LENDERS COMPLIANCE GROUP®

AARMR | ABA | ACAMS | ALTA | ARMCP | IAPP | IIA | MBA | MERSCORP | MISMO | NAMB

Wednesday, July 1, 2026

Deregulation Doesn't Mean Lower Risk

QUESTION 

My main concern is that AI is about to take over my human responsibilities. It may come as a surprise, but I am a lawyer who serves as internal counsel for a lender in 35 states. You might think that a lawyer should have nothing to worry about when it comes to AI. I started here two years ago. The company continues to grow. There were four lawyers in our legal department. Yet, now there are three. One of them was fired, and in her place is an AI tool. I have a feeling that I am next to go! 

What are we doing to ourselves? Why are we allowing AI to put us out of work and take our livelihoods from us? These are not humans, yet they can take our human knowledge, pose as humans, and replace us. I see the downsizing of AI replacing humans. 

We are using your AI Policy Program to help us navigate AI’s compliance risks. It looks like AI is here to stay. AI regulations should protect consumers, and AI should not threaten our jobs! 

I see slow-to-no AI regulations and very little understanding of how it will adversely affect humans.   

What is being done to regulate artificial intelligence? 

OUR COMPLIANCE SOLUTION

AI POLICY PROGRAM FOR MORTGAGE BANKING™    

Our AI Policy Program aligns with Freddie Mac's and Fannie Mae’s requirements.   

Our AI Policy Program consists of the following policies:  

1.       AI Governance Policy 

2.       AI Use Policy  

3.       AI Workplace Policy  

4.       AI Credit Underwriting Policy  

5.       AI Do & Do Not Policy  

6.       AI Ethics Policy  

7.       AI Vendor Management Policy 

8.       AI Mortgage Fraud Policy 

9.       AI Anti-Money Laundering Policy

Contact us for Information! 

RESPONSE 

You say AI is not human, and it certainly isn't. Indeed, the Internet and its derivatives, such as social media, are not human. The Internet, social media, and AI are all inanimate, lifeless, insentient, spiritless, uninhabited, inorganic, labyrinthine, concatenating chains that are composed of winding strands of human meaning. 

These chains have no significance other than the understanding we invent for them. They are not our essence. We follow those chains, each of them like endless sands on a vast beach. The sands are unlimited, but the ones in our hourglass are finite. 

We are Hansel and Gretel, following breadcrumbs that lead to the cannibalistic witch. Inevitably, these brute, cold, insensate vessels into which we pour our being do not know we are there. They are numb, dumb, and oblivious, soullessly mimicking us, like an alien intelligence whose center is everywhere. 

Attempts to regulate AI technologies have not shown much foresight. Some of this negligence is by design and stems from an inability to recognize its implications. The mad dash into a new, unregulated, or semi-regulated technology is hubris borne of money, politics, and ego. AI technologies are expanding at a rate that outpaces the development of regulatory frameworks to mitigate their risks. 

The alien intelligence is ready for us. Are we ready for it? 

Over the past year, federal regulators have sharply pulled back on AI-related enforcement, including fair lending. The CFPB has scaled back liability for disparate impact under ECOA. Bank examiners are conducting fewer fair lending risk assessments. The administration has made deregulation its explicit policy goal. It would be easy to read this as a green light. It isn't. 

"Deregulation" Doesn't Mean Lower Risk 

What's actually happening is a shift in venue, not a reduction in exposure. Enforcement is moving from Washington to state attorneys general, private litigation, and a separate federal statute that nobody has rolled back. For mortgage originators and servicers using AI in underwriting, pricing, marketing, or servicing, the practical compliance burden hasn't gone away. It is just coming from different directions, and those directions are harder to predict than a single federal rulebook ever was.

The regulatory landscape is genuinely fractured at both the federal and state levels. The result is a compliance challenge that most financial institutions are not prepared for. My advice to you is to stay focused on reducing risk and not allow yourself to be lured into the "Deregulation Trap." 

I am going to give you some pointers that will help to serve your company well in the months and years to come.

The Deregulatory Push 

The Trump administration has taken a consistent "minimally burdensome" stance on AI since early 2025, revoking Biden's 2023 AI executive order and pursuing a strategy of limiting both federal and state regulation. Key developments for you to focus on are: 

·       December 2025 Executive Order[i] ("Ensuring a National Policy Framework for Artificial Intelligence"). It asserted broad federal authority to preempt state AI laws, established a DOJ AI Litigation Task Force to challenge state laws in court, and directed agencies to use funding leverage against states with "onerous" AI laws. Notably, the order's final text carved out child safety, AI infrastructure, and state government AI procurement from preemption efforts, thereby narrowing the scope from the version initially drafted. 

·       March 2026 National Policy Framework built on the foregoing order with legislative recommendations across seven policy pillars, again seeking broad preemption of state AI laws while preserving narrow categories of state authority. 

·       CFPB rollback: In April 2026, under Acting Director Russell Vought, the CFPB finalized a rule eliminating disparate impact analysis as grounds for ECOA enforcement actions, extending protections to all borrowers, including businesses, and barring for-profit special-purpose credit programs from using race or ethnicity as eligibility criteria. The effective compliance date is July 21, 2026. This rule marks a major shift from the Chopra-era CFPB, which had been actively focused on algorithmic AI fair lending risks (such as adverse action explainability for AI-driven denials, the AVM rule on appraisal algorithms, and "digital redlining" concerns). 

