<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cooley Finsights</title>
	<atom:link href="https://finsights.cooley.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://finsights.cooley.com</link>
	<description>Tracking trends in financial regulation and enforcement</description>
	<lastBuildDate>Wed, 06 May 2026 20:14:53 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://finsights.cooley.com/wp-content/uploads/2025/05/cropped-finserv-blog-banner-v4cw-32x32.jpg</url>
	<title>Cooley Finsights</title>
	<link>https://finsights.cooley.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>HUD Clarifies Scope of Fair Housing Act’s Steering Prohibition for Real Estate Professionals</title>
		<link>https://finsights.cooley.com/hud-clarifies-scope-of-fair-housing-acts-steering-prohibition-for-real-estate-professionals/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Wed, 06 May 2026 20:14:53 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Department of Housing and Urban Development (HUD)]]></category>
		<category><![CDATA[Fair lending]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=667</guid>

					<description><![CDATA[The Department of Housing and Urban Development (HUD) issued a “Dear Colleague” letter to real estate professionals clarifying that sharing crime or school quality information with prospective homebuyers or renters is not a violation of the Fair Housing Act (FHA) when shared without discriminatory intent. The letter follows closely on the heels of a final rule issued by the Consumer Financial Protection Bureau (CFPB) to &#8230; ]]></description>
										<content:encoded><![CDATA[<p>The Department of Housing and Urban Development (HUD) <a href="https://www.hud.gov/sites/default/files/hudclips/documents/AS-Trainor%27s-DCL-on-Neighborhood-Crime-Data-and-School-Quality.pdf">issued a “Dear Colleague” letter</a> to real estate professionals clarifying that sharing crime or school quality information with prospective homebuyers or renters is not a violation of the Fair Housing Act (FHA) when shared without discriminatory intent.</p>
<p>The letter follows closely on the heels of a final rule issued by the Consumer Financial Protection Bureau (CFPB) to eliminate the disparate impact standard from Regulation B, which implements the Equal Credit Opportunity Act. These developments reflect a coordinated shift across federal regulators away from disparate impact-based civil rights enforcement and toward a framework grounded in intentional discrimination.</p>
<h3><strong>Background</strong></h3>
<p>During the Biden administration, certain real estate brokerages and listing platforms restricted or discouraged the sharing of neighborhood-level information, invoking fair housing concerns as justification. The National Association of Realtors (NAR) also issued guidance suggesting that the FHA prohibited real estate professionals from discussing topics such as school quality and neighborhood safety, and warned that answering client questions about local schools could amount to &#8220;inadvertently steering&#8221; clients.</p>
<p>In the “Dear Colleague” letter, HUD traces this pullback to a <a href="https://www.federalregister.gov/documents/2021/01/29/2021-02074/redressing-our-nations-and-the-federal-governments-history-of-discriminatory-housing-practices-and">2021 Biden administration directive</a> instructing the agency to prevent “practices with an unjustified discriminatory effect” and address racial bias across all stages of home buying and renting. The HUD letter notes that the Biden-era directive has been superseded by a <a href="https://www.federalregister.gov/documents/2025/04/28/2025-07378/restoring-equality-of-opportunity-and-meritocracy">subsequent executive order issued by President Donald Trump</a> in April 2025 directing federal agencies to restore equality of opportunity and meritocracy.</p>
<h3><strong>The ‘Dear Colleague’ letter</strong></h3>
<p>HUD makes the following key points in its letter:</p>
<h4><strong>Sharing neighborhood data is not unlawful steering</strong></h4>
<p>HUD asserts that unlawful steering under the FHA requires intentional discrimination based on protected characteristics, and that providing prospective homebuyers with information about school quality and crime data is not a violation when shared consistently and without discriminatory intent. HUD notes that the US Supreme Court has defined racial steering as “directing prospective homebuyers interested in equivalent properties to different areas according to their race”. As interpreted by courts and HUD’s own regulations, a violation of the FHA’s prohibition on making a home unavailable or refusing to negotiate its sale or rental “because of race” or on statements expressing a racial preference requires an intent to direct clients based on race or the prevailing racial composition of a neighborhood.</p>
<h4><strong>First Amendment considerations</strong></h4>
<p>The letter takes the position that the FHA imposes no blanket prohibition on real estate agents discussing neighborhood safety or educational options with prospective clients, and that construing the statute to prohibit real estate professionals from discussing those topics would raise significant First Amendment concerns.</p>
<h4><strong>The fiduciary dimension </strong></h4>
<p>The letter states that the realtor-client relationship carries fiduciary obligations, and that the free exchange of nonracial information about purchasing and rental options is central to that relationship.</p>
<h4><strong>Directives for FHAPs and FHIPs</strong></h4>
<p>The letter states that Fair Housing Assistance Programs (FHAPs) should not issue findings of discrimination against real estate professionals who answer client questions about, or provide, school and crime data on an equal and consistent basis. It also notes that Fair Housing Initiatives Programs (FHIPs) should not use federal funds to pursue complaints based on the sharing of such information equally with clients. Finally, it notes that neither FHAPs nor FHIPs should use or distribute materials that incorrectly treat the FHA as grounds for preventing real estate professionals from discussing nonracial information about neighborhood crime and schools.</p>
<h3><strong>Looking ahead</strong></h3>
<p>The HUD “Dear Colleague” letter sets forth a recalibration of fair housing compliance expectations for real estate professionals. HUD specifically calls on the industry to review its ethics trainings and reevaluate prior positions that “stifle” speech regarding nonracial neighborhood characteristics that are material to housing decisions. It also states that the real estate industry should reassess guidance it has received from diversity, equity and inclusion-focused advisors, noting that such programs have relied on the disparate impact theory to justify differential treatment.</p>
<p>Practitioners should note that the withdrawal of disparate impact enforcement does not alter the prohibition on disparate treatment, and that intentional discrimination remains fully prohibited under the FHA. Further, state law may impose independent obligations – that is, states may maintain disparate impact standards or impose additional requirements on real estate professionals. Practitioners should assess applicable state-level obligations separately from this federal guidance.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CFPB Finalizes Significant Changes to Regulation B</title>
		<link>https://finsights.cooley.com/cfpb-finalizes-significant-changes-to-regulation-b/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Mon, 27 Apr 2026 19:56:42 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Regulation and Rulemaking]]></category>
		<category><![CDATA[Consumer Financial Protection Bureau (CFPB)]]></category>
		<category><![CDATA[Fair lending]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=653</guid>

					<description><![CDATA[On April 22, 2026, the Consumer Financial Protection Bureau (CFPB) published in the Federal Register a final rule amending Regulation B, the regulation implementing the Equal Credit Opportunity Act (ECOA). The final rule is largely unchanged from the CFPB’s notice of proposed rulemaking issued in November 2025. Effective July 21, 2026, the final rule: Expressly eliminates the “effects test,” commonly referred to as disparate impact. &#8230; ]]></description>
										<content:encoded><![CDATA[<p>On April 22, 2026, the Consumer Financial Protection Bureau (CFPB) published in the Federal Register a <a href="https://www.federalregister.gov/documents/2026/04/22/2026-07804/equal-credit-opportunity-act-regulation-b">final rule amending Regulation B</a>, the regulation implementing the Equal Credit Opportunity Act (ECOA). The final rule is largely unchanged from the CFPB’s <a href="https://finsights.cooley.com/revising-reg-b-cfpb-proposes-changes-to-disparate-impact-discouragement-and-special-purpose-credit/">notice of proposed rulemaking</a> issued in November 2025.</p>
