NCUA Enforcement: The Federal Record of Actions Against Credit Unions

A credit union is a bank that its customers own. It has no shareholders to enrich, no stock to issue—just members who pool their savings to lend to one another. But a member-owned cooperative can fail, and its officers can steal, exactly as a bank can, and when that happens the same federal agency that chartered and insured the institution moves against it: a cease-and-desist order, a civil money penalty, an officer barred for life from the industry, or, at the end of the line, the seizure and unwinding of the credit union itself. The NCUA enforcement record holds roughly 1,400 of those actions—the credit-union half of the country's depository-supervision machinery, the half the bank enforcement records never see.

This article covers what the NCUA enforcement dataset is and what one row represents; the agency itself—an independent federal regulator that, unusually, charters, supervises, and insures the institutions it polices—and the National Credit Union Share Insurance Fund that backs member deposits; the Federal Credit Union Act and how the cooperative, not-for-profit, field-of-membership frame differs from bank supervision even as the enforcement tools mirror the banking regulators; the full ladder of actions, from a consent order to a civil money penalty to a prohibition order to conservatorship and liquidation; the recurring themes—Bank Secrecy Act and anti-money-laundering deficiencies, recordkeeping failures, and outright fraud at small institutions; how the record joins to the FDIC, OCC, and Federal Reserve enforcement datasets to span every federally insured depository in the United States; a Python workflow that pulls the actions from ncua.gov and tallies them by type, year, and repeat respondent; and the caveats every analyst must hold before drawing conclusions from the data.

What the dataset is

The NCUA publishes, on its website, the formal enforcement actions it has taken against credit unions and the individuals associated with them. Each action is a public document—a consent order, a civil money penalty assessment, a prohibition notice, an order placing a credit union into conservatorship—and the dataset is the structured record of those documents. The grain is one row per enforcement action, keyed to the credit union or the individual against whom the action runs. A single credit union that incurs several actions over a period contributes several rows; a single action against a named officer contributes one. Across the public record there are roughly 1,400 of these actions.

In our database the record is stored as the table ncua_enforcement. The columns capture who the action runs against, what kind of action it is, the legal basis, the dates, and any monetary amount:

respondent_name      -- the credit union or individual the action names
respondent_type      -- institution (credit union) or individual (official)
charter_number       -- NCUA charter number, where the respondent is a CU
city_state           -- location of the credit union
action_type          -- consent order, civil money penalty, prohibition,
                        conservatorship, liquidation, cease-and-desist
action_basis         -- statute / regulation cited (e.g. BSA, unsafe-or-unsound)
penalty_amount       -- civil money penalty assessed, where applicable
effective_date       -- date the action takes effect
termination_date     -- date the order is terminated / lifted, where applicable
document_id          -- the published order or notice identifier

The respondent_type field carries more weight than it appears to. Enforcement runs against two very different kinds of party. An action against an institution—the credit union itself—addresses the conduct or condition of the organization: a deficient Bank Secrecy Act program, an unsafe lending practice, an inadequate capital position. An action against an individual—a director, officer, or employee, an “institution-affiliated party” in the statutory language—addresses a person's misconduct, and its most powerful form, the prohibition order, bars that person from working at any federally insured depository, not merely the one where the misconduct occurred. The charter_number is the join key for institutional actions: the NCUA assigns each federally insured credit union a charter number, and that number ties an enforcement action to the same credit union's Call Report financials, its field-of-membership record, and its supervisory history. The action_type and action_basis together are the analytic payload—they tell you not just that the agency acted, but how severely and on what legal grounds.

What the NCUA is, and the Share Insurance Fund

The National Credit Union Administration (NCUA) is the independent federal agency that charters, supervises, and insures the nation's credit unions. It was created in 1970, consolidating the federal credit-union function that had previously moved among several agencies, and it is run by a board appointed by the President and confirmed by the Senate. The NCUA occupies an unusual position among federal financial regulators: it is a combined chartering authority, prudential supervisor, and deposit insurer all in one. For federal credit unions it is the chartering agency—the body that grants a group the legal authority to operate as a credit union. For all federally insured credit unions, federal and state-chartered alike, it is the insurer and, in its insurance capacity, an examiner and enforcer. The bank world splits these functions across several agencies; in the credit-union world the NCUA holds most of them at once.

