Last Week, This Morning

March 30, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)¹" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

On March 20, the White House released a comprehensive national policy framework for artificial intelligence in which it makes several legislative recommendations including, in part:

(1) The U.S. must remove barriers to innovation, accelerate deployment of AI applications across sectors, and ensure broad access to the testing environments needed to build AI systems. In order to accomplish this goal, the policy states:

• Congress should establish regulatory sandboxes for AI applications that help unleash American ingenuity and further American leadership in AI development and deployment;
• Congress should provide resources to make federal datasets accessible to industry and academia in AI-ready formats for use in training AI models and systems; and
• Congress should not create any new federal rulemaking body to regulate AI and should instead support development and deployment of sector-specific AI applications through existing regulatory bodies with subject matter expertise and through industry-led standards.

(2) The federal government must establish a federal AI policy framework to protect American rights, support innovation, and prevent a fragmented patchwork of state regulations that would hinder our national competitiveness, while respecting federalism and state rights. In order to accomplish this goal, the policy states:

• Congress should preempt state AI laws that impose undue burdens to ensure a minimally burdensome national standard consistent with these recommendations, not 50 discordant ones.
• This national standard should respect key principles of federalism and not preempt: the traditional police powers retained by the states to enforce laws of general applicability against AI developers and users, including particular laws to protect children, prevent fraud, and protect consumers; state zoning laws, including state authorities, to determine the placement of AI infrastructure; and requirements governing a state's own use of AI, whether through procurement or services they provide like law enforcement and public education.
• Preemption must ensure that state laws do not govern areas better suited to the federal government or act contrary to the U.S.' national strategy to achieve global AI dominance. States should not be permitted to regulate AI development because it is an inherently interstate phenomenon with key foreign policy and national security implications. States should not unduly burden Americans' use of AI for activity that would be lawful if performed without AI. States should not be permitted to penalize AI developers for a third party's unlawful conduct involving their models.

Amicus Brief(ly): The White House sets lofty goals with this policy for a Congress that has not been able to agree on much or get a lot done legislatively over the past few years. Given the surge of AI use recently across industries and in the lives of consumers, the policy is timely and could (maybe) lead to a productive federal bill that includes a preemption provision that would allow providers and users to rely on a single set of AI rules. The states beat Congress to the punch on this subject, though, with several states having already adopted AI laws. We are skeptical that Congress will be able to accomplish the goals set forth in this policy, but we'll monitor this development.

On March 25, the Financial Stability Oversight Council requested public comment on proposed interpretive guidance on nonbank financial company designations. The FSOC was established by the Dodd-Frank Act to identify risks to U.S. financial stability, promote market discipline by reducing expectations of government bailouts, and respond to emerging threats to the financial system. The FSOC can designate nonbank financial companies for supervision by the Federal Reserve if the potential for their failure poses a risk to national financial stability.

According to the FSOC's news release, the proposed interpretive guidance would reinstitute a number of elements first introduced by the FSOC's 2019 interpretive guidance. Specifically, the proposed guidance would:

• incorporate economic growth and economic security into the FSOC's analysis of risks to financial stability;
• prioritize identifying, assessing, and addressing risks through an activities-based approach. Under the proposal, the FSOC would pursue entity-specific designations only if a potential risk or threat cannot be, or is not, adequately addressed through an activities-based approach. Prioritizing an activities-based approach would enhance the rigor of the FSOC's activities and facilitate the FSOC's efforts to consider impediments to economic growth and economic security when identifying potential risks to U.S. financial stability;
• enhance analytical rigor by committing to performing a cost-benefit analysis before a designation decision and making a designation only if the expected benefits justify the expected costs. The FSOC would assess the likelihood of the company's material financial distress as part of its analysis of potential benefits and costs of a designation; and
• provide a new pre-designation "off-ramp" and promote greater transparency. The FSOC would identify steps a nonbank financial company or financial regulators could take to address a potential threat to U.S. financial stability based on the FSOC's preliminary evaluation and allow time for the material risks to be addressed. Providing this opportunity to mitigate identified risks would enhance the transparency of the designation process and result in a more effective approach to addressing a potential threat to U.S. financial stability.

Comments on the proposed guidance must be submitted within 45 days of its publication in the Federal Register, which is expected shortly.

