settlement pressure.

The Reality of Consumer Class Actions

Proponents often claim class actions are the only practical remedy for small-dollar harms. That argument sounds compelling in theory, but decades of experience show that many consumers receive little or no meaningful recovery.

In numerous consumer settlements:

• Individual payouts are nominal—sometimes only a few dollars, coupons, or account credits. In a study done by the CFPB of putative class actions filed during a certain period of time in certain courts where information was available, most putative class members recovered nothing. Those members who participated in class action settlements involving a cash payment received an average cash payment of a paltry $32.35 each. Sometimes, it took more than 2 years to recover that amount. Class counsel in these cases, however, recovered a staggering $424,495,451.
• Claims rates are frequently very low, meaning most class members recover nothing at all.
• Attorneys’ fees can reach millions of dollars even when aggregate consumer participation is modest.
• Businesses face intense pressure to settle weak or marginal claims because the cost and risk of defending a certified class action can be enormous.

The primary economic beneficiaries are often plaintiffs’ lawyers, not consumers.

Increased Costs Ultimately Reach Consumers

Class action exposure is not cost-free. Companies facing heightened litigation risk often respond by:

• Raising prices
• Reducing product offerings
• Tightening credit standards
• Increasing compliance and legal costs
• Limiting innovation or new services

Those costs are ultimately borne by the very consumers the legislation purports to help.

Arbitration Clauses and Class Action Waivers: Now More Important Than Ever

If Governor Spanberger signs this bill, companies contracting with Virginia consumers should promptly review whether their customer agreements contain enforceable, state-of-the-art arbitration provisions with class action waivers.

The Supreme Court of the United States has repeatedly upheld properly drafted arbitration agreements under the Federal Arbitration Act, including provisions requiring individual arbitration rather than class proceedings. For many businesses, these provisions remain the most effective tool for managing runaway class action exposure while still providing consumers with an efficient forum for dispute resolution.

Companies should consider:

• Updating consumer-facing contracts and terms of use
• Reviewing assent mechanisms for digital enrollments
• Ensuring arbitration clauses are conspicuous and enforceable
• Including mass-arbitration management provisions, where appropriate
• Reassessing dispute resolution strategies for Virginia-facing operations
• Reviewing advertising, fee, privacy, and disclosure practices for VCPA compliance and compliance with other Virginia laws.

Bottom Line

Virginia’s proposed legislation may be marketed as a consumer-rights measure, but history suggests that class actions often produce outsized fee awards for plaintiffs’ lawyers and modest relief for consumers. Combined with broader amendments to the VCPA, the bill could materially increase litigation risk for companies operating in Virginia.

Businesses should closely monitor whether Governor Spanberger signs the bill and, if enacted, take immediate steps to evaluate arbitration agreements, compliance controls, and broader litigation-risk mitigation strategies.

Opening the door to more class actions may benefit the plaintiffs’ bar. Whether it benefits consumers is far less certain.

Thomas Burke, Alan S. Kaplinsky, and John Sadler

Back to Top

---

Maryland Targets ‘Surveillance Pricing’: Is It a Warning Shot for AI-Driven Pricing Across Industries, Including Consumer Financial Services?

On April 28, 2026, Governor Wes Moore of Maryland has signed into law the nation’s most aggressive state law aimed at so-called “surveillance pricing” and algorithmic price-setting. House Bill 895, titled the Protection From Predatory Pricing Act, will become effective on October 1, 2026. It restricts the use of personalized pricing, consumer data-driven pricing, and certain AI-enabled pricing practices, particularly in the food retail (operating establishments of at least 15,000 square feet) and delivery sectors. Although the statute expressly excludes financial institutions from portions of the law, it should be viewed as an important signal of where state lawmakers may be headed next.

While this legislation deals only with grocery stores of a certain size and third-party food delivery apps, it is an early indication that state regulators and legislatures are increasingly skeptical of individualized pricing models powered by consumer data and artificial intelligence. If that trend continues, other types of businesses, consumer financial services, may become future targets.

