Sitemap

Yesterday, the National Credit Union Administration (NCUA) announced that it has removed all references to disparate impact liability from its Fair Lending Guide and other materials. Furthermore, the agency contends that its examination and supervision processes will no longer review for disparate impact. This was done in response to President Trump's executive order - Restoring Equality of Opportunity and Meritocracy. That order directed the heads of all federal agencies to eliminate the use of disparate impact liability in their regulations, policies, and practices. While the executive order and the NCUA's subsequent actions has lessened the compliance risk associated with disparate impact, credit unions must not lose sight of the other types of fair lending risk. For example, in a case from 2015, the United States Supreme Court held that disparate impact claims are cognizable under the Fair Housing Act. As a result, the legal risk associated with this theory of discrimination is very much alive and well.

On July 29, 2025, the Consumer Financial Protection Bureau (CFPB) indicated in a court filing that it planned to engage in an "accelerated rulemaking process" to rewrite its personal financial data rights rule, finalized in October 2024. That process has now begun. The agency published an advance notice of proposed rulemaking (ANPR) in the Federal Register on August 22 nd seeking comment on four specific issues it plans to address in the rewrite: The Dodd-Frank Act permits a consumer and/or representative acting on behalf of the consumer to request covered data from a financial institution. The CFPB seeks comment on who should be allowed to serve as a representative acting on behalf of the consumer. Under the final rule in its current form, a financial institution is prohibited from imposing any fee and/or charge on a consumer when fulfilling an information request. The ANPR asks whether the Dodd-Frank Act specifically requires this, and if so, what steps a financial institution should be allowed to take to defray some of its costs associated with fulfilling the information request. The final rule requires financial institutions to have appropriate safeguards in place to protect against malicious actors in the use, retention, and transmission of consumer financial data. The CFPB seeks comment as to whether the final rule’s information security standards go far enough. The final rule requires a financial institution to obtain express informed consent from the consumer before making his/her consumer financial data available to a third-party. The ANPR seeks comment as to whether the rule, in its current form, provides adequate consumer privacy protection. Comments on the ANPR, available here , must be received by October 21, 2025.