Our Take: financial services regulatory update – August 22, 2025

  • August 22, 2025

Change remains a constant in financial services regulation

Read "our take" on the latest developments and what they mean.

CFPB revisits open banking

What happened? On August 21st, the CFPB issued an advance notice of proposed rulemaking (ANPR) on its “open banking” rule that would require firms to transfer user data to other providers at the consumer's request, to implement Section 1033 of the Dodd-Frank Act.

Following the CFPB’s finalization of the open banking rule in October of last year, industry groups filed a lawsuit claiming that the rule exceeds the CFPB’s authority and jeopardizes customer privacy and data security. While new CFPB leadership previously declined to defend the rule and sought to have it vacated, the most recent filing stated that it would instead explore revising the rule.

What does the ANPR ask? The ANPR asks 36 questions across the following areas, including:

Focus areas and illustrative questions:

1. Definition of a “Representative” (i.e., third party) making a request on behalf of the consumer

  • Should “representative” be limited to those with fiduciary duties (e.g., agents, trustees)?
  • How should “agent,” “trustee,” and “representative” be distinguished in practice?

2. Fees for providing data access

  • Should data providers be permitted to charge fees for data access?
  • Would fees obstruct the statutory right to access?
  • Should there be a cap on fees?
  • How do costs differ across financial institution sizes?

3. Information security risks

  • Are current standards sufficient to protect consumer data?
  • What are the fixed and variable costs of securing consumer data?
  • Does fiduciary status affect security practices or accountability?

4. Privacy risks

  • How can consumers be protected from unintended data resale?
  • Do current disclosures ensure informed consent?
  • Should there be further limits on data use or sharing beyond express consent?

What’s next? The comment period will be open until October 21st. The ANPR states that the CFPB will issue a proposal to extend the compliance dates of the 2024 rule while it considers modifications. The existing rule remains stayed based on the lawsuit against the rule and the parties will have to report on status to the court every 45 days.

Our Take

Setting the stage for renewed tension between banks and fintechs

The ANPR reopens several foundational elements of the 2024 open banking rule, most notably whether data providers should be permitted to charge fees to offset the costs of API-based access. Those questions alone mark a potential shift toward a more bank-friendly framework – and fintechs are expected to strongly oppose any move that introduces friction into consumer-authorized data flows. The coming comment cycle is likely to deepen that divide, with traditional financial institutions pushing for stricter access controls and cost recovery, while data recipients argue for broad, no-fee access. This core tension – between operational burden and data portability – will shape not only the next version of the rule, but likely future litigation if and when a revised rule is finalized. Aside from fees, the CFPB’s focus on representative eligibility, data security, and privacy controls points to a rulemaking process centered on risk and accountability. But one notable omission is any discussion of how liability will be allocated in the event of data misuse or breach – a gap that leaves institutions with continued uncertainty about whether this key issue with the 2024 rule will be addressed.

Regardless of how the rule is revised, the underlying shift toward consumer-permissioned data access is accelerating. Business models that depend on customer data – whether as a provider or a recipient – should be reassessed for resiliency under multiple regulatory outcomes. Firms should evaluate how their APIs, data-sharing governance, and customer authorization processes would be impacted by different fee and security models. Open banking may arrive in a more measured form, but it is coming – and the firms best positioned to adapt will be those building with flexibility and security top of mind.

What’s the bottom line? This ANPR reopens a protracted battle over who controls access to consumer financial data – and under what terms. As banks and fintechs prepare to reassert competing priorities through comments, lobbying, and likely litigation, institutions should stay focused on building the capabilities and controls needed to navigate whatever version of open banking emerges.

Digital assets: Fed signals supervision shift, Treasury focuses on illicit finance innovation

What happened? The past two weeks have seen the following significant developments regarding digital assets:

  • On August 15th, the Fed announced that it will sunset its novel activities supervision program, which it established in 2023 to meet the stated goals of keeping up with the rapid change of financial innovation, addressing new risks created by innovation and enhancing the supervision of novel activities.
    Going forward, the Fed will monitor banks’ novel activities through the normal supervisory process.
  • On August 18th, the Treasury Department released a request for comment on innovative methods to detect illicit activity involving digital assets pursuant to a mandate from the GENIUS Act.

What does the Treasury request for comment contain? The request seeks feedback on:

  • APIs (Application Program Interfaces) that allow different applications to communicate with each other. The request asks how they can be used to enforce strict access controls, monitor transactions and bolster security as well as related risks and challenges;
  • AI, including how firms are using AI for AML and sanctions compliance and to analyze large amounts of data to identify financial crime patterns, risks and typologies. Treasury also asks whether there are regulatory roadblocks to firms implementing AI to prevent financial crime;
  • Digital identity verification, including tools that validate government-issued forms of identification and biometrics. The request asks how firms are using these tools, whether they decide to use them according to certain risks, and how the US government can further facilitate effective digital identity verification; and
  • Blockchain monitoring, including how firms decide whether to employ blockchain monitoring tools and whether there are regulatory obstacles to using them. 

What’s next? The request for comment will be open until October 17th, 2025.

Our Take

The novelty has worn off

The Fed’s decision to sunset its “novel activities” program underscores both the Administration’s more permissive approach toward digital assets and the mainstream adoption of digital assets within the financial ecosystem. While this move signals a shift away from “regulation by enforcement,” the Fed will still keep a watchful eye to ensure that firms do not threaten safety and soundness, harm consumers or facilitate illicit finance. Fed-supervised banks – whether they are directly offering crypto products and services or whether they are exposed to them through customers, vendors and financial infrastructure – should prepare to demonstrate that they understand their crypto exposures and associated risks, have adequate capital and liquidity programs to withstand periods of market stress, and have strong third party risk management capabilities that include the expertise to understand and challenge vendors providing crypto services such as custody, blockchain monitoring, and other infrastructure.

