CA DATA BROKER REGISTRATION AND DELETION RULES TIGHTENED
California’s Privacy Protection Agency has issued an enforcement advisory clarifying how data brokers must register under the Delete Act ahead of the launch of the state’s new Delete Request and Opt-Out Platform (DROP) on January 1, 2026. Any business that operated as a data broker in the prior year must register with CalPrivacy by January 31, listing all trade names, DBAs, and every website where it provides services, along with a clear link explaining how consumers can exercise their privacy rights. Each legal entity must register separately, so parent or affiliate registrations do not cover other entities. CalPrivacy has already used its authority to fine an out of state marketing firm for operating as an unregistered data broker, signaling that enforcement will accompany these registration duties. The advisory stresses that inaccurate, incomplete, or missing registrations can trigger administrative fines of $200 per day, plus registration fees and enforcement costs.
Given the broad definition of “data broker,” businesses that collect, sell, or share personal information should reassess whether they fall under the law and ensure they are prepared for DROP driven deletion requests and ongoing CCPA obligations.
MN SHARPENED DEBT COLLECTION LICENSING AND ENFORCEMENT
The Minnesota Court of Appeals has affirmed a cease and desist order against a Utah based company, holding that Minnesota’s collection agency statutes apply broadly to any entity collecting payment on behalf of others, even if the company is located out of state. Recovering rental vehicle damage claims for Minnesota businesses, sending collection letters, and forwarding proceeds to clients all counted as acting as a collection agency under state law.
Separately, the Minnesota Department of Commerce issued consent orders against two agencies, permanently barring one unlicensed company from ever obtaining a Minnesota collection agency license and penalizing a licensed agency for missing required nonprofit counseling disclosures. While much of the civil penalty amounts were stayed, both orders make clear that Minnesota is closely watching unlicensed activity and state specific disclosure requirements. Together, these developments signal that any collection work tied to Minnesota businesses or transactions can trigger licensing and oversight, regardless of where the agency is based.
WEBINAR: Buy, Build, or Sell? ARM M&A Outlook
The ARM industry continues to evolve, prompting agency leaders to consider whether now is the time to scale organically, pursue acquisitions, or prepare for a sale. This session explores the market forces shaping today’s M&A landscape, the factors that influence valuation, and the operational considerations that can strengthen or complicate a deal, giving owners clarity on the best strategic path forward.
What You’ll Learn:
How today’s M&A environment is shaping buyer and seller behavior
The operational and financial signals that influence valuation multiples
How licensing posture and change-of-control requirements affect deal speed and certainty
Strategic considerations for owners evaluating growth, acquisition, or exit
Why organizational readiness matters well before due diligence begins
Whether you’re exploring a sale, considering acquisitions, or deciding how to grow, you’ll walk away with a clearer framework for making smart strategic moves.
WATCH NOW
STUDENT LOAN WAGE GARNISHMENTS SET TO RESUME IN JANUARY
The Trump administration will restart wage garnishments for federal student loan borrowers in default beginning the week of January 7, 2026, the first time this tool has been used since early in the pandemic. The Education Department plans to send garnishment notices to about 1,000 defaulted borrowers in the initial wave, with additional batches to follow each month from a pool of roughly 5.3 million borrowers who have gone at least 360 days without a payment. Borrowers will receive 30 days’ notice before garnishment begins, during which they can dispute the action, pay the balance, or enter a repayment arrangement; once active, garnishments can take up to 15 percent of disposable income until the borrower exits default or repays the debt. The move follows the resumption of tax refund and Social Security offsets in May and comes as delinquencies rise after the end of the prior “on ramp” period, increasing the likelihood that more borrowers will slide into default and face involuntary collections.
