By monitoring legislation across federal and state arenas, NASCUS ensures members stay informed on developments that shape the state credit union system—supporting smarter decisions and a stronger, more agile state system. This resource is continuously being updated.

2025 Federal Legislation Reports

• Nov. 6 Federal Legislation Report
• Nov. 6 Detailed Legislation Status Report, Beyond Introduction
• Oct. 10 Federal Legislation Report
• Oct. 10 Detailed Legislation Status Report, Beyond Introduction
• Sept. 3 Federal Legislation Report
• Sept. 3 Detailed Legislation Status Report, Beyond Introduction
• Aug. 7 Federal Legislation Report
• Aug. 7 Detailed Legislation Status Report, Beyond Introduction
• July 10 Federal Legislation Report
• July 10 Detailed Legislation Status Report, Beyond Introduction
• June 12 Federal Legislation Report
• June 12 Detailed Legislation Status Report, Beyond Introduction
• May 13 Federal Legislation Report
• May 13 Detailed Legislation Status Report, Beyond Introduction

---

2025 State Legislation Reports

• Nov. 6 State Legislation Report
• Nov. 6 Detailed State Legislation Status Report, Beyond Introduction
• Oct. 10 State Legislation Report
• Oct. 10 Detailed State Legislation Status Report, Beyond Introduction
• Sept. 3 State Legislation Report
• Sept. 3 Detailed State Legislation Status Report, Beyond Introduction
• Aug. 7 State Legislation Report
• Aug. 7 Detailed State Legislation Status Report, Beyond Introduction
• July 10 State Legislation Report
• July 10 Detailed State Legislation Status Report, Beyond Introduction
• June 12 Detailed State Legislation Status Report, Beyond Introduction
• May 13 State Legislation Report
• May 13 Detailed State Legislation Status Report, Beyond Introduction

NASCUS Legislative and Regulatory Affairs Department
September 2, 2025

Summary

On August 18, 2025, the Department of the Treasury (“Treasury”)  issued a request for comment on the use of innovative or novel methods, techniques, or strategies to detect and mitigate illicit finance risks involving digital assets. The notice was issued as a requirement of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) and supports the Administration’s policy of supporting the responsible growth and use of digital assets outlined in Executive Order 14178.  This request also aligns with the July 30, 2025 report from the Working Group on Digital Assets advocating enhanced AML/CFT measures through public-private collaboration.

Comments must be received on or before October 17, 2025.

---

Request for Comment

With this request for comment Treasury seeks to identify innovative methods that financial institutions currently use or could use to detect illicit activities, such as money laundering, involving digital assets. The GENIUS Act lists four specific technologies in which Treasury is seeking comment, which include:

• Application Program Interfaces (APIs): APIsserve as system access points or library functions that allow different software applications to communicate and interact, including those used for AML/CFT and sanctions compliance. APIs can be used to share data automatically and facilitate access to transaction information. Once deployed, they can also be used to help enforce strict access controls, monitor transactions, and enhance security for institutions handling digital assets.

• Artificial Intelligence (AI) Systems: AI, for purposes of this request, means a “machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.” AI is used in financial institutions to help analyze significant amounts of data and more effectively identify illicit patterns, risks, trends, and typologies in money laundering.

• Digital identity verification mechanism: Digital identity verification, also known as “identity proofing,” involves confirming a person’s identity in a digital setting. Treasury is interested in portable digital credentials that can simplify compliance, protect user privacy, and reduce the burden on financial institutions.

• Blockchain monitoring tools: Blockchain technology and monitoring leverage the public ledgers of many digital assets, allowing observation and analysis of pseudonymous transactions that are on the blockchain’s public ledger. The U.S. government and financial institutions use blockchain analytics to trace illicit activity, evaluate risks, analyze cross-chain transactions, and detect patterns signaling potential illegal activities.

Treasury encourages commenters to help identify innovative or novel methods that regulated financial institutions can use to detect and mitigate illicit finance risks involving digital assets. For each method discussed when providing feedback, Treasury seeks comments on the following factors:

• Improvements in the ability of financial institutions to detect illicit activity involving digital assets;
• Costs to regulated financial institutions;
• The amount and sensitivity of information that is collected or reviewed;
• Privacy risk associated with the information that is collected or reviewed;
• Operational challenges and efficiency considerations;
• Cybersecurity risks; and
• Effectiveness of the methods, techniques, or strategies at mitigating illicit finance.