What the Maryland Law Does

The statute addresses two related concerns:

1. Restrictions on Dynamic Pricing for Food Retailers

The law prohibits certain food retailers and third-party food delivery platforms from using “dynamic pricing” to charge higher prices for tax-exempt food sold to specific consumers. The law broadly defines dynamic pricing as personalized pricing based on a consumer’s personal data, including pricing determined through AI systems or models that retrain or recalibrate in near real time.

The statute also bars those businesses from using surveillance personal data to charge higher prices to an individual or group of consumers.

At the same time, the law recognizes several exceptions, including:

• loyalty and rewards programs
• promotional discounts
• subscription pricing
• publicly disclosed group discounts (students, seniors, veterans, etc.)
• pricing based on geography, taxes, shipping, supply constraints, or inventory shortages
• voluntary data-for-discount arrangements
• general price changes based on supply and demand that do not use individualized consumer data

2. Disclosure Requirements for Other Merchants

For merchants outside the food-retail category, the law requires clear disclosures when prices are set using algorithms or personal data. Specifically, a merchant that uses dynamic pricing or personal data to set prices and then advertises those prices must disclose:

“THIS PRICE WAS SET BY AN ALGORITHM OR BY USING YOUR PERSONAL DATA.”

Why This Matters for Consumer Financial Services

The law excludes financial institutions and GLBA-covered entities from one section of the statute. But exemptions today do not guarantee exemptions tomorrow.

Indeed, many consumer financial products already rely on individualized pricing models that use data analytics and machine learning, including:

• credit card APR offers
• personal loan rates
• auto finance pricing
• mortgage pricing adjustments
• insurance-adjacent financial products
• overdraft alternatives and small-dollar credit
• targeted fee waivers or incentives
• marketing offers personalized through behavioral data

Traditionally, such pricing has been defended as risk-based pricing, which has long been accepted when tied to legitimate underwriting factors. But policymakers increasingly may ask a different question:

When does legitimate risk-based pricing become impermissible surveillance pricing?

That question becomes even sharper when models incorporate nontraditional data, geolocation, browsing behavior, device information, purchase history, or inferred behavioral traits.

Expect Fair Lending Theories to Expand

Maryland’s law also prohibits the use of “protected class data” where it has the effect of denying accommodations or privileges available to others. That language reflects a familiar anti-discrimination framework.

Consumer financial services companies should expect similar arguments under:

• The Equal Credit Opportunity Act
• The Fair Housing Act
• State Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) theories
• State mini-CFPB laws
• State privacy statutes regulating profiling and automated decision-making

Even where protected-class variables are not directly used, state regulators may challenge proxy discrimination, disparate impact, or opaque algorithmic outcomes.

The Coming Debate: Personalization vs. Fairness

Supporters of individualized pricing argue it can:

• improve efficiency
• match prices to risk
• expand access to credit
• offer discounts to price-sensitive consumers
• reduce losses and lower overall costs

Critics argue it can:

• penalize vulnerable consumers
• exploit urgency or desperation
• hide discriminatory outcomes
• undermine price transparency
• create a marketplace where every consumer pays something different

That debate is no longer theoretical. Maryland has now legislated in this area.

What Financial Institutions Should Do Now

Even though the law currently carves out many financial entities, banks, Fintechs, lenders, and servicers should not ignore it. They should begin evaluating:

• What data influences pricing decisions
• Whether pricing models use behavioral or surveillance-like inputs
• How explainable their models are
• Whether disparate impacts can be measured and mitigated
• Whether consumer disclosures about personalization are adequate
• Whether state legislatures could target their sector next

Final Thoughts

Maryland’s new law may be remembered as one of the first significant legislative attacks on surveillance pricing. While the immediate focus is food retail and merchant pricing, the broader principle is clear: lawmakers are increasingly uncomfortable with opaque AI systems using personal data to determine what each consumer pays.

