
Laws vs. Regulations vs. Rules vs. Guidance: What Are the Differences?

Aug 21, 2025

If you work at a financial institution (FI), you know the words that shape the industry: laws, regulations, rules, guidance, and policies. While they may seem like interchangeable jargon, each term has a distinct meaning. Grasping these differences is crucial not only for upholding a strong compliance posture but also for making informed decisions that can impact your institution’s success.


At a glance:

Laws
  Definition: Statutes passed by legislative bodies that create binding legal obligations
  Authority: Enacted by Congress or state legislatures
  Enforcement: Enforced through courts and legal proceedings
  Purpose: Establish broad legal frameworks and rights
  Examples: Truth in Lending Act, Equal Credit Opportunity Act
  Flexibility: Rigid; changes require legislative action

Regulations
  Definition: Agency-developed directives that implement laws
  Authority: Issued by regulatory agencies under statutory authority
  Enforcement: Enforced by regulatory bodies through exams or enforcement actions
  Purpose: Translate laws into enforceable operational requirements
  Examples: Regulation Z (TILA), Regulation B (ECOA)
  Flexibility: More agile; can be updated by agencies through rulemaking

Rules
  Definition: Prescriptive procedures or methods tied to regulations
  Authority: Created by agencies or self-regulatory organizations
  Enforcement: May be enforced as part of a regulatory exam or operational review
  Purpose: Define specific compliance processes or standards
  Examples: Open Banking Rule under Section 1033, Small Business Lending Rule under Section 1071
  Flexibility: Moderately flexible, depending on agency discretion

Supervisory Guidance
  Definition: Resources that clarify expectations or best practices
  Authority: Issued by agencies; not legally binding but influential
  Enforcement: Not enforceable, but often considered in supervision or enforcement
  Purpose: Provide clarity on how to interpret or apply laws and regulations
  Examples: FFIEC cybersecurity guidance, OCC bulletins
  Flexibility: Most flexible; can be revised or withdrawn at any time

What are laws?

A law is a legal requirement enacted by a legislature, the governing body responsible for creating and passing laws. Laws are legally binding statutory mandates, meaning that FIs must follow them unless the law itself provides an exception. Only the U.S. Congress or a state legislature can repeal or amend a law.

Federal laws vs. state laws

Federal laws are passed by both houses of Congress and then signed by the president. Examples of federal laws FIs must follow include the Truth in Lending Act (TILA), the Gramm-Leach-Bliley Act (GLBA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).

State laws function independently from federal ones. These laws can vary widely, especially in areas such as lending, data privacy, cybersecurity, and financial technology (fintech). For example, the California Consumer Privacy Act and the New York SHIELD Act aim to enhance consumer data privacy and security.

For FIs operating in multiple states, navigating each state’s laws and regulatory updates can be challenging. Following the attorneys general in the states where your FI operates and tracking updates with automated compliance management tools helps ensure your FI doesn’t miss a new law or other regulatory update.


What are regulations?

A regulation is a binding rule issued by a federal or state agency to implement the specifics of a law. Agencies such as the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB) take the broad concepts in a statute and define, through regulations, the details of how it will be carried out and enforced. For example, Regulation Z implements the Truth in Lending Act (TILA), while Regulation B implements the Equal Credit Opportunity Act (ECOA).

An agency can amend or rescind a regulation, but it must go through a formal process, typically notice-and-comment rulemaking: the agency publishes a proposed rule, accepts public comments, and then issues a final rule.

What are rules?

Rules are the specific components within a regulation that make it enforceable. While regulations cover a topic broadly, rules get into the nitty-gritty. 

Regulations often comprise many individual rules, and a single law can require many of them. For example, Dodd-Frank includes nearly 400 rulemaking mandates, including the Open Banking Rule under Section 1033, which requires FIs to provide consumers with access to their financial data (such as in a standardized electronic format upon request), and the Small Business Lending Rule under Section 1071, which requires lenders to collect demographic and application data from small business borrowers.

Rules can be rescinded, but in many cases, the relevant agency would have to replace the rule with a new one that still fulfills the law’s requirements. 

What is guidance?

Supervisory guidance is supplemental material published by an agency that helps clarify existing rules and expectations. It includes interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions. 

In 2018, federal banking agencies issued a joint interagency statement clarifying the role of supervisory guidance. According to that statement, supervisory guidance:

  • Outlines regulators’ supervisory expectations or recommended practices.
  • Helps institutions understand how agencies view safety, soundness, and consumer protection principles.
  • Promotes consistency in supervision across institutions.

Supervisory guidance does not have the force and effect of law, so there is no formal proposal or comment period, though an agency may seek public comment. While an FI can’t “violate” guidance, examiners can cite it as an example of best practice for complying with laws and regulations when they note deficiencies.

Direct regulatory guidance (for example, consent orders, report of examination findings, or enforcement letters) does require action and can lead to formal enforcement action if ignored.

What are policies?

Policies are governance tools used by FIs to interpret and implement regulations. Policies differ across institutions based on their size, complexity, location, services, and other factors.

There are two types of policies:

  • Regulatory policies ensure compliance with laws, regulations, and regulatory guidance. Examples include CAN-SPAM Act, Community Reinvestment Act, Regulation C, UDAAP, and fair lending policies.
  • Operational policies direct internal processes to support efficiency, risk management, and daily operations. Examples include overdraft, branch closing, physical security, and remote deposit capture policies.

Some policies are both regulatory and operational, such as BSA/AML/CFT, business continuity management, incident response, third-party risk management (TPRM), and acceptable use policies.

When followed, effective policies help reduce or manage risk. Ultimately, while it isn’t against the law to not follow an internal policy, failing to follow policy can result in breaking a law.


FAQs

What is the difference between laws and regulations?

Laws are mandates passed by legislatures, and regulations are the detailed rules agencies draft to implement and enforce those laws. A law answers the “what” and “why,” and regulations explain the “how.” Knowing both is crucial for FIs that must meet compliance standards in a highly regulated environment.

My FI received direct regulatory guidance. What do we do now?

To respond effectively to direct regulatory guidance, start by creating a comprehensive list of each issue, directive, or deficiency cited by regulators. Engage your leadership team to clarify expectations and ensure remediation efforts are aligned across your institution rather than siloed.

Next, assign a responsible individual to each corrective action, and document roles, timelines, and deliverables using a master control document or project management tool. Track progress regularly and maintain detailed documentation to demonstrate to your leadership and examiners that issues are being actively addressed. As the saying goes, “if it’s not documented, it didn’t happen.”

My institution's policies are collecting dust. What can we do to maximize their potential? 

Policies are governance tools, but too often FIs treat their policies as mere formalities. Keep these tips in mind as you revisit your policies:

  • Define roles and responsibilities across all levels—staff, management, audit, and board.
  • Use plain language and keep policies separate from procedures for clarity and easier updates.
  • Ensure policies are communicated effectively through leadership messaging and staff training.
  • Regularly review and update policies to keep them current, actionable, and aligned with your institution’s governance strategy.


Understanding the difference between laws, regulations, rules, guidance, and policies is essential for financial institutions aiming to stay compliant and operate efficiently. A clear grasp of these terms helps institutions navigate an increasingly complex regulatory landscape — supporting both institutional success and consumer protection.
