Weekly Regulatory Audit Report — May 18, 2026

Good morning,

This is your weekly regulatory compliance monitoring report for the week of May 18, 2026, covering a 90-day look-back period from February 17 through May 18, 2026, across all monitored regulatory domains: CFPB, FTC, SEC, FinCEN/Treasury, state privacy law, NYDFS, DOI, NAIC, and AI/ML underwriting guidance.

The full auditor-ready report (Word document) is available on request.

KEY HIGHLIGHTS FROM THIS WEEK'S REPORT:

1. CFPB — ECOA/Regulation B Final Rule (HIGH | Deadline: July 21, 2026) On April 22, 2026, the CFPB issued a final rule eliminating disparate impact liability under ECOA, narrowing fair lending enforcement to intentional acts only, and revising Special Purpose Credit Program conditions. Effective July 21, 2026. Fair lending compliance programs, algorithmic underwriting model documentation, and SPCP eligibility criteria require immediate review. Note: FHA disparate impact liability is unaffected.

2. FinCEN — AML/CFT Program Overhaul NPRM (HIGH | Comment Deadline: June 9, 2026) On April 7, 2026, FinCEN (jointly with OCC, FDIC, NCUA) issued a sweeping Notice of Proposed Rulemaking to fundamentally reform BSA AML/CFT program requirements. Key reforms: effectiveness-based compliance standard, elevated risk assessments, flexibility in program design, significant enforcement actions limited to "material" or "systemic" failures, and 30-day advance notice to FinCEN before regulatory enforcement. Public comments are due June 9, 2026. Begin gap analysis and prepare comment letter now.

3. NYDFS — Delta Dental Enforcement Action — $2.25M Penalty (HIGH | Immediate) On April 30, 2026, NYDFS issued its first 2026 cybersecurity enforcement action — a $2.25 million Consent Order against Delta Dental Insurance Company and Delta Dental of New York for Part 500 violations arising from the 2023 MOVEit Transfer breach. Key findings: inadequate incident response policies, failure to timely report the cybersecurity event to DFS within 72 hours, and excessive data retention. Immediate action: review incident response plans, data minimization policies, and 72-hour notification procedures.

4. NAIC — AI Systems Evaluation Tool Pilot — 12 States (HIGH | Pilot: March–September 2026) The NAIC Big Data and AI Working Group launched its AI Systems Evaluation Tool pilot on March 2, 2026, with 12 participating state insurance departments (including CA, FL, PA, WI). The four-exhibit framework requests AI model inventories, governance documentation, bias testing evidence, and third-party vendor oversight details from domestic insurers. Insurers should immediately build AI inventories and prepare governance documentation, as documentation requests may be imminent.

5. State Privacy Laws — Indiana, Kentucky & Rhode Island Now In Effect (HIGH | Already Effective) Three new comprehensive consumer data privacy laws became effective January 1, 2026 (ICDPA, KCDPA, RIDTPPA), expanding the U.S. state privacy patchwork to 20+ states. Penalties range from $7,500/violation (IN, KY) to $10,000/violation (RI). Critical note: Rhode Island's law includes NO cure period — proactive compliance is essential. Verify that gap remediation is complete.

6. FTC — Shutterstock $35M Consent Order (MEDIUM | Immediate Review) On May 13, 2026, the FTC announced a $35 million settlement with Shutterstock for illegal subscription and auto-renewal practices. Reinforces the FTC's negative option rule enforcement posture. Review all subscription/auto-renewal terms and cancellation flows for clear disclosure and express informed consent.

7. FinCEN — CDD Rule Exceptive Relief (MEDIUM | Immediate) On February 13, 2026, FinCEN granted exceptive relief from the requirement to re-verify beneficial owners of legal entity customers at each new account opening. Update CDD/KYC policies and AML program documentation accordingly.

8. NAIC Spring National Meeting (MEDIUM | Ongoing) At the March 22–25, 2026 Spring Meeting in San Diego: Plenary adopted the insurance restructuring white paper; the Market Conduct Regulation Modernization Working Group was established; and the Third-Party Data and Models Working Group is developing a new Risk-Based Regulatory Framework and vendor registry for pricing/underwriting AI providers. Monitor exposure drafts.

   
   

AUDIT TRAIL SUMMARY:

• Report Period: February 17, 2026 – May 18, 2026 (90 days)

• Sources Consulted: CFPB, FTC, SEC, FinCEN, State AG offices, NYDFS, Texas DOI, NAIC, Federal Register, JD Supra, Debevoise Data Blog, Willkie Farr, Fenwick & West, PwC regulatory updates, DLA Piper

• Report Generated: Monday, May 18, 2026 at 7:07 AM EDT

• Next Report Due: May 25, 2026