The rescission is consistent with the CFPB’s final rule published in April 2026, which implements revisions to Regulation B, including revising certain standards for SPCPs. Pursuant to the final rule, a for-profit SPCP may no longer use race, color, national origin or sex (or any combination of these characteristics) as eligibility criteria to participate in the program. The final rule also requires written plans to include evidence of the need for the program and an explanation of why the targeted class would not receive such credit absent the program. Finally, it adds a requirement that if a for-profit SPCP uses common characteristics beyond race, color, national origin or sex, it must provide evidence for each individual participant that, absent the program, the participant would not receive the credit as a result of those specific characteristics. The CFPB noted that it rescinded the 2020 advisory opinion “as it is now outdated and inconsistent with the[se] recent amendments to Regulation B.”

Background

Currently, TILA and its implementing Regulation Z require creditors to assess a borrower’s ability to pay before extending credit, including mortgages and credit cards. With respect to mortgages, creditors must make ‘‘a reasonable and good faith determination at or before consummation that the consumer will have a reasonable ability to pay the loan,” including considering the borrower’s current or reasonably expected income. Creditors relying on a consumer’s current income must consider current employment status. Similarly, before opening a new account or increasing a line of credit, credit card issuers must consider the borrower’s ability to make the required minimum periodic payments, including consideration of current or expected income or assets. When deciding whether to extend credit, lenders only need to assess a borrower’s ability to pay based on the information available at the time the credit decision is made – they are not required to predict future changes in income absent information suggesting a potential future change in payment ability.

The statement

In its statement, the CFPB provides that these requirements may require consideration of immigration status, particularly if “documentation in the consumer’s application or records indicates that the consumer’s repayment ability will change on account of their immigration status.”

Note that the statement does not have the force or effect of law. Further, the statement purportedly builds on existing authority and does not create new obligations for creditors. Existing Regulation B, which implements the Equal Credit Opportunity Act (ECOA), expressly permits a creditor to take into account an applicant’s immigration status and “any additional information that may be necessary to ascertain the creditor’s rights and remedies regarding repayment.” However, by clarifying when creditors may be affirmatively obligated to act on immigration status information already present or documented in the application file, the statement places immigration status considerations squarely within the ability-to-pay compliance obligations for creditors.

Looking forward

Based on the CFPB’s statement, creditors – particularly mortgage lenders and credit card issuers –should review and update their policies and procedures to address when and how immigration status may impact ability-to-pay determinations. Note that fair lending obligations have not diminished, and creditors should consider documenting their reasoning for credit decisions, as well as immigration status analysis tethered to income continuity risk.

Background

In August 2025, President Donald Trump signed an executive order, “Guaranteeing Fair Banking Access for All Americans,” which directed federal banking regulators, including the FDIC, OCC and Federal Reserve to take certain actions to combat debanking. These actions included:

1. Removing all considerations of “reputation risk” (and similar concepts) from guidance materials used to regulate or examine supervised financial institutions.
2. Issuing new, formal guidance to their examiners including these changes.

In response, in April 2026, the OCC and FDIC jointly published a final rule codifying the elimination of “reputation risk” from their supervisory activities. The Federal Reserve is expected to finalize a similar rule proposed in February 2026.

Revisions to the guidance documents

In announcing the revised guidance, the agencies stated that references to “reputation” could be “misused as a basis to restrict individuals’ and legal businesses’ access to financial services due to their constitutionally protected political or religious beliefs, speech, or conduct or lawful business activities.” Removing “reputation risk” from the documents is intended to refocus supervision on “material financial risks.”

The reissued documents cover a range of topics, including asset securitization, subprime lending programs, financial support to affiliated funds, bank-owned life insurance, customer identification program FAQs, home equity lending risk management, remote deposit capture, counterparty credit risk, ATM and card authorization, cyber threats, distributed denial-of-service attacks, cyber extortion, cyber insurance, operational resilience, elder financial exploitation and loan participation sales.

