Headlines

1. CFPB Issues Filing Instructions Guide for Small Business Lending Data
2. FDIC Clarifies When Banks Must Apply for Permission to Establish an ITM
3. Federal Financial Regulatory Agencies Propose Joint Data Collection Standards Rule
4. CFPB Takes Aim at Predatory Solar Lending Practices
5. Other Developments: Quantum Safe Encryption and Cybersecurity Assessment

1. CFPB Issues Filing Instructions Guide for Small Business Lending Data

The CFPB has published instructions for banks and other covered financial institutions to submit small business lending data that is required to be collected and reported under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The filing instructions guide released on August 15 provides an overview of the process to file small business lending data collected in 2025 with the CFPB and details on what to enter into each data field in the small business lending application register. The instructions also explain the validation requirements that a register must meet before it can be filed with the CFPB. The CFPB is currently testing the beta platform for small business lending data reporting. The CFPB has invited covered financial institutions to upload small business lending data for testing purposes. Click here to access the filing instructions guide for small business lending data, and here to access the beta platform for small business lending data reporting.

Nutter Notes:  The CFPB issued its final rule amending Regulation B to implement Section 1071 of the Dodd-Frank Act on March 30, 2023. Under the rule, covered financial institutions, including banks, are required to collect and report data on applications for credit for small businesses, including those that are owned by women or minorities. Under the final rule, a covered origination generally includes any extension of credit under Regulation B to a small business. The CFPB has extended the compliance deadlines for its rule governing the collection of small business lending data following a recent Supreme Court decision and the lifting of a stay that delayed implementation of the rule. On August 26, the United States District Court for the Southern District of Texas rejected another challenger to the legality of the CFPB’s small business lending rule. Covered financial institutions, including banks, with the highest volume of small business loans (at least 2,500 covered originations) must begin collecting data by July 18, 2025; moderate volume lenders (at least 500 but less than 2,500 covered originations) by January 16, 2026; and the smallest volume lenders (less than 500 covered originations) by October 18, 2026.

2. FDIC Clarifies When Banks Must Apply for Permission to Establish an ITM

The FDIC has released guidance for state nonmember banks clarifying when an interactive teller machine (ITM) will be classified as a domestic branch office or is treated like an automated teller machine (ATM) that is exempt from branch application requirements. The guidance issued on August 9 explains that state nonmember banks that seek to operate an ITM with functionality beyond certain limited circumstances described in the guidance may be required to file a branch application. According to the guidance, the FDIC would not consider an ITM to be a branch if the ITM meets certain parameters. First, the ITM must be automated, unstaffed, owned or operated by, or operated exclusively for, the bank, and equipped to enable existing customers to initiate an interactive session with remotely located bank personnel. Second, if bank personnel have the ability to remotely assist a customer with the operation of the ITM to perform core banking functions, customers must be able to perform such transactions without the involvement of bank personnel and must have the sole discretion to initiate and terminate interactive session with bank personnel. ITMs that operate outside of these parameters may require a branch application according to the guidance. Click here for a copy of the guidance on the classification of ITMs.

Nutter Notes:  Section 18(d) of the Federal Deposit Insurance Act (FDI Act) requires that state nonmember banks obtain the consent of the FDIC before establishing a domestic branch. Section 3(o) of the FDI Act specifically excludes ATMs and remote service units (RSUs), such as automated loan machines, from the definition of a domestic branch. The FDIC’s new guidance clarifies that a separate application is not required for a bank to operate an ITM with functionality beyond that described in the guidance at an approved branch office location. National banks are subject to similar requirements for the establishment of branch offices, but the OCC has interpreted the exclusion for RSUs somewhat more broadly. For example, the OCC has permitted RSUs to be used by non-customers to apply to open a deposit account or apply for a loan. Federal reserve member banks are generally subject to the same limitations and restrictions that apply to the establishment and maintenance of national bank branches, ATMs, and RSUs. State nonmember banks considering whether to establish an ITM should consult their FDIC case manager to determine whether the ITM’s functionality will require that a branch application be filed.

