Supervisory Experience and Enforcement Actions Continue to Drive Supervisory Priorities and Policy Development

This article identifies themes we have observed in recent public formal enforcement actions issued to institutions by the US federal bank regulatory agencies (Agencies) — the Board of Governors of the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) — in the past year.¹

We have found that supervisory experiences and enforcement actions continue to drive supervisory priorities and policy development, with this year’s focus being on bank-fintech arrangements, bank capital planning and adequacy, and continued focus on perceived weaknesses at global systemically important banks (G-SIBs), which in the latter case appear to reflect unique deficiencies at each institution.

Since June 1, 2023, the Agencies have issued more than 100 formal enforcement actions against financial institutions, including close to 30 formal agreements, more than 50 consent orders (C&Ds),² and more than 25 orders for civil money penalties (CMPs).³

Our insights are based on formal enforcement actions, which are, by law, required to be made public.⁴ In addition to these public activities, the Agencies also use confidential examination reports and a variety of other informal, nonpublic enforcement actions, such as board resolutions and memorandums of understanding, which are confidential and not typically legally enforceable through the federal court system.

An agency’s shift from examination findings to enforcement actions is typically a progressive one. While the Agencies may take formal enforcement actions for violations of laws, rules, or regulations; unsafe or unsound practices; breaches of fiduciary duty; and violations of other prior enforcement actions, many weaknesses identified at institutions are resolved nonpublicly through the institution’s responses to matters identified in examination reports as requiring attention or immediate attention, or confidential informal enforcement actions before rising to the level of a violation of law or regulation, unsafe or unsound practice, or other conditions that would support a formal enforcement action.⁵

The Agencies take into account a variety of factors when determining what type of enforcement action is appropriate, including the scope and severity of a bank’s deficiencies, particularly in policies, procedures, and control systems; whether those deficiencies are improving or worsening; the presence or absence of insider abuse; the presence or absence of systemic or significant violations of laws or regulations; whether the bank’s board or directors and senior management have appropriately sought to address identified deficiencies; the bank’s ratings; and the level of risk posed by the bank’s activities.⁶

C&Ds may be enforced in the federal court system and are issued when a bank has engaged in an unsafe or unsound practice or a violation of law, rule, regulation, condition imposed in writing, or written agreement (e.g., a formal or written agreement). C&Ds permit the Agencies to require a bank to undertake or refrain from undertaking certain actions, such as ceasing and desisting from engaging in an unsafe or unsound practice or violation, taking affirmative action to correct or remedy any conditions resulting from any violation or practice, making restitution or providing reimbursement, restricting asset growth or other activities or functions, disposing of a loan or other asset, rescinding an agreement or contract, employing qualified officers or employees, or taking other actions an agency determines appropriate.

Formal agreements are agreements between a bank, as authorized by its board of directors, and an agency, and they are typically used when a bank’s risk management or other deficiencies are deemed to be less severe than those that might warrant a C&D.⁷ Violations of these agreements can serve as the legal basis for additional enforcement actions, including CMPs.

Third-Party Risk Management and Fintech Enforcement Actions

Across the Agencies, it is common to find consent orders for non-G-SIB banks consistently focused on weaknesses in third-party risk management and fintech activities.

In June 2023, the Agencies issued final, joint guidance for managing risks associated with third-party relationships, including relationships with financial technology companies. In May 2024, the OCC issued “Third-Party Risk Management: A Guide for Community Banks,” intended as a companion piece to the guidance and focused on assisting community banks that are national banks in developing and implementing third-party risk management practices.

Between June 1, 2023, and June 30, 2024, the Agencies entered into more than 45 C&Ds with non-G-SIBs — of which 12 were consent orders — and one formal agreement. The C&Ds either specifically referenced the guidance in articulating appropriate remedial actions or otherwise addressed third-party risk management in the context of fintech relationships or services.⁸

Fintech-related enforcement actions are informing and driving supervisory priorities and policy development.

On July 25, 2024, the Agencies issued a joint statement highlighting “potential risks related to arrangements between banks and third parties to deliver bank deposit products and services to end users,” including third-party, liquidity, compliance, and operational risks, informed by the Agencies’ “supervisory experience” and resulting in a “large number of enforcement actions in connection with these arrangements in recent years.”

