Welcome to the latest Enforcement Actions Roundup. June brought a $9.7 million DOJ settlement after a community bank's executives spent over a decade overriding AML controls to protect an insider, an FDIC penalty against a bank for six separate flood insurance violations, and a CFPB action that skipped formal enforcement entirely in favor of a public statement compelling consumer redress from a fintech platform.
Each month, we break down what went wrong, why it matters, and what your financial institution (FI) can do to stay ahead — giving you two resources: the Enforcement Actions Tracker, a running tally of actions by agency, category, and topic, and the Enforcement Deep Dive below, a closer look at each action's details, takeaways, and controls to revisit.
Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.
| Year | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending | Government Loan Programs | |
| CFPB | 2025 | 1 | 2 | 4 | 1 | 1 | |||||||
| 2026 YTD | 1 | ||||||||||||
| DOJ | 2025 | ||||||||||||
| 2026 YTD | 1 | 1 | 1 | ||||||||||
| OCC | 2025 | 3 | 1 | 8 | 3 | ||||||||
| 2026 YTD | 1 | ||||||||||||
| FRB | 2025 | 1 | 3 | 1 | |||||||||
| 2026 YTD | 1 | 1 | |||||||||||
| FDIC | 2025 | 5 | 3 | 1 | 1 | 1 | 10 | 6 | |||||
| 2026 YTD | 1 | 1 | 2 | 3 | 3 | ||||||||
| NCUA | 2025 | ||||||||||||
| 2026 YTD |
The CFPB directed a non-bank fintech credit card and rent-payment platform to provide full redress to consumers harmed during a bank partner’s transition. During the transition, a segment of customers experienced serious service failures, including rent and mortgage payments that were debited from their accounts but never delivered to landlords or lenders, missed or delayed payment processing, and inadequate customer service responses. Impacted consumers incurred overdraft fees, late fees, and insufficient funds fees as a result.
Rather than initiating a formal investigation or enforcement action, CFPB officials worked with the company, reviewed documentation of technical issues and remediation steps taken, and directed the institution to ensure full redress for all affected consumers.
FIs need to ensure their third-party risk management (TPRM) frameworks specifically address the handoff of payment systems and consumer accounts during program transitions. Agreements with fintech partners should include transition planning requirements, consumer notification standards, payment continuity commitments, and defined protocols for handling in-flight transactions during any transition window.
The CFPB's decision to use a public statement, rather than a consent order or civil money penalty, to compel redress from a non-supervised entity is itself a significant signal. The Bureau's new Enforcement Principles represent a shift toward collaboration with violating parties for efficient resolution in lieu of formal enforcement actions.
Third Party Risk Management (TPRM)
Related: Most TPRM books teach you how to run a program. This one teaches you how to run it well — and what to do with it once you do.
The DOJ entered into a non-prosecution agreement with a community bank and its parent company after the FI admitted that between 2010 and 2021, it willfully failed to establish an adequate AML/CFT program in violation of the Bank Secrecy Act. In one instance, the bank permitted a father and son to operate a check scheme for more than a decade, which was made possible because the father was a friend and business associate of the bank's former chairman and CEO, who resigned in 2019.
Senior executives at the bank repeatedly overrode the efforts of compliance personnel who sought to close the accounts and stop the illicit conduct. The bank's facilitation of the scheme caused approximately $6.3 million in losses to another FI. The institution will pay over $9.7 million for its violations.
This enforcement action is a stark reminder that AML/CFT compliance programs can be rendered entirely ineffective when senior management actively overrides the very controls designed to prevent financial crime. Compliance functions require meaningful authority, protected escalation paths that survive management interference, and board-level oversight. Programs must be capable of acting independently when executive conduct is a problem.
FIs should also review their suspicious activity escalation frameworks to ensure that compliance staff can elevate concerns (including those touching bank officers or their associates) directly to the board or an independent audit committee without risk of retaliation or override.
The BSA/AML/CFT Officer's input is sought regarding the ML/TF and other illicit financial activity risks related to expansion into new products, services, and customer types, and geographic locations; or operational changes, such as the implementation of, or adjustments to, systems that impact the BSA compliance function. Appropriate independence of the BSA/AML/CFT compliance officer may include, but is not limited to: clear lines of reporting and communication ultimately up to the board of directors or a designated board committee that do not compromise the BSA compliance officer's independence, the ability to undertake the BSA/AML/CFT compliance officer's role without undue influence from other business lines, and identification and reporting of issues to senior management and the board of directors.
Check Kiting Detection: Automated monitoring systems detect check kiting patterns, including frequent large-dollar deposits across multiple accounts, rapid withdrawal activity, and float exploitation. Kiting alerts are reviewed daily by operations staff and escalated to fraud management when indicators meet defined thresholds, with account restrictions applied pending investigation.
BSA/AML/CFT
Fraud Risk Management
The OCC issued no institutional enforcement actions in June 2026.
The FRB issued no institutional enforcement actions in June 2026.
The FDIC issued a civil money penalty against an institution for a pattern or practice of violations of the Flood Disaster Protection Act of 1973 (FDPA). The bank failed on six occasions to obtain flood insurance on a building securing a designated loan at the time of origination and failed to provide borrowers with the required Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending, or renewing a loan on three separate occasions.
Flood insurance violations continue to be among the FDIC's most frequently cited compliance issues, and this action illustrates how a relatively small number of loan-level failures can still constitute a 'pattern or practice' that triggers a formal civil money penalty.
Even community banks with modest loan volumes must ensure their origination workflows include flood zone determination checks and that the completion and delivery of the Notice of Special Flood Hazard is a mandatory checklist item, not a discretionary step. Given that flood violations were the FDIC's third-most frequently cited compliance issue in 2025, and that both notice failures and origination failures appear together in this action, FIs should verify their training and procedures address both violation types explicitly.
Completed checklists are retained in the loan file as evidence of pre-closing flood compliance review. Incomplete checklist items prevent loan closing advancement; exceptions require supervisor authorization and are tracked as compliance exceptions.
Automated Workflow Hard Stops: A loan origination and servicing system is configured with mandatory workflow hard stops at defined flood compliance checkpoints, preventing transactions from advancing without completion of required flood compliance steps. Hard stops are applied at the following trigger points:
Manual override of any hard stop requires supervisor authorization, a documented justification entered in the system, and creation of an auditable exception record reviewed by compliance on a periodic basis. Exception records are trended to identify patterns of non-compliance.
Flood Disaster Protection Act (FDPA)
The NCUA issued no institutional enforcement actions in June 2026.
FDIC-25-0148b - For unsafe or unsound banking practices relating to board and senior management oversight, capital adequacy, liquidity, earnings, and interest rate risk.
This month's actions all trace back to the same question: could your FI explain its risk story if an examiner asked today? Download our free Exam Readiness Checklist to find out before they do.