Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

The Empowerment of State Law and Regulation

Increasing Risk Amongst Discord

Download PDF
Share
June 2024 **Updated July 2024**
 
Regardless of administrations, expect continued discord and divergences across states and between state and federal regulations.  This “dueling banjos of legislation and regulation” can create incompatible approaches, strategies and requirements, and a great deal of work (and anxiety). Diverging regulations can touch every aspect of business, across such areas as AI, privacy, cybersecurity, and sustainability initiatives.

Companies must navigate this complex regulatory landscape, which can impact operational strategies and may require comprehensive reassessment of products, channels, and processes. To do so necessitates a coordinated effort across departments like Government Affairs, Marketing, Communications, Compliance, and Legal to adapt to state regulations, regardless of the federal landscape now and in the future; this is essential for maintaining competitiveness and ensuring business resilience in a rapidly evolving environment.

Key questions for companies to consider as they continue enhancing state law and regulation risk and compliance processes, impacts, and controls include: 

  1. How do we manage the compliance, reputational, and other risks of divergent state regulations?
  2. How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?
  3. How are companies managing the complexity (and potentially conflicting requirements and impacts) of different state regulations?
  4. Do we foresee increasing state regulatory scrutiny?
  5. Should we expect continued/expanded state regulatory enforcement activity?

Challenge 1: Divergent State Laws and Regulations

Key Question: How do we manage the compliance, reputational, and other risks of divergent state regulations?

KPMG Perspective

It's essential to develop and keep an up-to-date inventory of relevant state laws and regulations to forge a robust compliance strategy. Considering the diverse legislative and regulatory focuses across states, as well as unique methods of disseminating and structuring these laws and regulations, assembling a thorough and up-to-date catalog can be complex. Cataloging state laws and regulations is a component of a broader regulatory change management strategy within a company, which should also incorporate mechanisms for "horizon scanning" to detect, monitor, and organize upcoming state regulatory changes and official publications.

To better navigate the challenges posed by disparate state regulations, companies should refine their regulatory change management strategies through the following actions:

  • Impact Assessment: Improve collaboration among departments like Government Affairs, Legal, Compliance, Public Relations, and various business segments to evaluate the strategic, operational, and reputational effects of ‘likely-to-emerge' as well as new risks and changing state laws and regulations.
  • Jurisdictional Risks: Actively seek out and understand the interconnections within business operations, product offerings, and vendor relations that could be affected by differing state regulations, to anticipate jurisdictional risks.
  • Regulatory Awareness: Foster a company-wide understanding that state regulatory obligations are applicable across all business divisions, acknowledging that some areas might have previously only considered federal or international regulations. Where possible, use specific job-related examples and case studies to underscore their significance.

 

Examples of State Laws and Regulations

Artificial Intelligence (AI): Since 2020, at least forty (40) states have introduced and considered AI legislation, and several states have addressed AI through legislation and/or regulation (see KPMG’s Point of View, here). Select examples include:

  • California – Executive Order: Directing study of development, use, and risks of AI, and the development of a process for evaluating and deploying AI within state government. CPPA: Draft regulations for automated decision-making technology (ADMT) including AI, which would provide for consumers rights to opt out of, and access information about, businesses’ use of ADMT, as outlined in the California Consumer Privacy Act. A formal proposed rule is still forthcoming.
  • Colorado Division of Insurance: A new AI regulation, effective November 14, 2023, requires licensed life insurance companies that use external consumer data and information sources (ECDIS) and/or algorithms and predictive models to establish a risk-based governance and risk management framework to mitigate the risk of unfair discrimination based on race and remediate unfair discrimination, if detected. Reporting requirements include a compliance progress report on June 1, 2024, and an annual compliance attestation beginning December 1, 2024.
  • Connecticut - OLR Public Act Concerning AI, Automated Decision Making, and Personal Data Privacy: Requires the Department of Administrative Services to inventory all systems employing AI being used by state agencies. Effective February 1,2024, the department must also conduct ongoing assessments of such systems to mitigate risk of discrimination or disparate impact.
  • Illinois – AI Video Interview Act: Effective 2020, governs the use of AI on video interviews, including requirements for disclosure, consent, confidentiality, and deletion.
  • New York: NY DFS proposed guidance on the use of AI by insurers, including expectations for developing and managing the integration of external consumer data and information sources (ECDIS), AI systems, and other predictive models to mitigate potential consumer harm; covers anti-discrimination and risk management/governance framework. NYC law requiring AI and automated employment decision tools to be audited for bias and disclosed to prospective candidates/employees.
  • Tennessee – ELVIS Act: Effective July 1, 2024, adds “voice” (actual or simulation) to personal property rights of name, image, and likeness and adds protections against their unauthorized use in any medium and in any manner.
  • Utah – AI Policy Act: Consumer protection law effective May 1, 2024, requiring entities and individuals using AI/GenAI to disclose use of such tools when interacting with customers (establishing liability for inadequate/improper disclosure). Also creates an Office of AI Policy and a regulatory AI analysis program.

