States Filling Gaps in Federal Consumer Law

As federal banking regulators retreat from some areas of consumer protection oversight, states are moving decisively to fill the gap. The result is not less regulation for banks, but a more fragmented and, in many cases, more challenging compliance landscape.

States have always played a role in consumer financial protection. Attorneys general enforce state consumer laws, state banking regulators supervise local institutions, and state legislatures regularly pass financial statutes. Even national banks have historically faced state actions, often alongside federal enforcement. What has changed is the intensity and coordination of that activity, says Brian Hughes, a senior advisor at consultant BCG.

That incentive has grown as the Consumer Financial Protection Bureau (CFPB) has stepped back from some of its activities, creating space for state officials to act.

State action, Hughes explained, generally falls into three buckets: building regulatory agencies, passing new laws, and enforcing those laws.

Several states have focused first on capacity-building. California and Pennsylvania, in particular, have developed regulatory agencies modeled on the CFPB. California expanded its Department of Financial Protection and Innovation in 2020 with broad consumer oversight authority and has appointed former CFPB director Rohit Chopra to lead a new business and consumer protection “super agency.” Pennsylvania has maintained a CFPB-style unit for years.

“These are essentially mini‑CFPBs,” Hughes said. “They’re specifically stepping in and saying, ‘The CFPB is stepping back, and we’re taking charge.’”

Alongside agency-building, legislatures are strengthening the legal tools available to regulators. Hughes pointed to New York’s Fair Act as one of the most consequential examples. The law effectively brings the CFPB’s unfair, deceptive, or abusive acts or practices—known as UDAAP—standard into state law.

“That gives the New York attorney general a full‑blown UDAAP toolkit,” Hughes said. “UDAAP requirements are intentionally vague. It gives regulators a lot of discretion, and that’s what makes it such a powerful enforcement tool.”

That discretion is now being exercised. In recent months, New York and Pennsylvania joined more than a dozen other states in a multistate enforcement action against a nonbank lender, even though the company had already settled similar allegations with the CFPB.

“The response from the states was basically, ‘We don’t care,’” Hughes said. “We’ve got our own laws, and federal settlement doesn’t preempt state action.”

Consumer Focus

Despite the broad reach of this activity, it is concentrated primarily in consumer protection and, to a lesser extent, AML. When it comes to larger financial institutions, states have shown little interest in stepping into areas such as bank safety and soundness, which remain federal priorities.

Prudential regulation, he added, is an area where federal regulators have said they intend to be more assertive, not less.

States are also unlikely to pick up areas like reputational risk that federal regulators have deemphasized.  From a risk management perspective, he argued, reputational risk is better understood as a consequence of failures elsewhere. “It’s a consequential risk. It usually arises because of poor risk management in another area.”

Geographically, the most active states are clear. New York and California “are all over this,” Hughes said. Pennsylvania is close behind, with Massachusetts and Colorado also emerging as notable players, particularly around so‑called junk fees and consumer disclosures.

Complexity, Not Relief

For many banks, this proliferation of state activity has countered the regulatory relief some may have expected when federal oversight eased. Instead, it has introduced new complexity.

“You now have a fragmentation of regulation,” Hughes said. “As soon as a state does something, you have to analyze whether they have jurisdiction, whether preemption applies, and if it doesn’t, you have to comply. It makes things harder, not easier.”

That complexity is reflected in banks’ compliance budgets which, data from ProSight’s 2026 Compliance Outlook Survey show, are expected to rise in the year ahead. While some institutions have reduced spending, Hughes said those cuts are often tied to the completion of costly remediation efforts following enforcement actions, not to a belief that compliance is no longer necessary.

“There’s no clear trend of banks saying, ‘We don’t have to worry about this anymore,’” he said.

One reason is uncertainty. Priorities can change quickly with political shifts, and future federal leadership could restore the previous regulatory approach. Even rules that have been deprioritized federally can be revisited retrospectively.

“A lot of banks are saying, ‘We’re not changing,’” Hughes said. “A new CFPB director can still examine the period we’re in right now and put their own interpretation on what is required for compliance.”

That caution reflects a broader view of compliance as risk management rather than box-checking. It also reflects institutional values. Some banks, Hughes noted, maintain strong consumer protection practices not only to manage regulatory risk, but because they believe it benefits customers and the institution over the long term.

In that sense, current trends aren’t so much about deregulation as they are about redistribution. Federal oversight may ebb and flow, but regulation itself is not disappearing. It is shifting to the states and banks are being forced to adjust.