Many companies are well aware of the differences between various states’ laws and regulations – for instance in the areas of licensing, insurance or tax—and most companies have established processes to help comply with the multiplicity of state requirements. Yet, state laws and regulations increasingly diverge from one another, and from requirements at the federal level—making it very complex to track, determine strategy, and operationalize the business’s path forward. Regulatory differences impact functional areas (e.g., compliance, tax, IT) as well as products and processes (e.g., courts and liens) – and range across evolving issues such as privacy, cybersecurity, and ESG. In some cases, state regulatory issuances can necessitate full corporate strategic reconsideration of products, channels, and processes, involving assessment from Government Affairs, Marketing, Communications, Compliance, and Legal.
Some key questions that companies need to consider as they continue to enhance state law and regulation risk and compliance processes, impacts, and controls include:
- How do we manage the compliance, reputational, and other risks of divergent state regulations?
- How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?
- How are companies managing the complexity of different state regulations (e.g., custodian/guardian orders, court orders, civil versus tax liens, etc.)?
- Do we foresee increasing state regulatory scrutiny?
- Should we expect continued/expanded state regulatory enforcement activity?
Challenge 1: Divergent State Laws and Regulations
Key Question: How do we manage the compliance, reputational, and other risks of divergent state regulations?
A risk framework serves as a cornerstone to an organization’s operations and is a foundational element to effective risk and compliance programs. Currently, the industry is struggling with what should be included in their ESG risk framework. In many cases, the question arises whether “another” policy is needed on top of existing policies that tie within the “umbrella” of ESG and sustainability. An integrated ESG risk framework should coincide with the structure of ESG teams, in many cases a “hub and spoke” with ESG at the center. Frameworks should be inclusive of policies, governance structures, and how to measure and monitor ESG risk. Benefits of an ESG framework include having a clear and transparent strategy to communicate with investors, consumers, and others on the organization’s implementation of ESG/sustainability commitments and, perhaps most importantly, helping to ensure accountability across all lines of defense. Regulators expect organizations to:
- Develop a comprehensive ESG framework that is inclusive of ESG risk, lines of business, and lines of defense.
- Integrate ESG-related risk into their policies and procedures.
- Integrate the ESG framework into areas such as business unit strategies, risk management, third-party monitoring, and Board accountability.
- Modify their policies when necessary to reflect changes in emerging risks, operating environments, or activities.
Companies should assess current regulatory change management actions to help more effectively manage the risks presented by divergent state laws and regulations:
- Impact Assessment: Enhance coordination between areas such as Government Affairs, Legal, Compliance, Public Relations, and business units to assess strategic, operational, and reputational impacts of emerging risks and evolving state laws and regulations.
- Jurisdictional Risks: Proactively identify interdependencies in business, product, and vendor processes and controls for potential jurisdictional risks between state regulations.
- Regulatory Awareness: Drive awareness across the organization that obligations under state regulations may apply to all business units, recognizing that certain lines of business historically may have considered requirements only under federal/global jurisdictions. Incorporate job-based examples and case studies, as feasible, to reiterate importance.
Examples of state laws and regulations

| Area | Example |
| --- | --- |
| ESG | In August 2022, the California Air Resources Board approved a rule establishing a year-by-year roadmap so that by 2035 100% of new cars and light trucks sold in California will be zero-emission vehicles, including plug-in hybrid electric vehicles. NOTE: Seventeen additional states and Washington, D.C. have laws or regulations tying their standards to California’s. However, some of these states have indicated they may pursue their own roadmaps and emissions standards given California’s new rule. |
| ESG | In June 2021, Texas enacted a law prohibiting state agencies, local governments, and state pension funds from contracting with or investing in (as well as requiring them to divest from) companies that “boycott” or divest from fossil fuel energy companies. Under the law, the state comptroller regularly provides state agencies and local governments a list of companies that “boycott” energy companies. NOTE: Seventeen additional states have proposed or passed laws prohibiting state agencies from doing business with companies that incorporate ESG into investments. |
| Privacy | The California Consumer Privacy Act (CCPA) (enacted in 2018) and the California Privacy Rights Act (CPRA) (effective 2023) established consumers’ rights over personal data collected by businesses. NOTE: Four additional states have enacted similar consumer data privacy laws and sixteen states have legislation under consideration as of February 2023. |
| Cybersecurity | In November 2022, the New York State Department of Financial Services (NYSDFS) proposed amendments to its 2017 cybersecurity regulations to ensure cybersecurity risk is integrated into companies’ business planning, decision-making, and ongoing risk management. NYSDFS notes that its regulations have “established a regulatory model that is now used by both federal and state financial regulators.” |
| Pay Transparency | In December 2022, New York State enacted a pay transparency law (effective September 2023) requiring employers to disclose compensation or range of compensation to applicants and employees upon issuing an employment opportunity. NOTE: As of January 2023, seven additional states and several localities have enacted similar pay transparency laws. |
| Garnishment | Each state has laws and regulations governing bank account garnishments, including out-of-state garnishments. The CFPB has issued an enforcement order related to garnishment practices, which clarifies that banks are obligated to (1) determine a state’s laws and regulations on out-of-state garnishments and (2) apply state-specific garnishment exemptions. |
| Custodial and Guardian Accounts | Each state has laws and regulations governing when control over custodial accounts, such as UTMA or UGMA accounts, must be transferred to beneficiaries. Prior FINRA sanctions have made clear that account custodians must establish, maintain, and enforce internal systems and procedures to ensure: (1) timely transfer of account control as required by state law and (2) compliance with court orders regarding account guardianship or conservatorship (which could supersede state law). |
Challenge 2: Inventory of State Laws and Regulations
Key Question: How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?
Establishing and maintaining a dynamic inventory of pertinent state laws and regulations is critical for building a strong compliance program. Given states’ varying legislative and regulatory priorities and differing means of distributing and formatting those laws and regulations, creating a comprehensive and dynamic inventory can prove to be challenging, albeit easier, perhaps, in states where the regulatory structure is more mature. State law and regulation inventories are one part of a company’s larger regulatory change management process and should also include “horizon scanning” capabilities to identify, track, and categorize applicable state regulatory changes and final issuances.
As companies look to enhance their state law and regulation inventories, it is important to consider and take action in these areas:
- Inventory: Establish a robust process to identify, track, and integrate state laws and regulations into a centralized repository.
- Organize and Analyze: Catalog and categorize state laws and regulations into “like” regulatory areas that affect the company, mapping rules to existing policies, procedures, and operational controls.
- Risk Assessment: Retool risk assessment processes to respond rapidly to evolving state laws and regulations.
- Update: Create and maintain an ongoing monitoring and review process to frequently assess and renew the inventory based on evolving state laws and regulations.
Challenge 3: Complexity of State Laws and Regulations
Key Question: How are companies managing the complexity of different state regulations, such as custodian/guardian orders, court orders, civil versus tax liens, etc.?
Operationalizing effective controls that are adaptive to the varying complexities of state laws and regulations can be difficult. Detailed analysis is required to understand states’ requirements and their impacts on a company in terms of compliance, as well as to determine the adequacy of a company’s current policies, procedures, and controls.
To tackle the complexities around the myriad of state laws and regulations and operationalize effective controls, companies should address:
- State-Level Requirements: Analyze the details of states’ regulatory requirements, evaluating applicability enterprise-wide, including at the levels of business units and products. Are any of the requirements superseded by federal pre-emption? How do state regulations mirror one another (or not)? Is it possible to cluster like regulatory themes and like regulatory obligations together? Are state regulatory obligations/themes mapped to their counterparts at the federal level, as appropriate?
- Gap Assessments: After determining applicability and impact, assess state-level obligations and adequacy of existing policies, procedures, and controls, making adjustments as needed.
- Operational Framework: Set clear definitions and control/decision points for state-level requirements (e.g., types of guardian accounts; appropriate court documentation access/usage/storage; notification timing and messaging to affected customers/accounts). Create/amend necessary policies and procedures, resources (e.g., “centers of excellence” for state requirements/processes), systems, and trainings.
Challenge 4: Scrutiny Related to State Laws and Regulations
Key Question: Do we foresee increasing state regulatory scrutiny?
State legislators and regulators have shown a willingness to pioneer new legislative and regulatory territory and expand regulatory focus (e.g., consumer privacy, cybersecurity, etc.), sometimes in the absence of (and sometimes in addition to) federal action. State regulators are expected to bring heightened scrutiny particularly in these areas, and this could lead to expanded examinations or increased volumes of supervisory matters for companies.
In anticipation of, and preparation for, increased state regulatory scrutiny across a variety of areas, companies should focus on:
- Engagement: Initiate and maintain ongoing dialogues with state regulatory authorities, as appropriate.
- Governance and Risk Management: Ensure that all public disclosures are accurate, and that processes and controls can be easily demonstrated/explained to state regulators, particularly those associated with governance and risk management structures and in emerging risk areas such as consumer data privacy and cybersecurity.
- Consumer Protection: In May 2022, the CFPB issued an interpretive rule that affirmed: (1) states can enforce any provision of federal consumer financial protection laws, (2) states can pursue claims and actions against a broader range of entities than the CFPB, and (3) CFPB enforcement actions do not preclude state actions. The FTC has separately indicated that partnering with states is an important part of its enforcement toolkit and it is actively engaging states in joint actions.
- Consumer “Voice”/Regulatory “Democratization”: Following the lead of federal regulators (e.g., CFPB, FTC), state regulators may pursue direct solicitation of consumers’ and investors’ experiences with specific products and services and their associated underlying regulations in areas such as disclosures, fees, and customer service interactions (live interactions, bots, accessibility, resolution). In addition, complaints portal activity could guide and/or confirm areas of state regulatory focus which may factor into supervisory practices and investigations.
Challenge 5: Enforcement of State Laws and Regulations
Key Question: Should we expect continued/expanded state regulatory enforcement activity?
Increased state scrutiny of new regulatory priorities (e.g., data privacy, cybersecurity, etc.) or existing federal consumer protection laws and regulations (e.g., fraud, unfair or deceptive practices, etc.) could lead to an escalation in state regulatory enforcement actions. Companies should anticipate an increase in investigative letters, supervisory examinations, and potentially supervisory and enforcement actions.
In addition to updating policies, procedures, and controls to ensure that they adequately address regulatory enforcement priorities, companies should also assess:
- Coordination and Alignment: Understand state regulators’ coordination with other regulators, both state and federal, and alignment/divergence on enforcement priorities (e.g., state regulatory interpretation/enforcement of federal consumer protection laws, ESG, etc.).
- Compliance: Ensure appropriate investment in compliance functions (people, processes, and technology) to prevent, detect, and timely respond to potential violations or misconduct resulting in state enforcement actions, as well as to provide state regulators with demonstrable issues identification, notification, escalation, and resolution/remediation.
State attorneys general have identified a variety of enforcement priorities in 2023 including:
- Data privacy, cybersecurity, data breaches, consumer opt-in/opt-out
- Antitrust, fair competition, merger activity
- ESG, ESG investing, DE&I protections
- Automated decision making, algorithms, artificial intelligence/machine learning
- Unfair, deceptive, or abusive acts or practices, including marketing/advertising
- Consumer fees, loyalty programs