<p>Effective July 21, 2026, the final rule:</p>
<ol>
<li>Expressly eliminates the “effects test,” commonly referred to as disparate impact.</li>
<li>Clarifies and narrows the “discouragement” prohibition.</li>
<li>Includes new prohibitions and conditions for special-purpose credit programs (SPCPs).</li>
</ol>
<p>The rule follows recent Trump administration actions to curb fair lending supervision and enforcement, including by <a href="https://www.occ.gov/news-issuances/bulletins/2025/bulletin-2025-16.html">eliminating references to disparate impact</a> in the Office of Comptroller of the Currency guidance and <a href="https://finsights.cooley.com/occ-to-halt-fair-lending-exams/">deferring that office’s upcoming fair lending exams</a>.</p>
<h3><strong>Effects test eliminated </strong></h3>
<p>Previously, Regulation B indicated that the ECOA authorized disparate-impact claims, which were evaluated using the “effects test.” In a disparate-impact claim, a facially neutral policy is challenged if it has a disproportionate effect on a protected class “along prohibited basis lines,” such as sex, national origin, race, color, age, religion, marital status, or the fact an applicant has exercised any rights under the Consumer Credit Protection Act (or state equivalents), unless the policy meets a legitimate business need that cannot reasonably be achieved as well by means that are less disparate in their impact.</p>
<p>In the final rule, the CFPB explicitly states that the ECOA does not authorize disparate-impact liability and removes all references to the “effects test.” The CFPB also added a comment stating that the ECOA does not prohibit practices that are facially neutral as to prohibited bases, except to the extent that facially neutral criteria are proxies for protected characteristics designed or applied with the intention of advantaging or disadvantaging individuals based on protected characteristics.</p>
<h3><strong>Discouragement narrowed and redefined</strong></h3>
<p>The rule finalizes revisions addressing:</p>
<ol>
<li>What constitutes an “oral or written statement.”</li>
<li>What counts as a statement directed to an applicant or prospective applicant.</li>
<li>The applicable liability standard.</li>
</ol>
<p>The new requirements apply to credit extended after the rule’s effective date.</p>
<p><strong>Definition of ‘oral or written statement’</strong></p>
<p>“Oral or written statement” is defined as “spoken or written words, or visual images such as symbols, photographs, or videos.” “Oral or written statements” include words in advertising and marketing campaigns, but do not extend to more general acts or practices. The final rule replaces the phrase “acts or practices” with “statements,” meaning that certain routine business practices, such as decisions about branch locations and where to advertise, will not be considered “oral or written statements,” and will not, by themselves, constitute prohibited discouragement.</p>
<p>The official interpretations include examples of prohibited statements (e.g., “don’t bother applying” after learning someone is retired; public statements expressing a discriminatory preference or policy of exclusion; or interview scripts discouraging application on a prohibited basis), along with nonprohibited statements (e.g., statements directed to and encouraging one group to apply for credit; financial literacy encouragement; or statements recommending research into a neighborhood before purchasing a home).</p>
<p><strong>Liability standard</strong></p>
<p>Creditors are prohibited from making oral or written statements directed at applicants or prospective applicants that the creditor “knows or should know” would cause a reasonable person to believe the creditor would deny credit or offer credit on less favorable terms because of a prohibited characteristic. Actual knowledge is not the standard.</p>
<p><strong>Standard for discouragement</strong></p>
<p>Under the rule, statements must be “directed at” applicants or prospective applicants, meaning that encouraging statements directed to one audience are not deemed prohibited discouragement as to others who were not the intended recipients. However, the final rule would not permit statements that express a discriminatory preference or policy of exclusion based on prohibited basis characteristics.</p>
<h3><strong>Restrictions on special-purpose credit programs </strong></h3>
<p>A for-profit SPCP may no longer use race, color, national origin or sex (or any combination of these characteristics) as eligibility criteria to participate in the program.</p>
<p><strong>Written plans requirements</strong></p>
<p>The final rule requires written plans to include evidence of the need for the program and an explanation of why the targeted class would not receive such credit absent the program. For SPCPs that require persons in the class served by the program to share a common characteristic that would otherwise be a prohibited basis, the written plan must also include an explanation of why using that basis is necessary and cannot be accomplished without using prohibited bases.</p>
<p>The final rule also adds a requirement that if a for-profit SPCP uses common characteristics beyond race, color, national origin or sex – i.e., other otherwise-prohibited bases (such as age, marital status, religion, etc.) – it must provide evidence for each individual participant that, absent the program, the participant would not receive the credit as a result of those specific characteristics.</p>
<p><strong>Tightens ‘effectively denied credit’ standard</strong></p>
<p>The rule removes the word “probably” and the “less favorable terms” alternative from the “would not receive such credit” standard, tightening the threshold for program justification.</p>
<h3><strong>Looking forward</strong></h3>
<p>The final rule makes significant changes to Regulation B, and creditors should review their existing compliance programs, marketing practices and existing SPCPs to ensure those programs and practices align with the new rule.</p>
<p>However, note that disparate treatment and intentional use of neutral criteria, such as proxies for prohibited characteristics, remain fully prohibited under ECOA and Regulation B. Further, disparate-impact liability is <strong>not</strong> broadly eliminated – creditors should be aware that state fair lending laws and the Fair Housing Act may still impose disparate-impact liability.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Fannie Mae Issues AI/ML Governance Framework for Sellers and Servicers</title>
		<link>https://finsights.cooley.com/fannie-mae-issues-ai-ml-governance-framework-for-sellers-and-servicers/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Fri, 24 Apr 2026 17:09:34 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Artificial intelligence]]></category>
		<category><![CDATA[Lending]]></category>
		<category><![CDATA[Mortgage]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=648</guid>

					<description><![CDATA[Fannie Mae recently issued Lender Letter LL-2026-04 (Fannie Mae letter), which sets forth a governance framework for Fannie Mae single-family sellers and servicers using artificial intelligence and machine learning (AI/ML) in their origination and servicing practices. The requirements will take effect on August 6, 2026. The Fannie Mae letter builds upon prior Freddie Mac updates to its Seller/Servicer Guide on the same topic (Freddie Mac &#8230; ]]></description>
										<content:encoded><![CDATA[<p>Fannie Mae recently issued <a href="https://singlefamily.fanniemae.com/media/45196/display">Lender Letter LL-2026-04</a> (Fannie Mae letter), which sets forth a governance framework for Fannie Mae single-family sellers and servicers using artificial intelligence and machine learning (AI/ML) in their origination and servicing practices. The requirements will take effect on August 6, 2026. The Fannie Mae letter builds upon prior <a href="https://guide.freddiemac.com/app/guide/section/1302.8">Freddie Mac updates to its Seller/Servicer Guide on the same topic</a> (Freddie Mac updated guidance).</p>
<p>While the mortgage industry’s adoption of AI/ML has been subject to certain regulatory requirements since before the explosion of AI-specific regulations, the recent guidance from Fannie Mae and Freddie Mac indicates a new focus on governance and encompasses risks not only from underwriting but also from third parties.</p>
<p><strong>Background</strong></p>
