Regulatory Compliance Digest | Q3 2025

View Full Report

The Regulatory Compliance Digest’s Q3 issue provides a summary of the latest updates from FinCEN, CFPB, FDIC, OFAC and federal bank regulatory agencies. This issue also includes hot topics in the regulatory compliance space and guidance on how financial institutions can prepare for upcoming compliance challenges.

The Regulatory Compliance Digest is intended to keep you informed of regulatory changes in advance of their effective date, so your institution can evaluate changes or updates to necessary policies, procedures and processes in place to be compliant at the time of enactment.

“How To” Guide for Remediating Recent Examination Observations

On July 3, 2025, the Federal Deposit Insurance Corporation (FDIC) issued its Consumer Compliance Supervisory Highlights publication highlighting some hot topics observed across the industry and through recent examinations. Compliance is dynamic, making it a challenge for compliance officers and banking executives to manage. It is important to periodically review and update your compliance program to ensure it targets high-risk areas and hot topics that could impact your financial institution.

This edition highlighted the following violations:

Truth in Lending Act (TILA)/Regulation Z:

• Open End Credit Periodic Statements: 15 U.S.C. § 1637 and 12 CFR § 1026.7(b) require a creditor to provide the consumer with a periodic statement for certain openend credit plans that discloses information as outlined in § 1026.7(b) such as the previous balance, transaction details, credits, the balance on which finance charges are computed, periodic rates, annual percentage rates, grace period and other relevant information.
• Good Faith Estimates: 15 U.S.C. § 1638 and 12 CFR § 1026.19(e) require a creditor to provide the consumer with good faith estimates of the disclosures required by § 1026.37 for closed-end transactions secured by real property and provides specific timing requirements.
• Loan Cost Breakdown:15 U.S.C. § 1604 and 12 CFR §§ 1026.38(f) – (k) require a creditor to provide a detailed breakdown of all loan costs associated with closed-end credit transactions secured by real property, listed in a prescribed table format.

Take Action:

• Ensure that your current Loan Originations System (LOS) is properly mapped and the fees and costs are properly identified and hardcoded as applicable. We often see issues with fees and information that are not hard-coded and require manual input, increasing the potential for human error.
• Review and validate processes and outputs any time there is a software upgrade to ensure continued compliance. Implement a second review or quality control process for review of the closing disclosure before they are provided to the consumer to help detect isolated errors, as well as systemic issues resulting from changes to technology, staffing and process.

Subscribe and stay on top of it all.

Join our mailing list and be the first to receive alerts, newsletters and webinar invitations by email.

Subscribe

Flood Insurance:

• Failure to provide flood insurance, when required. Sections 42 U.S.C. § 4012(b) of the FDPA and 12 CFR § 339.3(a) require adequate flood insurance at the time a loan secured by a building or mobile home located in a special flood hazard area is made, increased, extended or renewed.

Take Action:

• Review your flood policy and procedures to ensure that they clearly indicate flood coverage requirements for all real estate secured loans (consumer and commercial). In addition, if you are taking real estate collateral as an abundance of caution, flood insurance is still required. If securing with a Uniform Commercial Code (UCC) on contents, flood insurance is required on the items named in the UCC.
• Remember that flood coverage is not just applicable to origination, but it must also be in place during the life of the loan. The institution has an obligation to force-place should coverage lapse for any reason during the life of the loan. Regulators are looking for continuity of coverage.

Electronic Fund Transfer Act (EFTA)/Regulation E:

• Error Investigation: According to 15 U.S.C. § 1693f and 12 CFR § 1005.11(c), a financial institution must investigate allegations of electronic fund transfer errors, determine whether an error occurred, report the results to the consumer and correct the error within certain timeframes.

