FDIC Enforcement Actions: The Federal Record of Orders Against Banks and Bankers

There is a federal order that can shut a bank's practices down, and another that can end a banker's career permanently. When the FDIC issues a cease-and-desist order, a civil money penalty, or a removal-and-prohibition order, it publishes the document in a public register—roughly 10,900 enforcement actions, one row per order, each naming the respondent, the action type, the issue date, the docket number, and the basis. It is at once a record of penalized banks and a roll of barred bankers: the people whom the federal government has decided may never again work inside an insured institution.

This article covers what the enforcement-actions dataset is and the FDIC's role as the primary federal regulator of state nonmember banks; the statutory machinery—Section 8 of the Federal Deposit Insurance Act—that authorizes the orders; the main action types, from cease-and-desist and consent orders to civil money penalties, removal-and-prohibition orders, and restitution; the institution-affiliated-party concept that lets the FDIC name and sanction individuals, not just banks; the recurring causes, with particular weight on Bank Secrecy Act and anti-money-laundering failures and on safety-and-soundness and consumer-protection violations; how the data joins to the FDIC institutions directory by name and certificate number; a Python workflow that pulls recent orders, tallies them by action type and year, and ranks them by civil money penalty amount; and the caveats—name-only matching, the multi-regulator landscape, terminated orders, and the gap between an order and an adjudication—every analyst must internalize.

What the dataset is

The Federal Deposit Insurance Corporation is best known for insuring deposits, but it is also a bank supervisor with real enforcement teeth. When a bank it oversees engages in an unsafe-or-unsound practice or violates a law or regulation, the FDIC can bring a formal enforcement action—a legally binding order compelling the institution, or an individual associated with it, to do or stop doing something. The agency publishes those orders in its enforcement decisions and orders (ED&O) system, a public, searchable archive of the final actions it has taken, updated monthly with the orders issued the month before. Drawn from that public system, the record in our database comprises roughly 10,900 enforcement orders.

In our database this record is stored as the table fdic_enforcement, with the grain of one row per order or action: a single bank cited in three separate actions over a decade contributes three rows, and an individual barred by a prohibition order contributes a row of his own, distinct from any action against his bank. The columns capture who the action is against, what kind of action it is, when it was issued, the docket or order number that identifies it, and the basis for it:

respondent              -- the institution or individual the order is against
respondent_type         -- bank/institution vs individual (IAP)
cert                    -- FDIC certificate number of the bank (join key)
institution_name        -- name of the bank, where the respondent is a person
city / state            -- location of the respondent / institution
action_type             -- C&D, consent order, CMP, prohibition, restitution
docket_number           -- the FDIC docket / order number identifying the case
issue_date              -- date the order was issued / became effective
termination_date        -- date the order was terminated, if it has been
cmp_amount              -- civil money penalty assessed, where applicable
basis                   -- the practice or violation underlying the action

Two columns carry most of the analytic weight. The action_type is what distinguishes a corrective order against a still-operating bank from a penalty, and a penalty from a career-ending bar against a person—categories that mean very different things and that an analyst must never collapse. The cert, the FDIC certificate number, is the load-bearing join key: it is the persistent identifier the FDIC assigns to every insured institution, and it is what ties an enforcement action to the same bank's entry in the institutions directory, its quarterly Call Report financials, and—if the bank later fails—its failure record. Where the respondent is an individual rather than a bank, the respondent_type flags the difference and the cert points to the institution the person was affiliated with, so that a prohibition order can still be related to the bank at which the conduct occurred. The docket_number is the stable handle for the case itself—the identifier under which the underlying order document lives in the public system—and the basis records, in the order's own terms, the unsafe-or-unsound practice or the legal violation that prompted the action.

What it is and the FDIC supervisory frame

To read the enforcement data you have to understand which banks the FDIC actually regulates, because the dataset is shaped by the agency's place in the fragmented US bank-supervision system. The United States has multiple federal banking regulators, and which one is a given bank's primary federal regulator depends on the bank's charter and its membership in the Federal Reserve System. National banks are supervised by the Office of the Comptroller of the Currency; state-chartered banks that are members of the Federal Reserve are supervised by the Fed; and state-chartered banks that are not members of the Federal Reserve—the “state nonmember” banks—are supervised by the FDIC. That last category is the FDIC's primary-regulator franchise, and it is the population from which most of the institutions in this dataset are drawn.

But the FDIC's reach does not stop at the banks for which it is the primary regulator. Because it insures the deposits of essentially every bank in the country, the FDIC is also a back-up supervisor for insured institutions whose primary regulator is the OCC or the Fed. In that back-up role it retains a residual enforcement authority that it can exercise when the deposit insurance fund is at risk and the primary regulator has not acted—a power used sparingly, but real. The practical consequence for the data is that the dataset is dominated by actions against state nonmember banks and their people, with a thinner tail of back-up and special-examination actions, and that any cross-regulator picture of bank enforcement requires combining this dataset with the parallel enforcement records published by the OCC, the Federal Reserve, and the National Credit Union Administration. The FDIC record is authoritative for its own franchise; it is not the whole of federal bank enforcement.

The legal engine behind nearly every record in the table is Section 8 of the Federal Deposit Insurance Act, the provision that arms the federal banking agencies with their formal enforcement powers. Section 8 authorizes the agency to issue cease-and-desist orders against unsafe-or-unsound practices and violations of law (Section 8(b)), to remove and permanently prohibit individuals from the banking industry (Section 8(e)), and to assess civil money penalties (Section 8(i)). It also supplies the two foundational standards that recur throughout the basis field: an unsafe or unsound practice, a deliberately broad concept that captures conduct contrary to accepted standards of prudent banking operation even where no specific rule has been broken; and a violation of law, rule, or regulation, the narrower and more concrete basis. Understanding that these two standards underlie the actions is what lets an analyst read the basis field correctly: many orders rest on the elastic unsafe-or-unsound standard rather than on a discrete statutory violation, which is precisely why the FDIC can act on a bank's deteriorating condition before any law is technically broken.

Action types: C&D, consent, CMP, prohibition, restitution

The action_type field encodes a small but consequential taxonomy, and getting the distinctions right is the single most important thing in working with the data. The actions range from corrective measures against a still-functioning bank to penalties to bars that end a person's career, and they are not interchangeable.

The cease-and-desist order is the workhorse corrective tool. It directs a bank—or an individual—to stop an unsafe-or-unsound practice or a violation and, just as often, to take affirmative action: to raise capital, strengthen management, improve its loan underwriting, build its allowance for loan losses, or overhaul a deficient compliance program. A cease-and-desist order is forward-looking and remedial; it governs how the bank must operate going forward and typically stays in force until the FDIC is satisfied the problems are fixed. The overwhelming majority of these are consent orders: rather than litigate, the respondent stipulates to the order—agrees to its terms without admitting or denying the findings—and the FDIC issues it by consent. Because consent is the norm, an analyst should not read the prevalence of consent orders as the absence of contested conduct; it reflects the practical reality that banks under supervisory pressure almost always settle.

The civil money penalty (CMP) is the monetary sanction. It is a fine assessed against an institution or an individual for violations or for unsafe-or-unsound practices, scaled by the seriousness of the conduct, the degree of culpability, and the harm caused. CMPs can be modest or, for the gravest matters—large-scale Bank Secrecy Act failures, systemic consumer-protection violations—they can run to substantial sums, and the dataset includes some of the largest civil money penalties the FDIC has ever assessed. The removal-and-prohibition order is the most severe action against a person, and the one that makes this dataset a register of barred bankers. It removes an individual from his position and permanently prohibits him from participating in the affairs of any FDIC-insured institution—not just the bank where the conduct occurred, but the entire insured banking system, for life. Finally, the restitution order requires a respondent to pay back money—to the bank or to harmed customers—and is frequently coupled with a cease-and-desist order or a CMP rather than standing alone. A single matter can therefore generate several rows: a consent C&D against the bank, a CMP and a prohibition against the officer who caused the problem, and a restitution order to make the victims whole.

Institution-affiliated parties: naming the individual

The feature that makes the enforcement data far more than a list of troubled banks is the FDIC's authority to act against individuals, and the legal vehicle for that authority is the institution-affiliated party (IAP). The Federal Deposit Insurance Act defines the IAP expansively: it reaches a bank's directors, officers, and employees, its controlling shareholders, and certain agents and independent contractors— attorneys, accountants, appraisers, and others—who knowingly or recklessly participate in a violation or a breach of fiduciary duty that harms the institution. The breadth of the definition is deliberate: it lets the FDIC reach the people who actually caused a bank's problems, not merely the institutional shell.

That an action can name a person is what gives the prohibition order its bite and the dataset its second face. When the FDIC issues a removal-and-prohibition order against an IAP, it does more than punish a single bank—it removes that person from the trusted-banker pool governmentwide across insured institutions. Because the bar is permanent and industry-wide, the set of prohibition orders functions as a federal register of barred bankers: a list of the officers, directors, employees, and agents whom the United States has decided cannot be trusted inside an insured institution again. The respondent_type column is what lets an analyst separate this register from the actions against institutions, and the individual records are often the analytically richer half—they name the embezzling loan officer, the president who falsified records, the director who looted the bank— where the institutional record names only the bank that failed to stop them. As with any person-level federal dataset, the value depends entirely on careful entity resolution of the free-text name, a theme the caveats return to.

