OCC Enforcement: The Federal Record of Actions Against National Banks

Every national bank in the United States operates under a charter granted by a single federal official: the Comptroller of the Currency. The same office that grants the charter can constrain it — and when a national bank launders money, abuses its customers, or runs an unsafe-or-unsound operation, the Office of the Comptroller of the Currency answers with a cease-and-desist order, a consent order, a civil money penalty, or, against the banker personally, an order barring them from the industry for life. The OCC publishes those actions, and this dataset is that published record: roughly 4,900 enforcement actions, one row apiece, naming the bank or the banker, the kind of action, the date, and the penalty — the visible trace of the federal government disciplining the institutions it chartered.

This article covers what the OCC enforcement record is and the charter-and-supervise mandate that produces it; what the OCC supervises and how that defines the universe of who can be sanctioned; the enforcement toolkit, from the informal formal agreement to the consent order, the civil money penalty, and the removal-and-prohibition order against an individual; the legal trigger — violations of law and “unsafe or unsound” practices — that gives the OCC its reach; the recurring themes that mirror the largest banks the OCC supervises, from Bank Secrecy Act and anti-money-laundering failures to the 2010s mortgage-servicing consent orders and the Wells Fargo sales-practices matter; how the OCC record fits with the FDIC and Federal Reserve enforcement records to cover the whole banking system; how the table joins to the FDIC institutions directory and the other regulators' actions; a Python workflow that pulls the actions, tallies them by type and year, and ranks institutions; and the caveats every analyst must keep in mind.

What the dataset is

The OCC enforcement record is the published catalogue of the formal actions the Office of the Comptroller of the Currency has taken against the institutions it supervises and against the people who run them. The OCC is a bureau of the United States Department of the Treasury, established by the National Currency Act of 1863 and the National Bank Act of 1864 to charter, regulate, and supervise the national banking system that those Civil War–era statutes created. Enforcement is the sharp end of that supervisory mandate: when ordinary supervision — the examinations, the matters-requiring-attention, the supervisory letters — is not enough to correct a problem, the OCC escalates to a formal, legally binding enforcement action, and it publishes the result.

In our database this record is stored as the table occ_enforcement, with the grain of one row per enforcement action keyed by the action and the institution or individual it names. A single bank that received a consent order in one year and a separate civil money penalty in another contributes two rows; an individual barred from banking contributes a row of their own. The catalogue records civil money penalties on the order of several billion dollars in aggregate across the actions it covers — a figure dominated by a handful of very large penalties against the largest national banks. The columns capture who was sanctioned, what kind of action it was, when it took effect, and the financial terms:

action_id            -- the OCC enforcement-action document number
action_type          -- C&D, consent order, CMP, formal agreement,
                        personal C&D, removal/prohibition, restitution
respondent_name      -- the national bank, FSA, or named individual
respondent_type      -- institution or institution-affiliated party (IAP)
charter_number       -- OCC charter number of the bank (when applicable)
city / state         -- location of the institution
effective_date       -- date the action took effect
termination_date     -- date the action was terminated (if lifted)
penalty_amount       -- civil money penalty assessed (when applicable)
basis                -- the conduct: BSA/AML, unsafe/unsound, consumer, etc.
document_url         -- link to the published action document

The action_type and respondent_type columns do most of the interpretive work. The action type distinguishes the OCC's graduated toolkit — a formal agreement is a different animal from a consent cease-and-desist order, which is different again from a standalone civil money penalty or a lifetime prohibition. The respondent type draws the other load-bearing distinction: whether the action runs against the institution — the bank itself — or against an institution-affiliated party (IAP), the statutory term for a director, officer, employee, controlling shareholder, or agent of the bank. Actions against institutions reshape how a bank operates; actions against individuals can end a banker's career. The charter_number is the join key to the rest of the supervisory record — the OCC charter number identifies the bank uniquely — and the effective_date and termination_date bracket the life of the action, since most orders are eventually terminated once the bank has remediated and the OCC is satisfied.

