
2024 Regulatory Expectations and Enforcement Actions Recap

Mar 13, 2024

What will examiners look for in 2024? What should your financial institution’s regulatory compliance priorities be, and how can you address any weak points?

In February’s webinar, we explored areas of heightened regulatory oversight in 2024. Let’s dive into our recap.

(Note: Fair Lending remains a hot topic – so hot that it had its own webinar: Fair Lending: Get Ready for 2024. Check it out for fair lending expectations and enforcement.)

Account fees draw agency scrutiny 

The agencies are cracking down harder on so-called “junk fees.” The FDIC, OCC, CFPB, and NCUA have all signaled that they want to eliminate overdraft fees charged on “authorize positive, settle negative” (APSN) transactions, where a debit is authorized against a positive available balance but settles against a negative one.

Examiners are also focusing on non-sufficient funds (NSF) fees on bounced checks and on re-presentment fees charged when the same item is presented again. So far the CFPB has been the most aggressive about profit-generating overdraft fees at FIs with more than $10 billion in assets, both through enforcement and through a proposed rule that would add to the compliance burden by subjecting certain overdraft fees to Regulation Z requirements.

For example, a $20 billion bank in Virginia recently agreed to refund $5 million in overdraft fees and pay a $1.2 million penalty into the CFPB’s victims relief fund for allegedly failing to properly disclose its overdraft fees to consumers.

While the CFPB is targeting FIs with $10 billion or more in assets, the prudential regulators will be looking into the overdraft programs of smaller and intermediate-sized FIs, as highlighted in the NCUA’s 2024 Supervisory Priorities.

FIs of all sizes need a risk assessment of their account fee and overdraft programs. Does your overdraft program help or harm consumers? Do your disclosures fulfill regulatory expectations?

Related: Risk Assessing Overdraft Programs: Is the Fee Income Worth the Risk?

Regulators continue to focus on HMDA violations

FIs still get tripped up by Section 8 of the Uniform Residential Loan Application. How can this be?

The problem with Section 8 boils down to the actual collection of demographic information. Bank of America paid a $12 million fine because loan officers failed to ask borrowers for the required information. If your FI has a high share of “information not provided” in its HMDA-reportable data, regulators will ask questions.

Complying with fair lending laws requires comparing your rate of demographic “information not provided” with peer institutions and monitoring individual lenders against that rate to establish demographic data collection benchmarks.

FIs also need to be consistent in how they classify cash-out refinancing versus traditional refinancing. There’s a common misconception that HMDA sets a dollar threshold that separates a cash-out refinancing from a standard refinancing, but it does not; Regulation C leaves that definition to the institution’s own criteria. Your FI must therefore ensure that these loans are classified according to its own internal policies and procedures. Many FIs don’t realize that a fair lending violation can arise from failing to follow their own stated policies, even when those policies go beyond what existing laws and regulations require.

BSA/AML is an ongoing challenge

The asset size of your FI doesn’t determine its BSA risk; what matters is the products and services you offer, your customer base, and your geographic footprint. FIs that bank cannabis businesses or serve cross-border customers in high-crime areas need to be especially vigilant.

The OCC recently penalized American Express $15 million for failing to comply with Customer Identification Program (CIP) regulations, one of the cornerstones of AML compliance.

A New York credit union shut its doors after FinCEN found, in an action announced in January 2023, that its BSA compliance officer had violated the law. BSA noncompliance poses an existential threat to smaller banks and credit unions.

With that in mind, let’s focus on what your FI can do to mitigate this risk:

  • Establish a BSA program commensurate with your level of risk: If your FI serves customers in an area known for drug trafficking or other crime, you need more robust BSA risk controls.
  • Implement a strong CIP program: You may have a strong CIP, but are your third-party vendors also following the rules? In the American Express example, the bank had outsourced customer identification for some customers, so pay attention to your third-party risk in this area.
  • Keep up with your Suspicious Activity Reports (SARs): FIs need the right systems or software to identify suspicious activity and file SARs on time.
  • Stay updated on OFAC sanctions: The geopolitical landscape shifts constantly. FIs need timely updates to OFAC’s sanctions lists so they can screen customers and transactions against the individuals, entities, and jurisdictions that U.S. institutions are prohibited from dealing with.

