Enforcement actions in the banking industry Trends and lessons learned

Regulators issue hundreds of enforcement actions to banks each year. Recent research sheds light on current trends in the number, type, and severity of these actions, with implications for ways that banks may be able to better anticipate and respond to them.

“The enforcement actions we are issuing today make clear that the OCC will take forceful action, not only when the institutions we supervise engage in wrongdoing, but when management fails to exercise the oversight necessary to ensure that employees follow laws and regulations intended to protect customers and maintain the integrity of markets.” —Thomas J. Curry, Comptroller of the Currency, November 2014

Enforcement actions in banking. Artwork by Chris LyonsThe new realities

Tough, clear, and direct—such was Comptroller Curry’s tone on the day he announced the issuance of enforcement actions (EAs) levying nearly a billion dollars in fines against banks for manipulating the foreign exchange market between 2008 and 2013.

While this particular case is far from the typical EA in terms of the severity of the fines involved, it is, nevertheless, indicative of the heightened regulatory scrutiny banks have had to contend with in recent years. For instance, in 2014 alone, federal banking regulators—that is, the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA)—issued 583 EAs of various types, with the majority of them coming from the FDIC. This number, however, is significantly lower than the peak in 2010, when banking regulators issued a total 1,795 EAs.2

While it is not possible to determine what the next wave of EAs will be, our goal in this report is to help banks learn from the past and better anticipate future trends.

What can banks learn from an analysis of enforcement actions?

Banking regulators routinely issue EAs against institutions and individuals for a number of reasons, including “violations of laws, rules, or regulations, unsafe or unsound banking practices, breaches of fiduciary duty, and violations of final orders, conditions imposed in writing or written agreements.”3 As such, EAs offer some of the most concrete evidence of risk management and compliance issues in the banking industry. In spite of being ex post measures, they offer a clear view into the problems banking supervisors find in their bank examinations. Many of these issues are likely to be endogenous to particular institutions, where problems occur due to reasons unique to those entities. But in some instances, the number and types of EAs reflect market conditions and/or supervisory focus at a specific point in time.4

In almost all instances, EAs are costly to the institutions involved, and often also to individuals at those institutions. Not only do affected entities have to spend money and resources correcting the problems identified by the EA, but they must also sometimes pay restitution to the aggrieved parties and/or pay fines. There is also the reputational cost of being the target of an EA, which, of course, varies by the type and severity of EA. Since most formal EAs are public, there is also the potential embarrassment of having “dirty laundry” aired for all to see.

Nonetheless, as released, EAs from various federal banking regulators are difficult to assess in aggregate and to benchmark. Formal EAs5 are available to the public on regulators’ websites (except certain types such as Sanctions against Personnel), but, to our knowledge, there are only two sources that consolidate all publicly available EAs (SNL Financial is the better known).6 Furthermore, the standard templates available from these sources do not include all relevant historical information, and they are only accessible on a subscription basis.

Complicating any analysis of EAs is the fact that official EA documents contain unstructured textual data. Reviewing these manually is possible, but would take enormous resources, making the effort costly and cumbersome.

Given these limitations, studies that analyze EAs in detail are scarce. To fill this gap, we undertook a study of the EAs issued in the United States from January 1, 2000 through August 27, 2015. Table 1 gives the scope of the analysis. We focused on the following research questions:

  1. How do recent trends in EAs in the banking industry compare with historical norms?
  2. How does the composition of EAs differ by banking supervisor?
  3. How has the mix of EAs changed for institutions of different sizes?
  4. What issues led to the issuance of EAs, especially the more severe ones?

We close with a discussion of what our findings may mean for the outlook for EAs in the banking industry, and for ways that banks may be able to better anticipate, respond, and possibly avoid future EAs.

Table 1

Study methodology

We used the SNL Financial database and followed its EA classification/definitions to analyze trends in EAs in the banking industry over the last 15 years. This database included 13,513 records of EAs from the FDIC, the Federal Reserve System, the OCC (and the OTS), and the NCUA, categorized into 15 EA types. We combined these data with asset size from SNL to analyze EA trends by size of institution.

We also downloaded .pdf files of regulators’ EAs from SNL into another database to analyze the text in these documents.9 This was done to generate deeper insights on the issues triggering severe EAs, especially against large and mid-sized banks. We also referred to annual reports of different regulators to assess the dollar penalties and restitutions levied against institutions and individuals/institution-affiliated parties (IAPs).