What’s next

The agencies have indicated they will continue to review their supervisory materials and may update additional documents as appropriate. Banks and other regulated institutions should review their examination preparation materials and internal risk frameworks to determine whether any remaining references to “reputation risk” require updating to reflect the agencies’ current posture – while keeping in mind that all safety-and-soundness expectations grounded in tangible financial risks remain fully intact.

Read more from our colleagues

SB 24-205 was significant in its potential impact to financial institutions, with a murky exemption for financial institutions subject to substantially similar obligations and regulatory oversight. However, SB 189 entirely eliminates that exemption.

While SB 189 will impose less burdensome obligations on financial institutions than those in the 2024 law, the fact that it pulls regulated entities into its scope unambiguously by eliminating the limited exemption from SB 24-205 marks a new era in state AI laws for financial institutions.

Key changes from the 2024 law

Terminology

The most noticeable change between the old and new Colorado bills is the terminology and framing.

The prior law applied to “high-risk artificial intelligence systems,” which were defined broadly to encompass any AI system that, when deployed, makes, or is a substantial factor in making, a consequential decision. SB 189 replaces this framework with a more technology-neutral concept and terminology lifted from privacy regulations: “automated decision-making technology” (ADMT), which is defined as a technology that processes personal data and uses computation to generate output (including predictions, recommendations, classifications, rankings, scores or other information) that is used to make, guide or assist a decision, judgment or determination concerning an individual. An ADMT is subject to SB 189 when it is used to materially influence a consequential decision, which is generally a decision that impacts a consumer’s access, eligibility or opportunity to receive, among other things, a financial or lending service or insurance pricing or coverage (covered domains).

A “consequential decision” includes decisions that relate to a differentiated price, cost sharing, compensation or other material terms in a manner reasonably likely to materially limit, delay, effectively deny or otherwise fundamentally alter the consumer’s access, eligibility or opportunity for a covered domain. Relevant to financial institutions, SB 189 includes a handful of narrow exemptions:

• Activities relating to technologies used for cybersecurity, spam and robocall filtering, system reliability, and anti-money laundering and counter-terrorist financing controls.
• Activities relating to technologies used for sanctions compliance, excluding facial recognition unless its sole purpose is to confirm an individual’s identity.
• Activities relating to technologies used for fraud prevention, including identity verification, consumer identification, monitoring and reporting controls required under state or federal law.

While these carve-outs may offer relief for certain core financial services activities, just as in the prior version of the law, there is no entity- or data-level exemption for the Gramm Leach Bliley Act (GLBA) under SB 189. This means that the use of ADMT as part of the offering of financial, lending or insurance products or services to consumers is likely to be within scope of SB 189.

Reduced compliance obligations

SB 189 eliminates several of the most operationally burdensome requirements from SB 24-205, including:

• Anti-discrimination duty. Developers and deployers were required to use “reasonable care” to protect consumers from known or reasonably foreseeable risks of “algorithmic discrimination.”
• Impact assessments. Deployers were required to complete a detailed impact assessment before deploying a high-risk AI system and at least annually thereafter.
• Risk management policy. Deployers were required to implement a formal risk management policy and program governing each high-risk AI system deployment.
• Public website disclosures. Deployers were required to post on their website a statement summarizing all deployed high-risk AI systems and how they managed algorithmic discrimination risks.
• Reporting to the Colorado attorney general. Deployers discovering algorithmic discrimination were required to notify the attorney general within 90 days of discovery.
• Bank/credit union exemption. Banks, credit unions and their affiliates could claim full compliance if subject to regulations or an examination by a state or federal prudential regulator under guidance substantially equivalent to or more stringent than SB 24-205’s requirements.

What’s new and relevant to financial institutions

Limited disclosure safe harbor

A financial institution that is required to provide, and does provide, a notice to a consumer under the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, and where applicable under the Fair Credit Reporting Act (FCRA), complies with the notice and disclosure requirements of SB 189 for the same decision or adverse outcome. Functionally, this means that financial institutions that provide adverse action notices under ECOA or FCRA can leverage those existing structures, rather than providing redundant or duplicative notices to satisfy SB 189.