Amicus Brief(ly): This interpretive guidance from the FSOC may be giving nonbank financial innovators mild whiplash given the way it has swayed among administrations. The current administration adheres to its pro-business approach to regulation in this version of the proposed guidance, providing opportunities for companies to explain their models to the FSOC and how they do not present the apparent risk. Conversations like that can lead to productive results if both sides are transparent and open-minded. Comments received during the 45-day period may or may not impact the final guidance. If past is prelude, comments objecting to the proposed guidance will likely be ineffective - the FSOC will stick to its convictions and adopt the guidance largely as it appears in the proposal. We can have optimism, though, that this guidance will allow for continued nonbank innovation, leading to positive results that do not threaten economic stability.

On March 20, Oklahoma Governor Kevin Stitt signed Senate Bill 546, which enacts Oklahoma's comprehensive privacy bill, effective January 1, 2027. The Oklahoma privacy law provides obligations and exceptions similar to other state privacy laws. However, small differences in these laws can have a large impact on a business's data processing. In particular, affected businesses should note the Oklahoma law's disclosure obligations, standards around purpose specification and secondary processing, and consent standards. Consumer financial services businesses should note differences in the scope of the terms "sensitive data" and "biometric data," the definition of "consent," and consumer opt-out rights.

Applicability

Entities are subject to the privacy law when:

• they conduct business in Oklahoma or produce products or services that are targeted at Oklahoma residents; and
• during a calendar year, they control or process the personal data of: (1) at least 100,000 consumers; or (2) at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The law does not apply to financial institutions under the Gramm-Leach-Bliley Act, entities covered under HIPAA privacy regulations, and other specified entities and also does not apply to, among other things:

• certain activities by consumer reporting agencies, furnishers, and consumer report users, as regulated by the Fair Credit Reporting Act;
• personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act;
• personal data on consumers in commercial or employment contexts;
• publicly available information (via exclusion from the definition of "personal data");
• deidentified data (via exclusion from the definition of "personal data") but not necessarily "pseudonymous data"; and
• personal data collected under other federal laws specified in the law.

Consumer Rights

By submitting a request to a controller, consumers have the right to:

• confirm whether the controller is processing their personal data and access such data, unless such confirmation or access would require the controller to reveal a trade secret;
• correct inaccuracies in their personal data, taking into account the nature of the information and the purposes of the processing of the information;
• delete their personal data;
• obtain a copy of their personal data held by the controller in a portable and, to the extent electronically feasible, readily usable format that allows them to transmit the data to another entity without hindrance; and
• opt out of the processing of their personal data for the purposes of targeted advertising, the sale of such data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.

The law defines "sale" more narrowly than other state laws, limiting it to exchanges for monetary consideration. Opt-out requirements under the law do not include the use of universal opt-out mechanisms.

Controller and Processor Obligations

The Oklahoma privacy law imposes separate obligations on controllers and processors of personal data, defining those terms based on providers' access to consumer data and assigning obligations accordingly.

The law requires that a contract between the controller and processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

Enforcement

The Oklahoma privacy law grants the Oklahoma attorney general the exclusive authority to enforce the law. Prior to initiating any action, the AG must issue a written notice to the controller or processor identifying the specific provisions of the law that the AG believes that the controller or processor violated. If the controller or processor fails to cure the alleged violation within 30 days after receiving notice of alleged noncompliance, an enforcement action may be brought. Each violation is punishable by a civil penalty of up to $7,500, plus reasonable attorney's fees and expenses.

Amicus Brief(ly): It has been a little while since a state adopted a comprehensive privacy law like this, but Oklahoma identified and addressed an apparent need for such a law. Fortunately, for the most heavily regulated financial services providers, the Oklahoma law (like privacy laws adopted in other states) includes an exception for providers subject to the GLB Act. For others, there is a fair amount to unpack in this new law that differs just enough from other states' privacy laws to require a good read of the bill. We issued an alert about this law last week and commend readers to its more detailed review of the statute. The new law underscores the ongoing, and arguably increasing, importance of consumer data privacy and security to state and federal regulators. We expect legislation and enforcement on these subjects to maintain a brisk pace from here.

