Tsunami alert: Enforcement actions are coming

The following is a guest post by Konrad Alt and Catherine Brown, Klaros Group.

Enforcement authority is without question one of the most impactful and feared tools in the toolbox of bank regulators.

The economic, reputational, and strategic implications of enforcement action can long outlive the action itself. All financial institutions strive to avoid them.

Federal banking agencies’ enforcement activity has decreased steadily since the financial crisis. Despite expectations that a Democratic administration might bring increased activity, the decrease began in the Obama Administration and continued into the first years of the Biden Administration. 

In May 2022, however, the Consumer Financial Protection Bureau (CFPB) announced plans to hire 20 new enforcement attorneys, and enforcement orders are now coming fast and furious.

Fully 50% of the agency’s 2022 actions have come in the last two months, with four notable actions in July alone (the OCC, FDIC, and Federal Reserve are also increasingly active on this front). 

Enforcement actions require a lot of fast, heavy lifting. Regardless of the issuing agency, they require management and the board to take a variety of actions and make several regulatory submissions within a short period of time, typically 60 to 90 days. The submissions characteristically take the form of plans to remediate deficiencies the regulator has identified (e.g., an order might require the submission of plans to strengthen management, risk management, compliance or internal audit, improve board oversight of risk, reduce high-risk credit concentrations, enhance capital or liquidity, etc.).

The quality of an institution’s initial response to such requirements can make a big difference. Hitting the ground running and providing timely, high-quality submissions can position your institution to put an enforcement order behind it and move on quickly.

On the other hand, missing deadlines or failing to fully satisfy order requirements can be a recipe for an extended period of poor regulatory relationships and associated constraints on your business.

Given the outlook for increased enforcement activity, the time is right for financial institutions to familiarize themselves with different enforcement action response models and develop plans for quick response should the worst happen.  

Anticipating an enforcement action

Enforcement actions rarely come out of the blue. Most often, management and the board learn of an impending enforcement action during or after a regulatory examination, with the action (often negotiated using some combination of inside and outside counsel) following after several weeks or longer.

What happens during that period is critically important.

Too often, boards of directors and management teams squander it in shocked disbelief or focus on communications, mustering internal and external resources to “tell our story better.”  In our experience, such efforts almost always fail.

While the banking agencies are not immune to errors of fact or judgment, their enforcement actions almost always rest on a factual and analytical record built over months of examination and analysis. When they decide to bring an action, the institutional momentum behind it is almost unstoppable. 

Given this, the most constructive step an institution can take when an enforcement action is imminent is to commission a careful review by a credible independent expert, typically a consultancy or law firm, and commit to the remediation that the expert recommends.

Can such a review forestall agency action? Usually, no. But seeking independent advice and moving forward to take appropriate remediation steps without waiting for an agency to order them can demonstrate to regulators that management and the board are committed to responsive change, rendering the tone of regulatory dialog less adversarial and more constructive.

Many companies also see important cultural advantages in a remedial process that is significantly proactive and therefore more in management’s control than in one that is wholly reactive to agency direction.

Responding to an enforcement action

If you find yourself on the receiving end of an enforcement action, your goals are simple: put it behind you as quickly and completely as possible, with minimal bloodshed.

To do that, you must both comply fully with the letter and the spirit of the requirements outlined in your order and, at least as critically, demonstrate to your regulator that management and the board “get it” – that they understand the issue(s) that occasioned the order, have addressed them fully, and have established controls (often accompanied by personnel or governance changes, or both) that will ensure the same problems don’t recur. 

But that’s all easier said than done. As noted, enforcement orders generally include specific requirements for addressing the identified deficiencies and exacting deadlines for compliance.

Some also require remediation of harm to consumers, obligating the institution to review all implicated accounts and transactions within a specified “lookback” period to identify which consumers were harmed, the extent of their harms, and necessary preconditions for remediation.

The CFPB, in particular, has made clear that it takes these remediation commitments seriously, penalizing Fifth Third Bank in 2021 for failing to timely remediate consumer harm and amending its 2020 complaint against the Bank to include an additional UDAAP violation for its failure to do so.

Although some enforcement actions mandate a prescribed approach to remediation (e.g., retention of an independent consultant), bankers commonly have discretion when deciding how to organize their responses.

Almost always, the determining factors are whether the institution has the expertise and staff resources necessary to fulfill the order’s requirements. If not, the institution must look to third parties to assist in its remediation efforts.

Accordingly, organizational models for enforcement action compliance and remediation fall into one of three categories: (1) internally staffed, (2) externally staffed, and (3) hybrid.

Option 1: Insourcing 

Relying solely on internal resources to manage enforcement action compliance often proves challenging.

In the first place, only the largest banking organizations tend to have internal resources with broad enforcement action compliance experience.  Personnel who lack that experience may fail to grasp the nature of the response best calculated to allay regulatory concerns, heightening the risk of a misfire that can extend and even exacerbate regulatory scrutiny.