Questions for commenters include:

1. What are the most significant illicit finance risks and vulnerabilities in the digital asset ecosystem, and what trends have financial institutions observed?
2. What innovative API-related strategies are financial institutions using to detect illicit activity, and what are the associated risks, benefits, and challenges?
3. How is AI being used to analyze transactional data and identify complex illicit financial networks? What are the key lessons learned, and what are the risks and benefits of using AI?
4. What are financial institutions using for digital identity verification, including portable digital credentials, and what are the related risks, benefits, and challenges?
5. How are financial institutions using blockchain monitoring tools to integrate on-chain and off-chain data? What are the challenges, such as obfuscation tools, that complicate tracing and attribution?

What other innovative technologies, such as cryptographic protocols, cloud-based solutions, oracles, or smart contract tools, are being used to combat illicit finance? What are their risks and benefits

2024 CFPB Rules and Summaries

2023 CFPB Rules and Summaries

---

L&R Committee Webinars

2025

The Debanking Executive Order

September 25, 2025
Click here to access the presentation.

Watch Here

2024

Fraud Trends

Watch Here

What Comes After Chevron?

Watch Here

Best Practices for Analyzing Returns with LoanStreet

Watch Here

CFPB Data Privacy Open Banking

Watch Here

2025

NASCUS Webinar Series: Responsible AI — Navigating Governance and Risk in Financial Services

Watch Here

NASCUS Webinar Series: The Most Important Responsibility of the Board ⎯ Governance

Watch Here

NASCUS Webinar Series: Investigating Human Trafficking as a Financial Crime

Watch Here

Navigating Today’s Fraud Landscape

Watch Here

Curbing Abusive Class Action Litigation

Watch Here

Introduction to Asset-Liability Modeling

Watch Here

Designing an Effective AML/CFT Risk Assessment

Watch Here

Human Trafficking Prevention for Credit Unions

Watch Here

Enterprise Risk Management as Your Strategic Advantage

Watch Here

Emerging Class Action Litigation Trends

Watch Here

Independent Agencies & the Executive Branch

Watch Here

---

2024

Class Action Litigation Outlook

Watch Here

---

2023

Cantero vs. BoA: Preemption and the NBA

Watch Here

NCUA Financial Innovation: Loan Participations and Eligible Obligations Final Rule

Watch Here

NCUA Summary: Decennial Notice of Regulatory Review and Request for Comment on “Agency Programs,” “Capital,” and “Consumer Protection”

NASCUS Legislative and Regulatory Affairs Department
July 15, 2025

On July 10, 2025, The NCUA Board (Board) approved a voluntary regulatory review and request for comment under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA). EGRPRA requires the FFIEC and federal bank regulatory agencies to review their regulations every ten years to identify any outdated, unnecessary, or unduly burdensome regulations applicable to insured depository institutions. While this statute does not apply to the NCUA, the agency is voluntarily participating in the review process.

Over two years, the NCUA has indicated it will publish four Federal Register notices, each requesting comment on multiple categories or regulations. The first notice requested comments on regulations concerning “Applications and Reporting” and “Powers and Activities.”

This second notice requests comments on regulations concerning “Agency Programs,” “Capital,” and “Consumer Protection.”  The NCUA will address the remaining five categories in the next two documents.

Comments on the voluntary regulatory review are due on or before October 8, 2025.

---

Summary

Due to the unique circumstances of federally insured credit unions and their members, the NCUA Board has once again issued a separate request from the other agencies, including issues unique to credit unions. In previous decennial reviews, the Board developed and published for comment ten categories of the NCUA’s regulations. The Board is following the previous reviews and is utilizing the same 10 categories in this multi-year review.

The NCUA is seeking comment on the following regulations, divided into three categories.

(You can find NASCUS comments on the first notice here.)

---

[kp_table table_title=”Category of Regulation: Agency Programs”]

Subject	Regulatory Citation	Applicability to FISCUs
Community Development Revolving Loan Fund Access for Credit Unions	12 CFR 705	741.207
National Credit Union Administration Central Liquidity Facility	12 CFR 725	741.210
Designation of Low Income Status; Receipt of Secondary Capital accounts by low-income designated credit unions	12 CFR 701.34	741.204

[/kp_table]

---

[kp_table table_title=”Category of Regulation: Capital”]

Subject	Regulatory Citation	Applicability to FISCUs
Capital Adequacy	12 CFR 702	741.226
Adequacy of Reserves	12 CFR 702 and 12 CFR 747	12 CFR 741.3(a)

[/kp_table]

[kp_table table_title=”Category of Regulation: Consumer Protection”]

