Last Week, This Morning

November 24, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Please note that we will not deliver "Last Week, This Morning" next week due to the Thanksgiving holiday. The next email will be delivered to your inbox on Monday, December 8. We wish you a very happy Thanksgiving with friends and family!

OCC Proposes Rule to Rescind Certain Data Collection Requirements for National Banks

On November 18, the Office of the Comptroller of the Currency published a proposed rule in the Federal Register that would rescind its "Fair Housing Home Loan Data System" regulation codified at 12 CFR part 27. Part 27 establishes recordkeeping requirements and a data collection system for monitoring national banks and their subsidiaries for compliance with the Fair Housing Act and the Equal Credit Opportunity Act. According to the notice of proposed rulemaking, part 27 "requires national banks to (i) engage in quarterly recordkeeping of certain home loan data if the national bank is required to report loans under the Home Mortgage Disclosure Act (HMDA reporters) or if the national bank is a non-HMDA reporter that receives 50 or more home loan applications a year ...; (ii) attempt to obtain all of the prescribed information for applications for home loans; (iii) maintain certain additional information in loan files; and (iv) collect certain information on a log, if the OCC orders the national bank to maintain a log of inquiries and applications."

The OCC has "determined that part 27 is obsolete because it is largely duplicative of and inconsistent with revisions to other legal authorities that require national banks to collect and retain certain information on applications for home loans. In addition, because part 27 only applies to national banks, national banks have more home loan data collection requirements than other depository institutions. Moreover, the burden the rule imposes on national banks is not justified by the limited utility of data collected under part 27. Also, when part 27 was promulgated, the OCC stated that the regulation's requirements were designed to assist agency examiners in performing full and complete fair housing examinations. However, since then, the OCC has found that agency examiners generally base their fair lending supervisory activities on data collected under other legal authorities that require national banks to collect and maintain information on applications for home loans. To the extent OCC examiners may consider part 27 data, it is most useful for assessing a national bank's fair lending risk; however, the OCC has other tools for identifying fair lending risk at national banks. The OCC believes that the proposed recission of part 27, therefore, would not have a material impact on the availability of data necessary for the OCC to conduct its fair housing supervisory activities."

Comments on the proposed rule are due by December 18, 2025.

Amicus Brief(ly): The OCC's ongoing pursuit of deregulation under the new administration this year has produced results in line with its stated goal of tailored supervision that focuses on safety and soundness and relieves national banks of unnecessary paperwork. National banks have justifiably not complained about this revised approach, looking back almost 20 years to the structured but not overly restrictive level of regulation that preceded the Dodd-Frank Act in 2010. We know that not all regulation is bad regulation, just as not all banking de-regulation efforts lead to a race-to-the-bottom banking and credit system. National banks will get some relief from the largely unnecessary burden of duplicative HMDA reporting but are still subject to fair housing and fair lending examinations and a regulatory scheme that prohibits discrimination against protected consumers. We anticipate arguments from consumer advocates that this proposed rule is wayward, but if we look to our Magic 8 Ball for a prediction, we get an "Outlook not so good" for those arguments to prevail given the OCC's current leadership.

FTC Announces Permanent Ban against Business Financing Company and CEO for Alleged Violations of FTC Act, Telemarketing Sales Rule, and Consumer Review Fairness Act

On November 17, the Federal Trade Commission announced that it entered into a stipulated final order with a business financing company and its founder, resolving allegations that the company deceptively advertised that it was able to secure business loans or lines of credit for small businesses without affecting the business owners' credit scores. Rather than providing these loans or lines of credit, the company was actually applying for credit cards on behalf of the business owners. After securing approval for the credit cards, the company would charge the business owners 10% of the credit card limit for each card, plus fees, despite claiming there were no upfront fees as part of the arrangement. The FTC alleged that the company collected over $37 million dollars in fees from thousands of business owners.

The final order follows a federal district court's summary judgment order issued against the company and its CEO in September 2025. In that decision, the court found that the company and its CEO violated the FTC Act and the Telemarketing Sales Rule by misrepresenting their relationships with lenders, their ability to obtain credit cards for customers with line of credit capability, financing terms, the fees that would be imposed, and the impact of using the company's services on customers' credit scores. The court also found that the company's contracts with customers, which prohibited negative online reviews, violated the Consumer Review Fairness Act. Finally, the court found that the company's billing practices relating to early termination fees violated the FTC Act.