The instrument that ties it all together is the National Credit Union Share Insurance Fund (NCUSIF), the credit-union analogue to the FDIC's Deposit Insurance Fund. The NCUSIF insures the share accounts—in credit-union vocabulary a deposit is a “share,” reflecting the member's ownership stake—of members at federally insured credit unions, backing those accounts up to the same $250,000 limit that applies to bank deposits, and the fund carries the full faith and credit of the United States. The fund is the source of the NCUA's deepest enforcement interest: every dollar a failing credit union loses beyond its capital is a dollar the insurance fund—ultimately the other credit unions that capitalize it, and behind them the taxpayer—may have to make good. That exposure is why the agency does not merely write rules but examines, cites, and, when prevention fails, seizes. Enforcement is the NCUA protecting the fund.

The cooperative frame and how it differs from bank supervision

A credit union is not a small bank. It is a different kind of institution, and the differences shape what the supervisor watches and how the enforcement record reads. The governing statute is the Federal Credit Union Act, and its defining premises are that a credit union is member-ownedand not-for-profit. There are no outside shareholders; the members who deposit are the owners, and the institution exists to serve them at cost rather than to generate a return for investors. Earnings, after reserves, return to members as better rates and lower fees rather than as dividends to shareholders. This is the cooperative structure, and it changes the supervisory question subtly: there is no equity market signaling distress, no stock price for an examiner to watch, and the governance runs through a volunteer board elected one-member-one-vote rather than by share ownership.

The second structural difference is the field of membership. A credit union may not serve the general public; it may serve only a defined group bound by a common bond—employees of a particular employer, members of an association, residents of a defined community. The field-of-membership rules govern who may join, and they are a live regulatory subject, because expansions of the common bond, conversions between charter types, and the boundary between a credit union and a bank are perennially contested. For the enforcement record this matters because membership and chartering questions are part of the supervisory frame in a way they simply are not for banks: a credit union can run into trouble not only over how it lends but over whether it is serving a field of membership it is authorized to serve.

Yet—and this is the crucial point for reading the data—the enforcement tools mirror the banking regulators almost exactly. The same statutory apparatus that lets the FDIC, the OCC, and the Federal Reserve issue cease-and-desist orders, assess civil money penalties, and remove and bar individuals applies, in parallel form, to the NCUA. The substantive standards an examiner enforces—safety and soundness, capital adequacy, the Bank Secrecy Act, consumer-protection rules—are largely shared across all federally insured depositories. So the difference between credit-union and bank supervision is one of detail and frame—the cooperative ownership, the not-for-profit purpose, the field-of-membership constraint, the share-insurance fund—layered over an enforcement machinery that is fundamentally the same. That is precisely what makes the four depository-regulator enforcement records joinable and comparable: they describe the same kinds of action against the same kinds of failure, applied to institutions that differ in ownership but not in the public's reliance on their soundness.

The ladder of enforcement actions

The actions in the dataset form a ladder of escalating severity, and reading the action_type is how you place a row on it. The agency reaches for the lowest rung that addresses the problem and climbs only as the problem resists correction or the institution's condition deteriorates.

Cease-and-desist and consent orders are the workhorse. A cease-and-desist order directs a credit union (or an individual) to stop a violation or an unsafe-or-unsound practice and, often, to take affirmative corrective steps—fix the BSA program, raise capital, tighten lending. Most are issued by consent: the respondent agrees to the order without admitting or denying the findings, which resolves the matter without a contested hearing. A consent order is the most common formal action, and its terms—the specific deficiencies it requires the institution to remedy—are where the substance of a supervisory problem is laid out in public.

Civil money penalties (CMPs) are the monetary sanction. The agency can assess a money penalty for violations of law and regulation and for unsafe-or-unsound practices, and one recurring, almost administrative, use deserves particular mention: penalties for late or inaccurate Call Report filing. Every federally insured credit union must file a quarterly Call Report (the 5300) reporting its financial condition; a credit union that files late or files materially inaccurate data can be assessed a civil money penalty, and these filing-related penalties are a distinct, high-count stream in the record—more clerical than scandalous, but a genuine enforcement category that any tally by type will surface.

