Consent Orders
Blue Ridge Bank, N.A. Consent Order
Quick background: What led to this order? Who issued it and why?
This is a January 2024 OCC consent order against Blue Ridge Bank, N.A. after regulators concluded the bank’s AML and risk management controls were not keeping up with its fintech partnership activity.
The OCC had already put the bank under a prior formal agreement in 2022, but said the bank failed to fix the underlying issues, so the agency escalated to a much more aggressive enforcement action.
Core violations/findings: What did the regulator say the bank did wrong?
The OCC identified four major problem areas:
Broken BSA/AML program
Weak internal controls,
Weak independent testing,
Inadequate staffing,
Resulting in actual regulatory violations.
Failure to remediate prior issues
The bank allegedly failed to correct problems the OCC had already identified.
Poor fintech and third-party oversight
The OCC repeatedly focused on fintech partners, subpartners, and embedded banking activity.
Regulators believed the bank lacked adequate controls over those relationships.
Broader safety-and-soundness weaknesses
Including capital planning,
Liquidity management,
Strategic planning,
And IT controls.
Key remedies and requirements: What must the bank actually do now?
The order basically forces a full rebuild of the bank’s compliance and governance framework.
Key requirements include:
A board-level compliance committee with ongoing OCC reporting,
A comprehensive BSA/AML remediation plan,
Major upgrades to third-party and fintech risk management,
Enhanced customer due diligence and suspicious activity monitoring,
Expanded audit and independent testing requirements,
Mandatory staffing and governance enhancements for the BSA department,
New strategic and capital plans subject to OCC oversight.
One especially important restriction:
The bank generally cannot add new fintech relationships or launch new fintech products without OCC non-objection until compliance issues are resolved.
That is effectively a fintech growth freeze.
Penalties and sanctions: Any civil money penalties, restitution, or other financial hits?
Interestingly, there was no civil money penalty in this order itself.
But the OCC imposed serious operational and financial constraints:
Higher capital requirements:
13% total capital ratio,
10% leverage ratio,
Restrictions on dividends and capital distributions,
Potential brokered deposit limitations,
And continuing OCC authority to impose future penalties if remediation fails.
Timelines and oversight: Deadlines, reporting requirements, and any third-party or regulator monitoring?
The timelines are aggressive:
30 days for initial remediation plans and IT controls,
60 days for enhanced CDD and SAR monitoring programs,
90 days for major risk management, staffing, audit, strategic, and capital initiatives.
The OCC also required:
Quarterly board reporting,
Annual program reviews,
Independent audits and validations,
And a SAR look-back review to determine whether suspicious activity went previously unreported.
The OCC even reserved the right to expand that look-back review later.
Big-picture implications: What does this mean practically for the bank, its executives, and its ongoing compliance efforts? Any red flags or lessons for other institutions?
This is really a cautionary tale about fintech-driven growth outpacing compliance infrastructure.
The OCC is sending a clear message that:
Banks remain fully responsible for AML compliance even when activity flows through fintech partners,
And regulators expect enterprise-grade controls before scaling embedded finance or BaaS programs.
A few notable points:
The bank was formally designated in “troubled condition,” which has broader regulatory consequences.
The OCC inserted itself deeply into the bank’s strategic decision-making.
The board itself was made directly accountable for remediation oversight.
The practical lesson for other institutions is simple:
if fintech growth outpaces AML, governance, staffing, and transaction monitoring capabilities, regulators will step in aggressively and potentially halt expansion altogether.
Cross River Bank Consent Order
Quick background: What led to this order? Who issued it and why?
This is a March 2023 FDIC consent order against Cross River Bank centered on fair lending and marketplace lending compliance failures.
The FDIC concluded the bank’s fintech and third-party lending model outgrew its compliance infrastructure, particularly around:
Fair lending oversight,
Data systems,
Underwriting controls,
And third-party monitoring.
The order also references violations of:
ECOA / Regulation B,
TILA / Regulation Z,
And safety-and-soundness standards.
Core violations/findings: What did the regulator say the bank did wrong?
The FDIC identified four main issues:
Weak fair lending compliance management
Inadequate internal controls,
Weak audit and monitoring systems,
And deficient underwriting oversight.
Poor oversight of fintech and marketplace lending partners
The bank allegedly failed to properly oversee third parties, merchants, and partner-originated lending activity.
Data and systems deficiencies
Regulators were concerned the bank lacked reliable systems and accessible data necessary to monitor fair lending compliance effectively.
Potential discriminatory outcomes
The order requires statistical testing for disparities tied to prohibited bases under fair lending laws.
