Our Take: financial services regulatory update – April 18, 2025

• What happened? On April 14^th, the OCC sent a letter to CEOs disclosing a major data security incident caused by a breach of the OCC’s email system. On April 16^th, the OCC announced organizational changes, including elevating a new Senior Deputy Comptroller for Information Technology and Security (ITS) to the OCC Executive Committee. Separately, on April 17^th, Fed Governor Michael Barr spoke on the impact of AI on cybersecurity.
• What happened at the OCC? On February 11^th, the OCC was notified of suspicious activity involving a privileged service account and OCC user email accounts. By February 12^th, the OCC confirmed the access was unauthorized, disabled the service account, activated its incident response protocols, initiated third-party investigations, and hardened its cloud environment in line with CISA guidelines. The OCC disclosed to Congress and CEOs that an unauthorized user gained access to emails and attachments and it is in the process of determining “the extent to which highly sensitive information relating to the financial condition of federally regulated financial institutions was compromised.”
• What did Barr say? He discussed rise of GenAI-driven cybercrime, focusing on the rapidly evolving threat of deepfakes powered by generative adversarial networks (GANs). He described how GANs can create highly convincing synthetic voice and video impersonation to exploit high-trust channels like executive communications and customer service. Barr emphasized the asymmetry and potential impact of these threats, with attackers iterating faster than defenders and even a single failure carrying systemic cost. To enhance protections against these threats, Barr called for enhanced identity verification using biometrics and voice analytics, AI-driven monitoring of transactions, stronger customer authentication practices, and the use of AI tools to detect and defend against synthetic media threats.
• What’s next? The OCC committed to hosting ongoing briefings, notifying any institution if its information was directly accessed and providing all supervised firms with a list of affected email user domains. The elevation of the ITS function will be effective on June 2^nd.

Our take

Et tu, OCC? The OCC incident is a live case study in why firms must prepare for breaches of not only their own systems but also those of their regulators, cloud providers and third parties. Although financial institutions do not have much choice when it comes to sharing data with their regulators, this incident will prompt both sides to reconsider the methods and nature of their data sharing, including to what extent electronic transmission of sensitive data remains viable. As the OCC continues to identify the scope of information that was compromised and strengthen its data protections, financial institutions will look for full transparency and assurance before resuming electronic data transfers. Reassuring banks that the OCC has sufficiently addressed deficiencies that enabled the breach will also be important as the newly-elevated ITS function seeks to scrutinize banks’ data protection practices.

Identity is the new perimeter. Barr’s remarks on the rise of GenAI-enabled cyber threats highlight the imperative to integrate and continuously evolve identity management, fraud prevention, and cybersecurity threat monitoring. To effectively mitigate these attacks, identity and access management controls should be designed in concert with an overall omni-channel fraud risk management strategy that contemplates GenAI-enabled attackers and incorporates real time fraud decisioning leveraging signals across the customer lifecycle. Just as important are the response and recovery capabilities layered behind the prevention stack such as two-way messaging and AI-enabled fraud alert review.

What’s the bottom line? While the OCC works to restore trust in its protection of sensitive data, financial institutions should ensure all data sharing risk is identified, documented and mitigated (or accepted, depending on the scale and nature of the risk). When it comes to evolving AI-enabled threats, institutions that integrate their fraud and access management teams while utilizing AI for monitoring and defense will be better positioned to withstand the next wave of tech-enabled threats - whether they’re real, synthetic, or somewhere in between.