<p>Regulators have long acknowledged the potential – and risks – of using AI/ML tools to improve the mortgage underwriting process. Model governance, transparency and efficacy are established focus areas, even before AI was part of the conversation. Thus, the government-sponsored enterprises’ (GSEs) shift toward governance aligns with AI trends outside of the mortgage industry, and regulatory expectations within it, with a wave of state legislative proposals and enacted laws zeroing in on governance as key for responsible AI/ML deployment.</p>
<p><strong>The guidance</strong></p>
<p>While the Fannie Mae letter and Freddie Mac updated guidance are aligned in purpose, they differ meaningfully in specificity.</p>
<p><strong>Fannie Mae</strong></p>
<p>The Fannie Mae letter provides that any seller or servicer that uses AI or ML in connection with origination or servicing activity must operate under a documented, actively maintained governance program.</p>
<p>Specifically, a seller or servicer must:</p>
<ul>
<li>Maintain written policies and procedures that cover the full life cycle of any AI/ML system, and that are reviewed and updated at least annually. The policies must be communicated to relevant staff, grounded in applicable legal and regulatory requirements, calibrated to the institution’s own risk tolerance, and assigned to a designated owner.</li>
<li>Comply with <a href="https://www.fanniemae.com/media/54736/display">information security obligations</a>.</li>
<li>Manage risks from vendor and subcontractor use of AI/ML tools and apply the same governance standards as are required of the seller or servicer.</li>
</ul>
<p><strong>Freddie Mac</strong></p>
<p>The Freddie Mac updated guidance is more prescriptive than the Fannie Mae letter, mandating a more operationally demanding set of controls. Sellers and servicers must:</p>
<ul>
<li>Actively assess their AI/ML systems for specific attack vectors.</li>
<li>Conduct regular internal and external audits measured against named industry standards (i.e., National Institute of Standards and Technology 800-53 and International Organization for Standardization 27001).</li>
<li>Maintain ongoing monitoring for performance degradation and bias.</li>
<li>Implement segregation of duties with documented accountability structures and lines of communication.</li>
</ul>
<p>Unlike the Fannie Mae letter, the Freddie Mac updated guidance includes a broad indemnification obligation since it is part of the Freddie Mac Seller/Servicer Guide, requiring sellers and servicers to hold Freddie Mac harmless from losses or liability arising from their use of AI/ML. The Freddie Mac updated guidance also expressly requires that AI/ML policies be approved by senior management (including, at a minimum, the chief information officer, chief technology officer, chief information security officer or chief risk officer).</p>
<p><strong>What this means</strong></p>
<p>While substantively similar, the Fannie Mae letter provides the bones of a governance program, while the Freddie Mac updated guidance operates more like an operational checklist. Sellers and servicers will need to assess whether their programs satisfy both GSEs’ expectations.</p>
<p>More broadly, Fannie Mae and Freddie Mac have signaled their increasing oversight over AI/ML, including reserving the right to ask sellers and servicers why AI/ML is being used, the purposes of such use, and what safeguards are in place to mitigate risks related broadly to AI/ML, not just bias or discrimination risks.</p>
<p>For many sellers and servicers, the requirements may resemble governance frameworks they already have in place in response to fair lending laws. The significance of the documents, however, lies in their reach. The GSEs are no longer focused solely on discrimination and risk; they are now evaluating the broader set of risks stemming from AI/ML and a seller’s or servicer’s ability to manage those risks through governance.</p>
<p>The vendor oversight component is likely to be another operational challenge. Sellers and servicers will need to assess whether their existing vendor management programs are robust enough to satisfy at least the Fannie Mae letter and may need to evaluate their own oversight of third-party compliance.</p>
<p>As AI/ML use continues to proliferate in the mortgage industry, sellers and servicers should expect the GSEs to revisit and refine these standards over time and make AI/ML a new focal point of examinations and enforcement.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FDIC Rescinds Supervisory Guidance on Multiple NSF Fees</title>
		<link>https://finsights.cooley.com/fdic-rescinds-supervisory-guidance-on-multiple-nsf-fees/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Tue, 21 Apr 2026 18:00:19 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Federal Deposit Insurance Corporation (FDIC)]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=644</guid>

					<description><![CDATA[The Federal Deposit Insurance Corporation (FDIC) has rescinded its Biden-era supervisory guidance that cautioned banks against charging multiple non-sufficient funds (NSF) fees on a declined transaction. In announcing the rescission, the FDIC stated that its prior guidance, called Supervisory Guidance on Multiple Re-Presentment NSF Fees, was “overly broad in scope” and “raised uncertainty” about when disclosures concerning multiple attempts to initiate a payment after a &#8230; ]]></description>
										<content:encoded><![CDATA[<p>The Federal Deposit Insurance Corporation (FDIC) has <a href="https://www.fdic.gov/news/financial-institution-letters/2026/fdic-rescinds-supervisory-guidance-multiple-re-presentment?source=govdelivery&amp;utm_medium=email&amp;utm_source=govdelivery">rescinded its Biden-era supervisory guidance</a> that cautioned banks against charging multiple non-sufficient funds (NSF) fees on a declined transaction.</p>
<p>In announcing the rescission, the FDIC stated that its prior guidance, called <a href="https://www.fdic.gov/news/inactive-financial-institution-letters/2023/fdic-clarifying-supervisory-approach-regarding-supervisory">Supervisory Guidance on Multiple Re-Presentment NSF Fees</a>, was “overly broad in scope” and “raised uncertainty” about when disclosures concerning multiple attempts to initiate a payment after a failed transaction (re-presentments) may violate the prohibition on unfair or deceptive acts or practices (UDAP) under the Federal Trade Commission Act (FTC Act). The rescission is effective immediately.</p>
<p><strong>The guidance</strong></p>
<p><strong>Background</strong></p>
<p>A financial institution may charge an NSF fee when a customer initiates payment from an account with insufficient funds to cover the transaction. If a transaction is declined because of insufficient funds, banks may attempt to run the transaction again, which can result in customers being charged multiple NSF fees for the same transaction.</p>
<p>The FDIC’s NSF guidance was initially issued in 2022 amid the Biden administration’s push to curb so-called junk fees. It warned of potential compliance and litigation risks tied to the practice of charging an NSF fee upon each re-presentment of the same unpaid transaction. The FDIC suggested that charging multiple NSF fees on re-presented transactions could be unfair or deceptive should a financial institution fail to provide proper disclosures regarding re-presentment practices and fees, and encouraged institutions to review their practices and disclosures to reduce the risk of consumer harm and violations of law.</p>
<p>In 2023, the FDIC – and the Office of the Comptroller of the Currency (OCC), in a <a href="https://occ.gov/news-issuances/bulletins/2023/bulletin-2023-12.html">separate bulletin</a> – <a href="https://www.fdic.gov/news/financial-institution-letters/2023/fil23032a.pdf">revised the guidance</a>, clarifying its supervisory approach for corrective action when a violation of law is identified. The updated guidance stated that the FDIC would “not request an institution to conduct a lookback review” of past practices unless there was a “likelihood of substantial consumer harm.”</p>
<p><strong>Industry reaction</strong></p>
<p>In July 2023, the Minnesota Bankers Association (MBA) sued the FDIC and OCC, arguing that the guidance violated the Administrative Procedure Act (APA) because it failed to conduct a proper notice-and-comment rulemaking process. A judge dismissed the suit in April 2024, finding that the guidance was not a rule subject to APA requirements. The MBA appealed that decision to the Eighth Circuit, which affirmed the lower court ruling in September 2025. Recent reporting suggests that while the MBA chose not to appeal the Eighth Circuit’s ruling, it communicated with the FDIC over the past several months about rescinding the guidance.</p>
<p><strong>Rescission</strong></p>
<p>Following a recent review, the FDIC rescinded the guidance, noting it was too broad and raised questions around how disclosures may violate the prohibition on UDAP.</p>
<p>The FDIC stated that supervised institutions should still review their disclosures to confirm they accurately reflect their NSF and re-presentment practices and comply with applicable laws.</p>
<p><strong>Looking ahead</strong></p>
<p>The rescission represents a meaningful shift in the FDIC’s supervisory posture on NSF fees and is part of a broader pattern of the current administration unwinding Biden-era regulatory measures targeting bank fees.</p>
<p>In the near term, practitioners are encouraged to review their existing NSF fee practices and disclosures to confirm that they are properly grounded in applicable law independent of the now-withdrawn guidance. Note that the FDIC still expects compliance with applicable law, and the rescission does not alter underlying statutory or regulatory obligations under the FTC Act or other consumer protection frameworks. Institutions that modified their NSF fee practices or disclosure language in response to the guidance may reassess whether those changes remain appropriate considering current supervisory expectations.</p>
<p>It is also important to note that while the FDIC has rescinded its guidance, state banking agencies may have independent standards governing NSF fee practices, and institutions should ensure they have a clear view of applicable state-level requirements. Further, institutions supervised by the OCC should monitor whether the agency issues its own corresponding rescission or otherwise signals a change in its supervisory approach to multiple NSF fees on re-presented transactions.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Agencies and FinCEN Propose Coordinated Changes to AML/CFT Program Requirements</title>
		<link>https://finsights.cooley.com/agencies-and-fincen-propose-coordinated-changes-to-aml-cft-program-requirements/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Tue, 21 Apr 2026 14:21:03 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Regulation and Rulemaking]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[BSA/AML]]></category>
		<category><![CDATA[Federal Deposit Insurance Corporation (FDIC)]]></category>
		<category><![CDATA[FinCEN]]></category>
		<category><![CDATA[Office of the Comptroller of the Currency (OCC)]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=639</guid>

					<description><![CDATA[Two separate – but closely coordinated – notices of proposed rulemaking (NPRMs) were published to amend the anti-money laundering and countering the financing of terrorism (AML/CFT) requirements for certain financial institutions. The Financial Crimes Enforcement Network (FinCEN) published a proposed rule emphasizing effectiveness and outcomes over technical compliance, along with a risk-based approach directing more attention and resources toward higher-risk customers and activities. The same &#8230; ]]></description>
										<content:encoded><![CDATA[<p>Two separate – but closely coordinated – notices of proposed rulemaking (NPRMs) were published to amend the anti-money laundering and countering the financing of terrorism (AML/CFT) requirements for certain financial institutions. The Financial Crimes Enforcement Network (FinCEN) published a proposed rule emphasizing effectiveness and outcomes over technical compliance, along with a risk-based approach directing more attention and resources toward higher-risk customers and activities. The same day, the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) – the agencies – jointly proposed updates to their respective AML/CFT programs to align with FinCEN’s proposed rule and prevent conflicting standards for financial institutions.</p>
<h2><strong>Highlights of the proposals</strong></h2>
<h4>Core framework: ‘Establish and maintain’ standard</h4>
<p>The proposals introduce an explicit two-pronged framework. Institutions must (i) establish a compliant AML/CFT program, and (ii) maintain it by implementing it “in all material respects.”</p>
<h4>Codified risk assessment processes</h4>
<p>Under the proposals, institutions would be required to have risk assessment processes evaluating money laundering and the financing of terrorism (ML/TF) risks across products, services, channels, customers and geographies. Those processes must be updated promptly when the institution knows or has reason to know that its ML/TF risks have significantly changed – for example, upon adding new products, services or customer types, or completing a merger or acquisition. Critically, institutions must also review and, as appropriate, incorporate FinCEN’s governmentwide “AML/CFT Priorities”<a href="#_ftn1" name="_ftnref1">[1]</a> into their risk assessments, with flexibility to determine applicability based on their risk profile and activities.</p>
<h4>Risk-based resource allocation</h4>
<p>The proposal adopts the statutory formulation requiring programs to direct more attention and resources toward higher-risk customers and activities rather than lower-risk ones – a meaningful shift away from a uniform approach and toward a risk-calibrated model.</p>
<h4>CDD and board approval</h4>
<p>The agencies’ proposal would add ongoing customer due diligence (CDD) as a required component of the program rule, mirroring FinCEN’s existing CDD requirement and reflecting long-standing supervisory expectations. Both proposals would also require programs to be written and approved by the board, an equivalent governing body or appropriate senior management – the latter being a new flexibility that expands options beyond board-only approval.</p>
<h4>US-located AML/CFT officer</h4>
<p>Under the proposals, the designated AML/CFT officer must be located in the United States and accessible to regulators, though institutions may still retain AML/CFT staff or operations outside the US to perform certain functions, subject to suspicious activity report (SAR) sharing limitations.</p>
<h2><strong>Enforcement changes </strong></h2>
<p>A significant aspect of the proposals is the proposed overhaul of how AML/CFT supervisory and enforcement actions are initiated, including a meaningfully elevated role for FinCEN.</p>
<h4>Higher bar for enforcement actions</h4>
<p>The NPRMs establish that once a bank has properly established its AML/CFT program, it generally would not face an enforcement action or significant supervisory action based solely on implementation deficiencies – unless those deficiencies amount to a “significant or systemic” failure to implement the program in all material respects. Minor deficiencies would not necessarily mean a bank has failed to implement its program in all material respects. However, this protection does not apply to a failure to establish an AML/CFT program in the first place. “Material” implementation failures include controls not being performed consistently due to inadequate resources, risk assessment gaps that cause monitoring systems to miss material volumes or types of transactions, and data weaknesses that materially affect the institution’s ability to mitigate risk.</p>
<h4>Mandatory FinCEN consultation</h4>
<p>Before initiating a significant AML/CFT supervisory or enforcement action, federal bank regulators would be required to provide FinCEN at least 30 days’ written notice and include relevant underlying AML/CFT information – such as relevant portions of draft exam reports, draft enforcement action materials, workpapers and bank-submitted AML/CFT information – with privilege carve-outs. This requirement would represent a meaningful structural expansion of FinCEN’s role in day-to-day bank supervision, requiring regulators to consult with FinCEN before penalizing institutions over AML/CFT issues.</p>
<h2><strong>Key takeaways</strong></h2>
<p>The two proposals from FinCEN and the OCC, FDIC and NCUA would revise AML/CFT program requirements for covered financial institutions and create a new framework for how enforcement risk is assessed. While not yet announced, we also expect to see a parallel AML rulemaking from the Federal Reserve.</p>
<p>Financial institutions can prepare for any changes by mapping their current AML/CFT policies and processes against the proposals, confirming whether and how the current risk assessment formally reviews and incorporates FinCEN’s published AML/CFT Priorities, verifying that they employ, or plan to hire, an AML/CFT officer who is US-based, and preparing for the new enforcement landscape. Covered entities should consider submitting comments ahead of the June 9 deadline.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Part 3: Looking Ahead – Novel Cybersecurity Issues and Department Priorities</title>
		<link>https://finsights.cooley.com/part-3-looking-ahead-novel-cybersecurity-issues-and-department-priorities/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Mon, 20 Apr 2026 21:43:31 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[States]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=636</guid>

