The Expansion of State-Level Regulation—and What It Means for Compliance

This episode of the ProSight Banking Strategies podcast explores how U.S. states are taking a more active role in financial services regulation as federal oversight shifts, creating a complex and evolving patchwork of rules for banks and credit unions. Lynne Johnston of Huron shares practical strategies for navigating this environment, from simplifying compliance approaches to building better monitoring and early-warning systems.

Subscribe to ProSight Podcasts: Apple, Spotify, Amazon Music, YouTube

TRANSCRIPT:

Frank Devlin: This is the ProSight Banking Strategies Podcast. We’re here to inform you on the top trends, challenges, and opportunities in banking today. ProSight is a leading, non-lobbying connector of people and information with deep expertise in risk, fraud, compliance, and retail and commercial banking. Our purpose is to empower financial services leaders, to strengthen and advance our industry through training and insights as well as tools and resources like this podcast.

Hello and welcome to this ProSight Banking Strategies Podcast. I’m Frank Devlin, a senior editor at ProSight. In recent years, something pretty significant has been happening in financial services regulation at the state level. As federal oversight has shifted and in some cases pulled back, states are stepping in. From adopting their own versions of consumer protection standards, to leveraging frameworks like Dodd-Frank, states are not just filling in gaps, they’re reshaping the regulatory landscape. For banks and credit unions, that raises a whole set of practical questions. How do you navigate a patchwork of state requirements that may overlap or even conflict? And are larger institutions better equipped to handle that complexity with smaller banks feeling the strain more acutely? And where is this headed?

Today, we’re going to unpack all of that and more with our guests, Lynne Johnston, a senior director at Huron. Before we get started, Lynne, I was wondering if you could share a little bit about your background in regulatory and compliance work.

Lynne Johnston: Sure, Frank, and thank you for having me. I started my career as a lawyer and I have worked for longer than I’m willing to acknowledge in financial services. I was with a regulator. I worked in-house at banks. And most recently I’ve been working as a consultant, and my focus throughout all of this has always been on regulatory compliance for financial services firms of all types.

Devlin: Great. Well, thank you. Sounds like we have the right person to help us understand what’s happening right now. So at a high level, how would you describe what’s happening right now with state involvement and bank regulation?

Johnston: Well, we’re certainly seeing, I don’t want to call it a flurry, but we are seeing a lot of new laws on the books, or rules, or regulations that really fit a consumer protection focus. And we’re also going to mention that there is going to be a new department in California dedicated to consumer protection. But I’ll start with the laws that are pretty interesting.

The first one is New York State enacted the FAIR Act earlier this year and that one adds unfair acts or practices and abuse of acts and practices as prohibited conduct to their existing consumer protection law. And the New York State Attorney General who sponsored this legislation said that she was sponsoring it specifically to protect consumers in response to the federal government’s retreat from protecting consumers. And so that law is now in effect and that very much expands New York’s ability to bring actions that are like a UDAAP action that had been brought by the CFPB.

In addition to that, there are at least 16 states have enacted measures to combat so called junk fees. And many of these have been enacted following the change in administration and the CFPB’s pullback from focusing on junk fees. And there are many more states that have pending legislation on junk fees. This one will be very complex for firms as well because the definition of what is a junk fee varies greatly from state to state. For example, if you look at Georgia, their junk fees are tied to fees related to people that are renting property. So there’s a lot of complexity to that.

And then focusing on California, California has established a new department called the Business and Consumer Services Agency that will launch on July 1. And Governor Newsom’s office stated in a press release that the department was specifically established in response to a, quote, “rollback of federal protections.” The other interesting thing about this new, it’s referred to in its title as an agency, but it apparently is a Department of California, is that Governor Newsom has tapped the former CFP director in the Biden administration, Rohit Chopra, to be the inaugural director for this agency.

So when we take into account all of those things, we’re certainly seeing a lot of activity happening that is impacting financial institutions that may either do business in those states or who have customers who reside in those states.

Devlin: So it’s pretty interesting when you think about it. So not only are some states recreating some practices of the CFPB, here we have a state that actually is bringing in the former CFPB leader. So there’s definitely a lot of interest in the states to fill in what they’re perceiving as a gap in consumer protection, for sure. You talked about several states taking this tech. Are they coordinating? Are they following each other’s leads? Is this more organic than that? Is it a little bit of both?

Johnston: I think it’s a bit of both really. One thing to understand, and I want to preface this, is that I do think states have always been very, state regulators and state attorneys general, have always been very focused on consumer protections, but I think the balance of focus has shifted, certainly for some states, based on the change in administration and the rollback of what the CFPB is being mandated to do.

But in terms of coordination, states have always had some very mature processes for coordinating, and these include there’s a conference of state bank supervisors, which acts as a central coordinating body for the state regulator, state banking regulators. There’s also a state examination system. There’s actually a platform that regulators can use to coordinate exams, coordinate document requests for some joint reporting for firms. And also if certain states want to coordinate on joint exams, it enables them to do so through that platform.