STATE ENFORCEMENT AND LICENSING PRESSURE EXPECTED TO RISE NATIONALLY
Democratic state attorneys general have launched a new Consumer Protection and Affordability Initiative, with former CFPB Director Rohit Chopra advising on coordinated multistate strategies in consumer finance and emerging technology. The effort is designed to fill gaps as federal policy shifts, and to support more aggressive state level approaches on pricing, servicing, marketing, and use of advanced analytics. At the same time, regulators such as Washington’s Department of Financial Institutions continue to use traditional tools, moving to revoke the license of a virtual currency kiosk operator and issuing a consent order against a mortgage company and broker over advertising, disclosure, reporting, and compensation issues. For lenders, collectors, servicers, and fintechs, the message is that state examinations and enforcement will remain active and increasingly coordinated, particularly where licensing status or product design sits close to the line.
WHITE PAPER: MORTGAGE LICENSING
Navigating mortgage licensing across multiple states is complex—each jurisdiction has its own rules, documentation standards, and review timelines. As the whitepaper explains, a single error in NMLS submissions, misclassified activity, outdated financials, or late reporting can trigger delays, deficiencies, or lost business opportunities. This resource breaks down the core elements of licensing, the top pitfalls companies encounter, and how to build a strong foundation for multi-state growth.
What’s Included:
- Mortgage licensing step-by-step guide
- Application & renewal pitfalls (and fixes)
- State nuances and licensing map
- How Cornerstone can help
NY CLAMP DOWN ON UNLICENSED FINANCIAL SERVICES ACTIVITY
New York has enacted S.8408, expanding the Department of Financial Services’ power to investigate and impose civil penalties for “prohibited unlicensed acts” in the financial services marketplace. The law allows DFS to pursue entities that engage in activities requiring a license or other authorization without having one, with penalties that can match or even double those applied to licensed firms when consumer harm occurs. New York also adopted Uniform Commercial Code updates that modernize rules for virtual currencies and other digital assets, clarifying control, perfection, and priority for security interests in controllable electronic records, which affects secured lending and digital asset financing. These changes raise expectations that financial services providers will verify both their own licensing footprint and that of vendors handling data, marketing, or portfolio activity on their behalf.
BILLS AIM TO TIGHTEN MEDICAL DEBT RULES
Massachusetts lawmakers have introduced House Bill 4809, a proposed Medical Debt Protection Act that would reshape how medical debt is collected, reported, sold, and enforced in the state. The bill would prohibit healthcare creditors and medical debt collectors from selling medical debt to debt buyers, bar furnishing medical debt to consumer reporting agencies, restrict extraordinary collection actions such as liens and foreclosures, and impose waiting periods and notice requirements before lawsuits. It would also cap interest on medical debt judgments issued after January 1, 2026 and expand exemptions that protect certain income and assets.
In Indiana, proposed HB 1051 would bar healthcare providers from reporting an individual’s medical debt to consumer reporting agencies after June 30, 2026 and would prohibit bureaus from maintaining medical debt records reported after that date. The Indiana bill also creates a mechanism for consumers to request deletion of existing medical debt records at no cost, with bureaus required to remove them within five days, which would materially change how medical debt appears in credit files.
Taken together, these developments highlight the widening gap in state-level approaches to digital-asset activity, ranging from strict licensing and enforcement to active deregulation, creating new considerations for operators, lenders, servicers, and fintechs involved in crypto-enabled services.
STATES BUILD AI GUARDRAILS
Washington’s Artificial Intelligence Task Force has released an interim report calling for broad state level AI regulation, including transparency requirements for training data, governance expectations for “high risk” systems, and limits on fully automated decision making in areas like healthcare and employment. The recommendations stress disclosure of data sources, quality controls, and bias mitigation, and point toward stricter expectations for any AI used in credit, collections, customer interaction, or fraud tools that affect consumers’ rights or access to essential services.
In Utah, the governor has announced a “pro human AI initiative” that will evaluate whether AI tools support human wellbeing or create new risks, building on existing laws that restrict deepfakes and require medical chatbots to disclose that users are interacting with a machine. Utah officials have signaled forthcoming legislation around AI “companions” and metadata requirements so AI generated video can be clearly identified as synthetic. For financial services, call centers, and fintechs, these efforts preview a patchwork of state AI standards that will sit alongside traditional consumer protection and licensing regimes.