3. Federal Financial Regulatory Agencies Propose Joint Data Collection Standards Rule

The federal banking agencies have joined the other federal financial regulatory agencies to issue a proposed rule that would establish data standards for certain information collections submitted to the agencies. The proposed rule announced on August 9 is meant to “promote interoperability of financial regulatory data across the agencies” through the establishment of standards for identifiers of legal entities and other common identifiers. Among other things, the proposed rule aims to render data submitted by banks and other financial institutions to their federal regulators fully searchable and machine-readable. The agencies have requested public input on all aspects of the proposed rule. Public comments will be due 60 days after the proposal is published in the Federal Register, which is expected shortly. Click here for a copy of the proposed rule.

Nutter Notes: The Financial Data Transparency Act of 2022 (FDTA) directs the federal financial regulatory agencies to jointly establish data standards. The FDTA also requires that the standards be consistent with, and that they implement applicable accounting and reporting principles. The FDTA requires the agencies to issue a final joint rule establishing data standards by December 23, 2024.

4. CFPB Takes Aim at Predatory Solar Lending Practices

In a move that may be a prelude to upcoming regulatory enforcement action, the CFPB has issued a nationwide consumer advisory warning of predatory solar lending practices. The CFPB’s advisory issued on August 7 highlights risks to consumers arising from solar-specific loans, including loans by banks and non-bank lenders, including fintech companies that have partnered with banks to offer loans to consumers to finance solar panels. The CFPB stated that it has found that some residential solar lenders are misleading homeowners about the terms and costs of their loans, misrepresenting the energy savings they will deliver, and including markup fees in borrowers’ loan balances. For example, the CFPB found that that some residential solar lenders build hidden fees into their loans by marking up the principals of the loans, which “often increase the loan cost by 30% or more above the cash price of a solar project.” The CFPB may exercise its authority to police unfair, deceptive, or abusive acts or practices in consumer financial products to bring regulatory enforcement action against lenders engaged in solar lending practices that the CFPB determines are predatory in nature. Click here for a copy of the CFPB’s advisory.

Nutter Notes:  The CFPB’s advisory gave several other examples of the types of predatory lending practices the agency has found in the solar lending market. The advisory stated that "consumer lelenders mislead homeowners about what they will pay. For example, some lenders present loan principal as a “net cost” that assumes the federal solar tax credit will be received. However, a tax credit is not guaranteed and is based on a number of factors. Homeowners may be led to believe that either the tax credit will subtract from the “net cost” or that the “net cost” is what will be paid regardless of whether they end up qualifying for and receiving the tax credit. The advisory also warned of ballooning monthly payment terms—solar loans that require a substantial prepayment by a certain date that is equal to the expected tax credit. If a homeowner does not qualify for the tax credit, they will be required to make the prepayment or face substantially higher monthly payments. The CFPB stated that it will work with the U.S. Treasury Department, the Federal Trade Commission, and other agencies to “crack down on abuses” in the solar lending market.

5. Other Developments: Quantum Safe Encryption and Cybersecurity Assessment

• NIST Releases Post-Quantum Encryption Standards

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released a set of encryption algorithms on August 13 that are designed to withstand a cyberattack from a quantum computer. The NIST is encouraging systems administrators at institutions that may be targeted by cyberattacks, such as banks, to start integrating these quantum safe encryption algorithms into their computer information systems immediately.

Nutter Notes: The NIST warned that researchers are attempting to build quantum computers that “would operate in radically different ways from ordinary computers and could break the current encryption that provides security and privacy for just about everything we do online.” The new NIST quantum safe standards contain the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses. Click here for access to the NIST’s quantum safe standards.

• FFIEC to Discontinue its Online Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) has announced that it will remove the Cybersecurity Assessment Tool from its website on August 31, 2025. According to the FFIEC, several new and updated government and industry resources are available that banks can use to better manage cybersecurity risks, such as the NIST Cybersecurity Framework 2.0.

Nutter Notes: The Cybersecurity Assessment Tool is designed to help banks identify their risks and determine their cybersecurity preparedness. The FFIEC’s announcement lists a number of alternative resources that banks can use to assess their cybersecurity preparedness. Click here for a copy of the FFIEC’s announcement.