Please see appendix B for SNL’s definitions of different types of formal EAs.


Types of enforcement actions

There are two broad categories of EAs: informal and formal. Quite often, in instances warranting less serious action, banking supervisors may pursue the informal route. Sometimes they issue Memoranda of Understanding, while at other times they ask the institutions to submit Commitment Letters, Board Resolutions, or Safety and Soundness Plans for regulatory approval, depending on the severity of the violation. Informal actions are not known to the public, nor are they enforceable in court or used to assess fines. Nonetheless, in spite of their limited scope, informal actions are powerful enforcement tools.10

Formal EAs, on the other hand, are generally initiated for more serious infractions where the aim is to “correct practices [or conditions] that the regulators believe to be unlawful, unsafe, or unsound.”11 These actions, taken against both institutions and individuals or IAPs (under 12 USC 1818), usually take the form of Cease and Desist (C&D) Orders, Written or Formal Agreements, and Assessment of Civil Money Penalties (CMPs), to name a few. They are disclosed to the public, and unlike the informal actions, they “are authorized by statute (mandated in some cases)” and enforceable in federal courts (except Formal Agreements).12

In this research, we primarily focus on formal EAs and documents released to the public. Please see appendix B for a list and definitions of the EAs included in our analysis.

Question 1. How do recent trends in enforcement actions in the banking industry compare with historical norms?

Finding: The number and severity of enforcement actions are stabilizing at historic levels—but the associated fines have increased markedly since 2010.

Trend 1: The overall number of EAs is returning to normal levels.

Our analysis of formal EAs by federal banking regulators over the last 15 years shows some notable differences in the number of EAs issued in different periods (figure 1).

Figure 1

In the pre-2008 period, on average, 683 formal EAs were issued each year. The spike in the number of EAs in 2005 (when 1,073 EAs were issued) was largely driven by an increase in Sanctions against Personnel. As one would expect, banks witnessed a sharp upturn in EAs in 2008 and 2009. Due to banks’ deteriorating capital, liquidity, and earnings performance during this time period, as well as the lag generally observed in the issuance of EAs, 2010—with 1,795 EAs issued—had the highest number of EAs within our analysis period. Of the records with an identified regulator, a plurality of the 2010 EAs (44 percent) were issued by the FDIC, followed by the Federal Reserve System.

Since 2011, the number of EAs has been on a steady decline. In 2014, for instance, only 583 EAs were issued—well below the average during 2000–2007.

Since 2011, the number of EAs has been on a steady decline. In 2014, for instance, only 583 EAs were issued—well below the average during 2000–2007.

Trend 2: The broader mix of enforcement action types is also beginning to return to its pre-2008 composition.

Not all EAs are alike—some are more severe than others. Of the 15 formal EA types tracked by SNL, three—Cease and Desist Orders or Consent Orders, Formal Agreements, and Prompt Corrective Actions (PCAs)—are classified by SNL as “severe” due to their impact on and significance for institutions. The remaining 12 EA types are considered “less severe.” (Refer to appendix B for definitions of all 15 EA types from SNL Financial.)

Severe actions: In all years from 2000 through August 27, 2015, less severe actions outnumbered severe actions, except in 2009 and 2010 (figure 2). From 2000 through 2007, severe actions represented 17 percent, on average, of the total number of EAs, with the lowest incidence of severe actions in 2006.

Figure 2

2009 and 2010 present a stark contrast, with severe EAs comprising 52 percent and 56 percent of the total in those years, respectively. In 2010, C&D Orders and Formal Agreements were the top two types of EAs issued. If we consider PCAs, the most severe of all the actions, nearly 54 percent of all those issued in our 15-year analysis period date back to 2009 and 2010. By 2014, the number of PCAs had declined to just 10 from a peak of 101 in 2010.

Since 2011, the proportion of severe actions has been on a steady decline, reaching less than 20 percent in 2014. The decline may be a result of three factors: 1.) many institutions that were weak had already failed; 2.) a more positive market environment; and 3.) greater discipline among banks of all types in improving their financial soundness and in complying with regulations.

Less severe actions: In the less severe category, Sanctions against Personnel (SAPs)—requiring the removal, suspension, or issuance of prohibition orders against individuals or IAPs, including employees, officers, and directors of a banking institution—was the most common EA type issued in our analysis period, comprising about 43 percent of all EAs, on average, between 2000 and 2014. Interestingly, SAPs constituted 68 percent of all EAs in 2005, largely driving the spike in that year’s total EAs.

