Many companies are well aware of the differences between various states’ laws and regulations – for instance in the areas of licensing, insurance or tax—and most companies have established processes to help comply with the multiplicity of state requirements. Yet, state laws and regulations increasingly diverge from one another, and from requirements at the federal level—making it very complex to track, determine strategy, and operationalize the business’s path forward. Regulatory differences impact functional areas (e.g., compliance, tax, IT) as well as products and processes (e.g., courts and liens) – and range across evolving issues such as privacy, cybersecurity, and ESG. In some cases, state regulatory issuances can necessitate full corporate strategic reconsideration of products, channels, and processes, involving assessment from Government Affairs, Marketing, Communications, Compliance, and Legal.
Some key questions that companies need to consider as they continue to enhance state law and regulation risk and compliance processes, impacts, and controls include:
A risk framework serves as a cornerstone to an organization’s operations and is a foundational element to effective risk and compliance programs. Currently, the industry is struggling with what should be included in their ESG risk framework. In many cases, the question arises whether “another” policy is needed on top of existing policies that tie within the “umbrella” of ESG and sustainability. An integrated ESG risk framework should coincide with the structure of ESG teams, in many cases a “hub and spoke” with ESG at the center. Frameworks should be inclusive of policies, governance structures, and how to measure and monitor ESG risk. Benefits of an ESG framework include having a clear and transparent strategy to communicate with investors, consumers, and others on the organization’s implementation of ESG/sustainability commitments and, perhaps most importantly, helping to ensure accountability across all lines of defense. Regulators expect organizations to:
Companies should assess current regulatory change management actions to help more effectively manage the risks presented by divergent state laws and regulations:
Examples of state laws and regulations
|ESG||In August 2022, the California Air Resources Board approved a rule establishing a year-by-year roadmap so that by 2035 100% of new cars and light trucks sold in California will be zero-emission vehicles, including plug-in hybrid electric vehicles. NOTE: Seventeen additional states and Washington, D.C. have laws or regulations tying their standards to California’s. However, some of these states have indicated they may pursue their own roadmaps and emissions standards given California’s new rule.|
|ESG||In June 2021, Texas enacted a law prohibiting state agencies, local governments, and state pension funds from contracting with or investing in (as well as requiring them to divest from) companies that “boycott” or divest from fossil fuel energy companies. Under the law, the state comptroller regularly provides state agencies and local governments a list of companies that “boycott” energy companies. NOTE: Seventeen additional states have proposed or passed laws prohibiting state agencies from doing businesses with companies that incorporate ESG into investments.|
|Privacy||The California Consumer Privacy Act (CCPA) (enacted in 2018) and the California Privacy Rights Act (CPRA) (effective 2023) established consumers’ rights over personal data collected by businesses. NOTE: Four additional states have enacted similar consumer data privacy laws and sixteen states have legislation under consideration as of February 2023.|
|Cybersecurity||In November 2022, the New York State Department of Financial Services (NYSDFS) proposed amendments to its 2017 cybersecurity regulations to ensure cybersecurity risk is integrated into companies’ business planning, decision-making, and ongoing risk management. NYSDFS notes that its regulations have “established a regulatory model that is now used by both federal and state financial regulators.”|
|Pay Transparency||In December 2022, New York State enacted a pay transparency law (effective September 2023) requiring employers to disclose compensation or range of compensation to applicants and employees upon issuing an employment opportunity. NOTE: As of January 2023, seven additional states and several localities have enacted similar pay transparency laws.|
|Garnishment||Each state has laws and regulations governing bank account garnishments, including out-of-state garnishments. CFPB has issued an enforcement order related to garnishment practices, which clarifies that banks are obligated to (1) determine a state’s laws and regulations on out-of-state garnishments and (2) apply state-specific garnishment exemptions.|
|Custodial and Guardian Accounts||Each state has laws and regulations governing when control over custodial accounts, such as UTMA or UGMA accounts, must be transferred to beneficiaries. Prior FINRA sanctions have made clear that account custodians must establish, maintain, and enforce internal systems and procedures to ensure: (1) timely transfer of account control as required by state law and (2) compliance with court orders regarding account guardianship or conservatorship (which could supersede state law).|
Key Question: How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?
Establishing and maintaining a dynamic inventory of pertinent state laws and regulations is critical for building a strong compliance program. Given states’ varying legislative and regulatory priorities and differing means of distributing and formatting those laws and regulations, creating a comprehensive and dynamic inventory can prove to be challenging, albeit easier, perhaps, in states where the regulatory structure is more mature. State law and regulation inventories are one part of a company’s larger regulatory change management process and should also include “horizon scanning” capabilities to identify, track, and categorize applicable state regulatory changes and final issuances.
As companies look to enhance their state law and regulation inventories, it is important to consider and take action in these areas:
Key Question: How are companies managing the complexity of different state regulations, such as custodian/guardian orders, court orders, civil versus tax liens, etc.?
Operationalizing effective controls that are adaptive to the varying complexities of state laws and regulations can be difficult. Detailed analysis is required to understand states’ requirements and their impacts on a company in terms of compliance, as well as to determine the adequacy of a company’s current policies, procedures, and controls.
To tackle the complexities around the myriad of state laws and regulations and operationalize effective controls, companies should address:
Key Question: Do we foresee increasing state regulatory scrutiny?
State legislators and regulators have shown a willingness to pioneer new legislative and regulatory territory and expand regulatory focus (e.g., consumer privacy, cybersecurity, etc.), sometimes in the absence of (and sometimes in addition to) federal action. State regulators are expected to bring heightened scrutiny particularly in these areas, and this could lead to expanded examinations or increased volumes of supervisory matters for companies.
In anticipation of, and preparation for, increased state regulatory scrutiny across a variety of areas, companies should focus on:
Key Question: Should we expect continued expanded state regulatory enforcement activity?
Increased state scrutiny of new regulatory priorities (e.g., data privacy, cybersecurity, etc.) or existing federal consumer protection laws and regulations (e.g., fraud, unfair or deceptive practices, etc.) could lead to an escalation in state regulatory enforcement actions. Companies should anticipate an increase in investigative letters, supervisory examinations, and potentially supervisory and enforcement actions.
In addition to updating policies, procedures, and controls to ensure that they adequately address regulatory enforcement priorities, companies should also assess: