2018 has a tough act to follow, after a 2017 full of momentous developments—starting with a new Administration and wrapping up with a showdown over the right to serve as Acting Director of the Consumer Financial Protection Bureau (CFPB) (a fight that continues as of this writing, as discussed below).

But 2018 is unlikely to be a quiet year. In addition to developments in the CFPB leadership battle and other litigation, the year is expected to bring effective and compliance dates for major regulations on data protection, Bank Secrecy Act/anti-money-laundering (BSA/AML), mortgage servicing, and other topics, and could bring changes in supervisory focus at multiple federal agencies.

Here, we break out some key highlights and milestones to plan for and watch throughout the year.


Jan 1: Dollar threshold adjustments for certain consumer regulations became effective. The dollar thresholds for exemption from Regulation Z, implementing the Truth in Lending Act (TILA), and Regulation M, implementing the Consumer Leasing Act, both increased from $54,600 to $55,800.

Certain changes to Home Mortgage Disclosure Act (HMDA) reporting requirements became effective.

Amendments to Maryland’s data breach notification law took effect, with an expanded definition of “personal information” to more broadly include biometric information.

Jan 4: Attorney General Jeff Sessions withdrew the Department of Justice (DOJ) guidance on federal law enforcement priorities regarding state-legal cannabis activities, throwing into question how federal prosecutors will approach such activities in the future. For financial institutions, as we also discussed here, Sessions’ action raises a particular question: the fate of the guidance issued by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) on meeting BSA/AML responsibilities while serving state-legal marijuana businesses. The FinCEN guidance, which directly references the DOJ guidance, remains in effect as of this writing; time will tell whether FinCEN withdraws or amends it.

Jan 16: The CFPB’s final small-dollar lending rule becomes effective. However, the mandatory compliance date for most of this regulation does not arrive until August 19, 2019.

Jan 19: Current deadline for Congress to pass a federal budget, which includes appropriations for many programs involving financial services.

For example, reauthorization of the National Flood Insurance Program (NFIP) is at issue; the NFIP is set to expire on that date unless reauthorized. What will this mean for flood insurance if it does lapse? The Federal Emergency Management Agency (FEMA) states: “In the unlikely event the NFIP’s authorization lapses, FEMA would still have authority to ensure the payment of valid claims with available funds. However, FEMA would stop selling and renewing policies for millions of properties in communities across the nation. Property owners who are required to have flood insurance would be unable to complete new mortgage transactions. The National Association of Realtors estimates that a lapse might result in the delay or cancellation of approximately 40,000 home sale closings per month nationwide.”

As we also discussed in a prior post, the Rohrabacher-Blumenauer Amendment, which restricts the ability of federal authorities to use congressionally appropriated funds to prosecute state-legal medical marijuana activities, also is set to expire January 19 unless passed as part of a new federal budget. Especially in light of Attorney General Jeff Sessions’ January 4 withdrawal of the DOJ’s marijuana guidance, the fate of this provision is relevant to any financial institution that serves (or is considering serving) the state-legal medical marijuana sector.


In its Fall 2017 rulemaking agenda, the CFPB stated that it expected to propose its long-anticipated debt collection regulations in February 2018, after issuing an advance notice of proposed rulemaking (ANPR) back in 2013.

Feb 15: First annual certification of compliance will be due regarding New York Department of Financial Services Cybersecurity Rule requirements. New York’s rule applies to any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of the state of New York. The rule is the first state regulation to impose such detailed and prescriptive cybersecurity requirements on entities in the financial space. It remains to be seen how the rule—and financial institutions’ compliance with it—will work in practice, and whether other states will follow suit with their own analogous laws or regulations.


March 1: Deadline for implementation of the following requirements for the New York Department of Financial Services Cybersecurity Rule: risk assessment, training program, Chief Information Security Officer (CISO) report to Board of Directors, multi-factor authentication (MFA) deployment, and penetration testing and vulnerability assessments.

