Office of the Comptroller of the Currency (OCC) Fines & Enforcement Guide

Office of the Comptroller of the Currency Fines & Enforcement Guide

US national bank supervisory intelligence. OCC supervises 1,040 national banks holding $16 trillion assets (66% US commercial banking). 2024 enforcement tripled to 36 actions (vs 11 in 2023), led by TD Bank $450M OCC portion ($3.1B total—largest BSA penalty in history: 92% of transactions unmonitored 2018-2024, $671M laundered, first bank guilty plea to felony conspiracy, asset cap until remediation). Other major cases: JPMorgan Chase $250M (trade surveillance), Citibank $75M (governance), City National Bank $65M (risk management). Priorities: BSA/AML zero-tolerance, cybersecurity preventative controls, third-party fintech risk (May 2024 guidance), CRE stress (office vacancy 19%, values -35%). OCC's Basel III implementation role and enforcement precedents preview UK/EU/Asia regulatory themes 12-18 months ahead.

Executive Summary

Scope: 1,040 national banks, $16T assets (66% US commercial banking). Tiered: Large/Global ($500B+), Regional/Midsize ($30-500B), Community (<$30B)
2024 Enforcement Tripled: 36 actions (vs 11 in 2023). TD Bank $450M OCC ($3.1B total—largest BSA), JPMorgan $250M, Citibank $75M, City National $65M
BSA/AML Zero-Tolerance: TD Bank: 92% transactions ($18.3T) unmonitored 2018-2024, $671M laundered, first felony conspiracy guilty plea, asset cap $434B until remediation
Operational Risk: Cybersecurity top priority (preventative controls emphasis), fraud/payments elevated, third-party fintech (May 2024 guidance), CRE stress (office vacancy 19%, values -35%)

Coverage Summary

Coverage window: 1987-2026
Actions tracked: 5579
Publication model: Search Register
Native currency: USD
Dashboard currency: GBP
Coverage stance: Growing coverage - Live OCC enforcement-actions register published from the official JSON export of the public search tool.

Regulator Analysis

#### Coverage Assessment This guide treats the regulator feed as public enforcement intelligence. It is designed to show what the public record is good for, and where the current dataset may have coverage gaps or formatting differences compared to other major regulators. Office of the Comptroller of the Currency is currently tracked across 1987-2026, with 5579 published actions normalised into the dashboard. Growing live coverage with enough depth for trend work, but still expanding over time. The dataset is usable, but it is still better treated as a directional intelligence feed than a fully mature archive.

Operational confidence: Standard live feed with routine monitoring and stronger operational reliability.
Primary source model: Search Register.
Jurisdiction: United States (North America).
Coverage note: Live OCC enforcement-actions register published from the official JSON export of the public search tool.

#### Why OCC Matters Internationally OCC's $16T supervised assets (66% US commercial banking), Basel Committee role, and enforcement precedents ($3.1B TD Bank BSA penalty) make it essential monitoring for UK/EU banks with US operations or benchmarking against US regulatory standards. Global Reach: OCC supervises 49 federal branches of foreign banks, creating direct touchpoints for UK/EU institutions. Three largest US banks (JPMorgan, BofA, Wells Fargo) rank top 10 globally. TD Bank $3.1B penalty (largest BSA in history: $18.3T unmonitored, $671M laundered, felony guilty plea, $434B asset cap) establishes AML expectations impacting FCA, ECB, FINMA enforcement intensity. Basel III Leadership: OCC serves on Basel Committee alongside Federal Reserve, FDIC. July 2023 'Basel III Endgame' proposed rulemaking affects international banks with US operations. Risk Governance Framework (formal risk appetite, capital/liquidity buffers, board oversight) influences UK/EU enterprise risk management approaches.