What the OCC supervises

The reach of the OCC enforcement record is defined by the OCC's charter authority, and that authority is specific. The OCC charters, regulates, and supervises all national banks — the banks that carry “National Association” or the abbreviation “N.A.” in their name and operate under a federal charter rather than a state one — together with all federal savings associations (federal thrifts, often carrying “FSB” in their name), a population the OCC absorbed from the former Office of Thrift Supervision when that agency was abolished in 2011. The OCC also supervises the federal branches and agencies of foreign banksoperating in the United States. Those three categories — national banks, federal savings associations, and federal branches of foreign banks — are the entire universe of institutions the OCC can examine and, when warranted, sanction.

This matters for the shape of the data because the national-bank charter is the charter of choice for the country's largest banks. Most of the systemically important megabanks — the trillion-dollar institutions whose names anchor the financial system — hold national-bank charters and are therefore OCC-supervised. The consequence is that the OCC enforcement record, while smaller in row count than the records of regulators that oversee thousands of small institutions, is disproportionately weighted toward the very largest banks and the very largest penalties. A single consent order against a megabank can carry a civil money penalty larger than the sum of hundreds of actions against community banks. Any reading of the dataset that treats every action as equivalent will miss this: the distribution of action counts and the distribution of penalty dollars are two very different shapes, and the dollar distribution is dominated by a small number of landmark actions against the biggest institutions the OCC charters.

The enforcement toolkit

The OCC's enforcement authority is graduated, and the action-type field is a ladder of increasing formality and severity. Reading where an action sits on that ladder is the first step in interpreting any row.

Formal agreements sit at the lower end of the formal toolkit. A formal agreement is a written, enforceable agreement between the OCC and the bank committing the bank to a program of corrective action — to strengthen its capital, fix its risk management, overhaul a deficient compliance program — on a defined schedule. It is more serious than the informal supervisory tools (the memorandum of understanding, the matter requiring attention) but stops short of an order. Above it sits the cease-and-desist order (C&D), the workhorse of bank enforcement: an order directing the bank to stop a violation or unsafe practice and, affirmatively, to take specified remedial steps. The overwhelming majority of C&Ds are consent orders — the bank agrees to the order without admitting or denying the findings, which lets the OCC and the bank resolve a matter without the delay and uncertainty of litigation. When you see a high-profile bank “entering into a consent order with the OCC,” this is what has happened.

The civil money penalty (CMP) is the monetary instrument. The OCC can assess CMPs against both institutions and individuals for violations of law, regulation, final orders, or written agreements, with the size of the penalty tiered by the seriousness and the degree of culpability — from technical violations at the low end to knowing, reckless, or substantially harmful conduct at the high end. A CMP often accompanies a consent order rather than standing alone, which is why the penalty-amount field is populated for some actions and blank for others. The OCC can also order restitution — requiring the bank to repay customers it harmed — which is conceptually distinct from a penalty (it makes victims whole rather than punishing the bank) and looms large in consumer-harm matters.

The most severe instruments run against people. A personal cease-and-desist order directs a named institution-affiliated party — a particular officer or director — to stop specified conduct, and a personal CMP can be assessed against them individually. At the top of the ladder is the removal-and-prohibition order: an order removing an individual from the bank and prohibiting them from ever again participating in the affairs of any federally insured depository institution. A prohibition order is, in effect, a lifetime ban from banking, and it requires a showing not only of misconduct but of its effect (loss to the institution or gain to the individual) and a culpable state of mind. These personal actions are the reason the dataset must distinguish institution respondents from IAP respondents: a single failure at a bank can produce both a consent order against the institution and a prohibition order against the executive responsible.

