Diverging state-level rules splinter bank regulatory compliance

DragonImages - stock.adobe.com

When regulators drafted guidance in the wake of the 2008 global financial crisis, establishing requirements for enterprise-wide compliance programs, they envisioned a relatively unified regulatory landscape where federal guidelines provided clear direction. That policy statement provided guidance for financial services firms on board culture, conduct, roles and responsibilities, and technology compliance. As one of the original authors, I can attest that we built it on the principles established by the Basel Committee on Banking Supervision, with the goal of creating standardized frameworks that institutions could implement consistently across their operations.

That world no longer exists.

According to Wolters Kluwer's 2024 Indicator survey, banks' concerns in managing regulatory change continue to persist at high levels as state rules diverge from federal standards and from each other. This splintering regulatory environment, combined with unprecedented political uncertainty now under a new presidential administration, is forcing institutions to fundamentally rethink compliance frameworks that were designed for a more standardized era.

Recent conversations with compliance officers reveal a striking new dynamic: Institutions are analyzing their regulatory exposure through the lens of "red state" versus "blue state" requirements. One bank compliance officer recently noted with relief that their regulatory footprint was "all in red states" — a consideration that would have been unthinkable just a few years ago.

This state-level divergence creates particular challenges as veteran compliance officers who shaped post-crisis frameworks retire in growing numbers. Recent months have seen the departure of multiple senior regulators who worked on everything from Community Reinvestment Act modernization to beneficial ownership requirements. Their exits remove crucial institutional knowledge just as the regulatory environment grows more complex.

The timing couldn't be more challenging. In 2025, institutions face unprecedented uncertainty about the direction of federal regulation while simultaneously managing diverse state-level requirements. Environmental, Social and Governance (ESG) standards, consumer protection requirements and privacy regulations vary dramatically by jurisdiction. Some states mandate considerations that others explicitly prohibit. Echoing (and, perhaps, amplifying) the growing unease across the industry, the Consumer Financial Protection Bureau recently issued guidance in which it urged state attorneys general and other regulators to strengthen consumer protections. The guidance signals potential for increased state-level regulation and enforcement to counter a likely decrease in consumer protection activity from federal enforcement agencies under the new administration.

Forward-thinking institutions are adopting three key strategies to manage this new reality.

The first is establishing enhanced monitoring. Traditional compliance frameworks struggle to track rapidly evolving state-level requirements. Modern systems must be capable of monitoring multiple jurisdictions simultaneously while flagging potential conflicts. Leading companies will supplement these traditional monitoring processes by including developing legislation, enforcement actions and ongoing investigations to ensure they are not caught flat-footed.

The second is to adopt flexible implementation. Rather than trying to maintain a single standardized approach, institutions are building frameworks that can adapt to different jurisdictional requirements while maintaining consistent risk management principles. This approach allows them to anticipate and adapt to uneven state-level development of "hot-button" issues, such as legislation addressing limitations on fees, consumer contract terms and personal financial data protections.

The third is to take a deliberate approach to knowledge transfer. With the "grey tsunami" of retiring compliance professionals accelerating, institutions must focus on capturing and transferring crucial regulatory knowledge before it walks out the door. Forward-thinking organizations have detailed succession plans across all lines of business and subject matter areas as part of their compliance training programs.

The coming years will likely bring even greater regulatory complexity. Political rhetoric aside, significant changes to the regulatory landscape take time to implement. The reality is that institutions must prepare for continued uncertainty while building more flexible compliance frameworks.

The era of unified federal compliance frameworks is ending. Success in this new regulatory environment requires institutions to build more adaptable programs capable of managing multiple, often competing jurisdictional requirements. 

The foundational assumptions of modern bank compliance programs — that institutions could build standardized frameworks around consistent federal rules — have quietly crumbled. As we enter a new era of regulatory fragmentation, the ability to manage diverse and sometimes contradictory requirements across jurisdictions will become a crucial competitive advantage.

For compliance officers and risk managers, the challenge is clear: Build frameworks flexible enough to handle diverging requirements while maintaining consistent risk management principles. Those that succeed will create more resilient, adaptive compliance programs capable of navigating an increasingly complex regulatory landscape.