Since 2011, the proportion of severe actions has been on a steady decline, reaching less than 20 percent in 2014.

Trend 3: A steep increase in the dollar amounts of Civil Money Penalties and restitutions in the post-2009 period suggests that the cost of doing business is rising.

Analysis of the OCC’s data on EAs suggests that CMPs and restitutions levied on institutions and individuals or IAPs have increased significantly, compared to pre-2008 levels. In fact, banks and IAPs have spent $4 billion on restitutions and $1.5 billion on CMPs since 2010 (figures 3A and 3B).13 According to our analysis, a similar trend can be observed in the CMPs imposed by the Federal Reserve System and the FDIC.

Figure 3 A and B

Question 2. How does the composition of enforcement actions differ by banking supervisor?

Finding: The composition of enforcement actions reflects differences in supervisory mandates. The FDIC’s supervisory style is more direct than that of other regulators.

Each federal banking regulator has a specific focus for its supervision. For instance, the Federal Reserve System supervises state member banks, BHCs, and savings and loan holding companies; the FDIC is the primary supervisory body for state-chartered banks and savings institutions that are not members of the Federal Reserve System; the OCC’s supervision authority extends to all national banks and federal savings associations; while the NCUA regulates credit unions. Finally, the CFPB’s consumer protection agenda applies to banks with assets over $10 billion and other non-banking institutions.14

The number of entities under each regulator’s supervision also varies. For instance, the FDIC had jurisdiction over 4,138 commercial and savings institutions as of December 31, 2014, compared to 1,513 and 858 institutions under the purview of the OCC and the Federal Reserve System, respectively.15

Although each regulator has a different mission, two fundamental elements are common to their supervisory agenda: safety and soundness, and consumer protection. (The exception is the CFPB, which only focuses on the latter.) As a result, there is a fair amount of collaboration among banking supervisors in the initiation of EAs. This collaboration has been particularly evident in the years since the financial downturn—in recent years, numerous instances exist of joint-agency EAs issued against the same institution for the same or related infractions.

The financial downturn also prompted banking supervisors to be more vigilant and aggressive in issuing EAs, as shown by the 1,795 and 1,247 EAs in 2010 and 2011, respectively. Owing to the lag effect in EA issuance, we found that the FDIC issued twice as many EAs annually, on average, and the Federal Reserve System three times as many annually, in the post-2009 period than in the pre-2008 period (figure 4).

Figure 4

In terms of composition of EAs, the FDIC has mainly issued C&D Orders, which represent 43 percent of its total actions (excluding SAPs) between 2000 and 2014. This is followed by Other Fines, that is, CMPs against institutions, which represent 23 percent of its actions over the last 15 years. This pattern of injunction-type sanctions suggests that the FDIC takes a more direct approach against institutions.

On the other hand, the Federal Reserve System has mostly issued Formal Agreements, which make up about 74 percent of its total EAs (excluding SAPs). It has made minimal use of C&D Orders, suggesting a less direct approach. Formal Agreements are perceived to be less onerous than C&D Orders, as they are not enforceable in federal courts.

The OCC has used a mix of severe actions (30 percent Formal Agreements and 23 percent C&D Orders).17 In addition, the OCC has also been active in issuing fines against individuals and IAPs, as evidenced by the 23 percent of its total EAs being Fines Levied against a Person. The OCC issued the highest number of Fines against a Person—623 between 2000 and 2014, compared to 366 by the FDIC and 12 from the Federal Reserve System.

Lastly, 55 percent of the NCUA’s EAs (excluding SAPs) were Other Fines, that is, fines or Civil Money Penalties against institutions. However, in absolute numbers, the NCUA issued just 50 orders of Civil Money Penalty/Other Fines over the last 15 years, less than one-tenth of 766 such orders issued by the FDIC.

