Weekly Regulatory Audit Report — May 11, 2026

  • Re Browning
  • May 11

Please find below the key highlights from this week's Weekly Regulatory Audit Report, covering the 90-day look-back period of February 10 – May 11, 2026. This report is generated weekly for Privacy Officers, Compliance Officers, and other regulatory compliance monitoring programs.


KEY HIGHLIGHTS:


CFPB Final Rule — ECOA / Regulation B [HIGH | Deadline: July 21, 2026]
On April 22, 2026, the CFPB finalized its elimination of disparate impact ("effects test") from ECOA enforcement and imposed new restrictions on special-purpose credit programs. Institutions using AI/algorithmic underwriting must reassess fair lending compliance frameworks before the July 21 effective date. Note: state attorney general enforcement of disparate impact under state law remains fully intact.


FTC COPPA Enforcement Now Active [HIGH | Already Effective: April 22, 2026]
The FTC began enforcing its sweeping 2025 COPPA Rule amendments, covering expanded biometric data definitions, mandatory separate parental consent for third-party data sharing and AI training, and strict data retention/deletion requirements. Penalties reach $51,744 per violation per day.


FinCEN Dual NPRMs — Comment Deadline June 9, 2026 [HIGH]
FinCEN issued two major proposed rules: (a) the GENIUS Act NPRM bringing stablecoin issuers (PPSIs) under BSA/OFAC frameworks as financial institutions, and (b) a fundamental AML/CFT program modernization proposal under the AML Act of 2020. Both comment deadlines are June 9, 2026.


NYDFS — Delta Dental $2.25M Cybersecurity Settlement [HIGH | April 30, 2026]
NYDFS imposed a $2.25M penalty against Delta Dental for MOVEit zero-day exploitation, citing failures in data retention policies (§500.13), incident response plans (§500.16), and 72-hour notification (§500.17). Third-party vendor software patch management and supply-chain risk controls are enforcement priorities.


FTC Data Broker Ban — Kochava [HIGH | May 4, 2026]
The FTC banned Kochava and its successor Collective Data Solutions from selling sensitive location data without affirmative consumer consent — the largest data broker enforcement action of 2026. Organizations should audit data broker relationships and location data practices immediately.


New State Privacy Laws Now in Effect [HIGH | Effective: January 1, 2026]
Indiana (ICDPA), Kentucky (KCDPA), and Rhode Island (RIDTPPA) comprehensive privacy laws are now enforceable, bringing the total to 20+ state regimes. Penalties range from $7,500 (IN/KY) to $10,000 (RI) per violation. Rhode Island provides no cure period.


NAIC Spring Meeting — AI Systems Evaluation Tool Pilot [HIGH | Ongoing]
NAIC launched a 12-state pilot of its AI Systems Evaluation Tool for insurer AI/ML models. Twenty-four states have adopted the NAIC AI Model Bulletin. Market conduct exams assessing AIS Program compliance and bias testing are already underway.


NAIC — Third-Party Data & Models Registry Framework [HIGH | Ongoing]
The Third-Party Data and Models (H) Working Group aligned on a Risk-Based Regulatory Framework and registry for third-party pricing/underwriting data and model providers. Insurers should begin inventorying all relevant vendor relationships.


The complete report — including the full Regulatory Log Table (20 entries, sorted by date descending) and the Audit Trail documenting search methodology, sources, and search terms — is available as a Word document on request.


Please do not hesitate to reach out with any questions or to discuss the implications of any of these developments for your organization.

 
 
 