The BSA/AML and safety-and-soundness causes

The basis field records why each action was brought, and a handful of recurring themes account for the bulk of the record. Recognizing them is what turns the basis text from boilerplate into an account of how banks and bankers actually run into trouble.

Bank Secrecy Act and anti-money-laundering (BSA/AML) failuresare among the most prominent and the most heavily penalized causes in the dataset. The Bank Secrecy Act and its implementing regime require banks to maintain an effective AML program— a system of internal controls, independent testing, a designated compliance officer, and training—to perform customer due diligence, and to file suspicious activity reports and currency transaction reports that feed the government's financial-intelligence apparatus. When a bank's program is deficient—inadequate monitoring, a failure to file required reports, weak controls over high-risk customers—the FDIC brings enforcement actions that frequently pair a cease-and-desist order compelling a program overhaul with a civil money penalty, and BSA/AML matters account for several of the largest CMPs in the record. These actions often run in parallel with assessments by FinCEN, the Treasury bureau that administers the BSA, so a single BSA failure can surface in more than one federal enforcement record at once.

Safety-and-soundness orders are the largest category by volume and the heart of the FDIC's prudential mission. These rest on the unsafe-or-unsound standard and address the things that put a bank's solvency and the deposit insurance fund at risk: inadequate capital, concentrations of risky credit, deficient loan underwriting and loan-loss reserving, poor liquidity management, weak internal controls, and ineffective management and board oversight. They are the orders that proliferate in and after periods of financial stress, when deteriorating real estate and credit conditions push marginal banks toward failure, and they are the supervisory paper trail that often precedes a bank's appearance in the failure record. Consumer-protection and fair-lending violations form a third major stream: deceptive or unfair practices, violations of the lending and disclosure statutes, and discriminatory lending, brought under the FDIC's authority over the institutions it supervises (with the Consumer Financial Protection Bureau holding parallel authority for the largest banks). The remaining records run to fiduciary breaches, insider abuse, embezzlement, and falsification of records—the integrity failures that most often produce the individual prohibition orders.

Joining to the institutions directory and the bank lifecycle

The enforcement table is most valuable not in isolation but as one stage in the integrated FDIC record of a bank's life, and the cert—the FDIC certificate number—is the universal join key that makes the integration possible. Three joins matter most.

The first is to the institutions directory, the FDIC's master registry of every insured bank, active and historical, served by the public BankFind Suite API. Joining fdic_enforcement to the directory by certificate number is what supplies the context an action lacks on its own: the bank's asset size, its charter class, its primary regulator, its location, and its current status. That context is what lets an analyst distinguish a routine corrective order against a small community bank from a major action against a large institution, normalize enforcement counts against the population of supervised banks, and confirm that a respondent named in the order is in fact a state nonmember bank within the FDIC's primary-regulator franchise. Without the directory join, an order is a name and a date; with it, every order is anchored to an institution of known size, type, and standing.

The second join is to the bank's quarterly Call Report financials, also keyed by certificate number. Because the Call Report records a bank's capital, asset quality, earnings, and liquidity quarter by quarter, joining it to the enforcement record lets an analyst place an order on the bank's financial timeline: watch capital erode and problem loans climb in the quarters before a safety-and-soundness order, and watch whether the order's required corrective action is followed by recovery or by continued deterioration. This is the join that turns a static order into a story— the supervisory intervention set against the financial trajectory it was meant to arrest. The third and most sobering join is to the bank-failure record. When a bank fails, it leaves a failure entry keyed by the same certificate number, and ordering the enforcement actions and the failure date in time reveals the enforcement-to-failure pipeline: how often a failed bank had outstanding cease-and-desist orders, how long before failure the first order issued, and whether the supervisory paper trail anticipated the collapse it could not prevent.

Analytical uses

A national, institution-resolved, date-stamped record of bank enforcement supports a distinctive set of analyses that no single order can reveal.

Enforcement trends by type and year is the most immediate use. Because each action carries a type and an issue date, an analyst can chart how the mix and volume of orders move over time—the surge of safety-and-soundness orders in and after a banking crisis, the multi-year build of BSA/AML actions as that supervisory priority intensified, the cadence of prohibition orders—and read the enforcement record as a barometer of where supervisory attention has been concentrated and how banking stress has ebbed and flowed.