Prohibition orders run against people. When a director, officer, or employee has engaged in misconduct—dishonesty, breach of fiduciary duty, a violation that caused loss—the agency can issue a prohibition (removal-and-prohibition) order that bars that individual from participating in the affairs of any federally insured depository institution. This is the industry death penalty for an individual, and its reach is governmentwide across the depository system: a person prohibited by the NCUA is barred from banks as well as credit unions, just as a person barred by a banking regulator is barred from credit unions. The prohibition order is the single most consequential individual sanction in the dataset.

Conservatorship and liquidation are the end of the ladder, and they run against the institution itself. When a credit union is so troubled that it can no longer be left to its own management, the NCUA can place it into conservatorship—taking control of the institution, installing the agency (or an agent) to run it, and attempting to rehabilitate it or arrange a merger into a sound credit union. When rehabilitation is impossible, the agency proceeds to liquidation: it closes the credit union, pays out the insured shares from the Share Insurance Fund, and winds down the assets. These are not corrective orders aimed at changing behavior; they are the resolution of a failure, and they are where the enforcement record and the insurance-fund record meet. A liquidation row is the terminal event for an institution—the point at which prevention has run out and the fund absorbs the loss.

Recurring themes: BSA, recordkeeping, and fraud at small institutions

Read across the action_basis field and the same causes recur, and they cluster in a way that reflects the structure of the credit-union industry—a large number of very small institutions, many run by thin staff, alongside a smaller number of large, sophisticated ones.

Bank Secrecy Act and anti-money-laundering deficienciesare among the most common bases for formal action. The Bank Secrecy Act requires every financial institution, credit unions included, to maintain a program to detect and report money laundering—to file suspicious activity reports and currency transaction reports, to know its members, and to monitor transactions. A small credit union with limited staff can struggle to run a compliant BSA/AML program, and a deficient program—missing policies, untrained staff, unfiled reports—is a classic trigger for a consent order requiring remediation, and sometimes for a civil money penalty. BSA/AML is one of the largest single themes in the depository enforcement records across all four regulators, and the credit-union record is no exception.

Recordkeeping and reporting failures are the second recurring theme, and they shade from the clerical into the serious. At the mild end are the Call Report filing problems already described. At the more serious end are recordkeeping failures that obscure the institution's true condition—inadequate books, missing documentation of loans, controls so weak that the credit union cannot reliably state what it owns and owes. Poor recordkeeping is rarely the whole of a problem, but it is frequently the symptom that surfaces a deeper one and the deficiency a corrective order requires the institution to fix first, because nothing else can be supervised reliably until the books can be trusted.

Fraud at small institutions is the theme behind a disproportionate share of the most severe actions—the prohibitions, the conservatorships, the liquidations. A very small credit union, run by a manager with broad authority and little independent oversight, is structurally vulnerable to insider fraud: embezzlement, fictitious loans, the diversion of member funds. Because the institution is small, a single dishonest official can cause losses large relative to its capital, and the failure can come quickly. This is why the individual-prohibition and the institution-failure ends of the dataset are linked: the same insider fraud that bars a person for life is often the event that sinks the credit union and forces the fund to pay out. The skew of the credit-union industry toward many small institutions is, in this respect, directly visible in the shape of its enforcement record.

The four-regulator picture and how the records join

The NCUA enforcement record is most valuable as the piece that completes a set. Federal depository supervision is divided among four agencies: the FDIC and the OCC and the Federal Reserve cover banks (and bank holding companies), and the NCUA covers credit unions. Together their four enforcement datasets span every federally insured depository institution in the United States—there is no federally insured place to keep money that one of the four does not supervise. An analyst who has only the bank records has three-quarters of the picture; adding the NCUA record closes it.

Because all four regulators draw on the same statutory enforcement toolkit, the records are structurally joinable and comparable. The action types line up—cease-and-desist, consent order, civil money penalty, prohibition—so a cross-regulator tally of, say, BSA/AML enforcement, or of individual prohibitions, can be built by stacking the four datasets and harmonizing the type and basis fields. The individual dimension is where the join is most powerful: a prohibition order is governmentwide across the depository system, so a person barred by the NCUA should not turn up employed at an FDIC-supervised bank, and matching the named individuals across the four records—by name, with the usual care—tests exactly that. The institutional dimension joins through identifiers and geography: a credit union's NCUA charter number ties its enforcement history to its Call Report financials, just as a bank's FDIC certificate number ties its actions to its call-report data, letting an analyst relate enforcement intensity to institution size, condition, and trend across the whole insured-depository universe rather than within a single regulator's silo.