UK/EU banks with US federal branches: Direct OCC supervision for BSA/AML, operational resilience, third-party risk—TD Bank case ($3.1B) demonstrates enforcement severity
Basel III monitoring: OCC implementation guidance previews international capital standards affecting globally active banks
Correspondent banking: US correspondents under OCC face heightened scrutiny—ensure counterparty AML adequacy
Fintech partnerships: May 2024 OCC guidance on bank-fintech arrangements signals digital banking regulatory direction

#### 2024 Enforcement Tripled—Key Priorities 36 enforcement actions in 2024 (vs 11 in 2023, 17 in 2022) with intensified focus on BSA/AML, operational risk, CRE, third-party relationships. BSA/AML Zero-Tolerance: TD Bank $3.1B total ($450M OCC): 92% transactions ($18.3T) unmonitored 2018-2024, $671M laundered, felony guilty plea, $434B asset cap until remediation. OCC Semiannual Risk Perspective highlights data governance gaps, transaction exclusions increasing SAR noncompliance. Message: systemic AML failures trigger criminal referrals, asset caps, growth restrictions. Operational Risk Elevation: Cybersecurity top priority with first-time preventative controls emphasis (not just incident response). Fraud/payments third priority. JPMorgan $250M trade surveillance deficiency demonstrates expectations for technology controls, automated monitoring accuracy. Third-Party Fintech Risk: May 2024 guidance, Bulletin 2024-20 emphasize banks cannot outsource compliance accountability. Elevated risks: operational, compliance, liquidity, concentration, deposit insurance misrepresentation. Enhanced due diligence, ongoing monitoring, contingency planning required. CRE Stress: Office vacancy 19% (Q1 2024), values -35%, multifamily -30%, 69% of maturing office loans unpaid in 2023, 76% high refinancing risk. Banks hold 50% CRE debt. Focus: concentration risk, stress testing, loan workouts, appraisals.

BSA/AML monitoring must cover 100% in-scope transactions—TD Bank's 92% gap ($18.3T unmonitored) demonstrates supervisory intolerance for exclusions
Cyber preventative controls required (ransomware, DDoS, data exfiltration)—not just detection/remediation
Bank-fintech partnerships: enhanced due diligence, cannot outsource accountability despite innovation goals
CRE concentration approaching thresholds (100% capital construction, 300% total CRE) triggers scrutiny
Governance failures: Citibank $75M for remediation slippage, City National $65M for board oversight gaps

#### Supervisory Structure & International Coordination Tiered supervision (Large/Global $500B+, Regional/Midsize $30-500B, Community <$30B), Basel Committee role, and supervision of 49 foreign bank federal branches create international touchpoints. Risk-Based Approach: Large institutions ($500B+): continuous supervision, quarterly CAMELS. Midsize ($30-500B): periodic exams, targeted reviews. Community (<$30B): 12-18 month statutory exams, tailored scope. Risk Governance Framework for $50B+ assets requires formal risk appetite, capital/liquidity buffers, board oversight. 2024 Semiannual Risk Perspective top risks: CRE (office vacancy 19%, values -35%), operational (cybersecurity, fraud), compliance (BSA/AML), market (interest rate, liquidity). Basel III & Cross-Border Coordination: OCC serves on Basel Committee with Federal Reserve, FDIC. July 2023 'Basel III Endgame' proposed rulemaking affects international banks with US operations. OCC supervises 49 foreign bank federal branches—TD Bank $3.1B demonstrates BSA/AML expectations apply equally. UK-US Financial Regulatory Working Group addresses stablecoin regulation, resolution planning (G-SIBs across US/UK/EU jurisdictions).

