The Federal Deregulatory Cycle Creates Challenges and Opportunities

Introduction

In the spirit of fintech’s “move fast and break things” mantra, President Donald J Trump’s second term has kicked off with a rapid and sweeping deregulatory shift that seeks to reduce Washington’s oversight over the economy and open the door to investment and innovation, with no industry sector more profoundly impacted than fintech.

While the installation of new leadership at federal financial regulators and a shift away from Biden-era initiatives was predictable, the first 100 days of Trump’s second term have proved to be far more ambitious. The goal does not appear to be temporary relief from enforcement or loosening of regulation, but a permanent reduction of the so-called “administrative state”, including the Consumer Financial Protection Bureau (CFPB or “Bureau”), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (“Fed”), the Federal Trade Commission (FTC), and other financial regulators that are front and centre to the fintech sector.

Spearheaded by Elon Musk’s Department of Government Efficiency (DOGE), the Trump Administration has already conducted mass terminations of federal employees and cancelled contracts. While the outcome of this strategy remains to be seen, there have already been lasting reductions of long-time staff, rescission or nullification of Biden-era regulations, and other actions that appear to effect lasting change.

What does this mean for the fintech sector? As this article explores, the fintech industry thrives on innovation and always welcomes more regulatory flexibility, but a pendulum shift too far toward the “wild west” can create long-term challenges and risk that will need to be carefully balanced against speed to market and innovation. Further, sweeping deregulatory initiatives at the federal level can, and have already begun to, prompt states to take aggressive actions of their own.

Regulatory changes

The CFPB

The CFPB, with a single-director structure that gives immense power to the director, has seen the most immediate and profound changes. Targeted by Republicans and accused of regulatory overreach since its inception, the Bureau quickly came under attack during Trump’s second term, with former director Rohit Chopra replaced by Project 2025 architect Russel Vought as acting director, a stop-work order, and attempted shutdown of the Bureau and mass terminations of career CFPB staff. A lawsuit filed by the union that represents CFPB employees has halted most of these actions, at least temporarily, and Jonathan McKernan, a former Federal Deposit Insurance Corporation (FDIC) board member, has been nominated to act as full-time director and is expected to be confirmed by a Senate vote in the coming weeks, but between lay-offs, departures of long-time staff, and possible relocation, the CFPB is likely to be a much different agency when McKernan takes charge, assuming he is confirmed.

In addition, Chopra’s agenda is being rolled back, with several of the new rules passed towards the end of Chopra’s term, including Overdraft Fees, Digital Payment Applications and supervision of larger participants in digital use payment applications, in the process of being nullified under the Congressional Review Act, while others, like the Data Broker rule, will likely not be finalised. The CFPB has also issued press releases stating that it will rescind a controversial interpretive rule that deemed “buy now pay later” (BNPL) products to be credit cards subject to various provisions of Regulation Z, and will not prioritise compliance with remaining provisions of the Payday Lending rule that have now taken effect, but will instead prioritise “supporting hard-working American taxpayers, servicemen, veterans, and small businesses”.

With respect to enforcement, new enforcement actions have ground to a halt, and the new CFPB leadership has publicly dropped several lawsuits the agency filed against several regulated companies. The new Bureau leadership has also rebuked the agency’s aggressive enforcement of fair lending laws under the Equal Credit Opportunity Act (ECOA) and has signalled a move away from scrutiny of alternative data-drive algorithmic underwriting and the targeted marketing practices that drive innovative lending in the fintech space.

As we explore in this article, the weakening of the CFPB in the short term removes a potential barrier to innovative fintechs that might have found their way into the CFPB’s crosshairs, as well as some of the more ambitious rule-making the CFPB had undertaken that directly relates to fintech. However, given the broad scope of law that the CFPB administers, their enforceability by states and other regulators, and normal political cycles, presents challenges of a “race to the bottom” that could lead to even greater market risks down the road.

Prudential banking regulators

Meanwhile, for the last several years the federal banking regulators have been in the midst of an industry-wide crackdown on Banking as a Service (“BaaS”) partnerships, digital assets, and the increased reliance on data and sophisticated, but often difficult to understand, loan decisioning algorithms.

The BaaS crackdown was intertwined with a heavy emphasis by the agencies on third-party risk management (TPRM). Some of the concern from the agencies was premised on the 2023 Interagency Guidance on Third-Party Relationships: Risk Management, which was mostly an interagency adoption of the OCC’s long-standing TPRM guidance. However, the agencies followed the 2023 TPRM guidance with another joint statement specific to third-party bank deposit products, which was directed squarely at the BaaS market. Additionally, the malleability of TPRM, agencies’ increasing reliance on their “supervisory experience” to find additional risk, and dozens of enforcement actions against supervised banks have left the banking industry exceedingly wary of BaaS partnerships.