The legal trigger: violations and “unsafe or unsound” practices

What gives the OCC the authority to reach into a bank is a deceptively short statutory phrase. The core enforcement provisions of the Federal Deposit Insurance Act authorize the OCC to act when an institution or an institution-affiliated party has engaged in, or is about to engage in, a violation of a law, rule, regulation, or condition, or in an unsafe or unsound practicein conducting the business of the bank. The first branch is concrete: a bank that breaches a specific statute or regulation — the Bank Secrecy Act, a consumer-protection rule, a lending limit — has committed a violation, and that violation supports an action.

The second branch — unsafe or unsound practice— is the broad, flexible authority that gives bank supervision its distinctive reach. It is not tied to any single rule; it captures any conduct contrary to accepted standards of prudent banking operation that exposes the institution (or its insurance fund) to an abnormal risk of loss or harm. A bank does not have to have broken a specific law to be acting unsafely: inadequate capital, reckless lending, deficient internal controls, a risk-management system that cannot keep pace with the bank's growth — all can constitute unsafe-or-unsound practices even where no discrete statute has been violated. This is what lets the OCC act preventively, before unsafe conduct ripens into a loss, and it is why so many consent orders recite both branches: a specific violation, plus the broader unsafe-or-unsound practice the violation reveals. The basis field in the data, which records the conduct underlying an action, draws on both branches, and reading it is how an analyst tells a narrow technical violation from a fundamental breakdown in how a bank is run.

Recurring themes: BSA/AML, mortgage servicing, and sales practices

Because the OCC supervises the largest banks, the themes that recur across its enforcement record are the themes of large-bank misconduct over the past two decades. Three dominate.

Bank Secrecy Act and anti-money-laundering (BSA/AML) failuresare the most persistent single theme. The Bank Secrecy Act requires banks to maintain programs to detect and report money laundering — to know their customers, monitor for suspicious activity, file suspicious-activity and currency-transaction reports, and screen against sanctions. Large, complex banks moving enormous volumes of money across borders are chronically exposed to gaps in those programs, and the OCC has brought some of its largest and most consequential actions for BSA/AML deficiencies: consent orders requiring banks to overhaul their monitoring systems, and civil money penalties — frequently coordinated with the Financial Crimes Enforcement Network and the Department of Justice — running into the hundreds of millions or billions of dollars. BSA/AML actions are a defining feature of the OCC record precisely because the institutions it supervises are the ones through which the largest illicit flows would pass.

The 2010s mortgage-servicing and foreclosure consent ordersare the second great cluster. In the aftermath of the 2008 financial crisis, the largest mortgage servicers — many of them national banks — were found to have processed foreclosures with systematic deficiencies, including the “robo-signing” of foreclosure affidavits by employees who had not reviewed the underlying files. The OCC, alongside the other federal banking agencies, issued a wave of consent orders in the early 2010s requiring the servicers to remediate their foreclosure practices and provide redress to harmed borrowers. These mortgage-servicing orders are a distinct, crisis-driven stratum in the data, concentrated in a few years and a handful of very large institutions, and they illustrate how a single industry-wide failure can leave a cluster of structurally similar actions across the record.

Sales-practices misconduct is the third theme, and its emblem is the Wells Fargo unauthorized-accounts matter, in which a national bank's employees, under intense sales pressure, opened large numbers of deposit and credit accounts for customers without their knowledge or consent. The matter produced OCC consent orders, very large civil money penalties, required restitution to harmed customers, and an extraordinary set of follow-on actions — including personal actions against former senior executives, with civil money penalties and prohibition orders. The sales-practices cluster is analytically important because it shows the full toolkit deployed against a single institution and its leaders at once: institution-level consent orders and CMPs, restitution for customers, and individual prohibition and penalty actions against the people responsible. Beyond these three named themes, the record is rounded out by the perennial supervisory staples — capital and liquidity deficiencies, operational-risk and information-technology failures, fair-lending and other consumer-compliance violations, and inadequate risk governance at fast-growing banks — the unsafe-or-unsound practices that bank supervision exists to catch.

