Is your financial institution (FI) reviewing and learning from recent enforcement actions?
As a former compliance officer, I’ve learned that reviewing enforcement actions is a crucial, yet often overlooked, part of an effective compliance management program.
When I worked at a financial institution, one of my tasks was bringing regulatory actions to our FI’s committees and reporting key developments to the board — whether related to the Bank Secrecy Act (BSA) and anti-money laundering (AML), flood insurance, or other areas.
However, reporting these events is only the starting point. What’s equally important is asking: Could this happen to us? It’s not just about staying informed — it’s about using enforcement actions as a lens to strengthen your institution’s controls and foster a culture of improvement.
Let’s explore how to assess enforcement actions, review controls, establish ongoing monitoring, and carry out the other key steps that raise your compliance program to the next level.
First, you need to identify new enforcement actions. The Ncontracts Enforcement Action Tracker highlights the latest enforcement actions from the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, and other regulatory agencies.
Once you’ve found a relevant enforcement action, conduct an impact analysis to understand how the same findings could affect your FI’s compliance program, resource management, customers/members, and other departments.
Internal controls are vital in managing compliance and operational risk by helping FIs proactively identify, mitigate, and respond to regulatory and operational risks.
The Enforcement Action Tracker features a Controls to Evaluate section to help your FI assess whether it has appropriate controls to address the risks identified in regulatory enforcement actions. Drawn from our team’s experience managing compliance and risk at financial institutions, these controls are available in the Nrisk control library. They can be embedded into risk assessments, enabling you to assign control assessments, measure effectiveness, and document outcomes with supporting evidence.
As you review controls, consider these questions:
Pro tip: If you use Nrisk, you can assign control assessments to designated team members and stay updated on their progress.
Once the proper controls are in place, it’s time to check your policies and procedures. Are they sufficient, or do they need to be updated?
For example, if you implement a new control — such as one for new product risk assessments — there should be a corresponding procedure that clearly outlines how the control should be executed. This involves not only developing and documenting a policy and procedure but also communicating it across the organization.
A key component of communication is proper training. Targeted training is critical to successfully implementing policies and procedures. Consider which of your FI’s departments and individuals need to receive training on a specific control, relevant compliance requirements, and policies and procedures.
In some cases, the board may need training. As noted in The Upside of Compliance by Stephanie Lyon and Michael Berman, “If appropriately crafted and communicated to the right staff, policies can help the board deliver the institution’s culture of compliance and establish essential risk management principles.”
Once you’ve implemented, communicated, and offered training related to a control, your job isn’t done. You need to continuously test and monitor that control to ensure it's working as intended. Check in 60 to 90 days after implementation to determine its effectiveness. When you identify an issue or control deficiency, document it and take corrective action.
As part of your FI's compliance management lifecycle, ongoing monitoring and testing will help your program remain effective and adapt to changing risks or conditions. Testing can also show where a control should be redesigned; for example, replacing a manual control with an automated, system-based one is more efficient and saves your FI valuable time and resources.
Compliance activities aren’t restricted to the compliance department. Getting feedback from stakeholders across your organization can help identify if the controls are working or if they need adjustments or improvements.
Cross-departmental collaboration — which is a key component of a strong compliance management system — also helps ensure you’re not operating in a silo.
Regulators emphasize the importance of a risk-based compliance program. Initial and ongoing risk assessments assist your FI in identifying risks and determining what controls are in place or need implementation.
A dynamic risk management approach is crucial in today’s evolving risk environment. Rather than performing risk assessments annually, revisit them as needed based on changes in regulatory requirements, your FI’s products and services, customer needs, and other risk conditions.
Ongoing monitoring and testing, risk assessments, and issue management — all these tasks take time and resources. Moreover, a regulatory change can occur anytime, emphasizing the importance of staying prepared and proactive.
Automated compliance management software can support your team by streamlining everyday tasks. When you're effectively tracking regulatory changes, reassessing risks in response to those changes, and continuously monitoring your controls, you're in a much stronger position to avoid regulatory pitfalls — including those that lead to enforcement actions.
If, after leveraging compliance management software, your institution still finds itself unable to perform the necessary compliance oversight or complete business line functions, consider your current staff. You may need to delegate tasks to new team members, reconsider your current departmental structure, or bring in new talent to fill the gaps.
The steps outlined above are integral to learning from enforcement actions and establishing a well-supported compliance management program. However, for the program to be truly effective, the following foundational elements should also be present:
By taking a proactive approach to enforcement actions, your FI can move beyond simply staying informed to strengthening its compliance framework. When reviewing enforcement actions becomes part of your ongoing compliance strategy, you’re not only managing risk but also building a stronger, more resilient institution.
Get details on the latest enforcement actions and learn how to choose the right compliance management software for your institution in our CMS Buyer's Guide.