If keeping up with regulatory change at the federal level wasn’t enough work, financial institutions (FIs) must also navigate a complex web of state laws and regulations. State-level requirements can pose financial, compliance, and operational risks that vary by jurisdiction. The more states an institution operates in, the trickier it gets. Monitoring state-specific regulations and tracking enforcement actions is essential for remaining compliant and preparing for future challenges.
Before we discuss how compliance teams can better monitor state regulations, let’s explore the topics that are making waves at the state level.
While federal and state regulations often overlap, there are some critical areas FIs should monitor on the state level:
Consumer protection refers to laws, regulations, actions, and guidance focused on treating customers fairly in the financial marketplace. The Community Reinvestment Act (CRA), the Equal Credit Opportunity Act (ECOA), and the Home Mortgage Disclosure Act (HMDA) are just a few consumer protection laws federal regulators reference when examining compliance programs.
State regulators also evaluate and enforce consumer protection compliance. For example, New York legislators recently introduced a bill to expand the state’s consumer protection laws by prohibiting unfair and abusive business practices, adding to its existing bans on deceptive tactics. States such as Massachusetts and Illinois have their own versions of the CRA.
To combat consumer compliance risk, note the consumer protection laws your state(s) has passed and the specific issues they address, such as junk fees, payday lending, auto loans, and debt collection practices.
Data privacy and cybersecurity have continued to be hot topics as FIs use emerging technology and work with more fintechs and third parties. The CFPB highlighted data and privacy rights in its report, Strengthening State-Level Consumer Protections, which recommends that states adopt specific measures to safeguard consumers.
Some states have already implemented laws focused on these issues, including the California Consumer Privacy Act (CCPA) and the New York SHIELD Act. However, regulations vary at the state level, presenting challenges for FIs operating in multiple states. For instance, if an FI based in South Carolina, where data protection laws are minimal, decides to expand into Massachusetts, known for its stringent data privacy regulations, it must carefully consider the compliance, operational, and financial risks involved.
Over the next several months, monitor the states where your FI operates for updates in these critical areas.
While the mortgage lending industry is regulated on the federal level, every state has its own usury, mortgage disclosure, and fair lending laws, among other rules and regulations.
Each state also varies in its approach to issuing mortgage lending enforcement actions. In 2022, the Massachusetts Attorney General’s Office settled with a mortgage servicer that allegedly engaged in unfair and deceptive conduct through its mortgage servicing, debt collection, and lending practices. Under the settlement terms, the company must pay affected homeowners $2.7 million in direct borrower relief and $500,000 in state penalty fees.
In January 2025, the Texas Department of Savings and Mortgage Lending (SML) and 52 other state regulators announced a settlement with a mortgage banker for deficient cybersecurity practices and failure to cooperate with state regulators following a data breach impacting nearly 6 million customers. While unrelated to lending services, the $20 million penalty underscores the importance of FIs and lenders adhering to cybersecurity regulations and best practices.
To mitigate these risks, lenders should continue tracking state mortgage lending regulations and ensure effective complaint management processes. Regulatory change management is also helpful for identifying, evaluating, and implementing new or amended rules.
Cryptocurrency has been a hotly debated topic over the past few years, and it’s now gaining steam in regulatory discussions. In February 2025, the Securities and Exchange Commission (SEC) launched the Crypto Task Force to clarify how federal securities laws apply to digital currencies and to support innovation while protecting investors. The Office of the Comptroller of the Currency (OCC) also reaffirmed that national banks and federal savings associations can participate in certain activities, such as crypto-asset custody and stablecoins.
Many states have passed or proposed crypto regulations – some more “crypto-friendly” than others. For instance, Wyoming has passed several laws, including the Special Purpose Depository Institutions Act, which allows approved banks to house digital currencies. The state also doesn’t require cryptocurrency businesses to obtain money transmitter licenses. In contrast, Connecticut requires the same companies to obtain licenses from the Connecticut Department of Banking.
If your FI plans to integrate crypto or blockchain-related services and products, follow your state regulators, FinCEN, and the SEC for updates.
With these hot topics in mind, let’s explore some best practices for staying updated on state financial regulations:
Keeping up with state regulations may seem like just another task on top of a busy task list, but as the federal government aligns its focus, we can expect to see states react in kind. Simply put, expect more compliance opportunities and challenges.