Washington Governor Bob Ferguson recently signed Senate Bill 5720, which enacts the Uniform Consumer Debt Default Judgments Act. S.B. 5720 is intended to broaden the protections provided for in 2020 House Bill 2476 regarding debt buyers by: (1) expanding requirements and remedies previously applicable only to debt buyers to be applicable to all holders of purchased debt and any affiliates; and (2) imposing new disclosure requirements for consumer debt collection actions and new remedies when those requirements are not satisfied.

The Act applies to the award of a default judgment in an action for collection of: (1) an unsecured consumer debt; (2) a secured consumer debt if the action is brought solely to obtain a money judgment; or (3) a deficiency that remains after disposition of property that secured a consumer debt. The Act does not apply to: (1) an action to take possession of or dispose of real or personal property, even if the action includes a request for a money judgment; or (2) an action to collect a debt owed to a government, governmental subdivision, or agency in which the government, governmental subdivision, or agency is the plaintiff.

Under the Act, a default judgment may be entered only if the plaintiff's complaint or amended complaint includes certain specified information, includes certain specified attachments evidencing the debt, and provides a notice to the consumer warning that a default judgment may be awarded against the consumer and containing specified information. The Act provides a form "Consumer Notice" that satisfies the notice requirements.

Violations of the Act are considered unfair acts or practices or unfair methods of competition under Chapter 19.86 of the Revised Code of Washington, and penalties can be imposed.

The Act is effective on January 1, 2027.

Amicus Brief(ly): Washington is the first state to adopt the Uniform Law Commission's recent consumer credit-related model Act, published by the ULC in 2023 in response to reports that more than half of the judgments against consumers in consumer debt-related lawsuits were obtained by default. Virginia and Pennsylvania have also introduced the model Act in their legislatures, and Virginia has sent its version to its governor. So, Washington, which passed the bill almost unanimously, will not likely be the last to adopt a version of the model Act, which the ULC designed to give courts and consumers more information about the debts that are the subject of collection lawsuits. Both Washington's and Virginia's versions of the Act include the new consumer notice requirement for collection firms to incorporate in their pleadings to alert consumer defendants to the potential consequences of not responding to the complaint. For many years, the state legislatures and sometimes their courts have been adding procedural and substantive requirements on debt buyers and other creditors pursuing litigation collection strategies. It might be nice to have wide adoption of the model Act and normalization of those requirements.

On March 23, Utah Governor Spencer Cox signed Senate Bill 230, which amends the Utah Consumer Credit Code to prohibit creditors from charging a prepayment penalty to a debtor that prepays the unpaid balance of a closed-end consumer credit debt. The new law defines "prepayment penalty" as "a contingent fee that a creditor assesses against a debtor for paying all or any portion of an outstanding debt before the debt's scheduled due date." "Prepayment penalty" does not include a prepaid finance charge. "Prepaid finance charge" is given the same definition as in 12 C.F.R. Section 1026.2.

S.B. 230 also provides that a prepaid finance charge that the creditor charges on closed-end consumer credit debt is nonrefundable if the debtor prepays unless the parties expressly agree otherwise. In addition, if a creditor accelerates the maturity of a closed-end consumer credit debt for any reason and obtains a judgment, the creditor must calculate the unpaid balance of the debt as if the debtor had paid the debt in full on the date of the judgment. The judgment will accrue interest at the rate the parties agreed to for the debt.

S.B. 230 takes effect on May 6, 2026.

Amicus Brief(ly): Utah's UCCC amendment makes sense to us because it is good for both consumers and creditors. For consumers with closed-end credit accounts, it makes what was effectively a prohibition against prepayment penalties clearer. Increasingly fewer creditors impose prepayment penalties, so that change is not likely to have a material impact on creditors. The clarification that prepaid finance charges are not refundable unless the parties to a closed-end consumer credit agreement specifically agree that they will be, however, is a good clarification for creditors. Given that prepaid finance charges usually compensate originating creditors for the costs related to preparing credit documents, booking new accounts to their system of record, setting up servicing, and more, creditors are not likely to agree to a refund requirement for any charges that are earned at consummation. These useful changes do not impact credit agreements too dramatically, so the effective date of May 6 should not present compliance or programming headaches.

---

¹ For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.