Last Week, This Morning

March 2, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

On February 26, the Federal Reserve Board issued a proposed rule that would codify the removal of reputation risk from the Board's supervisory programs. The proposal would prohibit the Board from "encourag[ing] or compel[ling] Board-supervised banking organizations to deny or condition the provision of banking or other financial products or services to an individual or business based on their constitutionally protected political or religious beliefs, associations, speech, or conduct, or based on involvement by the individual or business in politically disfavored but lawful business activities perceived to present reputation risk. The decision regarding whether or not to make a loan or to open, close, or maintain an account, provide any other financial product or service, or modify the terms of any financial product or service rests with the banking organization, acting in accordance with applicable law." The Board has defined "reputation risk" as "the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions."

Comments on the proposed rule are due by April 27, 2026.

Amicus Brief(ly): This proposed rule curiously removes what, for about 30 years, was one of a small handful of risk channels the Board identified as impactful to a "safety and soundness" review of a bank. The Board cites concerns that banks have misused the reputational risk factor to hold a person's or company's religious or political beliefs against them and turn away their banking business. The Board is seeking comments on nine specific questions directed at the substance of the proposed rule and potential unintended consequences of finalizing it as proposed. In the proposal, the Board sounds convinced that considering reputational risk in certain customer relationships is inappropriate and indicates that it will continue to focus on core, material risks that derive from "credit risk, market risk, liquidity risk, operational risk, and legal risk." There is clarity in removing the "reputational risk" component, which seems less objective than credit and liquidity risk. At a minimum, if the Board finalizes this rule as proposed, it will not examine for reputational risk factors, and it will not compel a supervised bank to deny bank services to a person or company based on political or religious beliefs or associations.

On February 23, the U.S. Department of Justice announced a settlement with a large retailer of used cars to resolve allegations that it repossessed vehicles in violation of the Servicemembers Civil Relief Act.

Specifically, the DOJ alleged that the company repossessed the vehicles of 28 servicemembers without obtaining the required court order. The DOJ alleged that many of these violations occurred as a result of the company's policies, which: (1) did not require the company to search the Defense Manpower Data Center website to determine an owner's military status prior to repossessing a vehicle that was in a "charge off" status, and (2) did not prohibit the company from repossessing vehicles owned by reservists who had received orders to report for military service at a future date. In addition, the DOJ alleged that the company repossessed some vehicles even after the borrowers told the company that they were in military service.

Under the settlement, the company will provide $15,000 in compensation to each of the 28 affected servicemembers, as well as any lost equity in the repossessed vehicle and any interest accrued on this lost equity. The company will also pay a civil penalty of $79,380. Finally, the company is required to revise its SCRA policies and procedures for vehicle repossessions.

Amicus Brief(ly): The DOJ's servicemembers' initiative has been going on for more than 10 years and continues to result in consent orders or judgments against finance companies, vehicle towing companies, municipalities, and others that it suspects of violating SCRA provisions. As is commonly the case in consent orders, the retailer did not admit the allegations but, by the express terms of the consent order, settled the case to avoid expensive, inconvenient protracted litigation. We cannot learn much from this consent order because it does not detail the factual allegations, but the affirmative compliance requirements for the retailer include useful reminders about checking the DMDC database before repossession and reacting quickly to information from consumers indicating that they are servicemembers. The success of the DOJ's initiative suggests that it is not going anywhere, so providers should confirm the efficacy of their SCRA policies and procedures.

On February 26, the New York City Department of Consumer and Worker Protection officially announced the adoption of amended debt collection rules. The updated regulations will be effective September 1, 2026.

The DCWP started down this road with a proposal in 2022. Some of its rulemaking efforts have resulted in rules that went into effect in April 2025, but this most recent effort at a broader and more ambitious rule has been delayed numerous times, most recently in July 2025, as a result of industry comments requesting further clarity. Based on the most recent comments received on its last proposed rule, the DCWP made the following changes, among other less notable changes, to the rules:

