Alston & Bird Consumer Finance Blog

California

The California Financial Protection Bureau? California Moves to Fill the CFPB Void

By

What Happened?

On May 12, 2026, California Governor Gavin Newsom announced the appointment of former Consumer Financial Protection Bureau (“CFPB”) Director Rohit Chopra as Secretary of the newly created California Business and Consumer Services Agency (“BCSA”).

The BCSA is a cabinet-level reorganization that will officially launch on July 1, 2026, consolidating a wide range of licensing, regulatory, and enforcement functions across numerous consumer-facing sectors of the California economy. These include oversight bodies such as the Department of Financial Protection and Innovation (“DFPI”), Department of Consumer Affairs, and other key regulators impacting financial services, real estate, and technology markets.

Governor Newsom framed the move explicitly as a response to the federal government’s retrenchment in consumer financial protection under the Trump administration, positioning California to “strengthen the state’s efforts to protect consumers and honest businesses” as federal enforcement is scaled back.

Chopra, who previously led the CFPB and served as a Federal Trade Commission commissioner, is widely known for aggressive enforcement initiatives targeting “junk fees,” repeat offenders, and unfair or abusive practices in consumer finance.

Why Does It Matter?

The creation of the BCSA—and the selection of Chopra to lead it signals a deliberate effort by California to function as a state-level analogue to a weakened CFPB. As federal consumer protection oversight contracts, California is positioning itself to step into the resulting regulatory vacuum.

This mirrors broader state-level trends, where states are expanding their authority and enforcement posture to address unfair, deceptive, and abusive acts and practices (“UDAAP”) in the absence of robust federal oversight. For example, as we have noted in prior posts, New York has moved to modernize its UDAAP framework in anticipation of increased enforcement and oversight of the financial services industry. California now appears poised to follow a similar path, albeit through a different structural approach.

Unlike a single regulator the BCSA is structured as a coordinating “umbrella” agency that brings together dozens of previously fragmented entities. This consolidation is designed to align enforcement priorities, streamline supervision, and enable coordinated rulemaking across industries that increasingly intersect (e.g., fintech, payments, and digital platforms).

For financial services companies, the most significant implication is the integration of the DFPI into a broader enforcement framework. The DFPI already exercises expansive authority over mortgage banking and finance lending activities and, under the California Consumer Financial Protection Law (“CCFPL”), supervises a broad spectrum of nonbank financial products, including lending, payments, and emerging fintech offerings. The new structure allows California to pursue cross-sector enforcement strategies, particularly where financial products intersect with technology platforms, data practices, or broader consumer marketplaces.

Chopra’s appointment strongly suggests that California enforcement will reflect the priorities and philosophy that characterized his tenure at the CFPB. During that time, the Bureau emphasized:

  • Aggressive enforcement against “junk fees” and pricing practices;
  • Scrutiny of repeat offenders and systemic compliance failures;
  • Focus on unfairness and abusiveness theories, not just deception; and
  • Increased attention to digital platforms, data usage, and algorithmic decision-making.

Expect these same themes to shape California’s enforcement agenda, with a particular emphasis on identifying “pattern and practice” violations affecting broad segments of consumers, rather than isolated compliance issues.

What Do You Need to Do?

In light of California’s evolving regulatory posture, financial services companies should take proactive steps to reassess their compliance frameworks with an eye toward increased state-level scrutiny.

First, companies should assume that CFPB-style UDAAP standards will remain highly relevant and ensure that policies and controls are calibrated to address unfair and abusive practices, not just deception.

Second, institutions should evaluate their operations holistically, recognizing that California regulators may take a “full lifecycle” view of consumer interactions. This includes:

  • Product design and pricing;
  • Marketing and disclosures;
  • Servicing and communications; and
  • Complaint handling and remediation practices.

Third, companies should prepare for greater inter-agency coordination within California, which may lead to:

  • More complex and multi-dimensional investigations; and
  • Parallel scrutiny across licensing, conduct, and consumer protection regimes.

Finally, organizations should closely monitor developments from the BCSA and its component agencies, particularly the DFPI, as enforcement priorities and rulemaking agendas begin to take shape under Chopra’s leadership.

California Focuses on Large AI Models

By

What Happened?

On September 29, 2025, California Governor Gavin Newsom signed Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), making California the first U.S. state to mandate standardized public safety disclosures for developers of sophisticated AI models that are made available to users in California. The law takes effect January 1, 2026, and it applies to:

  • Frontier Developers: Developers that train large-scale AI models using extremely high levels of computing power.
  • Developers: Frontier developers with annual revenue above $500 million (including affiliates), subject to additional reporting and governance obligations.

