Welcome to the latest Enforcement Actions Roundup, a monthly post where our regulatory experts review recent enforcement actions to explain what went wrong for the institution and how your institution can avoid similar issues.
The Enforcement Actions Roundup includes two key elements:
Let’s dive in.
Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | |
CFPB | 1 | 2 | 2 | 1 | ||||||
OCC | 2 | 1 | 1 | 1 | ||||||
FRB | ||||||||||
FDIC | 3 | 1 | 1 | |||||||
NCUA |
Please note that a single enforcement action may be included under multiple topics.
There were no institutional enforcement actions in February by the CFPB.
The OCC found unsafe or unsound practices regarding a bank’s compliance management, fair lending risk management, insider activities, compensation practices, recordkeeping practices, and compensation limitations. The formal agreement focused on remedial activities surrounding the institution’s consumer compliance program, insider activities, and compensation program.
Management, leadership, and the Board must have the required knowledge and expertise for their positions. The Board must possess a variety of knowledge and experience to ensure proper governance, risk management, and compliance with laws and regulations. Gaps in knowledge and expertise inevitably lead to other violations.
There were additional Board-related issues, including the institution’s compensation program. The OCC prohibits excessive compensation and considers the combined value of all cash and non-cash benefits provided, the compensation history of the individual and other individuals with comparable expertise at the institution, the institution’s financial condition, comparable compensation practices at similar institutions, and more. The agency evaluates the reasonableness of all compensation, such as whether the compensation for each officer and director is market-based, reasonable, and proportionate to the services rendered; considers the bank’s condition; and determines whether incentive compensation practices comply with OCC guidelines.
The OCC entered into an agreement with a bank after the agency found deficiencies in the institution’s strategic and capital planning, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risk management, oversight of payment activities, credit administration, and concentration risk management. Specifically, the bank’s BSA/AML program deficiencies included failures surrounding its written customer identification program (CIP), suspicious activity reporting (SAR) requirements, and risks associated with providing prepaid card products.
In recent decades, there has been a significant increase in the use of prepaid card products. Institutions are using third-party program providers to manage those programs, but that does not alleviate regulatory compliance requirements. Institutions must select reputable partners that understand the regulatory obligations of the financial institution and conduct proper onboarding and monitoring of those partners.
Prepaid card programs present a higher risk because of the inherent anonymity, so institutions should be vigilant in monitoring for possible illegal activity. Common red flags for prepaid cards can include transactions involving high-risk jurisdictions or countries subject to sanctions, unusual geographic patterns or cross-border movement of funds, and transactions that appear to avoid typical reporting requirements, such as using multiple cards to stay below thresholds.
There were no institutional enforcement actions in February by the FRB.
The FDIC issued three enforcement actions against banks for violations of the Flood Disaster Protection Act of 1973 (FDPA). One institution failed to obtain flood insurance on a building securing a designated loan at the time of origination, two failed to provide borrowers a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance, and all three institutions failed to comply with the force-placed flood insurance requirements. All three institutions were assessed civil money penalties for their violations.
Last year, the FDIC and FRB had over 15 FDPA enforcement actions combined, with force-placement violations being a leading issue. If an institution determines that a property is not covered by flood insurance or lacks sufficient coverage, it must notify the borrower to obtain insurance at their expense. If the borrower does not comply within 45 days, the institution must charge the borrower for the cost of the premiums and fees. If the borrower obtains their own coverage and provides proof, the institution must cancel any insurance it purchased and refund any overlapping premiums within 30 days.
To prevent similar violations, ensure policies and procedures require insurance coverage verification and provide employee training so everyone knows flood policy requirements. Also test, monitor, and audit for flood insurance requirements.
The FDIC, in partnership with the California Department of Financial Protection and Innovation (CDFPI), issued a consent order against a bank for BSA violations related to the institution’s Merchant Services Program and relationships with Independent Sales Organizations (ISOs) and Sub-ISOs. Additionally, the institution lacked a qualified individual to oversee the AML/CFT program requirements.
This enforcement action highlights the importance of understanding your customer’s risk profile and having a highly qualified AML/CFT officer. This individual is responsible for ensuring that your institution has risk-based customer due diligence (CDD) policies and procedures, which can help your institution avoid exposure to bad actors or detect and report unusual or suspicious activity. Additionally, your institution must ensure that there are enhanced due diligence (EDD) or ongoing due diligence procedures for consumers that pose a higher risk to your institution.
Another crucial factor is continued training and education at your institution. Banks must provide training to appropriate personnel commensurate with the institution’s risk profile, and that training must include regulatory updates to the rule, guidance, best practices, and more.
The FDIC, in connection with the Washington Department of Financial Institutions (WDFI), issued a consent order against a bank for unsafe or unsound banking practices relating to Board and senior management oversight, credit underwriting and administration, internal audit, and information technology.
Institutions that find themselves in similar waters will have to do some heavy lifting in updating oversight and lending and collection policies. Sound lending policies and procedures require complete loan documentation, including borrower information, financial information, copies of tax returns, etc. Additionally, policies and procedures must consider a borrower’s ability to repay and set out realistic repayment terms, so borrowers are set up for success. Lastly, institutions should consider creating a loan “watch list” for risky loans to establish a forward-looking approach to loan reviews.
The FDIC and the Rhode Island Department of Business Regulation, Division of Banking (DBR), issued an enforcement action against a bank for allegedly charging illegal fees for Small Business Administration 7(a) loans. The bank worked with a loan referral agent who referred small businesses to the bank for SBA loans but charged fees in excess of the referral agreement and failed to accurately disclose fees. This was done intentionally, with both the CEO and COO having knowledge of the illegal activity.
As a result, a $3.5 million restitution penalty was levied against the bank. The bank is also required to dispose of all SBA loans in its portfolio or ensure the maintenance of all servicing rights and obligations associated with its SBA loans and comply with required IT infrastructure and document and data retention requirements. Additionally, the bank intends to terminate deposit insurance and surrender its banking charter.
The SBA 7(a) lending program is designed to assist high-risk, small business borrowers that have demonstrated an inability to secure credit from other sources. There are certain fees that can be charged in connection with these loans, such as reasonable servicing fees, late fees, and fees for necessary out-of-pocket expenses.
However, lenders and associates may not charge borrowers for referral fees or additional compensation that is not permitted by the SBA. An applicant can choose to employ an agent to represent the applicant, but all charges must have a necessary and reasonable relationship to the services performed. Lastly, lenders must accurately disclose those fees to the borrower, including the services performed and the amount of each fee paid by the applicant for those services.
Lenders should review 13 CFR § 120.221 on charging fees and ensure that policies and procedures prevent misconduct or violation of the SBA’s requirements.
There were no institutional enforcement actions in February by the NCUA.