Subject	Regulatory Citation	Applicability to FISCUs
Nondiscrimination requirements (Fair Housing)	12 CFR 701.31
Truth in Savings	12 CFR 707	741.217
Loans In Areas Having Special Flood Hazards	12 CFR 760	741.216
Fair Credit Reporting; Duties of Users Consumer Report Regarding Address Discrepancies and Records Disposal.	12 CFR 717 Subpart I
Fair Credit Reporting; Identity Theft Red Flags	12 CFR 717, Subpart J
Share Insurance	12 CFR 745	741.212
Accuracy of Advertising and Notice of Insured Status	12 CFR 740	741.211
Disclosure of share insurance	12 CFR 741.10
Notice of termination of excess insurance coverage	12 CFR 741.5
Uninsured membership shares	12 CFR 741.9
Member inspection of credit union books, records, and minutes.	12 CFR 701.3

[/kp_table]

CFPB Summary re: Recission of State Official Notification Rules (Withdrawal)

12 CFR Part 1082

The Consumer Financial Protection Bureau (CFPB) is withdrawing a previously published direct final rule that would have rescinded procedures by which a State official must notify the Bureau when the official takes an action to enforce the Consumer Financial Protection Act.

The withdrawal of the rule was effective as of July 21, 2025 and can be found here.

Summary

The Bureau issued a final rule on May 21, 2025 that would have rescinded procedures that required State officials to notify the Bureau when the official takes an action to enforce the Consumer Financial Protection Act.  The Bureau noted that the May 2025 rule would be withdrawn if the Bureau received significant adverse comments by June 20,2025.   According to the rule withdrawal summary, the Bureau received significant adverse comments and is withdrawing the rule as a result.

The Bureau will address comments received in a subsequent rulemaking.

NASCUS Summary re: CFPB Policy Statement on Referrals for Potential Criminal Enforcement
June 27, 2025

The Consumer Financial Protection Bureau issued a policy statement describing its plan to address criminally liable regulatory offenses.

The policy statement became effective as of June 27, 2025 and can be found here.

---

Summary

President Trump issued Executive Order 14294 on May 9, 2025.  The order required each agency to publish guidance on how it planned to address criminally liable regulatory offenses.  The EO defines a “criminal regulatory offense” as a “Federal regulation that is enforceable by a criminal penalty.  The policy statement provides the Bureau’s plan to address criminally liable regulatory offenses.

A number of the Bureau’s regulations are enforceable by criminal penalty.  Where appropriate, the Bureau may refer alleged violations of the criminal regulatory offenses to the Department of Justice.   When exercising discretion in making referrals, Bureau officials will consider the following factors, among others:

• The harm or risk of harm, pecuniary or otherwise, caused by the alleged offense;
• The potential gain to the putative defendant that could result from the offense;
• Whether the putative defendant held specialized knowledge, expertise, or was licensed in an industry related to the rule or regulation at issue; and
• Evidence, if any, of the putative defendant’s general awareness of the unlawfulness of his conduct as well as his knowledge (or lack thereof) of the regulation at issue.

The Bureau also intends to take the following steps to address criminal regulatory offenses:

• The Bureau will provide a report to the OMB containing (i) a list of all criminal regulatory offenses enforceable by the Bureau or DOJ and (ii) the range of potential criminal penalties for a violation and the applicable mens rea standard for the criminal regulatory offense.
• The Bureau will consider whether a criminal regulatory offense is included in the OMB report when considering whether to make a criminal referral to the DOJ or, where applicable, to the Bureau’s Inspector General.
• The Bureau will examine the Bureau’s statutory authorities and determine whether there is authority to adopt a background mens rea standard for criminal regulatory offenses.

Request for Information: Potential Action To Address Payments Fraud

Department of Treasury, Office of the Comptroller of Currency, Federal Reserve System, and Federal Deposit Insurance Corporation

NASCUS Legislative and Regulatory Affairs Department
July 14, 2025

---

Summary

In June, the OCC, Treasury, FRB, and FDIC (agencies) issued a request for information (RFI) seeking public input on questions related to payment fraud.  The RFI offers stakeholders the opportunity to identify actions the agencies could take to assist consumers, businesses, and financial institutions in mitigating check, ACH, wire, and instant payments fraud.

The NCUA is not participating in this RFI. NASCUS intends to comment on the RFI and will share comments submitted with the NCUA.

Comments on the RFI are due to the agencies by September 18, 2025.

Request for Information

According to the FTC, noncard payments fraud losses increased by 271% from 2020 to 2024. Similarly, 2014 – 2024 Suspicious Activity Reporting data related to check, ACH, and wire fraud, showed an increase of 489%.  Notably, despite an overall decline in check usage, Treasury reports a 385% increase in check fraud since the COVID-19 pandemic.