No mandatory disclosure where prohibited by law

SB 189 does not require a disclosure, explanation or furnishing of information to a consumer to the extent doing so would be prohibited by federal law (including the GLBA) or would compromise the confidentiality or integrity of cybersecurity, fraud prevention, anti-money laundering, counter-terrorist financing or economic sanctions compliance programs. Functionally, this means that the content of disclosures and notices can be limited in terms of level of detail or the provision of personal data, where these countervailing obligations take over.

Broader exemptions

While AI-assisted decisions involving financial or lending services fall within the law’s covered domains, SB 189 offers practical exemptions for tools used for anti-money laundering compliance, sanctions screening, fraud prevention and identity verification.

Practical takeaways for financial institutions

For financial institutions, the compliance burden under SB 189 generally is substantially lighter than under SB 24-205. The new statute eliminates several of the prior regime’s most demanding features, including mandatory risk management policies, annual impact assessments and reporting obligations to the attorney general. In their place is a more targeted set of requirements focused on consumer-facing obligations, including website disclosures, post-adverse outcome notices within 30 days, meaningful human review upon request and record retention for three years. However, due to the elimination of SB 24-205’s narrow bank and credit union exemption, regulated financial institutions can no longer assume that existing examination or regulatory frameworks may place them outside the law’s reach.

With the January 1, 2027, effective date approaching, financial institutions should begin preparing now. The attorney general is required to issue rules clarifying post-adverse outcome disclosure requirements and consumer rights by that date, and those rules may provide important sector-specific direction. In the meantime, institutions can begin identifying and mapping the AI tools they use in consequential decisions that may be within scope of SB 189.

The AI Input Zone: Shaping what ‘good’ looks like

The AI Input Zone was launched in November 2024 as the feedback platform component of the FCA’s AI Lab. Its reopening signals that the FCA is now actively building its evidence base ahead of a dedicated good and poor practice publication on AI, expected later in 2026.

The FCA is asking for specific examples and views on what allows firms to develop and deploy AI use cases safely and responsibly; what is stopping firms from developing and deploying AI; and what themes and topics the FCA should address in its good and poor practice publication.

The deadline for responses is 19 June 2026.

The joint statement: Frontier AI as a cyber threat

On 15 May, the Bank of England, FCA and HM Treasury published a joint statement on frontier AI models and cyber resilience. The statement was directed at all regulated firms and financial market infrastructures (FMIs) and, although it does not introduce new requirements, serves as a timely reminder of existing obligations and regulatory expectations.

The statement highlights that firms need effective protective, detective, threat containment and cyber response capabilities. In line with operational resilience rules and expectations, regulated firms and FMIs need to take action to plan for and mitigate cybersecurity risks posed by frontier AI.

The statement identifies five key domains for action: governance and strategy; identification and risk management of vulnerabilities; managing risks from third parties; protection; and response and recovery.

Key takeaways

These developments give a clear message that UK regulators are thinking seriously about responsible deployment of AI and the associated advantages and risks. In practice, this means:

• Firms should consider responding to the AI Input Zone consultation: The FCA’s good and poor practice publication will matter. Firms – particularly those in fintech, payments and consumer-facing financial services where AI deployment is most active – should consider submitting views before the 19 June deadline. This is a chance to shape expectations before they are set.
• Board-level ownership of AI cyber risk is important: The joint statement is explicit that boards and senior management should have sufficient understanding of frontier AI risks to set strategic direction.
• Third-party and supply chain risk is squarely in scope of regulatory consideration: Firms should effectively manage frontier AI cyber risks from third parties and supply chains, including open-source software – particularly relevant for fintechs and technology-led firms where third-party and open-source dependencies are common.
• There are no new rules yet: But the direction of travel is clear. Both publications reinforce existing expectations rather than introducing new ones. The FCA’s evidence-gathering process is, however, a likely precursor to more formal guidance or rules down the line.

We will continue to monitor the UK regulators’ AI roadmap and are happy to advise on AI governance frameworks, operational resilience obligations and engagement with the regulators.

The order stops short of requiring firms to verify each customer’s citizenship status – a controversial move that was reportedly under consideration as part of the administration’s immigration crackdown.

