The top data breaches of September 2025 included significant incidents across diverse sectors, from automotive and luxury fashion to aviation and fintech. Taken together, these events show that attackers are focusing on vendor ecosystems and shared platforms, creating ripple effects that extend well beyond a single organization.
On September 29, 2025, FinCEN issued a Notice and Request for Comment (the “Notice”) on a proposed information gathering exercise – A Survey of the Costs of Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Compliance (the “Survey”). Specifically, the Survey is intended to gather information on direct compliance costs incurred by non-bank financial institutions in AML/CFT compliance and, to the extent those costs overlap with other obligations, the amount directly attributable to AML/CFT compliance.
When it comes to oversight of third-party collection vendors, most creditors naturally focus on the standard criteria: compliance, data security, and proper payment processing. These are critical boxes to check, no question. But while compliance ensures safety, it doesn’t guarantee success.
To truly understand whether your collection partner is working effectively on your behalf, you need to look beyond compliance. You need to evaluate performance.
On September 22, the U.S. Court of Appeals for the 3rd Circuit affirmed a lower court’s decision to sanction two attorneys and their law firm for allegedly orchestrating a scheme to manufacture FDCPA violations. The court found that the attorneys sent fabricated, handwritten dispute letters to debt collectors, intending to provoke technical violations of the statute and collect attorney’s fees. The attorneys purportedly directed their firm’s lawyers and paralegals to send obfuscating, handwritten letters designed to be difficult for debt collectors’ automated systems to recognize, increasing the likelihood that the debts would not be marked as disputed. If a debt collector failed to respond appropriately, the attorneys would file lawsuits seeking statutory damages of up to $1,000 per violation, plus costs and attorney’s fees.
On September 23, the CPPA announced that the California Office of Administrative Law approved final regulations covering cybersecurity audits, risk assessments, automated decision-making technology, insurance companies, and updates to existing California Consumer Privacy Act (CCPA) regulations. The regulations are set to take effect January 1, 2026, but businesses have additional time to comply with certain requirements, including those related to cybersecurity audits, risk assessments, and automated decision-making technologies. As previously covered by InfoBytes, the CPPA initially released its regulations in July 2025 following the expiration of the 45-day comment period.