(Subscribe to ABA Daily Newsbytes for news on recent changes and updates on regulatory issues. — The editors.)
By Carl Pry, CRCM, CRP
If there is one word that best describes what we can look forward to in the compliance world in 2025, it’s unpredictable. There is so much we don’t know about the banking environment next year, even though we have (some) clarity on the political environment. 2024 was a very interesting year in compliance, with focus on such issues as fair lending and UDAAP, junk fees, and new final rules under the Community Reinvestment Act (CRA) and Dodd-Frank Act Sections 1071 (Small Business Data Collection), and 1033 (Personal Financial Data Rights), among many others.
This article is from the January-February issue of ABA Risk and Compliance magazine. Subscribe here.
We can divide expected 2025 topics into various categories: what we know with a reasonable degree of certainty will happen; what we are fairly sure will happen but is contingent on certain events; and what we think is coming. But let’s start with the biggest issue that will impact regulatory change in 2025: the environment in Washington, DC after the 2024 election.
Events in DC and their impact on compliance
Presidential election aftermath. The results of the election are certain and will have a dramatic impact on not only the political environment, but also the regulatory atmosphere. This would be true no matter who won the presidential election; there will always be change when we have a new President. But the 2024 election saw a dramatic shift, resulting in Republican control over the Presidency as well as both houses of Congress.
The President will of course select his own leadership team, including who heads the various regulatory agencies. President Trump has sent strong signals that there will be significant changes, both in policy as well as leadership, starting on day one. However, it’s important to remember that changes to the laws and regulations that impact banks on a day-to-day basis move at a much slower pace.
Think about how long it’s taken to implement all the new regulations required by the Dodd-Frank Act. We still don’t have them all in place, even though three separate administrations have held office since the Dodd-Frank Act passed, with a fourth taking office in January 2025 (or is it a repeat of the second one?) The small business data collection rule required by Dodd-Frank Act Section 1071 and the personal financial data rights rule required by Dodd-Frank Act Section 1033 were issued in final form on March 2023 and October 2024, respectively. It’s not as though a new Trump administration will mean dramatic Day One changes in the regulations we follow every day. It is probable, if not almost certain, that the new administration will have different policy goals than what we’ve seen for the last four years, but we’ll have to wait and see how this turns out over the next few months and years.
The regulatory agencies. We expect President Trump to replace the director of the CFPB and the acting director of the OCC soon after his inauguration. Leadership changes at the FDIC and Federal Reserve will take longer. These changes are likely to bring recission of various agency guidance, which can be accomplished by the stroke of a pen.
New leadership may also bring changes in examination and enforcement priorities. When looking back at the last few changes in administration, where it seems the ideology pendulum swings more violently every time, there has not been as dramatic a change in the number of enforcement orders as some might think. The penalty amounts may change, but all in all the enforcement environment remains remarkably consistent. After all, issues such as consumer protection and fraud prevention are popular goals no matter who is in the White House or leading regulatory agencies.
Some existing final rules may be amended or re-written entirely, but this is a long process as it requires the agency to follow the Administrative Procedure Act’s notice and comment process. The first step, which we will all need to watch for, is for the agency to issue a proposal to extend the compliance dates of the rule being reconsidered. However, it’s premature to predict precisely which rules could be revisited or when those changes would be effective.
Congress. The real action to pay attention to is in Congress. When one party controls both houses of Congress, as we’ll experience for the next two years, the likelihood of significant legislation being advanced and passed increases substantially. When we have one-party rule across Congress and the Presidency, we end up with legislation such as the Dodd-Frank Act. But even if the new Republican Congress passes substantial new banking legislation (and it is signed into law), it won’t mean a slew of new regulations to follow right away. It normally takes years to implement Congress’ intent, again as evidenced by Dodd-Frank. Perhaps we see some more tinkering with the Dodd-Frank Act, similar to what happened in 2018.
A unified Congress also makes utilization of the Congressional Review Act (the “other” CRA) more possible, which could result in Congress voting to disapprove of recently issued final rules. And with a Republican President, we should expect the president to vote in favor of a Congressional Review Act resolution of disapproval passed by both houses of Congress, which means the final rule is revoked and cannot be rewritten in “substantially similar” form. However, only rules that were finalized in late July or August of 2024 or after are eligible for consideration under this CRA lookback period, making this a more limited option, although still one to monitor carefully.
One topic to monitor in 2025 is federal privacy legislation. There have been rumblings of a new federal privacy law for a few years now, and after many states have passed their own privacy legislation. It is becoming increasingly difficult to manage consumer privacy within a complicated patchwork of state laws. We are in need of a national standard that recognizes the data protection regimes that banks already have in place, and we may well see something like this in 2025.
