Nsight Blog | Ncontracts

Enforcement Actions Roundup: April 2025

Written by Jenna Dean and Toni Fennell | May 8, 2025 7:00:00 PM

Welcome to the May edition of our Enforcement Actions Roundup, a monthly summary where our regulatory experts break down recent enforcement actions from the previous month, highlight what went wrong, and offer insights to help your institution stay ahead of similar risks. 

The Enforcement Actions Roundup includes two key elements:   

  • The Enforcement Actions Tracker is a running total of enforcement actions by agency – keeping a tally of enforcement actions broken down by overall category and individual topics addressed by each action. This makes it easy to pick out enforcement trends and hot topics.  
  • The Enforcement Deep Dive reviews each enforcement action to understand what happened, key takeaways, and controls you should review at your institution to avoid making the same mistake.  

Let’s dive in.

2025 Enforcement Action Tracker

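| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CFPB | 1 | 2 | | | 3 | 1 | | | | | 1 |
| OCC | | | 2 | | | | 1 | | 2 | 1 | |
| FRB | | | | | 1 | | | 1 | 1 | | |
| FDIC | | | | 3 | 1 | | | 5 | 2 | | |
| NCUA | | | | | | | | | | | |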

Please note that a single enforcement action may be included under multiple topics.

Enforcement Actions Deep Dive: April 2025 

CFPB Enforcement Actions

There were no institutional enforcement actions by the CFPB in April. 

OCC Enforcement Actions

There were no institutional enforcement actions by the OCC in April.   

FRB and FDIC Enforcement Actions

FRB and FDIC Find Issues with Bank’s Decades-Long Credit Card Interchange Fees 

The FDIC and FRB are involved in an enforcement action against a large insured state non-member bank. The FDIC amended a previous order, and the FRB entered a consent order with the bank for significant deficiencies related to the classification and assessment of interchange fees for credit cards. From 2007 through at least 2023, the institution charged merchant customers the higher interchange fees associated with the “commercial” credit cards rather than interchange fees for “consumer” credit cards. The agencies found that at the end of 2022, the bank had classified approximately five million “consumer” credit cards as “commercial,” and approximately 98% of those cards were “consumer” cards that were misclassified. Additionally, the bank did not have policies, procedures, or other controls to classify credit cards for interchange fees properly. 

The bank must update its enterprise risk management framework, corporate governance framework, consumer compliance program, compliance vendor management program, and procedures for account classification and ensure supervision and oversight by the board of directors. 

Takeaways

To prevent similar violations, a robust compliance management system is needed to monitor and address regulatory risks, including updating policies to reflect evolving regulatory changes promptly. Accurate data classification is essential. Systems must be able to distinguish accounts properly so that routine audits can be conducted to detect misclassifications.  

Institutions must also maintain transparent communication with consumers and merchants, clearly disclosing applicable fees and charges. Performing independent audits and risk assessments can identify vulnerabilities so that internal controls can be established to detect unauthorized practices quickly. By prioritizing proactive oversight, transparency, and accountability, institutions can foster trust and reduce the risk of violations.   

Controls to Evaluate

  1. Thorough Credit Card Lending Policies and Procedures: Credit card lending policy and procedures are comprehensive. Policy and/or procedures include: (a) application and documentation requirements; (b) credit limit matrices; (c) underwriting requirements (including income, debt levels, credit score, etc.); (d) fees/charges that may be charged; (e) documentation requirements for any deviations from policy or procedures; (f) communication/notice requirements for changes in terms; (g) process of setting and changing interest rates; and (h) reporting structure and requirements for management, the Board, and regulators.
  2. Comprehensive CMS: The Compliance Management System ensures compliance with all applicable state and federal laws and regulations. The program is well-documented and reviewed periodically. The program includes active tracking of emerging, new, and changed regulations. The program consists of requirements for appropriate staffing within the Compliance Department and training for all employees, agents, management, and the Board. The CMS also assists in avoiding unfair, deceptive, or abusive practices. The CMS includes: (a) policies and procedures; (b) monitoring, testing, and audit procedures; (c) board and management oversight and reporting; (d) change management; (e) identification and management of risks; and (f) consumer complaint management program.
  3. Strong Internal Controls: Defined and implemented internal controls should govern the organizational and operational structure, including reporting processes and functions for risk management, compliance, and internal audit. The program is appropriately created based on the institution’s size, complexity, organizational structure, scope of activities, risk profile, risk capacity, quality of control functions, geographic diversity, and use of technology. The Risk Management Program is reported regularly to the Board, including any deviations from the risk appetite, risk tolerance, or other risk limits.

FDIC Enforcement Actions

FDIC Issues Several Flood Insurance-Related Violations

Institution One failed to obtain sufficient flood insurance coverage at or before loan origination, increase, extension, or renewal on loans secured by property in a special flood hazard area (SFHA). Institution Two failed to obtain sufficient flood insurance coverage at the time of force placement on loans secured by property in an SFHA. Institution Three issued or updated loans in SFHAs without requiring flood insurance or notifying consumers about its availability. Both Institutions Three and Four violated force-placed flood insurance rules.

Takeaways 

Flood insurance violations have been the highest enforcement action area in 2025. This year alone, the FDIC has ordered $70,000 in civil monetary penalties for failures to comply with flood insurance requirements. To prevent this misconduct, establish clear policies and procedures for verifying insurance coverage and monitoring for proper coverage at renewal, ensuring that adequate flood insurance is in place and that changes haven’t been made. Additionally, keep up to date with any third-party vendors used to track flood map changes and closely monitor those vendors.

Controls to Evaluate 

  1. Updated Flood Insurance Policies and Procedures: Flood insurance policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include: (a) pulling flood determinations for loans that will be secured by real estate; (b) requiring flood insurance for real estate secured loans in a designated flood zone before loan closing; (c) notification to customers of flood insurance requirements; (d) review process to ensure proper flood insurance is in place before loan closing and for the duration of the loan; (e) monitoring loans to ensure that flood insurance coverage is maintained for the entire duration of the loan; (f) flood insurance renewal monitoring and tracking; (g) force placement insurance requirements and customer notification processes; and (h) maintaining documentation of flood insurance policies in the loan file, including proof of coverage and policy details.
  2. Comprehensive Loan Operations Procedures: Loan Operations procedures include continuous monitoring of all insurance policies and related escrows (if applicable), including flood insurance, and handling all forced-place policies as necessary plus providing all notices and disclosures as required. 
  3. Trained Staff: All staff involved in flood insurance processes receive ongoing training to stay abreast of changes in requirements. 
  4. Periodic Reviews: The Compliance department periodically performs a review to ensure compliance with Flood Insurance requirements. 

NCUA Enforcement Actions

There were no institutional enforcement actions by the NCUA in April.  

Additional Enforcement Actions

FDIC  

  • FDIC-25-0022b - For unsafe and unsound banking practices related to deficiencies and weaknesses in the supervision and direction of management, earnings, capital planning, interest rate risk, liquidity, internal audit, information technology, and strategic planning.