					<description><![CDATA[In prior posts, we discussed the amendments to 23 NYCRR Part 500 (Part 500) ahead of the April 15 deadline to certify compliance with Part 500 and the increasing focus on multifactor authentication (MFA) as a key cybersecurity control. While Part 500 sets out formal cybersecurity requirements, the New York State Department of Financial Services (NYDFS) regularly uses industry letters and guidance to signal how &#8230; ]]></description>
										<content:encoded><![CDATA[<p>In prior posts, we discussed the <a href="https://finsights.cooley.com/nydfs-refresher-series-part-1-what-companies-need-to-know-ahead-of-annual-certifications-of-compliance/">amendments to 23 NYCRR Part 500</a> (Part 500) ahead of the April 15 deadline to certify compliance with Part 500 and the <a href="https://finsights.cooley.com/part-2-nydfs-sharpens-its-focus-on-multifactor-authentication/">increasing focus on multifactor authentication</a> (MFA) as a key cybersecurity control. While Part 500 sets out formal cybersecurity requirements, the New York State Department of Financial Services (NYDFS) regularly uses industry letters and guidance to signal how it interprets those requirements in light of evolving threats. For financial institutions subject to the requirements (covered entities), these signals are especially important when evaluating whether they can confidently certify compliance.</p>
<p>In recent years, NYDFS has focused attention on novel and accelerating risks, including AI-enabled attacks, sophisticated vishing schemes and cyber threats linked to global instability.</p>
<p><strong>Artificial intelligence </strong></p>
<p>On October 16, 2024, NYDFS published <a href="https://www.dfs.ny.gov/industry-guidance/industry-letters/il20241016-cyber-risks-ai-and-strategies-combat-related-risks">a letter to covered entities</a> (letter) detailing cybersecurity risks related to AI and NYDFS’ guidance on risk mitigation strategies. NYDFS indicated that AI-related cybersecurity risk is a material change for businesses, triggering requirements for a refreshed risk assessment.</p>
<p>The letter describes examples of AI risks specifically related to cybersecurity, stemming from either a threat actor’s use of AI to enhance their attacks or from a covered financial institution’s own use of AI.</p>
<p>Threat actors increasingly use AI to enhance attacks and obfuscate their actions. NYDFS highlights that threat actors may use AI in social engineering attacks in particular (for example, in phishing or vishing attacks, or by using deepfake videos or AI-enhanced or -created photos). The FBI has <a href="https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/fbi-warns-of-increasing-threat-of-cyber-criminals-utilizing-artificial-intelligence">similarly flagged threat actor use of AI in social engineering attacks</a> as an increased risk for companies. The NYDFS letter also reminds regulated entities that threat actors often use AI in the course of technical attacks. For example, threat actors can use AI to augment their ability to “scan and analyze vast amounts of information,” “quickly and efficiently … identify and exploit security vulnerabilities,” “conduct reconnaissance” once inside a system, and “bypass defensive security controls, thereby evading detection.”</p>
<p>NYDFS also warns that introducing new third parties and vendors, such as AI providers, into a covered financial institution’s supply chain introduces new opportunities for vulnerabilities and potential compromise of the covered entity’s nonpublic information.</p>
<p>According to the letter, covered entities should consider AI-related cybersecurity risks in risk assessments. Risk assessments required by Part 500.2 must be updated annually, as well as “whenever a change in the business or technology causes a material change” to the covered entity’s cybersecurity risk profile. NYDFS indicates that it considers risks posed by AI to be a material change. The overall takeaway is not that covered entities must deploy AI-specific controls, but that their risk assessments, training, access controls and governance structures should reflect the reality of AI-driven threats within the context of the institution’s risk profile.</p>
<p><strong>‘Vishing’ and advanced social engineering</strong></p>
<p>In line with the focus on MFA, NYDFS has repeatedly emphasized the growing sophistication of social engineering attacks, including voice-based schemes targeting employees, executives and customer service functions. “Vishing” attacks are a type of attack where threat actors use voice-based phishing to bypass traditional technical controls by exploiting human trust. An <a href="https://www.dfs.ny.gov/industry-guidance/industry-letters/20260206-cybersecurity-advisory-targeted-vishing-attacks">advisory issued to covered entities</a> on February 6, 2026, warns that vishing is an increasingly common tactic. NYDFS specifically warned about threat actors posing as IT or help desk workers and tricking employees into providing credentials, including MFA, over phone calls.</p>
<p>NYDFS clearly expects covered entities to review their cybersecurity programs in light of this risk and advises that appropriate risk mitigation steps include:</p>
<ul>
<li>Implementing procedures to help employees verify the identity of a caller.</li>
<li>Tailored training for employees in frequently targeted roles regarding the risk of vishing.</li>
<li>Reviewing access controls and permissions regularly to ensure that if employees are compromised, they do not have more access than necessary, thereby mitigating some of the potential impact of a successful vishing attack.</li>
<li>Reviewing MFA and evaluating the process for enrolling new methods of MFA.</li>
<li>Deploying continuous monitoring and detection capabilities.</li>
</ul>
<p>NYDFS’ overall message is clear: Covered entities should consider whether their controls – such as authentication, employee awareness and incident response – are calibrated to address the risk of vishing and other increasingly sophisticated social engineering tactics, not just traditional malware or network intrusions.</p>
<p><strong>Global conflicts and geopolitical cyber risk</strong></p>
<p>On March 3, 2026, NYDFS issued a new industry letter reminding covered entities that ongoing global conflict has elevated cybersecurity risk across the financial sector. While NYDFS’ letter noted that it had not observed a specific, coordinated campaign targeting covered entities at the time of issuance, the US intelligence community <a href="https://edition.cnn.com/2026/03/10/politics/us-intel-warning-retaliatory-attacks-iran">warned law enforcement agencies and private companies</a> that the US financial sector has historically been viewed as a priority target.</p>
<p>The advisory letter serves as a prompt for covered entities to audit their existing compliance with Part 500 – underscoring that the regulation’s requirements are intended to be dynamic, and covered entities are expected to take the current geopolitical situation into account when assessing and responding to risk. The advisory’s specific recommendations – including prompt vulnerability remediation, least privilege enforcement, enhanced monitoring and operational resilience testing – map closely to core requirements, reminding entities that NYDFS views geopolitical threat escalation as an examination-readiness moment, not merely a general warning. Previous guidance <a href="https://www.dfs.ny.gov/industry_guidance/industry_letters/il20250623_impact-global-conflict">issued to covered entities</a> in June 2025 remains responsive to <a href="https://www.reuters.com/business/finance/us-banks-high-alert-cyberattacks-iran-war-escalates-2026-03-03/">current geopolitical-driven cyber threats</a>. State-aligned actors, spillover attacks and opportunistic campaigns can all affect covered entities.</p>
<p>NYDFS recommends that institutions review their risk assessments to consider whether geopolitical events warrant updates to their cyber risk profile. Covered entities should also closely assess their third-party service providers to determine if they pose additional risks.</p>
<p>Guidance also highlights that reviewing, testing and updating both incident response plans and business continuity and disaster recovery plans are key in mitigating the potential impact of a geopolitical-related cyber event. The amendments to Part 500.16 mirror this guidance, requiring covered entities to have in place a business continuity and disaster recovery plan that is “reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities.” Business continuity and disaster recovery plans should be reviewed and tested annually, include procedures for timely recovery of critical data and systems, address backup processes and offsite data storage, and be distributed to employees along with training on them.</p>
