Last Week, This Morning

October 6, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)[1]" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

DOJ Settles SCRA Claims Against Vehicle Finance Company

On September 29, the Department of Justice announced that it entered into a settlement agreement with a vehicle finance company to resolve allegations that it failed to obtain the requisite court order before repossessing the vehicles of five active-duty servicemembers, in violation of the Servicemembers Civil Relief Act. Under the SCRA, a finance or leasing company may not repossess a vehicle on which it holds a lien from an active-duty servicemember unless it obtains a court order and the servicemember has made at least one payment on the financing contract before entering military service. In addition to alleging that the finance company failed to obtain a court order, the DOJ also alleged that the finance company took no steps to determine whether the vehicles' owners were active-duty servicemembers before repossessing their vehicles and, in some cases, allegedly went through with the repossession after being told that the owner of the vehicle was on active duty.

Under the terms of the settlement, the finance company will pay $60,000 in compensation to affected servicemembers, forgive any unpaid balance on their accounts, and take steps to repair damage to their credit. The finance company is also required to provide the DOJ with a list of all its repossessions between August 2023 and the effective date of the settlement agreement, and the DOJ will run that list through the Department of Defense Manpower Data Center database and undertake any independent investigations it deems appropriate to identify additional repossessions that violated the SCRA. Finally, the finance company is required to pay a $60,000 civil penalty, make changes to its policies and procedures for vehicle repossessions to avoid future violations of the SCRA, and provide training to employees who are involved in SCRA compliance or repossession activities.

Amicus Brief(ly): The DOJ has consistently been tough on companies that it perceives to have violated servicemembers' rights, as evidenced by the Servicemembers and Veterans Initiative highlighted on its website. Pursuant to that initiative, the DOJ has pursued claims against finance companies, towing companies, storage facilities, and others related to claims under the SCRA. This settlement is relatively minor, but the pursuit of it in the first place underscores the importance of servicemembers and veterans in the eyes of the DOJ. And this settlement was avoidable because this is not new law - any company involved in vehicle repossessions should have an SCRA scrub in its processes to help avoid taking servicemembers' cars without a court order.

FinCEN Seeks Information Concerning Costs of Anti-Money Laundering and Countering Financing of Terrorism Compliance

On September 29, the Department of the Treasury's Financial Crimes Enforcement Network invited the general public and federal agencies to comment on a survey of the costs of anti-money laundering and countering the financing of terrorism ("AML/CFT") compliance. The survey seeks to gather information on the direct costs incurred by certain non-bank financial institutions - specifically, casinos and card clubs, money services businesses, insurance companies, dealers in precious metals, stones, or jewels, operators of credit card systems, and loan or finance companies - in complying with the Bank Secrecy Act and related AML/CFT requirements and, to the extent these expenses overlap with those of other activities (for instance, fraud monitoring), the amount attributable to AML/CFT compliance. The survey states that responses will be used to shape deregulatory proposals consistent with the executive orders of the Trump administration. The responses will not be used for supervisory or enforcement purposes. Responses to the survey must be received by December 1, 2025.

Amicus Brief(ly): FinCEN purposefully casts a wide net with this request, seeking information about compliance costs across an array of business types where the potential for financial crimes is persistent. The survey focuses on the costs of compliance but also asks about other processes companies have in place to combat financial crimes that are not specifically required by BSA/AML or OFAC rules, likely in an effort to identify self-regulatory efforts by these companies that would support further deregulation in the space. Companies (even non-bank finance companies that are not currently subject to the BSA/AML rules) are encouraged to provide information to FinCEN in response to this survey to better inform the outcome.

Rhode Island Statute Requiring Lenders to Pay Interest on Mortgage Escrow Accounts Is Not Preempted by National Bank Act Where Lender Is National Bank

The U.S. Court of Appeals for the First Circuit recently held that a Rhode Island statute requiring lenders to pay interest on mortgage escrow accounts is not preempted by the National Bank Act where the lender is a national bank.

The facts of the case reveal that a homeowner brought a putative class action against his mortgage lender - a national bank - alleging that the bank breached his mortgage contract and was unjustly enriched by failing to pay interest on his mortgage escrow account as required by Rhode Island law. The lender moved to dismiss the claim on the grounds that the state statute is preempted by the National Bank Act, which does not include a requirement that national banks pay interest on mortgage escrow accounts. The trial court granted the motion to dismiss.

