Same Ad, Different State, Different Risk: A Multi-State Marketing Compliance Guide for Banks
Here is a scenario that should be uncomfortable for any bank running marketing across multiple states.
Your team launches a digital campaign for a new savings account. The headline: “High-yield savings. Your money, working harder.”
The rate is real: 4.5% APY. Disclosures are present. Legal reviewed it. Compliance signed off. No prohibited terms. By every measure your review process uses, the ad is clean.
What the headline doesn’t surface: the 4.5% rate applies only to balances under $10,000. Above that threshold, the rate drops to 0.5%. The tiered structure is in the terms and conditions, linked from the landing page.
Six months later, a state regulator opens an inquiry.
Nothing in the ad changed. The compliance problem wasn’t in the words. It was in where the words landed, who was reviewing them, and what standard that reviewer applied. In a multi-state marketing environment, those three variables are no longer uniform. They haven’t been for some time, and the gap is widening.
*The following scenario is illustrative and does not describe any specific institution, product, or enforcement action. The compliance dynamics it reflects are drawn from documented regulatory patterns and real enforcement activity.
The Patchwork Is the Problem
Most bank compliance programs are built around a federal baseline: OCC guidance, FDIC examination standards, the UDAAP handbook. That baseline is real, necessary, and still applies. The issue is that it now represents the floor of the compliance requirement, not the ceiling.
A bank running marketing across California, New York, New Jersey, and Texas is operating under four different enforcement frameworks simultaneously. Each state has its own consumer protection statute, its own interpretation of what “unfair” and “deceptive” mean in practice, and its own enforcement calendar that operates independently of federal examination cycles.
The practical consequence: an ad that clears federal-standard review can still produce enforcement exposure in one or more of the states where consumers see it. Not because the ad is misleading, but because the states where it runs apply different standards to the same claim.
That’s the patchwork. And it’s not static. Several developments in the past six months have made it significantly more complex.
What Changed and Where
New York: The FAIR Business Practices Act (effective February 2026)
For 45 years, New York’s primary consumer protection statute, General Business Law Section 349, prohibited only deceptive acts or practices. In December 2025, Governor Hochul signed the FAIR Business Practices Act, updating Section 349 for the first time in four decades.
The change is substantial. The New York AG can now pursue enforcement actions for conduct that is unfair or abusive, not just deceptive. An unfair act or practice is defined as one that causes or is likely to cause substantial injury to consumers that they cannot reasonably avoid and is not outweighed by countervailing benefits. An abusive act or practice is one that materially interferes with a consumer’s ability to understand the terms of a product or takes unreasonable advantage of their situation.
Neither definition requires a false statement. A marketing claim can be factually accurate, fully disclosed, and legally reviewed and still be challenged as unfair or abusive if the overall consumer experience produces substantial harm that wasn’t reasonably avoidable. It’s worth noting that the unfair and abusive enforcement authority under the FAIR Act belongs exclusively to the AG—the private right of action under GBL Section 349 remains limited to deceptive acts.
The AG has signaled enforcement priorities including auto lenders, mortgage servicers, student loan servicers, and marketing practices that take advantage of consumers with limited English proficiency. That last category is particularly relevant for banks running digital campaigns across diverse urban markets in New York.
California: SB 825 (effective January 1, 2026)
Before SB 825, state-chartered banks in California had a defensible argument that their state banking license exempted them from direct DFPI enforcement of UDAAP violations under the California Consumer Financial Protection Law. SB 825 removed that specific exemption.
To be precise about what changed: the broader CCFPL exemption for state-chartered banks otherwise remains in place. What SB 825 eliminated is the UDAP enforcement shield—meaning the DFPI can now independently pursue unfair, deceptive, or abusive marketing practices against state-chartered banks without a federal referral, even while those banks remain exempt from other CCFPL provisions. The DFPI opened 699 CCFPL-related investigations in 2024, a 12% increase over the prior year, and has explicitly stated it will expand enforcement wherever the federal government has pulled back.
For nationally chartered banks, the direct DFPI jurisdictional reach is more limited because OCC preemption still applies to core banking activities. But the DFPI’s enforcement authority extends to fintech partners and service providers regardless of charter type. A nationally chartered bank whose fintech partner markets the bank’s products in California may not be automatically insulated from DFPI scrutiny of that partner’s content—an area that continues to develop in practice.
New Jersey: AG Enforcement Statement (June 15, 2026)
On June 15, 2026, the New Jersey AG issued a comprehensive enforcement statement signaling an aggressive posture toward fee disclosure and pricing transparency under the state Consumer Fraud Act. The statement applies to consumer financial services broadly and advances an expansive interpretation of the CFA that goes beyond traditional disclosure issues—reflecting the same enforcement philosophy that state AGs have increasingly adopted as federal consumer protection activity has contracted. A tiered-rate product marketed with a headline rate and threshold conditions that aren’t prominently surfaced is consistent with the disclosure-first standard the NJ AG has articulated.
The Same Ad, Four Different Reviews
Return to the ad: “High-yield savings. Your money, working harder.”