At the risk of being repetitive, it seems that we wonder every year if this may be the year that cannabis banking is legalized on the federal level through some version of the SAFE Banking Act. Similar to privacy, there is a complex series of state laws on the legalization of cannabis in its various forms, and a resolution of the ongoing conflict between federal and states’ laws would be welcomed. Perhaps 2025 will be the year, although Republican legislators are normally more resistant to this idea than their Democratic counterparts, so it may be a harder sell.
The courts. 2024 saw resolution to the important question of the legality of the CFPB’s funding mechanism, which meant the potential chaos of a ruling by the U.S. Supreme Court that the bureau’s funding was unconstitutional was averted. Certainty is always welcomed.
There are decisions due in the spring of 2025 in several federal courts regarding regulatory overreach, which may, depending on the outcomes, impact the scope of several final regulations issued within the last few years. Depending on what happens (or doesn’t happen), some regulatory requirements may change. But again, at this early date, it is impossible to predict any specifics.
Another development to monitor is the fallout from the Supreme Court’s 2024 ruling which invalidated the Chevron doctrine. This was a longstanding doctrine which directed courts to defer to an agency’s interpretation of an ambiguous statute when it promulgated a regulation. As this no longer the case, we may see yet more challenges to regulations, which increases uncertainty.
In the meantime, let’s focus on specific events to look forward to in 2025. We’ll start with what we already know will happen.
Planning for final rules we know will be effective in 2025
Digital FDIC signage. The FDIC’s final rule on digital signage has been years in the making. The FDIC began the rulemaking process right at the onset of the pandemic, but it wisely paused its activities for a while as a result. In late 2024, the effective date for compliance was delayed to May 1, 2025 (from January 1, 2025), As of that date, banks must ensure they have proper FDIC signage on digital platforms, including their websites, apps, digital payment platforms, or ATMs, to fully comply with the new requirements.
Automated valuation models. The agencies issued their final rule on AVMs in July of 2024, with an effective date of October 1, 2025. The rule requires banks to design policies and procedures to ensure AVMs meet certain quality control standards, are designed to operate with a high level of confidence, that estimates should be produced to protect against data manipulation and avoid conflicts of interest, and are nondiscriminatory. Procedures must include conducting random sampling testing and reviews, and be designed to ensure compliance with nondiscrimination laws such as the Equal Credit Opportunity Act and Fair Housing Act. This likely means some sort of model validation must be performed to meet the requirements, so banks should use the time prior to October to ensure this is in place.
Dealing with rules that are final but are being litigated
Small business data collection. As stated above, we finally (we think) have resolution of the effective date of the CFPB’s amendments to Regulation B that will require lenders to collect and submit data regarding their small business loan applications under Section 1071 of the Dodd-Frank Act. Although all appeals are not resolved, best practices suggest that banks proceed assuming the effective dates announced by the CFPB in 2024 will remain, unless notified otherwise.
Litigation delayed the compliance date of the rule by more than nine months, with a result that on July 18, 2025, so-called Tier 1 filers (those that have at least 2,500 covered originations in both 2022 and 2023, or both 2023 and 2024) must begin collecting data (for submission on June 1, 2026). Covered lenders under Tiers 2 and 3 begin collecting data in 2026 for submission in 2027, but all covered lenders have much work to do to be ready to begin collecting the required data, and this time must be used wisely.
Community Reinvestment Act. Considering how the new final CRA regulations will affect your bank is one of the most important compliance considerations going right now. But we’re in a bit of limbo due to ongoing litigation. The regulation has a compliance date of January 1, 2026, but the court has stayed (i.e., paused) that date while the litigation proceeds, which is likely to extend well into 2025. We’re certainly hoping for some sort of resolution in 2025 so we can know what to do and when to do it, but the changes the new CRA regulations will require are so sweeping (particularly for large banks), banks can use every available moment to plan for the operational, as well as strategic, changes the new rules will demand, no matter what the eventual compliance date(s) will be.
This also presents the possibility of some banks having to simultaneously comply with the new small business data collection and reporting rules and existing CRA regulations.
Credit card late fees. The CFPB’s final rule restricting late fees on delinquent credit card payments to no more than $8 (for issuers with over 1 million open credit card accounts) is another that is currently tied up in the courts. Banks that service credit card portfolios will be carefully watching to see how this end up, and we will know what the maximum charge will be and when any change will take effect.
