Welcome to the latest Enforcement Actions Roundup covering April’s enforcement actions. Every month, our team of regulatory compliance experts breaks down what went wrong, why it matters, and what your financial organization can do to stay ahead.
This roundup features two key resources:
- Enforcement Actions Tracker: A running tally of actions by agency, category, and topic — making it easy to spot enforcement trends and emerging hot spots.
- Enforcement Deep Dive: A closer look at each action, including what happened, key takeaways, and the controls your FI should revisit to avoid similar missteps.
Let's explore this month’s enforcement actions.
Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.
2025/2026 Enforcement Action Tracker
| Year | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending | |
| CFPB | 2025 | 1 | 2 | 4 | 1 | 1 | ||||||
| 2026 YTD | ||||||||||||
| DOJ | 2025 | |||||||||||
| 2026 YTD | ||||||||||||
| OCC | 2025 | 3 | 1 | 8 | 3 | |||||||
| 2026 YTD | 1 | 1 | 1 | |||||||||
| FRB | 2025 | 1 | 3 | 1 | ||||||||
| 2026 YTD | 1 | 1 | ||||||||||
| FDIC | 2025 | 5 | 3 | 1 | 1 | 1 | 10 | 6 | ||||
| 2026 YTD | 1 | 1 | 2 | 2 | 1 | |||||||
| NCUA | 2025 | |||||||||||
| 2026 YTD |
Enforcement Actions Deep Dive: April 2026
CFPB Enforcement Actions
The CFPB issued no institutional enforcement actions in April 2026.
DOJ Enforcement Actions
The DOJ issued no institutional enforcement actions in April 2026.
OCC Enforcement Actions
OCC Takes Action Against Bank for Deceptive VA Loan Marketing
- Category: Governance, Risk, and Compliance
- Topic: UDAAP; Advertising; Military Lending
- Products and Services: VA Loans
- Date: Signed April 2, 2026; Announced April 16, 2026
- Regulation: 15 USC 45
- Enforcement Action
- Related Guidance: OCC Handbook: Unfair or Deceptive Acts or Practices and Unfair, Deceptive, or Abusive Acts or Practices
The OCC issued this enforcement action after finding a bank had made multiple false or misleading statements to consumers in connection with VA loan products. The bank sent consumers millions of deceptive advertisements claiming they had funds available, but those purported "available funds" were simply the consumer's own home equity, accessible only by taking out a new loan.
Employees also made verbal representations suggesting the bank had a special relationship with the VA and misrepresented loan terms by implying interest rates or monthly payments would decrease over time. The products were fixed-rate, permanent loans with no such guarantee. Consumers who acted on those representations incurred significant origination fees and were left with higher rates and larger monthly payments than their prior loan terms.
Takeaways
This enforcement action highlights the importance of ensuring that marketing materials and loan officers' verbal representations are accurate, transparent, and consistent with the actual product terms. Targeting veterans or the military community, who are afforded certain additional protections, makes this even more critical. Institutions should conduct regular audits of outbound marketing campaigns to confirm that all communications clearly identify the nature of the product being offered and that no implied endorsement of government agencies is present.
Additionally, your institution should implement a robust pre-approval process for all outbound marketing materials, conduct call monitoring and script reviews to identify employee misrepresentations, and provide training to correct any errors. A complaint management system that flags patterns of consumer confusion or dissatisfaction serves as a critical early warning mechanism and can protect your institution from future enforcement issues.
Related: 5 Ways Complaint Management Can Reduce Compliance Risk
Controls to Evaluate
- Marketing Policies and Procedures: Marketing policies and procedures are in place and reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include requiring the compliance department to review and approve all marketing materials (print, social media, blogs, etc.) prior to publication to ensure all regulatory requirements have been met.
- Pre-Publication Compliance Review: All marketing campaigns and materials are reviewed by compliance prior to implementation and/or distribution, regardless of marketing approach (print, mailing, electronic ad, social media, email, etc.). The review includes accuracy and clarity of verbiage and disclosures, intended audience, content (including diversity), delivery avenue, and verification that credit trigger leads or mortgage inquiry data purchased from credit bureaus are not being used as the basis for consumer solicitation. If affiliates/third parties are used for the marketing, compliance will also review the distribution methods and any system data points or parameters used to determine the audience.
- Consumer Complaint Management: A thorough process is in place for receiving and responding to consumer complaints, including complaints made to third parties, the Better Business Bureau, the CFPB, social media, and other channels. Written policies and procedures are established to record, categorize, analyze, investigate, resolve, and respond to complaints in an appropriate and timely manner. The process addresses how complaints are defined and documented; responsibility and accountability for identifying, addressing, and escalating complaints; tracking of complaints and responses; analysis of complaint trends to identify root causes; and reporting complaint data to the board and management.