·       Bank regulators have generally followed suit: the OCC, for instance, deferred fair lending exams and removed the requirement that examiners perform fair lending risk assessments every supervisory cycle for community banks, while the CFPB scaled back data requests. 

The Deregulation Trap 

In my view, the ECOA mandate is a lure in the Deregulation Trap! The CFPB's rule change affects only ECOA enforcement. The Fair Housing Act continues to apply broadly to residential real estate-secured loans and permits disparate impact claims. Indeed, they were upheld by the Supreme Court in Texas Dept. of Housing v. Inclusive Communities Project,[ii] a precedent that can't be undone by agency rulemaking alone. So mortgage lenders specifically are losing one federal theory of liability but retaining another. 

And there's more bait in the Deregulation Trap: preemption. This preemption gambit is a classic example of trying to build a plane while it is already in flight. When you get past the Executive Order’s puffery and pompous verbiage, it becomes clear that federal preemption faces real legal headwinds. The Senate voted 99-1 to strip a state preemption provision from earlier legislation, and Congress separately declined to enact a similar moratorium through the NDAA. I am skeptical that this Executive Order alone has teeth, because an executive order standing alone lacks preemptive force. It is neither a statute nor an authorized regulation, and agency rules generally preempt only where Congress has provided a clear statutory basis, meaning FTC or FCC preemption actions could themselves be challenged as exceeding agency authority. What do you do? You keep complying with existing state laws! 

A recent Executive Order regarding artificial intelligence is definitely another booby trap. It's called "Promoting Advanced Artificial Intelligence Innovation and Security." This Executive Order adds cybersecurity mandates and a voluntary frontier-model security framework. However, it explicitly avoids licensing and preclearance requirements! In other words, go ahead and build the infrastructure (such as benchmarks, pre-release access, "trusted partner" tiers), and somehow, in some magical way, a highly capable, general-purpose artificial intelligence system that sits at the absolute cutting edge of current technology will inevitably evolve into the resolution of de facto compliance expectations. Sure thing! Oh Really?

Enforcement Migrating to States 

Former CFPB Director Rohit Chopra joined the Democratic Attorneys General Association in late 2025 to lead a Consumer Protection & Affordability Working Group, meaning states are now coordinating enforcement strategies and sharing theories that used to live at the federal level. He is the inaugural Secretary of California's newly created Business and Consumer Services Agency.  

New Jersey, for instance, has codified disparate impact under state law, with explicit guidance on algorithmic decisioning and AI explainability, and requirements for governance documentation that exceed current federal demands. Massachusetts reached a $2.5 million settlement over underwriting practices tied to model overrides and inadequate explanations of adverse actions. 

I think Colorado may be a bellwether state, although it has recently watered down some of its AI regulatory mandates. Colorado's AI Act was the first comprehensive state AI law specifically covering lending and financial services as a "consequential decision" category.[iv] After years of delays and a contentious special session, the legislature in May 2026 repealed and replaced the original Act, stripping out the duty of care, risk management programs, and impact assessments in favor of a lighter disclosure-based framework. It's effective January 1, 2027. 

Still, in my view, the state responses to AI come at the cost of an increasingly complex regulatory patchwork, such as California's Automated Decisionmaking Technology regulations,[v] Illinois's Human Rights Act for AI in employment and healthcare,[vi] Texas's Texas Responsible Artificial Intelligence Governance Act,[vii] and AI consumer-interaction laws passed by over a dozen states. 

Summing it Up! 

First, the controversial

·       CFPB has stepped back from disparate impact enforcement and reduced exam intensity,

·       Colorado softened its law considerably before taking effect, and

·       Federal posture is explicitly deregulatory and litigation-averse toward state AI rules. 

Second, the ongoing risks

·       Fair Housing Act disparate impact liability is untouched and applies broadly to mortgage lending,

·       State AGs are increasingly active and coordinated, effectively replacing CFPB enforcement,

·       The state patchwork keeps growing even as individual states like Colorado retreat,

·       Private litigation risk is unaffected by any of this; for instance, the ECOA and FHA both have private rights of action,

·       Federal preemption is asserted but legally untested, so relying on it as a compliance strategy is premature, and

·       The regulatory direction itself is unstable; a future administration or Congress could reverse course quickly. 

Jonathan Foxx, PhD., MBA

Chairman & Managing Director
Lenders Compliance Group
  

This article, Deregulation Doesn't Mean Lower Risk, published on July 1, 2026, is authored by Jonathan Foxx, PhD, MBA, the Chairman & Managing Director of Lenders Compliance Group. Founded in 2006, Lenders Compliance Group is the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in residential mortgage compliance.

__________

[i] Executive Order 14365, December 11, 2025, The White House
[ii] Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc., 576 U.S. 519 (2015)
[iii] Executive Order 14409, June 2, 2026, The White House
[iv] Artificial Intelligence Act (Senate Bill 24-205) with a narrower and less restrictive transparency framework known as the Automated Decision-Making Technology Act (SB 26-189)
[v] Enforced by the California Privacy Protection Agency (CPPA)
[vi] HB 3773
[vii] HB 149