Personal Financial Data Rights. In October 2024 the CFPB issued a final rule under Dodd-Frank Act Section 1033, entitled “Personal Financial Data Rights.” On the same day the CFPB released the final rule, it was challenged in Federal district court, but the plaintiffs in that case did not seek a preliminary injunction, so the compliance dates established by the rule are not stayed.
This rule has been referred to as the “open banking” rules in various CFPB communications and speeches. This long-awaited rule would give consumers more control over their financial data. The rule would also offer new protections against companies misusing consumer data and require banks (and other entities) to make available to consumers and authorized third parties certain data relating to consumers’ accounts, establishing obligations for third parties accessing a consumer’s data, and providing basic standards for data access.
The rule requires that consumers be able to obtain their personal financial data at no cost and have a legal right to grant third parties access to information associated with their credit card, checking, prepaid, and digital wallet accounts. There are rights to share data, provide authorization and revoke consent, and require banks to implement policies and procedures to achieve the rule’s objectives. The first compliance date, which applies to the largest financial institutions, is April 2026, and there are many policy and operational impacts for banks to consider in the meantime, as the final rule becomes effective.
This is a major step in a broader effort by the CFPB to regulate the ever-growing amounts and types of data obtained and utilized by banks and other financial institutions.
Possible (or even expected) final rules to be issued in 2025
Strengthening anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In mid-2024, both Treasury’s Financial Crimes Enforcement Network (FinCEN) as well as the regulatory agencies (OCC, Federal Reserve and FDIC) issued proposals “to strengthen and modernize financial institutions’ AML/CFT programs pursuant to a part of the Anti-Money Laundering Act of 2020 (AML Act).” The final rules, expected sometime in 2025, will alter current Bank Secrecy Act (BSA) program requirements for banks, including a requirement to consider, for the first time, the AML/CFT Priorities. This last requirement is a new one, and we’ve been waiting since the AML Act was signed into law for it to be included in BSA regulations. Banks will need to take a close look at their AML/BSA programs to ensure all the requirements are included.
Beneficial Ownership Information and Customer Due Diligence. For a few years now we’ve been dealing with the fallout from the creation of the new federal BOI database. Banks have been contending with beneficial ownership regulations since 2018, of course, but we’re now awaiting the final domino to fall: the integration of the BOI rules with existing CDD expectations. FinCEN in July of 2024 advised that the current CDD rule has a different definition of “beneficial owner” than that found in the beneficial ownership reporting rule. How these two regulatory regimes are aligned, and how FinCEN’s access rule is implemented for banks (likely in 2025), will impact banks’ practices regarding beneficial ownership. We’ll await the final rule to see how our programs and processes will be impacted.
Mortgage servicing. In July 2024 the CFPB issued a proposed rule under RESPA to “streamline the servicing process” for distressed borrowers. The proposal overhauls the existing default servicing framework by adding additional safeguards such as revised early intervention rules for delinquent borrowers, various foreclosure safeguards within the loss mitigation process, and changes to the loss mitigation application process. The proposal would also limit the fees a servicer can charge a borrower while the servicer is reviewing possible options to help the borrower, as well as provide borrowers with access to certain servicing communications in languages other than English. Notably, the proposal does not apply to “small servicers,” defined as those that service 5,000 or fewer mortgage loans that it or its affiliates owns or originated. That’s quite a bit to consider, but any bank that services mortgage loans will be looking carefully at the final rule when it’s issued, expected to be sometime in 2025.
Fees for instantaneously declined transactions. In early 2024, the CFPB proposed a new regulation under its UDAAP authority that would prohibit banks “from charging fees, such as nonsufficient funds fees, when consumers initiate payment transactions that are instantaneously declined.” Instantaneously (or near-instantaneously) declined transactions are defined as those processed in real-time with “no significant perceptible delay to the consumer when attempting the transaction.” One-time debit card, ATM, and certain person-to-person transactions would be covered under the new rule. While these are not the sorts of transactions for which banks typically charge fees, it is noteworthy that restrictions on fees for overdraft and nonsufficient funds (NSF) in any form are now finding their way into regulations.
Fair Credit Reporting Act. In July 2024, the CFPB issued a proposed rule around medical debt, which would require the removal of medical debt from credit reports. Banks already comply with Regulation FF, which restricts the consideration of medical debt in credit decisions, but potential new rules would go farther by prohibiting consumer reporting agencies from including information regarding medical bills in consumers’ credit reports, as well as prohibiting creditors from considering medical bills in their credit decisions. This would continue a trend we’ve been seeing for a few years now regarding the treatment of medical debt, and at some point (maybe 2025) the rule is expected to be finalized.
