Nsight Blog | Ncontracts

Enforcement Actions Roundup: June 2026

Written by Jenna Zacharewicz and Toni Fennell | Jul 14, 2026 7:00:01 PM

Welcome to the latest Enforcement Actions Roundup. June brought a $9.7 million DOJ settlement after a community bank's executives spent over a decade overriding AML controls to protect an insider, an FDIC penalty against a bank for six separate flood insurance violations, and a CFPB action that skipped formal enforcement entirely in favor of a public statement compelling consumer redress from a fintech platform. 

Each month, we break down what went wrong, why it matters, and what your financial institution (FI) can do to stay ahead — giving you two resources: the Enforcement Actions Tracker, a running tally of actions by agency, category, and topic, and the Enforcement Deep Dive below, a closer look at each action's details, takeaways, and controls to revisit. 

Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.     

2025/2026 Enforcement Action Tracker

 
  Year Fair Lending Advertising AML/CFT Underwriting UDAAP Electronic Funds Transfers Insider Activities Flood Insurance Financial Risk Concentration Military Lending Government Loan Programs
CFPB 2025 1 2     4 1         1  
  2026 YTD         1              
DOJ 2025                        
  2026 YTD     1                1
OCC 2025     3       1   8 3    
  2026 YTD   1                    
FRB 2025         1     3 1      
  2026 YTD             1   1      
FDIC 2025     5 3 1 1 1 10 6      
  2026 YTD     1 1     2 3 3      
NCUA 2025                        
  2026 YTD                        

 

Enforcement Actions Deep Dive: June 2026

CFPB Enforcement Actions

CFPB Directs Fintech Platform to Redress Consumers After Bank Transition Failures

The CFPB directed a non-bank fintech credit card and rent-payment platform to provide full redress to consumers harmed during a bank partner’s transition. During the transition, a segment of customers experienced serious service failures, including rent and mortgage payments that were debited from their accounts but never delivered to landlords or lenders, missed or delayed payment processing, and inadequate customer service responses. Impacted consumers incurred overdraft fees, late fees, and insufficient funds fees as a result. 

Rather than initiating a formal investigation or enforcement action, CFPB officials worked with the company, reviewed documentation of technical issues and remediation steps taken, and directed the institution to ensure full redress for all affected consumers. 

Takeaways

FIs need to ensure their third-party risk management (TPRM) frameworks specifically address the handoff of payment systems and consumer accounts during program transitions. Agreements with fintech partners should include transition planning requirements, consumer notification standards, payment continuity commitments, and defined protocols for handling in-flight transactions during any transition window. 

The CFPB's decision to use a public statement, rather than a consent order or civil money penalty, to compel redress from a non-supervised entity is itself a significant signal. The Bureau's new Enforcement Principles represent a shift toward collaboration with violating parties for efficient resolution in lieu of formal enforcement actions. 

Controls to Evaluate

  1. Third-Party Risk Management Program: Policies, procedures and controls are implemented relating to third parties that include: (a) planning, (b) thorough initial due diligence (including OFAC searches) and selection process; (c) contract negotiation, including third-party agreements and contractual performance standards; (d) ongoing monitoring, (e) termination, (f) risk assessments, and (g) governance, including independent reviews and documentation/reporting. All duties, roles, and responsibilities are clearly identified.  
    1. AI Governance and Vendor Contracts: A thorough "AI in third-party risk management" process identifies AI usage and changes, specific AI clauses in contracts, and proper AI governance by third parties. 
    2. AI Vendor SLAs and Performance Monitoring: AI-specific service level agreements (SLAs) and performance benchmarks are established for all third-party AI vendors, defining measurable standards for model accuracy, output reliability, fairness, availability, and incident response times. Early warning monitoring systems are in place to detect vendor performance degradation, model drift, or emerging risk conditions prior to service disruption or regulatory impact. 
    3. AI Concentration Risk: AI vendor dependencies are subject to concentration risk assessment to identify and mitigate over-reliance on a single AI provider or shared AI infrastructure, including evaluation of aggregate exposure across vendors and contingency planning for critical AI service disruptions. 
    4. Fourth-Party AI Disclosure: Where third-party AI services involve fourth-party subprocessors or AI supply chain components, vendors are required to disclose the identity, role, and risk profile of material fourth parties. Contracts include provisions for notification of material fourth-party changes and, where applicable, termination rights triggered by undisclosed or high-risk fourth-party dependencies. 
    5. Ongoing Monitoring: Ongoing monitoring includes ensuring that the vendor conducts appropriate training and oversight of employees or agents who have consumer contact or compliance responsibilities. It also includes ensuring the vendor's incident response and business continuity management programs are in place and appropriate, that compliance policies and programs are in place, and identifying and evaluating any AI usage or AI-powered tools and services provided by third and fourth parties. 
    6. Reporting: Reporting includes an overall analysis of the vendors and risks, including an inventory of third parties, analysis of diversity of the vendors, and identifying any environmental, social, and governance (ESG) concerns. 
    7. Third-Party Conduct Review: Activities of third-party contractors, marketing sales personnel, vendors, and service providers are also evaluated, including reviews to ensure they do not engage in unfair, deceptive, or abusive acts or practices with respect to consumer interactions. 