Nonetheless, the order requires the US Department of the Treasury and federal financial regulators[1] to examine those regulations that could be used to surface customer citizenship status, including through changes to regulations governing customer due diligence (CDD) and customer identification program (CIP) requirements for covered financial institutions, identification of risks to the financial system posed by “non-work authorized populations,” and guidance on managing potential credit risks posed by that population.

What the order requires

Treasury advisory on suspicious activity

Within 60 days of the order, the secretary of the Treasury Department is required to issue a formal advisory to financial institutions describing “red flags and typologies” associated with certain categories of suspicious activity, including:

• Patterns of payroll tax evasion by employers, including the failure to withhold or remit federal employment taxes for non-work authorized individuals.
• Attempts to hide the identity of ultimate beneficial owners or the true nature of payroll disbursements, such as through use of foreign identity documents, nominee accounts or shell companies.
• Use of unregistered money services businesses, third-party payment processors or peer-to-peer platforms to facilitate off-the-books wage payments to avoid Bank Secrecy Act (BSA) reporting thresholds or tax obligations.
• Patterns of repetitive cash withdrawals or deposits correlated with payroll cycles conducted outside of regulated payroll processing systems.
• Financial activity suggesting labor trafficking or forced labor.
• Use of an Individual Taxpayer Identification Number (ITIN) to obtain credit products or open deposit accounts where the applicant lacks verified lawful immigration status. Note that the order specifically flags ITIN use as a potential risk factor that may warrant enhanced due diligence.

BSA regulatory amendments: CDD and CIP requirements

Within 90 days, the secretary of the Treasury, in consultation with federal financial regulators, must propose changes to BSA regulations to strengthen risk-based CDD requirements for covered financial institutions. The changes should ensure that institutions collect and verify customer identity information to identify account owners and retain the authority, as warranted, to obtain additional information to resolve material compliance concerns, including information relevant to whether account holders possess lawful immigration status and employment authorization, as part of their CDD programs.

Within 180 days of the order, the secretary of the Treasury and federal financial regulators must also consider changes to enhance CIP requirements for covered financial institutions, with any changes expected to account for the risks foreign consular identification cards pose to the “integrity” of the US financial system.

Ability to repay and credit risk guidance

Focusing on what it describes as “structural credit risks,” the order also directs the Consumer Financial Protection Bureau (CFPB) to consider within 60 days whether to clarify that the risk of deportation and associated loss of wages are factors that could impact a non-work authorized borrower’s ability to repay credit under the standards set forth in Regulation Z – and that lenders may take such factors into account as part of a reasonable, good-faith underwriting determination. The order specifically notes that financial institutions should be aware of the risks associated with extending credit to the “inadmissible and removable alien population,” for example due to loss of wages following their removal.

Separately, each financial regulator must issue guidance regarding the management of the potential credit risks posed by the non-work authorized population.

We note that this is not the first push to consider such issues in credit determinations.  Earlier this year, the CFPB and Department of Justice formally withdrew their October 2023 joint statement addressing creditors’ consideration of immigration status under the Equal Credit Opportunity Act and its implementing Regulation B. The agencies reminded industry that Regulation B allows creditors to consider immigration or citizenship status, as well as any additional information needed to secure repayment obligations, provided the creditor does not use that information to discriminate on a prohibited basis.

Looking forward

The “Restoring Integrity to America’s Financial System” order creates a rolling series of regulatory deadlines that will require significant engagement from financial institutions. Although the order does not currently impose new customer-facing requirements, the guidance and rulemaking it sets in motion could materially affect how institutions approach CDD, customer identification and consumer credit underwriting. Institutions that already maintain robust know-your-customer, CDD and enhanced due diligence programs will be better positioned to absorb any incremental requirements, but close monitoring of the implementation timeline will be essential for compliance planning.

The order comes on the same day as the White House’s release of a second executive order to promote the “integration of digital assets and innovative technology into traditional financial services and payment systems.” Under the order, federal financial regulators must review existing regulations and processes to identify barriers that may hinder fintechs from partnering with financial institutions or applying for bank charters and other licenses. Separately, the Federal Reserve Board must evaluate the legal framework governing access to Reserve Bank payment accounts and services for uninsured depository institutions and nonbank financial companies, including those dealing in digital assets, and submit a report with findings and recommendations to the president.