As Treasury clears roadblocks around innovation, firms will be expected to innovate

The request for comment from Treasury signals that the agency is dedicated to removing roadblocks and partnering with the industry to support innovative ways to detect and prevent financial crime through knowing customers’ identities, monitoring for suspicious behavior and improving overall controls. Firms have the ability to shape Treasury’s views of what works, what doesn’t, and how to eliminate barriers, but they should also be preparing to adopt and deploy these tools as FinCEN and OFAC will likely consider them essential parts of a risk-based program.

What’s the bottom line? The US is no longer debating whether digital assets will be integrated into the financial system – it’s working out how. As the Fed and Treasury take steps to further mainstream adoption of crypto, firms should plan accordingly to adapt to the increase in crypto activity while complying with regulatory expectations.

Colorado expands AI rules for insurers

What happened? On August 20th, the Colorado Division of Insurance finalized amendments to Regulation 10-1-1, establishing governance and risk management framework requirements for insurers that use external consumer data and information sources (ECDIS) and algorithms or predictive models that rely on ECDIS.

Who is affected? The final rule expands beyond life insurers – which were covered under the original rule – to include private passenger automobile insurers and health benefit plan insurers authorized to do business in Colorado.

What does the rule require? Auto and health insurers will need to:

  • Implement board or committee oversight of ECDIS and model use
  • Establish cross-functional governance groups (e.g., actuarial, compliance, legal, data science)
  • Maintain policies and procedures for testing, monitoring, and remediation of unfair discrimination
  • Keep an inventory of all ECDIS and models, with documentation of material changes
  • Address consumer complaints and provide explanations for adverse decisions involving ECDIS or AI
  • Submit annual compliance reports signed by an officer to the Division 

What’s next? The amended regulation becomes effective October 15th. Auto and health insurers must report beginning July 1st, 2026.

Our Take

AI oversight moves beyond life

By extending requirements to auto and health, Colorado is signaling that regulators see potential for disparate impacts across all major lines of business, from credit-based auto insurance pricing to algorithms used in health benefit authorizations. Boards and senior executives of these insurers will need to ensure that governance, risk management, and consumer protection considerations are embedded into strategy and operations – keeping in mind that third-party relationships and vendors cannot serve as a shield from regulatory accountability. They must also be sure to not only consider new AI-based processes but also review legacy models that use ECDIS. Colorado has been clear that noncompliance will not be tolerated – insurers that fall short should expect enforcement actions.

A new baseline for insurers everywhere?

Colorado’s framework may serve as the reference point for NAIC activity and other state initiatives, meaning that all insurers, not just those writing business in Colorado, should be preparing to meet this standard. The regulation is not just about the models; carriers also need a demonstrable, risk-based view of the data they rely on. Both inputs and outputs must stand up to scrutiny, and being able to prove that models are fair could become as valuable as price or product features in a world where consumers are increasingly skeptical of data-driven decisions. Governance should not be viewed as red tape – it is the guardrail that enables faster AI adoption, lowers risk, and builds confidence with regulators and policyholders alike. Algorithmic fairness is becoming as foundational as solvency and capital. Carriers that act early will not only satisfy regulatory expectations but also position themselves as industry leaders – it is an opportunity to design and operationalize governance frameworks that balance innovation with trust.

What’s the bottom line? Colorado is setting the pace on AI oversight. Insurers that invest early in governance and fairness will be best positioned to earn consumer trust and meet escalating expectations.

On our radar

These notable developments hit our radar recently:

SEC names Judge Margaret Ryan as Director of Enforcement. On August 21st, the SEC announced that Judge Margaret Ryan, a senior judge on the U.S. Court of Appeals for the Armed Forces and former law clerk to Justice Clarence Thomas, will serve as the new Director of the Division of Enforcement, effective September 2nd, 2025.

FDIC proposes update to digital signage requirements. On August 19th, the FDIC Board of Directors approved a proposed rule to amend requirements for displaying the FDIC official digital sign and non-deposit signage across digital banking channels. The revisions would simplify signage placement on bank websites, mobile apps, ATMs, and similar interfaces by focusing on screens where such disclosures are most relevant to consumers. The proposal updates the 2023 Final Rule and reflects feedback on usability and clarity. Comments will be accepted for 60 days following publication in the Federal Register.

Treasury to end paper checks for federal payments by September 30th. On August 14th, the U.S. Department of the Treasury announced that the federal government will phase out paper checks for most federal benefit payments effective September 30th, 2025.

CFTC launches next crypto sprint focused on policy implementation. On August 21st, Acting CFTC Chairman Caroline Pham announced the launch of the agency’s next crypto sprint initiative, expanding efforts to implement the recommendations of the President’s Working Group on Digital Asset Markets. Public comments are due by October 20, 2025, and will inform CFTC rulemaking on issues such as leveraged and margined retail crypto trading.

Wyoming launches stablecoin. On August 19th, the state of Wyoming launched the Frontier Stable Token, a stablecoin pegged 1:1 with the US dollar and backed by cash and certain US Treasuries and repurchase agreements. Press materials state that the stablecoin will reduce fees and offer instant settlement, while revenue generated will support the Wyoming school system. The token will operate across seven blockchains.

Bowman speaks on innovation. On August 19th, Fed Vice Chair for Supervision Michelle Bowman called for a more opportunity-focused regulatory approach to blockchain and tokenization. She urged the development of a clear, proportional framework to support bank adoption of digital asset use cases such as real-time payments and tokenized custody. Bowman also reiterated the Fed’s removal of reputational risk from supervisory evaluations and encouraged industry engagement to advance innovation while maintaining safety and soundness.
