Last Week, This Morning

May 26, 2026

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)" [1] comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

OCC Finalizes Rule Amendments Relating to Real Estate Escrow Accounts

On May 15, the Office of the Comptroller of the Currency issued a news release announcing two complementary final rules on national banks' and federal savings associations' real estate lending powers related to escrow accounts.

In the Real Estate Lending Escrow Accounts final rule, the OCC codified longstanding powers of national banks and federal savings associations to establish real estate lending escrow accounts and to exercise flexibility in maintaining those accounts. The final rule: (1) amends the OCC's real estate lending and appraisals regulations applicable to national banks and its lending and investment regulations applicable to federal savings associations to add a definition of "escrow account"; (2) expressly codifies national banks' and federal savings associations' power to establish and maintain escrow accounts; and (3) clarifies that the terms and conditions of escrow accounts, including the investment of escrowed funds, fees assessed for the provision of such accounts, and whether and to what extent interest or other compensation is calculated and paid to customers whose funds are placed in the escrow account, are business decisions to be made by each national bank or federal savings association in its discretion.

In the Preemption Determination: State Interest-on-Escrow Laws final rule, the OCC issued a preemption determination concluding that federal law preempts state laws that eliminate national banks' and federal savings associations' flexibility to decide whether and to what extent to pay interest or other compensation on funds placed in real estate escrow accounts and/or assess fees in connection with those accounts. Specifically, the final rule amends the OCC's real estate lending and appraisals regulations to provide that federal law preempts: (1) New York's interest-on-escrow law, which dictates a minimum interest that national banks must pay on funds held in escrow accounts and generally prohibits them from assessing related service charges; (2) similar laws in California, Connecticut, Maine, Maryland, Massachusetts, Minnesota, Oregon, Rhode Island, Utah, Vermont, Wisconsin, Guam, and the U.S. Virgin Islands; and (3) laws in other states that have substantively equivalent terms.

The final rules are effective on June 18, 2026.

Amicus Brief(ly): Once upon a time, these final rules from the OCC would be just about all a national bank needed to feel secure about taking a preemption position relative to escrow accounts. But in 2026, with the impact of the U.S. Supreme Court's Loper Bright opinion that upended Chevron deference to agencies' interpretations of their statutes, and in light of more recent SCOTUS bank preemption decisions, national banks are not as comfortable relying on the OCC's positions relative to preemption. States are increasingly challenging national banks on the pivotal question of whether a state law actually interferes with a national bank's ability to exercise its rights under the National Bank Act - not just relenting, as they once often did, based on agency interpretations. In these rulemakings, with the SCOTUS decision in the Cantero case from 2024 fresh on the minds of national banks, the OCC is making its case again for federal preemption of state escrow laws. In the current regulatory environment, we anticipate challenges to these rulemakings, giving the parties another chance to argue for and against federal preemption for national banks in the context of escrow accounts for mortgage loans.

Executive Order Issued to Strengthen Anti-Money Laundering and Customer Due Diligence/Identification Requirements Associated with Immigration Status

On May 19, the President issued an executive order titled "Restoring Integrity to America's Financial System," which directs federal financial regulators to review and strengthen anti-money laundering and customer due diligence/identification requirements with a focus on risks to the country's financial system posed by the extension of consumer credit to undocumented immigrants and by employers of undocumented immigrants that may be violating immigration law.

Specifically, the EO directs the Secretary of the Treasury to, within 60 days of the date of the EO, issue a formal advisory to financial institutions regarding the risks associated with the exploitation of the financial system by "non-work authorized populations and their employers." This advisory must identify red flags and suspicious activity patterns associated with: payroll tax evasion; concealment of true account ownership; the use of unregistered money services businesses, third-party payment processors, or peer-to-peer platforms to facilitate "off-the-books" wage payments; repetitive cash withdrawals or deposits that correlate with payroll cycles conducted outside of regulated payroll processing systems; labor trafficking or forced labor; and the use of individual taxpayer identification numbers to open accounts or obtain credit without verified legal presence.

In addition, within 90 days of the EO, the Secretary of the Treasury, in consultation with other federal financial regulators, must propose changes to Bank Secrecy Act regulations to strengthen customer due diligence requirements for covered financial institutions to ensure that institutions can identify the true owners of accounts in order to assess risks related to unlawful activity. Within 180 days of the EO, the Secretary of the Treasury and other federal financial regulators must consider changes to Bank Secrecy Act regulations to strengthen customer identification program requirements for covered financial institutions, including accounting for the risks that foreign consular identification cards pose to the U.S. financial system.

Within 60 days of the EO, the Consumer Financial Protection Bureau must consider clarifying that potential deportation and loss of wages are factors that could adversely affect a non-work authorized borrower's ability to repay an extension of credit under the "ability-to-repay" standards in Regulation Z and that lenders may consider such factors as part of a reasonable and good-faith underwriting determination.

Within 60 days of the EO, federal financial regulators must issue guidance regarding the management of the potential credit risks posed by the extension of loans and financial services to the non-work authorized population.

Amicus Brief(ly): This EO seems superfluous for creditors with strong underwriting programs, but it reflects the consistent application of the current administration's plan to tighten up rules around banks working with immigrant customers. The EO does not cite any empirical evidence to suggest that banks have experienced losses of any scale from doing business with customers who are legally in the country but not U.S. citizens. It also lacks information about how a bank should quantify the credit risk it could incur by doing business with a customer who is gainfully employed but for whom there is some risk, however present or remote, of deportation. In our experience, banks with customer bases that include immigrant populations have built appropriate considerations into their underwriting and pricing models to measure and account for the ability to repay and risks attendant to working with non-citizens, so there may not be much to adjust unless the Treasury's advisory provides specific guidance about how to quantify and address the risks identified in the EO.

FTC Resolves Allegations that Companies Made False and Deceptive Claims About Their Targeted Marketing Service

On May 21, the Federal Trade Commission announced a $930,000 settlement with a media company and two smaller marketing firms with which it worked, resolving allegations that the companies violated the FTC Act by deceiving customers about their artificial intelligence-powered "Active Listening"-branded marketing service and by falsely claiming that consumers had opted into the marketing service. The defendants claimed that the Active Listening service would allow small businesses to provide more targeted advertising to consumers.

Specifically, the FTC alleged that the defendants deceived customers by claiming that their Active Listening service could listen in on conversations overheard by consumers' smart devices in order to target advertisements to consumers within a specific geographic region. According to the FTC's allegations, the Active Listening service offered by the companies did not, in fact, listen to consumers' conversations or use voice data at all, and consumers had not, in fact, opted into the service. Instead, the FTC alleged that the Active Listening service consisted of reselling, at a significant markup, email lists obtained from other data brokers. In addition, according to the FTC, the defendants did not seek or obtain consumers' consent. Instead, the defendants claimed that consumers "opted in" by agreeing to the terms of service that they had to accept when downloading and using apps.

The FTC also alleged that the marketing firms violated the FTC Act by providing the media company with the "means and instrumentalities" to deceive customers through marketing materials and sales pitches that misled small businesses about the capabilities of the Active Listening service.

Under the terms of the proposed settlement, the media company must pay $880,000 in redress, and each of the marketing firms must pay $25,000 in redress to impacted customers. In addition, each defendant will be prohibited from making any misrepresentation about: (1) the qualities or features of its advertising or marketing services; (2) the collection and use of voice data and whether consumers have provided their consent to collect, use, or disclose their voice data; and (3) the geographic targeting capabilities of its advertising or marketing services.

Amicus Brief(ly): The issues in this settlement are familiar and consistent with other public enforcement actions over the past few years (stop us if you have heard this one before): companies must have actual, informed consent to use or sell a customer's data or personal information, like location; providers must ensure that the product or service they offer lines up with the advertisement of that product or service; and, if a provider's product or service is fully illusory, that will catch up to the provider. In this case, if the allegations are true, the product offered would snoop on consumers to provide small businesses with marketing information derived from private insights gained from non-consensual information gathering. The expensive settlement should send a message about these kinds of apparent scams, but history has shown that the message will not reach everyone, so the FTC and state attorneys general will likely bring similar allegations against other companies in the future.

Louisiana Legislature Passes Comprehensive Data Privacy Bill and Awaits Governor's Signature

On May 20, the Louisiana legislature unanimously passed Senate Bill 386, the Louisiana Data Privacy Act, which would establish a comprehensive state consumer privacy framework that largely mirrors other state privacy laws such as those in Virginia, Texas, and Colorado, while incorporating some California-style thresholds and opt-out mechanics. If signed by the governor, the law would apply to businesses operating in Louisiana that meet specified revenue or data-processing thresholds, including entities with more than $25 million in annual gross revenue, those processing the personal data of 75,000 or more consumers, households, or devices, or those deriving at least 50 percent of their annual revenue from selling personal data. The effective date would be January 1, 2027.

The bill grants Louisiana consumers core privacy rights, including the rights to access, correct, delete, and obtain portable copies of personal data, as well as opt out of targeted advertising, the sale of personal data, and certain automated profiling decisions producing legal or similarly significant effects. Controllers would be required to respond to verified consumer requests within 45 days, maintain appeal mechanisms, provide privacy notices, limit data collection to what is reasonably necessary, implement reasonable data security safeguards, and obtain consent before processing sensitive personal data. The bill also requires data protection assessments for higher-risk processing activities, including targeted advertising, profiling, sale of personal data, and processing of sensitive data.

Notably, S.B. 386 contains broad exemptions common to other state privacy statutes, including exemptions for Gramm-Leach-Bliley Act-regulated financial institutions and data, Health Insurance Portability and Accountability Act-covered entities and health data, Fair Credit Reporting Act-regulated activity, Family Educational Rights and Privacy Act-covered data, employment data, nonprofits, higher education institutions, and state agencies. It also expressly prohibits the use of dark patterns to obtain consent and recognizes technology-based opt-out requests submitted through authorized agents, browser settings, or device-level signals, so long as the consumer affirmatively elects the setting.

Enforcement authority would rest exclusively with the Louisiana attorney general. Violations would constitute unfair and deceptive trade practices, but the bill does not create a private right of action. The bill includes a temporary cure period from January 1, 2027, through July 31, 2027, requiring written notice and an opportunity to cure before the AG may initiate an investigation. Overall, S.B. 386 would place Louisiana in line with the growing number of states adopting broad consumer privacy statutes, while reinforcing controller accountability, consent requirements for sensitive data, and AG-led enforcement.

Amicus Brief(ly): Having a national standard for information privacy has not been enough to keep the states from enacting comprehensive information privacy laws to cover the bases that federal law does not cover. The familiar GLBA carve-out for financial institutions means that most banks, credit unions, sales finance companies, licensed lenders, and insurers will not have to comply with this Louisiana bill. Other companies in scope will have to develop policies and procedures to receive, track, and honor consumer requests related to their data, putting them in a position to comply not just with the Louisiana bill, but with other state laws trending toward increased consumer control of their data. Perhaps there will be a federal law with respect to this issue one day, and, with some preemptive power behind it, we might look forward to a uniform standard for consumer data protection.

California DFPI Could Not Establish that Fintech in Bank Partnership Is True Lender

On May 19, the Superior Court of California, County of Los Angeles, issued a Statement of Decision granting Opportunity Financial, LLC's motion for summary judgment in a case in which OppFi challenged the Commissioner of the California Department of Financial Protection and Innovation's ability to apply the true lender doctrine in connection with enforcement of the California Financing Law's interest rate restrictions. The court concluded that the commissioner could not establish that OppFi is the true lender of the "OppLoans" consumer installment loans at issue.

The action arises from the commissioner's threatened enforcement of the Fair Access to Credit Act (Assembly Bill 539) against OppFi. A.B. 539, which became effective on January 1, 2020, amended the CFL to cap interest rates at 36% per year for covered loans between $2,500 and $10,000 made by finance lenders. OppFi is a fintech operating a bank partnership program with FinWise Bank, an FDIC-insured Utah state-chartered bank. FinWise originates consumer installment loans ("OppLoans") to California borrowers at rates that exceed California's 36% yearly interest rate cap.

The court decided the case solely based on OppFi's argument that the commissioner failed to raise a triable issue of material fact that FinWise is "merely a dummy" lender and expressly declined to reach the other two grounds (i.e., CFL statutory exemption and OppFi not a "finance lender"). Applying Janisse v. Winston Investment Company and Forte v. Nolfi, the court found that usury must exist at inception of the loan, and a contract valid at inception cannot become usurious through subsequent events. OppFi's evidence showing that FinWise funds loans with its own money, independently underwrites, retains title and 2-5% of receivables, bears 100% credit risk at origination, controls marketing, and oversees legal compliance was sufficient to demonstrate that FinWise is not a sham lender. The commissioner's three proffered fact disputes (receivables structure, loan title, and underwriting) each failed. With respect to receivables and title, the court found that California law does not restrict loan assignments and the California Constitution exempts successors in interest. With respect to underwriting, the commissioner's evidence showing that OppFi owns the credit model intellectual property and that 82% of decisions are automated did not contradict undisputed evidence that FinWise approves the credit criteria, independently underwrites each loan, and can reject applications, thereby distinguishing FinWise's role from the Janisse dummy lender, which had no involvement in underwriting whatsoever and no financial stake in the loans.

Amicus Brief(ly): Kudos to OppFi for seeing this important case through litigation to this point. The decision is a clear industry win on the true lender question under California law. The court explicitly refused to adopt the DFPI's substance-over-form test as a basis for liability, finding that the commissioner produced no triable evidence that the OppFi-FinWise arrangement was a sham at inception. And it's not, by the way - federal and state laws impose requirements, limitations, and potential liability on the creditor at inception, all of which require material attention from that creditor (i.e., the bank in a bank partnership lending program) even if the creditor plans to sell all or part of the longer-term financial yield of that transaction to someone else. Congress has the option to act if it finds that bank partnership lending arrangements are too risky for banks, but it is clear from the guidance they have issued that bank regulators do not feel that way. For now, a bank partner lending relationship that allows a state or national bank and its non-bank partner to lean into their relative strengths, and that complies with federal and state law as written, should pass tests like the one presented in this important case.


[1] For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.