Civil money penalty analysis exploits the cmp_amount field: ranking the largest penalties, tracking the total and median penalty over time, and breaking penalties down by cause to see which kinds of conduct— BSA/AML, consumer protection, insider abuse—draw the heaviest fines. The barred-banker register exploits the prohibition orders: building, from the individual respondents, a searchable list of the people permanently barred from insured banking—a due-diligence resource for any institution vetting a prospective officer or director, and a research base for studying who ends up barred and why. Finally, the enforcement-to-failure pipeline brings the failure join to bear: measuring how predictive outstanding orders are of subsequent failure, how much lead time the supervisory record provided, and whether the orders that issued were commensurate with the deterioration the financials show—the question of whether the enforcement program caught, and acted on, the problems it exists to catch.

Python workflow: pulling orders and ranking by penalty

The script below pulls recent FDIC enforcement orders from the agency's public ED&O system, resolves the (version-dependent) column names defensively, and produces three core views: actions tallied by type, actions tallied by year, and the largest civil money penalties in the pull. One thing to understand before running it: ED&O at orders.fdic.gov is a public, monthly-updated search system, not a documented data API—there is no public JSON or REST endpoint for the orders, and the FDIC BankFind Suite API (banks.data.fdic.gov) serves institutions, financials, failures, and the like, but not enforcement orders. So the only programmatic paths are to request the genuine public ED&O pages (and the monthly press-release listings) and parse the order rows out of the rendered HTML, or to export the results the search form returns. The script does the former and resolves working column names at runtime; for serious work, export from the ED&O search form rather than scraping, confirm the current page markup, and page through every release. Requirements: requests and pandas (with lxml for read_html).

import requests, pandas as pd

# FDIC Enforcement Decisions and Orders (ED&O).
#
# The FDIC publishes the full text of every final formal enforcement
# action it has issued in a public, searchable system -- Enforcement
# Decisions and Orders (ED&O) -- updated monthly with the orders issued
# the preceding month:
#   - search UI:        https://orders.fdic.gov/s/
#   - search form:      https://orders.fdic.gov/s/searchform
#   - monthly listing:  https://orders.fdic.gov/s/press-release-orders
#
# IMPORTANT: ED&O is a search interface, not a documented data API. There
# is no public JSON/REST endpoint for the orders, and the FDIC BankFind
# Suite API (banks.data.fdic.gov) covers institutions, financials,
# locations, history, failures, SOD, summary, and demographics -- it does
# NOT serve enforcement orders. So the only programmatic paths are to
# request the public ED&O pages (and the monthly press-release listings)
# and parse them, or to export the search results the UI returns. Treat
# the parsing below as illustrative and confirm the current page markup;
# for bulk work, export from the ED&O search form rather than scraping.
EDO_BASE  = "https://orders.fdic.gov/s"          # public ED&O search system
EDO_FEED  = f"{EDO_BASE}/press-release-orders"     # monthly order listings


def fetch_month(year, month, day):
    # The monthly press-release-orders page lists the orders the FDIC
    # published for a given release. Request the genuine public page; the
    # response is HTML rendered by the ED&O app, so parse the order rows
    # out of it (e.g. with pandas.read_html or an HTML parser) rather than
    # expecting a JSON body.
    params = {"prYear": year, "prMonth": month, "prDate": day}
    r = requests.get(EDO_FEED, params=params, timeout=120,
                     headers={"User-Agent": "research/1.0"})
    r.raise_for_status()
    try:
        tables = pd.read_html(r.text)          # one row per published order
    except ValueError:
        return pd.DataFrame()
    return pd.concat(tables, ignore_index=True) if tables else pd.DataFrame()


def col(frame, *candidates):
    lower = {c.lower(): c for c in frame.columns}
    for cand in candidates:
        if cand.lower() in lower:
            return lower[cand.lower()]
    raise KeyError(f"none of {candidates} in {list(frame.columns)[:12]}...")


