The Empowerment of State Law and Regulation

June 2024 **Updated July 2024**

Regardless of administrations, expect continued discord and divergences across states and between state and federal regulations.  This “dueling banjos of legislation and regulation” can create incompatible approaches, strategies and requirements, and a great deal of work (and anxiety). Diverging regulations can touch every aspect of business, across such areas as AI, privacy, cybersecurity, and sustainability initiatives.

Companies must navigate this complex regulatory landscape, which can impact operational strategies and may require comprehensive reassessment of products, channels, and processes. To do so necessitates a coordinated effort across departments like Government Affairs, Marketing, Communications, Compliance, and Legal to adapt to state regulations, regardless of the federal landscape now and in the future; this is essential for maintaining competitiveness and ensuring business resilience in a rapidly evolving environment.

Key questions for companies to consider as they continue enhancing state law and regulation risk and compliance processes, impacts, and controls include:

1. How do we manage the compliance, reputational, and other risks of divergent state regulations?
2. How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?
3. How are companies managing the complexity (and potentially conflicting requirements and impacts) of different state regulations?
4. Do we foresee increasing state regulatory scrutiny?
5. Should we expect continued/expanded state regulatory enforcement activity?

Key Question: How do we manage the compliance, reputational, and other risks of divergent state regulations?

KPMG Perspective

It's essential to develop and keep an up-to-date inventory of relevant state laws and regulations to forge a robust compliance strategy. Considering the diverse legislative and regulatory focuses across states, as well as unique methods of disseminating and structuring these laws and regulations, assembling a thorough and up-to-date catalog can be complex. Cataloging state laws and regulations is a component of a broader regulatory change management strategy within a company, which should also incorporate mechanisms for "horizon scanning" to detect, monitor, and organize upcoming state regulatory changes and official publications.

To better navigate the challenges posed by disparate state regulations, companies should refine their regulatory change management strategies through the following actions:

• Impact Assessment: Improve collaboration among departments like Government Affairs, Legal, Compliance, Public Relations, and various business segments to evaluate the strategic, operational, and reputational effects of ‘likely-to-emerge' as well as new risks and changing state laws and regulations.
• Jurisdictional Risks: Actively seek out and understand the interconnections within business operations, product offerings, and vendor relations that could be affected by differing state regulations, to anticipate jurisdictional risks.
• Regulatory Awareness: Foster a company-wide understanding that state regulatory obligations are applicable across all business divisions, acknowledging that some areas might have previously only considered federal or international regulations. Where possible, use specific job-related examples and case studies to underscore their significance.

Key Question: How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?

KPMG Perspective

It's essential to develop and keep an up-to-date inventory of relevant state laws and regulations to forge a robust compliance strategy. Considering the diverse legislative and regulatory focuses across states, as well as unique methods of disseminating and structuring these laws and regulations, assembling a thorough and up-to-date catalog can be complex. Cataloging state laws and regulations is a component of a broader regulatory change management strategy within a company, which should also incorporate mechanisms for "horizon scanning" to detect, monitor, and organize upcoming state regulatory changes and official publications.

For businesses aiming to improve their catalogs of state laws and regulations, it's critical to focus on and implement steps in the following areas:

• Inventory: Develop a solid system for identifying, monitoring, and incorporating state laws and regulations into a unified database.
• Organize and Analyze: Systematically arrange and classify state laws and regulations into similar regulatory categories that impact the company, linking regulations to the company's policies, processes, and operational safeguards.
• Risk Assessment: Renew risk assessment methodologies to quickly adapt to changes in state laws and regulations.
• Update: Establish a continuous process for monitoring and updating the catalog to reflect changes in state laws and regulations.

Key Question: How are companies managing the complexity (and potentially conflicting requirements and impacts) of different state regulations?

KPMG Perspective

Implementing controls that are flexible enough to comply with the diverse and complex state laws and regulations can be challenging. It necessitates a thorough examination to grasp the specific demands of each state and how they affect a company's compliance posture, as well as to evaluate whether the company's existing policies, procedures, and controls are sufficient.