Related Ncontracts Content in Your Platform

Third Party Risk Management (TPRM)

Related: Most TPRM books teach you how to run a program. This one teaches you how to run it well — and what to do with it once you do. 

DOJ Enforcement Actions

DOJ Settles with Community Bank After Executives Overrode AML Controls to Protect Insider

The DOJ entered into a non-prosecution agreement with a community bank and its parent company after the FI admitted that between 2010 and 2021, it willfully failed to establish an adequate AML/CFT program in violation of the Bank Secrecy Act. In one instance, the bank permitted a father and son to operate a check scheme for more than a decade, which was made possible because the father was a friend and business associate of the bank's former chairman and CEO, who resigned in 2019. 

Senior executives at the bank repeatedly overrode the efforts of compliance personnel who sought to close the accounts and stop the illicit conduct. The bank's facilitation of the scheme caused approximately $6.3 million in losses to another FI. The institution will pay over $9.7 million for its violations. 

Takeaways

This enforcement action is a stark reminder that AML/CFT compliance programs can be rendered entirely ineffective when senior management actively overrides the very controls designed to prevent financial crime. Compliance functions require meaningful authority, protected escalation paths that survive management interference, and board-level oversight. Programs must be capable of acting independently when executive conduct is a problem.  

FIs should also review their suspicious activity escalation frameworks to ensure that compliance staff can elevate concerns (including those touching bank officers or their associates) directly to the board or an independent audit committee without risk of retaliation or override.

Controls to Evaluate

  1. BSA/AML/CFT Monitoring System: BSA/AML/CFT integrated systems are in place to identify suspicious activities through properly structured monitoring with filtering criteria tailored to institutional risk profiles, including higher-risk products, services, customers, and geographic locations; manage complete Suspicious Activity Report (SAR) processes from alert evaluation through filing and continuous monitoring; detect currency structuring patterns across time periods and locations, including employee-assisted activities; maintain clear data lineage and audit trails; support repeat SAR filing for ongoing suspicious activity; and ensure SAR confidentiality and record retention compliance to prevent regulatory violations and facilitate effective suspicious activity detection and reporting. 
  2. BSA/AML/CFT Compliance Officer: The BSA/AML/CFT compliance officer, appointed by the board of directors, is responsible for coordinating and monitoring day-to-day BSA/AML/CFT compliance and manages all aspects of the BSA/AML/CFT compliance program and BSA/AML/CFT regulatory requirements. The individual(s) responsible for the overall BSA/AML/CFT compliance program are qualified and have access to suitable resources such as: 
    1. Adequate staffing with the skills and expertise necessary for the overall risk level (based on products, services, customers, and geographic locations), size or complexity, and organizational structure 
    2. Systems to support the timely identification, measurement, monitoring, reporting, and management of ML/TF and other illicit financial activity risks. 

The BSA/AML/CFT Officer's input is sought regarding the ML/TF and other illicit financial activity risks related to expansion into new products, services, and customer types, and geographic locations; or operational changes, such as the implementation of, or adjustments to, systems that impact the BSA compliance function. Appropriate independence of the BSA/AML/CFT compliance officer may include, but is not limited to: clear lines of reporting and communication ultimately up to the board of directors or a designated board committee that do not compromise the BSA compliance officer's independence, the ability to undertake the BSA/AML/CFT compliance officer's role without undue influence from other business lines, and identification and reporting of issues to senior management and the board of directors.

  1. Check Kiting Detection: Automated monitoring systems detect check kiting patterns, including frequent large-dollar deposits across multiple accounts, rapid withdrawal activity, and float exploitation. Kiting alerts are reviewed daily by operations staff and escalated to fraud management when indicators meet defined thresholds, with account restrictions applied pending investigation. 

Related Ncontracts Content in Your Platform

BSA/AML/CFT

Fraud Risk Management

OCC Enforcement Actions

The OCC issued no institutional enforcement actions in June 2026. 