None of the foregoing guidance has been rescinded or withdrawn. But there are already signs of the agencies pulling back. Since the start of the Trump Administration, both the OCC and the FDIC have issued statements indicating that the agencies will no longer consider reputational risk in bank examinations, as well as statements that each agency is removing all references to reputational risk in its applicable examination manuals and handbooks.

Reputational risk has long stood as yet another check on industry, particularly against partnerships with industries that the federal regulators were sceptical of (ie, cryptocurrency) or products that the agencies believed to be predatory (ie, higher-cost online consumer lending). The abandonment of reputational risk as an examination tool is a fairly explicit indication to the industry that all of the old, ethereal, judgment-based examination practices are gone.

On the face of it, this new regulatory environment looks like a dream for innovative fintechs. However, it also comes with significant risk and uncertainty, particularly if the regulatory winds shift back in the other direction in four years’ time.

Artificial intelligence and machine learning

The federal regulatory landscape has also begun to shift dramatically regarding the intersection of machine learning and AI and target advertising and fair lending and other consumer protection laws. Fintech products that harness alternative data and use proprietary decisioning algorithms have revolutionised credit decisioning and expanded access to credit to “credit invisibles”, but they have come under fire in recent years as potentially discriminatory and difficult to understand, with federal agencies issuing cautionary guidance against the use of “black box” algorithms that may be difficult for consumers and regulators to understand and could lead to disparate outcomes for protected class borrowers. For example, a joint statement on AI by the FTC, Department of Justice (DOJ), CFPB and Equal Employment Opportunity Commission (EEOC) expressed concerns that AI can “automate and turbocharge discrimination”, while CFPB guidance circulars from 2022 and 2023 detail the regulatory hazards of potentially discriminatory algorithms and adverse action notice requirements.

Enforcement actions by the CFPB, the Department of Housing and Urban Development (HUD) and the FDIC have reflected this trend. The FDIC’s enforcement against BaaS providers for lax oversight of their fintech partners’ compliance with fair lending laws adversely affected the ability of supervised banks to enter into new BaaS lending partnerships in the absence of additional testing and oversight to ensure that decisioning algorithms were not discriminatory. HUD and the CFPB both pursued enforcement actions under ECOA and the Fair Housing Act (FHA) arising from the use of AI and data-based “target” advertising engines that could unfairly suppress or tailor credit or housing ads based on protected class status, leading large digital advertising platforms like Meta and Google to more closely scrutinise and impose controls on target advertising for credit and housing offers that may fall under ECOA and the FHA.

While concerns about discriminatory outcomes based on technology and alternative data are valid, the Trump Administration is rapidly scaling back these efforts, freezing the CFPB’s enforcement actions, reducing HUD’s funds to enforce the FHA, and deprioritising the DOJ’s Biden-era initiatives against redlining and discrimination in lending and housing. The CFPB, under Acting Director Russell Vought, has also moved to vacate a settlement with Townstone Mortgage, which arose from allegedly discriminatory marketing practices, with Vought stating in a press release that “DEI-driven CFPB bureaucrats” had abused the agency’s authority in pursuing the action.

With federal enforcement shifting away from close scrutiny of AI and alternative data models and fair lending enforcement, there will likely be more opportunity to launch new, innovative products in the coming years, but it is important to remember that any such products will still come with legal risk. First, the federal regulator shifting enforcement priorities during a four-year term is not a change in law, and statutes like ECOA and the FHA prohibit discrimination in lending and housing the same way now as they did in 2024, and to date there have been no developments to remove disparate impact as the basis for a cause of action under these statutes. As has been seen, federal regulatory priorities can shift on a dime, and bad factual records left during deregulatory periods can easily come back to haunt market participants. Moreover, statutes like ECOA can be privately enforced and carry statutes of limitation that can last as long as five years.

Decreased risk can present more options and opportunity to innovate, but where use may leave a trail of disparate impact in credit decisioning or pricing, this could translate into risks for years to come. Developers and users of AI and alternative data models should continue to diligently manage fair lending risk by:

• reviewing inputs and removing protected class characteristics or proxies thereto;
• testing the models or their outcomes for disparate treatment and disparate impact;
• maintaining a robust compliance management system;
• conducting fair lending analyses at least once per year; and
• reviewing marketing materials (if any) for fair lending compliance.

As fintechs continue to reap the benefits of AI and alternative data modelling as regulatory clouds part, it will be as important as ever for market participants to “self-police” and arm themselves with these tools, as risk tolerance increases across the board and new technologies are quickly released without regulatory scrutiny.

Fintech banking and BaaS

Fintech banks: years of unrealised promise

Realistically, the trend in BaaS Agreements will be an increased willingness on the part of banks to enter into these partnerships with fintechs, discussed below. However, on 17 March 2025, the OCC provided conditional approval for the fintech company SmartBiz Loans to acquire CenTrust Bank, NA, and change the business model of the bank to a platform that engages in small business lending activities on a nationwide basis.

The OCC’s willingness to provide conditional approval to a fintech in the first two months of the Trump Administration could be a sea change in the fintech industry if the OCC continues this practice.

The FinTech Bank Charter has always held great promise for both fintechs and the banking agencies, who would like to bring more parties into their regulatory perimeter. But the original FinTech Charter Bank became mired in litigation with the states, and obtaining a full-service banking charter emerged as the only realistic option for fintechs.

If the OCC under the Trump Administration intends to more freely grant approvals for fintechs to acquire and operate existing national banks, the charter that has seemed too far out of reach for many fintechs may now seem tantalisingly closer.

The BaaS thaw: regulatory posture, reputational risk, innovation and TPRM

As alluded to above, there has been no executive order from the Trump Administration and no interpretative letter from the OCC that has explicitly changed the regulatory environment on this. Yet, a substantial thawing of the frozen BaaS Agreement market is foreseen.

The BaaS Agreement market was essentially frozen due to regulatory scrutiny in the following areas:

• a general scepticism surrounding whether financial innovation provided any true consumer benefits;
• concerns related to the reputational risk exposure associated with banks partnering with fintechs on novel products and delivery platforms; and
• very real concerns around bank TPRM, and related safety and soundness risks.

The solution to scepticism of financial innovation is simply a policy shift. The entire posture of the Trump Administration suggests that, if given the (potentially false) dichotomy between financial innovation and consumer protection, the Trump Administration would choose financial innovation. The solution to reputational risk exposure issues seems to be to deprioritise them, which both the OCC and the FDIC did recently, as described above.

The Trump Administration may believe that the solution to TPRM issues is also to deprioritise them. However, on this issue, banks would be advised to be cognisant of the possibility that regulatory priorities may swing back, and banks that are overexposed to unreasonable third-party risk may find themselves still subject to the type of scrutiny that has characterised the last few years in the BaaS market.

That said, for banks than can appreciate the longer time horizon risk, manage that risk, and still find ways to participate in innovative and profitable partnerships, this is good news. For fintechs seeking a bank partner, a warming market is anticipated, but those same fintechs should still expect to undergo extremely rigorous due diligence, and should expect to comply with ongoing TPRM audits and reviews. 

Digital assets and cryptocurrencies

Speeches at cryptocurrency conferences, a cryptocurrency donor base, Trump meme coins… Cryptocurrencies were a signature issue of the Trump campaign. Has this carried over to the Trump Administration, and what more remains to be seen?

Executive orders

Amid the flurry of executive orders at the beginning of the Trump Administration, Executive Order 14178 – Strengthening American Leadership in Digital Financial Technology, which was issued on 23 January 2025 (the “Trump EO”) – was widely seen as the Trump Administration’s first attempt to make good on the promises of the Trump campaign.

The Trump EO rescinded a Biden Administration executive order (the “Biden EO”) on digital assets, but its direct, immediate impacts on the banking and financial services industries will likely be minimal. The Biden EO had previously established a working group to review and provide recommendations on Central Bank Digital Currencies (CBDCs). The Trump EO rescinded the Biden EO, and then established an almost identical working group made up of representatives from largely the same agencies, but with the caveat that the agencies were prohibited from establishing CBDCs. Similar to the Biden EO, none of the prudential bank regulators are represented on the Trump EO working group.

The rescission of the Biden EO does remove previous Biden Administration policies prioritising consumer protection and anti-money laundering in connection with digital assets, which will be viewed favourably by the cryptocurrency industry. But, perhaps most importantly, despite its limited substance, the Trump EO has been seen as a positive signal by the industry.

OCC and FDIC guidance

In contrast to the Trump EO, recent twin actions by the OCC and the FDIC have substantially eased the compliance barriers to entry for banks interested in engaging in digital asset-based activities.

