Last Week, This Morning

August 25, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB Issues ANPR Concerning Section 1033 of Dodd-Frank and Its Implementing Personal Financial Data Rights Rule

On August 22, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking seeking comments and data concerning the implementation of Section 1033 of the Dodd-Frank Act and its implementing Personal Financial Data Rights rule. Section 1033 provides that covered data providers must make available to a consumer, upon request, data in the control or possession of the data provider concerning the consumer financial product or service that the consumer obtained. The Personal Financial Data Rights final rule, issued in October 2024, implements Section 1033 by providing specificity to the scope of data providers subject to the rule, the data that must be provided to consumers upon request, the interfaces through which data is to be made available, and how third parties may access such information through the consumer's access right.

The ANPR sets forth a list of questions for comment, which generally address: who may make a request on behalf of a consumer; how the costs of effectuating consumers' rights under Section 1033 should be shared between the consumer and the "covered person" providing the data; information security concerns that arise when consumers exercise their rights under Section 1033; privacy concerns where the data contains information the consumer may not want disclosed and the consumer does not fully understand that the third party through which the request was made may further disclose it; and the appropriateness of the compliance dates in the Personal Financial Data Rights rule.

Comments must be received by October 21, 2025.

Amicus Brief(ly): The end result of this announced rulemaking will likely involve material changes to the open banking rule that was effective earlier this year. At that time, the rule had compliance dates beginning in 2026, though the CFPB has extended those dates with this current rulemaking in mind, alongside some rethinking of key provisions of the rule. One of those provisions is the prohibition on consumer fees. We expect industry to ask the CFPB to allow data providers to pass some of the cost of compliance with this rule along to consumers. Providers should spend some time over the next two months preparing comments to help the CFPB craft sensible changes to the open banking rule.

Federal Reserve Board Ends Novel Activities Supervision Program

The Federal Reserve Board recently announced that it will end its Novel Activities Supervision Program and return to monitoring banks' novel activities through the normal supervisory process. The FRB established the program on August 8, 2023, "to enhance the supervision of novel activities conducted by banking organizations supervised by the Federal Reserve. The Program ... focus[ed] on novel activities related to crypto-assets, distributed ledger technology, and complex, technology-driven partnerships with nonbanks to deliver financial services to customers. The Program [was] risk-focused and complement[ed] existing supervisory processes, strengthening the oversight of novel activities conducted by supervised banking organizations." According to the FRB's current press release, "the Board has strengthened its understanding of ... [crypto and fintech] activities, related risks, and bank risk management practices. As a result, the Board is integrating that knowledge and the supervision of those activities back into the standard supervisory process and is rescinding its 2023 supervisory letter creating the program."

Amicus Brief(ly): This change to the FRB's oversight of novel activities and products may be early in the regulatory cycle, given the pace of innovation in the market. But per its announcement, the FRB is going to shift supervision of the activities it now better understands into its regular supervision process. That, of course, is subject to change for any number of reasons in the future, including upon the introduction of new financial or fintech products or if there is a change in administration in 2028. Industry only suffers from this change if the FRB's understanding of crypto and fintech is not as strong as it lets on, but there is no reason to believe that at this point. For now, the shift to regular supervision is a welcome change that means that the FRB will not apply heightened attention to what are pretty well-tread activities and increasingly common financial products.

Trump Issues Executive Order on Unlawful Debanking Based on Individuals' or Businesses' Beliefs, Affiliations, or Political Views

President Trump recently issued a new executive order - "Guaranteeing Fair Banking For All Americans." The EO states that "[f]inancial institutions have engaged in unacceptable practices to restrict law-abiding individuals' and businesses' access to financial services on the basis of political or religious beliefs or lawful business activities," resulting in unlawful discrimination against individuals and businesses in credit transactions and undermining public trust in banking institutions and their regulators. The EO states that "[i]t is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views, and to ensure that politicized and unlawful debanking is not used as a tool to inhibit such beliefs, affiliations, or political views. Banking decisions must instead be made on the basis of individualized, objective, and risk-based analyses."

The EO requires federal banking regulators to eliminate "reputation risk or equivalent concepts that could result in politicized or unlawful debanking" from their guidance documents, manuals, and other materials used to regulate or examine financial institutions. Federal banking regulators must also conduct reviews to identify financial institutions that have had any past or current policies or practices that have influenced the financial institution to engage in politicized or unlawful debanking and to take remedial action, including levying fines and issuing consent decrees. During reviews of their supervisory data, federal banking regulators must also identify any financial institution that has engaged in unlawful debanking based on religion and refer the matter to the attorney general.

Financial institutions subject to the Small Business Administration's jurisdiction and supervision must "make[] reasonable efforts to identify and reinstate any previous clients of the institution or any subsidiaries denied service through a politicized or unlawful debanking action."

Amicus Brief(ly): Banks are between a rock and a hard place in this ongoing "cancel culture" saga. Over the past few years, in an apparent effort to remain mindful of safety and soundness principles, the banks allegedly "debanked" certain customers whose controversial business models, statements, or political positions appeared to trouble other customers and caused them to complain or leave the banks. The Trump administration is seemingly worried that its members and supporters may have effectively been debanked because of political or religious positions. The result is this EO, which has the impact of requiring bank examiners not to consider reputational risk as a safety and soundness concern. It will be interesting to see whether the bank regulators make any attorney general referrals based on this EO and, if so, whether the Department of Justice can make a case that debanking a customer over concerns about reputational risk is "unlawful." In the interim, banks will have to do a careful dance as they seek to maintain and increase their customer bases for deposit and credit products while continuing to provide services to some customers who might draw negative attention to the banks.

Illinois Amends Collection Agency Act to Provide Consumer Protections Related to Coerced Debt

Illinois Governor JB Pritzker recently signed House Bill 3352 into law; the new law takes effect on January 1, 2026. It amends the Illinois Collection Agency Act to protect debtors from liability for so-called "coerced debt." "Coerced debt" is defined as debt, other than debt secured by real property, that was incurred by the debtor because of fraud, duress, intimidation, threat, force, coercion, undue influence, or the non-consensual use of the debtor's personal identifying information between family or household members, as a result of abuse or exploitation, or due to human trafficking.

The new law allows debtors to assert that a debt is a coerced debt by providing a written statement to the collection agency. The statement must satisfy certain statutory requirements and be supported by a police report, a court order finding the debt to be a coerced debt, a written verification from a third party on a form to be published by the Department of Financial and Professional Regulation, or other documents that demonstrate that the debtor was subject to a coerced debt. If the debtor notifies the collection agency orally that the debt it is pursuing is a coerced debt, the collection agency must notify the debtor that the debtor's claim must be in writing. In addition, if the debtor's written statement of coerced debt is incomplete, the collection agency must notify the debtor.

The collection agency must complete a review of whether the debt is a coerced debt within 90 days of receipt of the debtor's complete statement of coerced debt. If the collection agency determines that the debt is coerced, it must discontinue collection activities and notify the debtor that it has done so. The collection agency must also contact any consumer reporting agency to which it furnished information about the coerced debt and request that it delete such information.

In any lawsuit or arbitration to collect a debt, the debtor can raise the affirmative defense that the debt is coerced. The collection agency has the burden to disprove the debtor's defense by a preponderance of the evidence.

A person found by a court or arbitrator to be a perpetrator of coerced debt is civilly liable to the collection agency for the debt and to the debtor for actual damages.

Amicus Brief(ly): States are increasingly considering legislation like this Illinois law to recognize the potential for, and impact from, coerced debt. It is reminiscent of the legislative reaction years ago to the increase in occurrence of identity theft and more recently to the increase in reported instances of elder financial abuse. States recognize that burdensome debts can chase certain customers around through no fault of their own. The requirements of this new law are familiar - a written statement alleging that the debt was coerced puts the onus on the collection agency to review the statement and establish (when the agency believes it to be the case) through evidence that the debt was not coerced. As prefiling for the next state legislative sessions begins in the next several months, we will be watching for other states to consider similar bills.

Massachusetts AG Obtains $795,000 Settlement with Company for Failing to Implement Required Data Security Measures and Delaying Notification of Security Breaches

On August 19, Massachusetts Attorney General Andrea Campbell announced that her office obtained a $795,000 proposed settlement with a residential property management company. The AG alleged that the company failed to implement adequate data security measures, in violation of the Massachusetts data security regulations (201 CMR 17.00), resulting in the exposure of Massachusetts consumers' personal information during data breaches experienced by the company. The AG also alleged that the company failed to timely notify the AG and affected consumers of two of those breaches, in violation of the Massachusetts Consumer Protection Act and the Massachusetts data security law (Massachusetts General Laws Chapter 93H).

Between November 2019 and September 2021, attackers gained access to the company's network through phishing emails, leading to five separate data breaches of consumers' personal information, including Social Security numbers, driver's license numbers, and bank account information. The first two data breaches were not reported to the AG or to impacted consumers until almost seven months after the breaches occurred.

In addition to the monetary penalty, the settlement requires the company to implement certain security measures for all company laptops and desktops, including phishing protection software, a vulnerability management program, multi-factor authentication, an asset inventory, an intrusion detection/prevention system, a security information and event management (SIEM) platform, and security software. The company is also required to conduct an annual security assessment for three years.

Amicus Brief(ly): "SMH" (as the kids say). Financial services providers must have data breach policies and procedures designed to produce a quick response to, and a comprehensive investigation of, any data breach event involving non-public consumer information. This is not new law for companies that hold sensitive consumer data; the Massachusetts regulations at issue are 16 years old. The costly proposed settlement no doubt reflects that fact and the impact of the seven-month delay in reporting the first two breaches - that time should have been considerably shorter, suggesting that the company was just not ready. It will be next time, assuming the company complies with the proposed settlement with the state.

Illinois Enacts Law Governing Educational Income Share Agreements

Illinois Governor JB Pritzker recently signed Senate Bill 1537, which amends the Illinois Student Loan Servicing Rights Act to establish a framework for regulating educational income share agreements ("EISAs"). The new law defines an EISA as an agreement under which an EISA provider credits or advances a sum of money to a consumer, or to a third party on the consumer's behalf, for postsecondary educational expenses and the consumer makes periodic payments to the provider based on the consumer's future income.

The new law caps monthly payments under an EISA at 8% of a consumer's income, with the total obligation limited to a maximum of 15% of the consumer's income over the agreement's duration. An EISA must state that when a consumer has income that is equal to or below the income threshold set forth in the EISA, the consumer's payment obligation is zero dollars; the income threshold must be equal to or greater than $47,000, adjusted for inflation each year beginning on January 1, 2026. An EISA must specify that the maximum amount that a consumer could be required to pay under the agreement will not result in a consumer ever being required to pay an effective annual percentage rate that is greater than 9% or the high yield of the 10-year U.S. Constant Maturity Treasury Notes auctioned at the final auction held before the current calendar year in which the EISA is originated plus 6%, whichever is greater.

In addition, the new law limits the duration of EISAs. An EISA may not exceed 180 monthly payments and may not exceed 240 months total, excluding any months in which a consumer has requested and received a payment relief pause. The law requires an EISA to offer at least three months of voluntary payment relief pauses for every 30 income-determined payments required under the EISA.

The new law also sets limits on covered income that is used to calculate a consumer's payment obligation; limits fees a provider may contract for and receive; prohibits a provider from taking a security interest in any collateral in connection with an EISA; sets limits on refinancing a consumer's existing loan with an EISA; provides for the automatic discharge of an obligation in cases of total and permanent disability or death; prohibits cosigners; prohibits a provider from taking an assignment of wages of the consumer for payment or as security for payment; places limitations on garnishment of a consumer's wages; and mandates extensive disclosure requirements.

The new law also requires an EISA to include early completion options that allow the consumer to extinguish obligations under the EISA before the end of the EISA's duration.

Finally, the new law gives the Illinois attorney general enforcement powers under the Illinois Consumer Fraud and Deceptive Business Practices Act.

Amicus Brief(ly): With the passage of this law, Illinois became the first state to adopt a comprehensive statute specific to an income share agreement product for student loans. The law appears to provide appropriate consumer protections in that it requires a student's income to hit a threshold ($47,000, adjusted annually) under which the student has no payment obligation, limits the recovery of an EISA provider with index-based rate caps, and requires disclosures designed to ensure that student borrowers understand the unique terms of this non-traditional credit arrangement. The bill passed with unanimous votes in the Illinois House and Senate, suggesting that the bill struck an appropriate balance between protecting consumers and fostering product innovation by recognizing the product as something new instead of using a metaphorical crowbar to make it fit into existing regulation of traditional student loans. If students take to this alternative product, we expect other states to follow Illinois' lead and specifically regulate it with substantive terms and limitations appropriate to its unique structure.

Texas AG Investigates AI Developers for Allegedly Misleading Children with AI-Generated Mental Health Services

On August 18, Texas Attorney General Ken Paxton announced the opening of an investigation into two artificial intelligence developers for allegedly engaging in deceptive trade practices and misleadingly marketing AI platforms as mental health tools. According to the AG's press release, the developers created consumer-facing chatbot platforms marketed as offering conversational and emotional support to users. The AG alleged that these platforms may present themselves as professional therapeutic tools without proper medical oversight or credentials, potentially misleading vulnerable individuals, including children. The AG further alleged that the chatbots go beyond offering generic advice and have impersonated licensed mental health professionals, fabricated qualifications, and claimed to offer private counseling services.

The AG alleged that although the platforms promise confidentiality, their terms of service disclose that user interactions are logged and exploited for targeted advertising and algorithmic development. The AG issued civil investigative demands to the companies to determine whether they violated Texas consumer protection laws through deceptive marketing, misrepresentations of privacy practices, and concealment of material data use. The AG's news release highlights concerns that the AI platforms may mislead children into believing that they are receiving legitimate therapy when, in fact, the responses may be generic and driven by data harvesting.

This investigation follows the AG's ongoing investigations into AI developers for potential violations of the Securing Children Online through Parental Empowerment Act ("SCOPE"). The AG's recent investigations and settlements reflect his broader efforts to regulate AI technologies, particularly as the state's comprehensive AI law is set to take effect on January 1, 2026.

Amicus Brief(ly): The Texas AG's investigation is in its infancy, but the issuance of civil investigative demands indicates that he believes there to be something amiss with the AI chatbots and how they interact with users, including underage users. Texas's SCOPE law imposes specific limits on what companies can do with data they obtain from minors. It also requires platforms to offer tools that allow parents to manage the privacy settings of their children's accounts. These CIDs and the other recent AI-related investigations and settlements by the Texas AG underscore the state's focus on protecting minors from harm as the internet provides them with increasingly powerful tools and providers gather data about them. Moreover, state AGs have unfair and deceptive acts and practices enforcement authority and are vigilant about services they consider misleading or deceptive, as evidenced by the claims described in the AG's news release. We'll watch for more on this from Texas in the coming months.


1 For the unfamiliar, an "Amicus Brief" is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the "friend") submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.