• What happened? On April 16^th, the CFPB’s Chief Legal Officer issued a memo setting out the CFPB’s supervision and enforcement priorities for 2025. On April 17^th, CFPB employees began to receive notices of their inclusion in a “reduction in force” (RIF) with reports that up to 1,500 will be cut and only around 200 will remain. On April 18^th, a U.S, District Judge issued an order barring the Trump Administration from proceeding with the RIF while she reviews a case brought by the CFPB workers’ union.
• How have the CFPB’s priorities changed?
  • Priorities include “actual fraud…where there are identifiable victims with material and measurable consumer damages,” particularly concerning mortgages, Fair Credit Reporting (Reg V) violations, Fair Debt Collection Practices (Reg F) violations, fraudulent overcharges and fees, and inadequate protection of consumer data resulting in actual losses.
  • Deprioritized areas include violations concerning loans for those with criminal records, medical debt, peer-to-peer lending, student loans, remittances, consumer data and digital payments. The CFPB will also reverse policies advanced under former Director Rohit Chopra, in part by not pursuing supervision under “novel legal theories.” It also will not base redlining or bias determinations “solely on statistical evidence and/or stray remarks” and instead “will pursue only matters with proven actual intentional racial discrimination and actual identified victims.”
  • Exam “events” will decrease by 50% with a focus on depository institutions. The CFPB will also deprioritize multi-state exams unless required by statute and will cede supervision where states “exercise ample regulatory and supervisory authority” or are already investigating a particular matter. It will also coordinate exams with other federal regulators and eliminate duplicative supervision.
  • Enforcement will focus on “conciliation, correction and remediation of harms subject to consumers’ complaints” by returning money to consumers instead of imposing fines on companies. Redress will focus on veterans, service members and their families. The memo also classifies disclosure statutes as the CFPB’s primary enforcement tools.
• What’s next? The next hearing in the case against the CFPB RIF will be on April 28^th.

Our take

The CFPB lives - with a dramatically diminished size and mission. While the CFPB remains intact, the combination of staffing cuts, continued litigation and the reduced mission outlined in the memo significantly reduce what actions it can and will take going forward. Particularly with respect to enforcement, it remains to be seen what kinds of “actual intentional” harm will prompt the agency to act. Perhaps consumer complaints publicized in the media or Congressional hearings – particularly those involving servicemembers or veterans – could provide such impetus. But investigation and enforcement require resource allocation, and particularly where other agencies can carry the ball, it is likely the CFPB will deprioritize the work involved.

The states are on deck but there may be challenges ahead. The memo formalizes expectations that the CFPB will cede supervision and enforcement to states and other regulators as much as possible. As the CFPB has been the primary authority for federal consumer protection examinations and violations for more than a decade, it will take some time, administrative effort and potential litigation for states or other agencies to pick up the mantle. Although states like New York are already pursuing expanded consumer protection statutes and enforcement, preemption challenges may still limit states’ ability to investigate and enforce existing or future consumer protection rules that affect lending, fees, and disclosures.

What’s the bottom line? The fact remains that financial institutions do not have free rein to abandon consumer protection policies, procedures and controls. Expectations around fairness, transparency, and consumer outcomes are still rising, with lapses in these areas having potential to damage firms’ competitive standing. Firms that maintain robust governance around fairness and bias will be better positioned for future swings in the policy pendulum.

• What happened? Recent notable actions from the SEC and DOJ regarding digital assets include:
  • On April 4^th, the SEC issued a statement on the application of federal securities laws to certain stablecoins;
  • On April 10^th, the SEC issued a statement on disclosure expectations for digital assets that are securities; and
  • On April 7^th, the DOJ released a memorandum stating that it will no longer take a “regulation by prosecution” approach to digital assets.
• What does the SEC stablecoin statement say? It explains the SEC will not consider “covered stablecoins” to be securities and that they are therefore not subject to registration requirements. It defines “covered stablecoins” as those which are (1) fixed at a one-to-one rate with the US dollar; (2) redeemable immediately upon request; and (3) fully backed by the US dollar with direct reserves of cash or high-quality liquid assets. It also notes that issuers should market these stablecoins for use in commerce and not as an investment.
• What does the SEC disclosure statement say? For digital assets that are considered securities, the statement notes that it is an effort to provide issuers with clarity around expectations for required disclosures. It reminds issuers to provide disclosures in clear and concise language and to avoid technical jargon. It also states that disclosures should include risks related to technology, cybersecurity, third-party reliance, price volatility, and liquidity as well as legal and regulatory risk.
• What does the DOJ memorandum say? The memorandum states that the DOJ will no longer pursue enforcement actions or litigation against digital asset exchanges, mixers and tumblers, and wallets in cases where their users violated the law unbeknownst to the provider. Instead, the DOJ will redirect its focus in this area to prosecute individuals that victimize digital asset investors or further offenses such as terrorism and organized crime. It also states that the National Cryptocurrency Enforcement Team is disbanded effective immediately.