Additionally, according to the CFPB’s Small Business Review Panel for Consumer Reporting Rulemaking web page , “[t]he CFPB is considering a rulemaking to address a number of consumer reporting topics under the Fair Credit Reporting Act (FCRA).” Among those topics are bringing so-called “data brokers” under the coverage of the FCRA, to enable regulation of the information these growing companies manage and sell to a variety of enterprises, including banks. They also include a proposal to extend the FCRA to cover categories of consumer-identifying information that are commonly included in the header of a credit report, such as name, social security number, date of birth, and so forth. Also on the table are potential rules on establishing steps to obtain a consumer’s written instructions to a obtain a consumer report, and addressing a consumer reporting agency’s obligation to protect consumer reports from a data breach or unauthorized access, among several others.
Expansion of Regulation Z: The CFPB has been quite active lately when it comes to expanding the scope of Regulation Z (Truth in Lending) to cover more and more scenarios. Start with the February 2024 proposal to recharacterize overdrafts as Reg. Z-covered extensions of credit. Notably, this would apply only to banks with assets of $10 billion or more (although the CFPB notes it will monitor the market’s response to the rule before deciding whether to apply it to smaller banks as well). We’ll wait to see whether a final rule providing for this comes to pass in 2025.
But that’s not the only area where we’re seeing Regulation Z expansion. In May 2024 the CFPB issued an interpretive rule opining that so-called “Buy Now, Pay Later” (BNPL) transactions (accessed through digital user accounts) fall within the definition of a “credit card” under the Truth in Lending Act (TILA) and Regulation Z. Even though BNPL transactions are generally payable in four installments, suggesting that they would be classified as closed-end credit (and therefore not covered since Regulation Z covers closed-end credit payable in more than four installments), classifying them instead as open-end credit products brings them under the coverage of the rule.
In August 2024 the CFPB issued an Advisory Opinion stating that “contract-for-deed” transactions, where a seller agrees to turn over a home’s deed only after the buyer completes a series of payments, are subject to TILA and Regulation Z, in order to protect consumers from “a series of traps that leave buyers in unlivable homes, on the hook for tax liens and expensive repairs, and at risk of losing their down payments and homes.”
This followed a July 2024 proposed interpretive rule stating that many paycheck advance products, or “earned wage” products, were consumer loans and therefore subject to TILA and Regulation Z. This interpretive rule cites many definitions of the term “debt,” to support a broader reading of the term as it is defined in Regulation Z. We’ll await finalization of this rule (as well as perhaps others furthering this expansive trend) in 2025.
Interchange fee cap. In October 2023, the Federal Reserve issued a proposed rule under Regulation II (also known as the Durbin Amendment) to lower the maximum interchange fee that a debit card issuer with at least $10 billion in total consolidated assets can receive for a debit card transaction. The current cap is 21 cents (the “base” component), plus .05% of the transaction (the “ad valorum” component), plus one cent (the “fraud prevention adjustment”). The new cap would be 14.4 cents, plus .04% per transaction, plus 1.3 cents. The Federal Reserve proposed the changes based on data reported to it by large debit card issuers as part of its biennial Debit Card Issuer Survey, which covers transactions in 2021. The changes reflect adjustments in allowable costs incurred by issuers covered under the rule since Regulation II was first implemented in 2011. This has been a hotly-debated topic ever since its inclusion in the Dodd-Frank Act, and we’ll have to wait and see how it plays out, and whether these changes come to pass in 2025.
Other regulatory trends expected to continue in 2025
Artificial intelligence, algorithms, models, and related technology issues. There have been countless commentaries, speech transcripts, guidance pieces, advisories, blog posts, and warnings on these topics published by the agencies in the past few years. Some themes have come to the fore, including proceeding with caution, taking consumer harm into account, and anticipating risk, to name a few.
For example, the CFPB called out the risk of over-reliance on chatbots several times over the past few years. We’re all familiar with chatbots – they’re the boxes that appears on the side or bottom of a website inviting visitors to ask questions and get quick answers. Of course, there is no person on the other end of the keyboard eagerly awaiting questions; it’s AI. While this technology is extremely helpful and efficient, the CFPB warned banks to not rely on a chatbot as the only means for a consumer to get answers. There should also be an option to have a question addressed by an actual person. The advancement of these technologies promises more guidance and similar warnings in the years to come.