While the appeal to the First Circuit was pending, the U.S. Supreme Court decided Cantero v. Bank of America, N.A., which clarified the legal standard for preemption under the NBA in a case involving New York's interest-on-escrow law. The Dodd-Frank Act of 2010 provides that if a state law does not discriminate against national banks compared to state-chartered banks, then preemption exists only if the state law "prevent[s] or significantly interfere[s] with the exercise of national bank-powers 'in accordance with the legal standard for preemption in the decision of the Supreme Court of the United States in [Barnett Bank].'" According to the appellate court, Cantero requires a court to "make 'a practical assessment of the nature and degree of the interference caused by a state law'" and "perform a 'nuanced comparative analysis' of the preemption cases relied on in Barnett Bank." In his post-Cantero brief, the homeowner argued that the trial court did not apply the proper test for preemption and that, applying that test, the lender has not shown that the Rhode Island statute significantly interferes with federal banking powers. The First Circuit agreed with the homeowner that the trial court did not comply with Cantero's requirement to assess the degree of the interference with national banking powers and then compare the interference against the banking preemption precedents identified in Barnett Bank.

Because the trial court did not apply the approach required by Cantero, the First Circuit turned to the issue of whether the lender has nevertheless shown that the Rhode Island statute is preempted under Cantero. The lender argued that the Rhode Island law significantly interferes with its express power to engage in mortgage lending and its incidental power to offer escrow accounts. The First Circuit considered Barnett Bank and the various cases identified in that case and determined that the most relevant precedents were those that involved state laws that were banking-specific and did not expressly conflict with federal law. Those cases, according to the appellate court, require a court to consider "whether the state law was generally consistent with the federal-banking scheme that Congress intended and the likely practical effect of the state law's enforcement on a national bank's exercise of federal-banking power as informed by generally understood economic principles." The First Circuit concluded that the Rhode Island law is not "out of step with the federal regulatory scheme," relying on the fact that at least 12 states have interest-on-escrow laws and Congress, in Truth in Lending Act Section 1639d, has mandated compliance with state interest-on-escrow laws for certain categories of mortgages. The First Circuit rejected Citizens' argument that preemption exists when a state statute "impairs a bank's 'flexibility' or 'efficiency'" or when states have "a patchwork of varying and conflicting regulations."

Therefore, the First Circuit vacated the trial court's decision dismissing the homeowner's complaint and remanded the case.

Amicus Brief(ly): The courts are making it difficult for national banks to know where the lines are on what felt like, for a long time, generally-accepted preemption positions when it comes to state lending laws. The Office of the Comptroller of the Currency has adopted, reviewed, and re-adopted (after the enactment of the Dodd-Frank Act 15 years ago) regulations that describe the kinds of state laws that are preempted and the kinds that are not. Among the state laws that the OCC's regulations clearly stated were preempted are state law limitations concerning "escrow accounts, impound accounts, and similar accounts" (see 12 C.F.R. § 34.4(a)(6)). The Cantero holding and this one have us yearning for the pre-Loper-Bright years when a national bank could point to the OCC's regulations and expect the courts to give some deference to its interpretations. We're past that now, and it appears that national banks will have to wrestle more regularly and deliberately with state laws to determine whether they cross the poorly-defined threshold of "significant interference" with the exercise by a national bank of its statutory lending authority.

FTC Announces $2.5 Billion Settlement with Large Online Retailer over Deceptive Subscription and Cancellation Practices

On September 25, the Federal Trade Commission announced a $2.5 billion proposed settlement with the world's largest online retailer, resolving allegations that the company enrolled consumers in a subscription program without obtaining express informed consent and failed to provide a simple cancellation mechanism, in violation of the FTC Act and the Restore Online Shoppers' Confidence Act.

The proposed consent order resolves allegations that the retailer violated the FTC Act and the ROSCA by engaging in deceptive subscription enrollment and cancellation practices. Under the consent order, the retailer is prohibited from making misrepresentations about material terms in a transaction involving a negative option feature - a contractual provision that allows the seller to interpret the consumer's silence as an acceptance of a renewed offer. In the future, the retailer is required to provide simple mechanisms for a consumer to cancel any negative option feature, which "must not be difficult, costly, confusing, or time consuming." Notably, the consent order also provides that, if the FTC "promulgates an amended rule or regulation governing negative options or subscriptions," the requirements of that rule will supersede the relevant requirements of the consent order. Additionally, the retailer is required to submit a compliance report one year following the settlement that, among other things, details the activities of each negative option feature related to its subscription service and whether and how it is in compliance with the settlement order.