CFPB’s enforcement history: Brief but potent

Prior to the Dodd-Frank Wall Street Reform and Consumer Protection Act, the power to enforce regulations related to consumer financial protection resided with multiple agencies (the FDIC, the OCC, the FRB, the OTS, the NCUA, the Federal Trade Commission [FTC], and the Department of Housing and Urban Development [HUD]), but lawmakers felt that this regulatory approach was not the most effective. As a result, through the Dodd-Frank Act, federal lawmakers empowered the CFPB with sole rulemaking authority for implementing consumer protection regulations. However, the CFPB shares supervisory and enforcement powers related to consumer protection with the four federal banking regulators, the FTC, and the HUD.18

One of the CFPB’s primary objectives is to protect consumers’ financial interests from UDAAP, a regulatory acronym for “unfair, deceptive, or abusive acts or practices” of financial entities. The CFPB runs a Supervision, Enforcement, and Fair Lending program, which employs a dedicated team of 633 employees (46 percent of the CFPB’s total full-time workforce in 2014) to ensure that institutions (including non-banks) comply with federal consumer financial laws.19

On July 18, 2012, nearly a year after its inception, the CFPB issued its first EA for deceptive credit card marketing practices. Since then, the CFPB has been fairly active in issuing EAs against UDAAPs across various product categories. As of August 2015, the CFPB had issued a total of 70 EAs against all types of entities. Of these, 20 were against banks/BHCs and credit card companies, with fines and relief totaling ~$3.5 billion ($3.3 billion in relief to consumers and $209.5 million in CMPs/fines).20

Nearly half of the EAs issued against banks and credit card companies were for deceptive marketing and enrollment, unfair billing, illegal debt collection, and discriminatory pricing practices in credit cards (figure 5A). Together, these entities were levied about $2.7 billion in fines for their credit card-related activities (figure 5B). The next most significant type of EA (in terms of dollar amounts) was actions related to mortgages ($648 million), which cover mortgage servicing, mortgage discrimination, mortgage steering, kickbacks, and illegal practices.
Figure 5

Question 3. How has the mix of enforcement actions changed for institutions of different sizes?

Finding: While the number of enforcement actions has declined since 2010, their composition differs from the years before 2008 for all institution sizes.

Large institutions (those with assets greater than $50 billion): Of all the EAs in our study sample, nearly 17 percent were against large institutions, and their employees/IAPs. Figures 6A and 6B summarize the changing composition of these EAs issued against individuals and IAPs of these banks and the institutions themselves over time, respectively. Some important trends in EA composition over the last 15 years are:21

  • Sanctions against Personnel have comprised 89 percent of the total number of EAs against large banks since 2000. Presumably, these SAPs largely represent removal or prohibition orders due to an individual’s wrong behavior, such as dishonesty, breach of trust, or money laundering. However, this EA type has been declining since 2010 (figure 6A), resulting in fewer total sanctions for large institutions since then.
  • Another recent trend is the increase in EAs against institutions (figure 6B); since 2011, severe and less severe EAs against institutions combined have ranged between 15 percent and 29 percent of total EAs in any given year. However, in prior years, these sanctions were no more than 9 percent of total EAs in any given year. This upward trend in sanctions against institutions in recent years is a meaningful change in the supervisors’ focus.

Figure 6 A and B

Mid-sized institutions (with assets between $10 billion and $50 billion): In total, mid-sized banks and their employees/IAPs have received only 5 percent of all EAs issued since 2000. Key highlights of EA activity against mid-size banks are:

  • Similar to the trend among large institutions, about 77 percent of the total number of EAs against mid-sized banks were SAPs. This EA type, however, has been declining since 2010 (figure 7A), so much so that the total number of EAs issued every year beginning in 2010 has consistently remained below historical averages.
  • Severe EAs against mid-sized institutions have remained reasonably low through our analysis period, except in 2009 and 2010, when they rose marginally to 12 and 10, respectively (figure 7B).

Figure 7 A and B

Small institutions (assets less than $10 billion): Small institutions, in aggregate, received a higher number of EAs than their larger counterparts. This is to be expected, given the large number of small institutions that have received an EA: More than 5,500 individual institutions with less than $10 billion in assets (including failed, merged, or acquired institutions during the analysis period) have received an EA since 2000. However, on average, small institutions received only about 1.9 EAs through our analysis period, compared to 29.2 for large institutions and 5.1 for mid-sized institutions.22 (The high average number of EAs received by large banks reflects the large number of SAPs issued against individuals of these institutions—perhaps not surprising given these institutions’ employee size.) Highlights of EAs against small banks include:

  • EAs against institutions outnumbered EAs against individuals (including SAPs) between 2008 and 2012, especially in 2009 and 2010.
  • The total number of EAs is returning to pre-2008 levels, largely due to the declining incidence of severe EAs (C&D Orders and Formal Agreements) since 2011 (figure 8B). On a relative basis, however, SAPs remain common (figure 8A), unlike the trend among large and mid-sized banks.
  • Small institutions were the only bank category to receive Prompt Corrective Action orders in the last 15 years, largely for “undercapitalization” issues.23 Not surprisingly, about 83 percent of PCAs were issued during 2009–2012.