And then there’s also just a traditional one company, one exam program. This really applies to the largest banks that are doing business in many, many states. And what that happens is that the state bank regulators collaborate on doing a single exam of that institution so that bank is not subject to a large number of different states coming in to look at a lot of similar things.

And in addition to that, we haven’t talked about the actions much of state attorneys general, but they are typically the enforcement body in states for violations of consumer protection. There is a National Association of Attorneys General who are very, very active together. And for example, they coordinate on joint actions. On the more informal side, there was a coalition of Democrat Attorneys General who had actually retained Rohit Chopra as an advisor, and this is on a more informal basis, but the reporting is that based in part on his advisory work was part of the reason that the New York Attorney General sponsored the FAIR Act, which is the expansion to the New York State Consumer Protection Law.

Devlin: So even though there is cooperation and coordination, you also mentioned how things can differ from state to state. And bigger banks, international banks have the same kind of issue with different countries and that sort of thing and different trading blocks. But what kind of problems or challenges does that create for someone in compliance, someone who’s making sure that banks are following regulations? How do they deal with that patchwork? Are there best practices? What do you talk to clients about?

Johnston: Sure. So it is a patchwork, and certainly I think one of the challenges is that the patchwork is really expanding. One of the benefits of having a strong federal regulator is that there tends to be sort of a single voice about this is what needs to be done on these things, and it applies across the board. And the patchwork that is occurring is complex. I mean, junk fees is an example, laws, which several states have on their books are different.

One of the best practices that we, and certainly something that we advise clients to do is when there is a patchwork of laws, sometimes the easier thing to do is to say, what is the most stringent law? Can we comply with this most stringent law across the board to limit operational risk with trying to comply? And one of the mistakes we often see is where firms spend a lot of time saying, “I only have to send this disclosure to this one quickly, but other people, other groups, they can get it later,” and that just creates a lot of operational complexity. So our first issue is always try to find the way and that minimum standard that is the simplest way to comply.

When that’s not possible, then we always recommend having sort of modular policies and say, “For this particular law, it’s so specific and stringent.” And it could be a disclosure law to include that separately so that you’re not making the same representation to everybody. But again, even with disclosures, we recommend if you can send one disclosure that lists … And I’m sure you’ve seen it, you receive a disclosure of like, “If you’re a resident of these states, here’s your disclosure. If you’re a resident of these states, here’s your disclosure.” But again, anything that firms can do to reduce their operational complexity, we always recommend when there’s not legal reason or another specific reason why you just don’t want to apply that across the board.

I think one of the other things that just we’re following on that, I think the traditional ways that firms would have of monitoring for these changes in laws usually focus on is it a new law, rule, or a proposed law or rule, and enforcement actions were the ways you would typically monitor and could get ahead of issues. I think now you actually have to, we’re advising clients, focus on monitoring speeches being made by the governor’s office about what’s a priority. Focus on press releases that are being issued. The attorney general is speaking, they usually give you a hint of what they’re focused on. Use that as your early warning system. And most firms don’t have that in place, but it’s something that you can build. A little bit painful. But I think in this sort of fragmented environment, having an early notice is helpful so you don’t find yourself caught unawares and like, “Oh, I didn’t realize that this was a new interpretation.”

Devlin: Yeah, painful. That’s a good word because I’m thinking, “Boy, that sounds expensive. That sounds cumbersome.” Personally, we just had a compliance survey that the respondents, quite a few of them said that the state regulations are what’s keeping them from streamlining their compliance functions as much as maybe they could otherwise if we were just talking about federal regulations and how a lot of compliance budgets are still going up regardless of federal deregulations, listening to speeches, press releases. It also sounds like a lot of things that maybe might not come about. So maybe you’re getting ready for a law or something and it ends up not going through. So, oh, geez, I’ve just put a lot of effort into that, but I guess you’re still better off not being caught unaware of like you’re saying. So it’s a very interesting situation.

Johnston: To me, I always want to avoid surprises. So I think people have focused on there’s new legislations moving through, maybe gets enacted, maybe it doesn’t. But once you see a lot of energy behind an area, I think junk fees is one that you can see a lot of momentum around it.

Devlin: Okay.

Johnston: That would be an area for me, for example, where I would be paying attention to states where there’s commentary about things like junk fees, because I’d be like, there may not be anything formal or public yet, but there’s probably something that is percolating in the background and we want to be paying attention to it, particularly if you have significant business there. For me, it’s a bit of a change in terms of how you monitor and I agree it is not easy.

Devlin: But I mean, I guess like you’re saying, you can become somewhat of a student of it or someone at your bank can become a student of it. And there are times when there’s critical mass and so maybe you could just use your own sort of common sense and you could sense where something is going and it makes it worthwhile to actually prepare for something. So that’s super interesting.

The next question I wanted to ask, this kind of leads into this. If you’re talking about resources that are needed or personnel to do this kind of monitoring in addition to other compliance work, is this a situation where certain kinds of institutions are hit harder and lighter by the state patchwork? Just like a thesis, is it easier or less expensive for a large institution if they’ve got bigger budget and they’re not going to feel it as much? That’s what I intuitively think, but is that wrong or is there something to that? Who’s feeling this most?

