Key Takeaways from the 2026 MBA Legal Issues and Regulatory Compliance Conference

A group of our Hinshaw colleagues had a front-row seat as the Diamond Sponsor firm at last week’s Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference in Miami from May 4–7, 2026. Several of our team members presented on panels throughout the conference.

Conversations across the sessions highlighted recurring themes, including the significant restructuring of the Consumer Financial Protection Bureau (CFPB) and its priorities, the rising role of state regulators, the rapid adoption of AI, and evolving litigation trends. Keep reading below for our key takeaways from the conference.

What Were the Core Themes at This Year’s Conference?

The following themes surfaced in nearly every session:

Big Shift in the Federal Regulatory Environment

The most common theme was the shift in the federal regulatory environment. Much discussion centered on changes in resources and priorities at key agencies, particularly the CFPB and Federal Trade Commission (FTC).

The corresponding increase in activity by state regulators also received significant attention. Panelists stressed that this shift does not mean that the industry will be less regulated, just that the risks will be less predictable.

Artificial Intelligence

AI was another connective thread linking many sessions. Panelists discussed best practices for adopting and monitoring AI tools, as well as approaches to risk management in a highly unpredictable, rapidly developing regulatory environment.

These discussions stressed the importance of effective testing and monitoring of the tools’ performance and activity logs, carefully negotiating vendor agreements, ensuring sufficient documentation is retained, and staying abreast of legislation and new regulatory guidance.

What Emerging Litigation Trends Should the Industry Be Watching?

Key themes that mortgage industry participants should be watching are the surge in consumer class action filings, the increase in claims under the Real Estate Settlement Procedures Act (RESPA) and Telephone Consumer Protection Act (TCPA), and the observation that, just like state regulators, private plaintiffs are stepping into the void left by retrenchment at the federal level.

Several emerging theories were mentioned across sessions:

Bootstrapping UDAAP Claims

• • Plaintiffs are attempting to repackage violations of federal statutes that lack a private right of action as “unfair” or “deceptive” acts under state unfair, deceptive, or abusive practice (UDAAP) laws. These claims have involved anti-competition theories, junk fees, and negative-option practices.

Proliferating RESPA Class Actions

• • Panelists discussed recent, notable suits alleging illegal referral and kickback schemes and improper steering. These cases often include additional UDAAP and racketeering claims and allege increased prices as a result of the challenged practices.

New TCPA Theories

• • Plaintiffs are making use of the US Supreme Court’s decision in McLaughlin v. McKesson, which opened the door for district courts to challenge FCC interpretations and created exposure around text messages and “quiet hours” provisions, to bring new species of TCPA claims.

A Surge in False Claims Act Qui Tam Filings

• • The Department of Justice (DOJ) just announced a record-breaking year for false claims settlements and judgments. Panelists predict the surge will continue this year.

Where are State Regulators Focusing Their Attention?

State regulators and attorneys general are coordinating closely and increasingly using multi-state exams to leverage their resources. Panelists noted that several cases dropped by the CFPB have already been picked up by state AGs.

Some observed that state regulators have been less willing than in years past to resolve seemingly minor issues through non-public channels, and have instead insisted on issuing public consent orders.

Key Areas of Increased State Activity

• • RESPA and anti-referral payment laws, with states pressing a more expansive reading of “thing of value” and scrutinizing arrangements long considered compliant with the statute’s safe-harbor, including Marketing Service Agreements( MSAs), desk rentals, and co-marketing agreements.
  • Loan originator compensation, with states closely scrutinizing compensation structures where multiple mortgage loan originators (MLOs) are involved in the same transaction, as well as the bundling of credit report-related services, and state AGs picking up actions that were dropped by the CFPB.
  • State Community Reinvestment Act (CRA) requirements for nonbank mortgage lenders, with Illinois, Massachusetts, and New York enacting or proposing CRA-style obligations for independent mortgage banks.
  • Servicing issues, including heightened scrutiny of fraud prevention practices, escrow management, borrower communication issues, and Servicemembers Civil Relief Act (SCRA) compliance.

What About Data Privacy and Cybersecurity?

State privacy laws are proliferating, enforcement activity is gearing up, and the mortgage industry remains a high-value target for bad actors. Mortgage industry participants who are unfortunate enough to suffer a cybersecurity incident should prepare for regulatory scrutiny and class action lawsuits.

Panelists discussed California’s CCPA regulations, which include new cybersecurity audit requirements, risk assessment obligations, and Automated Decision-Making Technology regulations that require pre-use notice and opt-out mechanisms. Some also observed that regulators are viewing mortgage marketing as a privacy issue, with trigger leads now restricted under the Homebuyers Privacy Protection Act.

Private plaintiffs continue to be active in this area, too, with litigation increasingly targeting ordinary website tools, such as tracking pixels, cookies, and analytics, for allegedly capturing and sharing user data without consent.

What Practical Advice Did Panelists Offer for Navigating the Evolving Industry Environment?

Conference presenters offered the following guidance for navigating the mortgage industry’s changing environment:

Shift to a Multi-jurisdictional Posture

• • View states as primary regulators, not backstops.
  • Establish systems to monitor legislation and proposed regulations, make efforts to know your key state regulators, and engage with state-specific trade associations to anticipate enforcement trends.

Consider the Strictest Standard as a Baseline

• • As part of this multi-jurisdictional posture, panelists observed that it may make sense to build policies that comply with the most demanding jurisdiction in which you operate.
  • This may be the best approach to demonstrate compliance in high-risk areas where leading states are enacting statutes such as AI, privacy, and cybersecurity. This could also help reduce compliance headaches as additional states adopt rules and during multi-state examinations.

Understand the Importance of Documentation

• • Panelists across multiple sessions mentioned maintaining robust documentation as a key way to prepare for unexpected regulatory scrutiny in the future.

Commission Proactive Audits or Self-assessments

• • Contemporaneous audit results can be strong evidence of compliance with a particular requirement. Some state regulators, including California’s Department of Financial Protection and Innovation (DFPI), are increasingly requiring independent audits as a condition for resolving consent orders.
  • At a minimum, companies should maintain a self-assessment program that assesses the effectiveness of risk controls.

Build a Robust Cybersecurity Program

• • Examiners are looking for regular risk assessments, updated policies, sufficient audits, and comprehensive documentation.

We are Here to Help

If you would like to discuss any of these developments or their potential implications for your business, please contact the authors or your Hinshaw attorney.