Figure 8 A and B

Question 4. What issues led to the issuance of enforcement actions, especially the more severe ones, since 2008?

Finding: Deficiencies in mortgage servicing practices and Bank Secrecy Act (BSA) compliance triggered many severe EAs for large institutions. On the other hand, EAs against mid-sized institutions were typically driven by concerns regarding financial safety and soundness of the institution/BHC.

Understanding reasons for severe EAs was easier said than done. Lack of a standardized format for this data point meant that we had to study the unstructured text of each EA individually to extract this information. The application of text analytics helped us here; however, we limited the scope of this exercise to severe EAs issued since 2008 to large and mid-sized institutions (C&D Orders and Formal Agreements, as PCAs were only issued against smaller institutions).

Figures 9A and 9B show the top underlying issues resulting in severe EAs against large and mid-sized banks. Severe actions against large institutions highlight compliance and risk management issues such as deficiencies in residential mortgage servicing and foreclosure practices and violation of the Bank Secrecy Act or the Anti-Money Laundering (AML) Act. Some of these issues are still on the supervisors’ radar. For instance, the OCC in its 2015 Semiannual Risk Perspective, notes “Risk management weaknesses predominantly associated with operations, BSA/AML, compliance, internal controls, and credit are driving concerns in matters requiring attention (MRA) and enforcement actions (EA)” at the large banks it supervises.24

Among mid-sized institutions, however, financial soundness appears to be a more pressing issue—nearly 45 percent of the severe EAs issued against these institutions since 2000 stemmed from weaknesses in financial soundness, either of the institution or the BHC (figure 9B). Violation of BSA/AML or deficiencies in related compliance programs ranked second in the list of issues for mid-sized institutions.

Lastly, violations of Section 5 of the Federal Trade Commission (FTC) Act were also somewhat common among both large and mid-sized institutions. The federal banking regulators’ EAs on this issue demonstrate their focus, similar to that of the CFPB, on consumer protection against unfair or deceptive sales practices.

Figure 9 A and B

What is the outlook for enforcement actions in the banking industry?

Although the number of enforcement actions has declined in recent years, one may expect banking supervisors to remain aggressive in their penalties ...

The decline in the total number of EAs since 2011, especially the severe ones, is certainly a positive development for the banking industry. 2014 saw the least number of severe actions issued against banks since 2008.25 This trend signals that, overall, banks have made meaningful improvements in their financial soundness, including higher capital and liquidity levels, and better asset quality.

However, if recent EAs against some large banks provide any indication, supervisors are not reluctant to promptly enforce banking rules and regulations where there appear to be lapses. We expect this trend to continue in the near future, especially in areas such as risk management and compliance management, where supervisors are increasingly relying on forward-looking data and tools rather than lagging indicators, as was the norm in the past. Stress testing of credit and liquidity risks is another area regulators are keeping tabs on in the banking industry.

… and to expand the types of issues they will proactively monitor.

With safety and soundness, and consumer protection as top priorities, regulators may continue to issue sanctions for violation of BSA/AML laws and unfair/deceptive consumer practices. In addition, an analysis of regulators’ strategic plans suggests that cybersecurity, credit risk, and interest rate risk may also be among the key focus areas over the next few years.26

Take cybersecurity, for instance. The FDIC routinely conducts IT and operations examinations at FDIC-supervised institutions and technology service providers (TSPs), which are third parties that provide technical assistance to financial institutions. The result of this examination is then included in the management component of the Safety and Soundness rating (CAMELS rating) of the institution. In addition, the FDIC also monitors cybersecurity issues in the industry through on-site examinations as well as through regulatory and intelligence reports. Given the strategic risk associated with cybersecurity, the FDIC intends to beef up its staff and intensity of IT examinations over the next few years.27 Similarly, other federal banking regulators have their own programs to address cybersecurity issues in the institutions they supervise.28