Take Action:

• Policies and procedures should clearly define a Regulation E error and specify a detailed timeline from error notification to investigation through remediation and final communication to the customer.
• Recordkeeping and documentation should be sufficiently detailed to ensure compliance timelines are met and should be retained to demonstrate compliance.
• Third parties used to facilitate error resolution and investigation must have adequate oversight.
• Consider implementing a second review or quality control process.
• Training is a must for staff with responsibilities for this process.
• Consider how error claims are received from customers (including branches, online banking, website, social media) and ensure that these avenues are incorporated into the process. Periodic training should be provided for those responsible for compliance with error resolution processes.

TISA/Regulation DD:

• Disclosures Form: 12 U.S.C. § 4303 and 4305, and 12 CFR §§ 1030.3 require an institution to make disclosures required by §§ 1030.4 - 1030.6 clearly and conspicuously, in writing.
• Disclosure Content: 12 U.S.C. §§ 4303-4305 12 CFR §§ 1030.4(a) and (b) which sets forth general requirements for providing disclosures to consumers before opening an account and details the specific information that must be included in the deposit account disclosures such as information on rates, compounding and crediting of interest, balance computation, fees, transaction limitations, features of time accounts and bonuses. Violations were split evenly between these two sections and together represented 68% of the total TISA violations cited in 2024.

Take Action:

• Review your account disclosures by product type for accuracy. Check that the disclosure matches the way the product is set up in your core.
• Be particularly alert to calculations used for annual percentage yield (APY), interest calculation methods (daily balance versus average daily balance) and fee assessment. Often, changes are made to a product that may or may not be reflected in either the disclosure or the core.
• Consider how you are opening new accounts and ensure that disclosures are provided timely and accurately. Train staff who will be opening accounts or discussing account features with a consumer in detail, including branch and call center staff. Consider implementing a “secret shopper” program to monitor branches and call centers for compliance.
• For disclosures provided electronically, E-SIGN requirements apply. Remember, any product changes negatively impacting the consumer require 30 days’ notice prior to the change.

Home Mortgage Disclosure Act (HMDA)/Regulation C:

• Data Accuracy: Failure to provide sufficient data for one or more of the required data fields. According to 12 U.S.C. § 2801 and 12 CFR § 1003.4(a), financial institutions must collect data regarding applications for covered loans received, originated and purchased for each calendar year.

Take Action:

• Ensure accurate procedures are in place regarding HMDA data collection and reporting requirements. Such procedures should address not only the operational aspects of entering data but also a description of the source documentation.
• Define a completed application for HMDA reporting purposes. We often note issues involving the accurate reporting of withdrawn and incomplete applications.
• Implement a second review process to reduce the potential for human input error or errors that may occur due to changing loan characteristics during the origination process.
• Train staff responsible for HMDA.

It is never too early to prepare for your next examination. Cherry Bekaert’s Risk Advisory team is available to help you navigate these areas as well as other regulatory compliance concerns.

Guidance on Referrals for Potential Criminal Enforcement

On June 27, 2025, the Consumer Financial Protection Bureau (CFPB) issued guidance on referrals for potential criminal enforcement. Where appropriate, CFPB may refer alleged violations of criminal regulatory offenses to the Department of Justice. In exercising discretion in making referrals of criminal regulatory offenses, bureau officials will consider the following factors, among others:

• The harm or risk of harm, pecuniary or otherwise, caused by the alleged offense;
• The potential gain to the putative defendant that could result from the offense;
• Whether the putative defendant held specialized knowledge, expertise, or was licensed in an industry related to the rule or regulation at issue; and
• Evidence, if any is available, of the putative defendant’s general awareness of the unlawfulness of his conduct as well as his knowledge or lack thereof of the regulation at issue.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Agencies Release List of Distressed or Underserved Nonmetropolitan Middle-Income Geographies

On June 25, 2025, federal bank regulatory agencies released the 2025 list of distressed or underserved nonmetropolitan middle-income geographies where certain bank activities are eligible for Community Reinvestment Act (CRA) credit.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Federal Reserve Board Announces Reputational Risk Is No Longer a Component of Examination Programs

On June 23, 2025, the Federal Reserve Board announced that reputational risk will no longer be a component of examination programs in its supervision of banks.