FRB Enforcement Actions

The FRB issued no institutional enforcement actions in June 2026.

FDIC Enforcement Actions

FDIC Penalizes Bank After Six Missed Flood Insurance Requirements and Notice Failures

The FDIC issued a civil money penalty against an institution for a pattern or practice of violations of the Flood Disaster Protection Act of 1973 (FDPA). The bank failed on six occasions to obtain flood insurance on a building securing a designated loan at the time of origination and failed to provide borrowers with the required Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending, or renewing a loan on three separate occasions. 

Takeaways

Flood insurance violations continue to be among the FDIC's most frequently cited compliance issues, and this action illustrates how a relatively small number of loan-level failures can still constitute a 'pattern or practice' that triggers a formal civil money penalty.  

Even community banks with modest loan volumes must ensure their origination workflows include flood zone determination checks and that the completion and delivery of the Notice of Special Flood Hazard is a mandatory checklist item, not a discretionary step. Given that flood violations were the FDIC's third-most frequently cited compliance issue in 2025, and that both notice failures and origination failures appear together in this action, FIs should verify their training and procedures address both violation types explicitly.

Controls to Evaluate

  1. Pre-Closing Flood Compliance Checklist: A unified pre-closing flood compliance checklist is completed by designated loan operations staff for all applicable loans prior to loan closing, funding, or transaction finalization. The checklist consolidates all required flood compliance verification steps into a single documented review, providing a comprehensive pre-closing gate control. The checklist requires verification and documentation of the following steps, as applicable to the loan type and flood zone status: 
     
    1. Flood Insurance Coverage: Flood insurance is in force, coverage amount meets the lesser of the outstanding loan balance or maximum NFIP limit, declarations page is retained in the loan file, and the mortgagee clause is accurate. 
    2. Flood Hazard Determination Form: A completed flood hazard determination form is on file using the current required form version, all fields are fully populated, and the determination is current and not subject to the reuse limit. 
    3. Force Placement Pre-Notification: Where applicable, borrower deficiency notification was sent, delivery was confirmed, and the 45-day cure period has elapsed before force placement is initiated. 
    4. Flood Hazard Notice Delivery: The flood hazard notice was generated on the current approved template, delivered to the borrower within a reasonable time before closing, and a signed borrower acknowledgment is retained in the loan file. 
    5. Flood Hazard Notice Timing: The notice delivery date precedes the loan consummation date, and servicer notification has been initiated. 
    6. Escrow Setup and Notice: For covered loans, escrow has been set up correctly in the servicing system, the written escrow notice has been provided to the borrower, and the escrow notice is retained in the loan file. 
    7. Escrow Notice for Escrow-Required Loans: The written escrow notice has been generated, delivered, and retained where the escrow requirement applies. 

Completed checklists are retained in the loan file as evidence of pre-closing flood compliance review. Incomplete checklist items prevent loan closing advancement; exceptions require supervisor authorization and are tracked as compliance exceptions.

  1. Automated Workflow Hard Stops: A loan origination and servicing system is configured with mandatory workflow hard stops at defined flood compliance checkpoints, preventing transactions from advancing without completion of required flood compliance steps. Hard stops are applied at the following trigger points: 

    1. Flood Hazard Determination: Loan approval or commitment cannot advance when a completed flood hazard determination form has not been attached, accepted, and marked as reviewed by a designated staff member. 
    2. Flood Notice Delivery: Loan funding or closing cannot be processed when delivery of the required flood hazard notice to the borrower has not been confirmed and time-stamped in the system. 
    3. Loan Modification/MIRE Event: A loan modification, extension, increase, or renewal cannot be finalized until a flood compliance trigger review has been completed and documented, confirming whether the transaction constitutes a triggering event and, if so, that the required flood compliance workflow has been initiated. 

Manual override of any hard stop requires supervisor authorization, a documented justification entered in the system, and creation of an auditable exception record reviewed by compliance on a periodic basis. Exception records are trended to identify patterns of non-compliance. 

Related Ncontracts Content in Your Platform 

Flood Disaster Protection Act (FDPA)

NCUA Enforcement Actions

The NCUA issued no institutional enforcement actions in June 2026.  

Additional Enforcement Actions

FDIC

FDIC-25-0148b - For unsafe or unsound banking practices relating to board and senior management oversight, capital adequacy, liquidity, earnings, and interest rate risk.  

This month's actions all trace back to the same question: could your FI explain its risk story if an examiner asked today? Download our free Exam Readiness Checklist to find out before they do.