Second, regardless of where in the company they come from, the internal resources assigned to enforcement action response commonly struggle to balance their remediation responsibilities with their day jobs.

Nevertheless, staffing the response effort with internal resources can be a reasonable option when the issues are straightforward and the team has the right stuff.

In such cases, a good practice is to entrust the leadership of the remediation effort to an executive independent of the area(s) that gave rise to the order and to charge that executive with escalating any impediments to full, timely compliance to the board or a board oversight committee. 

Option 2: Outsourcing to Consultants or Attorneys 

In part because of the challenges and risks associated with reliance on internal resources, most institutions facing enforcement actions will choose to outsource the heavy lifting of enforcement action response to a third party, typically a consultancy but sometimes a law firm.

While invariably expensive, using a third party to staff the remediation effort can have significant advantages over reliance on internal resources.

In enforcement circumstances, the institution’s regulators (and sometimes its management or board) have often lost confidence in the abilities of key executives.

Enlisting a third party with demonstrable credentials can help to instill confidence that the institution is committed to getting the remediation effort right. Additionally, firms that practice in this area invariably have broader experience than even the most experienced management teams.

While the specific requirements of an order may be new to the institution involved, the consultant may well have experience with a similar or identical requirement at other institutions and, based on that experience, may clearly understand the type of response best calculated to satisfy the regulator.

Occasionally, a regulator will require that an enforcement action be remediated with the assistance or oversight of an independent third party (most commonly for particularly egregious or very large-scale enforcement actions). For example, following the financial crisis, the OCC, FRB, and FDIC required each of the fourteen largest mortgage servicers to retain an independent consultant to conduct a lookback review to identify appropriate remediation for consumers harmed in the foreclosure process. 

Effective knowledge transfer and handoff can be a significant challenge for the fully outsourced approach to enforcement action remediation.

Major financial institutions, especially, that have adopted this approach often award an initial 60- to 180-day consulting contract intended to ensure timely submission of the various plans required by the order, only to realize that those plans obligate the institution to build new programs and controls. Developing those programs and controls is often a much larger effort and requires another consulting contract, either with the same consultancy or a different one.

By the time the second contract nears completion, the consultants involved have a vastly deeper understanding of the mechanics of ongoing compliance than the bank’s own personnel.

Many large consultancies have secured near-permanent beachheads at major financial institutions in just this way.

Option 3: Hybrid Approaches

Between the polar extremes of fully insourcing and fully outsourcing the remediation effort lie a range of solutions involving a mix of internal and external resources. Institutions adopting such hybrid approaches commonly seek to manage expenses while mitigating some of the weaknesses of fully insourced or outsourced alternatives.

Most commonly, hybrid approaches enlist a third party with appropriate experience to manage or validate remediation work performed by less expensive internal or contract resources. Using internal resources working under expert oversight, perhaps with contract resource support, helps promote knowledge transfer.

The reporting line of the third party is an important consideration in structuring hybrid relationships. While many institutions entrust this responsibility to their general counsels, such arrangements can put a general counsel in a no-win situation.

In practice, the institution’s regulators will demand to see the third party’s findings, recommendations, and possibly its work papers, so the arrangement creates no realistic promise of attorney-client privilege.

Additionally, knowing that the general counsel’s responsibilities conventionally include advocacy on the institution’s behalf, bank examiners commonly view work performed under attorney supervision with some suspicion.

A better arrangement, in our experience, places the third party under the oversight of a standing or special compliance committee of the board, with a majority of independent directors.

In such an arrangement, the third party is positioned to review management’s efforts to meet order requirements and opine on the likelihood that those efforts will satisfy regulatory expectations.

In practice, this arrangement drives considerable knowledge transfer as members of management seek education and direction from the third party early in their remediation efforts to avoid embarrassment when the time for board review and approval of their work arrives.


The outlook for heightened enforcement activity is clear. The CFPB is expressly committed to driving industry change through enforcement activity. Other federal banking agencies will not wish to appear lax by comparison.

The combined effects of dramatic interest rate shifts and increasingly challenging macroeconomic circumstances will inevitably create many opportunities for them to showcase toughness through enforcement activity.

While every financial institution will work hard to avoid being the target of a federal enforcement action, inevitably, some will fail.

Those institutions that plan ahead, identifying how they will staff and govern their enforcement action response efforts should the worst occur, can dramatically improve their prospects for minimizing damage to their businesses and brands.  

  • Konrad Alt

    Konrad is a financial services leader with deep expertise and decades of experience in risk management, compliance, corporate governance, and regulatory strategy and affairs.

  • Catherine Brown

    Catherine is a seasoned compliance and ethics professional, specializing in regulatory risk management and consumer compliance in the financial services industry. Catherine advises large, complex financial institutions on regulatory requirements and trends in all aspects of consumer compliance, corporate conduct/ethics, and anti-money laundering/financial crimes, and focuses much of her practice on preparation for and response to regulatory examination. Prior to joining Klaros, Catherine was a founding partner of Treliant Risk Advisors, where she co-led the regulatory compliance practice.