That signals concern over whether underwriting, pricing, or marketing practices may have produced discriminatory impacts.
Key remedies and requirements: What must the bank actually do now?
The order forces a major rebuild of the bank’s fair lending and third-party oversight framework.
Key requirements include:
Enhanced board oversight and governance,
Comprehensive fair lending risk assessments,
Independent reviews of systems, staffing, and fair lending compliance,
Expanded statistical monitoring and transaction testing,
Detailed third-party due diligence and monitoring programs,
Semi-annual fair lending monitoring reports,
And potential remediation for affected borrowers.
One especially important provision:
The bank cannot add new fintech partners or launch new credit products without FDIC non-objection.
That’s effectively a regulator-controlled growth gate.
Penalties and sanctions: Any civil money penalties, restitution, or other financial hits?
The order itself does not impose a civil money penalty.
There’s also no stated restitution amount.
But the bank faces substantial operational costs from:
Independent consultants,
System rebuilds,
Staffing increases,
Statistical testing,
And enhanced monitoring obligations.
The FDIC also expressly preserved its ability to pursue future enforcement or additional remedies if problems persist.
Timelines and oversight: Deadlines, reporting requirements, and any third-party or regulator monitoring?
The timelines are aggressive:
15 days:
Identify all current products and third-party partners.
30 days:
Submit full inventory of products and partners.
45–60 days:
Submit remediation plans,
Launch risk assessments,
Begin independent reviews.
90 days:
Complete major independent assessments and compliance reports.
The bank also must provide:
Quarterly progress reports,
Semi-annual monitoring reports,
Ongoing board oversight documentation,
And continuous reporting to the FDIC.
Big-picture implications: What does this mean practically for the bank, its executives, and its ongoing compliance efforts? Any red flags or lessons for other institutions?
This order is a major signal about how regulators view fintech partnership banking and marketplace lending.
The FDIC’s position is essentially:
the bank remains fully responsible for fair lending compliance even when products are originated, marketed, or serviced through third parties.
The most notable takeaways:
Regulators are deeply focused on algorithmic underwriting and data governance,
Third-party oversight is now a board-level issue,
And banks need enterprise-grade fair lending controls before scaling fintech partnerships.
The most burdensome provision is probably the FDIC non-objection requirement for:
New fintech partners,
New lending programs,
And new products.
Practically, that gives regulators significant control over growth strategy.
The broader lesson for other institutions is:
outsourcing customer acquisition or underwriting functions does not outsource regulatory liability.
Lineage Bank Consent Order
Quick background: What led to this order? Who issued it and why?
This is a January 2024 FDIC consent order against Lineage Bank tied to concerns over the bank’s Banking-as-a-Service (“BaaS”) and fintech partnership operations.
The FDIC concluded the bank had unsafe or unsound practices involving:
Third-party risk management,
Fintech oversight,
AML/CFT controls,
Liquidity management,
And rapid growth tied to fintech activity.
At a high level, regulators believed the bank’s operational controls and governance framework were not keeping pace with its fintech expansion.
Core violations/findings: What did the regulator say the bank did wrong?
The FDIC focused on four major issues:
Weak fintech and third-party oversight
Insufficient governance over fintech partners, BaaS activity, ACH/payment flows, and downstream third-party relationships.
AML/CFT weaknesses
Concerns around suspicious activity monitoring, customer due diligence, ACH monitoring, SAR processes, and fintech-related AML risk.
Liquidity and concentration risk
Heavy reliance on fintech-related deposits and funding concentrations created regulatory concern around liquidity stability and stress management.
Insufficient audit and internal controls
The FDIC criticized internal audit, monitoring, staffing, and reporting infrastructure tied to high-risk fintech operations.
Key remedies and requirements: What must the bank actually do now?
The order requires a broad rebuild of the bank’s fintech governance framework.
Key requirements include:
Enhanced board supervision and management accountability,
Expanded internal audit and control functions,
A formal enterprise-wide third-party risk management program,
Independent BaaS risk assessments,
Formal onboarding procedures for fintech partners,
Enhanced AML/CFT controls and ACH due diligence,
Liquidity concentration reduction plans,
And strengthened capital planning.
One especially notable restriction:
The bank could not onboard new fintech partners or fintech-related ACH customers until enhanced onboarding and AML controls were implemented.
That is effectively a fintech growth freeze.
Penalties and sanctions: Any civil money penalties, restitution, or other financial hits?
There was no civil money penalty in the order itself.