The $1 billion civil penalty is the largest ever imposed for an FTC rule violation. The $1.5 billion in consumer restitution is the second-highest restitution amount the FTC has obtained to date. The consent order will remain in effect for 10 years against the retailer and for three years with respect to two individual executives who joined the settlement.

Amicus Brief(ly): If this one doesn't get your attention, nothing will. Those are big numbers, based on claims related to signing consumers up for services that they did not request and making it hard for them to cancel those services. It has been apparent for a long time that neither the federal regulators nor the state regulators are fans of those tactics, so the fact that they came down hard on the retailer is not shocking or surprising, but the penalties certainly are.

California Privacy Protection Agency Updates CCPA Regulations

The California Privacy Protection Agency recently updated existing California Consumer Privacy Act regulations by specifying requirements for businesses to conduct cybersecurity audits and risk assessments, specifying consumers' rights to access and opt out of businesses' automated decision-making technology ("ADMT"), and specifying when insurance companies must comply with the CCPA. The final regulations go into effect on January 1, 2026. However, there is additional time for businesses to comply with some of the new requirements.

Businesses required to complete cybersecurity audits must submit certifications to the CPPA by:

  • April 1, 2028, if the business makes over $100 million;
  • April 1, 2029, if the business makes between $50 million and $100 million; or
  • April 1, 2030, if the business makes less than $50 million.

Businesses subject to risk assessment requirements must begin compliance by January 1, 2026. By April 1, 2028, they must submit to the CPPA:

  • an attestation that required risk assessments were completed; and
  • a summary of their risk assessment information.

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.

Amicus Brief(ly): The CCPA continues to provide work for companies doing business in California. This update appears to have an AI-related twist (though the definition of ADMT does not specifically limit it to AI systems), with the CPPA adding protections for consumers related to their potential interactions with systems not staffed by people, including the right to opt out of such interactions. The updates in this rulemaking are plentiful, and we commend privacy professionals to a cup of coffee and some quiet time to ingest them.

FTC and DOJ Settle Unlawful Telemarketing Claims

On September 30, the Federal Trade Commission announced a proposed settlement with a company and its subsidiary that assist consumers in applying for social security disability benefits, resolving allegations that they violated the FTC Act and the Telemarketing Sales Rule when facilitating millions of phone calls marketing their services.

The complaint, filed by the Department of Justice upon referral from the FTC, alleged that the defendants' telemarketers falsely claimed that they were calling consumers in response to the consumers' inquiries about their eligibility for social security disability benefits. However, according to the complaint, the defendants were not in fact responding to consumer inquiries but had contracted with lead generators to obtain lists of consumers to call. The call lists were created by obtaining personal information that consumers had provided to certain websites offering prizes, online coupons, or a quote for home insurance, which the FTC dubbed "consent farms," i.e., websites that primarily exist to generate leads for sale. The complaint alleged that those websites did not disclose that the personal information collected would be used for telemarketing calls. Finally, the defendants' telemarketers allegedly called millions of numbers on the National Do Not Call Registry.

The proposed settlement imposes a $2 million civil penalty, which will be partially suspended upon payments totaling $1 million within the year after the order is entered. The proposed settlement also prohibits the defendants from telemarketing using prerecorded robocalls, prohibits them from making calls to numbers on the DNC Registry, prohibits them from making misrepresentations, and requires them to conduct due diligence and monitoring of their lead generators to ensure that the lead generators do not make misrepresentations to consumers.

Amicus Brief(ly): Despite appearances, some parts of the federal government are operating as intended. This proposed settlement from the FTC and DOJ reflects a coordinated effort to stop some objectionable tactics. We have seen these bad facts in other federal litigation and settlements over the past couple of years, and we expect more as the federal and state governments focus on giving consumers control over what happens with their personal data. The penalty amounts involved in this proposed settlement are not outrageous but should help serve as a deterrent for future actors tempted to run "consent farms" and sell consumer data to telemarketers. The Telemarketing Sales Rule and its prohibitions are not new law - this settlement was avoidable.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.