In this Expert Analysis series, attorneys provide quarterly recaps discussing the biggest developments in California banking regulation and policymaking.
The first quarter of 2025 saw the initiation of the new 2025-2026 legislative session in California, along with the implementation of a number of bills signed by the governor in the prior session.
For example, the new year brought a ban on ATM fees charged by banks and number of changes to existing Homeowner Bill of Rights statutes.
The new session has brought a host of newly introduced bills, ranging from a prohibition of so-called swipe fees charged by credit card companies on taxes and tips, to providing mortgage relief for victims of the recent wildfires.
While widespread cuts to federal agencies like the Consumer Financial Protection Bureau have had major effects on rulemaking and enforcement actions,[1] the first quarter has been a very active period for California’s state regulatory agencies.
The state Department of Financial Protection and Innovation, or DFPI, issued final regulations interpreting the Debt Collection Licensing Act, or DCLA, required registration of earned wage access providers, and stepped up enforcement actions.
The first quarter also included the first enforcement action taken by the California Privacy Protection Agency, or CPPA, with wide-ranging implications for all businesses in the state, including the financial sector.
Legislative Updates
On Jan. 1, a host of new statutes was enacted. Notably, a new statute took effect banning banks and credit unions from charging so-called junk fees for attempting to overdraw their accounts at ATMs.[2]
Furthermore, there were several revisions to California’s Homeowner Bill of Rights. These revisions added requisite disclosures to borrowers before recording notices of default and provided borrowers with the ability to stall foreclosure proceedings by listing their property for sale[3] — provisions that are likely to lead to an increase in mortgage-related litigation.
While the 2025-2026 legislative session is in its infancy, a number of notable bills are being considered by the Assembly Banking and Finance Committee.
First is A.B. 1065, which would require credit card issuers to omit state and local taxes and tips from the so-called swipe fees they charge merchants.[4] The bill also prohibits credit issuers from increasing the rate or amount of fees applicable to circumvent the purposes of the act.
Another notable bill is A.B. 238, which would permit borrowers to stop their mortgage payments for up to 180 days with no fees, penalties or interest simply by attesting, without documentation, that the recent wildfires caused them financial hardship.[5]
The relief could be extended for another 180 days at the property owner’s request, subject to documentation requirements from the servicer.
While serving a noble purpose, without further amendments, the bill could provide unscrupulous borrowers with an automatic six-month forbearance on their loan payments without requiring any verification.
A third notable bill is A.B. 83.
This brief bill was introduced to “require companies to submit to the DFPI an elder abuse prevention plan.”[6]
However, the bill fails to define: what constitutes an elder abuse prevention plan, whether the bill institutes a one-time requirement or an ongoing requirement to submit renewed plans, whether there are any penalties for failing to implement such a plan (and if so, the amount), and whether this would apply to companies not currently subject to the DFPI’s requirements.
A final notable bill is A.B. 493, which would affect mortgage loans originated on Jan. 1, 2026, or later.[7] Under this bill, lenders would be required to pay at least 2% interest on escrow advancements for insurance proceeds held in escrow following property damage or loss.
This requirement would also apply to loans originated before 2026, but only if the property is located in a federally or state-declared disaster area.
If implemented, these requirements will further complicate the process of calculating insurance proceeds held in escrow by loan servicers.
Regulatory Developments
California’s DFPI Licensing Regulations Finalized
On March 4, the DFPI finalized regulations under the DCLA. These finalized regulations will take effect on July 1.[8] They clarify licensing and reporting requirements for debt collection licensees.
The DCLA requires debt collectors operating in California to be licensed by the DFPI. It also requires debt collectors to submit annual reports and pay an assessment to fund the DFPI’s oversight of the industry.[9]
The DFPI’s final regulations clarify several definitions and provide specific reporting requirements for license holders.
The final regulations specify how debt collectors must calculate net proceeds generated by California debtor accounts, making distinctions between debt buyers, debt owners and what they call “other debt collectors.”[10]
The finalized regulations require licensees to report: the total number of California debtor accounts collected, in full or in part; “the total number of California debtor accounts where
collection was attempted” but no payments were received; and “the total number of California debtor accounts in the licensee’s portfolio” at year-end.[11]
License holders will need to implement these new requirements to remain in compliance with their annual DCLA assessments and reporting obligations.
Earned Wage Access Providers Required to Register With the DFPI
Due to DFPI regulations issued in 2024 defining earned wage access transactions as loans,[12] providers were required to register with the DFPI before Feb. 15.
The newly implemented regulations additionally require earned wage access providers to provide annual operational and financial information to the DFPI,[13] follow state lending laws to clearly disclose all fees to consumers before offering services, and prohibit marketing fees as “voluntary” to consumers.[14]
These new regulations demonstrate that the DFPI will not hesitate to redefine nontraditional lending activities to fall within its regulatory purview.
DFPI Announces Consent Order Against Credit Union Victim of Cybersecurity Breach
On Feb. 4, the DFPI announced that it had entered into a consent order with Patelco Credit Union, which was the victim of a ransomware attack in June and July of 2024.[15]
As a result of the attack, the credit union’s members were unable to access their account information lines, and the cybercriminals were able to access the personal identifying information of 500,000 members.
The consent order will require the credit union to implement what it calls an “adequate” cybersecurity program and “maintain a qualified individual responsible for overseeing and implementing the cybersecurity program.”
It also requires the credit union to “have and maintain a written risk assessment,” perform tests, implement updated security policies and procedures, and engage an independent third-party compliance consultant to perform quarterly reviews of its cybersecurity policies and report them to the commissioner of financial protection and innovation.
