-min.png)
If keeping up with regulatory change at the federal level wasn’t enough work, financial institutions (FIs) must also navigate a complex web of state laws and regulations. State–level requirements can pose financial, compliance, and operational risks that vary by jurisdiction. The more states an institution operates in, the trickier it gets. Monitoring state-specific regulations and tracking enforcement actions is essential for remaining compliant and preparing for future challenges.
Before we discuss how compliance teams can better monitor state regulations, let’s explore the topics that are making waves at the state level.
Related: March 2025 Regulatory Update: 1071, CFPB overdraft rule, and enforcement trends
Emerging risks in state regulations
While federal and state regulations often overlap, there are some critical areas FIs should monitor on the state level:
Consumer protection
Consumer protection refers to laws, regulations, actions, and guidance focused on treating customers fairly in the financial marketplace. The Community Reinvestment Act (CRA), the Equal Credit Opportunity Act (ECOA), and the Home Mortgage Disclosure Act (HMDA) are just a few consumer protection laws federal regulators reference when examining compliance programs.
State regulators also evaluate and enforce consumer protection compliance. For example, New York legislators recently introduced a bill to expand the state’s consumer protection laws by prohibiting unfair and abusive business practices, adding to its existing bans on deceptive tactics. States such as Massachusetts and Illinois have their versions of CRA.
To combat consumer compliance risk, note the consumer protection laws your state(s) has passed and their specific issues, such as junk fees, payday lending, auto loans, and debt collection practices.
Related: Examiners Want to Know: Does Your CMS Ensure Consumer Protection & Compliance?
Data privacy and cybersecurity
Data privacy and cybersecurity have continued to be hot topics as FIs use emerging technology and work with more fintechs and third parties. The CFPB highlighted data and privacy rights in its report, Strengthening State-Level Consumer Protections, which recommends that states adopt specific measures to safeguard consumers.
Some states have already implemented laws focused on these issues, including the California Consumer Privacy Act (CCPA) and the New York SHIELD ACT. However, regulations vary at the state level, presenting challenges for FIs operating in multiple states. For instance, if an FI based in South Carolina, where data protection laws are minimal, decides to expand into Massachusetts, known for its stringent data privacy regulations, it must carefully consider the compliance, operational, and financial risks involved.
Over the next several months, monitor the states where your FI operates for updates in these critical areas.
Related: A Cybersecurity Assessment Tool Designed for Financial Institutions
Mortgage lending
While the mortgage lending industry is regulated on the federal level, every state has its usury, mortgage disclosure, and fair lending laws, among other rules and regulations.
Each state also varies in its approach to issuing mortgage lending enforcement actions. In 2022, the Massachusetts Attorney General’s Office settled with a mortgage servicer who allegedly engaged in unfair and deceptive conduct through its mortgage servicing, debt collection, and lending practices. Under the settlement terms, the company must pay affected homeowners $2.7 million in direct borrow relief and $500,000 in state penalty fees.
In January 2025, the Texas Department of Savings and Mortgage Lending (SML) and 52 other state regulators announced a settlement with a mortgage banker for deficient cybersecurity practices and failure to cooperate with state regulators following a data breach impacting nearly 6 million customers. While unrelated to lending services, the $20 million penalty underscores the importance of FIs and lenders adhering to cyberactivity regulations and best practices.
To mitigate these risks, lenders should continue tracking state mortgage lending regulations and ensure effective complaint management processes. Regulatory change management is also helpful for identifying, evaluating, and implementing new or amended rules.
Related: 10 Best Practices for a Better Lending Compliance Program in 2025
Crypto and digital assets
Cryptocurrency has been a hotly debated topic over the past few years, but it’s gaining steam in regulatory discussions. In February 2025, the Securities and Exchange Commission (SEC) launched the Crypto Task Force to clarify how federal securities laws apply to digital currencies and to support innovation while protecting investors. The Office of the Comptroller of the Currency (OCC) also reaffirmed that national banks and federal savings associations can participate in certain activities, such as crypto-asset custody and stablecoins.
Many states have passed or proposed crypto regulations – some more “crypto-friendly” than others. For instance, Wyoming has passed several laws, including the Special Purpose Depository Institutions Act, which allows approved banks to house digital currencies. The state also doesn’t require cryptocurrency businesses to get money transmitter licensing. In contrast, Connecticut requires the same companies to obtain licenses from the Connecticut Department of Banking.
If your FI plans to integrate crypto or blockchain-related services and products, follow your state regulators, FinCEN, and the SEC for updates.
Related: Enforcement Actions Roundup: February 2025
4 ways to stay compliant with state regulations
With these hot topics in mind, let’s explore some best practices for staying updated on state financial regulations:
- Follow your state’s Attorney General Office. State attorneys general can prosecute state law violations, and they also have the authority to enforce federal consumer protection laws. It’s crucial to know which specific issues they are focusing on. Are they concerned with consumer protection, junk fees, or cybersecurity? Knowing what your attorney general considers important should influence your institution’s compliance management program and broader risk management strategy.
- Track enforcement actions. Your state’s enforcement actions indicate the topics, regulations, and institutions government officials care about. Document every notable enforcement action released, especially if the cited institution shares similar products, services, and customers.
- Refer to regulatory guidance. Guidance refers to supplemental information published by regulatory agencies to clarify existing rules. These documents are a goldmine of information for FIs. For instance, the CFPB's report on Strengthening State-Level Consumer Protections helps both state regulators and FIs by outlining industry best practices.
- Know your market. Does your FI operate in more than one state? If so, you must take the appropriate measures to receive updates everywhere your FI is registered. For example, if your institution is registered in New York and California, follow the New York Department of Financial Services and the California Department of Financial Protection and Innovation for state-specific information.
- Use technology to streamline tasks. Compliance officers often spend hours checking regulatory updates. FIs that don’t have dedicated support will shift this work to already busy team members. Automated compliance management software alleviates these issues by providing tailored updates and exam-ready reports, saving FIs time and resources.
Related: Access a real-time database of 6,000+ U.S. and state rules and laws with Ncomply.
Stay the course and stay informed
Keeping up with state regulations may seem like just another task on top of a busy task list, but as the federal government aligns its focus, we can expect to see states react in kind. Simply put, expect more compliance opportunities and challenges.
Want more regulatory news and updates?
Watch our 2025 Regulatory Expectations & Enforcement Webinar on demand.
Subscribe to the Nsight Blog
Share this
Regulatory Brief for February 2023: Court cases, RESPA and Junk Fees
March 2025 Regulatory Update: 1071, CFPB overdraft rule, and enforcement trends