• "Engaged in Debt Collection Procedures." The new rules amend the definition of "debt collector" and Section 5-77 (Unconscionable and Deceptive Trade Practices) to clarify that debt collector conduct is governed once "engaged in debt collection procedures." The previous version of the proposed rules applied "after the initiation of debt collection procedures." The DCWP noted that this revision does not change the applicability of the rules and is meant to provide clarity that the rules only apply to debt collection procedures and not day-to-day business practices. Importantly, with this change, the DCWP removed the provision that would have made assignment of a debt (at any time, not just after default) "initiation" of debt collection procedures, which would have made finance companies and non-banks in bank partnerships subject to the rules from the time of assignment (not after default, as intended). The DCWP clarified that it intended the collection rules to apply to servicing accounts in default, when the creditor, servicer, or debt collector servicing the debt is actually "engaged in debt collection procedures."
• "Debt Collector" Definition. The new rules amend the definition of "debt collector" to make it clear that the rules apply to any person collecting debt, whether for another person or for the person collecting the debt (i.e., the rules apply to both "first-party" and "third-party" collection).
• Communication Frequency. The rules have been updated to permit debt collectors to make up to three communications per seven-day period for each account of a consumer rather than per consumer (that distinction is consistent with the federal Fair Debt Collection Practices Act rule on telephone call frequency, though a debt collector is allowed seven attempts, not three, under the FDCPA). The DCWP further amended the rules to exclude certain communications from the three-communication limit, including mailed communications and attempted communications. However, the final rules retain the restriction that limits communication attempts by any means, not just by telephone (another distinction from the FDCPA).
• Communication Timing. The prohibition on contacting a consumer during the consumer's working hours was removed from the Unconscionable and Deceptive Trade Practices section.
• Notice Before Consumer Reporting. The notice required prior to furnishing negative information to a consumer reporting agency has been separated from the validation notice and is now only required to be sent when a debt collector intends to furnish negative information when engaged in debt collection procedures.
• Itemization of Debt. The new rules clarify that a debt collector is only required to provide the expanded itemization of the debt once, and if the debt collector receives a dispute from the consumer, a copy must be sent only once.

Amicus Brief(ly): We have been following this rulemaking closely as the DCWP finalized and proposed new provisions over the past several years. The last proposal, issued almost a year ago, met with industry resistance, not just because it was onerous but because the proposal was internally inconsistent and would have resulted in odd discrepancies in the treatment of similarly situated creditors. The DCWP delayed the effective date of the final rule a couple of times along the way both because of its complexity (designed specifically to be more protective of consumers than the FDCPA) and to address industry concerns about compliance with the rule. Given the broad scope of the rule and the significant consumer base in the country's largest city, there is no avoiding this rule. We - creditors, servicers, and debt collectors alike - now have six months to digest and operationalize its requirements.

On February 23, New York Governor Kathy Hochul announced that the Department of Financial Services issued a pre-proposed version of regulations (the "BNPL Reg") to implement the state's Buy-Now-Pay-Later law enacted in 2025. Comments on the BNPL Reg are due soon - on March 5.

Clocking in at nearly 30 pages, the BNPL Reg covers significant ground. Some highlights include:

Definitions. Two definitions lie at the center of the BNPL Reg. Both track the definitions in the statute.

• Buy-Now-Pay-Later Loan. A BNPL loan is closed-end credit provided to a consumer to purchase goods other than a motor vehicle and/or services. The definition excludes credit where the creditor is the seller of the goods and/or services, meaning that a credit sale is generally excluded unless it is a transaction where a consumer requests that a creditor purchase a good or service and then resell it to said consumer. BNPL loans are defined to generally fall into interest-bearing and interest-free categories. The definition is not limited to "pay in four" transactions.
• Buy-Now-Pay-Later Lender. A BNPL lender is a person who "offers" a BNPL loan or a person to whom a BNPL loan is transferred. As used in this definition, the term "offer" means either extending credit directly to a consumer or operating a platform, software, or system with which a consumer interacts directly or indirectly and a substantial purpose of the consumer's interaction is to obtain a BNPL loan from a third party. As such, the definition appears to include brokers, arrangers, or lead generators of BNPL loans.

Licensing and Authorization. Non-depository BNPL lenders must be licensed by the DFS. The BNPL Reg would require such parties to maintain, at a minimum, capital in a surety bond (or other form acceptable to the DFS) in an amount sufficient to cover all outstanding consumer obligations. Licensed BNPL lenders, as well as parties licensed under the New York Licensed Lender Act and banks and credit unions that are not "exempt organizations" (defined to exclusively mean federally chartered depository institutions or foreign banking corporations licensed by the Office of the Comptroller of the Currency to transact business in New York) must receive a "category permission" from the DFS. Category permissions will specify if the BNPL lender is authorized to offer interest-free or interest-bearing BNPL loans (or both). BNPL lenders other than exempt organizations must maintain records specified by the pre-proposed regulation, with such records being subject to review and examination by the DFS.