# Pull several recent monthly releases and stack them. Field names below
# are resolved defensively because the rendered columns vary by release.
frames = [fetch_month(2026, m, 28) for m in range(1, 6)]
df = pd.concat([f for f in frames if not f.empty], ignore_index=True)
print(f"Enforcement orders loaded: {len(df):,}")

c_type = col(df, "actionType", "action type", "OrderType", "type")
c_date = col(df, "issueDate", "issued date", "EffectiveDate", "date")
c_resp = col(df, "respondent", "order title", "name", "party")
c_cmp  = col(df, "cmpAmount", "civilMoneyPenalty", "penalty", "amount")

# --- 1. Actions by type: C&D, consent, CMP, prohibition, restitution ---
print("\nOrders by action type:")
for t, n in df[c_type].fillna("(blank)").value_counts().items():
    print(f"  {str(t)[:40]:<40} {n:>6,}")

# --- 2. Actions by year ------------------------------------------------
df["_yr"] = pd.to_datetime(df[c_date], errors="coerce").dt.year
print("\nOrders by year (last 10):")
for yr, n in df["_yr"].value_counts().sort_index().tail(10).items():
    print(f"  {int(yr)}  {n:>6,}")

# --- 3. Largest civil money penalties ----------------------------------
df["_cmp"] = pd.to_numeric(df[c_cmp], errors="coerce")
top = df.dropna(subset=["_cmp"]).nlargest(10, "_cmp")
print("\nLargest civil money penalties in this pull:")
for _, row in top.iterrows():
    print(f"  ${row['_cmp']:>14,.0f}  {str(row[c_resp])[:44]}")

Two things about the script deserve emphasis. First, the defensive column resolution is not incidental: ED&O renders its results as a web page rather than a stable data feed, the visible columns vary by release, and the field names are not contractual, so hard-coding them is the surest way to write a script that breaks on the next refresh—the small col helper isolates that fragility in one place, and the search form's own export is the more durable source than parsing the page. Second, the certificate number is the bridge to the rest of the FDIC universe: once orders are in a DataFrame, the natural next step is to resolve each respondent to its cert and join on it to the BankFind institutions directory for asset size and charter class, and to the Call Report financials for the capital-and-asset-quality timeline, which is what converts a flat list of orders into the institution-resolved, financially contextualized analysis the dataset is built to support—the BankFind API and its bulk downloads are the genuine, documented home of that institution and financial data, even though the orders themselves are not in it.

Limitations and analytical caveats

The enforcement-actions dataset is the most comprehensive public record of FDIC bank enforcement, but it carries structural limitations that an analyst must internalize before drawing conclusions—or, worse, before acting on a match.

It is one regulator's record, not all of bank enforcement.The FDIC is the primary federal regulator only for state nonmember banks; national banks are enforced by the OCC, state member banks by the Federal Reserve, and credit unions by the NCUA. An action that one might expect against a large national bank may live entirely in the OCC's or the Fed's enforcement record and never appear here. Any analysis that treats the FDIC dataset as the universe of US bank enforcement will systematically understate activity against the institutions the FDIC does not primarily supervise. A complete picture requires combining this record with the parallel enforcement databases the other federal banking agencies publish.

Name-only matching produces false positives, especially for individuals. The individual respondents—the barred bankers—are recorded as free-text names, and common personal names will collide: a prohibition order against a “John Smith” will match many innocent John Smiths. The certificate number reliably identifies the institution involved, but resolving a named individual to a real person, or screening a job applicant against the prohibition list, requires confirming the match against additional identifying detail—the bank, the location, the date—rather than treating a name hit as a determination. As with every person-level federal list, a name match is a flag to investigate, not a conclusion, and the cost of getting it wrong runs in both directions.

An order is not an adjudication, and most are consent orders.The dominant form of action is the consent order, in which the respondent agrees to the terms without admitting or denying the findings. The presence of an order is therefore not the same as a litigated, proven finding of wrongdoing: it records that the FDIC asserted a basis and the respondent agreed to corrective terms, often as the pragmatic alternative to a contested proceeding. Reading a consent order as an adjudicated verdict over-reads what it is. Relatedly, the basis field summarizes the order's grounds; the full texture—the specific conduct, the magnitude, the remediation required—lives in the underlying order document in the public system, not in the structured extract.

Orders are terminated, and there is reporting lag. A cease-and-desist order stays in force only until the FDIC terminates it once the bank has fixed the underlying problems, and a termination is itself a recorded action. An analysis that counts outstanding orders without accounting for terminations will misstate the supervisory burden a bank currently carries, and one that ignores the termination_date cannot tell an active order from a resolved one. There is also a lag between the conduct, the order's issuance, and its appearance in the public system—orders are typically posted on a monthly cadence—so the most recent period is systematically under-represented in any snapshot. The dataset is authoritative for established patterns and multi-year trends; it is not a real-time monitor of what was issued last week.

Held with these caveats in mind, the fdic_enforcement table is a uniquely valuable resource: roughly 10,900 orders, institution-resolved by certificate number and date-stamped, recording where the FDIC compelled a bank to change course, where it fined an institution or an insider, and where it barred a banker from the industry for life—the supervisory record that sits between the country's state-chartered banks and the failures the agency exists to prevent.