But the order imposed major operational and financial constraints:
Elevated capital requirements:
12.5% Tier 1 leverage ratio,
16% Total Risk-Based Capital ratio,
Restrictions on dividends and management fees,
Brokered deposit limitations,
And substantial remediation costs tied to consultants, staffing, audits, and monitoring.
Timelines and oversight: Deadlines, reporting requirements, and any third-party or regulator monitoring?
The timelines are aggressive:
30–60 days:
Fintech contingency plans,
AML staffing assessments,
ACH policy updates,
Liquidity planning updates.
90 days:
Internal audit upgrades,
BaaS risk assessments,
Capital plans,
Formal onboarding programs.
120 days:
Strategic plan revisions,
Full third-party risk framework implementation,
Suspicious activity lookback reviews.
The FDIC also required:
Quarterly progress reports,
Monthly board reporting,
Annual independent third-party assessments,
Ongoing FDIC review and comment rights.
Big-picture implications: What does this mean practically for the bank, its executives, and its ongoing compliance efforts? Any red flags or lessons for other institutions?
This order is another strong signal that regulators are heavily scrutinizing BaaS and fintech partnership banking models.
The FDIC’s core message is:
banks remain fully responsible for risk management, AML compliance, liquidity oversight, and consumer protection — even when activity flows through fintech partners.
The biggest themes:
Regulators are highly focused on fintech deposit concentration and liquidity risk,
Third-party governance is now a board-level responsibility,
And growth restrictions are becoming a standard remedy where fintech operations outpace controls.
The most burdensome provisions are probably:
The effective freeze on onboarding new fintech relationships,
The elevated capital requirements,
And the requirement for ongoing independent BaaS risk assessments.
The broader lesson for other institutions is:
rapid fintech-driven growth without mature AML, liquidity, audit, and third-party governance infrastructure is now a major enforcement trigger for regulators.
Choice Financial Group Consent Order
Quick background: What led to this order? Who issued it and why?
This is a December 2023 joint consent order from the FDIC and the North Dakota Department of Financial Institutions against Choice Financial Group. It followed a June 2023 examination where regulators concluded the bank had BSA/AML violations, especially tied to third-party financial services relationships.
The bank consented without admitting or denying the alleged violations.
Core violations/findings: What did the regulator say the bank did wrong?
The regulators focused on four main BSA/AML issues:
Board oversight was not strong enough. The Board must take direct responsibility for AML/CFT compliance and meet monthly on BSA issues.
Third-party activity created AML/CFT risk. The order repeatedly focuses on customers and activity coming through third-party financial services relationships.
CIP, CDD, and SAR monitoring needed remediation. The bank must improve customer identification, due diligence, beneficial ownership controls, alert handling, SAR decisioning, and suspicious activity reporting across all business lines, including third-party channels.
Staffing, audit, training, and systems validation were deficient. The order requires resource assessments, independent AML/CFT audits, tailored training, and validation of suspicious activity monitoring systems.
Key remedies and requirements: What must the bank actually do now?
The order is basically a full AML/CFT remediation plan.
The bank must:
Establish an AML/CFT Compliance Committee within 30 days, with a majority of members not involved in daily operations.
Revise the AML/CFT Program and complete a new ML/TF risk assessment within 60 days, including risks from third-party activity.
Rebuild internal controls within 120 days, specifically around CIP, CDD, beneficial ownership, suspicious activity monitoring, and third-party referrals.
Conduct a lookback review of customers onboarded through specified third-party relationships and activity since the inception of those relationships.
Validate suspicious activity monitoring systems used by the bank and third parties, including fixing data gaps and ensuring customer and transaction data are accurate and complete.
Strengthen BSA Officer authority, staffing, independent audit, and AML/CFT training.
Penalties and sanctions: Any civil money penalties, restitution, or other financial hits?
There is no civil money penalty or stated restitution amount in the order.
But it is still expensive and burdensome. The bank must pay for independent reviews, lookback work, systems validation, staffing enhancements, audit upgrades, training, and ongoing reporting.
The order also preserves the ability of the FDIC, DFI, or other agencies to take additional action against the bank or institution-affiliated parties.
Timelines and oversight: Deadlines, reporting requirements, and any third-party or regulator monitoring?
The key deadlines are tight:
Immediately: Board must improve AML/CFT oversight and hold monthly BSA discussions.
30 days: Establish AML/CFT Compliance Committee.
60 days: Revise AML/CFT Program, complete ML/TF risk assessment, identify independent parties for the lookback, resource assessment, and AML/CFT audit.
90–120 days: Submit lookback and audit plans, adopt revised audit/training programs, and rebuild internal controls.