It also required Patelco to prepare a “corrective action plan” and to report its findings to its board of directors. The credit union was also required to pay a monetary penalty of $100,000 due to these breaches.[16]
This action demonstrates the DFPI’s apparent intention to take actions against businesses that have been victims of cybersecurity breaches, thus exacerbating the need to ensure cybersecurity compliance.
CPPA Issues its First Enforcement Decision
In March, the CPPA issued its first order of decision to American Honda Motor Co. in an enforcement action under the California Consumer Privacy Act.
The CPPA found that Honda had: required consumers to provide “excessive personal information” to exercise their rights to opt out of or limit information sharing, used an online privacy management tool that “failed to offer Californians their privacy choices in a symmetrical or equal way,” made it difficult for authorized agents to submit privacy rights requests, and failed to provide the CPPA with copies of its contracts with advertising technology providers.[17]
The CPPA issued a $632,500 fine against Honda, calculated on a per-violation basis, for a relatively small number of identified violations.[18]
Under the California Consumer Privacy Act, the CPPA is permitted to impose fines of $2,500 per violation and $7,500 for each intentional violation.
This action demonstrates the need for all companies to step up their compliance efforts with the CCPA or risk stiff penalties.
Case Notes
Debt Buyers Act Claim: No Actual Damages Required
The Fair Debt Buying Practices Act requires buyers of charged-off consumer debt to have the following before writing to the consumer to collect the debt: sufficient records of the debt, the consumer’s liability for that debt, and the debt buyer’s entitlement to collect instead of the original creditor.
Under the California Civil Code, Section 1788.62(a), a consumer may sue for a violation of this requirement and recover the sum of actual damages and statutory damages of between $100 and $1,000.
In Chai v. Velocity Investments Inc. in February, California’s Sixth Appellate District held that the Fair Debt Buying Practices Act does not require the consumer to prove any actual damage to have standing to sue and collect statutory damages or bring a class action if the debt buyer engages in a pattern and practice of violating the statute.
No Duty Owed to Noncustomers
In Harding v. Lifetime Financial Inc., an impostor posing as an investment adviser for the defendant was scamming money from the plaintiff.
California’s Fourth Appellate District this year held that the actual securities broker did not owe the noncustomer plaintiff a duty to post a warning on its website or report the scammer to the Financial Industry Regulatory Authority.
In reaching this decision, the court cited and reinforced the line of authorities holding that banks do not owe duties to noncustomers, particularly to protect nonborrowers against fraud by depositors or others.
No Actual Damages Required to Maintain FDCPA Claim
In Six v. IQ Data International Inc. the U.S. Court of Appeals for the Ninth Circuit in February held that a plaintiff has Article III standing to sue even without a showing of actual damages.
The plaintiff in the case had received a debt validation letter the same day IQ received a letter from the plaintiff stating that all future communications regarding his debt should be sent only to his attorney.
The court affirmed that this communication violated the Fair Debt Collection Practices Act, and that even without actual harm, the plaintiff had been conferred the right to sue by Congress.
The court analogized an unwanted mail claim to the traditional common law tort of invasion of privacy by intrusion on seclusion to reach this decision.
Key Takeaways
While federal agencies are making and facing drastic and wide-ranging cuts at the hands of the new administration, California regulatory agencies have taken the reins to fill the vacuum left by their federal counterparts.
While the state legislative session is in its infancy, several bills have been introduced to expand consumer protections in response to recent natural disasters plaguing the state. Finally, courts are reaffirming the right to sue for statutory penalties, regardless of any actual harm suffered by consumers.
Financial institutions, therefore, must continue to be vigilant regarding federal and state compliance or risk the wrath of these state agencies and individual consumers. Stephen D. Britt is special counsel at Severson & Werson APC.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] Frank Gargano, Trump’s CFPB shake-up sparks mortgage industry concerns, National Mortgage News (Mar. 17, 2025), available at: https://www.nationalmortgagenews.com/news/trumps-cfpb-shake-up-sparks-mortgageindustry-concerns.
[2] Cal. Fin. Code § 530, available at: https://legiscan.com/CA/text/AB2017/id/2962619.
[3] See: https://www.law360.com/articles/2284136/california-s-new-homeowner-lawcould-hamper-foreclosures.
[4] Assembly Bill 1065 (2025-2026), available at: https://legiscan.com/CA/text/AB1065/id/3134766.
[5] Assembly Bill 238 (2025-2026), available at: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB238.
[6] Assembly Bill 83 (2025-2026), available at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB83&search_keywords=financial+code.
[7] Assembly Bill 493 (2025-2026), available at: https://abnk.assembly.ca.gov/media/1359.
[8] See, 10 CFR §§ 1850-1850.70, available at: https://dfpi.ca.gov/wpcontent/uploads/2025/03/Text-of-Final-Rules.pdf.
[9] Cal. Fin. Code §§ 100001, 100021(a).
[10] 10 C.F.R. § 1850(p).
[11] 10 C.F.R. § 1850.70.
[12] 10 C.F.R. § 1461.
[13] See, 10 C.F.R. §§ 1021-1026.
[14] See, 10 C.F.R. §§ 1461-1467.
[15] See: https://dfpi.ca.gov/wp-content/uploads/2025/02/Consent-Order-Patelco-CreditUnion.pdf.
[16] Id. at p. 3-6.
[17] Honda Settles With CPPA Over Privacy Violations (Mar. 12, 2025), available at: https://cppa.ca.gov/announcements/2025/20250312.html.
[18] Id.