- Root Cause Analysis and Remediation: A robust root cause analysis and remediation process for recurring complaints to prevent regulatory violations is in place. This process includes engaging in a review of all affected accounts and customers and engaging in proactive self-corrective action to correct existing violations and prevent future issues.
- Employee Conduct Policies and Training: Policies and controls are implemented relating to employee conduct that include:
- Initial and ongoing training
- Performance reviews or audits
- Discipline policies and records of disciplinary actions
- Compensation programs
Activities of employees are evaluated to ensure they do not engage in unfair, deceptive, or abusive acts or practices with respect to consumer interactions. Employees who market or promote products or services are adequately trained so that they do not engage in unfair, deceptive, or abusive acts or practices.
Related Ncontracts Content in Your Platform
Ncomply Sample Policies
- Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) Policy
- Consumer Complaint Policy
- Compliance Management System Policy
- Marketing & Advertising Policy
Nrisk Risk Assessments
Nverify Audits
- Complaint Management – Compliance Monitoring
- Complaint Management – Compliance Review
- Unfair, Deceptive, or Abusive Acts and Practices (UDAAPs) – Compliance Review
FRB Enforcement Actions
FRB Cites Bank Holding Company for Board Oversight Failures and Affiliate Transaction Violations
- Category: Governance, Risk, and Compliance
- Topic: Insider Activities; Financial Risk
- Products and Services: USDA Loans; Small Business Loans
- Date: April 14, 2026
- Regulations: 12 CFR 223; 12 CFR 225
- Enforcement Action
- Related Guidance: Legal Interpretations FAQs of the Board's Regulations; Regulation Y – Frequently Asked Questions
The FRB issued an enforcement action after finding deficiencies in a bank holding company’s board oversight, capital weaknesses, and violations of the affiliate transaction rule. The company’s board failed to maintain effective control and supervision over the firm's major operations as it pursued its aggressive United States Department of Agriculture and Small Business Administration (USDA/SBA) loan growth strategy through nonbank subsidiaries. The board lacked adequate mechanisms to oversee capital, earnings, liquidity, and risk management and had not established appropriate risk tolerance guidelines and limits aligned to the firm's business strategy.
Takeaways
When an organization pursues rapid growth through nonbank subsidiaries, its board's oversight responsibilities do not shrink as complexity grows; they expand.
A bank holding company that launches a specialty lending strategy routed through nonbank affiliates must proactively establish risk tolerance frameworks, stress-test capital and liquidity assumptions, and ensure that management has the depth and qualifications to execute the strategy safely. A board that approves a growth strategy without building the governance infrastructure to monitor it is effectively operating in the dark.
Controls to Evaluate
- Affiliate Transaction Compliance Reviews: The Compliance Department performs periodic risk-based reviews of affiliate transactions to ensure compliance with Regulation W requirements, including proper identification and documentation of covered transactions, adherence to quantitative limits and collateral requirements, market terms validation, and appropriate application of exemptions. Reviews assess transaction valuation methodologies, aggregate exposure calculations, pricing documentation, and control effectiveness across all affiliate relationships and transaction types. Testing frequency and sample size are determined based on transaction volume, complexity, risk profile, and prior findings, with enhanced scrutiny applied to high-dollar exposures, transactions approaching regulatory limits, complex structures, and areas with previous deficiencies. All findings are documented, reported to senior management and the appropriate risk committee, and tracked through remediation. Material deficiencies or adverse regulatory findings trigger expanded reviews and accelerated corrective action within established timeframes. The compliance department maintains comprehensive documentation demonstrating ongoing compliance with all aspects of Regulation W.
- Collateral Valuation and Independent Review: Credit Risk performs independent reviews at transaction inception for all covered transactions, including verification of collateral eligibility, sufficiency, and proper valuation, with quarterly reviews thereafter focusing on material exposures. Review procedures include validation of collateral valuation methodology, obtaining updated appraisals for real estate collateral annually or upon material market changes, verification of marketability and liquidity for securities collateral, and stress testing of collateral values using adverse market scenarios. Credit Risk maintains a collateral exception log documenting any coverage deficiencies or valuation disputes, with material shortfalls. Margin calls are initiated within 24 hours when collateral values decline below required thresholds, with forced liquidation provisions activated if margins remain unmet for 5 business days.