In its 2015 Semiannual Risk Perspective, the OCC notes a growing evidence of credit risk in banks’ underwriting practices amid increasing competition from other banks and non-banks. Product categories exhibiting rising credit risk include syndicated leveraged loans, commercial real estate lending, and indirect auto lending, among others.29

Interest rate risk could be another area of supervisory focus in the coming years. In the low-rate environment of recent years, banks have managed to procure low-cost funding from retail and commercial depositors. However, as rates rise, less sticky deposits could shift to higher-interest-earning products, resulting in competition for sticky deposits. This competition will likely increase the cost of bank funding and lead to net interest margin compression. Regulators are planning to conduct off- and on-site examinations to better understand institutions’ interest rate risk exposure and their sensitivity position, and to ensure that banks’ interest rate risk policies and oversight are effective.30

But, the story doesn’t end here …

Although the scope of our study focuses on EAs by four federal banking regulators and the CFPB, other agencies—including the Securities and Exchange Commission (SEC), the Department of Justice (DoJ), and the US Commodity Futures Trading Commission (CFTC), to name a few—also keep a close watch on banks’ activities. For instance, the DoJ fined five global banks nearly $2.8 billion in May 2015 for violations in currency trading and London Interbank Offered Rate (LIBOR) manipulation.31 In addition to the heavy penalty, a key highlight of this sanction is that it marks the first time in more than two decades that banks have pled guilty to a criminal offense of such magnitude, in contrast to the more common approach of paying fines without admitting or denying any wrongdoing.

In the future, we expect banking regulators and other agencies to continue to supervise banks’ activities with vigor. The issues that trigger EAs may change over time, but one may well expect this higher level of scrutiny to continue for some time.

In the future, we expect banking regulators and other agencies to continue to supervise banks’ activities with vigor.

How can banks better anticipate and respond to future enforcement actions?

A robust risk management and compliance framework demonstrating resilience, vigilance, and responsiveness could help prepare banks for future enforcement actions.

Even if supervisory oversight was not intense, banks can only benefit by getting better at identifying and managing the types of issues that trigger EAs. Undoubtedly, this is easier said than done; but our view is that both regulators and banks can learn some important lessons from the EAs in recent years.

Our view is that an effective risk management and compliance system is one that is strong, vigilant, and prompt (figure 10).

Figure 10

KeyAttributes_strongStrong to defend

It goes without saying that a bank’s primary goal should be to avoid receiving EAs in the first place, particularly the severe types. The lower volume of EAs since 2011 may or may not portend an easing of supervisory scrutiny; it could, however, suggest banks’ improving financial soundness and a change in their culture of compliance. Banks appear to be more attuned to correcting problems proactively before supervisors issue severe actions, although there is undoubtedly still work to be done to further strengthen banks’ risk management and compliance functions.

The above historical analysis of EAs can offer some helpful lessons to the banking industry. An understanding of what issues trigger EAs, on both an absolute and relative basis, could enable banks to understand regulators’ focus areas, enhance their own internal controls, and arm themselves with the right risk management tools. According to our analysis, the most severe EAs today stem from violation of or non-compliance with relatively old statutes, such as BSA/AML or Section 5 of the FTC Act. With regulatory changes being introduced each year, institutionalizing processes relating to such existing laws could also help banks comply with newer regulations.

This said, the issues to proactively defend against are likely to differ from bank to bank. Given their size, systemic risks, and complexity of business operations, large banks will probably need to spend more effort in maintaining a strong enterprise-wide compliance management system. Mid-sized banks, on the other hand, could bolster their risk management and data governance processes so that their supervision programs are more forward-looking as opposed to relying on lagging indicators—stress testing of credit and liquidity risk being two examples of a proactive approach. For the smaller banks, however, safety and soundness through strong internal controls could still be the most important area on which to focus.

Furthermore, given the continued high incidence of Sanctions against Personnel since 2010, there appears to be a need for greater awareness of and training around individual accountability, as well as for more proactive management oversight. Most infractions are committed by people, a fact that only reinforces the importance of such initiatives in managing the culture of the organization. A recent speech by the DoJ’s deputy attorney general, which proposed that high-ranking officials be held more accountable for “white collar crimes,” adds further weight to this defense mechanism.32

VigilantVigilant to detect

Vigilance underscores the need for strong monitoring and control systems to detect issues before they are discovered in supervisory examinations.

