MA DEBT COLLECTION AND SERVICING RULES REVISED
The Massachusetts Division of Banks has updated its debt collection and servicing regulation, which is now fully reorganized and incorporates key portions of CFPB Regulation F. Debt collectors who follow the specified sections of Regulation F will be considered compliant in Massachusetts, but the state is keeping stricter call limits, its existing rules on handling client funds, and its own requirements for electronic notices. The regulation also formally codifies the passive debt buyer exemption that had previously existed only through opinion letters. In addition, student loan servicers can now face a UDAP violation for failing to provide a substantive response to the Student Loan Ombudsman within 30 days. The update applies to third-party collectors and servicers, while the separate attorney general regulation governing creditors remains unchanged.
CA NEW ENFORCEMENT STRIKE FORCE TARGETSÂ DATA BROKERS
California has launched a new Data Broker Enforcement Strike Force within the California Privacy Protection Agency to intensify oversight of data brokers. The unit will investigate violations of the Delete Act and the California Consumer Privacy Act, including failures to register, pay required fees, or meet statutory deletion and disclosure obligations. The move builds on a 2024 investigative sweep that has already produced eight enforcement actions, including a $1.35 million penalty against a major retailer. Beginning January 1, 2026, the agency will also deploy its new DROP Platform, which will route consumer deletion and opt-out requests to more than 500 registered data brokers. The Strike Force signals a more aggressive approach toward data brokers operating in California, with daily fines and expanded enforcement resources.
NY CYBERSECURITY RISK AND THIRD-PARTY PROVIDERS
California Governor signed a slate of new bills expanding consumer protections and data privacy. The Opt Me Out Act (AB 566) makes California the first state to require web browsers to include an in-browser control that allows users to block websites from selling or sharing their personal data, effective January 2027. The Combating Auto Retail Scams (CARS) Act introduces strict disclosure requirements for vehicle dealers and grants consumers a three-day right to cancel certain used-car sales. In addition, the DFPI took enforcement action against an unlicensed crypto ATM operator under the Digital Financial Assets Law, reinforcing California’s commitment to stronger digital finance oversight.
WHITE PAPER: FIRST-PARTY DEBT COLLECTION LICENSING
What’s Included:
- State & municipal applications
- Application & renewal pitfalls (and fixes)
- Licensing triggers
- Multi-state roadmap
- How Cornerstone can help
CA NEW DRAFT RULES UNDER DEBT COLLECTION LICENSING ACT
California’s DFPI issued another round of proposed edits to the Debt Collection Licensing Act regulations. The draft adds new definitions, expands what counts as engaging in debt collection, and updates document-retention requirements. This continues the state’s multi-year effort to refine the DCLA. Comments are due December 12, and entities operating in California should review the proposal closely for changes that may broaden licensing obligations.
STATES TAKE DIVERGING PATHS ON CRYPTO OVERSIGHT
States continue to move in sharply different directions on digital-asset regulation, creating a fragmented compliance landscape for kiosk operators, miners, and fintech partners.
Oklahoma has adopted one of the country’s most prescriptive licensing regimes for digital-asset kiosks. Operators must now be licensed as money transmitters, maintain a $500,000 bond, provide advance notice for kiosk placement, submit quarterly location reports, and comply with strict disclosure, fraud-prevention, and customer-support obligations. The law also sets transaction and fee limits, significantly expanding compliance expectations for operators and their banking partners.
California is taking an enforcement-forward approach. Recent DFPI actions suggest heightened scrutiny of crypto-kiosk operations, including examinations focused on disclosures, fee practices, recordkeeping, and fraud-mitigation controls. These patterns indicate DFPI will continue treating cash-to-crypto activity as a high-risk segment requiring strong operational oversight.
By contrast, New Hampshire is exploring deregulation. Lawmakers advanced House Bill 639 to further interim study, a proposal that would prohibit municipalities from imposing local restrictions on crypto mining and bar unique state or local taxes on digital-asset transactions. Supporters argue the bill would position the state as crypto-friendly, while opponents cite concerns about energy consumption, noise, and strain on infrastructure. The bill’s progress could influence neighboring states evaluating their own digital-asset frameworks.
Taken together, these developments highlight the widening gap in state-level approaches to digital-asset activity, ranging from strict licensing and enforcement to active deregulation, creating new considerations for operators, lenders, servicers, and fintechs involved in crypto-enabled services.
MA NEW MONEY TRANSMISSION REGULATION
The Massachusetts Division of Banks has finalized a comprehensive regulatory framework to implement the commonwealth’s new Money Transmission Act, effective November 7. The updated regulation, 209 CMR 44.00, replaces older rules that applied only to check cashers, check sellers, and foreign transmittal agencies, and now establishes uniform licensing, net-worth standards, permissible investment requirements, and surety bond thresholds for all money transmitters. Licensees must submit detailed applications, maintain investments equal to transmission obligations, file annual and quarterly call reports, provide audited financial statements within 90 days of fiscal year-end, and keep records for at least three years. They must also notify the Division of Banks of ownership changes, key personnel changes, and other significant developments.
