Last Week, This Morning

February 17, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

New York State Assembly Considering True Lender Bill

New York Assembly Bill 10133-A (the "True Lender Bill") was recently introduced to the State Assembly and would establish requirements for certain "personal loans" involving "lenders," while simultaneously exempting certain "short-term loans." The True Lender Bill would deem non-depository, unlicensed parties as "lenders" if they:

  • offer or make a "personal loan" (defined to mean an extension of unsecured or personal property-secured closed- or open-end consumer-purpose credit, other than credit cards, involving a "lender");
  • purchase or acquire a whole or partial interest in a personal loan or any receivables arising from a personal loan;
  • arrange, broker, or facilitate a personal loan for a third party; or
  • act as an agent for a third party in making a personal loan, regardless of whether approval, acceptance, or ratification by the third party is necessary to create a legal obligation for the third party.

Even if such a party acts as an agent or service provider for a third party exempt from the True Lender Bill (such as a bank or credit union), it would still be considered a "lender" if:

  • it holds, acquires, or maintains the predominant economic interest in the personal loan;
  • it markets, brokers, arranges, or facilitates the personal loan and holds the right, requirement, or right of first refusal to purchase or acquire such loan or any receivable or interest in such loan; or
  • the totality of circumstances indicate that such a party is the lender (e.g., indemnifying third parties for costs or risks associated with the personal loan, predominantly designing, controlling, or operating the personal loan, or holding intellectual property rights regarding the personal loan).

Personal loans involving such "lenders" made to persons who are residents of, or who are physically present in, New York would be subject to the state's civil and criminal usury limits. In addition to banks and certain New York licensed lenders, the True Lender Bill would also exempt parties making loans under certain federal lending programs, nonprofits engaged in certain federal or state low-income housing programs, and parties extending money on a nonrecourse basis in exchange for contingent rights to legal awards, judgments, and settlements.

The True Lender Bill would establish a limited exclusion for "short-term loans," defined as an unsecured closed-end personal loan of $3,000 or less with a scheduled repayment term of 3 to 12 months that is repayable in equal installments that will amortize the balance borrowed over the loan term. Short-term loans would be permitted to have interest up to 25% per annum, calculated inclusive of interest and virtually all fees. Limited administrative charges and late fees would be permitted but would be tiered based on dollar amount, and late fees would be subject to a lifetime cap. Among other things, prepayment penalties, increased default interest rates, default charges other than late fees, acceleration of the full balance, and fees for forbearance, payment deferrals, or extensions would be prohibited. The True Lender Bill would require lenders making short-term loans to offer them only after reasonable, risk-based underwriting.

Amicus Brief(ly): This bill just went to committee, and New York will have some work to do to pass the measure that seeks to corral certain unlicensed providers in the fintech and bank partnership spaces and regulate them. Like other states, New York is attempting to specifically and more closely regulate non-bank participants in these financing arrangements - not just by licensing them through very broad definitions of what activities constitute "true lender" activities but by imposing substantive limitations on the terms of loans originated by other entities, including banks, with lending authority that exceeds the authority described in this bill. Notwithstanding the exceptions built into this bill, we expect industry resistance to both the bill's licensing requirements and the substantive limitations that will make it difficult to offer certain personal loans to New York consumers through a partnership program. We will watch this one closely and report developments. New York is the fourth biggest state in the U.S. by population, and New York City has a population that is higher than 38 states and the District of Columbia. The affected market is big, so if it passes, this bill will be impactful.

Used Car Dealership Subject to Enhanced Penalties for Violations of New Jersey Consumer Fraud Act, Advertising Regulations, and Prior Consent Order

On February 9, the New Jersey Office of the Attorney General and Division of Consumer Affairs announced that they recently obtained a final judgment in their action against a used car dealership for engaging in conduct that violated the New Jersey Consumer Fraud Act, New Jersey's motor vehicle advertising regulations, and a 2018 consent order.