Self-policing and proactive reporting could work in institutions’ favor, and even potentially soften future actions. Regulators, more often than not, consider self-disclosures and proactive communications when assessing penalties.33 On the other hand, efforts to knowingly conceal violations or deficiencies tend to increase CMP assessments and worsen the institutions’ relationships with supervisors.34

The role of the board of directors is especially critical at this step. The board can not only set the right tone but be vigilant in its oversight of banks’ compliance programs. Getting involved earlier in the process as problems are identified by banking supervisors can go a long way.

PromptPrompt to respond

Once institutions are recipients of EAs, banks should take steps to resolve them promptly and effectively. Regulators often acknowledge and consider a bank’s level of cooperation while assessing fines. The repercussions of delay can be quite serious, and often lead to additional legal expenses.

Many severe EAs require banks’ boards to create a compliance committee to oversee the bank’s compliance with the EA. These banks are also subject to greater reporting requirements as a result. Maintaining proactive dialogue with regulators to provide regular updates of compliance at each stage is critical. Lastly, having an open and collaborative relationship with supervisors can go a long way in meeting regulatory expectations.

Our view is that an effective risk management and compliance system is one that is strong, vigilant, and prompt.

Appendix A

A brief history of enforcement actions in the banking industry

Enforcement actions have been a key supervisory tool for decades. The Banking Act of 1933, which also created the FDIC, gave federal banking regulators some powers to force banking institutions to follow certain directives.35 For more than 30 years after its creation, however, the FDIC only had authority to undertake one type of EA—terminating an institution’s deposit insurance. Although powerful, this action was often limited in scope and quite punitive. This changed in 1966, when Congress passed the Financial Institution Supervisory Act, which empowered federal regulators to issue Cease and Desist Orders to:

  • Stop practices in violation of existing laws or detrimental to the financial soundness of the institution
  • Order institutions to take corrective action

More than a decade later, in 1978, the Financial Institution Regulatory and Interest Rate Control Act was enacted. This significantly expanded regulators’ powers to issue EAs against individuals and also to levy CMPs (fines) for violation of existing laws or for non-compliance with previous EAs, such as C&D Orders.

The savings and loan crisis in the 1980s resulted in two more pieces of legislation—the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) and the Federal Deposit Insurance Corporation Improvement Act (FDICIA). Passed in 1989 and 1991, respectively, these two laws significantly enhanced the supervisory tools available to regulators. In addition to setting capital requirements and overhauling the deposit insurance system, the laws empowered regulators to demand that banks change management, remove/suspend personnel, limit growth, and cease dividend payments. The FIRREA also expanded the purview of regulators’ supervision to include institution-affiliated parties (IAPs), such as brokers, attorneys, or third-party technology service providers (TSPs), who have a relationship with banking entities.

These new regulations also mandated the public disclosure of formal EAs beginning on August 9, 1989. However, due to wide discrepancies in search features and the level of detail disclosed by each agency, it was only in 2000 that all formal actions (with a few exceptions) became available online on supervisors’ websites.

More recently, various titles in the Dodd-Frank Act strengthened federal banking regulators’ oversight of the banking industry and intensified their focus on governance and risk management. In particular, the Dodd-Frank Act established the CFPB to consolidate and bolster policymaking and enforcement powers in the consumer protection area.

Prior to the Dodd-Frank Act, especially after the FIRREA and FDICIA came into effect, skeptics feared that the expansion in banking supervisors’ enforcement powers would hamper banks’ growth. However, a study by the Federal Reserve Bank of Minneapolis (FRBM) in 2006 revealed that these fears were unfounded. For instance, in the years after these regulations came into effect, the number of bank failures declined significantly, and industry earnings overall improved meaningfully.36

Further, the FRBM research showed EA activity has tended to follow supervisors’ assessment of banking conditions. During periods of solid earnings, EA activity is largely driven by a regulatory focus on risk management and compliance. But during times of weaker financial performance, EAs were mainly intended to improve financial indicators related to the CAMELS rating system. Our analysis also found this pattern to hold since 2008.

Appendix B

SNL’s definitions of enforcement actions included in the analysis38

Severe enforcement action types

I. Against institutions

1. Cease and Desist Orders: An injunction-type, enforceable order that may be issued to an institution or when a banking organization is engaging, has engaged, or is about to engage in an unsafe or unsound banking practice or a violation of law. Sometimes, C&D Orders are also referred to as Consent Orders. SNL’s classification of C&D Orders includes temporary C&D Orders, which are typically issued only when it becomes immediately necessary to protect a bank against ongoing or expected harm. A temporary C&D Order may require affirmative action to prevent insolvency, dissipation of assets, a weakened condition, or prejudice.