Consumer financial services has historically relied on personalized pricing more than almost any other industry. That reality makes the sector a likely future battleground.

Today it is grocery prices. Tomorrow it could be loan pricing, fees, interest rates, or credit offers. Institutions that assume this debate will stop at the supermarket door may be making a serious mistake.

Alan S. Kaplinsky, Adam Maarec, and Joseph J. Schuster

Back to Top

---

GLBA Modernization Legislation: Key Implications for Financial Institutions’ Data Practices

The House Financial Services Committee recently advanced legislation to modernize the Gramm-Leach-Bliley Act (GLBA), reflecting a continued shift toward more prescriptive data governance obligations for financial institutions. The proposal, titled the GUARD Financial Data Act, is paired with the SECURE Data Act and is intended to establish a national framework for consumer data privacy while updating GLBA’s longstanding notice-and-opt-out regime.

While the path forward for the legislation remains uncertain, the proposal provides a useful window into how policymakers are approaching financial data privacy, and where expectations for institutions’ data practices may be headed.

Below are several of the most consequential elements.

A Shift Toward Data Minimization and Purpose-Based Constraints

At the center of the bill is a new data minimization requirement that would limit financial institutions’ collection and disclosure of nonpublic personal information (NPI) to what is “adequate, relevant, and reasonably necessary” for a specified purpose.

This represents a notable evolution from the current GLBA framework, which is primarily disclosure-driven. In practice, this requirement would push institutions toward:

• Defined, documented purposes for data use;
• Enterprise data mapping and inventorying; and
• Alignment of retention and sharing practices with those purposes.

The construct closely tracks “purpose limitation” concepts found in comprehensive state privacy laws and the GDPR, suggesting continued convergence between financial privacy regulation and broader data protection regimes.

Importantly, the bill retains GLBA’s existing exceptions and expressly permits disclosures required under Section 1033 of the Dodd-Frank Act and other established frameworks.

New Data Access and Deletion Rights

The legislation would introduce new consumer rights, including:

• A right to access nonpublic personal information (NPI) held by a financial institution; and
• A right for former customers to request deletion of their data.

The deletion right, while narrower than some state privacy laws given its focus on former customers and the breadth of GLBA exceptions, would nonetheless require institutions to operationalize:

• Identity verification procedures;
• Request intake and response workflows (generally within 45 days); and
• Appeals processes for denied requests.

These requirements move GLBA closer to the rights-based model seen in state comprehensive privacy statutes, even if the scope is more tailored to the financial services context.

Expanded Transparency and Governance Expectations

The bill would significantly expand privacy notice requirements, requiring disclosures regarding:

• Categories of purposes for data collection and disclosure;
• Data retention practices;
• Use of artificial intelligence; and
• Whether data is processed in certain foreign jurisdictions.

These additions reinforce the expectation that privacy disclosures reflect underlying governance practices, increasing the need for coordination among legal, compliance, and data management functions.

Limits on Use of Consumer Access Credentials—With Important Caveats

The proposal addresses the use of consumer access credentials (e.g., usernames and passwords) by data aggregators and third parties.

It would require:

• Clear disclosures regarding how credentials are used and shared;
• Notice of associated risks; and
• An opportunity for consumers to opt out of credential-based access.

However, the bill does not prohibit credential-based access. If a consumer receives the required disclosures and does not opt out, a financial institution may not deny the resulting data access request.

As a result, while the provision introduces greater transparency and consumer control, it could allow screen scraping practices to persist alongside API-based data sharing.

Interplay with Section 1033—and Tension with API-Based Data Access

The legislation explicitly incorporates Section 1033 of the Dodd-Frank Act, preserving disclosures required under that provision and requiring compliance with Section 1033 in connection with credential-based access.

This alignment signals that Congress intends GLBA modernization to operate alongside the emerging open banking framework. At the same time, the bill introduces a potential tension with how that framework is currently developing in practice.

