How to Keep Up with State Regulations

Feb 12, 2026

If keeping up with regulatory change at the federal level wasn’t enough work, financial institutions (FIs) must also navigate a complex web of state laws and regulations. State-level requirements can pose financial, compliance, and operational risks that vary by jurisdiction. The more states an institution operates in, the trickier it gets. Monitoring state-specific regulations and tracking enforcement actions is essential for remaining compliant and preparing for future challenges.

Before we discuss how compliance teams can better monitor state regulations, let’s explore the topics that are making waves at the state level.

Emerging risks in state regulations

While federal and state regulations often overlap, there are some critical areas FIs should monitor on the state level:

Consumer protection

Consumer protection refers to laws, regulations, actions, and guidance focused on treating customers fairly in the financial marketplace. The Community Reinvestment Act (CRA), the Equal Credit Opportunity Act (ECOA), and the Home Mortgage Disclosure Act (HMDA) are just a few consumer protection laws federal regulators reference when examining compliance programs.

State regulators also evaluate and enforce consumer protection compliance. For example, New York legislators recently passed the Fostering Affordability and Integrity through Reasonable (FAIR) Business Practices Act, a significant update to the state's primary consumer protection statute. States such as Massachusetts and Illinois have their own versions of the CRA. Illinois is currently expanding its CRA rules for state-chartered banks, credit unions, and mortgage companies, including new illustrative lists of qualifying community development activities and an expanded service test for mortgage companies originating 200 or more home mortgage loans annually in the state. All three proposed rules are in the public comment period, so Illinois-chartered FIs should monitor these developments closely.

To combat consumer compliance risk, note the consumer protection laws your state(s) has passed and their specific issues, such as junk fees, payday lending, auto loans, and debt collection practices.

Data privacy and cybersecurity

Data privacy and cybersecurity have continued to be hot topics as FIs use emerging technology and work with more fintechs and other third parties. Under former Director Rohit Chopra's leadership, the CFPB highlighted data and privacy rights in its report, Strengthening State-Level Consumer Protections, which serves as a blueprint for states to implement stronger consumer protections through specific safeguarding measures. 

Some states have already implemented comprehensive laws focused on these issues. Under California's Consumer Privacy Act (CCPA), sweeping regulations were recently finalized that require mandatory cybersecurity audits, detailed risk assessments, and restrictions on automated decision-making technology. New York's cybersecurity regulation (Part 500) has evolved significantly since 2017, with final amendments requiring multi-factor authentication, comprehensive asset inventories, and stricter vendor incident reporting. However, regulations vary significantly state by state, presenting challenges for FIs operating in multiple jurisdictions. An FI based in South Carolina, where data protection laws are minimal, must carefully consider the compliance, operational, and financial risks involved in expanding into Massachusetts, California, or New York.

Over the next several months, monitor the states where your FI operates for updates in these critical areas.

Mortgage lending

While the mortgage lending industry is regulated on the federal level, every state has its own usury, mortgage disclosure, and fair lending laws, among other rules and regulations.

Each state also varies in its approach to issuing mortgage lending enforcement actions. In 2022, the Massachusetts Attorney General’s Office settled with a mortgage servicer that allegedly engaged in unfair and deceptive conduct through its mortgage servicing, debt collection, and lending practices. Under the settlement terms, the company must pay affected homeowners $2.7 million in direct borrower relief and $500,000 in state penalty fees.

In January 2025, the Texas Department of Savings and Mortgage Lending (SML) and 52 other state regulators announced a settlement with a mortgage banker for deficient cybersecurity practices and failure to cooperate with state regulators following a data breach impacting nearly 6 million customers. While unrelated to lending services, the $20 million penalty underscores the importance of FIs and lenders adhering to cybersecurity regulations and best practices.

To mitigate these risks, lenders should continue tracking state mortgage lending regulations and ensure effective complaint management processes are in place. Regulatory change management is also helpful for identifying, evaluating, and implementing new or amended rules.

Artificial intelligence and vendor oversight

As FIs use AI for underwriting, fraud detection, customer service, and other tasks, oversight of these technologies is becoming a regulatory priority — especially when AI is embedded in vendor systems.

In March 2025, Freddie Mac introduced new AI and machine-learning governance requirements for mortgage sellers and servicers, with a March 3, 2026, deadline. The new section in the Seller/Servicer Guide focuses on transparency, accountability, and ethical stewardship, though ambiguity remains about what qualifies as AI, particularly when capabilities are embedded in vendor tools.

Multiple states are accelerating AI legislation, with over 300 bills tracked across 38 state legislatures. For example, California introduced comprehensive requirements through the Transparency in Frontier Artificial Intelligence Act, requiring developers and enterprises to adapt their internal processes and vendor relationships to ensure AI compliance. 

The challenge for most FIs is vendor visibility. AI is often embedded in document automation, income verification, fraud detection, and payment processing — frequently without a clear understanding of how those models work or how vendors govern them, creating black box risk. 

To manage AI-related compliance risks, FIs should create an AI inventory to identify where these systems touch customer data, strengthen vendor due diligence to assess AI governance practices, implement continuous monitoring as models evolve, and prepare for varying state requirements for algorithmic accountability and bias testing.

Crypto and digital assets

Cryptocurrency has been a hotly debated topic over the past few years, and it’s now gaining steam in regulatory discussions. In February 2025, the Securities and Exchange Commission (SEC) launched the Crypto Task Force to clarify how federal securities laws apply to digital currencies and to support innovation while protecting investors. The Office of the Comptroller of the Currency (OCC) also reaffirmed that national banks and federal savings associations can participate in certain activities, such as crypto-asset custody and stablecoins.

Many states have passed or proposed crypto regulations – some more “crypto-friendly” than others. For instance, Wyoming has passed several laws, including the Special Purpose Depository Institutions Act, which allows approved banks to house digital currencies. The state also doesn’t require cryptocurrency businesses to get money transmitter licensing. In contrast, Connecticut requires the same companies to obtain licenses from the Connecticut Department of Banking.

If your FI plans to integrate crypto or blockchain-related services and products, follow your state regulators, FinCEN, and the SEC for updates.  

4 ways to stay compliant with state regulations

With these hot topics in mind, let’s explore some best practices for staying updated on state financial regulations:

  • Follow your state Attorney General’s Office. State attorneys general can prosecute state law violations, and they also have the authority to enforce federal consumer protection laws. It’s crucial to know which specific issues they are focusing on. Are they concerned with consumer protection, junk fees, or cybersecurity? Knowing what your attorney general considers important should influence your institution’s compliance management program and broader risk management strategy.
  • Track enforcement actions. Your state’s enforcement actions indicate the topics, regulations, and institutions government officials care about. Document every notable enforcement action released, especially if the cited institution shares similar products, services, and customers.
  • Refer to regulatory guidance. Guidance refers to supplemental information published by regulatory agencies to clarify existing rules. These documents are a goldmine of information for FIs. For instance, the CFPB's report on Strengthening State-Level Consumer Protections helps both state regulators and FIs by outlining industry best practices.
  • Know your market. Does your FI operate in more than one state? If so, you must take the appropriate measures to receive updates everywhere your FI is registered. For example, if your institution is registered in New York and California, follow the New York Department of Financial Services and the California Department of Financial Protection and Innovation for state-specific information.
  • Use technology to streamline tasks. Compliance officers often spend hours checking regulatory updates. FIs that don’t have dedicated support will shift this work to already busy team members. Automated compliance management software alleviates these issues by providing tailored updates and exam-ready reports, saving FIs time and resources.

Stay the course and stay informed

Keeping up with state regulations may seem like just another task on top of a busy task list, but as the federal government aligns its focus, we can expect to see states react in kind. Simply put, expect more compliance opportunities and challenges.