The RFI seeks input on five specific areas to enhance collaboration among State and Federal agencies and to mitigate payment fraud. The agencies also seek comments on a handful of general questions.  These areas in which they are seeking comment include:

• External Collaboration – Questions 1 through 4
• Consumer, Business, and Industry Education – Questions 5-8
• Regulation and Supervision – Questions 9-15
• Payments Fraud Data Collection and Information Sharing – Questions 16-20
• Reserve Banks Operator Tools and Services – Questions 21-22; and
• General Payments Fraud – Questions 23-26

For purposes of this summary, NASCUS highlights the following questions.

External Collaboration

• What actions could increase collaboration among stakeholders to address payments fraud?
• Which organizations outside of the payments or banking industry might provide additional insights related to payments fraud and be effective collaborators in detecting, preventing, and mitigating payments fraud?
• Could increased collaboration among Federal and State agencies help detect, prevent, and mitigate payments fraud? If so, how?

Consumer, Business, and Industry Education

• What types of payments fraud education are most effective, and why? Which approaches could make existing payments fraud education more effective?
• Would additional education informing consumers and businesses about safe payment practices be helpful to reduce payments fraud and promote access to safe, secure payment options? 

Regulation and Supervision

• What potential changes to regulations could address payments fraud and mitigate the harms from payments fraud to consumers, businesses, and supervised institutions?
• Is existing supervisory guidance related to payments fraud sufficient and clear? If not, what new or revised supervisory guidance should the Board, FDIC, and OCC consider issuing on this topic within the respective authorities?
• There were several questions around “holds on depositors’ funds.” (What is the experience of consumers and businesses around ‘holds’? How frequently are consumers and businesses affected by holds, delays, or account freezes, and how responsive are supervised institutions to inquiries from consumers and businesses regarding these issues?
• Regulators have received complaints from financial institutions regarding challenges the FI face when resolving disputes about liability for allegedly fraudulent checks.
• What is the experience of supervised institutions when trying to resolve these types of interbank disputes regarding allegedly fraudulent checks?
• What potential amendments to Regulation CC would support timely access to funds from check deposits while providing depository institutions with sufficient time to identify suspected payments fraud?
• Have technological advancements in check processing reduced the time it takes for depository institutions to learn of nonpayment or fraud such that funds availability requirements for local checks and nonproprietary ATMs should be shortened?)
• Regulation CC provides six exceptions that allow depository institutions to extend deposit hold periods for certain types of deposits, including deposits for which the depository institution has reasonable cause to doubt the collectability of a check. Is this exception effective in allowing depository institutions to mitigate check fraud while also allowing timely access to funds?

National Credit Union Administration Summary: Agencies Issue Exemption Order to Customer Identification Program (CIP) Requirements

NASCUS Legislative and Regulatory Affairs Department
June 2025

On June 27, 2025, the FDIC, OCC, and the NCUA (Agencies), with the concurrence of FinCEN, issued an order granting an exemption from a requirement of the Customer Identification Program (CIP) Rule implemented under Section 326 of the USA PATRIOT Act.

The order applies to “banks”, as defined in 31 CFR §1010.100(d) and their subsidiaries, which are subject to the jurisdiction of the OCC, Federal Reserve, FDIC, or NCUA.  The definition of “bank” under this section includes “credit unions organized under the law of any State or of the United States.”

---

Background

In March 2024, FinCEN, in consultation with staff at the Agencies, issued a Request for Information (RFI) seeking information on CIP requirements to understand the potential risks and benefits, as well as safeguards, that could be established, if banks were permitted to obtain part or all of a customer’s TIN information from a third-party source before opening an account rather than from the customer.

After considering both comments submitted in response to the RFI and the advances made in identity verification tools available to banks and credit unions, FinCEN and the Agencies are granting this exemption from one aspect of the CIP TIN collection requirements.

Summary of Order

The order permits credit unions to use TIN information obtained  from a third-party rather than from the member, if the credit union otherwise complies with the CIP Rule, which requires written procedures that:

1. Enable the credit union to obtain TIN information before opening an account;
2. Are based on the credit union’s assessment of the relevant risks; and
3. Are risk-based to verify the identity of each customer to the extent reasonable and practicable, enabling the credit union to form a reasonable belief that it knows the true identity of each member.

FinCEN, the administrator of the BSA, agrees that the use of an alternative collection method to obtain TIN information, when used appropriately, is consistent with the purposes of the BSA. Furthermore, the Agencies, together with FinCEN, believe the appropriate use of alternative collection methods for TIN information is consistent with safe and sound banking practices.