Consistent with the recent fintech enforcement actions and areas identified for remediation, the Agencies “observed heightened risk” in the following areas:

• Limits on a bank’s “ability to establish clear lines of accountability, implement effective risk and compliance management strategies, and address and remediate issues as they arise, especially where novel arrangements place certain traditional banking activities outside of the bank”
• The possibility that customers may not understand the nature of the account relationship they are establishing through the fintech and the fact that FDIC-deposit insurance will not protect them in the event of the fintech’s failure 
• The inability to comply with applicable laws and regulations and conduct banking operations in a safe and sound manner with the rapid growth in the number, size, or complexity of bank-fintech arrangements
• Increased reliance on such arrangements, resulting in the “bank’s business becoming highly concentrated in the arrangement(s)” and increased vulnerability to market stresses, particularly if deposits generated from the arrangements are used to fund longer-term assets
• Lack of access to information on “end users,” potentially impeding a bank’s ability to comply with applicable consumer protection, recordkeeping, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance, sanctions, and state escheatment laws and regulations

On the same day, the Agencies also issued a request for information on bank-fintech arrangements involving deposit-taking activities; payment activities, including card issuance; and consumer and small-business lending. The request for information seeks, among other things, more detailed information on the operations of such arrangements, including contractual provisions allocating roles and responsibilities among the participants, data sharing among participants, how banks plan for and manage terminations of these arrangements, the impact of the arrangements’ size and significance to the bank on the bank’s oversight, and how bank-fintech arrangements could amplify or contain financial shocks.

The enforcement actions involving fintech activities are, by and large, consent orders that are not preceded by a less severe form of public enforcement action.

With one exception, all the public enforcement actions involving fintechs are C&Ds rather than written agreements or formal agreements. Based on publicly disclosed enforcement actions, the Agencies appear to be moving to C&Ds directly without first entering into public, formal agreements or written agreements with the banks — indicating that the Agencies have more-significant concerns about the potential impact of each bank’s deficiencies on banks’ safety and soundness.

Thus far, only one fintech-related C&D in the covered period has involved the assessment of CMPs.

There is no apparent geographic concentration among the banks subject to the enforcement actions or among banks subject to a particular state or federal bank regulatory authority.

The banks (or bank holding companies) subject to the enforcement actions relating to fintech activities are geographically dispersed, and the banks include national banks, state member banks, and nonmember banks. Only one Federal Reserve action involved a bank holding company alone, and there have been no parallel actions between the Federal Reserve with respect to a bank holding company and the FDIC or OCC with respect to a subsidiary bank.

State bank regulator participation has been somewhat limited, so far.

In only three of the 10 fintech-related enforcement actions involving state-chartered banks did the state banking regulator join the agency’s action. In many of the cases in which the state banking regulators did not join the agency’s action, the state banking regulator took action independently against the bank. Notably, bank regulators in Tennessee, Washington, and Utah did not join actions against banks chartered in their states.

The banks subject to these fintech-related actions are, by and large, community banks.

All of the 13 public fintech-related enforcement actions involve banks with assets of less than $10 billion, as of December 31, 2023, with seven having total assets of less than $1 billion.

The time between the completion of the first examination and the enforcement action appears to be shortening.

Time spans between the earliest examination report (in the six actions where examination report dates are listed) and the date of the enforcement action ran from approximately 18 months to a little under six months, with two actions taken in 2024 occurring within about six months of the examination date. While we cannot know for sure, it is possible that the decrease in time between the first examination and the enforcement action reflect an increased sense of urgency on the part of the Agencies.⁹

With one exception, the actions involve banks or bank holding companies and not institution-affiliated parties (IAPs) that are entities or service providers subject to the Bank Service Company Act.

In only one instance in the past year has an agency taken a public enforcement action against an entity that is not a bank or bank holding company. On November 30, 2023, the FDIC entered into a consent order with Comenity Servicing LLC, which provides information technology and other services to certain banks. The FDIC took action against Comenity as an “institution-affiliated party” of certain “insured depository institutions” within the meanings of 12 U.S.C. 1813(c)(2) and 1813(u), respectively. The order requires Comenity to improve the supervision and direction of management and its oversight and monitoring of all service provider activities, including those conducted through third-party relationships.

Under the Federal Deposit Insurance Act, as amended, 12 U.S.C. Section 1818, an agency can pursue a variety of formal, as well as informal, enforcement actions against an IAP. The standards for action against an IAP are generally those that would apply if an agency were seeking to take action against a bank or bank holding company, and the term “IAP” includes bank directors, officers, employees, and controlling shareholders as well as an “agent for ... an insured depository institution” and “any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in any violation of law or regulation, breach of fiduciary duty, or unsafe or unsound practice, which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution.”¹⁰

The consent order with Comenity arose following an information technology examination conducted by the FDIC. While Comenity is not a bank, bank holding company, or affiliate of either, it is subject to examination by the Agencies under the Bank Service Company Act (BSCA).¹¹