In particular, Section 1033 rulemaking has been moving the market toward more secure, standardized, API-based data access—an approach broadly supported by banks, data aggregators, and Fintechs as a replacement for credential-based “screen scraping.” APIs are generally viewed as more secure, auditable, and controllable, enabling institutions to limit data sharing to defined data elements.

By contrast, the GLBA modernization bill preserves the viability of credential-based access so long as disclosure and opt-out requirements are satisfied—and, critically, prohibits financial institutions from denying such access in those circumstances.

This creates a structural inconsistency:

• On one hand, Section 1033 implementation is pushing the ecosystem toward APIs as the preferred (and in some cases required) method of data access;
• On the other hand, the proposed GLBA amendments would effectively entrench a pathway for continued credential-based access.

The result may be a hybrid environment in which:

• API-based access expands, particularly where bilateral agreements and technical standards are in place; but
• Credential-based access remains available as a fallback, potentially slowing full migration away from screen scraping.

For financial institutions, this dynamic could complicate data access strategies, vendor management, and risk controls, particularly where institutions are seeking to phase out credential-based access in favor of more secure alternatives.

Federal Preemption and Comparison to State Privacy Laws

A central feature of the bill is its establishment of a national standard for financial data privacy, coupled with preemption of state laws as applied to GLBA-covered financial institutions and data.

This approach would represent a significant shift from the current landscape, where financial institutions must navigate:

• GLBA requirements;
• Sector-specific rules (e.g., FCRA); and
• A growing patchwork of state comprehensive privacy laws (such as those in California, Colorado, and others).

Unlike those state laws, which generally apply across sectors and include broader consumer rights, such as correction rights, broader deletion rights, and opt-outs of targeted advertising, the proposed framework is more tailored to financial services but would displace those state regimes with respect to GLBA-covered entities and data.

From an industry perspective, this could reduce compliance fragmentation. At the same time, it would replace a more flexible, disclosure-based federal regime with a more prescriptive framework that incorporates elements of those same state laws, including data minimization and expanded individual rights.

Broader Takeaways

Regardless of the ultimate legislative outcome, the proposal highlights several clear trends:

• Movement toward substantive regulation of data practices. Data minimization and purpose-based use limitations are gaining traction.
• Rising expectations for operational privacy infrastructure. Data mapping, retention controls, and consumer rights workflows are becoming core compliance capabilities.
• Continued convergence across privacy regimes. The bill reflects increasing alignment between GLBA, 1033, state privacy laws, and global frameworks.

Taken together, these developments point toward a future in which financial institutions face more rigorous and granular expectations around the full data lifecycle, from collection through retention and deletion.

For a discussion of the SECURE Data Act, see a companion post from Ballard Spahr’s Privacy and Data Security Team here.

Adam Maarec

Back to Top

---

U.S. House Committee Releases SECURE Data Act to Establish New Federal Privacy Framework

On April 22, 2026, the House Energy & Commerce Committee released the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act). The SECURE Data Act seeks to establish a comprehensive federal framework for consumer privacy rights and the protection of personal data. Subject to certain exemptions, the SECURE Data Act applies to businesses subject to the FTC Act or common carriers subject to title II of the Communications Act of 1934 that either (a) collect and process personal data of more than 200,000 consumers annually and have an annual gross revenue of $25 million or more, or (b) collect and process personal data of 100,000 consumers annually and “derive[] 25 percent or more of the[ir] annual gross revenue . . . from the sale of such personal data.” The SECURE Data Act’s framework will require operational changes for many businesses, including those already complying with state privacy laws. Below is an overview of several material provisions of the SECURE Data Act.

Consumer Privacy Rights

Section 2 of the SECURE Data Act grants consumers the right to access, correct, delete, and obtain a copy of their personal data. It further grants consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, and “[r]eliance on profiling to make a decision that had a legal or similarly significant effect on the consumer.” Controllers must establish and disclose in a privacy notice the means by which a consumer may submit a request to exercise these rights.