The 2018 consent order resolved allegations that the dealership failed to provide clear disclosures regarding "gray market" vehicles (vehicles imported without authorization and that may not meet U.S. safety or emissions standards), improperly advertised its vehicles, failed to provide or properly disclose warranty information, and conducted a deceptive promotional program promising consumers a TV set with the purchase of a car that was not delivered as promised. Since then, the DCA received additional consumer complaints about the dealership's practices, initiated another investigation, and filed a complaint in the Superior Court of New Jersey. The state contended that the dealership continued to commit similar deceptive sales and advertising practices despite the consent order's requirements. The complaint alleged that the dealership violated the CFA, the advertising regulations, and the 2018 consent order by:

  • failing to include dealer preparation fees in the list price in its online advertisements and failing to display on its website, in the required font size, the statement "price(s) include(s) all costs to be paid by the consumer, except for licensing costs, registration fees, and taxes," in violation of advertising regulations;
  • having consumers waive their right to purchase a used vehicle that meets New Jersey inspection standards, without providing consumers with a separate disclosure of known defects affecting the vehicle's ability to pass inspection at the time of the waiver, in violation of New Jersey's Motor Vehicle Certificate of Ownership Law;
  • failing to provide a copy of the signed odometer disclosure statement showing vehicle mileage upon transfer of vehicle ownership to the buyer, in violation of the Federal Odometer Act; and
  • failing to provide required disclosures regarding gray market motor vehicles, leading to potential high-cost repairs or incompatibility with local regulations.

Partial summary judgment was granted to the state in April 2025, and the remaining count was voluntarily dismissed. In January 2026, the court granted the state's request for final judgment and entry of injunctive and monetary relief. The court found that the dealership's volume of violations over a 2-month period (511 violations in all), particularly after the entry of a prior consent order, reflected a "pattern of non-compliance" and a "lack of good faith and observance of fair dealing" that supported the enhanced civil penalty of $793,500. The court also awarded attorneys' fees and costs in the amount of $49,276.

Amicus Brief(ly): The government stubbornly insists that companies subject to a consent order must comply with it, and when that did not happen in New Jersey, the AG convinced the court to enter judgment on the balance of its claims and to award a material civil penalty and attorneys' fees. While the primary lesson from this development is to track the requirements of your state and federal consent orders (if any, of course) closely and comply with them, the trailing lessons about allegedly deceptive vehicle advertising will sound familiar: no hidden fees and costs in price advertising, have advertised vehicles actually available for sale, and be truthful about used vehicle condition (including the required federal odometer statement). Those limitations are grounded in federal and state laws and appear pretty consistently in some shape or form in consent orders with vehicle dealers.

DOJ and Texas AG Announce Joint $68 Million Settlement with Private Land Developer for Allegedly Discriminating Against Hispanic Consumers

In December 2023, the Consumer Financial Protection Bureau and the Department of Justice filed a complaint in the U.S. District Court for the Southern District of Texas against a private land developer and its affiliates. The complaint alleged that the developer, among other things, unlawfully discriminated against applicants on the basis of their race or national origin in violation of the Fair Housing Act and unlawfully discriminated against applicants on the basis of their race or national origin in violation of the Equal Credit Opportunity Act and its implementing Regulation B. Specifically, the CFPB and the DOJ alleged that the developer misled borrowers about infrastructure on the lots it sold, targeted Hispanic consumers with "predatory loans" at rates approximately eight points higher than the average fixed loan, engaged in an above-average rate of foreclosures against borrowers, and only provided transaction documents in English, despite advertising and marketing to Hispanic consumers in Spanish.

The developer expressly denied all allegations, but, to resolve the matter, on February 10, the developer agreed to a $68 million settlement and several remedial measures. The settlement also resolves a similar March 2024 lawsuit brought by the Texas Office of the Attorney General against the developer.