Analytical uses

A complete, type-coded, date-stamped record of enforcement against credit unions supports a distinct set of analyses, several of which only become possible once the record is read as a dataset rather than as a stack of individual orders.

Enforcement composition and trend is the most immediate. Tallying actions by type reveals the mix—how many consent orders versus civil money penalties versus prohibitions versus failures—and tallying by year reveals the cadence, which tends to rise in and after periods of financial stress as troubled institutions surface. Separating the high-count, low-severity stream (Call Report penalties) from the low-count, high-severity stream (conservatorships and liquidations) is essential, because a raw count of “actions” conflates a clerical fine with the seizure of an institution.

Repeat-respondent and individual-tracking analysisexploits the respondent fields. Normalizing the party name surfaces credit unions that incur multiple actions—the chronically troubled institutions—and tracing named individuals across actions, and across the bank enforcement records, reveals people who recur: an officer prohibited at one institution who appears in the record of another, the cross-regulator pattern the governmentwide bar is meant to prevent. As always with name-based work, the quality of this analysis is bounded entirely by the entity resolution applied to the free-text name field.

Failure and resolution study uses the conservatorship and liquidation rows as the terminal events in a credit union's life, joined to its Call Report history through the charter number, to ask what precedes failure—which deficiencies were cited, how far in advance, and whether earlier corrective orders predicted the eventual collapse. And cross-regulator comparison brings the four-record picture to bear: stacking the NCUA, FDIC, OCC, and Fed records to compare how the credit-union supervisor's enforcement posture—its mix of actions, its use of penalties, its propensity to bar individuals—differs from the bank regulators', holding the cooperative structure in mind as the explanation for the differences that emerge.

Python workflow: pulling and tallying the actions

The script below reads the NCUA enforcement-actions listing from the agency's website—the public record at ncua.gov, no key required—into a DataFrame, then computes three of the core views: actions by order family (collapsing the raw action labels into consent orders, civil money penalties, prohibitions, conservatorships, and liquidations), actions by year, and the credit unions and individuals with the most actions. Because the published listing's page path and column labels shift between site refreshes, the script isolates those in one place and resolves the column names defensively rather than hard-coding them; any production use should be validated against the current enforcement-actions pages and should prefer a bulk export where the agency provides one. Requirements: requests, pandas, and an HTML parser (lxml) for read_html.

import requests, re
import pandas as pd
from collections import Counter

# NCUA publishes its enforcement actions on the agency website
# (ncua.gov), under the Regulation & Supervision -> Enforcement
# Actions pages. No API key is required for the public record.
#
# The agency exposes the actions as browsable pages and, for bulk
# work, as downloadable listings. The script below reads the public
# listing into a DataFrame; the exact page/file path and column
# labels shift between site refreshes, so isolate them here and
# confirm against the current ncua.gov enforcement-actions pages.
#   - landing page: https://ncua.gov/regulation-supervision/enforcement-actions
# This works from a flat listing because it ships every action in
# one pass and carries no rate limit.
LISTING_URL = "https://ncua.gov/regulation-supervision/enforcement-actions"


def load_actions(url=LISTING_URL):
    # The listing is published as an HTML table; pandas.read_html
    # parses the visible columns directly. Fall back to a CSV/JSON
    # export where the agency provides one for a given release.
    r = requests.get(url, timeout=120, headers={"User-Agent": "research"})
    r.raise_for_status()
    tables = pd.read_html(r.text)
    # Pick the widest table on the page (the actions listing).
    return max(tables, key=lambda t: t.shape[1])


def col(frame, *candidates):
    lower = {c.lower(): c for c in frame.columns.astype(str)}
    for cand in candidates:
        for key, original in lower.items():
            if cand.lower() in key:
                return original
    raise KeyError(f"none of {candidates} in {list(frame.columns)[:10]}")


df = load_actions()
print(f"Enforcement actions loaded: {len(df):,}")

c_party = col(df, "credit union", "name", "respondent", "party")
c_type  = col(df, "action", "type", "document")
c_date  = col(df, "date", "effective", "issued")