This change does not alter the board’s expectation that banks maintain strong risk management to ensure safety and soundness and compliance with law and regulation, nor is it intended to impact whether and how board-supervised banks use the concept of reputational risk in their own risk management practices.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Small Business Lending Under the Equal Credit Opportunity Act (Regulation B); Extension of Compliance Dates

On June 18, 2025, the CFPB amended Regulation B to extend the compliance dates set forth in its 2023 small business lending rule, as amended by a 2024 interim final rule, and to make other date-related conforming adjustments. The new dates are as follows:

Compliance Tier	Original Compliance Date in the 2023 Final Rule	Revised Compliance Date in the 2024 Interim Final Rule	New Compliance Date	New First Filing Deadline
Tier 1: Highest Volume Lenders	October 1, 2024	July 18, 2025	July 1, 2026	June 1, 2027
Tier 2: Moderate Volume Lenders	April 1, 2025	January 16, 2026	January 1, 2027	June 1, 2028
Tier 3: Smallest Volume Lenders	January 1, 2026	October 18, 2026	October 1, 2027	June 1, 2028

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

FDIC Approves Statement of Policy on Bank Merger Transactions

On May 20, 2025, the FDIC Board of Directors approved the rescission of the agency’s 2024  Statement of Policy on Bank Merger Transactions (2024 Statement of Policy) and the reinstatement of the Statement of Policy on Bank Merger Transactions (Bank Merger Statement of Policy) that was in effect prior to 2024. As noted in the March 11, 2025, Federal Register notice proposal to rescind the 2024 Statement of Policy, the agency plans to conduct a broader reevaluation of its bank merger review process.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Authority of States to Enforce the Consumer Financial Protection Act of 2010; Rescission

On May 15, 2025, the CFPB rescinded its May 2022 interpretive rule regarding the scope of State enforcement under section 1042 of the Consumer Financial Protection Act of 2010 (CFPA) and related provisions.

As of May 15, 2025, the interpretive rule published at 87 FR 31940 (May 26, 2022) is withdrawn. This interpretive rule is effective on May 15, 2025.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Agencies Issue Host State Loan-to-Deposit Ratios

On May 12, 2025, the Federal bank regulatory agencies jointly issued updated host state loan-to-deposit ratios, as required by law. Each respective host state loan-to-deposit ratio shows the ratio of total loans in a state to total deposits in the state for all banks that have that state as their home state. These ratios replace those issued in May 2024.

By law, a bank is generally prohibited from establishing or acquiring branches outside of its home state primarily for the purpose of acquiring additional deposits. This prohibition seeks to ensure that interstate bank branches will not take deposits from a community without the bank also reasonably helping to meet the credit needs of that community.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Interpretive Rules, Policy Statements, and Advisory Opinions; Withdrawal

On May 12, 2025, the CFPB announced it was withdrawing many guidance documents issued since the CFPB assumed its functions in 2011. The withdrawals are applicable as of May 12, 2025.

Impact: Informational
Responsible Department: Compliance
Action Needed: Review withdrawn documents and amend policies and procedures as required. Ensure staff awareness if impacts are noted.

Interpretive Letter on Outsourcing of Cryptocurrency Custody

On May 7, 2025, the Office of the Comptroller of the Currency (OCC) issued an interpretive letter to confirm that national banks and federal savings associations may provide and outsource cryptocurrency custody and execution services on behalf of customers.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Reminder Regarding Amendments to FDIC Official Signs and Advertising Requirements

Despite compliance date delays for sections 12 CFR 328.4 and 328.5, Amendments to FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo Rule, banks are reminded that there are major provisions for compliance required by May 1, 2025, regarding the following sections of the regulation:

Section § 328.3

• Additional requirements and options for displaying the current FDIC official sign in premises where deposits are received
• Signage requirements relating to the offering of non-deposit products
• Requirements to keep areas where non-deposit products are offered separate from those where deposit products are offered and received

Section § 328.6

• An added “short title” — “FDIC-Insured” — that can be used in advertisements in lieu of the official advertising statement
• A prohibition on using the official advertising statement or a short title like “FDIC-Insured” in ads for non-deposit products

Section § 328.8

• Perhaps most importantly, there is a new requirement that IDIs have written policies and procedures for compliance with Part 328

On March 3, 2025, the FDIC postponed the compliance date from May 1, 2025, to March 1, 2026, for the requirements under 12 CFR 328.5 related to the display of the FDIC official digital sign on an insured depository institution’s (IDI’s) digital channels, as well as analogous requirements related to IDI’s automated teller machines (ATMs) and like devices under 12 CFR 328.4. This delay will allow the FDIC to propose changes to the regulation for public comment to address implementation concerns and potential sources of confusion.

Impact: FDIC Official Signage Requirements
Responsible Department: Compliance
Action Needed: Awareness of Compliance Date Extension

Agencies Withdraw Joint Statements on Crypto-Assets

On April 24, 2025, the FDIC, together with the Board of Governors of the Federal Reserve System (collectively, the agencies), withdrew two joint statements regarding banking organizations’ crypto-asset-related activities. This action is intended to provide clarity that banking organizations may engage in permissible crypto-asset activities and provide products and services to persons and firms engaged in crypto-asset-related activities, consistent with safety and soundness and applicable laws and regulations.

The withdrawn joint statements, issued on January 3, 2023, and February 23, 2023, addressed crypto-asset risks and liquidity risks to banking organizations resulting from crypto-asset market vulnerabilities.

The agencies, along with the Office of the Comptroller of the Currency (OCC), are exploring issuing additional clarity with respect to banking organizations’ crypto-asset and related activities in the coming weeks and months.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

OCC Announces Notice Changes Regarding Names and Addresses

On April 8, 2025, the OCC published a bulletin informing banks of the appropriate names and addresses for notices required by the Community Reinvestment Act (CRA) and Equal Credit Opportunity Act, as well as for posters required by the Fair Housing Act. Banks should make the appropriate changes to their notices and posters, if necessary, within 90 days of this bulletin’s date of issuance.

Impact: Updated Notice Requirements
Responsible Department: Compliance
Action Needed: Review referenced notices to ensure that names and addresses have been updated

OCC Withdraws Principles for Climate-Related Financial Risk Management for Large Financial Institutions

On March 31, 2025, the OCC withdrew its participation in the interagency principles for climate-related financial risk management for large financial institutions.

Impact: Informational
Responsible Department: Compliance
Action Needed: Awareness

Children’s Online Privacy Protection Rule Amendments

On April 22, 2025, the Federal Trade Commission (FTC) amended the Children’s Online Privacy Protection Rule (the Rule), consistent with the requirements of the Children’s Online Privacy Protection Act. The amendments to the Rule, which are based on the FTC’s review of public comments and its enforcement experience, include one new definition and modifications to several others, as well as updates to key provisions to address changes in technology and online practices.

The amendments are intended to strengthen protection of personal information collected from children, and, where appropriate, to clarify and streamline the Rule since it was last amended in January 2013.

The amended Rule is effective June 23, 2025.

Impact: Changes to privacy requirements if collecting information on children under 13 years of age
Responsible Department: Compliance, Digital Banking, Information Technology
Action Needed: Review current practices in light of changes, update policies and procedures and provide training to impacted personnel.

BSA AML OFAC Update

FinCEN Permits Banks to Use Alternative Collection Method for Obtaining TIN Information

On June 30, 2025, to provide banks with greater flexibility in fulfilling compliance obligations, the Financial Crimes Enforcement Network (FinCEN) issued an order permitting banks to collect Tax Identification Number (TIN) information from a third party rather than from the bank’s customer.

