
Enforcement Actions Roundup: May 2025

Jun 12, 2025

Welcome to the June edition of our Enforcement Actions Roundup, a monthly summary where our regulatory experts break down recent enforcement actions from the previous month, highlight what went wrong, and offer insights to help your institution stay ahead of similar risks. 

The Enforcement Actions Roundup includes two key elements:   

  • The Enforcement Actions Tracker is a running total of enforcement actions by agency – keeping a tally of enforcement actions broken down by overall category and individual topics addressed by each action. This makes it easy to pick out enforcement trends and hot topics.  
  • The Enforcement Deep Dive reviews each enforcement action to understand what happened, key takeaways, and controls you should review at your institution to avoid making the same mistake.  

Let’s dive in.

Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.

2025 Enforcement Action Tracker

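| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending |
|---|---|---|---|---|---|---|---|---|---|---|---|
| CFPB | 1 | 2 | | | 3 | 1 | | | | | 1 |
| OCC | | | 2 | | | | 1 | | 4 | 2 | |
| FRB | | | | | 1 | | | 1 | 1 | | |
| FDIC | | | 2 | 3 | 1 | | | 8 | 3 | | |
| NCUA | | | | | | | | | | | |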

 *Please note that a single enforcement action may be included under multiple topics.

 Enforcement Actions Deep Dive: May 2025 

CFPB Enforcement Actions

There were no institutional enforcement actions by the CFPB in May.  

OCC Enforcement Actions

There were no institutional enforcement actions by the OCC in May.

FRB Enforcement Actions

There were no institutional enforcement actions by the FRB in May.

FDIC Enforcement Actions

FDIC Issues Enforcement Actions Against Two FIs for BSA Violations

The FDIC issued enforcement actions against two institutions for Bank Secrecy Act (BSA) violations related to Anti-Money Laundering/Countering the Financing of Terrorism Programs (AML/CFT program). Both institutions had deficiencies in internal controls, customer due diligence (CDD), suspicious activity reports (SARs), and risk assessment processes.

In addition to BSA violations, one institution also had broader financial risks requiring remediation, including capital adequacy, interest rate risk, and liquidity management.

Both institutions must submit quarterly progress reports to regulators detailing compliance efforts and results. Additionally, both have 90 days to overhaul their AML/CFT programs; enhance board oversight; update procedures for customer identification, risk profiling, ongoing monitoring, and enhanced due diligence for high-risk customers; and improve procedures for detecting and reporting suspicious activity, including timely SAR filing and FinCEN search responses.

Takeaways

Challenges regarding SARs and customer due diligence requirements remain a common issue when it comes to BSA violations. Institutions must have a risk-based CDD framework that considers the types of customers they serve, the products and services they offer, the geographic locations in which they operate, and the delivery methods used. Institutions also need to have a process for reviewing high-risk consumers, including cash-intensive businesses, money service businesses, and other relevant entities.

Additionally, institutions must be prepared to respond to suspicious activity, recognize red flags such as activity inconsistent with a customer's profile or unusual customer behavior, and have procedures in place to report this information to FinCEN promptly. SARs must include a straightforward narrative describing the suspicious activity and attach any supporting documentation.

Lastly, institutions using third parties to comply with BSA requirements must assess whether the third parties’ systems are appropriately validated, including the accuracy, completeness, and consistency of the systems’ information.

Controls to Evaluate

  1. AML/CFT Program: A comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Compliance Program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring timely identification, review, and filing of Suspicious Activity Reports (SARs) with the appropriate authorities, and a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries.
  2. AML/CFT Risk Assessments: Comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) risk assessments are conducted regularly. The risk assessment is performed at least annually and whenever significant changes in the business environment, regulations, or operations occur. The risk assessment methodology includes an analysis of money laundering risk (customer, product and services, geographic and transaction risk), terrorist financing (customer relationships, transaction patterns, geopolitical factors), other illicit financial risk (fraud, corruption, tax evasion) and sanctions risk (individuals and entities, countries, screening processes). The risk assessment process is documented and includes any findings and actions taken to mitigate identified risks. The risk assessment results are reported to senior management and the Board.
  3. TPRM Program: A Third-Party Vendor Management Program is in place that includes: (a) thorough initial due diligence and selection process; (b) contract negotiation, including third-party agreements and contractual performance standards; (c) ongoing monitoring (including model validation); (d) termination; (e) risk assessments; and (f) governance, including independent reviews and documentation/reporting. All duties, roles, and responsibilities are clearly identified. Ongoing monitoring includes ensuring that the vendor conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.


FDIC Issues More Flood Insurance-Related Violations

The FDIC issued enforcement actions against three institutions for Flood Disaster Protection Act of 1973 (FDPA) violations. One institution failed to follow force-placed flood insurance procedures, two failed to obtain flood insurance on a building securing a designated loan at the time of origination, and all three failed to obtain flood insurance or lacked adequate coverage at or before making, increasing, renewing, or extending a loan. All three institutions also failed to provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending, or renewing loans.

Takeaways

Flood insurance violations remain the top enforcement area in 2025, resulting in over $95,000 in penalties in April alone. The penalties varied in significance from around $3,000 for a handful of violations, to over $75,000 for systemic oversights. To uphold FDPA compliance, your institution needs a thorough, structured strategy that not only ensures adherence — especially regarding insurance verification, borrower notifications, and force-placement procedures — but also proactively identifies potential violations before they escalate into widespread issues.

Controls to Evaluate

  1. Updated Flood Insurance Policies and Procedures: Flood insurance policies and procedures are in place and are reviewed periodically. Roles and responsibilities are clearly defined, and policies and procedures are communicated to all staff. Procedures include: (a) pulling flood determinations for loans that will be secured by real estate; (b) requiring flood insurance for real estate secured loans in a designated flood zone before loan closing; (c) notification to customers of flood insurance requirements; (d) review process to ensure proper flood insurance is in place before loan closing and for the duration of the loan; (e) monitoring loans to ensure that flood insurance coverage is maintained for the entire duration of the loan; (f) flood insurance renewal monitoring and tracking; (g) force placement insurance requirements and customer notification processes; (h) maintaining documentation of flood insurance policies in the loan file, including proof of coverage and policy details.
  2. Comprehensive Loan Operations Procedures: Loan Operations procedures include continuous monitoring of all insurance policies and related escrow (if applicable), including flood insurance, handling all force-placed policies as necessary, and providing all notices and disclosures as required.
  3. Trained Staff: All staff involved in flood insurance processes receive ongoing training to stay abreast of changes in requirements.
  4. Periodic Reviews: The Compliance department periodically performs a review to ensure compliance with Flood Insurance requirements.


NCUA Enforcement Actions

There were no institutional enforcement actions by the NCUA in May.

Additional Enforcement Actions

OCC 

  • AA-EC-2025-04 For engaging in unsafe or unsound practices, including those relating to strategic and capital planning, earnings, and board and management supervision.
  • AA-WE-2025-20 For unsafe or unsound practices regarding management and board supervision, strategic and capital planning, liquidity risk, interest rate risk, and concentration risk.
