The Federal Reserve is best known for setting interest rates, but it is also a bank supervisor—and when the institutions it watches over break the law or run themselves into the ground, it acts in public. Its enforcement record is the paper trail of those actions: the cease-and-desist orders, the consent orders, the civil money penalties, the written agreements, and the orders that bar a banker from the industry for life. Roughly 1,500 actions sit in this record, each naming a bank holding company, a state member bank, a foreign bank's US operation, or an individual insider, and recording what the Fed ordered them to do—or to stop doing—and when.
This article covers what the Federal Reserve enforcement dataset is and where it comes from; the Fed's distinctive supervisory remit at the holding-company level and why that vantage shapes the actions it brings; the legal authority behind enforcement and the spectrum of action types from the informal written agreement through the cease-and-desist order to the civil money penalty and the removal-and-prohibition order; the Bank Secrecy Act and anti-money-laundering emphasis that runs through so much of the record; the wave of post-2008 mortgage-servicing consent orders the Fed issued alongside the OCC; how the Federal Reserve fits the three-regulator banking trio with the OCC and the FDIC and how the three enforcement records together span the banking system; how this table joins to the FDIC and OCC enforcement data and the FDIC institutions directory; a Python workflow that pulls the actions, tallies them by type and year, and ranks institutions by action count; and the caveats—name-only matching, the informal-action blind spot, and the difference between an action and an adjudication—that every analyst must internalize.
What the dataset is
The Federal Reserve is the central bank of the United States, and one of its statutory roles is the supervision and regulation of a specific slice of the banking system. When the institutions in that slice—or the people who run them—violate banking law or engage in unsafe or unsound practices, the Board of Governors takes enforcement action. The Board publishes those actions: it is a matter of public record who was ordered to do what, and the searchable enforcement-actions archive on the Board's website is the authoritative source. This dataset is a structured rendering of that archive—roughly 1,500 actions—keyed by the action and by the institution or individual it names.
In our database the record is stored as the table fed_enforcement, with the grain of one row per action against a party: a single bank that is hit with a consent order in one year and a follow-on civil money penalty in another contributes two rows, and an order naming both an institution and its former chief executive may appear as more than one party-level record. The columns capture who was acted against, what kind of action it was, and when it took effect:
name -- the named party (banking organization or individual)
party_type -- institution (holding company, state member bank, foreign-bank US operation) or institution-affiliated party
action_type -- cease-and-desist / consent order, written agreement, civil money penalty, removal-and-prohibition, BSA order
effective_date -- the date the action takes effect
termination_date -- the date the action is terminated, if it has been
url -- link to the order document on federalreserve.gov
related_entity -- the holding company or bank the party is affiliated with
rssd_id -- Fed institution identifier, where the party is an institution

Three fields carry the analytic weight. The name and party type together say whether the action is against an institution (a holding company, a state member bank, a foreign bank's US branch or agency) or against an institution-affiliated party—a director, officer, employee, or other insider who can be pursued individually. The action type says what kind of action it is, which is the single most important attribute for understanding the severity and the legal posture of a case. And the effective date—paired, where present, with a termination date—anchors the action in time, which is what makes trend analysis and the join to other records possible. Where the named party is an institution, an RSSD identifier—the Fed's persistent institution key—can tie the action to the institution's full supervisory and financial profile.
The Federal Reserve's supervisory remit
To read the Fed's enforcement record you have to understand what the Fed actually supervises, because its remit is narrower and, in one respect, higher up the corporate structure than the popular image of it as “the bank regulator” suggests. The United States has three federal banking regulators, and they divide the system by charter type. The Federal Reserve is the primary federal supervisor of bank holding companies and financial holding companies—the parent companies that own banks—of state-chartered banks that are members of the Federal Reserve System (“state member banks”), and of the US operations of foreign banks, including their branches, agencies, and the holding companies through which they operate here.
The holding-company vantage is the defining feature. Most large American banks are owned by a holding company, and the Federal Reserve supervises that top-of-the-house parent on a consolidated basis—looking at the whole organization, not just the chartered bank inside it. This is the umbrella-supervisor role created and strengthened by the Bank Holding Company Act and, after the financial crisis, by the consolidated-supervision provisions of the Dodd-Frank Act. The practical consequence for the enforcement record is distinctive: the Fed's actions tend to address group-wide failures—deficiencies in enterprise risk management, capital planning, compliance, and governance that span an entire banking organization—rather than only the misconduct of a single chartered bank. When the Fed orders a holding company to strengthen its board oversight or its firmwide compliance program, it is exercising a kind of supervision that sits above the individual-bank level where the OCC and the FDIC operate.
The foreign-bank dimension is the Fed's other distinctive territory. Foreign banks operate in the United States through branches, agencies, and US holding-company structures, and the Federal Reserve is the umbrella supervisor of those US operations. A meaningful share of the Fed's enforcement actions—and some of its largest—concern foreign banking organizations: their US branches' Bank Secrecy Act and sanctions compliance, the adequacy of their US risk management, and their dealings with the US financial system. This is a category that the OCC and FDIC records carry far less of, and it is part of why the three banking-regulator enforcement records are complements rather than duplicates: each covers a different charter and structural slice of the system.
Legal authority and the spectrum of action types
The Federal Reserve's enforcement authority flows chiefly from the Federal Reserve Act, the Bank Holding Company Act, and the consolidated banking-enforcement provisions added to the Federal Deposit Insurance Act by the Financial Institutions Reform, Recovery, and Enforcement Act of 1989. Those statutes give the federal banking agencies a shared toolkit of formal enforcement instruments, and the Fed draws on the same instruments the OCC and FDIC do. The two trigger conditions are constant across the toolkit: a violation of law or regulation, or an unsafe or unsound practice—the elastic but foundational supervisory standard for conduct that, even if not strictly illegal, exposes the institution to abnormal risk of loss. The action types form a rough ladder of severity.
The written agreement is the most formal of the instruments the Fed publishes that is still essentially corrective rather than punitive. It is a negotiated document in which the institution agrees to a program of remediation—strengthen capital, fix the loan-review function, improve board oversight—on a defined schedule. It is a serious supervisory step that signals identified problems, but it stops short of the legal force of an order. (The Fed also uses still-less-formal supervisory tools, such as memoranda of understanding, that are generally not published; the public record is tilted toward the formal end of the spectrum, a point the caveats return to.)
The cease-and-desist order is the workhorse formal action. It directs a party to stop a violation or unsafe practice and, affirmatively, to take remedial steps—and unlike a written agreement it is a legally enforceable order, breach of which can itself trigger penalties. The overwhelming majority of cease-and-desist orders are issued by consent: the institution agrees to the order without admitting or denying the findings, which is why “consent order” and “cease-and-desist order” are often used interchangeably in the record. The civil money penalty (CMP) is the monetary sanction—a fine assessed against an institution or an individual for violations or unsafe practices, often levied alongside a consent order rather than alone. The removal-and-prohibition order is the most severe action aimed at people: it removes an institution-affiliated party from their position and bars them from participating in the affairs of any insured depository institution, a career-ending sanction reserved for serious misconduct involving personal dishonesty or willful disregard. Finally, the Fed issues orders under the Bank Secrecy Act, addressed in the next section, which frequently combine a cease-and-desist directive with a substantial CMP.
The Bank Secrecy Act and AML emphasis
If a single substantive theme runs through the Federal Reserve's modern enforcement record, it is anti-money-laundering compliance. The Bank Secrecy Act (BSA) and the anti-money-laundering (AML) regime built on top of it require banks to maintain programs to detect and report suspicious activity—customer due diligence, transaction monitoring, suspicious activity and currency transaction reporting, and a designated compliance function with board oversight. The federal banking agencies are responsible for examining the institutions they supervise for BSA/AML compliance, and the Fed, as the supervisor of holding companies and of foreign banks' US operations, sits squarely over some of the institutions where AML risk is highest.
BSA/AML deficiencies are a recurring driver of the Fed's most significant actions, and the holding-company and foreign-bank vantage is exactly why. AML failures are characteristically program-wide—a transaction-monitoring system that misses suspicious patterns, a due-diligence process that fails to identify high-risk customers, a compliance function that is under-resourced across the whole organization. Those are enterprise failures, and the Fed's consolidated supervision is built to reach them. The foreign-bank dimension compounds it: the US branches of foreign banks have repeatedly been the subject of large BSA orders, because cross-border banking is where money-laundering and sanctions-evasion risk concentrates. A Fed BSA order typically requires the institution to overhaul its compliance program under a detailed remediation plan, sometimes under independent review, and frequently pairs that cease-and-desist directive with a civil money penalty—and in the largest matters the Fed acts alongside other authorities, including state regulators and the Treasury Department's financial-crimes and sanctions offices, so that one underlying failure can generate parallel actions across several agencies.
The post-2008 mortgage-servicing consent orders
The single most visible episode in the Fed's recent enforcement history is the wave of mortgage-servicing consent orders that followed the 2008 financial crisis. In the aftermath of the housing collapse, the country's largest mortgage servicers were found to have engaged in deficient and unsafe foreclosure practices on a mass scale—the “robo-signing” of foreclosure affidavits without proper review, inadequate documentation, and failures in loss mitigation that harmed borrowers. Because the major servicers were units of large bank holding companies, the Federal Reserve, as the consolidated supervisor of those holding companies, issued a coordinated set of consent orders against them—in parallel with the Office of the Comptroller of the Currency, which acted against the national-bank servicers it supervised.
That episode is instructive about how the Fed's enforcement works and why its record looks the way it does. The orders were issued more or less simultaneously across multiple institutions, addressing the same category of failure—which is why the enforcement record shows clusters of similar actions concentrated in particular years rather than a smooth flow. They were holding-company-level orders aimed at firmwide servicing operations, the kind of group-wide action the Fed's remit is built for. And they were coordinated with another banking regulator, illustrating the recurring pattern in which a single industry-wide failure produces parallel actions split along charter lines between the Fed and the OCC. For an analyst, the practical lesson is that the Fed's actions are not independent random events: they cluster by theme and by episode, so that a year-by-year count is as much a map of the major supervisory campaigns—mortgage servicing, then AML, then capital and risk management—as it is a measure of any steady baseline of enforcement.
The three-regulator banking trio
The Federal Reserve is the third member of a trio of federal banking regulators whose enforcement records, taken together, span the entire US banking system. The division runs along charter and membership lines. The Federal Reserve supervises bank holding companies, state member banks, and foreign-bank US operations. The Office of the Comptroller of the Currency (OCC), a bureau of the Treasury Department, supervises nationally chartered banks and federal savings associations. The Federal Deposit Insurance Corporation (FDIC) supervises state-chartered banks that are not members of the Federal Reserve System (“state nonmember banks”), in addition to its system-wide role as the deposit insurer and receiver. Every insured bank in the country falls under one of these three as its primary federal regulator, determined by its charter and its Fed membership.
This division is why the three enforcement records are complementary, not redundant, and why joining them produces something none of them is alone: a near-complete map of formal bank supervision in the United States. A researcher studying, say, BSA/AML enforcement across the whole industry cannot rely on any one agency's record—the Fed's captures the holding companies and foreign banks, the OCC's captures the national banks, and the FDIC's captures the state nonmember banks. The three agencies coordinate through the Federal Financial Institutions Examination Council (FFIEC), which sets uniform examination principles and standards so that a state member bank and a national bank are examined against substantially the same expectations. That coordination is part of why the action types are common across the three records—cease-and-desist orders, civil money penalties, written agreements, and removal-and-prohibition orders mean the same things at each agency—which in turn is what makes a unified, cross-agency analysis tractable.
Joining to the OCC, FDIC, and institutions data
The Fed enforcement table is most powerful as one facet of an integrated banking-supervision record, and there are three joins that matter most—each one extending what a single agency's actions can tell you.
The first is to the OCC and FDIC enforcement records. Our fed_enforcement table is built to sit alongside the parallel OCC and FDIC enforcement tables, so that the three can be unioned into a single governmentwide bank-enforcement dataset. Because the action types are common across the agencies, a union supports questions no single record can answer: the total volume of, say, civil money penalties across all insured banks in a given year; the relative enforcement intensity of the three agencies; and—most interestingly—cases where the same institution or the same individual appears in more than one agency's record. A banker barred by one agency's removal-and-prohibition order is barred from the affairs of any insured depository institution, so that prohibition is relevant whether the next bank that person might join is national, state member, or state nonmember; tracing such a party across the three records is precisely the kind of analysis the union enables.
The second join is to the FDIC institutions directory. The FDIC maintains the master registry of every insured US bank—active and historical—with each institution's charter type, primary regulator, asset size, location, and identifiers, including the same RSSD institution key the Fed uses. Joining fed_enforcement to that directory by institution is what turns a bare enforcement action into a contextual one: it supplies the bank's size, charter, and status, so an analyst can normalize enforcement by asset size, confirm that an action's target really is a state member bank or holding-company subsidiary, and follow what later happened to the institution—whether it remediated, merged, or failed. Without the directory the actions are names; with it, each action is anchored to an institution of known size, charter, and fate.
The third, broader join is to the other federal records that name the same parties. A large BSA matter at a foreign bank's US branch may surface simultaneously in the Fed's record, in a Treasury financial-crimes or sanctions action, and in a state regulator's order; a fraud or False Claims matter that names a bank executive may connect to the federal exclusions record. Linking the Fed's actions to those adjacent datasets—on institution name, individual name, and shared identifiers—is what reveals the full enforcement footprint of a single underlying failure, which is almost always larger than any one agency's slice of it.
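The first join, sketched as an added example that is not code from the original article: it unions three agency tables, counts civil money penalties per year across them, and lists parties that appear in more than one agency's record. It assumes the OCC and FDIC tables expose the same name, action_type and effective_date columns as fed_enforcement; the agency tags and all rows are constructed placeholders, and a name match is a candidate to confirm, not a resolved identity.

```python
import re
from collections import Counter, defaultdict


def norm_name(name):
    """Lowercase, drop punctuation, collapse whitespace (first-pass key only)."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", (name or "").lower()).split())


def union(tables):
    """Stack per-agency row lists into one list, tagging each row with its agency."""
    return [{**row, "agency": agency} for agency, rows in tables.items() for row in rows]


def cmp_by_year(rows):
    """Civil money penalties per year across every agency in the union."""
    return Counter(int(r["effective_date"][:4]) for r in rows
                   if "civil money" in r["action_type"].lower())


def cross_agency(rows):
    """Parties whose normalized name appears under more than one agency."""
    seen = defaultdict(lambda: defaultdict(list))
    for r in rows:
        seen[norm_name(r["name"])][r["agency"]].append(
            (r["action_type"], r["effective_date"]))
    return {name: dict(by_agency) for name, by_agency in seen.items()
            if len(by_agency) > 1}


# Constructed sample tables; every party is a placeholder, not a real record.
TABLES = {
    "Fed": [
        {"name": "Jane Q. Placeholder", "action_type": "Order of Prohibition",
         "effective_date": "2015-03-02"},
        {"name": "Example Bancorp, Inc.", "action_type": "Civil Money Penalty",
         "effective_date": "2015-07-10"},
    ],
    "OCC": [
        {"name": "Jane Q Placeholder", "action_type": "Civil Money Penalty",
         "effective_date": "2016-01-15"},
        {"name": "Example National Bank", "action_type": "Civil Money Penalty",
         "effective_date": "2015-07-10"},
    ],
    "FDIC": [
        {"name": "Sample State Bank", "action_type": "Consent Order",
         "effective_date": "2015-09-01"},
    ],
}

if __name__ == "__main__":
    rows = union(TABLES)
    print(dict(cmp_by_year(rows)))
    for name, by_agency in cross_agency(rows).items():
        print(name, by_agency)
```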
Analytical uses
A structured, date-stamped, party-resolved record of Federal Reserve enforcement supports a set of analyses that a casual reading of individual orders cannot.
Enforcement trends by type and year is the most immediate use. Because each action carries an action type and an effective date, an analyst can chart how the mix and the volume of actions shift over time—the spike of mortgage-servicing consent orders after 2008, the steady stream of BSA orders, the cadence of civil money penalties—and read those movements as a record of the Fed's supervisory priorities. As the dataset overview noted, the actions cluster by episode, so the trend line is best read as a history of supervisory campaigns rather than as a smooth enforcement baseline.
Ranking institutions and individuals by action count exploits the named-party field to surface the banks and bankers that recur in the record—institutions with a chain of actions across years, which is often a signal of persistent, unremediated problems, and individuals named across more than one institution. Severity and penalty analysis uses the action type, and where available the penalty amount, to weight actions by seriousness rather than counting them equally, distinguishing a written agreement from a removal order or a large CMP. And the cross-agency union—joining the Fed, OCC, and FDIC records—supports the genuinely system-wide questions: the industry-wide volume of a given action type, the parties pursued by more than one regulator, and the full reach of an industry-wide failure across the charter divide.
Python workflow: actions by type, by year, and by institution
The script below pulls the Federal Reserve enforcement-actions export from the Board's website, normalizes the free-text action label into a coarse family so consent orders, civil money penalties, written agreements, and prohibitions group cleanly, and then produces three views: actions by type, actions per year, and the named parties ranked by action count. No API key is required—the Board publishes the record through its public enforcement-actions search and a downloadable export. Because the export's column headers vary between Board releases, the script resolves the working column names defensively rather than hard-coding them.
import requests, io, csv
import pandas as pd
from collections import Counter

# Federal Reserve Board enforcement actions -- public, no API key.
#
# The Board publishes its enforcement actions through the search page
# at federalreserve.gov/supervisionreg/enforcementactions.htm and offers
# a downloadable spreadsheet of the full record. The export path and the
# exact column headers shift between Board releases, so isolate the URL
# here and resolve column names defensively rather than hard-coding them.
EXPORT_URL = "https://www.federalreserve.gov/supervisionreg/files/enforcementactions.csv"

def load_actions(url=EXPORT_URL):
    r = requests.get(url, timeout=300)
    r.raise_for_status()
    text = r.content.decode("utf-8", errors="replace")
    return pd.DataFrame(list(csv.DictReader(io.StringIO(text))))

def col(frame, *candidates):
    # Resolve a column by trying several known header spellings.
    lower = {c.lower(): c for c in frame.columns}
    for cand in candidates:
        if cand.lower() in lower:
            return lower[cand.lower()]
    raise KeyError(f"none of {candidates} in {list(frame.columns)[:12]}...")

df = load_actions()
print(f"Enforcement actions loaded: {len(df):,}")

c_name = col(df, "Banking Organization", "Individual", "Individual or Entity", "Name")
c_type = col(df, "Action", "Type", "Provision/Action")
c_eff = col(df, "Effective Date", "Action Date", "Date")

# Parse the effective date and derive a year for trend work.
df["_dt"] = pd.to_datetime(df[c_eff], errors="coerce")
df["_year"] = df["_dt"].dt.year

# --- 1. Actions by type ------------------------------------------------
# Normalize the free-text action label to a coarse family so consent
# orders, C&D orders, CMPs, written agreements, and prohibitions group.
def family(label):
    s = (label or "").lower()
    if "civil money" in s or "penalt" in s: return "Civil money penalty"
    if "prohibit" in s or "removal" in s: return "Removal / prohibition"
    if "written agreement" in s: return "Written agreement"
    if "cease" in s or "consent" in s: return "Cease-and-desist / consent"
    if "bank secrecy" in s or "bsa" in s: return "Bank Secrecy Act"
    return "Other"

df["_family"] = df[c_type].map(family)
print("\nActions by type:")
for fam, n in df["_family"].value_counts().items():
    print(f" {fam:<30} {n:>5,}")

# --- 2. Actions by year ------------------------------------------------
print("\nActions per year (last 10 reported):")
by_year = df.dropna(subset=["_year"]).groupby("_year").size()
for yr, n in by_year.tail(10).items():
    print(f" {int(yr)} {n:>4,} {'#' * min(int(n), 50)}")

# --- 3. Institutions ranked by action count ----------------------------
# Many institutions appear more than once across years and action types.
print("\nTop 15 named parties by action count:")
for name, n in Counter(df[c_name].fillna("(unknown)")).most_common(15):
    print(f" {str(name)[:46]:<46} {n:>3,}")
Two practical notes apply. First, the family function that buckets the free-text action label is deliberately coarse and order-dependent—a real classification should be validated against the Board's own action-type vocabulary and should handle the compound actions that pair, say, a cease-and-desist directive with a civil money penalty, which a single-label bucketing will assign to only one family. Second, the institution ranking keys on the raw name string, which means its quality depends entirely on entity resolution: the same banking organization can appear under slightly different name spellings across years, and a holding company and its bank subsidiary are distinct names for what is, supervisorily, one organization. For serious work, resolve parties to a stable identifier—the RSSD key for institutions—before counting, exactly what the join to the FDIC institutions directory described above provides.
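Both notes, worked through as an added example that is not part of the original script: a multi-label version of the family bucketing that counts a compound action in every family it names, and a ranking that resolves parties to the RSSD key before counting. The column names follow the fed_enforcement schema above; the sample rows, names and RSSD values are constructed placeholders.

```python
from collections import Counter, defaultdict

# Substring -> family, mirroring the buckets of the single-label family().
FAMILY_RULES = [
    ("civil money", "Civil money penalty"),
    ("penalt", "Civil money penalty"),
    ("prohibit", "Removal / prohibition"),
    ("removal", "Removal / prohibition"),
    ("written agreement", "Written agreement"),
    ("cease", "Cease-and-desist / consent"),
    ("bank secrecy", "Bank Secrecy Act"),
    ("bsa", "Bank Secrecy Act"),
]
CONSENT = "Cease-and-desist / consent"
REMOVAL = "Removal / prohibition"


def families(label):
    """Return every family a label matches, so compound actions count in each."""
    s = (label or "").lower()
    found = []
    for needle, fam in FAMILY_RULES:
        if needle in s and fam not in found:
            found.append(fam)
    # "consent" describes how an order was entered. Keep the precedence of the
    # single-label version: it means cease-and-desist only when the label does
    # not name a prohibition or removal.
    if "consent" in s and CONSENT not in found and REMOVAL not in found:
        found.append(CONSENT)
    return found or ["Other"]


def party_key(row):
    """Prefer the RSSD identifier; fall back to a case/whitespace-folded name."""
    rssd = (row.get("rssd_id") or "").strip()
    if rssd:
        return ("rssd", rssd)
    return ("name", " ".join((row.get("name") or "").lower().split()))


def family_counts(rows):
    """Count families across rows; a compound action adds to several families."""
    counts = Counter()
    for row in rows:
        counts.update(families(row.get("action_type")))
    return counts


def rank_parties(rows):
    """Rank parties by action count after resolving them to party_key()."""
    counts, spellings = Counter(), defaultdict(set)
    for row in rows:
        key = party_key(row)
        counts[key] += 1
        spellings[key].add(row.get("name") or "(unknown)")
    return [(key, n, sorted(spellings[key])) for key, n in counts.most_common()]


# Constructed sample rows; names and RSSD values are placeholders, not real parties.
SAMPLE = [
    {"name": "Example Bancorp, Inc.", "rssd_id": "9000001",
     "action_type": "Cease and Desist Order and Order of Assessment of a Civil Money Penalty"},
    {"name": "Example Bancorp Inc", "rssd_id": "9000001", "action_type": "Written Agreement"},
    {"name": "EXAMPLE BANCORP", "rssd_id": "9000001", "action_type": "Civil Money Penalty"},
    {"name": "Sample State Bank", "rssd_id": "9000002", "action_type": "Written Agreement"},
    {"name": "Jane Q. Placeholder", "rssd_id": "", "action_type": "Consent Order of Prohibition"},
]

if __name__ == "__main__":
    for fam, n in family_counts(SAMPLE).most_common():
        print(f"{fam:<30} {n}")
    for key, n, names in rank_parties(SAMPLE):
        print(key, n, names)
```

Counting raw name strings on the same rows gives the holding company three separate entries of one action each; keyed on RSSD it is one party with three.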
Limitations and analytical caveats
The Federal Reserve enforcement record is authoritative and public, but it captures only part of the supervisory picture, and several features must be held in mind before drawing conclusions.
The record is formal actions only—the informal supervision is invisible. The most important caveat is that what the Fed publishes is the formal end of the enforcement spectrum: written agreements, cease-and-desist and consent orders, civil money penalties, and prohibition orders. A great deal of supervision happens through informal tools that are generally not made public—examination findings, supervisory letters, memoranda of understanding, and the confidential ratings the agencies assign. An institution can be under intense supervisory pressure without a single public enforcement action against it. The published record therefore measures the visible tip of supervision, and a low action count at an institution or in a period is not evidence of a problem-free institution or a quiet supervisory environment—it may simply mean the pressure was applied through channels that never reach the public archive.
Name-only matching produces false positives and misses entities. Joining the record to itself or to other datasets on the named-party string carries the familiar hazards. Common bank and personal names collide; a holding company and its subsidiaries appear under related but distinct names; the same institution's name changes across mergers and rebrandings. Any analysis that counts or links parties by name alone—ranking institutions, detecting repeat offenders, joining to the OCC and FDIC records—must be treated as a first pass to be confirmed against stable identifiers (the RSSD key) and corporate-family structure, not as a finished result.
An action is not an admission, and a consent order is not an adjudication. The overwhelming majority of the Fed's formal actions are entered by consent, in which the institution agrees to the order's terms without admitting or denying the underlying findings. A consent order documents what the Fed required and what conduct it was concerned about; it is not a court judgment that the violations occurred as alleged. Treating the findings recited in a consent order as adjudicated facts over-reads them. Likewise, the existence of an action says nothing on its own about how serious the matter ultimately proved to be—a written agreement and a large civil money penalty are both “an action,” and only the action type and, where present, the penalty amount distinguish their gravity.
There is reporting lag and the record evolves. An action appears in the public archive after it is issued and posted, so the most recent weeks are systematically under-represented in any snapshot. More subtly, actions are terminated when an institution satisfies the order's requirements, and the termination is itself recorded—so the meaning of a row changes over its life, from an open, active order to a closed, satisfied one. An analysis that treats every action as currently in force overstates the live supervisory burden; one that ignores terminations loses the information about which institutions actually remediated. The dataset is authoritative for the history of formal actions; it is best read as a living record whose entries have life cycles, not as a static list.
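The life-cycle point above, as an added example that is not from the original article: it separates the flow of actions issued each year from the stock of actions still in force at each year end, using effective_date and termination_date. It assumes both columns hold ISO dates (YYYY-MM-DD) with an empty termination_date for open actions, and treats an action as no longer in force on its termination date; the rows are constructed placeholders.

```python
from collections import Counter
from datetime import date


def _d(value):
    """Parse an ISO date string; empty or missing values become None."""
    return date.fromisoformat(value) if value else None


def in_force(row, as_of):
    """True if the action had taken effect and was not yet terminated on as_of."""
    eff, term = _d(row.get("effective_date")), _d(row.get("termination_date"))
    if eff is None or eff > as_of:
        return False
    return term is None or term > as_of


def issued_per_year(rows):
    """Flow: how many actions took effect in each year."""
    return Counter(_d(r["effective_date"]).year for r in rows if r.get("effective_date"))


def in_force_at_year_end(rows, years):
    """Stock: how many actions were open on 31 December of each year."""
    return {y: sum(in_force(r, date(y, 12, 31)) for r in rows) for y in years}


def days_to_termination(rows):
    """Days from effective date to termination, for terminated actions only."""
    out = {}
    for r in rows:
        eff, term = _d(r.get("effective_date")), _d(r.get("termination_date"))
        if eff and term:
            out[(r["name"], r["effective_date"])] = (term - eff).days
    return out


# Constructed sample rows; parties and dates are placeholders.
SAMPLE = [
    {"name": "Example Bancorp", "effective_date": "2011-04-13", "termination_date": "2013-02-28"},
    {"name": "Sample Holdings", "effective_date": "2011-04-13", "termination_date": ""},
    {"name": "Sample State Bank", "effective_date": "2012-06-01", "termination_date": "2012-12-15"},
    {"name": "Example Bancorp", "effective_date": "2014-09-30", "termination_date": "2016-01-20"},
]

if __name__ == "__main__":
    print("issued:  ", dict(issued_per_year(SAMPLE)))
    print("in force:", in_force_at_year_end(SAMPLE, range(2011, 2017)))
    print("days:    ", days_to_termination(SAMPLE))
```

On these rows no action is issued in 2013, 2015 or 2016, yet at least one order is in force at every year end, which is the difference between counting actions and measuring the live supervisory burden.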
Held with those caveats, fed_enforcement is a uniquely valuable record: roughly 1,500 formal actions naming the bank holding companies, state member banks, foreign-bank US operations, and insiders that the Federal Reserve has ordered to fix what was broken or to leave the industry—the holding-company-level slice of a three-agency enforcement system that, joined across the Fed, the OCC, and the FDIC, maps the formal supervision of the entire American banking system.
Related writing
FDIC Enforcement Actions: The Federal Record of Orders Against Banks and Bankers — The FDIC covers the state nonmember banks the Fed does not, so its enforcement record is the second of the three banking-regulator slices that union together into a system-wide map; the same action types—consent orders, civil money penalties, removal-and-prohibition orders—mean the same things across both.
OCC Enforcement: The Federal Record of Actions Against National Banks — The OCC supervises the national banks, and it acted alongside the Fed in the post-2008 mortgage-servicing consent orders, making the two records the cleanest illustration of how a single industry-wide failure splits into parallel actions along the charter divide.
FDIC Institutions: The Federal Registry of Every US Bank, Active and Historical — The master registry that supplies the charter, size, primary regulator, and RSSD identifier needed to anchor each Fed enforcement action to a real institution and to normalize enforcement by bank size.