State Regulators Step into Perceived Gaps Left by Federal Agencies
Stephanie Lyon is senior vice president at Ncontracts, Brentwood, Tenn.

The regulatory ground is shifting beneath financial institutions, and compliance officers who aren’t paying attention to state-level enforcement are in for an unpleasant surprise.
As federal agencies recalibrate their priorities and enforcement approaches, state regulators and attorneys general are asserting authority with increasing confidence.
This isn’t speculation. In July 2025, the Massachusetts Attorney General secured a $2.5 million settlement with a lender over alleged unfair and deceptive lending and AI-related practices, requiring changes to underwriting and compliance processes. Two months earlier, a consortium of 53 state regulators, led by Texas, announced a $20 million settlement with a nonbank mortgage company over cybersecurity failures that affected 6 million customers. These actions signal a clear message: state regulators are not waiting for federal direction.
The fair lending landscape illustrates the shift most dramatically. When a 2025 Executive Order directed federal agencies to stop using disparate impact theory in civil rights enforcement, observers predicted a federal pullback. State regulators viewed it differently: an invitation to step up. Attorneys general in Illinois, New York, California, and Massachusetts began leveraging state discrimination laws that explicitly retain disparate impact standards. The risk hasn’t disappeared; it’s simply moved jurisdiction.
Section 1071 of the Dodd-Frank Act offers another case study in state regulatory independence. While the CFPB has proposed pushing the federal compliance deadline to January 2028 and adjusting requirements, New York implemented its own version that took effect in 2026. Financial institutions operating in New York now navigate state-specific data collection mandates regardless of federal timelines. What’s compliant in Texas may violate New York law, forcing institutions to maintain state-by-state compliance frameworks.
Data privacy demonstrates the pattern clearly. Without comprehensive federal legislation, California enacted its Consumer Privacy Act, and New York passed the SHIELD Act, among the nation’s most stringent data protection requirements. These laws apply broadly to institutions doing business and serving customers in those states, regardless of where they’re headquartered. A South Carolina bank expanding into Massachusetts must suddenly meet Massachusetts data privacy standards, even if South Carolina’s requirements are minimal. Previous CFPB leadership actively encouraged states to adopt consumer data protections, essentially backing state-level action where federal standards remain uncertain.
State enforcement extends into mortgage lending, consumer protection, and even account management. Following executive actions on “debanking,” the Small Business Administration sent letters to over 5,000 institutions demanding customer reinstatements and compliance reports by specific deadlines. State regulators reinforced these expectations through their own channels, requiring institutions to demonstrate fair banking practices with risk-based frameworks, detailed documentation, and consistent policy application.
The compliance challenge for multi-state operations has become genuinely complex. What Maryland regulators prioritize differs substantially from the expectations in Utah or Washington. State fair lending laws, usury caps, and consumer protection statutes vary widely. A practice that complies with one state’s laws may violate another state’s outright. States use different data-collection, reporting, and submission formats, and set different timelines, even for similar regulatory objectives. Federal rules establish hundreds of requirements. States may choose to heighten these standards in certain areas, creating conflicts. Ultimately, institutions must navigate change without timely or clear guidance.
This regulatory reality demands a fundamentally different compliance approach. Institutions need to comprehensively map their state regulatory exposure, identifying every jurisdiction in which they operate through branches, online services, or lending activities, and documenting applicable consumer protection laws, fair lending requirements, data privacy mandates, and recent enforcement actions. Monitoring state regulatory activity requires systematic tracking of attorney general enforcement priorities, new legislation, banking department guidance, settlements, and proposed rules.
Compliance management systems must accommodate state-level variation: policies updated to address federal and state requirements, training on state-specific obligations, monitoring of state law compliance, complaint management, issue tracking by state, and regulatory change processes that identify and implement state regulatory changes. Risk assessments need state-by-state fair lending analysis, jurisdiction-specific complaint reviews, assessment of state enforcement trends, and evaluation of state data privacy compliance.
The institutions that underestimate this shift will pay for it, literally. State enforcement actions carry substantial financial penalties, reputational damage, and operational disruption. More importantly, they signal compliance weaknesses that federal regulators may also scrutinize. The institutions that thrive will be those that build robust multi-jurisdictional programs, invest in state compliance infrastructure, establish direct relationships with state regulators, and treat state requirements as strategic priorities rather than afterthoughts.
State regulatory efforts show no signs of reversing. Federal policy uncertainty creates ongoing openings for state action. State legislatures are actively considering financial services legislation on topics ranging from limiting “junk fees” to improving small-business lending transparency to regulating the use of AI decision-making models. Attorneys general increasingly view financial services enforcement as a consumer protection priority. Voters and advocates push state officials to act when they perceive gaps in federal policy. Courts have generally upheld the states’ authority to enforce consumer protection laws, even in areas subject to federal oversight.
The compliance landscape continues to change. State regulators aren’t just filling perceived federal gaps. They’re asserting independent authority with real enforcement teeth. Institutions operating in multiple states face a new reality in which compliance means navigating a patchwork of state requirements that may conflict, overlap, or simply differ, without a clear hierarchy. Technology can help manage this complexity through automated tracking, tailored updates, and jurisdiction-specific reporting, but there’s no substitute for strategic commitment to multi-state compliance.
The question isn’t whether the federal government will begin enforcement in 2026. It’s whether your institution is prepared to manage the emerging compliance risk you didn’t see coming from regulators you weren’t watching closely enough.
(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes submissions from member firms. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)
