
Enforcement Actions Roundup: September 2025

Oct 14, 2025

Welcome to the October Enforcement Actions Roundup — our monthly look at the enforcement activity from the past month, what went wrong, and what financial institutions (FIs) can learn from it. 

This roundup features two key resources:  

  • Enforcement Actions Tracker: A running tally of actions by agency, category, and topic — making it easy to spot enforcement trends and emerging hot spots.
  • Enforcement Deep Dive: A closer look at each action, including what happened, key takeaways, and the controls your FI should revisit to avoid similar missteps.  

Let's get started.  

Related: Bookmark the Ncontracts Enforcement Action Tracker to search the latest enforcement actions by date, category, and regulator.  

2025 Enforcement Action Tracker 

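| Agency | Fair Lending | Advertising | AML/CFT | Underwriting | UDAAP | Electronic Funds Transfers | Insider Activities | Flood Insurance | Financial Risk | Concentration | Military Lending |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CFPB | 1 | 2 |  |  | 4 | 1 |  |  |  |  | 1 |
| OCC |  |  | 2 |  |  |  | 1 |  | 8 | 3 |  |
| FRB |  |  |  |  | 1 |  |  | 1 | 1 |  |  |
| FDIC |  |  | 5 | 3 | 1 | 1 | 1 | 10 | 5 |  |  |
| NCUA |  |  |  |  |  |  |  |  |  |  |  |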

 

Enforcement Actions Deep Dive: September 2025

CFPB Enforcement Actions

The CFPB issued no institutional enforcement actions in September 2025. 

OCC Enforcement Actions

The OCC issued no institutional enforcement actions in September 2025. 

FRB Enforcement Actions

The FRB issued no institutional enforcement actions in September 2025. 

FDIC Enforcement Actions

FDIC Orders Institution to End Overdraft-as-Credit Practices

The FDIC and the South Dakota Division of Banking found unsafe and unsound banking practices at an institution, including capital deficiencies, liquidity risks, and improper overdraft practices. The institution must cease using overdrafts as a customer financing method and will have 30 days to revise its written overdraft policy.  

The Order prohibited the institution from paying any demand items, such as checks, debit transactions, Automated Clearing House (ACH) transactions, or ATM withdrawals, on any customer account that, when aggregated with all other overdrafts to that customer, exceeds or would exceed $2,000, without the Board of Directors’ prior approval. The institution has 180 days to eliminate or correct any violations and implement appropriate procedures to ensure future compliance.  

Takeaways

Using overdrafts as a form of credit creates substantial risk, including financial risk from losses, regulatory violations, and reputational damage. While the Order doesn’t explicitly cite consumer protection statutes for violations, the FDIC’s findings regarding overdraft issues echo themes common in similar enforcement actions.   

When banks use overdrafts as a form of informal credit — without proper disclosures, underwriting, or repayment terms — they risk violating consumer protection laws. These include Regulation E, which governs electronic fund transfers and requires clear disclosure of overdraft terms; Regulation Z, which mandates transparency around credit costs and obligations; and Section 5 of the FTC Act, which prohibits Unfair or Deceptive Acts or Practices (UDAP).  

Controls to Evaluate

  • Overdraft Policy and Procedures: Overdraft policies and procedures include details about disclosures/notices, overdraft limits, fees, posting order, representments, check/deposit holds, insufficient deposits, authorize positive settle negative (APSN), monitoring, chronic/excessive usage, credit reporting, disputes, etc., that are applied consistently, regardless of opt-in or opt-out status.  
  • Retail Operations Procedures: Retail operations procedures include required communications with consumers who have chronic/frequent overdrafts, including targeted outreach, providing information on alternative programs that may be less costly and better suited for the individual, or providing a method for the consumer to contact the institution to discuss alternatives, possibly through enhanced periodic statement messages.
  • Overdraft Services: Overdraft services and alternative offerings are reviewed periodically, including possible alternatives for reducing or eliminating fees, transitioning customers from courtesy pay to standard loan products (such as small-dollar loans, credit cards, lines of credit), and/or offering tiered checking accounts with value-added services and/or service fees in lieu of courtesy pay.  

Related Ncontracts Content in Your Platform

  • Ncomply Sample Policies: Overdraft; Overdraft Policy on ATM and One-Time Debit Card Transaction; Regulation E – Electronic Funds Transfer Act  
  • Nrisk Risk Assessments: Overdraft Services; Regulation E - Electronic Funds Transfer Act (EFTA)

FDIC Issues Enforcement Action for AML/CFT Violations

The FDIC issued an enforcement action against an institution for numerous AML/CFT violations. The institution has 90 days to: (1) review its AML/CFT program to reflect its money laundering (ML), terrorist financing (TF), and other illicit financial activity risks and its risk profile; and (2) implement a periodic monitoring program of adherence to the AML/CFT Program.

The institution must also conduct an ML/TF risk assessment at least annually, reviewing all products, services, types of customers, business lines, staffing levels, mitigating controls, and any issues identified in enforcement actions. The institution must implement and maintain a system of internal controls for BSA compliance, taking into consideration risk, size, complexity, organizational structure, distribution channels, and identified deficiencies and weaknesses. The internal controls must specifically address Customer Due Diligence (CDD), Suspicious Activity Reports (SARs), and Currency Transaction Reports (CTRs).   

Takeaways

CDD, SARs, and CTRs are crucial components of any institution’s BSA Program, and weaknesses can leave your institution vulnerable. CDD programs must have appropriate risk-based policies, procedures, and processes for conducting ongoing CDD for new and existing customers, and work in conjunction with an institution’s customer identification program (CIP) and suspicious activity monitoring to develop customer risk profiles.

Institutions must also have policies, procedures, processes, and systems, including manual monitoring systems, and if applicable, automated software monitoring systems, for monitoring, detecting, and reporting suspicious activity. SARs must be filed within 30 days of identifying unusual or suspicious activity when the suspect is known, or within 60 days when the suspect is unknown.  

Lastly, institutions must have processes and policies regarding currency transaction reports, which are required for each transaction exceeding $10,000, whether conducted by, through, or to the bank. Internal controls must be designed to ensure ongoing compliance with CTR requirements and be commensurate with your ML/TF risk profile, complexity, and organizational structure.  

Controls to Evaluate

  • AML/CFT Program: A comprehensive Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Compliance Program is in place. The program includes robust policies, procedures, and internal controls to detect, prevent, and report money laundering and terrorist financing activities. Key components of the program include a risk-based Customer Due Diligence (CDD) process, including a Customer Identification Program (CIP) and ongoing monitoring of customer transactions. The program also includes suspicious activity monitoring and reporting mechanisms, ensuring the timely identification, review, and filing of Suspicious Activity Reports (SARs) with the appropriate authorities. Additionally, it features a sanctions compliance framework to prevent dealings with sanctioned individuals, entities, and countries. All aspects of the AML/CFT Program are well-documented and regularly reviewed, with updates made to address emerging risks and regulatory changes.  
  • BSA/AML/CFT Systems: BSA/AML/CFT systems are in place that support CDD requirements including automated customer risk rating algorithms, beneficial ownership identification tools, high-risk customer flagging capabilities, enhanced due diligence workflow management, ongoing monitoring automation, and transaction monitoring systems that detect unusual patterns, structured transactions, rapid movement of funds, transactions inconsistent with customer profiles, geographic risk indicators, and suspicious relationship activities to ensure effective customer risk assessment and ongoing oversight.  
  • SAR Procedures: Comprehensive Suspicious Activity Reporting (SAR) procedures are in place requiring systematic suspicious activity identification and reporting including properly structured monitoring systems with risk-based filtering criteria, complete SAR process management from detection through filing within required timeframes, thorough narrative documentation standards, currency structuring detection across multiple dimensions, repeat SAR filing for ongoing suspicious activity, SAR confidentiality protection, record retention compliance, board reporting requirements for SAR filings, and law enforcement cooperation protocols to ensure effective suspicious activity reporting and prevent regulatory violations and money laundering facilitation.  
  • CTRs: Currency Transaction Reports are filed for each transaction in currency (deposit, withdrawal, exchange of currency, or other payment or transfer) of more than $10,000 by, through, or to the institution. Each CTR records the name and address of the individual presenting the transaction, as well as the identity, account number, and Social Security or taxpayer identification number, if any, of any person or entity on whose behalf the transaction is conducted.

Related Ncontracts Content in Your Platform

  • Ncomply Sample Policies: BSA/AML/CFT 
  • Nrisk Risk Assessments: BSA/AML/CFT  
  • Nverify Audits: BSA/AML/OFAC  

FDIC Finds Gap in FI's Board Oversight and Risk Management Practices

The FDIC identified unsafe and unsound practices related to deficiencies and weaknesses in an institution’s board of directors' oversight and in its liquidity risk management, capital planning, strategic planning, and profitability. At a minimum, the institution must revise its succession plan to include all management roles and ensure that roles are filled by individuals with the requisite skills, knowledge, and experience necessary to satisfactorily oversee and manage activities, operations, and associated risks.  

Takeaways

Strong board oversight begins with establishing a formal risk management framework, outlining risk appetite, setting clear escalation protocols, and ensuring emerging risks are actively monitored. To be effective, the board must receive timely, detailed, and actionable reports that focus on key performance indicators and risk metrics. Boards should regularly conduct internal reviews, audits, and scenario planning to stay ahead of potential issues rather than waiting for examiners to flag them.  

Additionally, institutions must ensure that employees have the requisite skills, experience, expertise, authority, and resources necessary to satisfactorily oversee and manage activities, operations, and associated risks, and take appropriate action if they lack the required competency.   

Controls to Evaluate

  1. Liquidity and Funds Management Policy: The liquidity and funds management policy is comprehensive and reviewed periodically. The policy may include:
    • Structure and responsibilities of the Asset Liability Committee (ALCO)
    • Requirement of periodic review of the FI's deposit structure/composition
    • Permissible funding sources and concentration limits
    • Calculation for cost of funds
    • Procedures for measuring and monitoring liquidity (including static measurements and cash flow projections using base case and stress scenarios)
    • Type and mix of permitted investments
    • System of internal controls (including independent reviews of liquidity management practices, compliance with internal policies, procedures and risk limits)
    • Contingency funding plan
    • Periodic testing requirement of liquidity lines
    • Procedures for reviewing and documenting assumptions used in liquidity projections
    • Procedures for approving exceptions to policies, limits and authorizations
    • Identify permissible wholesale funding sources and authority levels for accessing them
    • Process for measuring and monitoring unused borrowing capacity
    • Established target liquidity ratios and parameters 

  2. Liquidity Management and Monitoring Framework: A comprehensive liquidity management and monitoring framework is in place, providing real-time and forward-looking oversight of cash positions, payment flows, and funding requirements across all correspondent banking relationships through sophisticated automated systems and established minimum buffer requirements. The framework includes continuous intraday monitoring of cash positions, payment queues, expected receipts, and available funding with payment prioritization capabilities and automated fund positioning, daily end-of-day position analysis with stress testing under various scenarios, forward-looking liquidity forecasting for multiple time horizons, and maintenance of minimum liquidity buffers calculated based on historical payment volumes, stress testing results, and regulatory requirements to ensure adequate funding under both normal and stressed market conditions.  

  3. Succession Planning: A succession planning process is in place that identifies critical roles, develops successor candidates, and ensures smooth transitions in the event of key personnel departures. The process includes leadership development programs, mentoring relationships, and documented transition procedures.  

Related Ncontracts Content in Your Platform

  • Ncomply Sample Policies: Enterprise Risk Management; Succession Planning; Liquidity Risk Management Policy  
  • Nrisk Risk Assessments: Corporate Governance 

NCUA Enforcement Actions

The NCUA issued no institutional enforcement actions in September 2025. 