Key obligations of TFAIA include:

  • Safety Framework Publication: Large developers must publish (and update annually, as appropriate) a publicly-accessible safety framework describing how the company has incorporated national standards, international standards, and industry-consensus best practices into its frontier AI framework.
  • Transparency Reports: All developers must issue reports when deploying or materially modifying models, detailing model capabilities, intended/restricted uses, risks identified, and mitigation steps. Large developers must submit quarterly summaries to California Office of Emergency Services (COES).
  • Critical Incident Reporting: Developers and the public can report safety incidents directly to COES.
  • Whistleblower Protections: Employees who report substantial public-safety risks are protected from retaliation; large developers must maintain anonymous internal reporting channels.

The California Attorney General may pursue civil actions with penalties up to $1 million per violation. Developers meeting federal AI standards deemed equivalent or stricter by COES may qualify for a safe harbor. TFAIA also creates CalCompute, a public-sector computing consortium under the Government Operations Agency, to advance safe, ethical, and equitable AI research statewide. The California Department of Technology will review and recommend annual updates to the law’s definitions and thresholds.

Why Is It Important?

For the private sector, TFAIA signals that AI risk-governance expectations are maturing beyond voluntary principles. Developers, investors, and enterprises deploying advanced AI should expect heightened scrutiny of model transparency, catastrophic-risk assessment, and cybersecurity practices. Governor Newsom described TFAIA as a “blueprint for balanced AI policy” and the Act positions California as a standard-setter at a time when comprehensive federal AI regulation remains uncertain.

What to Do Now?

As a first step, companies should assess whether TFAIA applies, that is, whether an organization qualifies as a frontier or large frontier developer based on computing thresholds or revenue. In the event it does, companies should update AI safety and governance policies and procedures, including reviewing and aligning internal risk-management, cybersecurity, and third-party assessment frameworks with TFAIA’s requirements. Companies should also plan for transparency reports and establish internal protocols for producing and publishing model-specific transparency documentation. Finally, companies in scope should continue to monitor COES guidance to track additional requirements, safe-harbor determinations, and annual reviews by the Department of Technology.

California Requires Interest on Hazard Insurance Proceeds Immediately to Protect Wildfire Victims

By ,

What Happened?

Effective immediately upon enactment on August 29 as an urgency measure, California Assembly Bill 493 (2025 Cal. Stat. 103) (the “Bill”) requires financial institutions making or purchasing residential mortgage loans to pay interest on hazard insurance proceeds in a loss draft account pending the rebuilding or repair of property.

Why Does it Matter?

Previously, California law required a financial institution to pay interest on amounts held in escrow for payment of taxes and assessments on the property, for insurance, or for other purposes relating to the property. The Bill’s goal is to provide critical safeguards to protect wildfire victims by extending that requirement to loss drafts.

Specifically, the Bill adds new Section 2954.85 to the Civil Code, which imposes new requirements on financial institutions. The Bill defines the term “financial institution” broadly as “a bank, savings and loan association, or credit union chartered under the laws of [California] or the United States, or any other person or organization making loans upon the security of real property containing only a one- to four-family residence.”

The new section requires any financial institution that makes or purchases such loans and holds hazard insurance proceeds in a loss draft account pending property rebuilding or repair to pay interest on those funds at a rate of at least 2% simple interest per year. The financial institution must credit that amount to the draft account annually or upon termination of the account (whichever is earlier). Further, the financial institution cannot impose any fee or charge for the maintenance or disbursement of hazard insurance proceeds held in a loss draft account pending the rebuilding or repair of the collateral property, if such fee will result in payment of a lower interest rate on such hazard insurance proceeds.

A financial institution may place loss draft funds in an interest-bearing account in a federally insured depository institution, federal home loan bank, federal reserve bank, or similar institution.

For any funds a financial institution holds in a loss draft account as of the Bill’s effective date, interest must begin accruing on such funds as of that date. However, the requirement to pay interest on such accounts does not apply to any hazard insurance proceeds held in a loss draft account required under federal or state law to be placed by a financial institution (other than a bank) in a non-interest-bearing account.

The Bill also amends Section 50202 of the Financial Code, which otherwise governs the maintenance of client trust accounts, to reference the new Civil Code section’s requirements for loss draft accounts.

What To Do Now?

