Enforcement Actions Roundup: August 2025

Sep 11, 2025

Welcome to the September Enforcement Actions Roundup — our monthly look at the enforcement activity from the past month, what went wrong, and what financial institutions (FIs) can learn from it. 

This roundup features two key resources: 

  1. Enforcement Actions Tracker: A running tally of actions by agency, category, and topic — making it easy to spot enforcement trends and emerging hot spots.
  2. Enforcement Deep Dive: A closer look at each action, including what happened, key takeaways, and the controls your FI should revisit to avoid similar missteps. 

Let's dive in.

Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator. 

2025 Enforcement Action Tracker 

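| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CFPB | 1 | 2 | | | 4 | 1 | | | | | 1 |
| OCC | | | 2 | | | | 1 | | 8 | 3 | |
| FRB | | | | | 1 | | | 1 | 1 | | |
| FDIC | | | 4 | 3 | 1 | | | 10 | 3 | | |
| NCUA | | | | | | | | | | | |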

Please note that a single enforcement action may be included under multiple topics.

Enforcement Actions Deep Dive: August 2025

CFPB Enforcement Actions

CFPB Issues Enforcement Action Against Fintech Provider for Record-Keeping Failures

  1. Category: Governance, Risk, and Compliance; Third-Party Risk Management
  2. Topic: UDAAP
  3. Products and Services: Deposits
  4. Institution Type: Fintech
  5. Date: August 21, 2025  
  6. Regulation: 12 USC § 5531; 12 USC § 5536
  7. Enforcement Action
  8. Related Guidance: Interagency Guidance Regarding Deposit Reconciliation Practices 

The CFPB issued an enforcement action against a company that facilitated relationships between nonbank financial technology entities and partner banks and provided material services to fintech platforms that offered banking services to consumers. The company was a “service provider” under the Consumer Financial Protection Act and failed to maintain adequate records of the location of consumers’ funds. The company also failed to ensure the accuracy and consistency of those records maintained by its partnering banks, causing consumers to lose access to their funds.  

The company filed for bankruptcy in 2024, so the fine is a nominal $1. Additionally, the company is permanently enjoined from deposit-taking activities, payment and data processing activities, acting as a custodian of funds, transmitting or exchanging funds, or receiving compensation from or working for entities engaged in these activities.   

Takeaways

FIs working with service providers don’t escape the liability of third-party misconduct. The banks partnered with the offending company were also hit with a class-action lawsuit for their inability to reconcile customer discrepancies.  

Ensure your institution is protected by implementing and maintaining robust due diligence and ongoing monitoring programs, focusing on auditing of fund movements and balances, immediate customer notification procedures, and contingency planning for instances where service providers become insolvent.

Controls to Evaluate

1. Documented Fintech Management Program: The program includes 

  1. Complete due diligence and risk assessment for each fintech company prior to partnership
  2. Effective contract/agreement creation with confidentiality agreements and service level and reporting requirements
  3. Analysis of partnership profitability
  4. Ongoing monitoring of the fintech's performance with the contract, financial stability, adequate policies/procedures, internal controls, testing, insurance, training, and staffing  
  5. Analysis of fintech's third-party risk management program (and listing to ensure OFAC and 'countries of concern' are addressed)
  6. Alternate partnerships in the event of fintech failure or inability to perform 

2. Strong TPRM Program: A third-party vendor management program should be in place and include

  1. Thorough initial due diligence and selection process
  2. Contract negotiation, including third-party agreements and contractual performance standards
  3. Ongoing monitoring
  4. Termination
  5. Risk assessments
  6. Governance, including independent reviews and documentation/reporting. All duties, roles, and responsibilities are clearly identified. Ongoing monitoring includes ensuring that the vendor conducts appropriate training and oversight of employees or agents who have consumer contact or compliance responsibilities. 

Related Ncontracts Content in Your Platform

  • Ncomply Sample Policies: Third-Party Risk Management Party
  • Nrisk Risk Assessments: Vendor Management Risk Assessment  
  • Nverify Audits: Vendor Risk Management
  • Nvendor Surveys: GLBA Due Diligence; Moderate Due Diligence 

OCC Enforcement Actions

See Additional Enforcement Actions below. 

FRB Enforcement Actions

No institutional enforcement actions were issued by the FRB in August 2025. 

FDIC Enforcement Actions

No institutional enforcement actions were issued by the FDIC in July 2025.

NCUA Enforcement Actions

No institutional enforcement actions were issued by the NCUA in August 2025. 

Additional Enforcement Actions

OCC

  • AA-CE-2025-30: For unsafe or unsound practices, including those related to capital, strategic planning, liquidity, and contingency funding planning. 