Further, the SECURE Data Act prohibits controllers from processing sensitive data of a consumer without first obtaining the consumer’s consent.

Controller Data Use and Minimization Obligations

Section 3 of the SECURE Data Act requires controllers to provide a privacy notice to consumers that identifies, among other things, “[e]ach category of personal data processed by the controller,” “[e]ach purpose for processing personal data,” and “[e]ach category of personal data the controller shares with any other controller or any governmental entity.” Controllers also are required to disclose to consumers the sale of their personal data.

Section 3 further requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in relation to the controller’s disclosed data processing purposes. The SECURE Data Act also restricts the processing of personal data for purposes beyond those originally disclosed unless the controller first obtains the consumer’s consent.

State Preemption

The SECURE Data Act preempts all state laws that “relate[] to the provisions of this Act.” The SECURE Data Act, however, permits state attorneys general to bring civil actions on behalf of their residents in federal court to enjoin violations of the act, enforce compliance with the act, and seek damages and equitable relief.

Key Takeaways

The SECURE Data Act, if enacted, would represent a significant shift in the U.S. data privacy landscape by establishing a single federal standard that preempts the current patchwork of state privacy laws. If enacted, businesses that have already invested in compliance with state frameworks such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act, should evaluate whether their existing programs satisfy the SECURE Data Act’s requirements, particularly with respect to data broker registration requirement, data use and minimization obligations, and the consumer rights provisions.

Hayley Steele and Gregory P. Szewczyk

Back to Top

---

Colorado Rewrites Its Landmark AI law: Unpacking SB 26-189 and What It Means for Businesses

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.” The bill also shifts compliance obligations away from broad governance and impact assessments and toward targeted consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

However, whereas the original AI Act contained conditional exemptions for some federally regulated entities, the new version has eliminated those exemptions—thereby bringing into scope many additional entities that have thus far avoided state regulation of ADMT.

A Long and Tortured History

Signed in May 2024, SB 24-205 was the nation’s first comprehensive state AI law. It imposed obligations on developers and deployers of “high-risk artificial intelligence systems” used in “consequential decisions”—including employment, housing, health care, insurance, education, lending, legal services, and essential government services. Key features included reasonable care requirements to avoid algorithmic discrimination, mandatory implementation of risk-management programs, impact assessments, consumer notices, correction and appeal rights, and enforcement by the Attorney General under the Colorado Consumer Protection Act. While there was no private right of action, many feared that there would be attempts to exploit alleged ambiguities for private litigation.

When Governor Polis signed the AI Act into law in 2024, he did so with reservations, asking the legislature to revisit the law during the 2025 session before it was scheduled to go into effect in February 2026. The legislature could not come to an agreement during the general 2025 session, and, during the 2025 special session, it could agree only to extend the law’s effective date to June 2026.

In an effort to break the logjam, a working group consisting of lawmakers, the Governor’s office, the Attorney General’s office, and other stakeholders convened in fall of 2025, prior to the 2026 legislative session. The working group released its proposal on March 17, 2026, but even its members stated that the proposal needed further work. However, that proposal gave the legislature a new framework from which it could negotiate a consensus bill.

On May 1—with the close of the legislative session nearing—SB 26-189 was released. It moved quickly after introduction, advancing through the Senate Business, Labor, and Technology Committee, Senate Appropriations, the full Senate, House Judiciary, and House Appropriations, before the House passed it on third reading on May 9, 2026.