2. Formal Written Agreements/Supervisory Agreements: The provisions of a Formal Written Agreement or Supervisory Agreement (known collectively as Formal Agreements) are set out in article-by-article form and prescribe those restrictions, corrective measures, and remedial measures necessary to correct deficiencies or violations in a bank and return it to a safe and sound condition. Unlike Cease and Desist Orders, Formal Agreements are not enforceable in the federal court system.

3. Prompt Corrective Actions: A PCA is an order that requires a banking organization to take certain corrective measures to be taken to protect its capital level based upon certain statutory remedies that have been dictated by the bank’s capital condition. SNL classifies Capital Directives as PCA in its EA database. Capital Directives are orders requiring a banking organization to inject additional capital to raise its capital to an acceptable level. They are similar to PCA in the sense that certain measures need to be executed to protect the company’s capital level.

Less severe enforcement action types

I. Against institutions

4. Deposit Insurance Threat:39This is one of the most severe action type, but due to its low incidence, SNL classifies it under less severe EAs. When a banking organization has no tangible capital, the insured status of the banking organization may be suspended pending completion of a formal deposit termination proceeding. In some more severe cases, the deposit insurance can be terminated if the institution is in unsafe or unsound condition, or has engaged in unsafe or unsound banking practices or violations of law.

5. Other Fines: These are monetary penalties against an institution for unsafe or unsound banking practices or actions, violations of law, or failure to comply with an order issued by the appropriate banking regulator.

6. Order Requiring Restitution: Institutions subject to restitution orders are required to reimburse the aggrieved parties or the regulatory agency for losses caused or for unjust enrichment.

7. Call Report Infractions: Call Report Infractions are penalties assessed against a banking organization for delays in filing call reports.

8. Sanctions Due to a HMDA Violation: These actions impose penalties assessed against a banking organization for violations of the Home Mortgage Disclosure Act.

9. Memo of Understanding (MoU): Regulators usually do not disclose MoUs as C&D Orders or Formal Agreements, so we cannot easily identify these actions. Furthermore, MoUs typically precede a Formal Agreement. In past years, the agencies would issue an MoU, followed by a Formal Agreement, and finally a C&D Order to force banks to make recommended changes. But nowadays, this sequence is not necessarily followed.

10. Hearing Notice or Other Action:

  • Hearing Notice: When a federal agency has an opinion that a bank or an IAP has engaged in unsafe or unsound banking practices or has violated laws or regulations, then the federal agency may issue a Notice of Hearing to the institution or the IAP. Such hearings are generally held within 60 days from the date of issuance of such a notice. If, in the hearing process, the bank or IAP is found to be at fault, then an EA is issued.
  • Other Action: Lastly, all other EAs against institutions are classified in this category.

II. Against individuals

11. Sanctions against Personnel: Through a Sanction against Personnel, any IAP who has violated any law, any order to cease and desist, or any condition imposed in writing, or who has engaged or participated in any unsafe or unsound banking practice, may also be removed, dismissed, or suspended from his or her employment at a banking organization and/or prohibited from being involved in the affairs of any insured banking organization without prior regulatory approval.

12. Cease and Desist Order against a Person: An injunction-type, enforceable order that may be issued against an individual when he/she is engaging, has engaged, or is about to engage in an unsafe or unsound banking practice or a violation of law.

13. Fines Levied Against a Person: These are monetary penalties against an individual for unsafe or unsound banking practices or actions, violations of law, or failure to comply with an order issued by the appropriate banking regulator.

14. Restitution by a Person: Through Restitution by a Person actions, individuals who are subject to restitution orders are required to reimburse banking organizations or the regulatory agency for losses caused or for unjust enrichment.

15. Other Actions against a Person: All other EAs against individuals are classified under this category.

About the Center for Financial Services

The Deloitte Center for Financial Services (DCFS), part of the firm’s US Financial Services practice, is a source of up-to-the-minute insights on the most important issues facing senior-level decision makers within banks, capital markets firms, mutual fund companies, private equity firms, hedge funds, insurance carriers, and real estate organizations. We offer an integrated view of financial services issues, delivered through a mix of research, industry events and roundtables, and provocative thought leadership—all tailored to specific organizational roles and functions.