[1] The order refers to “Federal functional financial regulators,” which include the Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation and National Credit Union Administration.

National trust charters versus national banks

The crux of Warren’s inquiry relates to the legal distinction between national trust companies and full-service national banks, and the activities in which each type of financial institution may lawfully engage.

The OCC is empowered to grant national trust charters to companies whose operations are “limited to those of a trust company and activities related thereto.” National trust companies face less regulatory oversight and restrictions as compared to national banks, which face a slew of restrictions under the NBA. For example, unlike national banks, national trust companies are not generally required to obtain federal deposit insurance, face less stringent safety and soundness requirements, and are not subject to the Community Reinvestment Act, and their parent companies are exempt from Bank Holding Company Act oversight. In exchange, national trust companies are permitted to engage in only a narrow set of fiduciary activities, such as acting as trustee, executor or administrator, and are generally prohibited from engaging in the business of banking (e.g., accepting deposits and making loans).

Warren, however, asserts that the business plans of the newly chartered trust companies suggest that the companies intend to operate beyond the narrow set of permitted activities by engaging in nonfiduciary custodial activities, facilitating payments and lending activities, and conducting stablecoin activities related to deposit-taking. The letter claims that the OCC’s approval decisions pose risks to consumers, financial stability and the separation of banking and commerce. The letter also notes that the Guiding and Establishing National Innovation for US Stablecoins (GENIUS) Act did not amend the NBA’s trust charter provisions – and therefore, in Warren’s view, does not expand the permissible activities of national trust companies.

Information requested

By June 1, Warren requests that the OCC provide the following with respect to each of the nine recently approved trust companies:

• Full charter applications, including a list of each company’s intended activities, a designation of which activities are those of a trust company or are “related” to those of a trust company, and legal analyses regarding compliance with the NBA. She further asks the OCC to address whether it is considering terminating any of the charters.
• Communications between OCC officials and President Donald Trump, members of his immediate family, employees, or individuals acting on Trump or his family’s behalf, and White House officials regarding the trust charter approvals.
• Responses and applicable legal analyses related to the NBA, fiduciary and nonfiduciary activities, and the relationship of the GENIUS Act to the NBA.

What’s next?

The letter signals heightened congressional scrutiny of the OCC’s approach to digital asset regulation and may foreshadow legislative or oversight action. We will continue to monitor developments as the June 1 response deadline approaches.

The response confirms that the government will introduce primary legislation to reform the legislative framework around how the Financial Conduct Authority (FCA) and Prudential Regulatory Authority (PRA) operate. These reforms will include shortening statutory deadlines for determining authorisation applications, detailing long-term regulatory strategy, streamlining the need to have regards to certain regulatory principles in decision-making and reducing procedural requirements.

Shortening statutory deadlines for determining authorisation applications

For firms seeking or expanding their regulatory licence, the commitment to shorten statutory deadlines is the most significant reform.

The FCA and PRA have made efforts to improve their performance against existing statutory deadlines in recent years, but stakeholder feedback identified continued concerns that processing times for applications remain too long relative to other jurisdictions.

The government will legislate to shorten the statutory deadlines for new firm authorisations, variations of existing regulatory permissions, and Senior Manager and Certification Regime (SMCR) approvals. The proposed new deadlines are:

In addition, the government identified additional statutory deadlines to shorten, including for financial promotion approvals and SMCR variations. For example, the statutory deadline for a complete financial promotion approval application would reduce from six to four months.

The government has committed to keeping these statutory deadlines under review and will have the power to amend them through secondary legislation, particularly if regulators harness technology to process these applications faster.

While the legislation has yet to be passed, the regulators are already working towards these proposed targets.

Long-term regulatory strategy

A consistent theme arising from the government’s Financial Services Growth and Competitiveness Strategy is that the regulatory system lacks a driving, long-term strategy with clear goals, and that the cumulative impacts of regulators’ policies were not consistently considered.

