On November 5, 2025, a national debt collection trade group and one of its members filed a lawsuit against the state of Colorado’s in an attempt to block its 2023 medical debt credit reporting law, HB 23-1126. The complaint alleges that the law, which bars adverse medical debt information from consumer credit reports and restricts related collection communications, is preempted by the Fair Credit Reporting Act and violates the First Amendment.
Continue Reading Colorado’s Medical Debt Reporting Law Challenged in Federal Court

On October 31, the Ohio Division of Financial Institutions (DFI) issued updated Bank Partnership Guidance under the state’s Small Loan Act, reversing its earlier position from December 2024 and January 2025. The DFI had previously advised that any nonbank entity arranging consumer loans of $5,000 or less in exchange for compensation, including loans originated by federally insured banks, would be required to obtain a state license. The latest guidance withdraws that interpretation and pauses licensing and enforcement for the near term.
Continue Reading Ohio DFI Withdraws Prior Interpretation, Suspends Licensing for Bank Loan Arrangers Under Small Loan Act

On October 30, the California DFPI entered a consent order with a residential mortgage lender and servicer following a regulatory examination and a directed self-audit. The DFPI alleged violations of the California Residential Mortgage Lending Act and California Civil Code provisions governing when per diem interest may begin to accrue.
Continue Reading DFPI Orders Mortgage Lender to Pay $100,000 for Alleged Per Diem Interest and Recordkeeping Violations

On November 3, 2025, the Consumer Financial Protection Bureau terminated its 2023 consent order against a national consumer reporting agency. The original order, issued in October 2023, required more than three million dollars in consumer redress and a five million dollar civil money penalty and addressed alleged violations of the Consumer Financial Protection Act, the Fair Credit Reporting Act, and the Economic Growth, Regulatory Relief, and Consumer Protection Act.
Continue Reading CFPB Terminates 2023 Consent Order Against a National Consumer Reporting Agency for Alleged Security Freeze Violations

In a significant decision for bank partnership arrangements, the United States Court of Appeals held that Colorado may apply its state interest rate caps to loans made by out-of-state banks under the Depository Institutions Deregulation and Monetary Control Act (DIDMCA). The ruling reversed an earlier district court decision holding Colorado could not do so.
Continue Reading Tenth Circuit Allows Colorado to Enforce its Interest Rate Caps on Out-of-State Banks

On October 30, the California DFPI announced a consent order against a Nevada-based crypto kiosk operator for alleged violations of the Digital Financial Assets Law and the California Consumer Financial Protection Law. The action follows a DFPI investigation into widespread noncompliance among crypto ATM operators, which the agency has identified as a growing consumer-protection concern.
Continue Reading DFPI Fines Kiosk Operator $675,000 for Alleged Violations of the Digital Financial Assets Law

On October 24, 2025, the Massachusetts Division of Banks (DOB) finalized a suite of regulatory amendments implementing the Massachusetts Money Transmission Act. The final regulations, 209 Mass. Code Regs. §§ 44.00, 45.00, 48.00, and 801 Mass. Code Regs. § 4.02, take effect November 7. The changes establish a uniform licensing and compliance regime for all entities engaged in money transmission, replacing prior requirements that applied only to check cashers, check sellers, and foreign transmittal agencies.
Continue Reading Massachusetts Finalizes Comprehensive Money Transmission Regulations

On October 15, the Oklahoma State Banking Department issued a memo detailing new licensing and compliance obligations for digital kiosk operators. The memo details the requirements under Senate Bill 1083, enacted in May under the Oklahoma Financial Reporting Act, which became effecting on November 1, 2025.
Continue Reading Oklahoma Issues Memo Detailing New Digital Asset Kiosk Licensing Requirements

On October 29, the U.S. District Court for the Eastern District of Kentucky granted a preliminary injunction prohibiting the Consumer Financial Protection Bureau from enforcing its Personal Financial Data Rights Rule, also known as the open banking rule, until the Bureau completes its reconsideration of the rule. The court determined that the plaintiffs, a national bank and two banking associations, demonstrated a likelihood of success on several claims, including that the rule exceeds the Bureau’s authority under the Dodd-Frank Act and is arbitrary and capricious under the Administrative Procedure Act.
Continue Reading Federal Court Halts Implementation of CFPB’s Open Banking Rule

On November 3, the U.S. District Court for the Northern District of West Virginia granted class certification certified a statewide class of borrowers challenging a credit union’s alleged assessment of unauthorized “pay-to-pay” fees under the West Virginia Consumer Credit and Protection Act. The plaintiff alleged that the institution imposed a 5 dollar fee each time consumers made monthly payments by phone or other electronic means, even though neither the loan agreement nor any statute authorized the charge.
Continue Reading West Virginia Federal Court Certifies Class Action Challenging “Pay-to-Pay” Fees

On October 27, 2025, amendments to Delaware’s Medical Debt Protection Act took effect, establishing a total ban on the inclusion of medical debt in consumer credit reports. The amendments, enacted through Senate Substitute 1 for Senate Bill 156, revise Delaware’s consumer protection laws to prohibit both the furnishing and use of medical-debt information by consumer reporting agencies.
Continue Reading Delaware Bans Medical Debt from Consumer Credit Reports

On October 21, the NYDFS issued new cybersecurity guidance addressing the growing risks associated with regulated entities’ reliance on third-party service providers (TPSPs). The guidance clarifies compliance obligations under the New York Cybersecurity Regulation and outlines best practices for managing cybersecurity risk across the third-party relationship lifecycle.
Continue Reading NYDFS Issues Cybersecurity Guidance on Third-Party Service Provider Risk

On October 17, 2025, the California Department of Financial Protection and Innovation (DFPI) entered a consent order with a licensed consumer lender, alleging violations of the Fair Access to Credit Act, which amended the California Financing Law to cap interest rates and fees on consumer loans between $2,500 and $10,000. The DFPI alleged that the lender charged rates and administrative fees above those limits and continued the practice as recently as January 2023.
Continue Reading DFPI Orders Lender to Pay $1 Million for Alleged Violations of the Fair Access to Credit Act