- Board Approval Management: A board approval management system automatically identifies transactions requiring board approval based on regulatory thresholds, transaction complexity, unusual terms, or risk characteristics. Mandatory routing through formal approval workflows prevents execution without documented board consent. The system integrates with board meeting management platforms to track approval status, expiration dates, and renewal requirements, with automatic alerts 30, 15, and 5 days before approval expiration. Transactions requiring board approval must include a comprehensive package:
- Detailed transaction summary with business rationale and strategic alignment
- Independent risk assessment
- Compliance memorandum confirming regulatory requirements
- Legal opinion on transaction structure and enforceability
- Valuation analysis with market comparables
- Alternatives analysis
The platform maintains immutable records of all board actions using blockchain technology, including meeting minutes with discussion notes, voting records showing individual director positions, attendance logs confirming quorum requirements, conflict of interest disclosures and recusal documentation, and approval conditions with compliance tracking.
Related Ncontracts Content in Your Platform
Ncomply Sample Policies
Nrisk Risk Assessments
FDIC Enforcement Actions
FDIC Issues Agreement for AML/CFT Program Deficiencies
- Category: Governance, Risk, and Compliance
- Topic: AML/CFT
- Date: Signed March 26, 2026; Announced April 24, 2026
- Regulations: 31 CFR 1020; 12 CFR 326; 12 CFR 353
- Enforcement Action
- Related Guidance: FDIC BSA/AML Resources; FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual; Bank Secrecy Act: Customer Identification Program Rule Exemption for Insurance Premium Finance Loans (FIL-95-2020)
The FDIC entered into an agreement with a bank after the agency found deficiencies in the institution’s Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program. Specific program failures included risk assessment and internal control inadequacies related to Customer Due Diligence (CDD), Suspicious Activity Reporting (SAR), and Currency Transaction Reporting (CTR) procedures, as well as the absence of a qualified AML/CFT Officer and an AML Training Program for staff.
Takeaways
To maintain compliance with the Bank Secrecy Act (BSA), a financial institution must establish a comprehensive, written AML/CFT Program commensurate with its ML/TF risk profile, supported by a dynamic risk assessment covering all products, services, customer types, and mitigating controls.
Strong internal controls are required, including a CDD program, timely and accurate filing of SARs and CTRs, and monthly compliance reporting to the board. A designated, qualified AML/CFT Officer with sufficient authority, resources, and expertise must oversee day-to-day compliance and administration of the entire program. All staff, management, and board members must complete tailored AML/CFT training at least annually, with documentation of attendance and knowledge assessments maintained. Independent testing of the program must be done at least annually, with findings reported to the board.
Related: How to Create Dynamic BSA/AML/CFT Risk Assessments
Controls to Evaluate
- BSA/AML/CFT Compliance Officer: The BSA/AML/CFT compliance officer, appointed by the board of directors, is responsible for coordinating and monitoring day-to-day BSA/AML/CFT compliance and managing all aspects of the BSA/AML/CFT compliance program and BSA/AML/CFT regulatory requirements. The individual(s) responsible for the overall BSA/AML/CFT Compliance Program are qualified and have access to suitable resources, including:
- Adequate staffing with the skills and expertise necessary for the overall risk level (based on products, services, customers, and geographic locations), size or complexity, and organizational structure
- Systems to support the timely identification, measurement, monitoring, reporting, and management of ML/TF and other illicit financial activity risks
The BSA/AML/CFT Officer's input is sought regarding the ML/TF and other illicit financial activity risks related to expansion into new products, services, customer types, and geographic locations, or to operational changes, such as the implementation of, or adjustments to, systems that impact the BSA compliance function. Appropriate independence of the BSA/AML/CFT compliance officer may include, but is not limited to:
- Clear lines of reporting and communication ultimately up to the board of directors or a designated board committee that do not compromise the BSA compliance officer’s independence
- The ability to undertake the BSA/AML/CFT compliance officer’s role without undue influence from other business lines
- Identification and reporting of issues to senior management and the board of directors
- BSA/AML/CFT Training Program: The training:
- Is provided for appropriate personnel and covers the aspects of the BSA/AML/CFT that are relevant to the institution and its risk profile
- Covers BSA/AML/CFT regulatory requirements, supervisory guidance, and the institution's internal BSA/AML/CFT policies, procedures, and processes
- Is tailored to each individual’s specific responsibilities, as appropriate
- Is targeted when necessary for specific ML/TF and other illicit financial activity risks and requirements applicable to certain business lines or operational units, such as lending, trust services, foreign correspondent banking, and private banking
- Is typically provided to new staff during employee orientation or reasonably thereafter
- Is provided periodically to the BSA/AML/CFT Officer and support staff, and is relevant and appropriate for them to remain informed of changes to regulatory requirements and changes to the institution's risk profile
- Is provided to the board of directors and senior management
- Comprehensive AML/CFT Compliance Program: A comprehensive AML and CFT compliance program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based CDD process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring timely identification, review, and filing of SARs with the appropriate authorities, and a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries. All aspects of the AML/CFT Program are well documented, regularly reviewed, and updated to address emerging risks and regulatory changes.