March 31: Call report forms reflect several recent changes made by the Federal Financial Institutions Examination Council (FFIEC).


Expected release of final rule addressing the “black hole” problem in the TILA-RESPA Integrated Disclosure (TRID) rule—a potential conflict in the timing requirements for the Loan Estimate and Closing Disclosure under the rule—as reported in the CFPB’s Fall 2017 rulemaking agenda.

April 1: The compliance date for the final rule in the CFPB’s perpetually-extended prepaid accounts rulemaking would have been April 1, but will be extended to a date to be determined. The CFPB stated in December that it expected to issue a new final rule “amending certain aspects of its 2016 rule governing prepaid accounts soon after the new year” and that, as part of that issuance, the compliance date will be changed to a future date.

April 14: Delaware’s amended data breach notification law takes effect. The law expands the definition of “personal information”; requires notification to affected individuals within 60 days (and to the Attorney General if the breach affects more than 500 Delaware residents) unless, after an appropriate investigation, the affected company reasonably determines that the breach is unlikely to result in harm to affected individuals; and requires one year of free credit monitoring for affected individuals if the breach includes a Delaware resident’s Social Security number.

April 16: Deadline to submit an application to the CFPB for preliminary approval for registration of information systems under the small-dollar lending rule.

April 19: Effective date of provisions of the CFPB’s final rule under the Real Estate Settlement Procedures Act (RESPA) relating to successors in interest and borrowers in bankruptcy.


May 11: Mandatory compliance date for FinCEN’s final rule regarding collection of beneficial ownership information. The rule amends existing BSA/AML regulations to augment customer due diligence (CDD) requirements regarding legal entity customers. The rule requires covered financial institutions (federally regulated banks and federally insured credit unions; mutual funds; brokers or dealers in securities; futures commission merchants; and introducing brokers in commodities) to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions. The rule provides an optional certification form for financial institutions to use. FinCEN issued a list of FAQs on the rule, but a number of practical questions remain on how to implement the rule. Covered financial institutions should stay vigilant for any additional clarifications FinCEN may publish. In the meantime, questions can be directed to FinCEN at its phone and email hotlines.

May 25: The European Union (EU) General Data Protection Regulation (GDPR) becomes enforceable. The GDPR is a wide-ranging set of requirements regarding the treatment of personal data of individuals in the EU. Despite the focus on EU persons, the GDPR can impose obligations on financial institutions based in the U.S. in certain circumstances, such as, potentially, where the financial institution solicits customers in the EU. A number of issues remain to be worked out in practice, such as how European authorities might enforce the GDPR against entities that have no EU presence but whose activities subject them to GDPR coverage.

The EU is also expected to implement a new regulation regarding electronic privacy issues—the ePrivacy Regulation—to replace its current ePrivacy Directive. A draft version was released by the European Commission in January 2017, and it had been anticipated that a final ePrivacy Regulation might be released in time to take effect along with the GDPR; however, given the passage of time, that is all but certain not to happen. The release date remains unknown at this time.


June 30: Call report forms reflect further changes made by the FFIEC.


Sept 1: Deadline for implementation of the following requirements for the New York Department of Financial Services Cybersecurity Rule: audit trail capabilities, monitoring program, application security, limitations on data retention, and encryption of non-public information at rest and in motion.

In addition to the scheduled events mentioned here, there are a number of issues that merit watching but that do not have a fixed date for developments to take place:

ACA Internat’l v. FCC: This Telephone Consumer Protection Act (TCPA) case is currently in the U.S. Court of Appeals for the D.C. Circuit. It contests a 2015 declaratory ruling by the Federal Communications Commission (FCC), in particular its expansive definition of an “automatic telephone dialing system,” also known as an “autodialer.” Oral argument took place in October 2016, but the court has yet to issue an opinion.

