Compliance Update, Second Quarter 2025

Consumer Financial Protection Bureau (CFPB) Finalizes Rule to Remove Medical Bills from Credit Reports

The CFPB announced it has finalized a rule amending Regulation V, which implements the Fair Credit Reporting Act, that will remove an estimated $49 billion in medical bills from the credit reports of about 15 million Americans. The CFPB’s action will ban the inclusion of medical bills on credit reports used by lenders and prohibit lenders from using medical information in their lending decisions.

The CFPB said the rule will increase privacy protections and prevent debt collectors from using the credit reporting system to coerce people to pay bills they do not owe. The CFPB has found that medical debts provide little predictive value to lenders about borrowers’ ability to repay other debts, and consumers frequently report receiving inaccurate bills or being asked to pay bills that should have been covered by insurance or financial assistance programs.

The CFPB’s final rule brings regulations in line with Congress’s decision to safeguard consumers’ privacy by restricting lenders from obtaining or using medical information, including information about medical debts. Federal financial regulators later created an exception to this restriction, allowing creditors to consider medical debts. This carveout has enabled debt collectors to use the credit reporting system to coerce payments from patients for inaccurate or false medical bills.

The amendments to Regulation V will become effective 60 days after the final rule is published in the Federal Register.

Office of the Comptroller of the Currency (OCC) and Fed Adjust Civil Money Penalty (CMP) Maximums for 2025

OCC Bulletin 2025-1 announced publication [90 FR 1848] in the Federal Register of a schedule of maximum civil money penalties applicable to national banks and federal savings associations as adjusted for inflation. The adjusted maximum amount of civil money penalties in this announcement is applicable to penalties assessed on or after January 10, 2025, for conduct occurring on or after November 2, 2015.

The Federal Reserve Board (FRB) published [90 FR 2607] in the Federal Register a similar notice adjusting the maximum CMP’s for 2025 for violations by banks and holding companies for which the Federal Reserve System is their primary federal regulator.

CFPB Adds Electronic Fund Transfer (EFT) Frequently Asked Questions (FAQs) on Tips

The CFPB has updated its EFT FAQs New Transactions Coverage. Question 6 asks whether the compulsory use prohibition applies to tips and is directed to employers whose employees receive compensation in the form of tips or gratuities. After explaining its reasoning, the CFPB’s answer is: “… employers are prohibited by EFTA and Regulation E from requiring workers to establish an account with a particular financial institution to receive tips.”

Financial Crimes Enforcement Network (FinCEN) Updates Alert on Beneficial Ownership Information (BOI) Reporting

FinCEN has updated an alert on its BOI Reporting webpage to acknowledge the Supreme Court’s January 23, 2025, stay of a nationwide injunction issued by a federal judge in Texas (Texas Top Cop Shop, Inc. v. McHenry—formerly, Texas Top Cop Shop v. Garland).

Although various reports have suggested that the Supreme Court action would allow FinCEN to again require entities subject to the regulation to file reports, FinCEN’s Alert notes a separate nationwide order issued by a different federal judge in Texas (Smith v. U.S. Department of the Treasury) still remains in place, and reporting companies are not currently required to file BOI with FinCEN despite the Supreme Court’s action in Texas Top Cop Shop.

Reporting companies also are not subject to liability if they fail to file this information while the Smith order remains in force. However, reporting companies may continue to voluntarily submit BOI reports.

Agencies Announce Second Outreach Meeting on Regulations Review

The Federal Deposit Insurance Corporation (FDIC), OCC, and FRB issued a joint press release announcing a virtual public outreach meeting held on March 6, 2025, as part of their review of regulations, as required by law. The Economic Growth and Regulatory Paperwork Reduction Act requires the agencies, with input from the public, to review their regulations at least once every ten years to identify any outdated or otherwise unnecessary regulatory requirements applicable to their supervised institutions. The outreach meeting is an opportunity for interested stakeholders to present their views on the six categories of regulations listed in the first two Federal Register notices: Applications and Reporting; Powers and Activities; International Operations; Consumer Protection; Directors, Officers and Employees; and Money Laundering.

Terminations and a Director Nomination at the CFPB

NPR’s Your Money website has reported that dozens of probationary employees at the CFPB lost their jobs according to the National Treasury Employees Union, which represents Bureau employees. The union has identified about six dozen terminated employees but is still working to confirm final numbers.

The reported firings were announced as President Trump nominated Jonathan McKernan to be the next director of the Bureau, replacing Russell Vought, who was previously named acting director. Mr. McKernan was previously on the board of the FDIC before resigning earlier this week. Previously, he was a counsel to
Pat Toomey, R-Penn., on the staff of the Senate Banking Committee. He also has served as a senior counsel at the Federal Housing Finance Agency and a policy adviser at the Treasury Department.

The Department of Housing and Urban Development (HUD) Launches Department of Government Efficiency (DOGE) Task Force

HUD announced it will launch its own DOGE task force to review how HUD is spending American taxpayer dollars. The task force will be composed of HUD employees who will examine how to best maximize the agency’s budget and ensure all programs, processes, and personnel are working together to advance the purpose of the department.

Interactive Suspicious Activity Reporting (SAR) Statistics Updated with 2024 Data

FinCEN has issued a notice to email subscribers that its Interactive SARs Stats webpage has been updated to include SAR data through calendar year 2024. Interactive SAR Stats is an application that enables users to view FinCEN’s trend data for aggregated counts of defined suspicious activities that financial institutions report to FinCEN.

OCC Stress Test Scenarios Released

The OCC has announced its release of economic and financial market scenarios for use in the upcoming stress tests for covered institutions.

The supervisory scenarios include baseline and severely adverse scenarios. Covered institutions are required to use the scenarios to conduct stress tests. The results of the company-run stress tests provide the OCC with forward-looking information used in bank supervision and assist the agency in assessing a covered institution’s risk profile and capital adequacy.

The 2025 scenario and background information can be found on the OCC’s Dodd-Frank Act Stress Test (Company Run) page.

https://www.occ.gov/publications-and-resources/forms/dodd-frank-act-stress-test/index-dodd-frank-act-stress-test.html

Barr Speech on Regulation and Supervision Risks and Challenges

FRB Vice Chair for Supervision, Michael S. Barr, spoke at the Georgetown University Law Center on “Risks and Challenges for Bank Regulation and Supervision.”

Barr addressed seven specific risks, saying that each will continue to be a risk in either the near- or long-term:

1. maintaining and finishing post-financial crisis reforms
2. maintaining the credibility of the stress test
3. maintaining credible, consistent supervision
4. encouraging responsible innovation
5. addressing cyber and third-party risk
6. risks in the nonbank sector
7. climate risk

Reminder on Nationwide Multi-State Licensing System (NMLS) Fee Increases 

The Conference of State Bank Supervisors, which operates the NMLS, has issued a reminder of NMLS processing fee increases affecting both its state licensure and federal registration processing. The increases were effective March 1, 2025.

Financial Action Tast Force (FATF) Identifies Countries with AML/CFT/CPF Deficiencies

FinCEN has reported that the FATF, an intergovernmental body that establishes international standards for anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation of weapons of mass destruction (AML/CFT/CPF), updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies at the conclusion of its plenary meeting this month. U.S. financial institutions should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.

On February 21, 2025, the FATF added Laos and Nepal to its list of Jurisdictions Under Increased Monitoring and removed the Philippines from that list.

The FATF’s list of High-Risk Jurisdictions Subject to a Call for Action remains the same, with Iran, the Democratic People’s Republic of Korea (DPRK), and Burma subject to calls for action. Specifically, the FATF continues to call on jurisdictions to apply countermeasures on Iran and DPRK. Burma remains subject to the application of enhanced due diligence, but not countermeasures.

CFPB Drops Five Major Lawsuits

CFPB has dropped five major lawsuits it had underway — including a large suit against Capital One. Last month, the Bureau had accused Capital One of failing to pay more than $2 billion in interest to its customers by misleading them into thinking they would be getting higher rates. The CFPB also dropped its cases against Rocket Homes, Pennsylvania Higher Education Assistance Agency, Vanderbilt Mortgage and Finance, and Heights Finance Holding Company.

FDIC Withdraws Four Proposed Rules

The FDIC has issued FIL-6-2025 to announce it is withdrawing three proposed rules relating to brokered deposits, corporate governance, and the Change in Bank Control Act (CBCA). The FDIC is also withdrawing the authority previously approved by the FDIC Board of Directors to publish a proposed rule on incentive-based compensation arrangements.

The FDIC is withdrawing these Notices of Proposed Rulemaking because it no longer intends to issue final rules with respect to these proposals. If the FDIC pursues regulatory action on these matters in the future, it will do so by publishing new proposed rules or other issuances consistent with the requirements of the Administrative Procedure Act.

FDIC Postpones Compliance Date for Sections of Part 328 Rule

The FDIC has issued FIL-5-2025 to announce it is postponing the compliance date from May 1, 2025, to March 1, 2026, for the requirements under 12 CFR 328.5 related to the display of the FDIC official digital sign on an insured depository institution’s (IDI’s) digital channels, as well as analogous requirements related to IDI’s automated teller machines (ATMs) and like devices under 12 CFR 328.4. This delay will allow the FDIC to propose changes to the regulation with the opportunity for public comment to address implementation concerns and potential sources of confusion.

This delay does not apply to the other amendments made by the final rule to subpart A, such that compliance for those requirements remains unchanged and is required by May 1, 2025.

Office of Foreign Assets Control (OFAC) Issues Venezuela General License and Adds a Designation and FAQ

OFAC reported it has issued Venezuela General License 41A, “Authorizing the Wind Down of Certain Transactions Related to Chevron Corporation’s Joint Ventures in Venezuela.”

Additionally, OFAC has updated its Specially Designated Nationals and Blocked Persons (SDN) List, designating an Iranian national under its Counter-narcotics sanctions program.

Bureau Extends Comment Period on Advance Notice of Proposed Rulemaking (ANPR)

The CFPB has published a Notice [90 FR 11495] in the Federal Register extending the comment period on the Bureau’s ANPR on Identity Theft and Coerced Debt. The comment period was scheduled to end March 7, 2025. The notice extended the comment period to end April 7, 2025.

OCC Rescinds Issuances Addressing Some Crypto-Asset Activities

The OCC has issued Interpretive Letter 1183 to rescind OCC Interpretive Letter (IL) 1179 (November 18, 2021). [Interpretive Letter 1179 outlined a supervisory nonobjection process for banks that seek to engage in the activities addressed in Interpretive Letters 1170, 1172, or 1174.] In a related Press Release, the OCC said its actions are intended to “reaffirm that a range of cryptocurrency activities are permissible in the federal banking system.”

The OCC also withdrew from two interagency statements as they apply to national banks and federal savings associations—the “Joint Statement on Crypto-Asset Risks to Banking Organizations” (January 3, 2023), and the “Joint Statement on Liquidity Risks to Banking Organizations Resulting from Crypto-Asset Market Vulnerabilities” (February 23, 2023) (together, the interagency statements).

These actions are intended to reduce burden, encourage responsible innovation, and enhance transparency. The OCC will examine the activities described in IL 1170 (addressing crypto-asset custody services), 1172 (addressing holding deposits that serve as reserves backing stablecoins), and 1174 (addressing the use of stablecoins and distributed ledger technology to facilitate payments) as part of its ongoing supervisory process.

As with all activities, banks must conduct crypto-asset activities in a safe, sound, and fair manner, in compliance with applicable law. New activities should be developed and implemented consistently with sound risk management practices and alignment with banks’ overall business plans and strategies.

Senate Passes Disapproval Resolution on CFPB Rule

The U.S. Senate has passed S.J.Res. 28, a resolution under the Congressional Review Act disapproving the rule [89 FR 99582, December 10, 2024] submitted by the CFPB relating to “Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications.”

The House of Representatives has introduced a related bill, H.J.Res. 64, which has been referred to committee. If the House resolution is passed, and the President approves the joint resolution, the CFPB rule will be nullified, and the Bureau will not be able to issue a substantially similar rule in the future.

The rule in question established the CFPB’s supervisory authority over nonbank covered persons that are larger participants in a market for “general-use digital consumer payment applications.” Included are providers of funds transfer and payment wallet functionalities through digital payment applications for consumers’ general use in making payments to other persons for personal, family, or household purposes. Examples include consumer financial products and services that are commonly described as “digital wallets,” “payment apps,” “funds transfer apps,” “peer-to-peer payment apps,” “person-to-person payment apps,” “P2P apps,” and the like.

Money Services Businesses (MSBs) on Southwest Border Get Geographic Targeting Order (GTO)

FinCEN has announced it has issued a GTO that will require all MSBs located in 30 ZIP codes across California and Texas near the southwest border to file Currency Transaction Reports (CTRs) with FinCEN at a $200 threshold, in connection with cash transactions.

The terms of the GTO are effective beginning 30 days after the date on which the order is published in the Federal Register. The terms are effective for 179 days thereafter.

The order covers the following ZIP codes across seven counties in California and Texas:

• Imperial County, California: 92231, 92249, 92281, 92283
• San Diego County, California: 91910, 92101, 92113, 92117, 92126, 92154, 92173
• Cameron County, California: 78520, 78521
• El Paso County, Texas: 79901, 79902, 79903, 79905, 79907, 79935
• Hidalgo County, Texas: 78503, 78557, 78572, 78577, 78596
• Maverick County, Texas: 78852
• Webb County, Texas: 78040, 78041, 78043, 78045, 78046

FDIC Formally Withdraws Proposed Rules

The FDIC has published a notice [90 FR 12115] in the Federal Register that it is withdrawing notices of proposed rulemaking relating to brokered deposit restrictions, corporate governance and risk management, and the Change in Bank Control Act. If the FDIC decides to pursue future regulatory action in any of these areas, it will issue a new proposed rule.

FinCEN Removes Beneficial Ownership Reporting Requirements for U.S. Companies and U.S. Persons, Sets New Deadlines for Foreign Companies

Consistent with the U.S. Department of the Treasury’s March 2, 2025, announcement, FinCEN is issuing an interim final rule that removes the requirement for U.S. companies and U.S. persons to report BOI to FinCEN under the Corporate Transparency Act.

In that interim final rule, FinCEN revises the definition of “reporting company” in its implementing regulations to mean only those entities that are formed under the law of a foreign country and that have registered to do business in any U.S. State or Tribal jurisdiction by the filing of a document with a secretary of state or similar office (formerly known as “foreign reporting companies”). FinCEN also exempts entities previously known as “domestic reporting companies” from BOI reporting requirements.

Thus, through this interim final rule, all entities created in the United States — including those previously known as “domestic reporting companies” — and their beneficial owners will be exempt from the requirement to report BOI to FinCEN. Foreign entities that meet the new definition of a “reporting company” and do not qualify for an exemption from the reporting requirements must report their BOI to FinCEN under new deadlines, detailed below.
These foreign entities, however, will not be required to report any U.S. persons as beneficial owners, and U.S. persons will not be required to report BOI with respect to any such entity for which they are a beneficial owner.

Upon the publication of the interim final rule, the following deadlines apply for foreign entities that are reporting companies:

• Reporting companies registered to do business in the United States before the date of publication of the Interim Final Rule (IFR) must file BOI reports no later than 30 days from that date.
• Reporting companies registered to do business in the United States on or after the date of publication of the IFR have 30 calendar days to file an initial BOI report after receiving notice that their registration is effective.

FinCEN is accepting comments on this interim final rule and intends to finalize the rule this year.

OCC Ends Exams for Reputation Risk

The OCC has announced it will no longer examine its regulated institutions for reputation risk and is removing references to reputation risk from its Comptroller’s Handbook booklets and guidance issuances.

“The OCC has never used reputation risk as a catch-all justification for supervisory action. Focusing future examination activities on more transparent risk areas improves public confidence in the OCC’s supervisory process and makes clear that the OCC has not and does not make business decisions for banks,” said Acting Comptroller of the Currency, Rodney E. Hood.

The removal of references to reputation risk from OCC handbooks and guidance issuances does not alter the OCC’s expectation that banks remain diligent and adhere to prudent risk management practices across all other risk areas. The OCC expects to complete its efforts to update its public documents in the coming weeks.