#### How to Use OCC Intelligence

Quarterly Enforcement Review: Monitor apps.occ.gov/EASearch (updated January 2025 with subject search since 2012) and monthly press releases. Track themes: half of 2024 actions addressed strategic/capital planning, liquidity/interest rate risk, oversight failures.
Semiannual Risk Perspective: Fall 2024 identified credit (CRE), operational (cybersecurity, fraud), compliance (BSA/AML), market (interest rate) risks. Use as 6-month forward indicator for control investments, board reporting.
BSA/AML Benchmarking: TD Bank $3.1B establishes floor: 100% transaction monitoring coverage (not 92%), SAR processes with human oversight, quarterly OFAC testing, board metrics on coverage/SAR filings/alerts.
Third-Party Risk (May 2024 guidance): Due diligence (financial condition, compliance), contract terms (roles, performance, audit rights), ongoing monitoring (metrics, complaints), contingency planning (service transition).
CRE Concentration: Office vacancy 19%, values -35%, 69% unpaid 2023 maturities, 76% high refinancing risk. Thresholds: 100% capital construction, 300% total CRE trigger scrutiny. Stress test property declines, tenant defaults, refinancing challenges.
Escalation Triggers: BSA/AML exclusions without risk assessment; inadequate cyber preventative controls; fintech partnerships lacking due diligence; CRE office concentration; remediation slippage (Citibank $75M).

Signals Worth Tracking

BSA/AML Zero-Tolerance for Systemic Failures: TD Bank $3.1B (largest BSA in history, OCC $450M): 92% transactions ($18.3T) unmonitored 2018-2024, $671M laundered, felony guilty plea, $434B asset cap. Demonstrates criminal referrals, growth restrictions when AML failures systemic. OCC Semiannual Risk Perspective: data governance gaps, transaction exclusions increase SAR noncompliance. Watch: incomplete monitoring coverage, SAR process inadequacies, OFAC screening gaps, board oversight failures. International: largest BSA penalty globally influences UK/EU enforcement intensity.
Cybersecurity Preventative Controls Priority: Top operational risk (2024 Semiannual Risk Perspective). First-time preventative controls emphasis (not just incident response): ransomware prevention, DDoS mitigation, data exfiltration controls, access management, vulnerability patching. Fraud/payments third priority. Watch: inadequate preventative cyber controls, delayed incident response, insufficient backup testing, fraud monitoring gaps. Relevant for UK/EU: previews DORA, FCA operational resilience enforcement.
Third-Party Bank-Fintech Arrangements Scrutiny: May 2024 guidance, Bulletin 2024-20 establish expectations for deposit products via third parties. Elevated risks: operational (technology failures), compliance (deposit insurance misrepresentation), strategic (reputational), liquidity (volatility), concentration (single-channel). Separate examination priority. Watch: inadequate vendor due diligence, insufficient ongoing monitoring, lack of contingency plans, FDIC coverage confusion. International: FCA, ECB, BaFin intensifying third-party risk—OCC previews themes.
CRE Stress—Office/Multifamily Concentrations: Office vacancy 19% (Q1 2024, exceeding Great Recession/COVID), values -35%, multifamily -30%, 69% of maturing loans unpaid 2023, 76% high refinancing risk. Banks hold 50% CRE debt. Half of 2024 actions addressed liquidity/interest rate risk. Watch: CRE approaching thresholds (100% capital construction, 300% total CRE), stress testing property declines/defaults/refinancing challenges, appraisal quality, loan workouts. Relevant for UK/EU with US CRE or European office portfolios facing remote work pressures.

Questions For Compliance Leaders

Does BSA/AML monitoring cover 100% in-scope transactions (not 92% like TD Bank $3.1B case) with documented risk rationale for exclusions? Do SAR processes include investigation, escalation, senior review beyond automated alerts? Does board receive quarterly metrics on coverage, SAR volumes, OFAC alerts?
For US operations/correspondent banking: Are cyber preventative controls adequate per OCC emphasis (ransomware, DDoS, data exfiltration, access management, patching)? Is operational resilience testing validating critical function continuity under severe scenarios?
For fintech partnerships/BaaS: Does third-party risk framework meet OCC May 2024 guidance (due diligence, contract terms, ongoing monitoring, contingency planning)? Are elevated risks addressed: deposit insurance misrepresentation, consumer confusion, liquidity/concentration from single-channel dependency?
For CRE exposures: Are concentrations approaching thresholds (100% capital construction, 300% total CRE)? Does stress testing model office value declines (35%), tenant defaults, refinancing challenges (76% high risk)? Are loan workout capabilities adequate—staffing, appraisals, collateral monitoring?

