Welcome to the latest Enforcement Actions Roundup, a monthly post where our regulatory experts review recent enforcement actions to explain what went wrong for the institution and how your institution can avoid similar issues.
The Enforcement Actions Roundup includes two key elements:
- The Enforcement Actions Tracker keeps a running total of enforcement actions by agency, broken down by overall category and by the individual topics each action addresses. This makes it easy to pick out enforcement trends and hot topics.
- The Enforcement Deep Dive reviews each enforcement action to understand what happened, key takeaways, and controls you should review at your institution to avoid making the same mistake.
Let’s dive in.
2025 Enforcement Actions Tracker
| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration |
|---|---|---|---|---|---|---|---|---|---|---|
| CFPB | 1 | 2 | | | 2 | 1 | | | | |
| OCC | | | 2 | | | | 1 | | 1 | 1 |
| FRB | | | | | | | | | | |
| FDIC | | | | 3 | | | | 1 | 1 | |
| NCUA | | | | | | | | | | |
Please note that a single enforcement action may be included under multiple topics.
Enforcement Action Deep Dive: February 2025
CFPB Enforcement Actions
There were no institutional enforcement actions in February by the CFPB.
OCC Enforcement Actions
OCC Finds Issues with Bank’s Compliance Management and Board-related Activities
The OCC found unsafe or unsound practices regarding a bank’s compliance management, fair lending risk management, insider activities, compensation practices, recordkeeping practices, and compensation limitations. The formal agreement focused on remedial activities surrounding the institution’s consumer compliance program, insider activities, and compensation program.
Takeaways
Management, leadership, and the Board must have the required knowledge and expertise for their positions. The Board must possess a variety of knowledge and experience to ensure proper governance, risk management, and compliance with laws and regulations. Gaps in knowledge and expertise inevitably lead to other violations.
There were additional Board-related issues, including the institution’s compensation program. The OCC prohibits excessive compensation and considers the combined value of all cash and non-cash benefits provided, the compensation history of the individual and other individuals with comparable expertise at the institution, the institution’s financial condition, comparable compensation practices at similar institutions, and more. The agency evaluates the reasonableness of all compensation, such as whether the compensation for each officer and director is market-based, reasonable, and proportionate to the services rendered, considers the bank’s condition, and determines whether incentive compensation practices comply with OCC guidelines.
Controls to Evaluate
- Adequate Compliance Management System: The Compliance Management System ensures compliance with all applicable state and federal laws and regulations. The program is well-documented and reviewed periodically. The program includes active tracking of emerging, new, and changed regulations. The program consists of requirements for appropriate staffing within the Compliance Department and training for all employees, agents, management, and the Board. The CMS also assists in avoiding unfair, deceptive, or abusive practices.
- Compensation Program Reviews: The Compensation Committee meets periodically to review compensation or incentive programs, overall benefits, and compensation levels for directors, executive officers, employees, and principal shareholders. The Committee reviews the information to ensure that compensation and benefits are appealing, reasonable, fair, equitable, and consistent with regulatory guidelines and applicable regulations. External salary surveys are reviewed periodically to ensure employee salaries are in line with market rates. The Committee reports to the Board periodically.
- Consistent Internal Audits: The internal audit (IA) function is completed in a timely manner and documented thoroughly by competent personnel who report regularly to the Board. IA provides independent assurance to the Board and should support the Board and senior management in promoting an effective governance process and the long-term soundness of the FI.
OCC Cracks Down on BSA/AML Compliance for Bank’s Prepaid Card Program
The OCC entered into an agreement with a bank after the agency found deficiencies in the institution’s strategic and capital planning, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk management, oversight of payment activities, credit administration, and concentration risk management. Specifically, the bank’s BSA/AML program deficiencies included failures surrounding its written customer identification program (CIP), suspicious activity report (SAR) requirements, and risks associated with providing prepaid card products.
Takeaways
In recent decades, there has been a significant increase in the use of prepaid card products. Institutions are using third-party program providers to manage those programs, but that does not alleviate regulatory compliance requirements. Institutions must select reputable partners that understand the regulatory obligations of the financial institution and conduct proper onboarding and monitoring of those partners.
Prepaid card programs present a higher risk because of the inherent anonymity, so institutions should be vigilant in monitoring for possible illegal activity. Common red flags for prepaid cards can include transactions involving high-risk jurisdictions or countries subject to sanctions, unusual geographic patterns or cross-border movement of funds, and transactions that appear to avoid typical reporting requirements, such as using multiple cards to stay below thresholds.
