The ‘Empowerment’ of State Law and Regulation

Key Question: How do we manage the compliance, reputational, and other risks of divergent state regulations?

KPMG Perspective

A risk framework serves as a cornerstone to an  organization’s operations and is a foundational element to effective risk and compliance programs. Currently, the industry is struggling with what should be included in their ESG risk framework. In many cases, the question arises whether “another” policy is needed on top of existing policies that tie within the “umbrella” of ESG and sustainability.  An integrated ESG risk framework should coincide with the structure of ESG teams, in many cases a “hub and spoke” with ESG at the center. Frameworks should be inclusive of policies, governance structures, and how to measure and monitor ESG risk. Benefits of an ESG framework include having a clear and transparent strategy to communicate with investors, consumers, and others on the organization’s implementation of ESG/sustainability commitments and, perhaps most importantly, helping to ensure accountability across all lines of defense. Regulators expect organizations to:

• Develop a comprehensive ESG framework that is inclusive of ESG risk, lines of businesses, and lines of defense
• Integrate ESG-related risk into their policies and procedures.
• Integrate the ESG framework into areas such as business unit strategies, risk management, third-party monitoring, and Board accountability.
• Modify their policies when necessary to reflect changes in emerging risks, operating environments, or activities.

Companies should assess current regulatory change management actions to help more effectively manage the risks presented by divergent state laws and regulations:

• Impact Assessment: Enhance coordination between areas such as Government Affairs, Legal, Compliance, Public Relations, and business units to assess strategic, operational, and reputational impacts of emerging risks and evolving state laws and regulations.
• Jurisdictional Risks: Proactively identify interdependencies in business, product, and vendor processes and controls for potential jurisdictional risks between state regulations.
• Regulatory Awareness: Drive awareness across the organization that obligations under state regulations may apply to all business units, recognizing that certain lines of business historically may have considered requirements only under federal/global jurisdictions. Incorporate job-based examples and case studies, as feasible, to reiterate importance.

Key Question: How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?

KPMG Perspective

Establishing and maintaining a dynamic inventory of pertinent state laws and regulations is critical for building a strong compliance program. Given states’ varying legislative and regulatory priorities and differing means of distributing and formatting those laws and regulations, creating a comprehensive and dynamic inventory can prove to be challenging, albeit easier, perhaps, in states where the regulatory structure is more mature. State law and regulation inventories are one part of a company’s larger regulatory change management process and should also include “horizon scanning” capabilities to identify, track, and categorize applicable state regulatory changes and final issuances.

As companies look to enhance their state law and regulation inventories, it is important to consider and take action in these areas:

• Inventory: Establish a robust process to identify, track, and integrate state laws and regulations into a centralized repository.
• Organize and Analyze: Catalog and categorize state laws and regulations into “like” regulatory areas that affect the company, mapping rules to existing policies, procedures, and operational controls.
• Risk Assessment: Retool risk assessment processes to respond rapidly to evolving state laws and regulations.
• Update: Create and maintain an ongoing monitoring and review process to frequently assess and renew the inventory based on evolving state laws and regulations.

Key Question: How are companies managing the complexity of different state regulations, such as custodian/guardian orders, court orders, civil versus tax liens, etc.?

KPMG Perspective

Operationalizing effective controls that are adaptive to the varying complexities of state laws and regulations can be difficult. Detailed analysis is required to understand states’ requirements and their impacts on a company in terms of compliance, as well as to determine the adequacy of a company’s current policies, procedures, and controls.

To tackle the complexities around the myriad of state laws and regulations and operationalize effective controls, companies should address:

• State-Level Requirements: Analyze the details of states’ regulatory requirements, evaluating applicability enterprise-wide, including at the levels of business units and products.  Are any of the requirements superseded by federal pre-emption ?  How do state regulations mirror one another (or not)?  Is it possible to cluster like regulatory themes and like regulatory obligations together? Are state regulatory obligations/themes mapped to their counterparts at the federal level, as appropriate?
• Gap Assessments: After determining applicability and impact, assess state-level obligations and adequacy of existing policies, procedures, and controls, making adjustments as needed.
• Operational Framework: Set clear definitions and control/decision points for state-level requirements (e.g., types of guardian accounts; appropriate court documentation access/usage/storage; notification timing and messaging to affected customers/accounts). Create/amend necessary policies and procedures, resources (e.g., “centers of excellence” for state requirements/processes), systems, and trainings.

Key Question: Do we foresee increasing state regulatory scrutiny?

KPMG Perspective

State legislators and regulators have shown a willingness to pioneer new legislative and regulatory territory and expand regulatory focus (e.g., consumer privacy, cybersecurity, etc.), sometimes in the absence of (and sometimes in addition to) federal action. State regulators are expected to bring heightened scrutiny particularly in these areas, and this could lead to expanded examinations or increased volumes of supervisory matters for companies.

In anticipation of, and preparation for, increased state regulatory scrutiny across a variety of areas, companies should focus on:

• Engagement: Initiate and maintain ongoing dialogues with state regulatory authorities, as appropriate.
• Governance and Risk Management: Ensure that all public disclosures are accurate, and that processes and controls can be easily demonstrated/explained to state regulators, particularly those associated with governance and risk management structures and in emerging risk areas such as consumer data privacy and cybersecurity.
• Consumer Protection: In May 2022, the CFPB issued an interpretive rule that affirmed: (1) states can enforce any provision of federal consumer financial protection laws, (2) states can pursue claims and actions against a broader range of entities than the CFPB, and (3) CFPB enforcement actions do not preclude state actions. The FTC has separately indicated that partnering with states is an important part of its enforcement toolkit and it is actively engaging states in joint actions.
• Consumer “Voice”/Regulatory “Democratization”: Following the lead of federal regulators (e.g., CFPB, FTC), state regulators may pursue direct solicitation of consumers’ and investors’ experiences with specific products and services and their associated underlying regulations in areas such as disclosures, fees, and customer service interactions (live interactions, bots, accessibility, resolution). In addition, complaints portal activity could guide and/or confirm areas of state regulatory focus which may factor into supervisory practices and investigations.

Key Question: Should we expect continued expanded state regulatory enforcement activity?

KPMG Perspective

Increased state scrutiny of new regulatory priorities (e.g., data privacy, cybersecurity, etc.) or existing federal consumer protection laws and regulations (e.g., fraud, unfair or deceptive practices, etc.) could lead to an escalation in state regulatory enforcement actions. Companies should anticipate an increase in investigative letters, supervisory examinations, and potentially supervisory and enforcement actions.

In addition to updating policies, procedures, and controls to ensure that they adequately address regulatory enforcement priorities, companies should also assess:

• Coordination and Alignment: Understand state regulators’ coordination with other regulators, both state and federal, and alignment/divergence on enforcement priorities (e.g., state regulatory interpretation/ enforcement of federal consumer protection laws, ESG, etc.).
• Compliance: Ensure appropriate investment in compliance functions (people, processes, and technology) to prevent, detect, and timely respond to potential violations or misconduct resulting in state enforcement actions, as well as to provide state regulators with demonstrable issues identification, notification, escalation, and resolution/remediation.