ANAYLSIS: As we all know, federal agencies under the Trump administration are now pulling back many recently issued regulations. If you’re having trouble keeping up with news about regulatory changes lately, you’re not alone.
Those who attended the breakout session titled “What’s ahead on the compliance horizon” last week at The League’s annual convention heard me discuss the status of several federal rules that are important for credit unions. As I promised the group, today’s Compliance Courier summarizes that material. For those who couldn’t make it to the breakout session, this Courier should help get you up to date.
As always, if you have any questions (about this Courier or any compliance issue), please reach out to The League’s Compliance Hotline at (608) 640-4050 or email.
Overdraft fees
Background: The rule, which was set to take effect Oct. 1, 2025, applied only to “very large financial institutions,” meaning insured credit unions and other depository institutions with total assets of more than $10 billion.
The rule would have given those large institutions three options when charging fees to pay items that otherwise would have caused an overdraft:
- Capping their overdraft fee at $5;
- Capping their fee at an amount that covered their costs and losses, calculated by using a standard found in the rule; or
- Disclosing the terms of their overdraft loan, using Truth in Lending disclosures.
The League commented in opposition to this rule when it was proposed, stressing that credit unions of every size would face market pressure to comply with the rule, even though it only directly applied to very large financial institutions.
Status: The President recently signed a joint congressional resolution that officially repeals this rule, as explained in this Compliance Courier. Not only has the rule been nullified (meaning that credit unions don’t have to comply with it), regulators cannot enact a “substantially similar” rule without congressional authorization.
Medical information & credit reports
Background: The CFPB’s medical debt rule was finalized in January 2025. It amended Reg. V, the Fair Credit Reporting Act regulation. We summarized the rule in this Compliance Courier, explaining that it does two key things:
- It prohibits creditors (including credit unions) from using medical debt information to determine credit eligibility, with a few limited exceptions.
- It bars credit bureaus from including medical debt information on consumer reports and credit scores they send to lenders.
The League commented on this rule when it was proposed. We told the CFPB that the rule would artificially mask consumer’s debt levels and undermine the accuracy and reliability of credit reports.
Status: Two lawsuits are pending in federal court to stop this rule. One was filed by the Cornerstone Credit Union League and the other by the American Collectors Association.
On April 30 in the Cornerstone case, the CFPB joined the plaintiffs in asking the court to vacate the rule on the grounds that it exceeds the CFPB’s statutory authority. In other words, the CFPB asked the court to vacate the CFPB’s own rule.
In their joint motions, the two sides agreed that:
- Creditors may report medical debt information to credit bureaus;
- Credit bureaus may include that information in credit reports, if it is properly coded; and
- Credit bureaus may furnish credit reports with such properly coded information to creditors for purposes permissible under the Fair Credit Reporting Act.
We’re still waiting for the court to rule on whether it will grant the joint motion. In the meantime, the CFPB filed a motion (which was unopposed) to stay the rule’s compliance date for 90 days, until June 15.
In addition, the U.S. Senate and the House are both considering resolutions to nullify the rule (as they did with the overdraft fees, discussed earlier in this Courier).
“Open banking”
Background: The CFPB finalized its “open banking” rule last fall, and we published a Compliance Courier about it at the end of October.
In a nutshell, the rule requires credit unions, other financial institutions, credit card issuers, and third-party fintech providers to make consumers’ personal financial data available to transfer to other providers for free.
The goal behind the rule is to let consumers add or switch providers to access better rates, receive better terms, and find services that best suit their needs. The CFPB said that the rule promotes competition and consumer choice and will ultimately help improve customer service.
The rule provides for compliance dates to be phased in over time. Larger providers are required to comply by April 1, 2026, while smaller providers have until April 1, 2030.
When the rule was proposed, The League submitted a comment letter to the CFPB on behalf of Wisconsin’s credit unions, voicing concerns about the privacy of members’ information and the impact the would have on credit unions’ operations.
Status: Compliance with this rule is stayed, for now.
The Kentucky Bankers Association and other parties filed a federal lawsuit to stop the rule. They and the CFPB have jointly asked the court to stay the case and the rule’s compliance dates for 30 days “to allow the CFPB and the Acting Director time to consider” the rule. The court granted the motion the day it was filed. We are waiting for additional developments. The parties have a few months yet to file briefs on their request for an injunction.
According to American Banker, experts expect that the CFPB will amend, or rescind and reissue, the rule. “It remains to be seen how the CFPB intends to balance the different concerns and lobbying of large banks, Big Tech players, fintechs, data aggregators and consumers,” they wrote.
Credit card late fees
Background: Last March, the CFPB finalized a rule on credit card late fees. We summarized it in a Compliance Courier on March 5, 2024.