FinCEN issued this order in coordination with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the National Credit Union Administration (collectively, the agencies). The order permits a bank subject to the jurisdiction of the agencies to use an alternative collection method to obtain TIN information from a third party rather than from the customer, provided that the bank otherwise complies with the Customer Identification Program (CIP) rule.

The CIP rule requires written procedures that:

1. Enable the bank to obtain TIN information prior to opening an account
2. Are based on the bank’s assessment of the relevant risks
3. Are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the bank to form a reasonable belief that it knows the true identity of each customer.

The use of this exemption by banks is optional, and they are not required to use an alternative collection method for TIN information.

Impact: Review change and determine whether to implement
Responsible Department: Compliance, BSA
Action Needed: Implement and train staff on risk-based procedures if opening accounts collecting TIN from third party source.

Financial Action Task Force Identifies Jurisdictions with Anti-Money Laundering, Countering the Financing of Terrorism and Counter-Proliferation Finance Deficiencies

On June 23, 2025, the Financial Action Task Force (FATF) updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies. FinCEN is advising U.S. financial institutions to consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies and procedures. Important updates include:

• Adding the British Virgin Islands and Bolivia to the list of Jurisdictions Under Increased Monitoring
• Removing Croatia, Mali and Tanzania from Jurisdictions Under Increased Monitoring
• Iran, Korea and Burma remain on the list of High-Risk Jurisdictions Subject to a Call for Action

Impact: Informational
Responsible Department: Compliance, BSA
Action Needed: Awareness.

Updated Geographic Targeting Order Involving Certain Money Services Businesses in California and Texas on the Southwest Border

On April 16, 2025, FinCEN announced an updated FAQ regarding money service businesses in California and Texas on the Southwest border.

Impact: Informational
Responsible Department: Compliance, BSA/AML/OFAC
Action Needed: Awareness.

Geographic Targeting Order Covering Title Insurance Companies

On April 14, 2025, FinCEN announced it was renewing the GTO covering Title Insurance Companies.

Impact: Informational
Responsible Department: Compliance, BSA/AML/OFAC
Action Needed: Awareness.

FinCEN Alert on Bulk Cash Smuggling and Repatriation by Mexico-Based Transnational Criminal Organizations

On March 31, 2025, FinCEN issued an alert to financial institutions, urging them to ”be vigilant in identifying and reporting transactions potentially related to the cross-border smuggling of bulk cash from the United States into Mexico and the repatriation of bulk cash into the U.S. and Mexican financial systems by Mexico-based transnational criminal organizations (TCOs).”

Impact: Informational
Responsible Department: Compliance, BSA/AML/OFAC
Action Needed: Awareness.

FinCEN Advisory on the Financing of the Islamic State of Iraq and Syria (ISIS) and its Global Affiliates

In April, the FinCEN issued an advisory to assist financial institutions in “identifying and reporting suspicious activity related to the financing of the Islamic State of Iraq and Syria (ISIS).”

The U.S. Department of the Treasury’s (Treasury) 2024 National Terrorist Financing Risk Assessment notes that ISIS remains a regional and global threat, with numerous affiliates now operating around the world.

Impact: Informational
Responsible Department: Compliance, BSA/AML/OFAC
Action Needed: Awareness.

Have Questions?

If you would like to discuss any compliance matters for your institution, please contact your Cherry Bekaert advisor or reach out to the Firm’s Risk Advisory regulatory compliance team today.

Connect With Us

DISCLAIMER

External links to other websites outside of www.cbh.com are being provided as a convenience and for informational purposes only. The links do not constitute an endorsement or an approval by Cherry Bekaert of any of the information, products, services, or opinions of the organization or individual. Cherry Bekaert bears no responsibility for the accuracy, legality, or content of the external websites or for that of subsequent links. Contact the external website for answers to questions regarding its content.