Controls to Evaluate
- AML/CFT Compliance: A comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Compliance Program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities.
- Appropriate Documentation and Updates: All aspects of the AML/CFT Program are well documented and regularly reviewed and updated to address emerging risks and regulatory changes.
- Regular AML/CFT Risk Assessments: Comprehensive AML and CFT risk assessments are conducted regularly. The risk assessment is performed at least annually and whenever significant changes in the business environment, regulatory changes, or operations occur. The risk assessment methodology includes an analysis of money laundering risk (customer, product and services, geographic and transaction risk), terrorist financing (customer relationships, transaction patterns, geopolitical factors), other illicit financial risk (fraud, corruption, tax evasion) and sanctions risk (individuals and entities, countries, screening processes).
- New Product Risk Assessment: The New Product Risk Assessment process includes evaluating AML/CFT and other compliance-related risks when designing and implementing new products, including sanction-related risks. In addition, it includes identifying mitigating controls prior to implementing any new products or services.
FRB Enforcement Actions
There were no institutional enforcement actions in February by the FRB.
FDIC Enforcement Actions
Flood Insurance Failures Lead to FDIC Penalties at Three Banks
The FDIC issued three enforcement actions against banks for violations of the Flood Disaster Protection Act of 1973 (FDPA). One institution failed to obtain flood insurance on a building securing a designated loan at the time of origination, two failed to provide borrowers a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance, and all three institutions failed to comply with the force-placed flood insurance requirements. All three institutions were assessed civil money penalties for their violations.
Takeaways
Last year, the FDIC and FRB had over 15 FDPA enforcement actions combined, with force-placement violations being a leading issue. If an institution determines that a property is not covered by flood insurance or lacks sufficient coverage, it must notify the borrower to obtain insurance at their expense. If the borrower does not comply within 45 days, the institution must charge the borrower for the cost of the premiums and fees. If the borrower obtains their own coverage and provides proof, the institution must cancel any insurance it purchased and refund any overlapping premiums within 30 days.
To prevent similar violations, ensure policies and procedures require insurance coverage verification and provide employee training so everyone knows flood policy requirements. Also test, monitor, and audit for flood insurance requirements.
Controls to Evaluate
- Updated Flood Insurance Policies: Flood insurance policies and procedures are in place and reviewed periodically. Roles and responsibilities should be clearly defined, and policies and procedures should be communicated to all staff. Procedures include (a) pulling flood determinations for loans that will be secured by real estate; (b) requiring flood insurance for real estate-secured loans in a designated flood zone before loan closing; (c) notification to customers of flood insurance requirements; (d) review process to ensure proper flood insurance is in place before loan closing and for the duration of the loan; (e) monitoring loans to ensure that flood insurance coverage is maintained for the entire duration of the loan; (f) flood insurance renewal monitoring and tracking; (g) force placement insurance requirements and customer notification processes; (h) maintaining documentation of flood insurance policies in the loan file, including proof of coverage and policy details.
- Adequate Training: All staff involved in flood insurance processes receive ongoing training to stay abreast of changes in requirements.
- Compliance Reviews: The Compliance department periodically performs a review to ensure compliance with Flood Insurance requirements.
FDIC, CDFPI Issue Cease and Desist Order Over BSA Violations
The FDIC, in partnership with the California Department of Financial Protection and Innovation (CDFPI), issued a consent order against a bank for BSA violations related to the institution’s Merchant Services Program and relationships with Independent Sales Organizations (ISOs) and Sub-ISOs. Additionally, the institution lacked a qualified individual to oversee the AML/CFT program requirements.
Takeaways
This enforcement action highlights the importance of understanding your customer’s risk profile and having a highly qualified AML/CFT officer. This individual is responsible for ensuring that your institution has risk-based customer due diligence (CDD) policies and procedures, which can help your institution avoid exposure to bad actors or detect and report unusual or suspicious activity. Additionally, your institution must ensure that there are enhanced due diligence (EDD) or ongoing due diligence procedures for consumers that pose a higher risk to your institution.
Another crucial factor is continued training and education at your institution. Banks must provide training to appropriate personnel commensurate with the institution’s risk profile, and that training should include regulatory updates to the rule, guidance, best practices, and more.