Lenders and purchasers of residential mortgage loans must ensure that any hazard insurance funds held in a loss draft account, pending the rebuilding or repair of the property securing the loan, began accruing interest at a rate of 2% per year as of the effective date of the new law. Further, given that it is common practice for the servicer who is acting as the agent of a “financial institution” to comply with the requirement regarding the payment of interest on escrow accounts, the same may become true for loss draft accounts; accordingly, servicers should be aware of the requirement.

Consumer Finance State Roundup

By , ,

The latest edition of the Consumer Finance State Roundup highlights recently enacted measures of potential interest from two states:

California:

Effective January 1, California Assembly Bill 3108 addresses mortgage fraud.  Previously, California law defined “mortgage fraud” to include, in connection with a mortgage loan transaction, filing with the county recorder any document that the person knows to contain a deliberate misstatement, misrepresentation, or omission, and with the intent to defraud.

Taking this a step further, the measure prohibits the filing of any document with the recorder of any county that a person knows to contain a material misstatement, misrepresentation, or omission. Further, the measure expressly provides that a mortgage broker or person who originates a loan commits mortgage fraud if, with the intent to defraud, the person takes specified actions relating to instructing or deliberately causing a borrower to sign documents reflecting certain loan terms with knowledge that the borrower intends to use the loan proceeds for other uses. For prosecution purposes, the alleged fraud value must be $950 or more (the threshold for grand theft).

A mortgage lender could unintentionally find itself guilty of mortgage fraud if it simply allows a borrower to use a business purpose loan for consumer purposes or makes a bridge loan that it knows will not be used for a dwelling. California’s Penal Code § 532f(b) makes it mortgage fraud for a mortgage broker or lender to allow mortgage-related documents to be formed and filed when the broker or lender has reason to know that the borrower intends on using the loan for purposes other than for what the loan is intended.

Although intent to defraud is an element to this crime, that element can only be determined through rigorous and time-consuming investigation. If a borrower, for example, uses a business loan for consumer purposes or does not apply the funds from a bridge loan towards a dwelling, the lender will be subject to additional scrutiny unless it can prove that all efforts were made to understand the borrower’s plans for the funds.

The measure also prohibits a person who originates a covered loan from avoiding, or attempting to avoid, the application of the law regulating the provision of covered loans by committing mortgage fraud. A “covered loan” means a consumer loan in which the original principal balance of the loan does not exceed the most current Fannie Mae conforming loan limit for a single-family first mortgage loan.

The measure also amends Section 4973 of the Financial Code, which imposes certain requirements ad restrictions (e.g., the inclusion of a prepayment fee or penalty after the first 36 months) in connection with covered loans and amends Section 532f of the Penal Code (as discussed above) in connection with the prohibition on committing mortgage fraud.

New York:

  • Effective June 11, Assembly Bill 424 amends Section 35 of the Banking Law, which relates to an information pamphlet that residential mortgage lenders must provide to applicants. In place of making a physical pamphlet available to lenders, the amended section requires the Department of Financial Services to notify mortgage bankers of the posting a digital version of the pamphlet on the Department’s website (and when it makes any changes thereto). The measure also amends the pamphlet contents to reflect that a lender may provide an applicant with a good faith estimate (instead of a loan estimate), depending on the type of loan for which the applicant is applying.
  • Effective May 15, Assembly Bill 2056 amends Section 283 of the Real Property Law, which limits the amount of flood insurance that a mortgagee may require a mortgagor to maintain. Under current law, that section provides that the maximum amount of coverage a mortgagee may require is the mortgage’s outstanding principal amount as of January 1 of the year the policy will be in effect. As amended, that section makes the maximum permitted amount of coverage the lesser of the outstanding principal amount or the residential property’s replacement. Additionally, AB2056 slightly alters the printed notice about flood insurance that a mortgagee must deliver to mortgagors, removing language referring to the fact that required coverage would only protect the interest of the lender or creditor in the property.
  • Effective March 21, New York Senate Bill 804 amends data breach notification requirements. Section 899-aa of the General Business Law requires a person or business to notify New York residents whose data is part of a breach, as well as to provide notice to certain governmental entities (including the Department of Financial Services). As amended, that section will require notification to the Department of Financial Services (in the form mandated by N.Y. Comp. Code R. & Regs. tit. 23, § 500.17) only by “covered entities.” A “covered entity” is any person who requires any type of authorization to operate under the Banking Law, Insurance Law, or Financial Services Law, and thus includes a mortgage banker or mortgage servicer.