Official Sources

OCC enforcement actions - Official OCC enforcement-actions index and search tool.

Operating Takeaways

OCC as US Benchmark: $16T assets (66% US commercial banking), Basel III leadership, TD Bank $3.1B BSA precedent establish global expectations—monitor quarterly for US regulatory direction
BSA/AML Zero-Tolerance: TD Bank first felony guilty plea, asset cap demonstrates systemic AML failures trigger criminal referrals, growth restrictions, multi-billion penalties when laundering occurs
Operational Risk Priority: Cyber preventative controls, fraud/payments, bank-fintech scrutiny signal top-tier focus—relevant for UK/EU as DORA, FCA operational resilience intensify
CRE Stress: Office vacancy 19%, values -35%, 69% unpaid maturities preview global stress—London, Paris, Frankfurt office portfolios face similar remote work pressures

Frequently Asked Questions

#### Why monitor OCC if my firm doesn't have US national bank charter? US Banking Dominance: OCC-supervised institutions hold $16T assets—world's largest supervised banking concentration, establishing de facto global benchmarks for risk management, BSA/AML, operational resilience. Basel III: OCC serves on Basel Committee; July 2023 'Basel III Endgame' affects international banks with US operations and influences G20 capital adequacy interpretation. Cross-Border: UK/EU banks with US federal branches (49 supervised) face direct OCC oversight. Enforcement Precedents: TD Bank $3.1B BSA (largest in history) signals global AML enforcement direction—FCA, ECB, FINMA studying for lessons. Correspondent Banking: International banks using US correspondents must ensure counterparty AML adequacy. Forward Intelligence: Semiannual Risk Perspectives identify risks 6-12 months before UK/EU supervisory priorities.

#### How does OCC compare to UK PRA and EU ECB Banking Supervision? OCC vs PRA: OCC combines prudential + conduct (BSA/AML, consumer protection); PRA focuses prudential (FCA handles conduct). OCC: 1,040 institutions, $16T; PRA: all UK deposit-takers. OCC has chartering authority; PRA does not. Both risk-based with tiers (OCC: Large/Global, Regional, Community; PRA: Cat 1-4). OCC vs ECB: ECB supervises significant institutions >€30B (117 SIs, ~€26T); OCC all national banks regardless of size. ECB uses Joint Supervisory Teams; OCC dedicated exam teams (large) or periodic exams. ECB prioritizes NPL reduction, climate, digitalization; OCC prioritizes BSA/AML, CRE, cybersecurity, third-party risk. Geography: OCC covers US federal banks; PRA covers UK; ECB covers 21 Euro Area countries.

#### What's the best way to access OCC enforcement and regulatory guidance? Primary channels: (1) Enforcement Actions Database (apps.occ.gov/EASearch): Searchable archive since 1989, updated January 2025 with subject search since 2012. Monthly press releases. (2) Semiannual Risk Perspective (Spring/Fall): Top risks to federal banking. Fall 2024: CRE, cybersecurity, BSA/AML, fraud. Best for 6-12 month forward priorities. (3) Comptroller's Handbook: Supervisory guidance on Corporate/Risk Governance, BSA/AML, Cybersecurity, Fair Lending. (4) OCC Bulletins: Policy updates (Bulletin 2024-20: bank-fintech). Subscribe for notifications. (5) Annual Report: Statistics (1,040 banks, $16T assets, 36 actions 2024), strategic priorities. Effective monitoring: Quarterly enforcement + biannual Risk Perspective + annual report + Bulletin subscription.