Key Updates and SB 26-189

For most businesses that operate as deployers of AI, SB 26-189 is meaningfully narrower than SB 24-205. Key differences include:

• Scope of covered technology. SB 24-205 regulated “high-risk artificial intelligence systems,” while SB 26-189 focuses on “covered ADMT” that process personal data used to materially influence consequential decisions in sectors including employment, housing, lending, insurance, health care, education, and essential government services.
• Eliminated Exemptions. Whereas the original AI Act had limited and conditional exemptions for various federally regulated entities, the new bill does not.
• Governance obligations. SB 24-205 required broader reasonable-care, risk-management, impact-assessment, annual-review, and public-summary obligations for deployers. SB 26-189 shifts deployers’ obligations toward targeted disclosure, explanation, correction, and the right to request human-review, although it still maintains the three-year record-retention obligations.
• Litigation and enforcement risk. SB 26-189 makes clear that the Colorado AI Act does not create a private right of action, and it closes alleged ambiguities that some argued existed in the prior law. Nonetheless, companies can still be held liable for discrimination under existing laws.
• Three-Year Cure Period. A 60-day right-to-cure provision allows developers and deployers to remedy violations before enforcement action—but this provision expires January 1, 2030.
• AG Rulemaking. Unlike the original AI Act where rulemaking was permissive, rulemaking under the new bill is mandatory. Further, rulemaking must be completed by January 1, 2027.

What Businesses Can Do Now

Even though we will see AG rulemaking, companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, and operational changes to implement consumer rights may take several months to execute. Further, based on the Attorney General’s approach to the Colorado Privacy Act rulemaking, we can expect that the rules will clarify, rather than change, the scope of the AI law.

In other words, while we have waited for years for the changes, we now have a sprint for the finish line.

Gregory P. Szewczyk, J. Matthew Thornton, Mudasar Khan, Lexi Chapman, and Kelsey Fayer

Back to Top

---

California Governor Newsom Taps Former CFPB Director Rohit Chopra to Lead Regulatory Super Agency

California Governor Gavin Newsom has appointed former CFPB Director Rohit Chopra to be the inaugural Secretary of a new cabinet-level agency that he created last year—the Business and Consumer Services Agency (BCSA). Although the appointment must be confirmed by the California Senate, the move is already generating significant attention within the financial services industry because it may signal California’s intent to assume a substantially larger role in consumer financial regulation and enforcement at a time when many expect reduced federal regulatory activity.

Chopra’s appointment is not for a particular term; rather, he will serve at the will of the Governor.

The BCSA, spun off from the Business, Consumer Services, and Housing Agency (BCHS) in July 2025, along with the California Housing and Homelessness Agency (CHHA), will officially become operative on July 1, 2026, and will oversee a broad collection of California regulatory departments, including the Department of Financial Protection and Innovation (DFPI), Department of Consumer Affairs, Department of Real Estate, Department of Alcoholic Beverage Control, and the Department of Cannabis Control. While its exact staffing and budget are unclear, the BCHS employed over 8,000 employees and had an operating budget of over $4.6 billion before being split into the BCSA and CHHA.

While some early press coverage has characterized the BCSA as a “California CFPB,” the actual structure is somewhat more nuanced. The DFPI is not being merged into the new agency or stripped of its existing authority. Rather, the BCSA will function as an umbrella cabinet agency sitting above several existing departments, with Chopra serving in a strategic supervisory role.

That distinction matters because the DFPI already possesses extensive powers under the California Consumer Financial Protection Law (CCFPL), including authority to regulate, supervise, investigate, and bring enforcement actions against a wide range of financial services providers. The DFPI also already has substantial rulemaking authority.

As a result, Chopra’s influence may prove highly consequential even though BCSA itself does not possess standalone substantive rulemaking authority comparable to the CFPB.

What Powers Will Chopra Have?

Based on the Governor’s announcement and the current statutory structure, Chopra will likely exercise significant influence over:

• Statewide consumer protection priorities;
• Interagency coordination;
• Regulatory initiatives;
• Enforcement strategy;
• Licensing and supervisory priorities;
• Multi-agency investigations;
• Online privacy and consumer data protection; and
• California’s response to perceived federal regulatory retrenchment.