Climate: In 2023, California became “first-in-the-nation” to adopt broad climate reporting laws (see KPMG’s Regulatory Alert, here) that will require large businesses to report on greenhouse gas (GHG) emissions and climate-related financial risk:

  • SB-253 requires “reporting entities” to publicly disclose their GHG emissions on an annual basis. “Reporting entities” is defined to include i) a business (e.g., a corporation, partnership, limited liability company, or other business entity) formed under the laws of CA, any other U.S. state, or the District of Columbia, or through an act of Congress, ii) with total annual revenues in excess of $1 billion, and iii) that does business in California.
  • SB-261 requires “covered entities” to publicly disclose their climate-related financial risk and the measures adopted to reduce and adapt to those risks. “Covered entities” is defined in the same manner as “reporting entities” under SB-253 with the exception of a $500 million annual revenue threshold.
Consumer Protection: In May 2024, Florida enacted a law creating a new complaints process through which customers can submit complaints to the Florida Office of Financial Regulation (OFR) if they suspect that a financial institution acted in violation of an “unsafe and unsound practice” standard., where “unsafe and unsound practice” is defined as the denial, cancellation, suspension, or termination of a service based on a person’s political opinions or affiliations, religious beliefs, business sector engagement (e.g., firearms, fossil fuels) or ratings/scoring based on these factors. **Updated July 2024**

Cybersecurity: In November 2023, the New York State Department of Financial Services (NY DFS) announced adoption of final amendments to its cybersecurity regulations to include requirements around cybersecurity incident reporting, penetration testing, and mandatory controls. NOTE: Throughout 2023, thirty-nine (39) states, Puerto Rico, and Washington, D.C. adopted laws addressing cybersecurity in some capacity.

Pay Transparency: In August 2023, Illinois enacted a pay transparency law (effective January 2025) that will require employers with fifteen (15) or more employees to disclose pay scale and benefits for each job posting. NOTE: As of May 2024, nine (9) additional states and several localities in New York, New Jersey, and Ohio have enacted similar pay transparency laws.

Physical Security: In 2024, California codified a new law, effective July 1, 2024, that requires nearly all California employers to adopt and implement a Workplace Violence Prevention Plan, as well as conduct employee training and maintain incident logs (see KPMG’s Regulatory Alert, here).

Privacy: Eighteen (18) states, including California, Texas, Colorado, Connecticut, Virginia, among others have enacted comprehensive privacy laws that govern the use of consumers’ personal data. NOTE: Nine (9) additional states have legislation currently under consideration, and one (1) state (Vermont) has passed legislation that is awaiting the Governor’s signature (as of May 2024).

In March 2024, Florida passed legislation (Online Protection for Minors) that requires social media platforms, effective January 2025, to prohibit certain minors from entering into contracts to become account holders. **Updated July 2024**

Challenge 2: Inventory of State Laws and Regulations

Key Question: How can we better manage the completeness and volume of regulatory change at the state level, given the number of states and regulations?


KPMG Perspective

It's essential to develop and keep an up-to-date inventory of relevant state laws and regulations to forge a robust compliance strategy. Considering the diverse legislative and regulatory focuses across states, as well as unique methods of disseminating and structuring these laws and regulations, assembling a thorough and up-to-date catalog can be complex. Cataloging state laws and regulations is a component of a broader regulatory change management strategy within a company, which should also incorporate mechanisms for "horizon scanning" to detect, monitor, and organize upcoming state regulatory changes and official publications.

For businesses aiming to improve their catalogs of state laws and regulations, it's critical to focus on and implement steps in the following areas:

  • Inventory: Develop a solid system for identifying, monitoring, and incorporating state laws and regulations into a unified database.
  • Organize and Analyze: Systematically arrange and classify state laws and regulations into similar regulatory categories that impact the company, linking regulations to the company's policies, processes, and operational safeguards.
  • Risk Assessment: Renew risk assessment methodologies to quickly adapt to changes in state laws and regulations.
  • Update: Establish a continuous process for monitoring and updating the catalog to reflect changes in state laws and regulations.

Challenge 3: Complexity of State Laws and Regulations

Key Question: How are companies managing the complexity (and potentially conflicting requirements and impacts) of different state regulations?


KPMG Perspective

Implementing controls that are flexible enough to comply with the diverse and complex state laws and regulations can be challenging. It necessitates a thorough examination to grasp the specific demands of each state and how they affect a company's compliance posture, as well as to evaluate whether the company's existing policies, procedures, and controls are sufficient.

To effectively manage the challenges posed by the vast array of state laws and regulations and implement responsive controls, businesses need to focus on:

  • State-Level Requirements: Conduct a detailed analysis of the regulatory requirements at the state level, assessing their relevance across the entire organization, including within specific business units and product lines. Consider whether any state regulations are overridden by federal laws. Evaluate the similarities and differences among state regulations. Explore the feasibility of grouping similar regulatory themes and obligations. Check if state regulatory obligations/themes are appropriately aligned with federal counterparts.
  • Gap Assessments: Once the relevance and impact are understood, evaluate the state-level obligations and the sufficiency of the company's existing policies, procedures, and controls, making necessary revisions.
  • Operational Framework: Define clear criteria and decision-making processes for handling state-level requirements (for example, defining types of guardian accounts; protocols for accessing, using, and storing court documents; and specifying the timing and content of notifications to impacted customers/accounts). Update or establish the required policies and procedures, resources (such as specialized teams or "centers of excellence" for navigating state regulations), systems, and training programs.