The current final order imposed a monetary judgment of $48,280,328 on the company and its CEO. However, the order suspended all but $250,000 of this judgment amount based on the defendants' inability to pay the full judgment. In addition, the company and its CEO have been permanently banned from:

  • marketing, promoting, or offering credit, loans, or other business financing, debt relief services, or credit repair services;
  • making misrepresentations, including misleading statements related to their business affiliations, their offerings' impact on consumers' credit scores, and upfront fees;
  • billing consumers without obtaining and documenting consumers' expressed informed consent;
  • violating the Telemarketing Sales Rule; and
  • prohibiting or restricting consumer reviews of their products or services.
Amicus Brief(ly): If we could put an emoji here, we would use the "grimacing face" one that reflects the feeling we get reading these allegations. As readers have seen in these pages many times, the FTC is not shy about coming down hard on companies it finds to be engaged in deceptive marketing. The $48 million judgment is attention-getting, but if the FTC's math is correct on the $37 million the company allegedly collected from business owners based on deceptive advertising, it's difficult to argue with that outcome. The important takeaway from this case is that business owners should read all fine print and shop around for credit or services when, for example, they read an agreement that says they cannot write negative public reviews about the provider. That type of restriction does not inspire confidence.
California Privacy Protection Agency Intensifies Investigations of Data Brokers and Finalizes Rules Implementing Data Deletion Mechanism for Consumers

On November 19, the California Privacy Protection Agency announced that it is creating a "Data Broker Enforcement Strike Force" within its enforcement division to investigate compliance with California's Delete Act and its more comprehensive privacy law, the California Consumer Privacy Act. The CPPA's head of enforcement stated: "For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry."

The Delete Act requires data brokers to register with the CPPA and pay an annual fee, which funds the data broker registry and the development of a deletion mechanism called the Delete Request and Opt-Out Platform that allows a consumer to, in a single request, direct all registered data brokers to delete any non-exempt personal information related to that consumer held by the data broker or its associated service provider or contractor. In addition, the Delete Act requires data brokers to disclose the number of consumer deletion requests and the average response time to the requests, report if they collect the personal information of minors, reproductive health care data, and precise geolocation data, and provide a link on their website informing consumers of their rights under the CCPA.

In addition, the CPPA recently amended existing data broker registration rules and adopted new rules to establish Delete Request and Opt-Out Platform requirements. The final rules are effective on January 1, 2026.

Amicus Brief(ly): California has been busy on data issues this year, which alone would let us know that the state is taking data privacy and security seriously, but the creation of a "Strike Force" to look after compliance with the Delete Act underscores the relative importance of these privacy rules. Recall that this is one of several instances across the country in 2025 where we saw legislatures and regulators attempt to give consumers more control over what, if anything, companies can do with their data. This data protection and consumer empowerment initiative extends beyond consumer financial information, and it is not slowing down. January 1 will be here before we know it, and with that date comes the effective date of California's "DROP" registration requirements and the potential for a lot more enforcement action from the state.

California Reaches $1 Million Settlement with Lender for Issuing Loans at Unlawful Rates

On November 17, the California Department of Financial Protection and Innovation announced a consent order with a lender for violating the California Financing Law (California Financial Code § 22000 et seq.) and the Fair Access to Credit Act (Assembly Bill 539 (2019)), which added Section 22304.5 to the CFL. Section 22304.5 provides that, for any loan with a principal amount between $2,500 and $10,000, a lender may contract for or receive charges at a rate not exceeding an annual simple interest rate of 36% per annum plus the Federal Funds Rate. In addition to the charges authorized under Section 22304.5, Financial Code Section 22305 authorizes a CFL licensee to contract for and receive an administrative fee of up to $75 with respect to a loan of a principal amount in excess of $2,500. (Section 22305 does not apply to a loan of a principal amount of $5,000 or more.)

In December 2019, the DFPI issued a notice titled "New Requirements for Licensees Making Consumer Loans of $2,500 to $10,000 California Financing Law." The notice stated: "For loans of $5,000 or more, any administrative fee charged is included in the calculation of charges and subject to the interest rate limitation. For loans in excess of $2,500 but less than $5,000, an administrative fee not to exceed $75 may be charged in addition to the maximum rate of charges."

The DFPI's consent order resolves allegations that the lender made multiple consumer loans with charges that exceeded the maximum rate provided for in Section 22304.5 of the CFL. The lender has taken corrective action for some of the alleged violations by providing approximately $218,000 in refunds to affected borrowers and has agreed to refund additional amounts to borrowers that have paid amounts in excess of what the CFL permits.

The consent order requires the lender to pay a penalty of $1 million and a portion of the Commissioner's investigative costs and immediately cease any attempts to receive payment on or collect any charges in excess of what the CFL permits.

Amicus Brief(ly): When a negotiated civil penalty from a state regulator is more than four times the consumer redress amount, it feels like the regulator is trying to make a point. The published consent order and accompanying documentation are not clear about how the lender was allegedly violating the maximum rate and fee provisions, so we do not know whether the DFPI found in its examination that the company was charging interest rates higher than 36% per year, charging an administrative fee that exceeded $75, or both. And it is not clear whether the company simply did not know about the 2019 changes to the fee rules for loans in the $2,500 to $10,000 range. Either way, the DFPI took the company to task for it, and the best lesson we can take from this settlement (because we imagine that the law changes slipped by this company when they happened) is to monitor state law for changes and take the steps necessary to adjust systems, policies, and procedures to reflect those changes.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.