Fintech 5 Newsletter - September 2025
1) Data Privacy Laws Impact Fintechs
As noted in our client alert on August 5, Montana and Connecticut enacted data privacy laws which apply to nonbank mortgage companies, fintechs, online lenders, and many other non-depository GLBA financial institutions. This means many companies will soon be subject to privacy laws that previously exempted them, as both states amended their data privacy regimes to remove GLBA entity-level exemptions while leaving in place GLBA data-level exemptions. This approach aligns Montana and Connecticut’s data privacy regulations with California, Minnesota, and Oregon. As a result, impacted entities will need to understand what personal data they collect from residents of these states and ascertain whether they trigger relevant thresholds for additional disclosures and obligations.
2) GENIUS ACT Signed into Law
On July 18, the President signed the “Guiding and Establishing Innovation for U.S. Stablecoins Act” (“GENIUS Act”) into law. The GENIUS Act sets forth a regulatory framework for stablecoin issuers. While the law imposes requirements related to the maintenance of appropriate operational, compliance and information technology risk management standards, including BSA/AML compliance, it concentrates oversight power in the Office of the Comptroller of the Currency rather than subjecting stablecoin issuers to the jurisdiction of the more traditional consumer protection regulators, the CFPB and the FTC. Specific requirements include monthly public disclosures of reserve compositions, annual audited financial statements, and marketing restrictions. In particular, the marketing prohibitions prohibit issuers from making misleading claims that stablecoins are backed by the government, are federally insured, or are legal tender.
3) America’s AI Action Plan Released
On July 23, the White House released “Winning the AI Race: America’s AI Action Plan” outlining this administration’s plan to support AI development with the goal of advancing American AI innovation and competitiveness. Specifically, the plan has three pillars: Accelerating Innovation, Building American AI Infrastructure, and Leading in International Diplomacy and Security. The plan encourages the use of open-source and open-weight AI to ensure access to large-scale computing power by improving the financial market for this power. The plan encourages the Department of Treasury to issue guidance clarifying that AI literacy and AI training programs may qualify as Section 132 employee fringe benefits under the IRS code and receive favorable tax treatment. This regulatory attitude may encourage fintech companies to utilize AI when developing new products and services, but fintechs should be mindful to retain strong governance and risk management structures in alignment with the federal plan and existing state regulations such as those in Colorado and Texas.
4) CFPB Confirms It Will Not Issue New BNPL Interpretive Rule
On June 2, the CFPB filed a status report in Financial Technology Association v. CFPB, Case No. 1:24-cv-2966-ACR announcing that it would not issue a revised Buy Now, Pay Later (“BNPL”) interpretive rule after withdrawing the previously issued rule. The prior rule interpreted certain BNPL products accessible through browser extensions or other digital interfaces as meeting TILA and Regulation Z’s definition of a credit card, thus making entities offering BNPL loans card issuers or creditors subject to Regulation Z despite being repayable in four or less installments and imposing no finance charges. Within the status report, the CFPB stated that it “… has determined that it does not intend to reissue the BNPL Interpretive Rule because it was procedurally defective and the interpretation included therein applied ill-fitting open-end credit regulations to BNPL products, which are generally structured as closed-end loans.”
5) State Prosecutors and Agencies Step Up Fraud and Consumer Protection Investigations of Fintechs as Federal Enforcement Pulls Back
In May 2025, the U.S. Department of Justice announced a new white-collar crime enforcement policy that scaled back traditional areas of prosecution and offered crypto, fintech, and other companies expanded opportunities to avoid charges by proactively cooperating with law enforcement. State prosecutors quickly pledged to fill the void left by the federal pullback—and have since begun to deliver on that commitment. For example, in June 2025, California regulators entered into a consent order and imposed a $300,000 fine on crypto exchange Coinme—the first enforcement action under the state’s new Digital Financial Assets Law. Likewise, the New York Attorney General filed a civil action against Capital One alleging unfair and deceptive practices related to its savings account product after the CFPB withdrew similar claims. And Oregon's Attorney General filed suit against Coinbase, alleging the sale of unregistered securities, following the SEC’s decision to scale back comparable charges.
This article is for general information purposes and is not intended to be and should not be taken as legal advice.
Download a PDF copy of our monthly Fintech 5 Newsletter here.
Questions?
If you’d like to discuss any of these issues or have any questions, please reach out to Partner and head of the Fintech group, Chris Napier.
SIGN UP FOR UPDATES
Never miss our news, insights or events.
FEATURED NEWS