The Agencies emphasize that this exemption is not required, and FIs may continue to collect TIN information directly from the customer at the time of account opening. Additionally, this exemption does not change the overall purpose of the CIP Rule. Credit unions must still implement a CIP Program that includes risk-based verification procedures that enable the credit union to form a reasonable belief that it knows the true identity of its members. These requirements exist regardless of whether the credit union establishes this relationship directly with the customer or through an intermediary.

NASCUS Summary re: CFPB Interim Final Rule re: Small Business Lending Extension of Compliance Dates

12 CFR Part 1002

The CFPB issued an Interim Final Rule with Request for Comments that amends Regulation B to extend the compliance dates set forth in the 2023 Small Business Lending Rule and to make other date-related conforming adjustments.

The Interim Final Rule becomes effective on July 18, 2025, and comments are due on July 18, 2025. The rule can be found here.

Summary

Section 1071 of Dodd Frank requires financial institutions collect and report to the CFPB certain data regarding applications for credit for women-owned, minority-owned, and small businesses. The purpose of this requirement is to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of these types of businesses.

Legal challenges to the rule remain ongoing in three jurisdictions. Courts in those jurisdictions have stayed the rule’s compliance deadlines for certain plaintiffs. To facilitate consistent compliance requirements for all covered financial institutions, the Bureau is extending the compliance dates set forth in the 2024 interim final rule by approximately one year. The Bureau has indicated that it intends to issue a new small business reporting proposed rule. The Bureau believes this extension should provide sufficient time to account for the court-ordered stays and to issue a new proposal.

As a result, Tier 1 institutions now have a compliance date of July 1, 2026. Tier 2 institutions now have a compliance date of January 1, 2027, and Tier 3 institutions now have a compliance date of October 1, 2027.

In addition, Section 1002.114(c)(1) of Regulation B permits a covered financial institution to collect protected demographic information required under the 2023 rule from small business applicants beginning 12 months prior to its compliance date.

The interim final rule revises Section 1002.114(c)(3) of Regulation B to permit a financial institution to use its number of originations of covered credit transactions for the following years – 2022 and 2023, or 2023 and 2024 or 2024 and 2025.

Finally, covered financial institutions are required to submit their small business lending application registers to the CFPB on or before June 1 following the calendar year for which the data are compiled and maintained. As a result, Tier 1 institutions will make their first data submission by June 1, 2027; Tier 2 and Tier 3 institutions will make theirs by June 1, 2028.

NASCUS Summary re: CFPB Interim Final Rule re: Small Business Lending Extension of Compliance Dates

12 CFR Part 1002

The CFPB issued an Interim Final Rule with Request for Comments that amends Regulation B to extend the compliance dates set forth in the 2023 Small Business Lending Rule and to make other date-related conforming adjustments.

The Interim Final Rule becomes effective on July 18, 2025, and comments are due on July 18, 2025. The rule can be found here.

Summary

Section 1071 of Dodd Frank requires financial institutions collect and report to the CFPB certain data regarding applications for credit for women-owned, minority-owned, and small businesses. The purpose of this requirement is to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of these types of businesses.

Legal challenges to the rule remain ongoing in three jurisdictions. Courts in those jurisdictions have stayed the rule’s compliance deadlines for certain plaintiffs. To facilitate consistent compliance requirements for all covered financial institutions, the Bureau is extending the compliance dates set forth in the 2024 interim final rule by approximately one year. The Bureau has indicated that it intends to issue a new small business reporting proposed rule. The Bureau believes this extension should provide sufficient time to account for the court-ordered stays and to issue a new proposal.

As a result, Tier 1 institutions now have a compliance date of July 1, 2026. Tier 2 institutions now have a compliance date of January 1, 2027, and Tier 3 institutions now have a compliance date of October 1, 2027.

In addition, Section 1002.114(c)(1) of Regulation B permits a covered financial institution to collect protected demographic information required under the 2023 rule from small business applicants beginning 12 months prior to its compliance date.

The interim final rule revises Section 1002.114(c)(3) of Regulation B to permit a financial institution to use its number of originations of covered credit transactions for the following years – 2022 and 2023, or 2023 and 2024 or 2024 and 2025.

Finally, covered financial institutions are required to submit their small business lending application registers to the CFPB on or before June 1 following the calendar year for which the data are compiled and maintained. As a result, Tier 1 institutions will make their first data submission by June 1, 2027; Tier 2 and Tier 3 institutions will make theirs by June 1, 2028.