Although formal rulemaking authority will remain with the underlying departments, especially the DFPI, Chopra is expected to play a central role in shaping which regulations are proposed and aggressively pursued.

In practical terms, the financial services industry should expect continued California activity involving:

• Fintech regulation;
• Earned wage access products;
• Buy now/pay later products;
• Algorithmic decision-making and AI;
• Consumer data practices;
• Junk-fee initiatives; and
• UDAAP-style enforcement theories under California law.

Enforcement Authority

The DFPI already possesses extensive enforcement authority, including the ability to investigate entities, issue administrative orders, seek civil penalties, pursue restitution, and file civil actions.

Accordingly, even though Chopra will not personally function as the direct enforcement official, his appointment almost certainly signals a more coordinated and potentially more aggressive statewide enforcement posture.

Indeed, one of the most important practical consequences of the reorganization may be the increased coordination among agencies that historically operated more independently. The creation of a cabinet-level structure above the DFPI and related departments may facilitate broader cross-industry investigations and policy initiatives.

Why This Matters Nationally

The significance of this development extends well beyond California.

Because California’s economy is so large, actions taken by California regulators frequently shape national business practices. Financial services providers often choose to implement California-compliant practices nationwide rather than maintain separate operational systems.

Moreover, Chopra’s appointment comes at a time when many observers anticipate a less aggressive federal regulatory environment. California may therefore increasingly position itself as a leading state-level counterweight in consumer protection regulation and enforcement.

For banks, Fintechs, payment companies, marketplace lenders, and other consumer financial services providers, the practical takeaway is straightforward: California’s regulatory influence is likely to expand greatly.

The combination of the DFPI’s already broad statutory authority and Chopra’s aggressive regulatory philosophy will likely make California an even more consequential consumer financial regulator in the country over the next several years.

Although there has been no official announcement, it appears that Chopra will no longer head the new Consumer Protection and Affordability Group which was organized by the Democratic Attorneys General Association.

Chopra’s appointment is not for a particular term, rather, he will serve at the will of the Governor. Since Governor Newsom’s term expires early in January of next year, Chopra could be removed by the next Governor. If the next Governor is a Democrat, Chopra would likely be able to continue serving in 2027.

This appointment establishes Chopra as someone who will be close to Newsom if and when he runs for President. If Newsom were to be elected as the next President, Chopra might be well-positioned to be appointed to a cabinet or other senior position in Newsom’s administration.

Alan S. Kaplinsky and John L. Culhane, Jr.

Back to Top

---

SEPA SHRM and Ballard Spahr LLP 2026 HR Legal Summit

As HR professionals face increasingly complex legal challenges, having a reliable “compass” is critical. Join us for the 14th Annual HR Legal Summit, co-hosted with Ballard Spahr’s Labor and Employment Group, to learn how to navigate the law in an era where workplace regulations shift faster than ever.

Attendees will take part in interactive sessions led by Ballard Spahr attorneys and industry experts, who turn complex legal topics into clear, actionable guidance for HR professionals. The summit’s dynamic networking environment fosters meaningful conversations, sparks fresh ideas, and builds lasting professional relationships to support your career well beyond the event. Don’t miss this opportunity to elevate your skills and expand your network for the year ahead.

Thursday, September 17, 2026
8:00 AM – 4:30 PM ET

Presidential Caterers
2910 Dekalb Pike
East Norriton, Pennsylvania 19401

REGISTER HERE

BECOME A SPONSOR OR EXHIBITOR

ADDITIONAL INFORMATION

For more information about the conference, sponsorship, or exhibitor opportunities, please contact Laurie Sample at sepa-administrator@sepashrm.org or visit the 2026 HR Legal Summit Webpage.

Approval for CLE Credits in CA, NJ, NY, & PA is pending. HRCI & SHRM Credits are also pending. Uniform Certificates of Attendance will be provided for the purpose of applying for CLE credit in other jurisdictions.

Brian D. Pedrow

Back to Top

---

Copyright © 2026 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.