Enforcement Actions Roundup: June 2025

Jul 17, 2025

Welcome to the July edition of our Enforcement Actions Roundup, a monthly summary where our regulatory experts break down recent enforcement actions from the previous month, highlight what went wrong, and offer insights to help your institution stay ahead of similar risks. 

The Enforcement Actions Roundup includes two key elements:   

  • The Enforcement Actions Tracker is a running total of enforcement actions by agency – keeping a tally of enforcement actions broken down by overall category and individual topics addressed by each action. This makes it easy to pick out enforcement trends and hot topics.  
  • The Enforcement Deep Dive reviews each enforcement action to understand what happened, key takeaways, and controls you should review at your institution to avoid making the same mistake.  

Let’s dive in.

Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.

2025 Enforcement Action Tracker

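| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CFPB | 1 | 2 |  |  | 3 | 1 |  |  |  |  | 1 |
| OCC |  |  | 2 |  |  |  | 1 |  | 7 | 3 |  |
| FRB |  |  |  |  | 1 |  |  | 1 | 1 |  |  |
| FDIC |  |  | 4 | 3 | 1 |  |  | 8 | 3 |  |  |
| NCUA |  |  |  |  |  |  |  |  |  |  |  |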

 *Please note that a single enforcement action may be included under multiple topics.

 Enforcement Actions Deep Dive: June 2025 

CFPB Enforcement Actions

There were no institutional enforcement actions by the CFPB in June.

OCC Enforcement Actions

OCC Issues Enforcement Action Against FI for Concentration Risk Management Issues

The OCC issued an enforcement action against this institution for unsafe or unsound practices related to strategic and capital planning, liquidity risk management, and, notably, concentration risk management. The institution lacked adequate systems to monitor and control loan portfolio concentrations, specifically related to Commercial Real Estate (CRE). The institution must implement a written Concentration Risk Management Program and identify known and potential concentrations of credit.

Takeaways

CRE investments carry various risks, including credit risk, market risk, economic risk, and specific challenges related to property management and market conditions. CRE also presents significant risks related to money laundering and was even flagged as a leading compliance risk in 2024 by the Financial Crimes Enforcement Network (FinCEN).

Effective CRE concentration risk management involves seven key elements, including robust oversight by the board and management to ensure strategic alignment and risk appetite adherence. It requires sophisticated portfolio management, comprehensive management information systems, ongoing market analysis, stringent credit underwriting standards, regular portfolio stress testing, and an independent credit risk review function. The complexity of these programs should align with the institution's size, concentration levels, and associated risks, ensuring that CRE exposures remain within acceptable parameters while supporting sound lending practices.

Controls to Evaluate

  1. Asset Management Committee: The AMC regularly reviews loan totals, concentrations, interest rate exposure, delinquency, collection activity, other real estate owned (ORE), Allowance for Credit Loss (ACL) and ESG (Environmental, Social and Governance) reports, then makes decisions accordingly, such as revising loan-to-values (LTVs), exposure limits, concentration limits, exceptions, etc.
  2. Loan Portfolio Management: The LPM process is in place and includes periodic reporting to the Board regarding the loan portfolio composition, risks, product mix, industry and geographic concentrations, and overall portfolio risk ratings. LPM helps the Board and management: 1) understand the credit culture; 2) set and monitor portfolio objectives and risk tolerance limits; 3) use management information systems (MIS) to prepare appropriate reports for review/analysis; 4) monitor portfolio segmentation and risk diversification objectives; 5) complete analysis of loans originated by other lenders; 6) aggregate policy and underwriting exceptions; 7) review results of stress testing; 8) ensure independent and effective control functions; and 9) conduct analysis of portfolio risks.
  3. Asset Liability Committee: ALCO meets regularly to review Investments, Loan Portfolios, Interest Rates, Liquidity, and Capital Levels, and makes adjustments as needed to meet risk tolerances and policy guidelines, including scenario analysis (stress testing) and even ESG risk considerations.

FRB Enforcement Actions

There were no institutional enforcement actions by the CFPB in June. 

FDIC Enforcement Actions

FDIC Issues Enforcement Action Against Bank for AML/CFT Program Deficiencies

 The FDIC issued an enforcement action against a bank addressing significant deficiencies in the bank's Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program and Bank Secrecy Act (BSA) compliance. The action highlights critical issues with third-party relationship management and regulatory oversight, and requires enhanced board oversight, revised AML/CFT and third-party risk management programs, and role-specific BSA training for all personnel.

Takeaways

This enforcement action serves as another example of the heightened regulatory focus on third-party relationships, especially in the era of fintech relationships. When third parties are used to conduct bank activities, particularly in high-risk or high-enforcement areas, they must do so in line with the financial institution’s standards. The institution’s third-party risk management program must, among other requirements, align with its size, complexity, and risk profile, have appropriate due diligence procedures for new third-party relationships and ongoing due diligence for existing relationships, and provide proper oversight for those relationships.

Ultimately, your institution cannot outsource compliance responsibilities and must bear the burden of regulatory pitfalls, so ensuring proper oversight and management of third parties is critical to your institution’s success. Remember, anti-money laundering and countering the financing of terrorism will remain one of the top priorities of the Trump administration and new agency leadership.

Controls to Evaluate

  1. Comprehensive AML/CFT Program: The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring timely identification, review, and filing of Suspicious Activity Reports (SARs) with the appropriate authorities, and a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries.  
  2. Robust TPRM Program: A Third-Party Vendor Management Program is in place that includes: (a) thorough initial due diligence and selection process; (b) contract negotiation, including third-party agreements and contractual performance standards; (c) ongoing monitoring (including model validation); (d) termination; (e) risk assessments; and (f) governance, including independent reviews and documentation/reporting. All duties, roles, and responsibilities are clearly identified. Ongoing monitoring includes ensuring that the vendor conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
  3. BSA/AML/CFT Training: The training program (1) is provided for appropriate personnel and covers the aspects of the BSA that are relevant to the institution and its risk profile; (2) covers BSA regulatory requirements, supervisory guidance, and the institution's internal BSA/AML policies, procedures, and processes; (3) is tailored to each individual’s specific responsibilities, as appropriate; (4) is targeted when necessary for specific ML/TF and other illicit financial activity risks and requirements applicable to certain business lines or operational units, such as lending, trust services, foreign correspondent banking, and private banking; (5) is typically provided to new staff during employee orientation or reasonably thereafter; (6) is provided periodically to the BSA Officer and support staff, and is relevant and appropriate for them to remain informed of changes to regulatory requirements and changes to the institution's risk profile; and (7) is provided to the board of directors and senior management.

NCUA Enforcement Actions

There were no institutional enforcement actions by the NCUA in June.

Additional Enforcement Actions

OCC 

  • AA-NE-2025-18 - For unsafe or unsound practices related to strategic planning and earnings performance.
  • AA-CE-2025-22 - For unsafe or unsound practices related to strategic planning, capital planning, credit administration, and liquidity risk management.