At the OCC, the issue was an OCC interpretative letter that effectively required banks to obtain preapproval from the OCC in order to engage in certain cryptocurrency-related activities (the “Preapproval IL”). The recent interpretative letter from the OCC, issued on 7 March 2025, rescinds the Preapproval IL and allows banks to engage in cryptocurrency-related activities without notice or preapproval from the OCC. The FDIC had a similar Preapproval IL, and the FDIC rescinded its Preapproval IL on 28 March 2025.

Green-lighting cryptocurrency-related activities for banks without preapproval from the OCC or the FDIC is the first real accelerant in the banking industry for cryptocurrency-related activities, and the rescission of the Preapproval ILs can reasonably be understood not just as a means of streamlining the compliance regime but also encouraging banks’ participation in the ecosystem.

However, even in rescinding the Preapproval ILs, both the OCC and the FDIC remind banks that all activities, cryptocurrency-related and otherwise, must be conducted in accordance with sound risk management practices. Banks that are too eager to dive into digital assets without sufficient understanding of the risks and sufficient controls will likely pay the price in a few years’ time if the pendulum swings back and their CAMELS ratings take the hit.

We expect that banks will be presented with increasing opportunities related to digital assets, and great opportunity exists, but, even without preapproval requirements, banks should carefully consider and document the risk management activities conducted before engaging in these activities. Careful consideration and diligent documentation will be the difference between banks that are left regretting their haste and banks that are judged to be safe, sound and extremely well capitalised.

Other areas to watch

• Easing Federal Reserve membership – Like fintech banks, crypto banks have always been a less-than-fully realised opportunity. The wholescale agency rejection of Custodia Bank’s applications, and Custodia Bank’s recent losses in federal court seemed to be another substantial setback for Wyoming Special Purpose Depository Institutions (SPDIs) and other crypto banks. If the rescission of the Preapproval ILs is the first step in a softening of regulators’ views on cryptocurrencies’ place in the banking industry, it is possible regulators could also reconsider their position on SPDIs’ access to the privileges of the federal banking system.
• Stablecoins – These seem to be having a moment, perhaps partially because they are uniquely positioned to calm regulators’ unease. Understandable use cases, a lack of volatility, extreme promise in facilitating international transfers, and decreased money-laundering risk all suggest that stablecoins will increase in prominence and adoption over the next few years. If there is any movement from regulators easing restrictions and compliance burdens on stablecoins, this could be an additional accelerant for the industry.

State developments

While the CFPB may be taking a step back from supervision and enforcement, it is important to keep in mind that states also have the authority to enforce federal statutes and regulations, as well as their respective consumer protection laws and regulations. Most states independently regulate financial products such as mortgage loans, instalment loans, payday loans, and retail instalment contracts, among others. State laws and regulations address the content of contractual agreements, the amounts of finance charges and other fees that may be imposed, and licensing requirements for certain financial service providers (eg, lenders, brokers, servicers, debt collectors, money transmitters). In addition, most states have enacted their own Unfair and Deceptive Acts and Practices (UDAP) laws.

Note that state laws and regulations may encompass a financial product’s whole life cycle, including marketing, underwriting, origination and servicing. In addition, states may also have heightened consumer privacy protections.

Further, in preparation for an administration transition, the CFPB issued a report listing recommendations to states on how to strengthen state-level consumer protection laws, including:

• bans on abusive practices;
• giving attorneys general adequate authority to investigate and pursue remedies;
• authorising forms of private enforcement that can remain viable in the face of forced arbitration; and
• bans on junk fees.

States Actively Filling the Void

The New York State Department of Financial Services (NYDFS) and the California Department of Financial Protection and Innovation (DFPI) are known to be two of the most aggressive state departments in terms of financial regulation. These states, among others, will likely amp up their enforcement efforts to fill the void left by the CFPB.

Using New York as an example, the CFPB has already withdrawn from a lawsuit against MoneyGram International Inc. and a brief it had filed in support of the New York Attorney General (NY AG) against Citibank. The NY AG will continue to move forward with its suit against MoneyGram.

With respect to the DFPI, the department recently expanded registration and annual reporting requirements to include debt settlement services, student debt relief services, private post-secondary education financing, and income-based advances (earned wage access (EWA) products). The DFPI has also been very active in the BNPL space, entering into consent orders with big market players, including Afterpay and Klarna. It is expected that the DFPI will continue to be very active in its enforcement efforts across different types of financial products.