Related regulations were revised to align with the new framework. 209 CMR 45.00 now governs only check cashers, and 209 CMR 48.00 and 801 CMR 4.02 were updated to incorporate money transmitters into recordkeeping rules and fee schedules.
MN EXPANDED DEFINITION OF DEBT COLLECTION AND WHO MUST BE LICENSED
The Minnesota Court of Appeals affirmed that the state’s debt collection licensing law applies broadly and covers out-of-state companies engaged in collection activity tied to Minnesota transactions. The case involved a Utah company that pursued rental-vehicle damage claims for Minnesota rental businesses and sent consumers letters stating it was attempting to collect a debt. Regulators determined the company was operating as an unlicensed collection agency, and the court agreed, holding that damage claims qualify as “any…other indebtedness” under state law and that collecting funds for others meets the definition of a collection agency, even when claims are assigned. The court also ruled that a company collecting on Minnesota-based claims is operating “in Minnesota” regardless of where the consumer lives. Finally, it rejected arguments that the statute is vague, finding that the company had clear notice its conduct required a license.
CORNERSTONE CAN HELP: SURETY BONDS
Surety Bonds can feel like just one more hassle standing in the way of your compliance. You want to close the loop on your licensing or permitting requirements and get back to what you do best – running your business. But the process can be slow, costly, and downright stressful. And while you’re waiting, you’re losing out on potential clients and revenue.
At Cornerstone, we understand and we’re here to help. Our team of experts work tirelessly to get you the surety bond you need quickly and at a fair price. No more lengthy waits for a response or being hit with hidden fees. Plus, our dedication to exceptional customer service ensures a stress-free experience from start to finish.
CFPB NOVEMBER SNAPSHOT
The CFPB faces significant operational uncertainty after DOJ concluded the Bureau cannot currently draw funds from the Federal Reserve, raising the risk of a shutdown in early 2026. Amid this instability, the White House submitted a procedural nomination designed to extend Acting Director Russ Vought’s tenure indefinitely while the administration continues efforts to wind down the agency. During this period, the Bureau has pulled back from several major regulatory initiatives.
Adding to the turmoil, the Bureau is preparing to transfer its remaining enforcement lawsuits and active litigation to the U.S. Department of Justice. The DOJ will assume control of CFPB enforcement matters in the coming weeks as the Bureau anticipates a funding lapse. It remains unclear whether existing cases will continue uninterrupted or whether schedules, strategy, and continuity will be affected. Internal concerns have also surfaced, with union leaders arguing the handoff exceeds the Director’s authority and could leave consumers without redress.
The CFPB formally withdrew two nonbank registry proposals — one requiring companies to register public enforcement orders and another requiring disclosure of “fine print” contract terms such as arbitration clauses, class-action waivers, and liability limits. The Bureau cited high compliance burdens and minimal consumer benefit. It also issued an interpretive rule asserting federal preemption over state medical-debt reporting laws under the FCRA, reversing its earlier 2022 position and centralizing authority over credit reporting standards. Additionally, the CFPB proposed major revisions to the Section 1071 small business lending rule, raising the reporting threshold to 1,000 loans, reducing required data fields, and delaying compliance until January 1, 2028.
These developments reflect the Bureau’s shrinking regulatory footprint, ongoing funding constraints, and heightened uncertainty surrounding long-term supervision, enforcement, and rulemaking.
MEDICAL DEBT ROUNDUP
States continue to pursue aggressive medical debt reforms, creating a rapidly shifting landscape for collectors, furnishers, lenders, and healthcare creditors. Delaware’s amended Medical Debt Protection Act is now in effect, fully prohibiting medical debt from appearing on consumer credit reports. North Carolina implemented one of the largest debt relief initiatives in the country, eliminating $6.5 billion in medical debt for 2.5 million residents and urging credit bureaus to expand limits on medical debt reporting.
Colorado’s 2023 medical-debt reporting ban is facing a federal lawsuit from ACA International and Creditors Bureau USA. The plaintiffs argue the law is preempted by the Fair Credit Reporting Act and violates the First Amendment by restricting truthful, coded reporting of medical debt. The challenge follows the CFPB’s recent reversal of its 2022 policy and its new interpretive rule asserting federal preemption over state medical-debt reporting laws.
In the debt collection space, Michigan lawmakers introduced a bipartisan Medical Debt Protection Act that would cap interest, restrict lawsuits and garnishments, regulate debt sales, and classify violations as unfair or deceptive acts enforceable by the Attorney General.
Collectively, these developments show states increasingly shaping medical debt rules even as federal standards remain in flux.
NY GOVERNOR DEFENDS STATE AI SAFEGUARDS AMID FEDERAL FUNDING DISPUTE
New York Governor Kathy Hochul issued a statement defending the state’s recently enacted AI safeguards aimed at protecting consumers, workers, and minors. According to the Governor, the White House is threatening to withhold broadband funding from rural communities in response to the state’s AI regulations, which she describes as basic protections against potential harm. Hochul emphasized that New York intends to remain a national leader in responsible AI governance and will continue to push for protections that balance innovation with consumer and worker safety.
