The regulatory landscape for financial organizations is shifting. Agencies are rescinding guidance, rewriting rules, and reinterpreting longstanding requirements. Whether you're responding to an examiner, updating your compliance program, or tracking a rule change, it matters whether you're looking at a law, a regulation, a rule, or supervisory guidance. The differences aren't just semantic — they determine what's enforceable, what's flexible, and what your organization is required to do.
| | Laws | Regulations and Rules | Industry Rules | Supervisory Guidance |
|---|---|---|---|---|
| Definition | Statutes passed by legislative bodies that create binding legal obligations | Agency-developed directives that implement laws; "regulations" and "rules" are often used interchangeably | Directives issued by industry organizations that create binding obligations for participating institutions | Resources that clarify expectations or best practices |
| Authority | Enacted by Congress or state legislatures | Issued by regulatory agencies under statutory authority | Issued by industry bodies such as Nacha and card networks | Issued by agencies; not legally binding but influential |
| Enforcement | Enforced through courts and legal proceedings | Enforced by regulatory bodies through exams or enforcement actions | Enforced by the issuing organization through its own compliance and participation requirements | Not enforceable, but often considered in supervision or enforcement |
| Purpose | Establish broad legal frameworks and rights | Translate laws into enforceable operational requirements | Govern operational standards for a specific industry or network | Provide clarity on how to interpret or apply laws and regulations |
| Examples | Truth in Lending Act, Equal Credit Opportunity Act | Regulation Z (TILA), Regulation B (ECOA), Small Business Lending Rule under Section 1071 | Nacha ACH Operating Rules, Visa and Mastercard network rules | FFIEC cybersecurity guidance, OCC bulletins |
| Flexibility | Rigid; changes require legislative action | More agile; can be updated by agencies through rulemaking | Set and updated by the issuing organization | Most flexible; can be revised or withdrawn at any time |
What are laws?
A law is a legal requirement enacted by a legislature, a governing body responsible for creating and passing laws. Laws are legally binding statutory mandates, meaning that FIs must follow them unless an express exception within the law applies. Only the U.S. Congress or a state legislature can repeal or amend a law.
Federal laws vs. state laws
Federal laws (also called statutes) are passed by both houses of Congress and then signed by the president. Examples of federal laws FIs must follow include the Truth in Lending Act (TILA), the Gramm-Leach-Bliley Act (GLBA), and the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank).
State laws function independently from federal ones. These laws can vary widely, especially in areas such as lending, data privacy, cybersecurity, and financial technology (fintech). For example, both the California Consumer Privacy Act and the New York SHIELD Act aim to enhance consumer data privacy and security.
For FIs operating in multiple states, navigating each state’s laws and regulatory updates can be challenging. Following the attorneys general in the states where your FI operates and tracking updates using automated compliance management tools is crucial to ensure your FI doesn’t miss a new law or other regulatory update.
What are regulations and rules?
A regulation is a binding directive issued by a federal or state agency to implement the specifics of a law. Agencies such as the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation (FDIC), and the Consumer Financial Protection Bureau (CFPB) take the broad concepts in a law and define how it will be carried out and enforced. Regulation Z implements and enforces the Truth in Lending Act (TILA), for example, while Regulation B does the same for the Equal Credit Opportunity Act.
In financial services, “rules” and “regulations” are often used interchangeably. A Notice of Proposed Rulemaking, for instance, is simply a notice that an agency is proposing a new or amended regulation. The terms mean the same thing in this context.
It’s also important to note that not all rules come from government agencies. Industry organizations also issue rules that financial organizations must follow. Nacha, which governs the Automated Clearing House (ACH) network, publishes operating rules that govern any institution sending or receiving ACH transactions. Card networks such as Visa and Mastercard also maintain their own rulebooks. These aren't regulations in the legal sense, but the obligations are binding for any institution participating in those networks.
What is guidance?
Supervisory guidance is supplemental material published by an agency that helps clarify existing rules and expectations. It includes interagency statements, advisories, bulletins, policy statements, questions and answers, and frequently asked questions.
In 2018, federal banking agencies joined forces in an interagency statement clarifying the role of supervisory guidance:
- Outlines regulators’ supervisory expectations or recommended practices.
- Helps institutions understand how agencies view safety, soundness, and consumer protection principles.
- Promotes consistency in supervision across institutions.
Supervisory guidance does not have the force and effect of law, so there is no formal proposal or comment period, though an agency may seek public comment. While an FI can’t “violate” guidance, examiners can cite it as an example of best practices for complying with laws and regulations when deficiencies are noted.
Regulatory supervisory communication — consent orders, report of examination findings, or enforcement letters, for example — requires action and can lead to formal action if ignored.
What are policies?
Policies are governance tools used by FIs to interpret and implement regulations. Policies differ across institutions based on their size, complexity, location, services, and other factors.

There are two types of policies:
- Regulatory policies ensure compliance with laws, regulations, and regulatory guidance, such as the CAN-SPAM Act and Fair Lending Act policies.
- Operational policies direct internal processes to support efficiency, risk management, and daily operations, such as overdraft, branch closing, physical security, and remote deposit capture policies.
Some policies overlap and cover both areas, such as third-party risk management and incident response.
When followed, effective policies help reduce or manage risk. Ultimately, while not following a policy isn’t itself against the law, failing to follow policy could result in breaking a law.
FAQs
What is the difference between laws and regulations?
Laws are mandates passed by legislatures, and regulations are the detailed rules agencies draft to enforce those laws. A law answers the “what” and “why,” and regulations explain the “how.” Knowing both is crucial for FIs that must meet compliance standards in a highly regulated environment.
My FI received regulatory supervisory communication. What do we do now?
To respond effectively to regulatory supervisory communication, start by creating a comprehensive list of each issue, directive, or deficiency cited by regulators. Engage your leadership team to clarify expectations and ensure remediation efforts are aligned across your institution — not siloed.
Next, assign a responsible individual to each corrective action, and document roles, timelines, and deliverables using a master control document or project management tool. Track progress regularly and maintain detailed documentation to demonstrate to your leadership and examiners that issues are being actively addressed. As the saying goes, “if it’s not documented, it didn’t happen.”
My institution's policies are collecting dust. What can we do to maximize their potential?
Policies are governance tools, but too often FIs treat their policies as mere formalities. Keep these tips in mind as you revisit your policies:
- Define roles and responsibilities across all levels—staff, management, audit, and board.
- Use plain language and keep policies separate from procedures for clarity and easier updates.
- Ensure policies are communicated effectively through leadership messaging and staff training.
- Regularly review and update policies to keep them current, actionable, and aligned with your institution’s governance strategy.
Need a new policy but don’t know where to begin? Customize a sample policy to meet your organization’s needs and review the dozens of sample policies in Ncomply.
Understanding the difference between laws, regulations, rules, guidance, and policies is essential for financial organizations aiming to stay compliant and operate efficiently. A clear grasp of these terms helps institutions navigate an increasingly complex regulatory landscape — supporting both institutional success and consumer protection.
Navigating regulatory updates can be challenging. Get auditable, accurate, cited answers to your most complex questions in minutes with Nquiry.