The government will therefore legislate to require the FCA and PRA to produce long-term strategies at least once every five years, setting out their strategic priorities, including with respect to their objectives and supervision. They must provide an annual update on delivery against these strategies and update their strategy (or explain why no update is required) if HM Treasury issues new recommendations.

In producing these strategies, the FCA and PRA will be required to have regard to the Financial Services and Markets Act (FSMA) 2000 regulatory principles, recommendations by HM Treasury, principles in the Legislative and Regulatory Reform Act 2006 and the associated Regulators’ Code, as well as their general duties. The FCA will also receive an additional “have regard” consideration related to payment systems, reflecting its new responsibilities following the consolidation of the Payment Systems Regulator into the FCA.

Streamlining the impact regulatory principles have on regulator decision-making

Currently, the FCA and PRA must consider and document their analysis of each of the eight regulatory principles in section 3B of FSMA 2000, as well as HM Treasury recommendations and other principles, each time they discharge any of their day-to-day functions. The government concluded that this creates a disproportionate burden on the regulators, reducing their agility, while producing information that can be too granular to effectively support an overall assessment of regulatory performance.

The government will legislate to remove the requirement to consider each of these principles when carrying out day-to-day functions and instead require regulators to consider the regulatory principles and HM Treasury recommendations when producing their long-term strategies, with an obligation to report on implementation in their annual reports.

Cutting procedural requirements

Over time, a large number of reporting and procedural requirements have accumulated on the FCA and PRA.

The government will legislate to remove a small, but impactful, number of prescriptive requirements, including removing obligations to consult on guidance and minor rule changes – meaning firms should be aware that regulatory changes may come into force more rapidly going forward.

Key takeaways

The government’s response represents a step towards a more streamlined UK regulatory framework. Key practical implications include:

• Authorisations and permissions: Firms in the authorisation pipeline – or planning applications, variations of permissions (VoPs), financial promotion approvals or SMCR approvals – should factor the new timelines into their planning. The regulators are already publishing metrics against more ambitious voluntary targets.
• Reduced procedural friction: The removal of obligations to consult on minor rule changes and guidance may mean that regulatory changes happen more quickly and with less advance notice. Firms should maintain close monitoring of FCA and PRA publications.

To note, formalising these changes still requires primary legislation. Firms should not expect the new statutory deadlines to be formally binding immediately but should note that regulators are already moving in that direction voluntarily.

We will continue to monitor developments in this area as the legislative process advances.

Set to launch on July 1, 2026, the new cabinet-level agency is designed to strengthen consumer protection and fairness through the coordination of licensing, enforcement and rulemaking efforts across various state departments and bureaus. The BCSA’s launch comes as California and other states stepped up to fill the void as federal consumer protection and fair lending efforts were scaled back.

Structure and expected priorities of the BCSA

The BCSA was created as part of a broader reorganization of California state government that Newsom initiated last summer, which separated the former Business Consumer Services and Housing Agency into two distinct successor agencies.

The BCSA will consolidate under a single administrative umbrella a number of state departments and regulatory bodies that oversee consumer-facing industries – including the Department of Financial Protection and Innovation (DFPI) and Department of Real Estate (DRE), in addition to the Department of Alcoholic Beverage Control (ABC), Alcoholic Beverage Control Appeals Board (ABC AB), Department of Cannabis Control (DCC), Cannabis Control Appeals Panel (CCAP), California Horse Racing Board (CHRB) and Department of Consumer Affairs (DCA).

According to the press release, the BCSA intends to further a number of existing California initiatives through improved oversight and coordination across departments, including:

• Eliminating junk fees and hidden charges.
• Strengthening online privacy and consumer data protection.
• Enhancing enforcement against scams and predatory practices.
• Increasing oversight and accountability for oil companies.
• Launching CalRx to lower prescription drug costs.
• Increasing corporate transparency and accountability.

Looking forward

Chopra’s appointment to the top role at the BCSA will likely build on the state’s aggressive posture toward supervision of nonbank financial services entities and enforcement of California’s consumer financial protection statutes. Regulated entities should prepare for a continued, if not heightened, focus on junk fees, fraud and fairness as Chopra (upon state Senate confirmation) assumes the helm of the new agency.