Our take

Crypto clarity continues but questions remain. The statements from the SEC are meaningful steps to provide clarity for issuers of digital assets but questions remain:

• For stablecoins, the statement aligns with proposed legislation in Congress that would create a regulatory framework for them to fall under the jurisdiction of bank regulators and exempt them from SEC supervision (see our previous Our Take for more information). While we expect this legislation to eventually be signed into law, details still need to be worked out between both chambers of Congress, particularly with regard to state supervision and nonbank issuers. Further, regulatory expectations around stablecoins that do not meet the criteria of the SEC statement such as commodity-backed stablecoins or algorithmic stablecoins remain unclear.
• Regarding digital assets generally, without clear definitions as to whether a digital asset is a “security” or “commodity” issuers will remain uncertain as to whether the SEC’s statement on disclosures applies to them. While the recently-established President’s Working Group on Digital Asset Markets may provide some clarity on which digital assets are “securities” in its upcoming report due in June, the SEC’s statement does not contain any interim measures or guidelines for issuers to follow.

The DOJ shifts crypto enforcement priorities. By refocusing its attention on end users themselves rather than services, the DOJ is easing any chilling effect stemming from the threat of enforcement in areas where the platform did not act willingly. However, firms should remain aware that FinCEN, state attorneys general and other regulatory agencies and law enforcement will still be holding firms accountable for Bank Security Act and AML violations, and FinCEN in particular expects that digital asset platforms have risk-based AML programs. Further, while the DOJ is deprioritizing its focus on platforms, we do not expect that they will turn a blind eye to any platform that becomes a haven for illicit activity or is used in furtherance of a high-profile crime.

What’s the bottom line? The SEC and DOJ have kept the momentum going toward more crypto clarity, but it will take some time for official frameworks around asset classification and stablecoin regulation to emerge. While the DOJ may be relaxing its focus on crypto platforms, the need for focus on BSA/AML compliance remains; banks will still need to perform know-your-customer and customer due diligence on their clients and platforms will still need to be approved as customers for banking services.

These notable developments hit our radar recently:

Hood reiterates OCC priorities. On April 16^th, Acting Comptroller Rodney Hood spoke about four strategic focus areas for the OCC: 1) reducing regulatory burden by tailoring oversight to each bank, 2) promoting financial inclusion, 3) embracing bank-fintech partnerships through innovation spaces like regulatory sandboxes, and 4) expanding responsible bank activities involving digital assets.

NCUA board members removed. On April 15^th, the Trump Administration removed two Democratic members of the National Credit Union Administration (NCUA), former Chairman Todd Harper and member Tanya Otsuka. Harper was appointed to the board during the first Trump Administration and was named chairman by President Biden in 2021. Otsuka was nominated by President Biden in 2023. Their Senate-confirmed terms were to end in 2027 and 2029, respectively.

OCC announces reorganization changes. On April 16^th, the OCC announced changes to its organizational structure, including Combining Large, Midsize and Community Bank Supervision to be a consolidated Bank Supervision and Examination function; reinstating the Chief National Bank Examiner office which will include the existing divisions of Bank Supervision Policy as well as Supervision Risk and Analysis; and elevating the Information Technology and Security (ITS) function to be led by a new Senior Deputy Comptroller who will be a member of the OCC’s executive committee. The changes are set to take effect on June 2^nd.

Regulation review coming due. April 20^th marks the deadline for agency heads to provide the White House’s Office of Information and Regulatory Affairs (OIRA) with an inventory of federal regulations categorized by classes described in a February 19 Executive Order. April 20^th also marks the deadline for a number of other reports to the White House across several topics, including federal workforce reduction and immigration.