States Impose Commercial Financing Disclosure Requirements

By , ,

What Happened:

In a little-noticed development, eight states have enacted legislation that requires specific disclosures for commercial non-real estate secured financing transactions.

Why is it Important:

Recently, California, Connecticut, Florida, Georgia, Kansas, New York, Utah, and Virginia have enacted laws that require or will require certain commercial financing “providers” to furnish burdensome consumer-like disclosures prior to the consummation of commercial financing transactions. Notably, all these state commercial loan disclosure requirements exempt banks.

California

The California disclosure requirements took effect on December 9, 2022, the effective date of final implementing regulations adopted by the California Department of Financial Protection and Innovation (“DFPI”).

Persons providing commercial financing (including small business loans and sales based financing) to small businesses “whose business is principally directed or managed from California” are required to provide borrowers with consumer-like disclosures, after the DFPI issued final regulations in June 2022 to implement SB 1235, otherwise known as the California Commercial Financing Disclosure Law (“CCFDL”). Commercial financing providers must disclose to the recipient at the time of extending a specific offer of commercial financing specified information relating to the transaction and to obtain the recipient’s signature on that disclosure before consummating the commercial financing transaction.

Notably, the CCFDL does not apply to transactions greater than $500,000 or to real estate-secured commercial loans or financings. The California law otherwise applies to, among other things, commercial loans, certain commercial open-end plans, factoring, sales based financing, and commercial asset-based lending.  Under the California law “provider” is primarily limited to entities extending credit, such as lender/originators, but also includes a non-bank partner in a marketplace lending arrangement who facilitates the arrangement of financing through a financial institution.

Connecticut

On June 28, 2023, Connecticut enacted “An Act Requiring Certain Financing Disclosures,” which: (a) requires lenders offering certain types of commercial purpose “sales-based financing” in amounts of $250,000 or less to provide specified consumer-like disclosures to applicants; and (b) mandates that lenders offering such credit to register annually with the Connecticut Department of Banking starting October 1, 2024. The Connecticut law authorizes the state banking commissioner to adopt promulgating regulations, and the law took effect on July 1, 2023.

The Connecticut law applies to providers of commercial financings and defines “provider” as “a person who extends a specific offer of commercial financing to a recipient and includes, unless otherwise exempt . . . a commercial financing broker.” “Commercial financing” means any extension of sales-based financing by a provider not exceeding $250,000. Under the statute, “sales-based financing” is a

transaction that is repaid by the recipient to the provider over time” (1) as a percentage of sales or revenue, in which the payment amount may increase or decrease according to the recipient’s sales or revenue, or (2) according to a fixed payment mechanism that provides for a reconciliation process that adjusts the payment to an amount that is a percentage of sales or revenue.

Notably, the Connecticut law exempts the following entities and transactions: (a) banks, bank holding companies, credit unions, and their subsidiaries and affiliates; (b) entities providing no more than five commercial financing transactions in a 12-month period; (c) real estate-secured loans; (d) leases; (e) purchase money obligations; (f) technology service providers acting for an exempt entity as long as they do not have an interest in the entity’s program; (g) transactions of $50,000 or more to motor vehicle dealers or rental companies; and (h) transactions offered in connection with the sale of a product that the person manufactures, licenses, or distributes.

Florida

On June 26, 2023, Florida enacted the Florida Commercial Financing Disclosure Law, which requires covered providers to furnish consumer-oriented disclosures to businesses for certain commercial non-real estate-secured financing transactions exceeding $500,000. The Florida law took effect July 1, 2023, and is mandatory for transactions consummated on or after January 1, 2024.

The Florida law applies to providers of commercial financing transactions and defines “provider” as a “person who consummates more than five commercial financings” in Florida during any calendar year.  “Commercial financing transactions” include commercial loans, open-end lines of credit, and accounts receivable purchase transactions.  The Florida law exempts the following entities and transactions: (a) federally insured depository institutions, their subsidiaries, affiliates, and holding companies; (b) licensed money transmitters; (c) real estate-secured loans; (d) loans exceeding $500,000; leases; and (e) certain purchase money transactions.

Georgia

On May 1, 2023, Georgia amended its Fair Business Practices Act to require certain providers of commercial financings of $500,000 or less to furnish various disclosures to small-business borrowers before the consummation of the transactions. The statute applies to covered commercial financings consummated on or after January 1, 2024.