Challenge 4: Scrutiny Related to State Laws and Regulations

Key Question: Do we foresee increasing state regulatory scrutiny?

KPMG Perspective

State lawmakers and regulatory bodies are increasingly willing to explore and introduce new legislative and regulatory dimensions, including extending their oversight to areas like AI, consumer privacy, and cybersecurity. This proactive stance sometimes occurs both in the absence of and in conjunction with federal initiatives. It is anticipated that state regulators will intensify scrutiny particularly in these areas, potentially leading to broader examinations or a rise in regulatory oversight activities for businesses.

To prepare for and address the growing regulatory attention at the state level across various sectors, companies should concentrate on:

  • Engagement: Start and maintain continuous conversations with state regulatory authorities as appropriate.
  • Governance and Risk Management: Ensure the accuracy of all public communications and that the procedures and controls, especially those related to governance and risk management and in areas of emerging risk like data privacy and cybersecurity, are transparent and can be demonstrated/explained to state regulators.
  • Consumer Protection: Stay abreast of coordination between federal and state authorities. In April 2024, the Federal Trade Commission (FTC) issued a report to Congress detailing the FTC’s law enforcement cooperation with state attorneys general (AGs) nationwide on consumer protection initiatives. Likewise, in May 2022, the Consumer Financial Protection Bureau (CFPB) confirmed through an interpretative rule that: (1) states have the authority to enforce all aspects of federal consumer financial protection laws, (2) states have the capacity to initiate legal claims and actions against a broader array of entities compared to the CFPB, and (3) actions taken by the CFPB do not restrict state-level enforcement.
  • Consumer "Voice"/Regulatory "Democratization": Monitor complaints portals established by state authorities. State regulators may mirror the approach of federal agencies (for example, CFPB and FTC), to actively seek feedback from consumers and investors about their experiences with certain products and services and the associated underlying regulations, including issues related to disclosures, fees, and customer service encounters (including live support, automated bots, accessibility, and issue resolution). The activity within complaints portals may also help to highlight or verify focal points of state regulatory interest, influencing supervisory methods and investigations.

Challenge 5: Enforcement of State Laws and Regulations

Key Question: Should we expect continued expanded state regulatory enforcement activity?

KPMG Perspective

There is a rising supervisory focus from state authorities on both new regulatory concerns (such as AI, data privacy, and cybersecurity) and ongoing federal consumer protection regulations (for example, fraud and misleading practices). This could lead to more frequent state regulatory interventions. Businesses should prepare for an uptick in requests for information, audits, and possibly regulatory and enforcement actions.

To ensure compliance with evolving regulatory enforcement focuses, corporations should not only update their policies, procedures, and systems but also evaluate:

  • Coordination and Conformity: Grasp how state regulators collaborate and/or counter with other state and federal regulatory bodies, and how their enforcement priorities align or differ (e.g., state enforcement of federal consumer protection laws).
  • Compliance Infrastructure: Commit to bolstering compliance mechanisms (involving personnel, processes, and technology) to effectively prevent, identify, and quickly address any infractions or misconduct that could trigger state regulatory actions. This also includes demonstrating to state regulators capabilities for issue identification, notification, escalation, and thorough resolution/remediation.

State attorneys general have identified a variety of enforcement priorities including:

1

Data privacy, cybersecurity, data breaches, consumer opt-in/opt-out

2

AI, machine learning, automated decision making, algorithms, and other technologies 

3

Unfair, deceptive, or abusive acts or practices, including marketing/advertising

4

Consumer fees, loyalty programs

5

Antitrust, fair competition, merger activity

Dive into our thinking:

The Empowerment of State Law and Regulation

Increasing Risk Amongst Discord

Download PDF

Explore more

Meet our team

Image of Amy S. Matsuo
Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Read bio
Image of Michael Lamberth
Michael Lamberth
Partner, Advisory, FS Regulatory & Compliance Risk, KPMG US
Read bio
Image of Amy S. Matsuo
Amy S. Matsuo
Principal, U.S. Regulatory Insights & Compliance Transformation Lead, KPMG LLP
Read bio
Image of Michael Lamberth
Michael Lamberth
Partner, Advisory, FS Regulatory & Compliance Risk, KPMG US
Read bio

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments.

Subscribe

Thank you

Thank you for signing up to receive Regulatory Insights thought leadership content. You will receive our next issue when we publish.

Get the latest from KPMG Regulatory Insights

KPMG Regulatory Insights is the thought leader hub for timely insight on risk and regulatory developments. Get the latest perspectives on evolving supervisory, regulatory, and enforcement trends. 

To receive ongoing KPMG Regulatory Insights, please submit your information below:
(*required field)

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline