Technical writing
OCC Enforcement Actions: Formal Agreements, Cease and Desist Orders, and Civil Money Penalties Against National Banks
The Office of the Comptroller of the Currency supervises every national bank and federal savings association in the United States — institutions whose charters carry “National” or “N.A.” in their legal names. When those institutions violate law or operate unsafely, the OCC publishes its enforcement response on a public database covering decades of formal actions, from the least severe Formal Agreement to Cease and Desist Orders, Civil Money Penalties, and lifetime industry bars on individual bankers.
OCC jurisdiction: what banks are covered
The OCC is an independent bureau of the Treasury Department. It charters, regulates, and supervises two categories of federally chartered depository institutions: national banks, which include nearly all large U.S. commercial banks (identified by “National” or “N.A.” in their legal name), and federal savings associations (identified by “FSB” or “Federal Savings Bank”). State-chartered banks are supervised by either the FDIC or the Federal Reserve, not the OCC, even if they are FDIC-insured.
This distinction matters when using the enforcement database. An action against “JPMorgan Chase Bank, N.A.” appears in the OCC database; an action against a state-chartered community bank appears in the FDIC's enforcement database. The same holding company may have both a nationally chartered subsidiary and a state-chartered subsidiary, generating enforcement records across two agencies simultaneously.
As of 2025, the OCC supervises approximately 1,100 national banks and federal savings associations, holding roughly 70% of total U.S. commercial banking assets. The sheer concentration of assets in OCC-supervised institutions — combined with the richness of the public enforcement record — makes the OCC database the single most consequential bank enforcement dataset in the United States.
Action types in ascending order of severity
The OCC uses eight distinct enforcement instruments, ranging from private informal communications to public orders with mandatory monetary sanctions. Understanding the hierarchy is essential for interpreting any given record.
Commitment Letter. The least severe instrument and the only one that is fully informal and non-public. A Commitment Letter is a written agreement between the bank's board and the OCC in which the board commits to specific corrective actions by specified deadlines. Because it is informal, it does not appear in the public enforcement database. Its existence may only become known through examination reports disclosed in litigation or congressional oversight.
Board Resolution. Also informal and non-public. The bank's board of directors passes a formal resolution acknowledging identified problems and committing the institution to a remediation plan. Like a Commitment Letter, a Board Resolution does not require OCC approval to modify or terminate — the bank acts unilaterally — but the OCC monitors compliance. Board Resolutions are typically used for less severe findings where the OCC is confident the board will act without external compulsion.
Formal Agreement. The first public formal action. A Formal Agreement is a written contract between the OCC and the bank (or individual) that is enforceable in federal court. It requires the bank to take specific corrective actions — typically upgrading internal controls, replacing management, increasing capital, or improving BSA/AML programs — within defined timeframes. Formal Agreements appear in the public enforcement database with the bank name, city, state, OCC charter number, the date issued, and a link to the full PDF. When corrective actions are completed satisfactorily, the OCC issues a termination order, which also appears in the database.
Memorandum of Understanding. The MOU occupies a hybrid position. Some OCC MOUs are informal (not published in the enforcement database), while others are formal enforcement actions that are published. The distinction depends on the procedural path the OCC followed. An informal MOU resembles a Board Resolution in its enforceability; a formal MOU is enforceable in court. Researchers should not assume all MOUs in a bank's history are captured in the public database.
Cease and Desist Order. The most severe formal enforcement action short of a monetary sanction or individual bar. A C&D Order is issued under 12 U.S.C. 1818(b) and requires the bank to immediately stop the conduct found to be unsafe or unsound, or to take affirmative corrective actions. Unlike a Formal Agreement, a C&D Order is issued unilaterally by the OCC after the bank is given notice and an opportunity for a hearing. Consent C&D Orders — where the bank agrees to the terms without contesting the findings — are the most common form. Both contested and consent C&D Orders are published in full in the enforcement database.
Civil Money Penalty. A CMP is a monetary sanction imposed under 12 U.S.C. 1818(i). Three tiers exist, with maximum daily penalties of $25,000 (Tier 1, negligent violations), $125,000 (Tier 2, reckless disregard), and $1,000,000 (Tier 3, knowing violations or violations that result in pecuniary gain). CMPs are frequently issued alongside C&D Orders as a combined enforcement action. The OCC publishes CMP orders with the dollar amount, the basis for the sanction, and whether the penalty was imposed against the institution or against an individual officer or director. Penalty amounts are adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act.
Removal and Prohibition Order. The most severe action available against an individual. An R&P Order permanently bars a banker from participating in the affairs of any federally insured institution. R&P Orders are issued against officers, directors, and other institution-affiliated parties found to have committed fraud, breached fiduciary duty, or demonstrated willful disregard for law or regulation. They are published in the OCC enforcement database and are enforceable against the individual regardless of which bank they attempt to join. A knowing violation of an R&P Order is a federal crime under 12 U.S.C. 1818(j).
Deferred Prosecution Agreement with DOJ. In the most serious cases involving criminal conduct, the bank may enter into a DPA with the Department of Justice rather than facing criminal indictment. The OCC coordinates with the DOJ in these cases, typically issuing a simultaneous Consent C&D Order and CMP while the DOJ files and immediately defers the criminal information. The DPA requires the bank to pay a monetary penalty, cooperate with ongoing investigations, and implement a compliance monitor. Violation of the DPA terms revives the criminal prosecution. Notable examples include the HSBC DPA in 2012 for BSA/AML failures involving drug cartel money laundering, which included a combined $1.9 billion in penalties coordinated across the OCC, FinCEN, OFAC, and DOJ.
What each published action contains
The OCC enforcement database at occ.gov/topics/charters-and-licensing/enforcement-actions/index-enforcement-actions.html presents a searchable table with one row per action. Each row contains:
- Institution name — the legal name of the national bank or federal savings association, or the full name of the individual in the case of an R&P Order or individual CMP.
- City and state — the institution's main office location, enabling geographic filtering of enforcement activity.
- Charter number — the OCC's unique identifier for the institution, which persists across name changes and mergers and is the correct join key when linking enforcement records to call report financial data.
- Action type — one of the categories described above: Formal Agreement, Cease and Desist Order, Civil Money Penalty, Removal and Prohibition Order, and so on.
- Date issued — the date the OCC executed the action, not the date of the underlying violation.
- Termination date — the date the OCC formally terminated the action upon satisfactory completion of corrective measures. Actions without a termination date are still active.
- Full text PDF — a link to the complete action document, including all required corrective provisions, compliance timelines, and the specific findings that gave rise to the action. The full text is the primary source for understanding the substance of any enforcement action.
The database covers both current and historical actions going back decades. Actions from the savings and loan crisis era of the late 1980s and early 1990s are included, as are actions from the 2008 financial crisis wave and the more recent BSA/AML enforcement surge of the 2010s.
BSA/AML failures: the dominant enforcement pattern
Bank Secrecy Act and anti-money laundering failures are the single most common basis for OCC enforcement actions. The BSA, enacted in 1970 and substantially strengthened by the USA PATRIOT Act in 2001, requires covered financial institutions to maintain effective AML programs with four mandatory components: internal controls, independent testing, a designated BSA compliance officer, and ongoing employee training. Banks must also file Suspicious Activity Reports (SARs) for transactions that may involve money laundering, structuring, or other suspicious conduct, and Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000.
The OCC's BSA/AML enforcement authority is broad. A bank can be found to have failed its BSA obligations even in the absence of proven money laundering if its AML program was structurally deficient — inadequate transaction monitoring, insufficient customer due diligence, or failure to file SARs for obvious red flags. The OCC may issue a Formal Agreement requiring program remediation, a C&D Order compelling immediate changes, or a CMP for each day of violation. Because BSA violations can persist for years before detection, aggregate penalty calculations under Tier 3 can produce very large CMP amounts.
Several BSA/AML enforcement actions against national banks illustrate the scale and pattern. The OCC issued multiple Consent Orders against Citibank, N.A. in the 2010s requiring BSA/AML program overhauls, accompanied by nine-figure CMPs. U.S. Bank N.A. entered into a DPA with the DOJ in 2017, coordinated with an OCC CMP, for willfully failing to maintain an adequate AML program while processing transactions for a known payday loan Ponzi scheme. Wachovia Bank, N.A. (before its acquisition by Wells Fargo) settled BSA/AML charges stemming from its failure to detect hundreds of millions of dollars in drug cartel bulk cash transactions processed through its correspondent banking relationships.
Wells Fargo: a case study in coordinated enforcement
The Wells Fargo Bank, N.A. enforcement sequence from 2016 onward is the most publicly visible OCC enforcement action in recent history and illustrates how the OCC uses multiple instruments sequentially against a single institution.
The Consumer Financial Protection Bureau and the OCC jointly announced a $185 million penalty in September 2016 after Wells Fargo employees were found to have opened approximately 2 million unauthorized deposit and credit card accounts using customer information without customer consent. The OCC's portion of that action — a $35 million CMP — was the first in a series. The OCC subsequently issued a Formal Agreement in 2018 requiring Wells Fargo to remediate its risk management framework, and issued a broader Consent C&D Order in 2023 for mortgage servicing failures that included deficient loss mitigation processes, improper foreclosure practices, and failure to credit payments correctly.
Each of these actions was issued as a separate enforcement instrument, appeared separately in the OCC enforcement database, and had its own compliance timeline and termination process. Tracking a single institution's enforcement history over time requires reviewing all rows in the database matching the institution's charter number, not just the most recent action.
Coordination with FinCEN, DOJ, and FDIC
OCC enforcement actions rarely occur in isolation. Four coordination patterns are common and shape how enforcement data must be analyzed across agencies:
OCC and FinCEN. The Financial Crimes Enforcement Network, a Treasury bureau, has its own BSA enforcement authority under 31 U.S.C. 5321. When a national bank has BSA/AML failures, the OCC typically coordinates its Formal Agreement or C&D Order with a simultaneous FinCEN CMP assessment. The same underlying failures generate two separate published enforcement records: one in the OCC database, one in FinCEN's enforcement action list. Dollar amounts are not duplicated — the agencies negotiate the total penalty and apportion it between them — but researchers who look only at one agency's database will miss half the picture.
OCC and DOJ. Criminal conduct at a national bank generates a parallel DOJ proceeding. The OCC typically issues a Consent C&D Order on the civil enforcement side simultaneously with the DOJ's filing of a criminal information and DPA. The Corporate Prosecution Registry maintained by the University of Virginia School of Law catalogues all federal DPAs and non-prosecution agreements back to 1992. Joining that registry against the OCC enforcement database reveals the full scope of cases where civil and criminal enforcement ran concurrently.
OCC and FDIC. When a bank holding company has both OCC-supervised national bank subsidiaries and FDIC-supervised state bank subsidiaries, enforcement actions may be issued by both regulators against different legal entities within the same corporate family. Joining OCC charter numbers against FDIC RSSD IDs through the NIC (National Information Center) database maintained by the Federal Reserve is the standard approach for tracking enforcement at the holding company level across all supervised subsidiaries.
OCC and OFAC. Banks with sanctions compliance failures often face simultaneous OCC and Office of Foreign Assets Control actions. OFAC publishes its enforcement actions separately at treasury.gov/resource-center/sanctions. The OFAC penalty press releases reference the same underlying conduct that appears in OCC Formal Agreements or C&D Orders, enabling cross-reference.
How to access the database
The OCC enforcement actions index is a filterable HTML table, not a downloadable bulk file. The table supports filtering by institution name, city, state, action type, and date range. Full PDF text for each action is accessible directly from the table. The OCC does not provide a public API or bulk CSV download. Programmatic access requires scraping the table and following PDF links.
For historical actions predating the current web interface, the OCC archives older enforcement actions in its news release system. Actions from the 1980s and 1990s are less consistently formatted than more recent actions but are present. The OCC's Uniform Bank Performance Report system provides the financial data (call report derivatives) needed to contextualize enforcement actions within the institution's financial condition at the time of the action.
Python: scraping and parsing the enforcement table
The following script fetches the OCC enforcement actions index, parses the HTML table into structured records, normalises date fields, extracts PDF links, and produces summary distributions by action type and year. It uses a polite crawl delay and standard government-site User-Agent conventions:
import requests
from bs4 import BeautifulSoup
import csv
import time
from datetime import datetime
import re
# OCC enforcement actions search page (HTML table, no API)
OCC_URL = (
"https://apps.occ.gov/eas/publicsearch/main.aspx"
)
# The OCC also exposes a static index page with filterable results.
# For bulk scraping, use the public enforcement actions index:
INDEX_URL = (
"https://www.occ.gov/topics/charters-and-licensing/"
"enforcement-actions/index-enforcement-actions.html"
)
HEADERS = {"User-Agent": "research-bot/1.0 (academic use)"}
def fetch_occ_enforcement_page(session: requests.Session, page: int = 1) -> str:
"""Fetch one page of OCC enforcement action results."""
params = {
"page": page,
"sortBy": "actionDate",
"sortDir": "desc",
}
resp = session.get(INDEX_URL, params=params, headers=HEADERS, timeout=30)
resp.raise_for_status()
return resp.text
def parse_enforcement_table(html: str) -> list[dict]:
"""Parse the OCC enforcement actions HTML table into structured records."""
soup = BeautifulSoup(html, "html.parser")
table = soup.find("table", {"id": re.compile(r"enforcement", re.I)}) or soup.find("table")
if not table:
return []
records = []
headers = [th.get_text(strip=True).lower().replace(" ", "_")
for th in table.find_all("th")]
for row in table.find_all("tr")[1:]: # skip header row
cells = row.find_all("td")
if not cells:
continue
record: dict = {}
for i, cell in enumerate(cells):
key = headers[i] if i < len(headers) else f"col_{i}"
# Extract PDF link if present
link = cell.find("a", href=re.compile(r"\.pdf", re.I))
record[key] = cell.get_text(strip=True)
if link:
href = link.get("href", "")
if href.startswith("/"):
href = "https://www.occ.gov" + href
record[key + "_pdf"] = href
# Normalise date fields
for date_key in ("action_date", "date_issued", "termination_date"):
if date_key in record and record[date_key]:
try:
record[date_key + "_parsed"] = datetime.strptime(
record[date_key], "%m/%d/%Y"
).date().isoformat()
except ValueError:
record[date_key + "_parsed"] = None
records.append(record)
return records
def scrape_all_actions(max_pages: int = 50) -> list[dict]:
"""Scrape all pages of the OCC enforcement actions table."""
all_records: list[dict] = []
session = requests.Session()
for page in range(1, max_pages + 1):
print(f"Fetching page {page}...")
html = fetch_occ_enforcement_page(session, page)
records = parse_enforcement_table(html)
if not records:
print(f" No records on page {page}, stopping.")
break
all_records.extend(records)
print(f" Got {len(records)} records (total: {len(all_records)})")
time.sleep(1.0) # polite crawl delay
return all_records
def summarise_by_action_type(records: list[dict]) -> dict[str, int]:
"""Count actions by type."""
counts: dict[str, int] = {}
for r in records:
action_type = r.get("action_type", r.get("type", "Unknown"))
counts[action_type] = counts.get(action_type, 0) + 1
return dict(sorted(counts.items(), key=lambda x: x[1], reverse=True))
def summarise_by_year(records: list[dict]) -> dict[str, int]:
"""Count actions by year issued."""
counts: dict[str, int] = {}
for r in records:
date_str = r.get("action_date_parsed") or r.get("date_issued_parsed", "")
year = date_str[:4] if date_str else "Unknown"
counts[year] = counts.get(year, 0) + 1
return dict(sorted(counts.items()))
def write_csv(records: list[dict], path: str) -> None:
if not records:
print("No records to write.")
return
fieldnames = list(records[0].keys())
with open(path, "w", newline="", encoding="utf-8") as f:
writer = csv.DictWriter(f, fieldnames=fieldnames, extrasaction="ignore")
writer.writeheader()
writer.writerows(records)
print(f"Wrote {len(records)} records to {path}")
if __name__ == "__main__":
actions = scrape_all_actions(max_pages=100)
print("\nAction type distribution:")
for action_type, count in summarise_by_action_type(actions).items():
print(f" {action_type}: {count}")
print("\nActions by year:")
for year, count in summarise_by_year(actions).items():
print(f" {year}: {count}")
write_csv(actions, "occ_enforcement_actions.csv")
The resulting CSV provides one row per enforcement action with the institution name, charter number, city, state, action type, issued date, termination date, and a direct URL to the full text PDF. Charter numbers can be joined against the FDIC's BankFind Suite — which exposes OCC charter numbers alongside FDIC RSSD IDs for national banks — to enrich each enforcement action with call report financial data covering the period before, during, and after the action.
How journalists and compliance professionals use the data
Journalists use the OCC enforcement database in two primary modes. Reactive coverage — reporting on a newly announced action against a named institution — relies on the OCC's press release and the full text PDF to understand the specifics. Investigative coverage uses the historical record to establish patterns: an institution with three Formal Agreements over ten years for BSA/AML deficiencies, each terminated only after years of noncompliance, presents a different narrative than an institution with a single resolved action. Joining OCC enforcement records against CFPB consumer complaint data, HMDA mortgage lending data, and SEC enforcement actions creates a comprehensive regulatory health profile for any major national bank.
Compliance professionals at national banks monitor the OCC enforcement database for two purposes. First, tracking peer institution actions reveals where the OCC is currently focusing examination resources — a wave of BSA/AML Formal Agreements across mid-size national banks signals heightened examiner scrutiny that will spread to similar institutions. Second, the full text PDFs of recent Formal Agreements and C&D Orders function as de facto supervisory guidance, specifying the OCC's current expectations for AML program elements, model risk management, or interest rate risk controls in operational detail that formal guidance documents rarely match.
Due diligence analysts acquiring or investing in a national bank check the OCC enforcement database as a standard step. An active Formal Agreement or C&D Order is a material contingent liability: it imposes compliance costs, constrains dividend payments and share buybacks in some cases, and may restrict the bank from pursuing acquisitions until the OCC terminates the action. The charter number is the reliable identifier for historical lookups, since institution names change through mergers and rebrandings while the charter number persists.
For the FDIC's parallel bank failure and enforcement record covering state-chartered institutions: FDIC bank failure data: every U.S. bank that has failed since 1934 →
For SEC enforcement actions against securities firms and broker-dealers that often coordinate with OCC actions against their bank affiliates: SEC enforcement actions: the public record of every securities law violation →
For entity resolution techniques needed to join enforcement records across OCC, FinCEN, FDIC, and SEC databases by institution name and identifier: Building a compliance screening risk score from federal enforcement data →