Controls to Evaluate
- Comprehensive AML and CFT Compliance Programs: The Anti-Money Laundering and Countering the Financing of Terrorism Compliance programs should include robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. All aspects of the AML/CFT Program are well documented and regularly reviewed and updated to address emerging risks and regulatory changes.
- Enhanced Due Diligence: EDD procedures define both when and what additional customer information will be collected based on the customer risk profile and the specific risks posed.
- Comprehensive Merchant Services Program: The program should include Board of Directors reporting requirements related to AML/CFT compliance and BSA-related issues that identify compliance gaps and the need for corrective action. In addition, the program includes requirements for the AML/CFT Officer to review any Independent Sales Organizations (ISOs) that are part of the program. The AML/CFT Officer review includes evaluating the ISO's AML/CFT Program and documentation. The AML/CFT Officer also assesses the overall Merchant Services Program, which includes an assessment of the current risk environment and an evaluation of the effectiveness of controls.
Oversight and Lending and Collection Policies Lead to FDIC, WDFI Consent Order
The FDIC, in connection with the Washington Department of Financial Institutions (WDFI), issued a consent order against a bank for unsafe or unsound banking practices relating to Board and senior management oversight, credit underwriting and administration, internal audit, and information technology.
Takeaways
Institutions that find themselves in similar waters will have to do some heavy lifting in updating oversight and lending and collection policies. Sound lending policies and procedures require complete loan documentation, including borrower information, financial information, copies of tax returns, etc. Additionally, policies and procedures must consider a borrower’s ability to repay and set out realistic repayment terms, so borrowers are set up for success. Lastly, institutions should consider creating a loan “watch list” for risky loans to establish a forward-looking approach to loan reviews.
Controls to Evaluate
- Comprehensive Allowance for Credit Losses (ACL): These policies and procedures should be periodically reviewed and updated as needed.
- Established Appraisal Management Program: Commercial and retail loan policies include requirements for risk rating, loan review, and problem loan management.
- Comprehensive Underwriting Memo for Insider Loans: This includes analysis of market rate, term, collateral type/valuation/LTV (loan-to-value), DTI (debt-to-income)/cash flow, credit score, etc. to ensure that the terms are comparable to non-insider transactions. In addition, the memo includes a total aggregation of credit extensions for the insider to ensure compliance. The memo is presented to the Board for pre-approval.
Bank to End SBA Loans After FDIC, Rhode Island Department of Business Regulation Action
The FDIC and the Rhode Island Department of Business Regulation, Division of Banking (DBR), issued an enforcement action against a bank for allegedly charging illegal fees for Small Business Administration 7(a) loans. The bank worked with a loan referral agent who referred small businesses to the bank for SBA loans but charged fees in excess of the referral agreement and failed to accurately disclose fees. This was done intentionally, with both the CEO and COO having knowledge of the illegal activity.
As a result, a $3.5 million restitution penalty was levied against the bank. The bank is also required to dispose of all SBA loans in its portfolio or ensure the maintenance of all servicing rights and obligations associated with its SBA loans and comply with required IT infrastructure and document and data retention requirements. Additionally, the bank intends to terminate deposit insurance and surrender its banking charter.
Takeaways
The SBA 7(a) lending program is designed to assist high-risk, small business borrowers that have demonstrated an inability to secure credit from other sources. There are certain fees that can be charged in connection with these loans, such as reasonable servicing fees, late fees, and fees for necessary out-of-pocket expenses.
However, lenders and associates may not charge borrowers for referral fees or additional compensation that is not permitted by the SBA. An applicant can choose to employ an agent to represent the applicant, but all charges must have a necessary and reasonable relationship to the services performed. Lastly, lenders must accurately disclose those fees to the borrower, including the services performed and the amount of each fee paid by the applicant for those services.
Lenders should review 13 CFR § 120.221 on charging fees and ensure that policies and procedures prevent misconduct or violation of the SBA’s requirements.
Controls to Evaluate
- Knowledgeable Lending Staff: Ensure lending staff are skilled, knowledgeable, and trained to understand the credit, operational, and compliance risks related to Small Business Administration (SBA) lending.
- Comprehensive Small Business Administration Lending Program: Ensure SBA lending program policies and procedures are in place and are reviewed periodically, and roles and responsibilities are clearly defined.
NCUA Enforcement Actions
There were no institutional enforcement actions in February by the NCUA.
Additional Enforcement Actions
FDIC
- FDIC-24-0086b (Signed January 1, 2025; Announced February 28, 2025): For unsafe and unsound banking practice and capital planning failures.