What else can we expect here in 2025? Most likely more of the same, but we may be at an inflection point where we start to see some proposed regulation. But what would it even say? This is a fascinating question to consider, and hopefully any new rulemaking would not unnecessarily discourage advancement of these valuable technologies. But we may very well see something more formal around issues like digital redlining and algorithmic discrimination, for example.
Digital currency. At this point it’s still a challenge to explain what exactly bitcoin is and how it works, much less offer it as a product. How would it be disclosed? But it’s coming; there are already banks that offer digital asset-related products, and others are working with third parties to offer them to a public eager to find out more or even sign up. But there risks here are substantial, and the agencies are just now starting to pay attention to how this may play out in the retail banking environment. Perhaps 2025 is the year we start to see some guidance on how banks may approach this inevitable evolution of financial investments.
Fair lending. This is an issue at the forefront of regulatory attention no matter the year, and 2025 will be no different. In addition to concerns about technology and its impact on fairness, redlining continues to be chief among regulatory concerns when it comes to fair lending. This is seen in the number of enforcement actions centered around redlining. There is every expectation we’ll see even more in 2025.
More on UDAP/UDAAP. Another evergreen topic, but there are some particular areas in which we can expect to see some activity in 2025. Both the banking agencies and the Federal Trade Commission (FTC) have been commenting on the existence of so-called “dark patterns” on websites and other digital media (even though it sounds like the latest sci-fi series on Netflix, doesn’t it?). This primarily impacts marketing and advertising, and addresses the way marketers use various techniques to coerce consumers into clicking a link, look at a particular part of the advertisement, or make it difficult to opt out of certain information, among others. We can expect to see more publications and guidance on this point, which is welcome. UDAP/UDAAP is a difficult concept to identify, and any information calling out exactly what may be problematic is helpful.
Junk fees. This is the term du jour over the past few years, receiving mentions in the President’s State of the Union address, signaling that the regulatory focus on fees the agencies feel to be excessive will continue. This is one of the more frustrating aspects of regulatory guidance, as there are legitimate reasons fees are being charged (as well as very carefully disclosed), but in 2025 we can expect more opinions and statements around stamping out so-called junk fees in various industries, banking included.
What might be the focus of such opinions in 2025? It is clear that costs associated with mortgage loans are the next frontier of junk fees scrutiny. The CFPB has identified credit report fees, origination fees and discount points, title insurance and related costs, and appraisal fees as those that may be excessive or unnecessary. At this point we don’t know what exactly may happen here (will there be warnings? Regulatory guidance? New regulations setting caps?), but banks that originate mortgages would be wise to take a close look at their charges (particularly those established by the bank rather than set by a third party) and cast a wary eye toward what the CFPB and other regulators have to say.
When the CFPB announced its cap on credit card late fees, it also mentioned it would potentially be looking at other fees in the credit card market. Perhaps we see some more discussion, or maybe even guidance or regulations, limiting other fees (annual fees? Transaction fees? Balance transfer fees?) on credit cards.
Appraisal bias. This is another topic where we’ve seen significant movement over the last few years, and 2024 saw the implementation of final guidance on reconsiderations of value for appraisals, and other commentaries on appraisal bias. These new rules are accompanied by real enforcement, as the Department of Justice recently brought action against a large mortgage lender alleging undervaluation of a home based on the consumer’s race. It’s likely we’ll continue to see more in this area, affecting both the appraiser industry as well as how lenders manage and evaluate appraisals.
Final thoughts
As always, we can expect the unexpected, meaning there will always be happenings that were completely out of left field, or otherwise impossible to predict at the beginning of the year. It’s these surprises that keeps the compliance field interesting, and as a result compliance professionals must always keep on their toes.
Carl Pry, CRCM, CRP, is a senior advisor for Asurity Advisors in Washington, D.C., where he advises clients on a wide variety of compliance, fair lending, corporate treasury, and risk management issues. Over the last 30-plus years, Pry has held senior leadership positions including senior vice president and compliance manager for Compliance and Control Department at KeyBank in Cleveland, Ohio; vice president of regulatory services at Kirchman Corp. in Orlando, Fla; and manager in the finance and performance management service line at Accenture in Chicago. Most recently, he served as managing director at Treliant LLC. He also serves as Chair of the editorial advisory board for ABA Risk and Compliance magazine. Reach him via email at [email protected] or at (440) 320-4662.
Endnotes:
I. FinCEN Press Release of June 28, 2024
II. Federal Register of Jan. 31, 2024, at pg. 6031.
II. https://www.consumerfinance.gov/rules-policy/small-business-review-panels/small-business-review-panel-for-consumer-reporting-rulemaking/
IV. CFPB Press Release, Aug. 13, 2024.
