Welcome to the latest Enforcement Actions Roundup covering May’s enforcement actions. Every month, our team of regulatory compliance experts breaks down what went wrong, why it matters, and what your financial organization can do to stay ahead.
This roundup features two key resources:
Enforcement Actions Tracker: A running tally of actions by agency, category, and topic — making it easy to spot enforcement trends and emerging hot spots.
Let's explore this month’s enforcement actions.
Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.
| Year | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending | Government Loan Programs | |
| CFPB | 2025 | 1 | 2 | 4 | 1 | 1 | |||||||
| 2026 YTD | |||||||||||||
| DOJ | 2025 | ||||||||||||
| 2026 YTD | 1 | ||||||||||||
| OCC | 2025 | 3 | 1 | 8 | 3 | ||||||||
| 2026 YTD | 1 | ||||||||||||
| FRB | 2025 | 1 | 3 | 1 | |||||||||
| 2026 YTD | 1 | 1 | |||||||||||
| FDIC | 2025 | 5 | 3 | 1 | 1 | 1 | 10 | 6 | |||||
| 2026 YTD | 1 | 1 | 2 | 2 | 2 | ||||||||
| NCUA | 2025 | ||||||||||||
| 2026 YTD |
The CFPB issued no institutional enforcement actions in May 2026.
The DOJ entered into this settlement agreement after discovering that a bank holding company forgave loans provided through the PPP that were not eligible for forgiveness. The DOJ also argued the institution was unjustly enriched by the payment made by the SBA to the institution after the loan was forgiven. The institution must pay almost $5 million to the government and fully cooperate with the DOJ's ongoing investigation.
The majority of PPP litigation since the pandemic has involved borrowers who fraudulently obtained loans. However, this action targets the lender, signaling that the DOJ and SBA continue to scrutinize lender-side PPP decisions years after the program ended. It also indicates that approving forgiveness without adequate eligibility review carries real legal and financial consequences.
SBA Lending Policies and Procedures: The Small Business Administration (SBA) lending program policies, processes, and procedures are in place and reviewed periodically. The policies and procedures include steps to properly evaluate, process, close, disburse, service, liquidate, and litigate small business loans, and track fee payments. Policies address standards for: underwriting and documentation, credit administration, collateral perfection and valuation, compliance reviews, risk management of third parties, and accounting, board, and regulatory reporting. Policies also include fair banking requirements to avoid discrimination and debanking. Roles and responsibilities are clearly defined.
Loan Review Program: The loan review program, internal and/or external, is comprehensive, with annual plans reviewed and approved by the board. The program includes appropriate staffing to attain adequate coverage, scope, analysis, and written reports. The loan review program provides for timely and accurate credit classification and risk grading, as well as compliance with SBA lending requirements and compliance requirements. The reports are presented periodically to the board.
Nrisk Risk Assessments
The OCC issued this enforcement action after finding the savings association failed to develop and maintain controls and risk management processes commensurate with its risk and growth. The institution also had Suspicious Activity Reporting (SAR) deficiencies, specifically in its suspicious activity alerting system, which resulted in the system auto-closing alerts that should have been escalated for further review. The institution also suffered from numerous customer due diligence (CDD) failures, including failures to apply enhanced due diligence requirements for foreign financial institution correspondent accounts and a lack of independent testing to identify BSA/AML weaknesses or properly scope high-risk areas.
As an institution grows, so do its risks. The core issue was that the institution grew its payment processing relative to its size, generating substantial wire and ACH volume, including cross-border activity, without investing proportionally in the compliance systems needed to manage the associated risks. Institutions need to continuously validate that systems align with their risk profile.
The OCC also required the institution to engage a third-party consultant to review prior SAR decisions and possibly file any previously unreported SARs. This process could uncover other violations, leading to further findings. The OCC retained the right to expand the look-back scope, which adds further uncertainty and signals that regulators are looking closely to ensure patterns don’t emerge.
Comprehensive AML/CFT Compliance Program: A comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Compliance Program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program are a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring timely identification, review, and filing of Suspicious Activity Reports (SARs) with the appropriate authorities, and a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries. All aspects of the AML/CFT Program are well-documented, regularly reviewed, and updated to address emerging risks and regulatory changes.
Enhanced Due Diligence Procedures: Comprehensive enhanced due diligence procedures are in place for all high-risk customer categories, including politically exposed persons (PEPs), customers from high-risk geographic locations, cash-intensive businesses, privately owned ATMs, money service businesses, correspondent banking relationships, private banking clients, and Non-Governmental Organizations (NGOs). Customers with complex ownership structures that require a documented source of funds analysis, nature of activities, beneficial ownership, and periodic review updates based on risk ratings and regulatory requirements are also included.
Ncomply Sample Policies
Nrisk Risk Assessments
Nverify Audits
The FRB issued no institutional enforcement actions in May 2026.
The NCUA issued no institutional enforcement actions in May 2026.
FDIC-25-0142b: For unsafe or unsound banking practices and violations of law or regulation relating to weaknesses in capital, management, earnings, and sensitivity to market risk.
Need help navigating the compliance maze? Get auditable, accurate, cited answers to your regulatory questions with Nquiry, our AI agent built for financial organizations.