RECORDED WEBINAR: YEAR-END LICENSING CHECKLIST & 2026 REGULATORY OUTLOOK
In case you missed it, our recent webinar brought Christy Barger joined with Hudson Cook partners Chuck Dodge and Anastasia Caton to break down what year-end readiness looks like for financial services companies. The panel discussed how to navigate overlapping renewal deadlines, evolving state expectations, and what to watch for in 2026 at both the state and federal levels.
We covered:
-
How to approach year-end licensing as a strategic “health check” on your entire licensing footprint
-
Why NMLS and non-NMLS renewals are especially high-risk if you start late (deficiencies, system issues, and short cure windows)
-
State-specific “surprises” at renewal time, including new activity reports, collector lists, and fingerprint refreshes
-
How mergers, acquisitions, ownership changes, and leadership moves impact renewal timelines and can trigger parallel filings
-
Recent examination and enforcement themes, including Georgia’s limited-scope exams and California DFPI’s new assessment model
-
Practical ways to prepare for increased state activity in areas like debt buying, student loans, mortgage servicing, and emerging products
-
Action steps to stay ahead in 2026: monitoring legislative trends, tracking NMLS/state changes, and staying engaged with trade associations and industry updates
We’ve recorded the entire session –Â it’s available for you to watch at your convenience.
WATCH NOW
NJ LICENSING FRAMEWORK INTRODUCED FOR EWA PROVIDERS
New Jersey lawmakers have introduced a bill that would create a full licensing and regulatory framework for earned wage access (EWA) providers. The proposal requires providers to obtain a license, meet net-worth and liquidity thresholds, undergo criminal background checks, and file annual reports detailing revenue, transaction volume, consumer usage, and fees or tips collected. The measure imposes operational requirements aimed at transparency and consumer protection, including mandatory no-cost access options, clear disclosures, voluntary-tip rules, cancellation rights, and compliance with privacy and security standards.
The bill also prohibits several practices, such as charging late fees or interest, reporting nonpayment to credit bureaus, initiating legal collections, or sharing fees or tips with employers. EWA services provided by licensed entities would not be considered loans, credit, or money transmission. If enacted, this legislation would create one of the more comprehensive state-level EWA frameworks, adding new licensing and compliance expectations for providers operating in New Jersey.
FRAUD SCHEME TARGETING LENDERS IN PHILADELPHIA
The National Private Lenders Association issued a warning about a coordinated fraud scheme affecting lenders in parts of Philadelphia, particularly around the Temple University area. The pattern involves artificially inflated purchase prices, manufactured comparable sales, and cash-out loans where the borrower has little or no real equity. Multiple transactions show repeated use of the same agents, appraisers, and title professionals, along with elevated deed recordings in ZIP codes 19121 and 19132. Industry experts have called the activity a significant red flag, noting similarities to past schemes that resulted in large lender losses. Lenders are encouraged to review transactions in the region carefully and flag any suspicious patterns before they escalate.
VIRTUAL SUGGESTION BOX
We’ve continued to hear great feedback from you, our clients, on how our newsletter provides value for your organization. To ensure we continue to research and provide the best data, we have created a virtual “suggestion box” for your ideas. Whatever topic you’d like to learn about, large and small, we will go research with our team and knowledgeable folks from our industry.
MN COLLECTION AGENCY FINEDÂ FOR UNLICENSED ACTIVITY
Minnesota regulators issued an enforcement action against CAC Financial for continuing to collect from state consumers after its collection agency license expired in 2018. Investigators also found that the company misrepresented itself to consumers as being licensed in the state, a violation of Minnesota law and the FDCPA’s prohibition on deceptive practices. Under the consent order, CAC must pay a $15,000 civil penalty, cover investigative costs, and cease further violations, with the stayed portion reinstated if additional issues occur before October 31, 2028. This case highlights the state’s increased scrutiny of unlicensed collection activity and the importance of maintaining accurate licensing status when operating across jurisdictions.
OH INTERPRETATION WITHDRAWN REQUIRING LICENSES FOR BANK LOAN ARRANGERS
The Ohio Division of Financial Institutions has reversed its 2024–2025 position that nonbank entities arranging small loans on behalf of banks must obtain a state license. The updated guidance pauses licensing and enforcement under the Small Loan Act for these arrangements and withdraws the earlier interpretation entirely. This shift reduces near-term regulatory pressure on fintech–bank partnership models operating in the small-dollar credit space. The DFI noted that it will continue evaluating the issue and may propose future rulemaking, meaning providers should monitor for potential changes as the state reassesses its approach.
BEYOND THE NEWSLETTER
Head to LinkedIn and give us a follow to tap into a stream of real-time updates, legislative changes, and great content tailored for ARM and Fintech professionals. Engage with thought leaders and peers in our community to enhance your expertise.
Follow Cornerstone on LinkedIn and transform the way you stay informed in our ever-evolving industry.
This information is not intended to be, nor is it, legal advice. It is intended for information purposes only. We make no warranty, express or implied, as to the accuracy or reliability of this information. We are not attorneys. You must retain your own attorney to receive legal advice. While Cornerstone strives to provide the most current and accurate state licensing information, the responsibility for any decision related to state licensing or agency compliance is solely yours.