180 days: Complete systems validation and correct cited AML/CFT violations.
The bank must also submit quarterly progress reports within 45 days after each quarter-end.
Big-picture implications: What does this mean practically for the bank, its executives, and its ongoing compliance efforts?
This is a straightforward but serious BSA/AML order with a strong third-party-risk overlay.
The practical message is: Choice remains responsible for AML/CFT compliance even when customers are onboarded or activity flows through third parties. Regulators expect the bank to control CIP, CDD, beneficial ownership, suspicious activity monitoring, SAR filing, staffing, audit, and data quality across the whole ecosystem.
The most burdensome provisions are:
The third-party customer/activity lookback going back to the inception of the relevant relationships,
The validation of suspicious activity monitoring systems used by both the bank and third parties,
And the independent staffing/resource assessment.
For other institutions, the lesson is simple: third-party financial services programs need AML infrastructure that scales with the business. If the bank cannot prove who the customers are, what activity is expected, how suspicious activity is escalated, and whether monitoring systems work, regulators will force a full remediation buildout.
Sutton Bank Consent Order
Quick background: What led to this order? Who issued it and why?
This is a February 2024 joint FDIC and Ohio Division of Financial Institutions consent order against Sutton Bank. The focus is BSA/AML compliance, especially around third-party program managers and prepaid card programs. Sutton consented without admitting or denying the alleged unsafe or unsound practices and BSA-related violations.
Core violations/findings: What did the regulator say the bank did wrong?
The regulators focused on four main issues:
AML/CFT program weaknesses. Sutton’s program had to be revised to meet BSA requirements and address deficiencies from the 2023 examination.
Insufficient board oversight. The Board must take direct responsibility for AML/CFT policies, procedures, implementation, and remediation.
Third-party control gaps. The bank must inventory third parties and identify which AML/CFT functions they perform, including CIP, transaction monitoring, independent testing, and suspicious activity reporting.
Prepaid card program issues. Regulators specifically called out suspicious activity monitoring and CIP weaknesses in prepaid card programs managed by third-party program managers.
Key remedies and requirements: What must the bank actually do now?
The bank must execute a targeted AML/CFT remediation plan.
Key requirements:
Revise the AML/CFT program to match Sutton’s risk profile and include oversight of third parties performing AML/CFT obligations.
Improve Board supervision, appoint or maintain a qualified BSA Officer reporting directly to the Board, and establish a Directors’ Committee to oversee order compliance.
Conduct an independent AML/CFT staffing and systems review.
Build third-party risk management controls, including due diligence, ongoing monitoring, quarterly reporting, and corrective action expectations.
Strengthen suspicious activity monitoring for prepaid card programs, including alert review, referral tracking, documentation, SAR processes, and quality control.
Fix CIP for prepaid card programs and conduct a CIP lookback of prepaid card customers beginning July 1, 2020.
Penalties and sanctions: Any civil money penalties, restitution, or other financial hits?
No civil money penalty or restitution amount is imposed in the order.
But this is still costly: Sutton must pay for remediation, independent resource review, program redesign, third-party monitoring, training, suspicious activity monitoring upgrades, and the prepaid-card CIP lookback.
Timelines and oversight: Deadlines, reporting requirements, and any third-party or regulator monitoring?
The timelines are tight:
60 days: Submit the prepaid-card CIP lookback plan.
90 days: Improve Board oversight, complete staffing/resource actions, implement third-party controls, revise suspicious activity monitoring, fix prepaid-card CIP procedures, and update training.
120 days: Complete the CIP lookback review.
180 days: Revise the AML/CFT program and correct all cited violations and AML/CFT weaknesses.
Oversight is board-heavy. The Directors’ Committee must produce monthly compliance reports, and quarterly progress reports must be signed by every Board member and submitted to the FDIC and Ohio Division.
That board-signature requirement is a notable accountability feature.
Big-picture implications: What does this mean practically for the bank, its executives, and its ongoing compliance efforts?
This is a BSA/AML order about outsourced program risk. The message is simple: Sutton remains responsible for AML/CFT compliance even when prepaid card operations and customer-facing functions are handled by third-party program managers.
The most burdensome provisions are:
The prepaid-card CIP lookback back to July 1, 2020,
The requirement to map third-party AML/CFT responsibilities,
And the enhanced suspicious activity monitoring controls for prepaid program managers.
For other banks, the lesson is clear: prepaid, fintech, and partner-led programs need bank-level visibility into CIP, transaction monitoring, suspicious activity referrals, documentation, and corrective action. Outsourcing the program does not outsource the BSA risk.