Related: The Four Pillars of a Strong BSA/AML Compliance Program

Credit reporting remains a top compliance concern

  1. Policies don’t match practices. Examiners can still cite you under the FCRA when your written policies don’t match what you actually do, even if your day-to-day practices satisfy the regulatory requirements and prohibitions. An FI might have a solid dispute-handling and third-party risk management program for credit reporting, but if its policies reference outdated information or systems, examiners will ding it. Review your policies at least once a year to ensure they align with practice.
  2. Failure to investigate direct disputes. FIs have a duty to investigate direct disputes even when the consumer does not send the dispute to a requested additional or second address. FIs often ask consumers to submit their disputes to a local or specialized representative better equipped to handle them. Even if the consumer doesn’t, regulators still expect the dispute to be investigated within the required timeframes.
  3. Notify consumers of frivolous or irrelevant disputes. If you determine that a direct dispute is frivolous or irrelevant, you have a regulatory obligation to notify the consumer of that determination (under Regulation V, within five business days) and to tell them what specific information you need in order to investigate. “Specific” is the operative word: you can’t ask consumers to provide everything. The notice must identify the information you actually need.
  4. Trigger leads and making a firm offer of credit. When your FI pays a consumer reporting agency to generate pre-screened (trigger) leads, it must follow through with a firm offer of credit. You must convey the offer made, honor it as long as the stated credit conditions are met, tell the consumer that the offer was pre-screened using information from their credit report, and give the consumer a way to opt out of future prescreened offers.

Credit reporting is a significant issue for FIs, and examiners will take a close look at your complaint management program. Handling disputes is an integral part of your overall compliance management system (CMS).

Related: Consumer Complaints Are at an All-Time High. What Are You Doing About Them?

1071, CRA Modernization, and 1033

FIs should not wait for the Supreme Court’s decision on the CFPB, expected by June 2024, to begin planning and budgeting for 1071. Spoiler alert: court watchers do not expect the CFPB’s funding mechanism to be ruled unconstitutional.

Lenders with experience reporting HMDA loans understand how heavy the compliance lift for 1071 will be. Time is a factor, especially for Tier 1 commercial lenders, those that originated at least 2,500 covered credit transactions in each of calendar years 2022 and 2023.

While the October 1, 2024, compliance date for data collection might be pushed back, you need to operate under the reasonable assumption that 1071 is going forward. Congress has already tried and failed to kill the rule: a resolution to overturn it was vetoed in December 2023. Hopefully, you’ve begun implementing policies and procedures, training officers and staff, and building a 1071 compliance program.

Check out our 1071 Resource Center for more information.

Last year we also received the final rule for CRA modernization. As of the April 1, 2024, effective date, banks must still delineate facility-based assessment areas as they do today. Large banks (which the new rule defines as those with assets of $2 billion or more) must also ensure that their facility-based assessment areas consist of whole counties, not partial ones, as the new CRA rule stipulates.

Additionally, banks must post their updated public CRA file on their website. Your public file needs to be current and contain all relevant data (comments, branch openings, facility closings, etc.). If you haven’t begun working with your marketing team or the third party that manages your website to include this information, now is the time.

The CFPB is also expected to finalize its proposed rule under Section 1033 in 2024. The proposal requires banks and credit unions to make account information available to consumers and to third parties the consumer authorizes.

FIs would need to make this data available through developer interfaces (APIs) that allow consumers and authorized third parties to query accounts and retrieve data. The proposal has been controversial because it would bar data providers from charging consumers or authorized third parties any fees for establishing or maintaining those interfaces, leaving FIs to absorb the cost of building and running them. We’ll keep you updated on how this regulation progresses.

Preparing your FI for heightened regulatory scrutiny in 2024

Compliance management will take center stage for FIs in 2024. With account fees, consumer lending, and BSA/AML drawing additional attention, FIs must be prepared. At the same time, large regulatory changes from 1071 to CRA modernization will continue to loom over the regulatory landscape in banking. 

FIs should focus on updating compliance and risk assessments (accounting for recent changes or innovations), implementing internal compliance monitoring and testing, boosting their third-party risk management programs, and adopting a repeatable regulatory change management framework.

Want even more insights on other regulatory compliance hot topics? 

Listen to Our Discussion of 2024 Regulatory Expectations