<p>The potential for geopolitical cyber events reinforces NYDFS’ emphasis on resilience: incident response planning, business continuity and the ability to respond quickly to evolving threats. While Part 500 does not require covered entities to predict specific geopolitical events, NYDFS expects them to recognize that global instability can increase cyber risk and adjust their cybersecurity programs accordingly.</p>
<p><strong>Final thoughts</strong></p>
<p>The annual cybersecurity certification process sits at the intersection of law, technology and risk management. As NYDFS’ enforcement of Part 500 evolves – and as the threat landscape grows more complex – financial institutions should view the certification process as an opportunity to assess whether their cybersecurity programs truly align with Part 500 and regulatory expectations. By understanding how NYDFS views key updates to Part 500 within the broader cybersecurity threat landscape, including its focus on MFA and emerging threats, institutions can approach certification with greater confidence and resilience.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CSBS Interpretive Guidance Clarifies Some Stablecoins May Be Included in Tangible Net Worth Calculations for Money Transmitters</title>
		<link>https://finsights.cooley.com/csbs-interpretive-guidance-clarifies-some-stablecoins-may-be-included-in-tangible-net-worth-calculations-for-money-transmitters/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Thu, 09 Apr 2026 20:17:39 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Cryptocurrency]]></category>
		<category><![CDATA[Money transmission]]></category>
		<category><![CDATA[States]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=608</guid>

					<description><![CDATA[The Conference of State Bank Supervisors (CSBS) recently issued interpretive guidance addressing the accounting treatment of stablecoins in the tangible net worth (TNW) calculation under its Model Money Transmission Modernization Act (MTMA). The guidance clarifies that CSBS intends for the definition of TNW under the MTMA to include, as “tangible financial assets,” stablecoins that meet certain criteria. The guidance is nonbinding, and it is uncertain &#8230; ]]></description>
										<content:encoded><![CDATA[<p>The Conference of State Bank Supervisors (CSBS) recently issued <a href="https://www.csbs.org/sites/default/files/Interpretive%20Guidance%20-%20Stablecoin%20Tangibility%20(FINAL).pdf">interpretive guidance</a> addressing the accounting treatment of stablecoins in the tangible net worth (TNW) calculation under its Model Money Transmission Modernization Act (MTMA). The guidance clarifies that CSBS intends for the definition of TNW under the MTMA to include, as “tangible financial assets,” stablecoins that meet certain criteria. The guidance is nonbinding, and it is uncertain whether state banking departments will consistently embrace this approach when evaluating whether licensees meet TNW requirements.</p>
<p><strong>Background</strong></p>
<p>Developed by CSBS with input from industry and regulators, the <a href="https://www.cooley.com/news/insight/2024/2024-08-20-us-states-adopt-model-money-transmission-act-but-harmonization-remains-elusive">MTMA</a> aims to standardize the regulation of companies subject to state money transmission laws by setting forth a uniform state-level licensing framework. To date, money transmission laws based in whole or in part on the MTMA have been enacted by 31 states.</p>
<p>Under the MTMA, licensees must maintain a certain net worth, generally calculated as total assets minus liabilities minus intangible assets, which must exceed a tiered percentage of total assets. The current MTMA definition of “tangible net worth” does not expressly include or exclude stablecoins, which has created uncertainty for licensees.</p>
<p><strong>Interpretive guidance</strong></p>
<p>This latest guidance clarifies that an on-balance sheet fiat-backed stablecoin qualifies as a tangible financial asset for TNW purposes if a contract exists between the issuer and holder that conveys the holder’s legally enforceable, unconditional right to redeem the stablecoin for cash (i.e., fiat currency) at par from the issuer. Stablecoins that do not satisfy that standard, including non-fiat-backed stablecoins, should instead be treated as intangible assets and excluded from aggregate assets in the TNW calculation. The guidance further notes that payment stablecoins issued in compliance with the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act convey a contractual right to receive cash from the issuer and therefore should meet the fiat-based financial asset standard.</p>
<p><strong>What this means</strong></p>
<p>By clarifying how stablecoins factor into the TNW calculation, the CSBS guidance can potentially resolve a gap in the MTMA framework – and give state banking departments a clear standard for classifying these assets on licensees’ balance sheets.</p>
<p>As more states adopt the MTMA, interpretive positions will continue to play an increasingly important role in ensuring the model law keeps pace with evolving business models. For money transmitters that hold or transact in stablecoins, the immediate takeaway is the need to review the redemption terms and supporting documentation for each stablecoin currently carried on their balance sheets, confirming whether the instrument conveys an unconditional, legally enforceable right to redeem for cash at par. Even if licensees’ holdings are consistent with this guidance, however, companies still need to consider the willingness of state banking departments to embrace it.</p>
<p>Looking ahead, additional asset-specific guidance from the CSBS is likely as digital assets become more prevalent in payment flows and new product structures test the boundaries of existing definitions. The advancement of the GENIUS Act will further shape the landscape at the federal level; as federal standards for payment stablecoins take form, we expect state supervisors to calibrate their frameworks to maintain supervisory relevance and mitigate conflict between state and federal requirements and standards.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Part 2: NYDFS Sharpens Its Focus on Multifactor Authentication</title>
		<link>https://finsights.cooley.com/part-2-nydfs-sharpens-its-focus-on-multifactor-authentication/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Mon, 06 Apr 2026 15:12:39 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[States]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=604</guid>

					<description><![CDATA[Financial institutions covered by 23 NYCRR Part 500 (Part 500) (covered entities) must annually certify their compliance with these cybersecurity regulations. As the April 15 date for certifying compliance approaches, the New York Department of Financial Services (NYDFS) has been reinforcing its focus on one particular element of the updated requirements – multifactor authentication (MFA). On February 26, 2026, NYDFS hosted a public cybersecurity presentation &#8230; ]]></description>
										<content:encoded><![CDATA[<p>Financial institutions covered by <a href="https://cdp.cooley.com/new-york-department-of-financial-services-amends-its-cybersecurity-regulations/">23 NYCRR Part 500 (Part 500)</a> (covered entities) must annually certify their compliance with these cybersecurity regulations. As the <a href="https://finsights.cooley.com/nydfs-refresher-series-part-1-what-companies-need-to-know-ahead-of-annual-certifications-of-compliance/">April 15 date for certifying compliance approaches</a>, the New York Department of Financial Services (NYDFS) has been reinforcing its focus on one particular element of the updated requirements – multifactor authentication (MFA). On February 26, 2026, NYDFS hosted a <a href="https://www.dfs.ny.gov/system/files/documents/2026/02/Cyber-Public-Training-Lets-Talk-MFA-2026-02-26.pdf">public cybersecurity presentation</a> called “Let’s Talk MFA,” offering important insight into how NYDFS interprets and supervises the expanded MFA requirements under Part 500. The presentation and corresponding <a href="https://www.dfs.ny.gov/industry_guidance/cybersecurity">Frequently Asked Questions</a> make clear that MFA remains a top supervisory priority – and that covered entities should expect close scrutiny of how their MFA is designed, implemented, documented and governed.</p>
<p><strong>MFA is a baseline requirement, but not a one-size-fits-all control</strong></p>
<p>Under the amendments to Part 500, MFA is now required for <strong>any</strong> person accessing a covered entity’s information systems, unless an exemption is approved in writing by the chief information security officer (CISO), or the senior-most executive responsible for cybersecurity if the covered entity does not have a CISO. To comply with the requirements, the MFA must consist of at least two distinct authentication factors, each drawn from a different one of three categories: knowledge (something you know), possession (something you have) or inherence (something you are). Using two factors from the same category (for example, a password and a security question – both something you know) does not satisfy the requirement.</p>
<p>While NYDFS stated that it is agnostic on specific MFA solutions, it reiterated that covered entities are expected to select MFA solutions and vendors appropriate for their specific risk profile. NYDFS’ “Let’s Talk MFA” presentation emphasized that simply deploying an MFA solution is not sufficient to meet the requirements if the configuration is weak or can be bypassed.</p>
<p><strong>Specific use cases: Single sign-on, cloud platforms and external-facing websites</strong></p>
<p>NYDFS highlighted a few specific use cases drawn from industry questions it received regarding Part 500’s updated MFA requirements. First, NYDFS confirmed that single sign-on (SSO) solutions are permitted under Part 500, provided that MFA is enforced and cannot be effectively bypassed through SSO.</p>
<p>NYDFS also made explicit that cloud-based email, document hosting and other software as a service (SaaS) platforms are considered part of a covered entity’s “information systems” for purposes of Part 500, even when provided or managed by third parties. The entity must comply with Part 500 with respect to these platforms, and MFA must be enforced consistently on these platforms, including for privileged users. NYDFS stated that covered entities may not rely solely on a provider’s default MFA settings to satisfy Part 500 obligations. Instead, institutions are expected to evaluate whether those controls are compliant with Part 500 and appropriate to the covered entity’s risks, information systems and data.</p>
<p>Lastly, NYDFS addressed external-facing resources, a common question regarding the expansion of Part 500’s requirements. External websites intended solely for public consumption do not require MFA because they do not provide access to nonpublic information (NPI). However, NYDFS cautioned that if an external-facing system hosts NPI or poses a material risk to the covered entity or its customers, MFA to access those pages would be required. In practice, this means customer portals that provide access to NPI or other account information must have compliant MFA.</p>
<p><strong>Privileged access remains a supervisory focus</strong></p>
<p>NYDFS noted in the webinar that it continues to observe weaknesses where privileged or administrative users are not consistently subject to MFA. Because privileged access is inherently higher risk, NYDFS expects covered entities to address it explicitly in their risk assessments and consider appropriate MFA. The MFA used for standard access, NYDFS warned, may not be considered compliant for privileged access if privileged access poses significantly more risk to the covered entity’s information systems or NPI.</p>
<p><strong>What NYDFS will look for in examinations</strong></p>
<p>In the presentation, NYDFS noted that its supervisory exams will focus on:</p>
<ul>
<li>Whether MFA is implemented where required.</li>
<li>Whether high-risk systems and users are appropriately protected through the use of MFA.</li>
<li>The configuration of MFA and its effectiveness.</li>
<li>The MFA’s ability to prevent phishing, replay attacks and technical bypasses.</li>
<li>How MFA integrates with the covered entity’s incident detection and response.</li>
</ul>
<p>In short, NYDFS expects MFA to function as a meaningful security control and not a check-the-box exercise.</p>
<p><strong>Practical takeaways</strong></p>
<p>For covered entities, the “Let’s Talk MFA” presentation reinforces that MFA is now a foundational cybersecurity control under Part 500. Covered entities should ensure that their MFA programs are risk-based, well-documented, consistently enforced (particularly for privileged users and cloud platforms), and supported by strong governance and monitoring.</p>
<p>As NYDFS continues to refine its guidance and enforcement posture, covered entities that can demonstrate thoughtful design and substantive risk analysis will be best positioned in examinations and supervisory inquiries.</p>
<p>Stay tuned for the final installment of our Part 500 refresher series, where we’ll explore how NYDFS has tackled emerging and novel cybersecurity issues.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FDIC Issues 2026 Consumer Compliance Supervisory Highlights</title>
		<link>https://finsights.cooley.com/fdic-issues-2026-consumer-compliance-supervisory-highlights/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Thu, 02 Apr 2026 21:32:07 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Federal Deposit Insurance Corporation (FDIC)]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=601</guid>

					<description><![CDATA[The FDIC recently published its annual Consumer Compliance Supervisory Highlights, covering examination results and consumer complaint trends for FDIC-supervised state-chartered banks and thrifts that are not members of the Federal Reserve System (supervised institutions). The report, summarized below, describes the FDIC’s findings from approximately 825 consumer compliance examinations of supervised institutions and from a review of approximately 32,000 consumer complaints. Most frequently cited violations identified &#8230; ]]></description>
										<content:encoded><![CDATA[<p>The FDIC recently published its <a href="https://www.fdic.gov/bank-examinations/fdic-consumer-compliance-supervisory-highlights-spring-2026.pdf">annual Consumer Compliance Supervisory Highlights</a>, covering examination results and consumer complaint trends for FDIC-supervised state-chartered banks and thrifts that are not members of the Federal Reserve System (supervised institutions). The report, summarized below, describes the FDIC’s findings from approximately 825 consumer compliance examinations of supervised institutions and from a review of approximately 32,000 consumer complaints.</p>
<p><strong>Most frequently cited violations identified in examinations </strong></p>
<p>In 2025, the FDIC identified 1,155 violations of consumer protection statutes and regulations through exams of supervised institutions. The top five most frequently cited violations accounted for almost 75% of total violations cited and related to the following areas, all of which were also the top cited categories of violations in 2024<a href="#_ftn1" name="_ftnref1">[1]</a>:</p>
<ul>
<li><strong>Truth in Lending Act (TILA)/Regulation Z (462 violations): </strong>The most common TILA violations involved institutions failing to provide required information in disclosures about the cost of credit to borrowers, as set forth in Regulation Z.</li>
<li><strong>Electronic Fund Transfer Act (EFTA)/Regulation E (136 violations): </strong>The bulk of EFTA violations, which climbed to the second-most frequently cited issue from the year prior, stemmed from how institutions handled investigations of EFT errors.</li>
<li><strong>Flood Disaster Protection Act (FDPA) (131 violations): </strong>The most frequently cited FDPA violation involved institutions’ extension of loans secured by properties in designated flood hazard zones without ensuring that adequate flood insurance was in place at closing.</li>
<li><strong>Truth in Savings Act (TISA)/Regulation DD (74 violations): </strong>Examiners found that some institutions failed to provide accurate disclosures regarding the terms and costs of consumer deposit accounts.</li>
<li><strong>Home Mortgage Disclosure Act (HMDA)/Regulation C (72 violations): </strong>The most common HMDA violations involved institutions failing to provide sufficient data for one or more required data fields, including borrower information and loan information.</li>
</ul>
<p><strong>Enforcement actions</strong></p>
<p>In 2025, the FDIC brought 16 formal enforcement actions and 11 informal enforcement actions to address examination findings. The FDIC issued orders totaling approximately $150 million against institutions to address flood insurance violations under the FDPA and unfair acts or practices under Section 5 of the Federal Trade Commission Act. The FDIC also required approximately $1.2 billion in restitution through formal orders, and supervised institutions provided voluntary restitution payments totaling $4.7 million to 47,902 consumers.</p>
<p><strong>Consumer complaint trends</strong></p>
<p>The FDIC’s Consumer Response Unit (CRU) closed more than 32,000 complaints in 2025, an increase of 21% from 2024. Of the complaints investigated by the FDIC, the CRU identified 280 errors made by financial institutions, 108 federal consumer protection violations and 76 cases requiring further review by an FDIC regional office. Fair lending complaints decreased by 37%, from 62 in 2024 to 39 in 2025.</p>
<p>Complaints received centered around a handful of financial products, with credit cards, checking accounts, installment loans and consumer lines of credit drawing the highest complaint volume. Across all complaints, the top issue raised related to credit reporting, which accounted for 35% of all issues identified. Of note, third-party service providers were cited in more than 6,300 consumer complaints, representing a nearly 48% increase compared to 2024.</p>
<p>The FDIC’s review and resolution of consumer complaints led to $1.67 million in voluntary restitution and compensation to consumers, which was less than the amount provided to consumers in 2024. More than 600 cases were resolved through corrected credit reports, debt forgiveness, suspension of collection activity, loan modifications and other non-monetary actions.</p>
<p><strong>Looking ahead</strong></p>
<p>The examination findings and consumer complaint trends highlighted in the report shed light on where the FDIC may focus its supervisory and examination efforts moving forward.</p>
<p>However, the report comes as federal financial regulators, including the FDIC, have generally scaled back certain enforcement and supervisory efforts amidst staff reductions. In particular, the FDIC’s workforce has dropped by about 20%. Just last week, the Office of the Inspector General <a href="https://www.fdicoig.gov/sites/default/files/reports/2026-03/TMPC_Final_March%202026.pdf">cited concerns</a> as to whether the reduction in personnel could impact the “FDIC’s capacity to maintain sufficient skilled personnel for statutorily required examinations and to execute the resolution and receivership activities.”</p>
<p>Nonetheless, in light of the report findings and complaint trends, supervised institutions should continue to monitor disclosures, electronic fund transfer error resolution procedures and flood insurance requirements, in addition to assessing their third-party provider oversight programs.</p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> The FDIC report focuses on the five most frequently cited Level 3 or Level 2 violations and does not include Level 1 violations, which are the “lowest level of concern.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>NYDFS Refresher Series – Part 1: What Companies Need to Know Ahead of Annual Certifications of Compliance</title>
		<link>https://finsights.cooley.com/nydfs-refresher-series-part-1-what-companies-need-to-know-ahead-of-annual-certifications-of-compliance/</link>
		
		<dc:creator><![CDATA[Cooley]]></dc:creator>
		<pubDate>Tue, 24 Mar 2026 19:44:44 +0000</pubDate>
				<category><![CDATA[_Send Notifications]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Supervision and Enforcement]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[States]]></category>
		<guid isPermaLink="false">https://finsights.cooley.com/?p=591</guid>

					<description><![CDATA[Upcoming compliance certification Every year by April 15, financial entities subject to the New York Department of Financial Services (NYDFS) oversight (covered entities) are required to certify their compliance with the NYDFS’ cybersecurity regulations, 23 NYCRR Part 500 (Part 500). This year’s deadline will be the first time covered entities must certify compliance with all of the amendments to Part 500 that were phased in &#8230; ]]></description>
										<content:encoded><![CDATA[<p><strong>Upcoming compliance certification</strong></p>
<p>Every year by April 15, financial entities subject to the New York Department of Financial Services (NYDFS) oversight (covered entities) are required to certify their compliance with the NYDFS’ cybersecurity regulations, <a href="https://cdp.cooley.com/new-york-department-of-financial-services-amends-its-cybersecurity-regulations/">23 NYCRR Part 500 (Part 500)</a>. This year’s deadline will be the first time covered entities must certify compliance with all of the amendments to Part 500 that were phased in from November 2023 through November 2025 (Part 500 amendments).</p>
<p>This series will highlight key aspects of Part 500’s amendments, as well as recent NYDFS guidance, and provide insight into how NYDFS may assess compliance with Part 500.</p>
<p>Part 1 addresses asset inventories and risk assessment amendments, Part 2 details updated requirements for multifactor authentication and Part 3 explores the emerging cybersecurity issues that NYDFS has identified as key priority areas.</p>
<p><strong>Certification requirements</strong></p>
<p>Certifications of compliance are affirmative representations by a covered entity’s chief information security officer (CISO) or senior-most executive responsible for cybersecurity, attesting that the covered entity is in compliance with Part 500, and that the certification has been made upon the certifying individual’s review of the documents and controls upon which the certification is based. Certifications must be accurate, as making false statements to NYDFS is itself actionable, in addition to any substantive violations of Part 500. Additionally, the certifying individual could be held personally liable for certifying false statements to NYDFS. NYDFS has made clear through examinations, consent orders and explicit guidance that it expects certifications to be accurate, supportable and grounded in documented controls.</p>
<p>With the Part 500 amendments now in effect, NYDFS provides covered entities with two options: Submit a certification of material compliance, or submit an acknowledgement of noncompliance. An acknowledgement of noncompliance must contain:</p>
<ul>
<li>An acknowledgment that the covered entity did not materially comply with Part 500.</li>
<li>An identification of all sections of Part 500 that the entity is not in material compliance with.</li>
<li>A description of the nature and extent of noncompliance.</li>
<li>A remediation timeline or confirmation that remediation has been completed for the areas of noncompliance.</li>
</ul>
<p><strong>Part 500.13: Asset inventories </strong></p>
<p>One of the most significant developments is that the amended Section 500.13, effective November 2025, explicitly requires covered entities to maintain an inventory of all assets, not just those that are material to the covered entity or contain nonpublic information (NPI). This reflects NYDFS’ position that institutions cannot protect systems, devices and data they do not know they have. Numerous other Part 500 requirements rely on functional asset inventories, including risk assessments, access controls, vulnerability management and incident response planning. Deficiencies in asset inventories can therefore cascade into compliance gaps with these provisions of Part 500 as well.</p>
<p>An asset management policy should cover the entire asset life cycle – from onboarding and classification to tracking, support and eventual deprecation. The policy should also document a cadence for reviewing, updating and validating the asset inventory. The asset inventory itself should identify owner, location and recovery time objectives for each asset.</p>
<p>The Part 500 amendments make clear that covered entities cannot treat asset inventories as a static list of systems, devices and data; the inventory is meant to be a living record.</p>
<p><strong>Part 500.9: Risk assessments</strong></p>
<p>Risk assessments have always been central to Part 500, but the amendments reinforce their role as the driver of the cybersecurity program and the basis on which a program is evaluated. NYDFS now requires covered entities to conduct risk assessments at least annually <strong>and</strong> whenever material business or technology changes occur, which could include geopolitical events.</p>
<p>This reflects NYDFS’ position that a risk assessment cannot be static, generic or disconnected from operational reality. A risk assessment serves as the evidentiary bridge between hypothetical risk and implemented controls. A covered entity that cannot demonstrate how its cybersecurity measures are appropriate in the context of assessed risks may face questions about the sufficiency of its overall compliance and certification with Part 500.</p>
<p><strong>Looking ahead</strong></p>
<p>For covered entities, the annual certification should be approached as a governance exercise, not a formality. Individuals responsible for preparing for certifications should take care to review the institution’s compliance posture holistically, building on the asset inventory and risk assessment controls as the key components underpinning compliance.</p>
<p>In our next post, we turn to one of the most heavily scrutinized areas of the amended Part 500: multifactor authentication.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
