Regulatory Changes in Privacy and Data Security in the FinTech space: Key Highlights from the Last 90 Days
- Re Browning
- May 4
- 3 min read
The last 90 days have brought major shifts in regulatory policies affecting privacy, data security, and insurance compliance. Federal and state agencies have introduced new rules and guidance that will reshape how organizations manage risk and protect consumer information. This post summarizes the most important developments from February 3 through May 4, 2026, highlighting what businesses need to know to stay compliant and ahead of enforcement trends.

This is your Weekly Regulatory Audit Report covering the 90-day regulatory change look-back period from February 3 through May 4, 2026. The full auditor-ready Word document can be shared with you on request.
EXECUTIVE SUMMARY
The past 90 days have seen transformative regulatory activity across federal and state agencies with significant implications for privacy, data security, and insurance compliance. The most consequential development is FinCEN's April 7, 2026 Notice of Proposed Rulemaking to fundamentally reform AML/CFT programs under the Bank Secrecy Act, with public comments due June 9, 2026. This proposal would shift compliance expectations toward risk-based effectiveness, empower institutions to allocate resources toward higher-risk activities, and introduce a coordination requirement between banking regulators and FinCEN before significant enforcement actions. Simultaneously, the FTC has escalated AI enforcement across three active tracks — deceptive AI marketing claims under Section 5, undisclosed automated decision-making, and AI-generated fake content — with consent orders carrying real financial penalties. The NYDFS completed the final phase of its 23 NYCRR Part 500 cybersecurity regulation amendments (all provisions now fully enforceable), issued new MFA guidance (FAQs 18-23), and has accumulated $63.3 million in Part 500 penalties across 2024-2025, signaling aggressive examination cycles ahead.
At the state level, three new comprehensive privacy laws became effective on January 1, 2026 (Indiana ICDPA, Kentucky KCDPA, and Rhode Island RIDTPPA), expanding the privacy patchwork to 20 states. Colorado's landmark AI consumer protection statute (SB 24-205) has an effective date of June 30, 2026. The NAIC Spring 2026 National Meeting (March 22-25) advanced proposals for a third-party AI vendor registry, launched AI Systems Evaluation Tool pilot programs, and continued revisions to Model #672. State insurance regulators in New York, California, Texas, Florida, and Colorado are actively examining carrier AI underwriting algorithms, with formal inquiry letters issued in Q1 2026.
KEY REGULATORY DEVELOPMENTS (sorted by date, most recent first):
- April 22, 2026 — FTC AI Enforcement Actions (HIGH): Active enforcement across three tracks targeting deceptive AI claims, undisclosed automated decisions, and AI-generated fake reviews. Action: Review all AI marketing claims and automated decision practices immediately.
- April 15, 2026 — NYDFS 23 NYCRR 500 Annual Certification Deadline (HIGH): Annual CEO/CISO certification for 2025 cybersecurity compliance. Action: Confirm timely filing and retain records for 5 years.
- April 7, 2026 — FinCEN AML/CFT Program Reform NPRM (HIGH): Fundamental reform of AML/CFT programs under the BSA. Action: Prepare comments by June 9, 2026.
- April 3, 2026 — State Insurance AI Underwriting Examinations (HIGH): NY, CA, TX, FL, and CO regulators examining carrier AI underwriting algorithms. Action: Audit AI models and document bias testing protocols immediately.
- March 22-25, 2026 — NAIC Spring Meeting (HIGH): Third-party AI vendor registry proposal advanced; AI evaluation tool pilots launched; Model #672 revisions ongoing. Action: Monitor developments and prepare for Fall 2026 adoption.
- March 4, 2026 — Colorado AI Act SB 24-205 (HIGH): First-in-the-nation comprehensive AI anti-discrimination law effective June 30, 2026. Action: Complete compliance readiness assessments.
- February 25, 2026 — FTC COPPA Age Verification Policy (MEDIUM): Enforcement flexibility for age verification technology adoption. Action: Review digital platform age verification practices.
- February 13, 2026 — FinCEN CDD Rule Amendment (MEDIUM): Eased beneficial ownership re-identification requirements. Action: Update CDD/KYC procedures.
- January 20, 2026 — NYDFS Part 500 Final Phase and MFA Guidance (HIGH): All amendments fully enforceable; new FAQs 18-23 on MFA; $63.3M in penalties 2024-2025. Action: Validate MFA implementation and third-party risk documentation.
- January 1, 2026 — New State Privacy Laws Effective (MEDIUM): Indiana, Kentucky, and Rhode Island comprehensive privacy laws in effect. Action: Confirm compliance and update privacy notices.
IMMEDIATE ACTION ITEMS:
- Prepare comments on the FinCEN AML/CFT NPRM (due June 9, 2026)
- Complete Colorado AI Act compliance readiness (effective June 30, 2026)
- Validate NYDFS Part 500 MFA compliance and certification
- Audit AI underwriting models and document bias testing protocols
- Review FTC AI marketing claim substantiation
A full report document with the complete 20-entry regulatory log table and detailed audit trail can be shared separately on request.
Best regards,
Ralph Browning
Browning Risk Consulting