If you work at a financial institution (FI), you know the words that shape the industry: laws, regulations, rules, guidance, and policies. While they may seem like interchangeable jargon, each term has a distinctive significance. Grasping these differences is crucial not only for upholding a strong compliance posture but also for making informed decisions that can impact your institution’s success.
| Category | Laws | Regulations | Rules | Supervisory Guidance |
|---|---|---|---|---|
| Definition | Statutes passed by legislative bodies that create binding legal obligations | Agency-developed directives that implement laws | Prescriptive procedures or methods tied to regulations | Resources that clarify expectations or best practices |
| Authority | Enacted by Congress or state legislatures | Issued by regulatory agencies under statutory authority | Created by agencies or self-regulatory organizations | Issued by agencies; not legally binding but influential |
| Enforcement | Enforced through courts and legal proceedings | Enforced by regulatory bodies through exams or enforcement actions | May be enforced as part of a regulatory exam or operational review | Not enforceable, but often considered in supervision or enforcement |
| Purpose | Establish broad legal frameworks and rights | Translate laws into enforceable operational requirements | Define specific compliance processes or standards | Provide clarity on how to interpret or apply laws and regulations |
| Examples | Truth in Lending Act, Equal Credit Opportunity Act | Regulation Z (TILA), Regulation B | Open Banking Rule under Section 1033, Small Business Lending Rule under Section 1071 | FFIEC cybersecurity guidance, OCC bulletins |
| Flexibility | Rigid; changes require legislative action | More agile; can be updated by agencies through rulemaking | Moderately flexible, depending on agency discretion | Most flexible; can be revised or withdrawn at any time |
What are laws?
A law is a legal requirement enacted by a legislature, a governing body responsible for creating and passing laws. Laws are legally binding statutory mandates, meaning that FIs must follow them unless they provide exceptions. Only the U.S. Congress or a state legislature can repeal or amend a law.
Federal laws vs. state laws
Federal laws are passed by both houses of Congress and then signed by the president. Examples of federal laws FIs must follow include the Truth in Lending Act (TILA), the Gramm-Leach-Bliley Act (GLBA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).
State laws function independently from federal ones. These laws can vary widely, especially in areas such as lending, data privacy, cybersecurity, and financial technology (fintech). For example, the California Consumer Privacy Act and the New York SHIELD Act aim to enhance consumer data privacy and security.
For FIs operating in multiple states, navigating each state’s laws and regulatory updates can be challenging. Following the attorneys general in the states where your FI operates and tracking updates using automated compliance management tools is crucial to ensure your FI doesn’t miss a new law or other regulatory update.
What are regulations?
A regulation is a binding rule issued by a federal or state agency to implement the specifics of a law. Agencies such as the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB) take the broad concepts in a bill (the proposal) and define the details of how it will be carried out and enforced through regulations. For example, Regulation Z implements and enforces the Truth in Lending Act (TILA), while Regulation B does the same for the Equal Credit Opportunity Act (ECOA).
An agency can amend or rescind a regulation, but it must go through a formal process.
What are rules?
Rules are the specific components within a regulation that make it enforceable. While regulations cover a topic broadly, rules get into the nitty-gritty.
Regulations often comprise many individual rules. For example, Dodd-Frank includes nearly 400 rule mandates, including the Open Banking Rule under Section 1033, which mandates that FIs provide consumers with access to their financial data (such as in a standardized electronic format upon request), and the Small Business Lending Rule under Section 1071, which requires lenders to collect demographic and application data from small business borrowers.
Rules can be rescinded, but in many cases, the relevant agency would have to replace the rule with a new one that still fulfills the law’s requirements.
What is guidance?
Supervisory guidance is supplemental material published by an agency that helps clarify existing rules and expectations. It includes interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions.
In 2018, federal banking agencies joined forces in an interagency statement clarifying the role of supervisory guidance:
- Outlines regulators’ supervisory expectations or recommended practices.
- Helps institutions understand how agencies view safety, soundness, and consumer protection principles.
- Promotes consistency in supervision across institutions.
Supervisory guidance does not have the force and effect of law, so there is no formal proposal or comment period, though an agency may seek public comment. While an FI can’t “violate” guidance, examiners can cite it as an example of best practices for complying with laws and regulations if deficiencies are noted.
Direct regulatory guidance (consent orders, report of examination findings, or enforcement letters, for example) does require action and can lead to formal action if ignored.
What are policies?
Policies are governance tools used by FIs to interpret and implement regulations. Policies differ across institutions based on their size, complexity, location, services, and other factors.
There are two types of policies:
- Regulatory policies ensure compliance with laws, regulations, and regulatory guidance, such as the CAN-SPAM Act and Fair Lending Act policies.
- Operational policies direct internal processes to support efficiency, risk management, and daily operations, such as overdraft, branch closing, physical security, and remote deposit capture policies.
Some policies overlap and cover both areas, such as third-party risk management and incident response.
When followed, effective policies help reduce or manage risk. Ultimately, while it isn’t against the law to not follow policy, failing to follow policy could result in breaking a law.
FAQs
What is the difference between laws and regulations?
Laws are mandates passed by legislatures, and regulations are the detailed rules agencies draft to enforce those laws. A law answers the “what” and “why” of a statute, and regulations explain the “how.” Knowing both is crucial for FIs that must meet compliance standards in a highly regulated environment.
My FI received direct regulatory guidance. What do we do now?
To respond effectively to direct regulatory guidance, start by creating a comprehensive list of each issue, directive, or deficiency cited by regulators. Engage your leadership team to clarify expectations and ensure remediation efforts are aligned across your institution, not siloed.
Next, assign a responsible individual to each corrective action, and document roles, timelines, and deliverables using a master control document or project management tool. Track progress regularly and maintain detailed documentation to demonstrate to your leadership and examiners that issues are being actively addressed. As the saying goes, “if it’s not documented, it didn’t happen.”
My institution's policies are collecting dust. What can we do to maximize their potential?
Policies are governance tools, but too often FIs treat their policies as mere formalities. Keep these tips in mind as you revisit your policies:
- Define roles and responsibilities across all levels—staff, management, audit, and board.
- Use plain language and keep policies separate from procedures for clarity and easier updates.
- Ensure policies are communicated effectively through leadership messaging and staff training.
- Regularly review and update policies to keep them current, actionable, and aligned with your institution’s governance strategy.
Need a new policy but don’t know where to begin? Customize a sample policy to meet your organization’s needs and review the dozens of sample policies in Ncomply.
Understanding the difference between laws, regulations, rules, guidance, and policies is essential for financial institutions aiming to stay compliant and operate efficiently. A clear grasp of these terms helps institutions navigate an increasingly complex regulatory landscape — supporting both institutional success and consumer protection.
The right compliance management software can help your FI streamline compliance, improve performance, and stay exam-ready. Learn what to look for in a CMS in our buyer’s guide.