OCC fintech charter: In 2016 and 2017, the Office of the Comptroller of the Currency (OCC) proposed a potential new type of national bank charter aimed at non-depository financial technology (fintech) companies. Controversy ensued, including lawsuits by state regulators challenging the OCC’s authority to offer such a charter. Now that the OCC is under new leadership, it remains to be seen what approach the agency will take to the idea, and whether the charter will go live in 2018, or at all (and what else its still-new Office of Innovation, which has led this initiative, may have in store).

State regulation of virtual currency: In recent years, a number of states have enacted or considered legislation on activity related to virtual currencies such as Bitcoin, whether as part of their money transmitter laws or otherwise. In July 2017, the National Conference of Commissioners on Uniform State Laws voted to approve a model law on the subject, the Uniform Regulation of Virtual Currency Businesses Act (URVCBA). On January 11, Nebraska became the first state to consider passage of this law. It remains to be seen which other states may consider and/or pass versions of the URVCBA, or other measures on virtual currency, in 2018.

Regulators’ view of the role of independent directors: In August 2017, the Federal Reserve issued a request for comment on a corporate governance matter: whether to recast its view of the appropriate role of non-management directors of bank holding companies and Fed-supervised banks, to place more responsibilities on management rather than the board. After several years of increasingly detailed and onerous expectations on directors, curtailing some of these expectations would mark a significant shift in supervisory approach. To date, though, the Fed has not issued anything further, and it remains unclear what, if any, action the agency will take — and whether its fellow banking agencies might take action on this subject.

CFPB leadership fights and the future of the CFPB as a whole: The latter part of 2017 brought the resignation of the CFPB’s Director, Richard Cordray, soon followed by the warring of Leandra English and Mick Mulvaney, each claiming to be the rightful acting CFPB Director. That case continues to unfold in federal court in Washington, D.C.

Notably, the fight is for a position that is time-limited; President Trump has not yet named a permanent nominee for the CFPB directorship. It is possible that a permanent CFPB Director will be in place before the English-Mulvaney litigation is resolved. This nomination is, to state the obvious, one to watch; whoever leads the CFPB will presumably have a significant impact on the direction of the agency. The CFPB’s most recent regulatory agenda, from Fall 2017, was published by the Office of Management and Budget (OMB), but it is unclear how the CFPB will proceed on any of the items now that it is under new leadership (or leaderships).

Meanwhile, the PHH vs. CFPB case remains pending in the U.S. Court of Appeals for the D.C. Circuit. That case, which started life as a RESPA enforcement action, questions the constitutionality of the CFPB’s structure — led by a single director, not removable at will by the President. En banc oral argument took place in May 2017, but no opinion has yet issued. While PHH addresses a different issue than does the English-Mulvaney litigation, the outcome of PHH will be relevant to any permanent Director of the CFPB, as it will impact that person’s job security.

Leadership developments at the other federal banking agencies: The high drama surrounding control of the CFPB should not obscure the impending leadership changes at other federal banking agencies. An FDIC Chair has been nominated—longtime bank regulatory attorney Jelena McWilliams—but not confirmed; the term of current FDIC Chair Martin Gruenberg extends through November 2018, and his separate term as a general board member of the FDIC extends through December 2018. Acting Comptroller of the Currency Keith Noreika returned to his post as a law firm partner after a brief but colorful tenure as Acting Comptroller (in which, among other things, he engaged then-CFPB Director Cordray in a biting correspondence over the CFPB’s arbitration rule), once permanent Comptroller Joseph Otting was confirmed and took office. Federal Reserve Governor Jerome Powell has been nominated to succeed Fed Chair Janet Yellen.

As we have previously noted, these banking agencies consist mainly of career employees with fewer political appointees than some agencies (such as the DOJ, main Treasury, or even, potentially, the CFPB) and thus are somewhat more insulated from drastic changes in direction brought solely by a change in the persons at the top. However, they are not completely insulated, and these leadership changes are among the most significant to watch for in 2018.