WEBINAR: LEVERAGING TECH & AI FOR RISK-SMART DEBT COLLECTION
What you’ll learn:
- Concrete use cases where automation and generative AI can support agents, improve QA, and streamline back-office processes
- How to structure internal policies, approvals, and documentation to keep AI-enabled workflows aligned with regulatory and client expectations
- Practical guardrails for scripting, digital communications, and self-service tools to reduce the risk of misleading or inconsistent consumer interactions
- Key questions to ask technology partners about data use, security, transparency, and auditability
- How to prioritize and test AI initiatives so your team can learn, measure impact, and adjust without disrupting day-to-day operations
WATCH NOW
DIGITAL ASSETS: SAFE CRYPTO ACT AND CALIFORNIA DFAL
At the federal level, the bipartisan SAFE Crypto Act has been introduced in the U.S. Senate to create a dedicated task force focused on crypto related scams, bringing together Treasury, FinCEN, law enforcement, and private blockchain experts. The task force would use blockchain analytics and regulatory tools to intervene in real time against investment fraud, phishing, ransomware, and money laundering involving digital assets, with the goal of preventing losses rather than only acting after the fact.
In California, the Department of Financial Protection and Innovation is preparing to implement the Digital Financial Assets Law, which will require many crypto and digital asset firms serving California residents to obtain a DFAL license by July 1, 2026. Applicants will need to demonstrate sound financial condition, strong governance, a risk based AML program covering BSA, OFAC, KYC, enhanced due diligence, and fraud prevention, and cyber and operational security programs aligned with the NIST Cybersecurity Framework.
Together, these developments show both federal and state regulators tightening expectations around digital asset risk management, enforcement, and licensing for platforms, custodians, and fintech partners.
CORNERSTONE CAN HELP: NEW HIRE BACKGROUND CHECKS
Cornerstone offers background screening services that are accurate and prompt so you can spend less time worrying about compliance and more time on your business. Most criminal searches are completed in less than a day. We provide screenings for new hires as well as for statutory requirements. We can perform domestic screenings as well as international screenings.
STATE AGS TARGET BNPL CONSUMER PROTECTIONS
Attorneys general from seven states, led by Connecticut and North Carolina with participation from California and several others, have sent detailed information requests to the largest Buy Now, Pay Later providers in the U.S. The letters seek data on pricing, default rates, ability to repay practices, customer service wait times, dispute handling, refunds, subscriptions, and how providers are aligning with Truth in Lending concepts. The AGs say they are concerned that BNPL users may not receive protections comparable to those available with traditional credit products, especially around billing errors, undelivered goods, and refund processing.
This initiative follows a pullback in federal BNPL rulemaking and indicates that states are prepared to step in with their own expectations. Lenders, debt buyers, and fintechs offering or partnering on BNPL programs should anticipate closer scrutiny of disclosures, repayment assessments, dispute practices, and contract terms.
NY COERCED DEBT PROTECTIONS EXPANDED
New York has enacted a new coerced debt law focused on debts arising from intimate, family, or household relationships, adding to but not replacing the state’s existing coerced debt protections. The new statute takes effect 90 days after December 19, 2025 and applies only to debts incurred on or after the effective date. It creates a separate framework from the 2022 coerced debt law, with different triggers, more rigorous obligations for creditors and debt collectors once a claim is raised, and a private right of action for consumers if those obligations are not met. The two laws now operate in parallel, which means creditors, debt buyers, and collection agencies handling New York accounts will need clear procedures to identify coerced debt scenarios, apply the correct set of protections, and update training and documentation accordingly.
MA DEBT COLLECTION RULES UPDATED AND REG F INCORPORATED
The Massachusetts Division of Banks has revised its regulation governing third party debt collectors, student loan servicers, and loan servicers, now tying many conduct standards to the CFPB’s Regulation F. Collectors that comply with specified Reg F provisions are deemed compliant with corresponding sections of the state rule, but Massachusetts has retained stricter limits on call frequency, allowing no more than two calls in a seven day period for a particular debt and keeping this cap after a successful contact. The regulation also preserves detailed rules on handling and segregating client funds and does not adopt Reg F’s framework for electronic delivery of required notices. A codified “passive debt buyer” exception now aligns with prior Division interpretations and excludes qualifying passive buyers from the definition of “debt collector” for purposes of this rule.