Federal baseline (OCC/FDIC): The review asks whether the rate claim is accurate and whether Regulation DD disclosures are present. The 4.5% rate is real. The tiered structure is disclosed in linked terms. The ad passes.
California (DFPI, SB 825): The DFPI evaluates the full consumer experience — not just whether a disclosure exists, but whether a reasonable consumer would encounter it in a way that meaningfully informed their decision. A consumer depositing $50,000 based on a “high-yield savings” headline who earns a rate significantly lower than the headline figure on most of their balance raises questions that regulators evaluating the full consumer experience may not consider resolved by a linked disclosure alone. The DFPI now has independent authority to pursue that question without a federal referral.
New York (FAIR Act): The NY AG can now pursue conduct that is unfair, defined as causing substantial injury consumers cannot reasonably avoid, not just conduct that is deceptive. A consumer who opened the account based on the “high-yield” headline, deposited above the $10,000 threshold, and earned a rate significantly lower than the headline figure suggested has a plausible unfairness argument even if nothing in the ad was technically false.
New Jersey (AG Enforcement Statement): The NJ AG’s June 2026 statement signals an aggressive enforcement posture toward pricing transparency and fee disclosure under the Consumer Fraud Act. A tiered-rate product marketed with a headline rate and threshold conditions that aren’t prominently surfaced is consistent with the disclosure-first standard the NJ AG has articulated—and with the enforcement philosophy state AGs have increasingly adopted as federal activity has contracted.
Four regulators. Four different questions. Four different enforcement timelines. One ad that cleared compliance review every time it ran.
The Compounding Problem: Content You Don’t Control
The patchwork problem is difficult enough for owned marketing channels. It becomes significantly harder when partner content, affiliate placements, and third-party publisher pages are factored in.
PerformLine’s benchmark analysis of the top leading U.S. banks reveals web pages promoting those banks’ products across the open web, the majority of channels the compliance team didn’t publish and may not have known existed. State regulators don’t limit their review to a bank’s owned website. They evaluate the consumer experience wherever it occurs, including comparison sites, affiliate pages, and partner marketing materials.
AI-generated content adds another layer to this problem. A loan officer using an AI tool to draft social posts, a partner bank generating product descriptions with a large language model, or a comparison site auto-generating rate summaries from a data feed—none of that content goes through a compliance review queue. It surfaces on channels your team isn’t monitoring, in states with standards your review process wasn’t built for, often before anyone knows it exists. The multi-state patchwork doesn’t get easier when content is being generated at scale outside your review workflow.
A compliance program that reviews content before it goes live on owned channels doesn’t address any of this. The content that created the exposure may have gone live on a partner’s site six months ago, in a state the bank’s team wasn’t tracking, under a standard they didn’t know applied.
Do you know what AI is saying about your brand? Learn more about AI Response Monitor
What Multi-State Compliance Actually Requires
The gap isn’t intent or effort. It’s architecture. A compliance program designed around federal examination readiness has a different structure than one designed around continuous multi-state enforcement risk. Three things distinguish the latter:
Jurisdiction-aware review. Content reviewed only against OCC or FDIC standards will miss exposure in states with more expansive standards. Review processes need to account for where content will run, not just what it says.
Continuous discovery alongside pre-publication review. Pre-publication review is where compliance programs should start; it’s the clearest opportunity to stop a problem before it reaches consumers. But reviewed and approved doesn’t mean monitored. Content evolves after publication, surfaces on third-party channels, and reaches consumers in states with standards the original review didn’t account for. The compliance programs best positioned for state AG scrutiny combine pre-publication control with ongoing discovery of what’s actually in market across every channel where the brand appears.
Documentation that survives an inquiry. State AG investigations are not scheduled examinations. They don’t follow predictable calendars or published guidance documents. When an inquiry arrives, the first question is whether the institution can demonstrate a functioning compliance program: review records, remediation history, monitoring cadence, across the period under review. Banks that can produce that documentation are in a materially different position than those that can’t.
The Honest Assessment
Building a federal-standard compliance program is not a mistake. That investment is real, necessary, and still required. The issue is that it no longer covers the full scope of marketing risk for a bank operating across multiple states.
The CFPB’s pullback didn’t reduce that risk. It redistributed enforcement authority to state regulators who are actively filling the gap, hiring former federal enforcement staff, coordinating across state lines, and pursuing cases the federal government has deprioritized. The bank that was optimized for OCC examination is now being evaluated by a different set of standards, on a different timeline, by regulators it may not have been tracking.
The banks best positioned for this environment can answer two questions with confidence: Do we know everywhere our brand appears? And can we demonstrate, on demand, how we identified and addressed compliance issues across all of it?
If the answer to either is uncertain, that’s where to start.
See Where Your Bank’s Marketing Actually Appears
PerformLine’s Marketing Compliance Risk Snapshot shows you exactly where your institution’s brand is being promoted across the web, on channels you own, channels you partner with, and channels you may not know exist, along with which issues are most prevalent for banks in your market.