To effectively manage the challenges posed by the vast array of state laws and regulations and implement responsive controls, businesses need to focus on:

• State-Level Requirements: Conduct a detailed analysis of the regulatory requirements at the state level, assessing their relevance across the entire organization, including within specific business units and product lines. Consider whether any state regulations are overridden by federal laws. Evaluate the similarities and differences among state regulations. Explore the feasibility of grouping similar regulatory themes and obligations. Check if state regulatory obligations/themes are appropriately aligned with federal counterparts.
• Gap Assessments: Once the relevance and impact are understood, evaluate the state-level obligations and the sufficiency of the company's existing policies, procedures, and controls, making necessary revisions.
• Operational Framework: Define clear criteria and decision-making processes for handling state-level requirements (for example, defining types of guardian accounts; protocols for accessing, using, and storing court documents; and specifying the timing and content of notifications to impacted customers/accounts). Update or establish the required policies and procedures, resources (such as specialized teams or "centers of excellence" for navigating state regulations), systems, and training programs.

Key Question: Do we foresee increasing state regulatory scrutiny?

KPMG Perspective

State lawmakers and regulatory bodies are increasingly willing to explore and introduce new legislative and regulatory dimensions, including extending their oversight to areas like AI, consumer privacy, and cybersecurity. This proactive stance sometimes occurs both in the absence of and in conjunction with federal initiatives. It is anticipated that state regulators will intensify scrutiny particularly in these areas, potentially leading to broader examinations or a rise in regulatory oversight activities for businesses.

To prepare for and address the growing regulatory attention at the state level across various sectors, companies should concentrate on:

• Engagement: Start and maintain continuous conversations with state regulatory authorities as appropriate.
• Governance and Risk Management: Ensure the accuracy of all public communications and that the procedures and controls, especially those related to governance and risk management and in areas of emerging risk like data privacy and cybersecurity, are transparent and can be demonstrated/explained to state regulators.
• Consumer Protection: Stay abreast of coordination between federal and state authorities. In April 2024, the Federal Trade Commission (FTC) issued a report to Congress detailing the FTC’s law enforcement cooperation with state attorneys general (AGs) nationwide on consumer protection initiatives. Likewise, in May 2022, the Consumer Financial Protection Bureau (CFPB) confirmed through an interpretative rule that: (1) states have the authority to enforce all aspects of federal consumer financial protection laws, (2) states have the capacity to initiate legal claims and actions against a broader array of entities compared to the CFPB, and (3) actions taken by the CFPB do not restrict state-level enforcement.
• Consumer "Voice"/Regulatory "Democratization": Monitor complaints portals established by state authorities. State regulators may mirror the approach of federal agencies (for example, CFPB and FTC), to actively seek feedback from consumers and investors about their experiences with certain products and services and the associated underlying regulations, including issues related to disclosures, fees, and customer service encounters (including live support, automated bots, accessibility, and issue resolution). The activity within complaints portals may also help to highlight or verify focal points of state regulatory interest, influencing supervisory methods and investigations.

Key Question: Should we expect continued expanded state regulatory enforcement activity?

KPMG Perspective

There is a rising supervisory focus from state authorities on both new regulatory concerns (such as AI, data privacy, and cybersecurity) and ongoing federal consumer protection regulations (for example, fraud and misleading practices). This could lead to more frequent state regulatory interventions. Businesses should prepare for an uptick in requests for information, audits, and possibly regulatory and enforcement actions.

To ensure compliance with evolving regulatory enforcement focuses, corporations should not only update their policies, procedures, and systems but also evaluate:

• Coordination and Conformity: Grasp how state regulators collaborate and/or counter with other state and federal regulatory bodies, and how their enforcement priorities align or differ (e.g., state enforcement of federal consumer protection laws).
• Compliance Infrastructure: Commit to bolstering compliance mechanisms (involving personnel, processes, and technology) to effectively prevent, identify, and quickly address any infractions or misconduct that could trigger state regulatory actions. This also includes demonstrating to state regulators capabilities for issue identification, notification, escalation, and thorough resolution/remediation.