- Independent Program Testing: A periodic independent review and validation of the entire BSA/AML/CFT program and board and senior management oversight effectiveness is conducted by qualified internal audit or external parties. The review includes a comprehensive assessment of governance adequacy, resource allocation decisions, accountability mechanisms, program components, risk assessment processes, compliance monitoring systems, and recommendations for program and governance improvements to ensure effective oversight and regulatory compliance.
Related Ncontracts Content in Your Platform
Ncomply Sample Policies
Nrisk Risk Assessments
Nverify Audits
FDIC Issues Enforcement Actions Against Two Institutions for Flood Insurance Violations
- Category: Governance, Risk, and Compliance
- Topic: Flood Insurance
- Products and Services: Mortgage Lending
- Date: Enforcement 1 – Signed March 6, 2026; Announced April 24, 2026 | Enforcement 2 – Signed March 26, 2026; Announced April 24, 2026
- Regulation: 12 CFR 339
- Enforcement Action 1 | Enforcement Action 2
- Related Guidance: Flood Disaster Protection Act: 2022 Interagency Questions and Answers Regarding Flood Insurance (2022-16); Consumer Compliance Examination Manual – Flood Disaster Protection Act; FDIC Issues 2026 Consumer Compliance Supervisory Highlights
The FDIC issued enforcement actions against two institutions for violations of the Flood Disaster Protection Act of 1973 (FDPA). Institution one made, increased, extended, or renewed a loan secured by a building or mobile home located, or to be located, in a special flood hazard area (SFHA) without providing timely notice of whether flood insurance was available for the property. Institution two failed to implement force-placed flood insurance in 20 cases.
Takeaways
Flood insurance violations were the FDIC's third-most frequently cited compliance issue in 2025, with more than 131 violations. Failure to confirm adequate flood insurance on loans secured by buildings or mobile homes in special flood hazard areas accounted for 41% of violations. Banks are required to employ FEMA's flood hazard determination form to verify whether collateral is in an SFHA where insurance is available through the National Flood Insurance Program (NFIP). Institutions must retain completed determination forms throughout each loan term and implement robust internal controls to ensure ongoing compliance across loan portfolios.
Force-placed flood insurance violations are also a common FDPA issue. If an institution finds that a property lacks the required or adequate flood insurance during the term of a designated loan, it must promptly notify the borrower to secure coverage at their own expense. If the borrower does not procure insurance within 45 days, the institution must acquire it on the borrower’s behalf and may charge associated premiums and fees. If the borrower subsequently obtains their own coverage, the institution must cancel the force-placed policy and refund all premiums paid by the borrower.
Controls to Evaluate
- Flood Insurance Policies and Procedures: Flood insurance policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include:
- Pulling flood determinations for loans that will be secured by real estate
- Requiring flood insurance for real estate secured loans in a designated flood zone before loan closing
- Notification to customers of flood insurance requirements
- Review process to ensure proper flood insurance is in place before loan closing and for the duration of the loan
- Monitoring loans to ensure that flood insurance coverage is maintained for the entire duration of the loan
- Flood insurance renewal monitoring and tracking
- Force placement insurance requirements and customer notification processes
- Maintaining documentation of flood insurance policies in the loan file, including proof of coverage and policy details
- Loan Closing Checklists: Loan Operations procedures include loan closing checklists that require proper approval and all documentation, notices, and disclosures to be in place and reviewed before loan closing; proper fees to be verified; and all policy exceptions to be identified and documented, with loan closing instructions documented.
- Ongoing Insurance Monitoring: Loan operations procedures include continuous monitoring of all insurance policies and related escrows (if applicable), including flood insurance, handling all force-placed policies as necessary, and providing all notices and disclosures as required.
Related Ncontracts Content in Your Platform
Ncomply Sample Policies
Nrisk Risk Assessments
Nverify Audits
NCUA Enforcement Actions
The NCUA issued no institutional enforcement actions in April 2026.