Johnston: Look, if you’re very large institutions … And typically very large institutions have very effective government affairs people who are on the ground with states and what is federal, and I’m not saying it’s easy, but they already have an infrastructure in place where they sort of know what’s happening, what the mood is, what’s likely to happen. Because of their size and because of their footprint in those areas, they have that more early warning system. And I think if you’re a very small institution that you really only do business in one or two states and your customers are really concentrated in those areas, I think it’s probably a little bit easier.

I think where it’s most difficult is for those banks that have branches in not a lot of different states, but a few different states, and particularly if it’s sort of a varied region. And we certainly know that there’s a lot of banks who have, through acquisition and other things, have some branches in a lot of different states and also customers who are residents of different states. For example, if you look at the California privacy law, that protection applies to any California resident. And given that California is one of the largest states and certainly one of the most populous in the United States, chances of having a California resident is pretty high for a lot of banks. But others, it may be less of an issue.

I think those where you just have fewer compliance resources and they don’t have the same need to have a large staff on government relations, those are the ones that are really trying to figure out, how do I do this in a way that is risk-based and balanced? I’m a believer in there’s always been notifications that you can set up on the internet and that’s now enhanced by various AI tools. I think leveraging those is another way to monitor. But make no mistake, it’s a painful process.

Devlin: Not easy.

Johnston: Because there’s a lot of judgment involved. Is this something to pay attention to?

Devlin: Exactly. Exactly.

Johnston: Or not.

Devlin: And that’s something where AI maybe can’t tell you and you do need that human judgment. I’ve got all this data. Okay, so where do I think things are really going to land here? It sounds also maybe if you have a, as an institution, if you have a patchwork of branches spread over states, a patchwork of business lines, maybe that’s not the best match for the patchwork of state regulations because it’s not as easy to focus in on one thing and be on top of it. I don’t know if that’s an accurate assessment, but it’s an interesting thing to think about.

Johnston: I think it’s hard. I will say this, some of this goes back to fundamentals. I think it’s so important for firms to maintain good relationships with all of their regulators, and certainly with the state bank regulators, and I think it’s important. It’s just another opportunity to say, “We should just make sure that we are staying in touch with our state bank regulators as appropriate.” Obviously you want to balance that, particularly if you don’t have a very large branch set network in a state. The state bank regulators are good about sharing information. They often have information about what’s happening and they can share it and want to share it with the banks that they regulate. And so something like that is worth making sure you do that. And they typically have a dedicated examiner in charge that you can just check in with and make sure you know what we’re doing, letting you know about something that’s happening, and those kinds of things are worthwhile.

Devlin: Right. I know that just talking to folks who have been on both sides, it’s not really a different side’s philosophy most of the time. It is a lot of times the bank and the regulator want what’s in the best interest for that institution and the industry. And so certainly they are very interested in cooperating and making sure that the financial institution is on best footing it can be on. It is a difficult situation to keep up with, this patchwork, and maybe states have become even more active. Maybe the trend has even become more pronounced. Sometimes it has to do with something of a red state, blue state dynamic where I know that certain states were kind of cutting against the grain in the former administration under President Biden, and now, under President Trump, we’ve got a different dynamic. A lot of indications are that’s where the country is going and polarization could become more pronounced.

So where do you think we might be headed? Final question, what should we be prepared for in coming years? Is this something that banks are just going to have to learn because there’s not going to be a relief? It’s not going to be a day where everyone’s in agreement and every state’s the same and everyone’s happy.

Johnston: Yeah, I don’t have a crystal ball on that, but I do think the one thing I observe is that, regardless of the political, whoever is the dominant political party in a state, one of the things we certainly see is that across the board, there are consumer protection actions happening in all kinds of states and there are always what that state sees as the most significant trend. And I think frankly, my perspective always as a compliance person and somebody in legal was that institutions want to treat consumers fairly and appropriately. That is always part of the core mission of the banks. And I think leading with that and then trying to think about, well, okay, how do we manage to address these things, this complexity? This is the complexity we have of living in this federal and state system.

But my crystal ball is the complexity will continue. I am grateful to AI, which I do think is going to help us both identify these issues upcoming, assess them more easily, and try to get ahead of them more quickly.

Devlin: Well, thank you so much. You shared some really practical advice, really good ideas for our members and audience who are trying to think of how to handle this increasingly complex situation. So I’d like to thank you so much, Lynne, for sharing your perspectives on this ProSight Banking Strategies Podcast today.

To our listeners, thanks for spending your valuable time with us. If you liked it, please spread the word. I’m Frank Devlin.

The views expressed by the speakers are the speakers’ own and do not reflect the views of ProSight Financial Association, BAI, or RMA. The views expressed and information shared are of a general nature and are not intended to address the circumstances of any particular individual or entity. No one should act upon any such views or information shared during this podcast without appropriate professional advice after a thorough examination of the particular situation.