Which regulators fine banks the most?

The OCC leads by volume with thousands of banking enforcement actions. The SEC and CFTC impose the largest individual bank penalties, often exceeding $500 million. The FCA's bank enforcement has totalled over £3 billion since 2013, driven by FX manipulation and AML cases. AUSTRAC's per-breach penalty model produced the $1.3 billion Westpac fine. BaFin, CBI, and MAS also actively enforce against banks.

Which regulators are leading on consumer protection and conduct enforcement?

The FCA leads globally on consumer conduct enforcement through the Consumer Duty framework introduced in 2023. ASIC has intensified consumer protection enforcement since Australia's 2019 Royal Commission. The SEC pursues investor protection through fraud and disclosure cases. SEBI and MAS have expanded retail investor protection programmes, while EU regulators enforce MiFID II suitability and product governance requirements.

Systems and Controls Failures: Why Regulators Are Fining for Operational Weakness

Systems and Controls Failures: Global Enforcement Analysis

Systems and controls enforcement has expanded beyond a catch-all regulatory category into a strategic enforcement tool, with regulators worldwide using operational failures as the basis for some of their largest penalties. The FCA's TSB fine (£48.65 million for IT migration failure), the OCC's Wells Fargo actions, and ASIC's pursuit of banking operational failures demonstrate that operational weakness is now a primary enforcement target.

Why Systems and Controls Matter

Regulators increasingly view systems and controls failures as root causes rather than incidental findings. A firm with adequate AML transaction monitoring systems is less likely to facilitate money laundering. A firm with robust governance structures is less likely to experience conduct failures. This causal logic drives enforcement investment in operational standards.

Common Failure Patterns

Analysis of enforcement actions across the FCA, BaFin, ASIC, MAS, OCC, and SEC reveals recurring patterns: technology implementation failures, inadequate management information and reporting, governance structures that exist on paper but lack practical effectiveness, and change management programmes that underestimate operational risk.

Operational Resilience Enforcement

The FCA and PRA's operational resilience framework creates new enforcement exposure for firms that fail to identify important business services, set impact tolerances, and test their ability to remain within tolerance during disruption. Similar frameworks are emerging in other jurisdictions.

Practical Implications

Systems and controls enforcement creates compliance obligations that span technology, governance, risk management, and operational resilience. Firms should treat operational effectiveness as a regulatory requirement, not merely a business efficiency objective.