The rule, which applied to card issuers with at least one million open accounts, set a ceiling of $8 per incident for credit card late fees. Covered card issuers could charge higher fees if they could prove the amount was necessary to cover their actual collection costs.
The League submitted a comment letter when the rule was first proposed in 2023, telling the CFPB that “this kind of one-size-fits-all regulatory price-fixing is unfair to credit unions and will harm consumers across the United States.”
Status: A federal judge has voided the rule, based on an agreement reached by the CFPB and the U.S. Chamber of Congress, which had joined several other groups in suing the CFPB over the rule’s legality in federal court. This Compliance Courier summarized the court’s order.
This means that card issuers can continue to charge late fees under the previous regulatory framework, which permitted significantly higher “safe harbor” amounts – up to $30 for the first late payment and $41 for subsequent late payments within a specified period (subject to state law limitations and other previously-applicable federal guidelines).
Small business lending data collection
Background: As explained in The League’s ii Release No. B083, the CFPB’s small business lending rule required certain credit unions (those doing a certain amount of lending to small businesses) to collect and report to federal authorities data about loans to small businesses – those with less than $5 million in gross revenue in their last fiscal year.
The data included basic information about the business and the loan, something like a HMDA reporting requirement but for small business lenders. It also required covered lenders to ask if the business applying was minority-owned, women-owned, or LGBTQ+-owned, as well as the applicant’s principal owners’ ethnicity, race, and sex. The rule was intended to help authorities enforce fair lending laws. The CFPB finalized the rule in 2023, but compliance was not required until July 18, 2025.
The League commented on the CFPB’s proposed rule in 2022, suggesting several changes to it.
Status: Last week, The League published a Compliance Courier to report that the CFPB announced in a press release that it “will not prioritize enforcement or supervision” of the rule.
Also, in a recent court filing, the CFPB wrote that it plans to start a new rulemaking process to revise the rule “as expeditiously as reasonably possible.” This Compliance Courier covered that development.
This rule is still on the books – it hasn’t been repealed – and so one major law firm has warned that states could still take steps to enforce the rule. It is unknown whether state regulators plan to do that in Wisconsin or elsewhere.
Payday lending
Background: This rule has already taken effect, as of March 30, 2025. We summarize what this rule requires in The League’s ii Release No. B080.
The rule was issued back in November 2017, but it was substantially revised in 2020. The CFPB rescinded the original rule’s provisions that required lenders to conduct an ability-to-repay analysis before making a short-term loan that meets their definition of a “payday loan.” That term includes loans that mature within 45 days, or longer-term loans with certain balloon provisions, or certain longer-term loans with APRs of more than 36%. Some kinds of loans are exempt. For example, loans that fit the NCUA’s definition of a “payday alternative loan” (PAL) are exempt.
When the CFPB made its 2020 changes, it kept two provisions about repayment of those types of loans. Credit unions still must comply with those provisions, which say that covered lenders must:
- Obtain a new and specific automatic payment authorization for a covered loan after two consecutive automatic payment attempts have failed, and
- Provide specific disclosures and notices in connection with a covered loan.
Status: As we reported in a recent Compliance Courier, the CFPB has said that it will not prioritize enforcement of this rule. The CFPB said that it “is further contemplating issuing a notice of proposed rulemaking to narrow the scope of the rule.”
In the meantime, compliance is still required, so credit unions should review the ii Release and the CFPB Compliance Guide that is attached to it. Be sure that your credit union follows the two provisions mentioned earlier. The CFPB isn’t “prioritizing” enforcement, but examiners still could cite your credit union for a violation.
Beneficial ownership information
Background: The beneficial ownership information (BOI) rule does not directly impact credit union operations, but it applies to organization members, who may be confused about its requirements. We’ve published several Compliance Couriers on this rule, and this one summarizes it in some detail.
The BOI rule has required corporations, LLCs, and other organizations to file documentation with FinCEN identifying the individuals who own and control them. FinCEN enacted the rule because “shell companies,” with multiple layers of ownership, can be used for money laundering or other crimes. FinCEN wanted to be able to identify the individuals behind those companies.
The BOI is separate from the Customer Due Diligence (CDD) requirements that banks and credit unions must follow. CDD regulations require your credit union to identify the “beneficial owners” of its business members, keeping that information (as opposed to submitting it to FinCEN). That CDD rule has been in place for quite a few years. We cover it in The League’s ii Release No. 0159. Credit unions are still required to comply with CDD; that has not changed.
Status: As we reported in this Compliance Courier, FinCEN has issued an interim final rule that removes the requirement for U.S. companies and U.S. persons to report BOI to FinCEN. The rule narrows the BOI reporting requirements to force only entities previously defined as “foreign reporting companies” to report BOI. Entities previously defined as “domestic reporting companies” formed in the U.S. are now exempt and do not have to report BOI to FinCEN or update or correct BOI previously reported to FinCEN.