In addition, the regulation makes it a UDAP violation for student loan servicers to knowingly or willfully fail to provide a substantive response to the Student Loan Ombudsman within 30 days and requires them to include the Ombudsman’s web address in borrower communications.
CFPB SAYS CERTAIN EARNED WAGE ACCESS PRODUCTS ARE NOT CREDIT UNDER TILA
The CFPB issued an advisory opinion stating that certain earned wage access (EWA) products fall outside the definition of “credit” under Regulation Z, shifting away from a prior proposal that treated all EWA offerings as loans. The opinion focuses on employer based programs that give workers early access to accrued wages with defined structural safeguards. For providers that fit within this framework, TILA and Reg Z disclosure and cost of credit rules would not apply, easing some regulatory burden. At the same time, the opinion does not cover every EWA model, and products that charge fees or look more like advances still face legal and supervisory risk. Lenders, payroll providers, and embedded finance players should review their EWA designs and contracts to confirm whether they fit the advisory or require a more conservative compliance approach.
VIRTUAL SUGGESTION BOX
We’ve continued to hear great feedback from you, our clients, on how our newsletter provides value for your organization. To ensure we continue to research and provide the best data, we have created a virtual “suggestion box” for your ideas. Whatever topic you’d like to learn about, large and small, we will go research with our team and knowledgeable folks from our industry.
NEW FINCEN REPORTING FOR CERTAIN REAL ESTATE TRANSFERS
FinCEN has finalized a rule requiring certain parties involved in non financed residential real estate transfers to legal entities and trusts to file a new Real Estate Report. The rule applies nationwide and focuses on all cash or non financed transfers where the transferee is an entity or trust, capturing information on the reporting person, beneficial owners, the property, and payment details within roughly 30 days of closing. Transfers to individuals are not covered, and financial institutions that already maintain anti money laundering programs are generally excluded as reporting persons, but closing and settlement professionals will often carry the new obligation. The rule is designed to curb money laundering through opaque ownership structures and is particularly relevant for private credit, hard money, and investment transactions that use entities or trusts in place of individual buyers. Lenders, servicers, and fintech partners that rely on nonbank closing agents should clarify who will be treated as the reporting person in their deals and how beneficial ownership and transaction data will be gathered and retained.
NY AG AUTHORITY EXPANDS UNDER FAIR BUSINESS PRACTICES ACT
New York has enacted the FAIR Business Practices Act, amending General Business Law 349 to let the Attorney General bring actions for “unfair” and “abusive” practices in addition to deceptive acts. The law was signed on December 19, 2025, and will take effect 60 days after that date. “Unfair” conduct is defined using a standard similar to the Federal Trade Commission, requiring substantial injury that is not reasonably avoidable and not outweighed by benefits to consumers or competition. “Abusive” conduct follows the federal Consumer Financial Protection Act, covering practices that interfere with a person’s ability to understand terms or that take unreasonable advantage of a consumer’s lack of understanding, inability to protect their interests, or reasonable reliance on the provider. Financial services firms, collectors, and fintechs serving New York consumers should review products, disclosures, and collection practices now in light of these broader state enforcement standards.
BEYOND THE NEWSLETTER
Head to LinkedIn and give us a follow to tap into a stream of real-time updates, legislative changes, and great content tailored for ARM and Fintech professionals. Engage with thought leaders and peers in our community to enhance your expertise.
Follow Cornerstone on LinkedIn and transform the way you stay informed in our ever-evolving industry.
This information is not intended to be, nor is it, legal advice. It is intended for information purposes only. We make no warranty, express or implied, as to the accuracy or reliability of this information. We are not attorneys. You must retain your own attorney to receive legal advice. While Cornerstone strives to provide the most current and accurate state licensing information, the responsibility for any decision related to state licensing or agency compliance is solely yours.