In a sign of the shifting priorities under the Trump administration, many of the claims brought by the Biden-era administration were not addressed in the current settlement agreement. Rather, the DOJ focused on the developer's "support of illegal immigration" through the alleged practice of providing mortgages to Hispanic consumers without requesting any documentation or determining their ability to repay the loan. In the DOJ's press release announcing the settlement, Harmeet K. Dhillon, assistant attorney general in the DOJ's Civil Rights Division, said that "[t]his DOJ will go after all lenders, financiers, and land developers who participate in schemes which ultimately encourage illegal immigration."

Approximately one-third of the settlement, $20 million, will go to building, funding, and equipping law enforcement facilities and personnel to patrol the developer's subdivisions due to the allegations of increased crime there. None of the $68 million will be set aside for borrower restitution. However, as part of the settlement, the developer agreed to participate in a default avoidance program, albeit one with a high barrier of entry that effectively prevents the most at-risk borrowers from participating. Borrowers must have made 12 consecutive, full, on-time mortgage payments within the last five years, must have paid at least $10,000 for improvements to the property in the past 18 months, and must have installed utility taps to physically connect their property to water, sewer, or gas mains.

Amicus Brief(ly): This case took quite a turn from where it started to where it ended. Initiated as a fair lending claim, the DOJ focused the settlement on claims that the developer encouraged illegal immigration by marketing easy-to-get (but expensive) mortgage loans to Hispanic customers without underwriting them to confirm the ability to repay. We direct compliance professionals looking for fair lending takeaways to the consent order provisions related to the foreclosure avoidance plan that the DOJ required of the developer in an effort to reduce the number of foreclosures it initiated against borrowers. The developer had initiated foreclosure on more than 30% of its loans within three years after origination over a 5-year period, suggesting that its underwriting could use improvement. The consent order also requires the developer to hire a compliance person to focus on truthful advertising and to develop more complete underwriting standards that focus on creditworthiness.

New York DFS Issues Cybersecurity Guidance on Vishing

On February 6, the New York Department of Financial Services issued industry guidance to regulated entities outlining the steps they should take to mitigate risks relating to vishing, the fraudulent practice of making phone calls or leaving voice messages purporting to be from a reputable source in order to induce individuals to reveal personal information.

The DFS stated that it is aware of recent vishing attempts at regulated entities where hackers are posing as IT help desk staff in calls to employees, sometimes using spoofed caller IDs, and directing employees to use a malicious link that takes them to fake organization- or vendor-branded websites. The employees who follow these directions unknowingly provide their login credentials and multi-factor authentication codes to the hackers. The DFS is advising entities to review their cybersecurity programs to confirm compliance with its cybersecurity regulation (23 NYCRR Part 500) and take the following steps:

  • Identity Verification Procedures: Instead of relying on caller ID, implement procedures for personnel to confirm the identity of individuals requesting credential resets, remote access, or other activity associated with information system access.
  • Targeted Awareness Training: Train personnel on common social engineering tactics, including the vishing technique in which threat actors are impersonating IT help desk and service providers.
  • Access Management: Regularly review access permissions to confirm that account access is limited to what is necessary and appropriate for job functions.
  • Multi-Factor Authentication Enrollment: Review existing MFA controls, including permissions for MFA enrollment.
  • Continuous Monitoring and Detection: Employ monitoring and alerting mechanisms to detect anomalous authentication activity and behaviors as well as for indicators of credential compromise.
Amicus Brief(ly): Kudos to the New York DFS for targeting odious vishing practices and reminding industry providers to protect themselves from those practices. Larger regulated institutions almost certainly have the kinds of protections the DFS suggests in place - those suggestions are common but important data security procedures and have been required under New York's cybersecurity regulation for several years. But smaller providers and providers that are new to the space may have some work to do to fully implement the required protections. There is no time to waste. Scammers have been developing more and more sophisticated campaigns to get access to valuable consumer data, and with the help of artificial intelligence their vishing and other schemes are likely to be even more effective at deception. Protect that data!
1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.