# --- 1. Actions by type (order family) ---------------------------------
def family(label):
    s = str(label).lower()
    if "liquidat" in s:          return "Liquidation"
    if "conservator" in s:       return "Conservatorship"
    if "prohibition" in s or "removal" in s: return "Prohibition / removal"
    if "civil money" in s or "cmp" in s or "penalt" in s: return "Civil money penalty"
    if "cease" in s or "consent" in s or "c&d" in s: return "Cease-and-desist / consent"
    return "Other"

df["_family"] = df[c_type].map(family)
print("\nActions by family:")
for fam, n in df["_family"].value_counts().items():
    print(f"  {fam:<28} {n:>5,}")


# --- 2. Actions by year ------------------------------------------------
years = pd.to_datetime(df[c_date], errors="coerce").dt.year
print("\nActions by year (most recent 10):")
for yr, n in years.value_counts().sort_index().tail(10).items():
    print(f"  {int(yr)}  {n:>4,}")


# --- 3. Credit unions with the most actions ----------------------------
# Normalize the party name so repeat respondents collapse to one key.
def norm(name):
    s = re.sub(r"[^a-z0-9 ]", " ", str(name).lower())
    s = re.sub(r"\b(federal|fcu|cu|credit|union|the)\b", " ", s)
    return " ".join(s.split())

df["_party"] = df[c_party].map(norm)
print("\nMost-cited parties:")
for party, n in Counter(df["_party"]).most_common(12):
    if party:
        print(f"  {party[:42]:<42} {n:>3,}")

Two points about the script matter. First, the family() classifier is a convenience, not a substitute for the agency's own document labels—a single published action can carry more than one label (a combined cease-and-desist and civil-money-penalty order, say), and the keyword mapping picks one bucket where a careful analysis would record both; for anything load-bearing, read the action_type field as published rather than the collapsed family. Second, the most-cited-parties tally is only as good as the name normalization: stripping the “Federal,” “Credit Union,” and “FCU” tokens collapses obvious variants, but genuine entity resolution—and especially matching individuals across the NCUA record and the three bank-regulator records—requires the same disciplined, identifier-anchored approach that every name-based join across these datasets demands.

Limitations and analytical caveats

The NCUA enforcement record is the authoritative public account of formal action against credit unions, but it has boundaries an analyst must respect before drawing conclusions from it.

It records formal actions, not the whole of supervision.The dataset captures the public, formal enforcement actions—the orders and notices the agency publishes. It does not capture the much larger volume of informal supervisory activity—examination findings, documents of resolution, letters of understanding, and other non-public corrective steps—through which most supervisory problems are actually resolved. A credit union absent from the enforcement record is not necessarily a credit union without supervisory issues; it may be one whose issues were handled informally. The record is the tip of the supervisory iceberg, and reading the absence of a formal action as a clean bill of health misreads what the data is.

Action counts conflate severity. The single most important interpretive caution is that a raw count of actions treats a civil money penalty for a late Call Report and the liquidation of a failed institution as one unit each. They are not remotely comparable. Any analysis that ranks years, regulators, or institutions on “number of actions” without separating the high-volume, low-severity stream from the rare, terminal events will be measuring the wrong thing. The order family is the minimum stratification any honest tally requires.

There is reporting lag and the record is published, not instantaneous. A formal action becomes a row only after it is issued and posted, and there is an interval between the underlying conduct, the agency's decision, and the document's appearance on the website. The most recent months are therefore systematically under-represented in any snapshot, which means recency-sensitive metrics—the count of actions “this year”—will understate the true figure at the leading edge. The record is reliable for established patterns and multi-year trends, not as a real-time monitor of last month's enforcement.

Name matching across institutions and individuals is hard.Credit-union names are repetitive—countless institutions are named for an employer, a place, or a saint, and many share words—and individual names collide as they do everywhere. Joining the NCUA record to the bank-regulator records, or to a credit union's Call Report history, demands the institutional identifiers (the NCUA charter number, the counterpart certificate numbers on the bank side) wherever they are available, and treats a bare name match as a candidate to confirm, never a conclusion. The governmentwide reach of a prohibition order makes the cross-regulator individual join especially valuable—and especially exposed to false positives if done on name alone.

Held with those caveats, the ncua_enforcement table is the indispensable credit-union piece of the federal depository-supervision picture: roughly 1,400 actions, from a clerical filing penalty to the seizure of a failed cooperative, that record how the agency which charters, supervises, and insures the nation's credit unions moves to protect its members and its insurance fund—and that, joined to the FDIC, OCC, and Federal Reserve records, complete the account of enforcement across every federally insured depository in the United States.