California has never waited for Washington to set the pace. State regulators here tend to develop their own positions, and by the time formal guidance arrives, expectations are often already well established in examination practice. For compliance officers at California banks, that pattern matters. It means the most useful question is not what the rule says today, but where regulatory attention is already pointing.
Five areas warrant attention right now. None of them are surprises. But all five are moving, and each one has practical implications for how California banks structure their compliance work.
Fee Practices Are Under a Governance Microscope
Overdraft and NSF fees have drawn sustained scrutiny in California, and the conversation has continued even as the federal approach has shifted. A recent and concrete example is the restriction on charging a fee when an ATM withdrawal is immediately declined due to insufficient funds. The transaction never completed. There was no value delivered to the consumer. The fee did not hold up.
That specific rule is narrow, but the principle it reflects is broader. California regulators are increasingly asking whether fees are defensible, not just disclosed. The question compliance officers should be comfortable answering is simple: if a consumer challenged this fee, or if a regulator asked us to explain it, what would we say? If the answer requires significant preparation, that is a signal worth taking seriously.
Fee governance works best when it is not treated as a compliance exercise after the fact. Product, compliance, legal, and operations need to be aligned on the rationale before scrutiny arrives, not after.
DFPI Is Not the Regulator It Used to Be
The Department of Financial Protection and Innovation has expanded significantly in both scope and expectations. California banks that still think of DFPI primarily as a state licensing agency are underestimating it. Today, DFPI examination work reflects strong emphasis on consumer protection, complaint trends, third-party oversight, and fintech-related activity.
One practical distinction: DFPI tends to focus on patterns, not just individual errors. An isolated mistake is different from a pattern of mistakes. The question examiners are often trying to answer is whether the bank's controls are functioning consistently, and whether management has visibility into where they are not.
That framing should shape how banks prepare. Complaint management processes, escalation pathways, and third-party governance programs deserve the same attention given to federal examination readiness. And boards and senior management benefit from understanding DFPI's current priorities, because those priorities shape the questions that will be asked.
Digital Asset Partnerships Require More Than a Contract
California's Digital Financial Assets Law expanded the compliance landscape for banks, including those that have no direct crypto offering. The connection point is often a fintech partner. Many banks have relationships with companies operating in payments, digital wallets, or adjacent spaces, and California is clear that the bank is expected to understand what those partners are actually doing, not just what the contract says they are doing.
Compliance officers should be able to answer a basic set of questions about each relevant partnership: Which vendors have direct contact with California consumers? What activities do they perform on the bank's behalf? How are consumer outcomes monitored? If those answers require going back to the vendor to find out, the oversight structure likely needs attention.
Third-party risk management programs that were designed for traditional service providers may not be adequately scoped for fintech and digital-asset relationships. That gap is worth closing now rather than at examination time.
AI Governance Is a Compliance Issue, Not Just a Technology Issue
California's privacy framework sets a high bar, and as banks increasingly rely on AI for credit decisions, fraud detection, marketing, and customer servicing, privacy and AI governance are converging. The regulatory question is not whether the technology works; it is whether the bank can explain what the technology does, what data it uses, and how consumer rights are protected when automated decisions are involved.
Compliance officers do not need to become data scientists. They do need to be able to speak to these questions plainly and confidently. That requires visibility into how AI tools are deployed, and it requires that compliance, legal, technology, and business teams are working together rather than in parallel. California has a history of setting expectations that other states eventually adopt. Getting ahead of AI governance now is both a California compliance priority and a reasonable long-term investment.
Housing and Community Investment Have Strategic Implications
California's housing shortage has driven sustained policy focus on affordable housing, ADU financing, and community reinvestment. There is ongoing discussion about a California-specific community reinvestment framework, and existing lending programs that support housing and community development are receiving closer attention from regulators regardless of where that discussion lands.
For compliance officers, the practical step is documentation. Understanding how current lending activity supports community development, and making sure that support is consistently recorded, positions the bank well whether formal requirements change or not. This is also an area where compliance and business strategy genuinely intersect. Banks that are actively engaged in California housing and community investment tend to be better positioned when the regulatory conversation advances.
What Compliance Officers Should Take Away From This
- California regulatory expectations tend to develop ahead of formal rulemaking. By the time a rule is final, examination practice has often already moved.
- Fee governance requires documented rationale, not just disclosure. The question is whether the reasoning behind fees is defensible and consistently understood internally.
- DFPI examination work is focused on patterns and governance, not just isolated findings. Complaint management and third-party oversight receive close review.
- Fintech and digital-asset partnerships require active monitoring. Contractual language does not substitute for real oversight of what partners are actually doing.
- AI governance is a cross-functional compliance responsibility. Compliance officers need visibility into how automated tools are used and the ability to explain them plainly.
- Community investment documentation is worth maintaining now. It supports both regulatory readiness and the bank's ability to demonstrate its role in the communities it serves.
Closing Thoughts
California compliance is not about being first to every rule. It is about understanding where expectations are forming and building programs that are ready when those expectations sharpen. Each of these five areas reflects where that process is already underway. The compliance officers who are paying attention now will be better positioned than those who wait for the formal signal.