Microsoft: Hackers Steal Emails in Device Code Phishing Attacks

An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing.

The targets are in the government, NGO, IT services and technology, defense, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.

Microsoft Threat Intelligence Center tracks the threat actors behind the device code phishing campaign as ‘Storm-2372’. Based on interests, victimology, and tradecraft, the researchers have medium confidence that the activity is associated with a nation-state operation that aligns with Russia’s interests.

Device code phishing attacks

Input-constrained devices, those that lack keyboard or browser support, like smart TVs and some IoT devices, rely on a code authentication flow that allows users to sign into an application by typing an authorization code on a separate device like a smartphone or computer.

Microsoft researchers discovered that since last August, Storm-2372 has been abusing this authentication flow by tricking users into entering attacker-generated device codes on legitimate sign-in pages.

The operatives initiate the attack after first establishing a connection with the target by “falsely posing as a prominent person relevant to the target” over messaging platforms like WhatsApp, Signal, and Microsoft Teams.

Messages Storm-2372 sent to targets
Source: Microsoft

The threat actor gradually establishes a rapport before sending a fake online meeting invitation via email or message.

According to the researchers, the victim receives a Teams meeting invite that includes a device code generated by the attacker.

“The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting,” Microsoft says.

This gives the hackers access to the victim’s Microsoft services (email, cloud storage) without needing a password for as long as the stolen tokens remain valid.

Device code phishing attack overview
Source: Microsoft

However, Microsoft says that the attacker is now using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow, which allows them to generate new tokens.

This opens new attack and persistence possibilities as the threat actor can use the client ID to register devices to Entra ID, Microsoft’s cloud-based identity and access management solution.

“With the same refresh token and the new device identity, Storm-2372 is able to obtain a Primary Refresh Token (PRT) and access an organization’s resources. We have observed Storm-2372 using the connected device to collect emails” – Microsoft

Defending against Storm-2372

To counter device code phishing attacks used by Storm-2372, Microsoft proposes blocking device code flow where possible and enforcing Conditional Access policies in Microsoft Entra ID to limit its use to trusted devices or networks.

If device code phishing is suspected, immediately revoke the user’s refresh tokens using ‘revokeSignInSessions’ and set a Conditional Access Policy to force re-authentication for affected users.

Finally, use Microsoft Entra ID’s sign-in logs to monitor for and quickly identify high volumes of authentication attempts in a short period, device code logins from unrecognized IPs, and unexpected prompts for device code authentication sent to multiple users.
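The sign-in log checks described above can be sketched as follows. This is an added example, not code from Microsoft or the article. The record layout follows the Microsoft Graph sign-in log fields (createdDateTime, userPrincipalName, ipAddress, appDisplayName, authenticationProtocol). The trusted network range, thresholds, app names other than Microsoft Authentication Broker, and all sample records are constructed assumptions.

```python
"""Flag device code sign-ins that match the monitoring signals described above."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): trusted egress range and thresholds.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24")]
WINDOW = timedelta(minutes=10)
MAX_ATTEMPTS_PER_USER = 3   # more than this inside WINDOW counts as a burst
MIN_USERS_IN_WINDOW = 3     # this many distinct users inside WINDOW is flagged
BROKER_APP = "Microsoft Authentication Broker"  # client named in the article


def rec(time, user, ip, app, protocol="deviceCode"):
    """Build one constructed sign-in record in Graph sign-in log shape."""
    return {"createdDateTime": time, "userPrincipalName": user,
            "ipAddress": ip, "appDisplayName": app,
            "authenticationProtocol": protocol}


# Constructed sample data: documentation IP ranges, example.com users.
SAMPLE_SIGNINS = [
    rec("2025-02-14T08:55:00Z", "alice@example.com", "198.51.100.7",
        "Intranet Portal (constructed)", protocol="oAuth2"),
    rec("2025-02-14T09:00:00Z", "bob@example.com", "203.0.113.50", BROKER_APP),
    rec("2025-02-14T09:01:00Z", "dave@example.com", "198.51.100.21",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:03:00Z", "erin@example.com", "198.51.100.22",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:05:00Z", "frank@example.com", "198.51.100.23",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:20:00Z", "carol@example.com", "198.51.100.10",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:21:00Z", "carol@example.com", "198.51.100.10",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:22:00Z", "carol@example.com", "198.51.100.10",
        "Lobby Display App (constructed)"),
    rec("2025-02-14T09:24:00Z", "carol@example.com", "198.51.100.10",
        "Lobby Display App (constructed)"),
]


def parse_time(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def max_in_window(times):
    """Largest count of (sorted) timestamps that fit inside one WINDOW."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def users_in_busiest_window(events):
    """Largest set of distinct users with device code events inside one WINDOW."""
    best, start = set(), 0
    for end, ev in enumerate(events):
        while parse_time(ev) - parse_time(events[start]) > WINDOW:
            start += 1
        users = {e["userPrincipalName"] for e in events[start:end + 1]}
        if len(users) > len(best):
            best = users
    return best


def triage(records):
    """Return (rule, subject, detail) findings for device code sign-ins."""
    events = sorted((r for r in records
                     if r.get("authenticationProtocol") == "deviceCode"),
                    key=parse_time)
    findings, by_user = [], defaultdict(list)
    for ev in events:
        user, ip = ev["userPrincipalName"], ev["ipAddress"]
        by_user[user].append(parse_time(ev))
        if not is_trusted(ip):
            # Device code login from an unrecognized IP.
            findings.append(("untrusted_ip", user, ip))
        if ev.get("appDisplayName") == BROKER_APP:
            # Broker client in device code flow: the device-registration
            # and PRT persistence path the article describes.
            findings.append(("broker_client", user, ip))
    for user, times in by_user.items():
        count = max_in_window(times)
        if count > MAX_ATTEMPTS_PER_USER:
            # High volume of attempts in a short period.
            findings.append(("burst", user, count))
    users = users_in_busiest_window(events)
    if len(users) >= MIN_USERS_IN_WINDOW:
        # Device code sign-ins by several users close together in time.
        findings.append(("multi_user", "tenant", tuple(sorted(users))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print(finding)
```

A user flagged here is a candidate for the response the article describes: revoke refresh tokens with revokeSignInSessions and force re-authentication through Conditional Access.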


Courtesy of Bill Toulas, Bleeping Computer

Rodney Hood, acting comptroller of the OCC

The regulator outlined his top priorities – including financial inclusion, technology, and cybersecurity – while speaking at a conference for community bankers.

Rodney Hood, the new acting head of the Office of the Comptroller of the Currency, outlined his priorities Tuesday and emphasized his commitment to reducing regulatory burdens on community banks and strengthening the financial system.

While speaking at the American Bankers Association’s Conference for Community Bankers in Phoenix, Hood touched on several topics, including financial inclusion, technology, cybersecurity and compliance with the Bank Secrecy Act.

Hood, the former chair of the National Credit Union Administration, was named acting comptroller this month. President Donald Trump has since tapped OCC vet Jonathan Gould to lead the agency, pending confirmation by the Senate.

Here are the five key takeaways from Hood’s first public appearance as the head of the OCC.


Financial inclusion
Hood noted that 40% of U.S. households cannot obtain a $400 emergency loan and estimated that 70 million people are “credit-invisible.”

“I continue … to believe that financial inclusion is undeniably the civil rights issue of our time,” Hood said.

Hood also highlighted the need to provide wealth management and investment opportunities beyond basic checking and savings accounts to clients.


One size doesn’t fit all
Hood stressed the importance of tailoring regulations to bank size and complexity and advocated for a principles-based approach when fighting cyber fraud. He highlighted ongoing threats from malicious actors and urged banks to implement multifactor authentication while emphasizing the importance of operational risk management based on bank asset size.

Hood said the OCC would offer better clarity and guidance on regulatory frameworks that will contain differences between smaller banks with around $100 million in assets and larger institutions with more than $1 billion. Hood said it’s unfair to think that a $100 million-asset bank should use the same risk weights and level of due diligence as that of a multibillion-dollar bank.

In “my time as acting comptroller” – and not an “inactive” one, Hood said, “I will certainly be going through the rules to make sure that we are looking at appropriate opportunities to reduce regulatory burden by determining what needs to be adjusted, and again, not looking at everything through a one-size-fits-all approach.”


Raising the BSA reporting threshold
Hood said he wants to focus on the OCC’s efforts to police banks’ exposure to bad actors amid the greater use of digital assets and cryptocurrencies.


Courtesy of Rajashree Chakravarty, Banking Dive

According to a new report, the explosion of financial fraud – and its increasing sophistication and professionalization – will require a refreshed response from banks and credit unions, one that emphasizes upstream prevention in onboarding and identity verification in real time.

The report: 2025 State of Fraud Report
Source: Alloy

Why we chose this report: Fraud continues to blossom across the financial landscape, but its preferred targets and vectors are shifting rapidly. Understanding these changes is important in shaping effective responses from banks and credit unions.

Executive Summary
The 2025 State of Fraud Report reveals a critical inflection point in the financial industry’s battle against fraud, with 60% of institutions reporting increased fraud attacks affecting both consumer and business accounts. The landscape is dominated by sophisticated fraud rings, while digital channels (online or mobile banking) remain the primary vulnerability.

In the face of rising threats, financial institutions report they are responding by implementing AI-powered fraud detection and investing in identity risk solutions in 2025.

The report highlights a significant shift toward proactive fraud prevention, with organizations recognizing that reputational damage can be as devastating as direct financial losses.

Key Takeaways and Data Points
Fraud attacks continue to evolve and increase, with nearly two-thirds of financial institutions experiencing growth in fraud events, led by enterprise banks at 67%, while 31% of organizations faced total fraud losses exceeding $1M in the past year.

Professional fraud rings have emerged as the dominant threat, responsible for almost three-quarters of attacks, marking a shift from previous years when first-party fraud was more prevalent among top fraud types.

AI adoption for fraud prevention has reached near-universal levels, with 99% of institutions now using AI tools and 93% believing machine learning will revolutionize fraud detection.

Financial institutions are prioritizing identity-based fraud prevention, with 64% planning to invest in identity risk solutions in 2025, acknowledging their effectiveness in reducing fraud rates.

What we liked about this report: It’s a comprehensive look at the state of fraud in financial services, while pinpointing significant differences in both fraud patterns and fraud response among institutions of different types and sizes. The report also spotlights common points of failure (onboarding) and common operational shortfalls (real-time detection).

What we didn’t: The report doesn’t pass explicit judgement on which fraud prevention tactics are most effective and leaves a couple of intriguing ideas (such as “citizen fraudsters”) relatively unexplored.

Courtesy of David Evans, Chief Content Officer, the Financial Brand

State Regulators Step Up: Responding to the CFPB’s New Leadership — Regulatory Oversight Podcast

In this special joint edition of the Consumer Finance Podcast and the Regulatory Oversight Podcast, host Chris Willis is joined by colleagues Stephen Piepgrass, James Kim, Jesse Silverman, and Lane Page to discuss the ongoing changes at the Consumer Financial Protection Bureau (CFPB) and predict how state regulators and legislatures will react to fill the void. This episode explores the anticipated responses from state attorneys general, financial service regulators, and legislatures, and offers strategic insights for industry players to navigate this complex regulatory environment. Tune in to understand the proactive measures your organization can take to stay compliant and ahead of potential state enforcement actions.

Courtesy of JD Supra and Troutman Pepper Locke

 

The Trump administration is reportedly considering plans to shrink one of America’s banking regulation bodies.

These talks propose folding the Federal Deposit Insurance Corp. (FDIC) into the Treasury Department, the Wall Street Journal reported late Tuesday (Feb. 11), citing sources familiar with the matter.

In another scenario — one that the report said would be carried out without Congressional involvement — the administration would combine the FDIC’s regulatory role with the Office of the Comptroller of the Currency (OCC), a division of the Treasury.

There’s also the possibility of having one person oversee both the OCC and the FDIC, sources told the WSJ. This would let the OCC take over all of the FDIC’s supervision efforts — including its role in shutting down failed banks — while the FDIC would handle deposit insurance.

As the report notes, banks have been hopeful that Trump would take a more open position on things like capital requirements, mergers and acquisitions and technology partnerships than the Biden White House.

“If you look at the last administration and the number of new, significant regulations, it was eight times the number of significant new regulations versus the prior Trump administration,” Mary Erdoes, head of wealth and asset management for J.P. Morgan, said during the World Economic Forum in Davos last month.

“With that comes multiple millions of man hours of paperwork. Work . . . that clogs up the system and stops the economy from continuing to have that very healthy flywheel. So we’re really looking forward to that.”

However, the WSJ report adds, banks would argue against any change that threatens the ability of the government to insure deposits, uncover risks and handle orderly bank closures. Some bankers have lobbied for the government to expand deposit insurance, especially after a series of banking failures in 2023.

Trump’s apparent efforts to consolidate/shrink the FDIC follow his targeting of another financial regulator, the Consumer Financial Protection Bureau (CFPB).

The president this weekend named Russell Vought, the head of the Office of Management and Budget, as acting director of the agency. Vought quickly moved to shut down the CFPB offices and instructed its workers to cease all enforcement efforts.

PYMNTS wrote earlier this week about what these changes could mean for recent CFPB rules on open banking.

“If future rulemaking is indeed dead in the water and existing rules could be cut back, the sweeping moves would presumably include the October issuance of the final rule that would shape how personal financial data is handled, and by extension, how open banking evolves,” that report said.

The CFPB’s future is uncertain. In fact, it may disappear altogether under the Trump administration. But one thing is clear: consumers demand greater control over their financial data. As the US government navigates the chaos of change, it’s time for credit unions and CUSOs to take control and give members what they want: access and control of their data. An acceleration toward open finance ecosystems—where transparency and convenience are at the forefront—will enable CUSOs and credit unions to tap into a seismic shift in member behavior.

Open finance is still the best and fastest path to growth. As evidence, in March 2024, Financial Data Exchange (FDX) announced that the number of consumers actively using its FDX API for secure open finance data sharing grew from 2 million in 2019 to 76 million in 2024. This increase demonstrates the widespread trust and acceptance of a standardized approach to accessing and sharing financial data. FDX anticipates this growth trajectory to persist and says the increasing numbers are a testament to the 230+ member organizations’ belief in the mission of secure, consumer-permissioned data sharing.

Granting consumers the right to access their financial information and request their financial institutions to share data from bank accounts, credit cards, mobile wallets, payment apps, and more makes good business sense. So does making this information available without charging fees. It is a catalyst for competition. Why not make it easier for consumers to switch providers, potentially lowering loan prices and enhancing the overall financial service experience? It’s also a catalyst for innovation and new ways to increase business when it’s done wisely.

It’s imperative for all financial institutions to consider pathways toward open finance ecosystem readiness if they are to remain viable and competitive in an increasingly connected financial marketplace. Here’s what financial providers and their partners need to know to stay ahead of these shifts and remain competitive.


A broad base of financial providers are preparing for open banking
Credit card issuers, non-depository institutions, consumer lending companies, investment banks, insurance providers, real estate credit companies, financial transaction processing firms, and payment apps are already seeking open finance ecosystems and partnerships. This shift indirectly affects smaller financial institutions that partner with these larger providers. All players, regardless of size, will be impacted by changes to the ecosystem.

Smaller credit unions should note that as members grow accustomed to controlling and sharing their financial data, they’ll soon expect this flexibility from all financial providers. Without it, consumers may look to competitors that offer a more open experience. It’s in the best interest of smaller institutions to start exploring open finance and consider steps to modernize legacy systems to stay competitive.


Legacy systems integration is possible
Financial institutions, brokerages, and insurers have historically moved cautiously with technology. Many face the daunting challenge of updating legacy systems that store critical member data. However, technological advancements are making integration more accessible and affordable. The next generation of credit union members won’t just prefer digital convenience, security, and innovation—they’ll expect and demand it.

But today’s digital offerings won’t cut it, and younger members will turn to institutions that deliver the seamless experiences they demand. The good news? With API platforms and developer portals, credit unions can unlock and share data from legacy systems faster and more cost-effectively than ever before. To reach the next generation of members, credit unions must explore these platforms and partners to find a fit for their member base.

Modernizing these systems brings benefits beyond compliance, enabling institutions to innovate rapidly, improve the member experience, and respond swiftly to market demands. If competitors are opening data, innovating, and using APIs to integrate, why wouldn’t your institution do the same? Embracing these advancements can accelerate time-to-market, uncover valuable data insights, and ultimately lead to more satisfied members who receive tailored products and services.

Insurance companies, for instance, are modernizing legacy infrastructure to forge partnerships with tech firms, expanding their offerings, and improving member choice. While these partnerships and examples of embedded insurance and Insurance as a Service are not exactly open finance, they are a way of preparing and taking a first step to lay essential groundwork for building a broader ecosystem of open financial services.


Will consumers flee to competitors?
Innovation is everywhere, and information flows freely. Consumers expect more from businesses in all industries and will go where they are best served, including the financial sector. While open banking can lead to attrition, it also provides information that, if used correctly, can actually help institutions keep members and drive ROI growth.

Sicredi, Brazil’s largest and oldest credit union service organization, knew its members kept accounts in multiple institutions. Despite risks of increased competition with large banks and possible membership exodus, Sicredi’s leadership decided to transition to open finance early. They understood quick adoption could lead to better member experiences and innovative products and services.

By connecting to the ecosystem and analyzing the rich data they accessed, Sicredi quickly tailored solutions and special offers, boosting member engagement. The institution grew with increased transparency and freedom of choice, particularly regarding competitive interest rates, instead of losing member accounts. Over time, 350,000 members shared their data. The institution launched over 300 new products, added $60 million in new branch account business, and $8 million in new funds from app users. Sicredi increased ROI—all while staying true to their cooperative values. BMG Bank in Brazil similarly experienced a 240% increase in its customer base within the first year of implementing open finance, highlighting the growth potential when data is leveraged effectively. These success stories underscore the growth opportunities open finance brings to financial institutions.

Open finance data benefits the sharing institution as much as the receiving one. It enables financial providers to enhance internal processes, develop new products, and refine existing ones. For instance, one of our Brazilian credit union clients reduced its account opening time from six days to just five hours. Another institution, as reported by the Brazilian Central Bank, cut onboarding time from 32 hours to 2 hours and 10 minutes by utilizing shared data. This transformation streamlines operations and elevates the member experience, inspiring financial institutions to strive for better services and overall satisfaction.


What about screen scraping?
There is a lot of buzz now around screen scraping—a less secure and highly controversial way to access consumer data. Screen scraping is a dangerous game for credit unions and their members. Screen scraping creates data security, fraud, and liability risks for data providers, particularly because the credentials shared to facilitate data access also typically can be used to move funds. Furthermore, screen scraping can gather data without data providers establishing relationships with third parties or assessing data security risks.

It’s not just good security to stop the practice; it’s good business. Third parties should also stop screen scraping for covered data from regulated data providers because screen scraping system maintenance is more costly than maintaining developer interface connections. In some circumstances, screen scraping may be the only practical way third parties can access consumer data. However, third-party screen scraping should never use the consumer’s credentials to access the account and retrieve data.


What will open finance look like in 2030?
We still have many questions regarding open finance in the US. What will be the governing standards? The largest players will uncover ways to share data and connect for new opportunities securely, and many US consumers will share data with providers. Financial institutions that adapt early will have launched innovative products, secured new business partnerships, and gained valuable data insights, positioning themselves ahead in a highly competitive and sometimes collaborative landscape.

Open and new partnerships empower higher ROIs and new business. Why wait five years to get started? Use APIs to integrate. Use open data for insights that help grow consumers and give them a better experience. Join forces with other technology partners leading the way. And do it all faster.

Brazil’s experience offers a window into this future. Their Central Bank’s regulations focus on enhancing consumer experience by streamlining payment processes and simplifying app accessibility. Unlike the US, where smaller institutions face a delayed compliance timeline, many Brazilian providers proactively embrace open banking compliance to stay competitive. They realized easier payment processes and accessible apps keep consumers happy, impacting ROI and attrition. People expect agility and better services, and they will compare banking offers. Financial institutions that view open finance as a great opportunity will have an easier time maintaining end users and acquiring new members through shared data.

For smaller US institutions, there’s value in getting a head start. There are lots of cost-effective choices for starting an open finance journey. Instead of replacing an entire system, consider partnering with a provider offering options to work within, over, or outside the system to access the necessary data. The right partner can help organizations map and access open finance data, making it easier to work with legacy systems through APIs and modern data transformation.


Looking at 2025 and beyond
We don’t know exactly what’s coming down the regulation road, and the US is faced with more uncertainty than ever. But one thing is sure: expect this year to start a new era for open finance in the US. As we enter this new era, financial institutions should be ready to explore partnerships, modernize their systems, and embrace open finance as a path to innovation, consumer loyalty, and advocacy.

How can we work in partnership with legacy data regulations or not? It is possible with the right partners and the right strategy. Ultimately, financial institutions, fintechs, and consumers will be better off by modernizing legacy architecture and systems so it is easier to implement open finance. It’s the best growth path.

Courtesy of Natália Cruz, CUSO Magazine

The U.S. Department of the Treasury announced the appointment of Rodney E. Hood as Acting Comptroller of the Currency, effective February 10, 2025. U.S. Secretary of the Treasury Scott Bessent designated Mr. Hood pursuant to his authority in 12 U.S.C. 4.

“I am grateful for the trust of Secretary Bessent and will work diligently to promote a regulatory environment that is effective without being excessive,” said Mr. Hood. “I remain committed to a balanced framework—one that fosters innovation, expands financial inclusion, and ensures that all Americans have fair access to the financial services they need to thrive. I look forward to leading the dedicated career staff at the OCC, whose expertise and commitment are essential to maintaining a safe and sound banking system.”

Mr. Hood succeeds Acting Comptroller Michael J. Hsu, who has served in the role since May 10, 2021.

“I thank Mr. Hsu for his many years of dedicated public service and his commitment to strengthening the resilience of the U.S. banking system,” said Mr. Hood.

Mr. Hood was previously confirmed by the U.S. Senate in 2005 and again in 2019 to serve on the National Credit Union Administration Board (NCUA). In 2019, President Donald J. Trump designated him as Chairman of the NCUA Board, making Hood the first African American to lead a federal banking regulatory agency. While at the NCUA, Hood also served as a voting member of the Financial Stability Oversight Council, as the NeighborWorks America Board Chairman, and as Vice Chairman of the Federal Financial Institutions Examination Council.

Before public service, Mr. Hood held senior roles in retail finance, commercial banking, affordable housing, and community development in the private sector.

A North Carolina native, Mr. Hood holds a bachelor’s degree from the University of North Carolina at Chapel Hill.

At a JPMorgan townhall meeting on Wednesday, CEO Jamie Dimon was asked whether the Trump administration’s decision to abruptly stop work at the Consumer Financial Protection Bureau (CFPB) and question its existence was good news for the industry.

Dimon told his employees that it was hard for the bank when “policies flip back and forth” and that he preferred consistent policies. The CFPB had some good consumer protection rules, especially when it came to areas like payday lenders, he said, according to a recording of the meeting that Reuters reviewed, which has not been previously reported. Still, he was not mourning the dismantling of the agency.

“The only good I’ll say about the CFPB is there are consumer protection rules that are good,” said Dimon. He added that the agency had “massively overstepped their authority” and used an expletive to describe the former CFPB director, Rohit Chopra, a Democrat who led an aggressive enforcement campaign against the industry. JPMorgan was among three banks the CFPB sued in December, alleging “widespread” fraud on the Zelle payment service.

JPMorgan declined to comment. A spokesperson for Chopra declined to comment.

Established in 2010 to protect consumers after lax mortgage rules and other shoddy industry practices led to the financial crisis of 2008, the CFPB has been reviled by conservatives and the industry, which has accused it of overreach and overzealous enforcement actions.

Even so, its abrupt undoing over a weekend by the Trump administration, including by the Elon Musk-led Department of Government Efficiency (DOGE), is causing upheaval among those it regulates, according to half a dozen people who either advise or work at banks or financial technology firms regulated by the CFPB.


The sudden halt of work has a swath of consequences: it leaves much of consumer finance, from mortgage companies to payment apps, unsupervised, and removes a venue where consumers could file complaints about their providers. It also leaves many investigations hanging in the balance, according to the industry advisers as well as several current and former CFPB staffers.

In the industry, which has had a flurry of conversations to assess the impact of the CFPB’s neutering, concern is emerging that a patchwork of state regulators could take on issues the CFPB had led, potentially leaving them with even more onerous requirements, the industry insiders said.

Some executives also raised concerns during industry calls about DOGE’s access to their proprietary data that CFPB collects and questioned who Musk’s team was accountable to, given the billionaire entrepreneur’s plans for his own competing payments business, said one public policy executive at a fintech company.

Musk and President Donald Trump have both said the entrepreneur’s role at DOGE does not present any conflict of interest.

The CFPB holds vast amounts of data, including confidential supervisory reports, examination findings, investigative records and compliance records that include personal information for customers, their accounts, transaction histories and product preferences.


Industry executives said they were worried about the seeming lack of a plan in place.

“That’s something banks have always been concerned about — patchwork regulation as opposed to knowing who you are dealing with,” said James Ballentine, a former lobbyist with the trade group American Bankers Association who now runs his own consulting firm. “It’s easy to say, ‘Let’s get rid of something,’ but there has to be a plan in place.”

Spokespeople for the White House, CFPB, and DOGE did not respond to requests for comment. Musk did not respond to a request for comment.

REGULATORY VOID

Whether the agency continues to exist in some form and what its function would be is still to be seen. The White House nominated Jonathan McKernan, a former member of the Federal Deposit Insurance Corporation, as full-time director of the CFPB, leading some analysts to suspect the administration does not want to eradicate it entirely. McKernan did not respond to a request for comment.

The industry’s mixed feelings of relief and concern underscore how the Trump administration’s sweeping remake of the federal government is likely to lead to consequences that are not fully understood.

On Tuesday, Federal Reserve Chair Jerome Powell told Congress that no other federal regulator was enforcing several consumer finance laws in its absence. Some experts said the regulatory void could leave everyday Americans vulnerable to predatory practices, especially from the lightly regulated parts of the financial industry and erode trust overall.

“Banking is about trust, and it’s an industry that disfavors regulatory uncertainty,” said Matthew Biben, who co-heads law firm King & Spalding’s global financial services group. “So the longer-term question is, ‘What impact will the new direction have on consumer trust and regulatory certainty for market participants?’”

BOOKS CLOSED, LAPTOPS LEFT BEHIND

While the writing was on the wall for the CFPB, the speed of events has left the industry and staffers stunned.

On Feb 7, a Friday night, Trump appointed Russell Vought as the acting director of the CFPB. Vought, who is also Trump’s budget director, was one of the architects of Project 2025, a conservative manifesto published by the Heritage Foundation that called for the CFPB’s abolition. A spokesperson for the Office of Management and Budget, which Vought leads, did not respond to a request for comment.

Vought quickly ordered a temporary closure of the agency. One of the CFPB staffers said they had so little warning that many employees had left their laptops and personal effects, such as family photos, kids’ artwork and potted plants, on their desks.

Another staffer said hundreds of bank examiners who were set to go and examine the books at banks and other financial firms on Monday had to change travel plans. Enforcement attorneys turned off their computers mid-way through document reviews on investigations, this person said.

This week, those challenging or facing action from the CFPB were trying to figure out whether they would have to continue to pursue or defend against those cases. Cases are pending against companies including Capital One, which was accused of cheating customers in high-interest accounts; Meta, which said it was being probed about advertising financial products; and Experian, which faces a lawsuit alleging it mishandled complaints.

Meta declined comment. Experian and Capital One did not respond to requests for comment.

“There are a lot of organizations that are currently under investigation that are wondering what it means … and if potentially, the investigations will be closed,” said Anastasia Stull, a partner at Stinson law firm, which represents financial clients including some involved in lawsuits with the CFPB.

Courtesy Douglas Gillison, Nupur Anand, Pete Schroeder and Isla Binnie, Reuters

On January 24, the FCC issued an order postponing the effective date of its one-to-one consent rule. The rule, which would have required companies to obtain individual consent for each marketing partner before sharing customer data, was originally slated to go into effect on January 27, 2025. However, the FCC’s order has put the rule on hold until at least January 26, 2026, unless a court ruling dictates an earlier implementation date.

The delay stems from a legal challenge filed in the Eleventh Circuit Court of Appeals. The lawsuit argues that the FCC exceeded its statutory authority by requiring individual consent, and that this interpretation conflicts with established understandings of “prior express consent.” The challenge also alleges that the FCC did not adequately consider the economic impact of the rule. Additionally, plaintiffs argued that the rule would “significantly increase the cost of compliance” and “disrupt the insurance marketplace.”

The FCC’s one-to-one consent rule is intended to protect consumers from unwanted telemarketing calls. However, industry critics assert that the rule is unnecessary and would place undue burden on businesses. The Eleventh Circuit Court of Appeals is expected to rule on this challenge in the coming months.

Putting It Into Practice: This delay, as well as the upcoming Eleventh Circuit decision, could significantly impact how financial institutions that rely on telemarketing and data sharing for marketing purposes obtain and manage customer consent. We will continue to monitor this and other one-to-one consent rule litigation for further developments.


Courtesy of A.J. S. Dhaliwal, Mehul N. Madia, Maxwell Earp-Thomas of Sheppard, Mullin, Richter & Hampton LLP; National Law Review; February 06, 2025; Volume XV, Number 37 

The CFPB is releasing new recommendations to states on how they can update their laws and regulations to meet new risks and challenges.

Consumer protection law has long been a core part of keeping markets fair and competitive. And the consumer protection framework has always been a partnership between the federal government and the states. As our markets change, our federal and state laws must keep pace to deal with predatory practices, new actors, and other risks. Today, the CFPB released a report on how states can ensure their laws and regulations meet new consumer protection challenges, as well as a compendium of guidance documents that the CFPB has issued in recent years to address emerging challenges in the market for consumer financial products or services.



Many states have led the way on ensuring protections remain robust and relevant to modern schemes that take advantage of consumers, workers, small business owners, and others. For example, states have addressed large companies’ increased harvesting and monetizing of sensitive data and ensured that financial institutions’ lending, services, and investment activities meet the credit needs of their communities. It is critically important for policymakers to make sure that all state consumer protections are up to the task of dealing with new challenges.

Today’s report includes recommendations to states on how they can update their laws and regulations to meet evolving risks. The report includes potential legislative text to help states address common schemes in the modern economy, such as junk fees and abuse of sensitive personal data; authorize representative private claims to ensure viability of private enforcement; ban “abusive” practices in state law to prevent companies from obscuring product features or exploiting their market power; and more. Many of these suggestions mirror the recent work the CFPB has done to empower consumers and level the playing field for companies of all sizes.

The CFPB has worked closely with states in the last few years to ensure they have the information and support they need to carry out their duties and enforce the law. The CFPB has filed suits with state attorneys general against companies whose illegal practices cross state lines. The CFPB has pushed back on unwarranted preemption of state laws, including in credit reporting and small business lending. The CFPB has ensured that state enforcement agencies can make the greatest possible use of their authority to directly enforce the Consumer Financial Protection Act. The CFPB also shares consumer complaints with cities, counties, and states.

Today’s report builds on decades of federal government work with state and local law enforcement to police unfair and deceptive acts or practices, and on directly assisting states in developing their own legislation and enforcement programs. For instance, the FTC released a model Unfair Trade Practices and Consumer Protection Act in 1967, which was rapidly adopted by states.

The compendium that the CFPB issued today contains guidance documents regarding the federal consumer financial protection laws that the CFPB has released in the last several years due to the evolution in the consumer financial markets. Congress spread enforcement responsibility for these laws among a large set of federal and state government agencies, including state law enforcement and regulators. These guidance documents reflect the considered judgment, reasoning, knowledge, and expertise of the CFPB.

By Seth Frotman and Brian Shearer, CFPB 

  • On January 20, 2025, President Donald Trump signed a memorandum titled, “Regulatory Freeze Pending Review,” imposing a regulatory freeze on all federal agencies.
  • The key points of the regulatory freeze are as follows:
    • Do not Propose or Issue Any New Rules: Agencies cannot propose or issue any new rules in any manner, including sending them to the Office of the Federal Register (OFR), until they are reviewed and approved by a department or agency head appointed by the President.
    • Automatically Withdrawing Unpublished Rules: Any rules that have been sent to the OFR but have not yet been published must be immediately withdrawn to be reviewed by a department head or agency head appointed by the President.
    • Delay Effective Date of Already Published Rules: For rules that have been published but have not yet taken effect, agencies are to consider postponing their effective date for 60 days to review any questions of fact, law, or policy. During this period, agencies may open a comment period for public input and consider further delaying the rules if necessary.
  • The freeze applies not only to rules but also to any substantive agency action, including Advanced Notices of Proposed Rulemaking (ANPR), Notice of Proposed Rulemaking, notices of inquiry, and any agency statement of general applicability that sets forth a policy on any regulatory or technical issue.
  • This freeze will impact all recently proposed rules by requiring them to undergo a review process, which may lead to the rules being withdrawn, modified, or delayed in implementation. The following recently proposed rules or finalized but not yet effective rules issued by FDA include:
  • Alongside the regulatory freeze, President Trump has directed federal agencies to temporarily stop all public communications. This includes press releases, social media updates, and other public statements. The pause is in effect through February 1.
  • Keller and Heckman will continue to closely monitor any changes made to pre-existing proposed or finalized rules and any new executive orders or rules promulgated by the new administration.

Courtesy of Keller and Heckman LLP; National Law Review; February 06, 2025; Volume XV, Number 37 


The South Carolina Financial Freedom Act has been introduced in the South Carolina Senate. The legislation, S.60, and its companion bill in the South Carolina House of Representatives, H.3221, permit local governments to deposit taxpayer dollars into credit unions, the Post and Courier reported.

Under current state law, local governments can only deposit taxpayer funds into traditional banks. The legislation was introduced in the Senate by Sean Bennett (R).

“As of 2023, this outdated restriction has funneled more than 78% of all deposits in South Carolina into out-of-state banks. As banks continue to leave South Carolina and close branches in local communities across the state, taxpayers are at risk of more of their dollars leaving South Carolina for New York City and Chicago,” the Post and Courier said.

The effort to give local governments the financial freedom and flexibility to bank where they can deliver the highest rate of returns on taxpayer dollars is spearheaded by the Palmetto Public Deposits Coalition (PPDC). PPDC coalition supporters include the Municipal Association of South Carolina (MASC) and the Carolinas Credit Union League (CCUL), the Post and Courier noted.

Courtesy of CUToday