The Georgia law requires providers of commercial credit in amounts of $500,000 or less to provide TILA-like disclosures to small-business borrowers before the consummation of the transaction but does not specify the time period. The Georgia law defines “provider” as “a person who consummates more than five commercial financing transactions” in Georgia during any calendar year, including participants in commercial purpose marketplace lending arrangements. “Commercial financing transactions” include both closed-end and open-end commercial loans as well as accounts receivable purchase transactions but do not include real estate-secured transactions.  The Georgia law exempts: (a) federally insured depository institutions and their subsidiaries, affiliates, and holding companies; (b) Georgia-licensed money transmitters; (c) captive finance companies; and (d) institutions regulated by the federal Farm Credit Act. The law also exempts purchase money obligations.

Kansas

On April 19, 2024, the Kansas Legislature enacted the “Commercial Financing Disclosure Act”, which requires “providers” (defined as entities that consummate more than five commercial financings transactions with businesses located in Kansas in a calendar year), to provide certain TILA-like disclosures to debtor business counterparties prior to consummation.

The legislation exempts from its coverage financings greater than $500,000 and real estate-secured transactions. Further, the statute also exempts depository institutions, their parents, and their owned and controlled subsidiary or service corporation if regulated by a federal banking agency. The Kansas law took effect on July 1, 2024.

New York

The New York disclosure requirements (which are substantively similar to those passed in California) took effect August 1, 2023, six months from the date of the promulgation of final implementing regulations, which were issued February 1, 2023.

The New York Commercial Financing Disclosure Law (“NYCFDL”) requires “providers” of commercial credit to provide Truth in Lending Act-like disclosures to applicants at the time it extends a specific offer of the commercial financing in amounts of $2,500,000 or less. “Providers” include both lenders and brokers.

The New York law applies to closed end financing, open-end financing, sales-based financing, including merchant cash advances and factoring transactions. The NYCFDL provides a de minimis exemption, “for any person or provider who makes no more than five commercial financing transactions in [New York] in a twelve-month period.”  Further, “financial institutions,” which include banks, and certain other chartered depository institutions authorized to conduct business in New York, are also exempt from the commercial loan disclosure law, including the subsidiaries or affiliates of such exempt financial institutions.  Commercial financings over $2,500,000 are exempt from the law as are transactions secured by real property. The obligation to provide disclosures applies if the financing recipient’s business is “principally directed or managed from New York.”

Utah

Effective January 1, 2023, the Utah law requires “providers” to register with the Utah Department of Financial Institutions and maintain such registration annually. Further, prior to consummation of the commercial financing, “providers” must, among other things, disclose to borrowers: (a) the total amount of funds provided to the business; (b) the total amount of funds disbursed to the business; (b) the total amount paid to the “provider” under the financing; (d) the manner, frequency and amount of each payment (or if the amount of each payment may vary, the manner, frequency and estimated amount of the initial payment); (e) information regarding prepayment of the financing; and (f) the amount the “provider” paid to the broker, if applicable.

The Utah law does not apply to consumer purpose transactions, real estate-secured transactions or transactions with loan amounts greater than $1 million—or if the “provider” makes five or fewer Utah commercial financings in any calendar year.

Virginia

Effective July 2, 2022, the Virginia law also contains some of the same disclosure obligations as the California, New York, and Utah laws.  However, the scope of Virginia’s disclosure requirements is limited to sales-based financing contracts (as opposed to the obligations imposed by the new laws in California, New York, and Utah which apply more broadly to commercial financing providers and various commercial finance products) and applies to contracts entered into on or after July 1, 2022.

Notably, the Virginia law requires sales-based financing providers to make disclosures of the financing terms at the time the provider offers sales-based financing to a recipient.  Virginia has issued implementing regulations that prescribe the form of disclosure for sales-based financing transactions, which became effective January 19, 2023. The Virginia law also requires providers to register with the Virginia State Corporation Commission as of November 1, 2022.

The law exempts sales-based financings in amounts over $500,000 and contains a de minimis exemption for a person that enters into no more than five “sales-based financing” transactions in any 12-month period.

What to Do Now:

California, Connecticut, Florida, Georgia, Kansas, New York, Utah, and Virginia all require commercial financers to provide certain disclosures to borrowers as part of the transaction—all of which would be applicable to small business purpose non-real estate secured loans.  Lenders must either comply with these nettlesome laws or structure their transaction to avoid triggering them. It is anticipated that other states will enact similar laws in the future that will impact small balance commercial lending.