The Agencies have historically used this enforcement authority against third-party service providers that are IAPs and subject to the BSCA infrequently. Some of the most recent uses of this combination of authorities were 10 or more years ago. In 2011, the Federal Reserve, the FDIC, the OCC, the Office of Thrift Supervision, and the Federal Finance Housing Agency undertook an interagency horizontal review of major residential-mortgage servicers and mortgage service providers that led to consent orders with third parties providing mortgage servicing for a variety of banks.¹² In 2013, the Agencies undertook formal enforcement actions against BSCA-subject technology service providers that were alleged to have engaged in unsafe or unsound banking practices in the performance of the services that they provided to insured depository institutions.¹³

Continued Focus on Capital Planning and Adequacy

We have seen a number of actions aimed at improving capital planning and adequacy since the failure of Silicon Valley Bank in March 2023 and subsequent market disruption, but we have not seen as many formal actions as may have been anticipated under the circumstances. The actions have primarily taken the form of written agreements or formal agreements, as opposed to C&Ds, with non-G-SIB banks that are often focused on capital adequacy, asset quality, and liquidity risk management.

Between June 1, 2023, and June 30, 2024, the Agencies entered into more than 20 written agreements or formal agreements with non-G-SIBs: 11 with the Federal Reserve and the rest with the OCC.¹⁴ The Federal Reserve’s written agreements predominantly focus on capital adequacy, asset quality, and liquidity risk management, with some also focused on governance and interest rate risk management, and one on BSA/AML compliance. The OCC formal agreements also focus on capital adequacy and a variety of risk management practices, including BSA/AML compliance.

G-SIB Enforcement Actions Do Not Indicate Common Weaknesses Across Multiple Institutions

For G-SIBs, the formal enforcement actions have generally arisen from alleged control weaknesses specific to a G-SIB’s organization. Recent actions have addressed the alleged failure to adequately monitor market misconduct in trading activities undertaken by a firm and its clients, alleged illegal disclosures of confidential supervisory information, alleged deficient management practices regarding counterparty credit risk, alleged unfair and deceptive practices in connection with representment fees, and alleged failures to make sufficient remedial progress under prior C&Ds.

 

---

^[1] This article reviews formal enforcement actions issued by the Agencies to banks and other entities (but not individuals) between June 1, 2023, and June 30, 2024, and made available to the public as of July 31, 2024. 
^[2] There were no contested cease and desist orders finalized in this period.
^[3] Counted via federalreserve.gov (searching for cease and desist orders, CMPs, and written agreements), apps.occ.gov (searching active records for institutions, C&Ds, CMPs, and formal agreements), orders.fdic.gov/s/searchform (searching respondent types bank and company, assessment of CMPs, cease and desist orders and C&Ds, and written agreements). Our review does not cover certain formal enforcement actions, including prompt corrective action directives.
^[4] Final enforcement orders are public in accordance with the Financial Institutions Reform, Recovery, and Enforcement Act of 1989. Written agreements are made public in accordance with the Crime Control Act of 1990. We caution that any analysis of agency action is necessarily limited in breadth by the nature of publicly available information.
^[5] “Bank Enforcement Actions and Related Matters” in Policies and Procedures Manual, OCC, May 25, 2023.
^[6] “Bank Enforcement Actions and Related Matters” in Policies and Procedures Manual, OCC, May 25, 2023.
^[7] In some cases, depending on the nature of the case, an agency may be required to issue a C&D. See 12 U.S.C. Section 1818(s) (requiring the issuance of a C&D in certain cases involving violations of the Bank Secrecy Act).
^[8] Other C&Ds address deficiencies in third-party risk management outside of the context of fintech relationships or services. 
^[9] A shortened time period could also be driven by a variety of other factors, including increased agency enforcement staffing and changes in processing enforcement actions within the agency. Actions that do not involve interagency coordination may also take less time than those that involve more than one state or federal bank regulatory agency. 
^[10] 12 U.S.C. Section 1813(u).
^[11] 12 U.S.C. Sections 1861 to 1867.
^[12] See e.g., “In the Matter of MERSCORP, Inc., and the Mortgage Electronic Registration Systems, Inc., Reston, Virginia,” OCC, April 13, 2011. See also “In the Matter of Lender Processing Services, Inc. Jacksonville, Florida DocX, LLC Alpharetta, Georgia LPS Default Solutions, Inc. Mendota Heights, Minnesota,” OCC, April 13, 2011, as amended. 
^[13] “In the Matter of Fundtech Corporation, Jersey City, New Jersey, BServ, Inc. Las Vegas, Nevada,” OCC, December 9, 2013, and “Agreement by and between Jack Henry Associates, Inc., Monett, Missouri, and the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve Bank of St. Louis,” OCC, December 4, 2013. 
^[14] The FDIC did not enter into any written or formal agreements in this period; the last time the FDIC entered into a written agreement was in 2013. In this period, the FDIC entered into more than 30 C&Ds, compared with 13 for the Federal Reserve and nine for the OCC.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.