Pricing. Interest-bearing BNPL loans would be subject to New York usury limits. BNPL lenders would also be limited in the amount of penalty fees they may charge for violating the terms of the loan agreement (e.g., a late fee). The BNPL Reg provides a safe harbor amount of $8 for such fees. Alternatively, a BNPL lender would be permitted to establish its own penalty fee amount, but it would have to be cost-justified in accordance with the requirements specified in the BNPL Reg and would have to receive the approval of the DFS for such amount(s). Penalty fees may not exceed the dollar amount associated with the violation and would be limited to one fee per violation. The maximum cumulative amount of penalty fees would be limited to no more than the original amount financed under the BNPL loan. Prepayment penalties and the solicitation of tips and gratuities would be prohibited. "Pay to pay fees" would be prohibited unless the payment method involves an expedited service by a customer service representative of the BNPL lender.

Consumer Protections. The BNPL Reg would impose a number of specific consumer protection requirements on BNPL loans. Among them, the BNPL Reg would:

• require reasonable risk-based underwriting before a BNPL loan may be made;
• require pre-transaction and post-transaction confirmatory disclosures;
• prohibit cross-default;
• limit payment representment to one follow-up try via the same payment method absent new and specific payment authorization;
• require periodic statements;
• require BNPL lenders to make reasonable efforts to ensure refund credits are provided by retailers and credited to the BNPL loan on a timely basis;
• require BNPL lenders to establish a process for billing error disputes and limit consumer liability for unauthorized BNPL loans to no more than $50;
• impose data privacy restrictions;
• require BNPL lenders to staff a customer service telephone line for at least 10 hours per day, Monday through Friday (other than federal holidays); and
• require BNPL lenders to establish and maintain written policies and procedures to resolve consumer complaints.

The DFS's Regulatory Activity webpage provides instructions on how interested parties may submit comments.

Amicus Brief(ly): Time is of the essence for providers that want to get early comments in on the draft New York rule - we have until the end of Thursday. There will be a 60-day comment period to follow, so if Thursday is too soon, providers will have some time to refine their comments. The biggest concern with this draft rule appears to be how much like credit cards it treats transactions that are not credit cards. Providers understand that regulators are going to impose rules around BNPL products, but they want those rules to address BNPL products as the unique products that they are. The National Consumer Law Center has praised the underlying law and the approach taken in this draft rule as a model for other states. We will be tracking this rulemaking closely and recommend that providers do as well. All indications from the governor and the DFS tell us that they want to establish strong consumer protections around the BNPL product. As is the case with the NYC debt collection rule referenced above, there is a lot going on in this draft rule that will keep providers and their compliance professionals busy once it is finalized.

On February 25, Connecticut Attorney General William Tong released a memorandum to provide guidance on the application of certain existing Connecticut laws to a business's use of artificial intelligence for multiple purposes, including, among other things, credit risk and loan decisions, stating that "[b]usinesses and individuals should exercise caution when deploying and utilizing AI systems in commercial decision-making to ensure compliance with state and federal laws." The AG states that the memo "is not comprehensive and other state or federal laws [and regulations] may apply depending on the particular use or impact of AI," does not constitute "legal advice or a formal legal opinion," and is "neither binding nor precedential."

Specifically, the memo highlights the application of Connecticut's antidiscrimination laws, the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Connecticut's Safeguards Law (Conn. Gen. Stat. § 42-471), Connecticut's Breach Notification Law (Conn. Gen. Stat. § 36a-701b), and the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110b et seq.) and how a business's use of AI may be subject to these statutes and potentially violate their provisions.

Amicus Brief(ly): This sort of pronouncement from the Connecticut AG has become fairly standard. Regulators and enforcement agencies want to make sure businesses understand that AI is imperfect and that using it for efficiency and cost savings does not absolve the businesses of their obligations to comply with federal and state law. As is typical from Connecticut, the AG provides a fair amount of detail in the memo about how existing Connecticut laws affect AI developers and businesses. To add some gravitas to the memo, the AG references actions taken against five large, national companies (e.g., Amazon, Apple) based on alleged misuse of algorithms. Providers using AI and doing business in Connecticut would do well to review this 11-page memo to see how the state is thinking about the interaction of its laws with AI.

---

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.