How it fits with the FDIC and Federal Reserve

The OCC enforcement record cannot be read in isolation, because the OCC is one of three federal banking agencies that divide the supervision of the US banking system, and a complete picture of bank enforcement requires all three. The division is by charter type and institutional form, and it is the single most important fact for assembling a national view.

The OCC supervises national banks and federal savings associations — the federally chartered depository institutions. The Federal Deposit Insurance Corporation (FDIC) is the primary federal supervisor of state-chartered banks that are not members of the Federal Reserve System (state nonmember banks), in addition to its universal role as deposit insurer and as the receiver for failed banks. The Federal Reserve supervises bank holding companies and financial holding companies, and is the primary federal supervisor of state-chartered banks that are members of the Federal Reserve System (state member banks). Put together, the three agencies' enforcement records cover the entire depository system: the OCC for the national charter, the FDIC for the state nonmember banks, and the Federal Reserve for the holding companies and state member banks. A megabank typically appears across more than one of these records at once — the national-bank subsidiary in the OCC record, the holding company in the Federal Reserve record — which is why analysts who want to understand enforcement against a banking organization, rather than against a single legal entity, must consult all three regulators' data and reconcile them. The OCC record is the national-bank piece of that larger map.

Joining to the FDIC institutions directory and the other regulators

The analytical power of the OCC enforcement record is multiplied when it is joined to the broader bank-supervision data, and two joins matter most. The first is to the FDIC institutions directory, the master registry of every federally insured bank, active and historical. The institutions directory carries, for each bank, its identifiers (the FDIC certificate number and the FFIEC's RSSD identifier), its charter class and primary federal regulator, its location, its asset size, and its activity status. Joining occ_enforcement to the institutions directory — on the bank name, the OCC charter number, or the location, resolving to the institution's certificate or RSSD identifier — is what lets an analyst weight an enforcement action by the size of the bank it names. Without that join, an action against a community bank and an action against a megabank look identical; with it, every action is anchored to an institution of known asset size, charter class, and regulator, which is the prerequisite for any normalized analysis of enforcement intensity.

The second join is to the other bank-regulator enforcement records — the FDIC's and the Federal Reserve's. Because a single banking organization is supervised entity-by-entity across the three agencies, joining their enforcement records (again resolving each respondent to a stable institution identifier) is what reconstructs the full enforcement history of a banking group: the OCC action against the lead national bank, the Federal Reserve action against the parent holding company, and any FDIC action against an affiliated state bank, assembled into one timeline. This cross-regulator join is also what reveals coordinated actions — the many cases in which the federal banking agencies act together, sometimes alongside the Consumer Financial Protection Bureau, FinCEN, or the Department of Justice, on a single matter. The OCC record is, in this sense, one strand that becomes far more informative when braided together with the others.

Analytical uses

A structured, date-stamped, respondent-resolved record of national-bank enforcement supports a distinctive set of analyses that no single press release or order can.

Enforcement intensity over time is the most immediate use. Because each action carries an effective date and a type, an analyst can chart the OCC's enforcement cadence year by year — the surge of mortgage-servicing orders in the early 2010s, the steady baseline of BSA/AML actions, the bursts that follow a discovered failure — and decompose it by action type to see whether the agency is leaning on consent orders, formal agreements, or penalties at a given moment. Read alongside the regulatory and economic backdrop, the time series is a record of how the federal posture toward national banks has shifted across administrations and across the credit cycle.

Institution and banker rankings exploit the respondent fields. Ranking institutions by action count, or by aggregate civil money penalty, surfaces the banks that have drawn the most federal attention — almost always, for the dollar ranking, the largest national banks. Filtering to IAP respondents and counting prohibition and personal-penalty actions surfaces the individuals the OCC has barred or fined, the part of the record that holds bankers, not just banks, personally accountable. Theme and basis analysis uses the basis field to track which categories of misconduct — BSA/AML, consumer harm, capital and risk governance, operational risk — drive enforcement, and how that mix evolves. And the cross-regulator and FDIC-institutions joinsdescribed above turn the record from a list of national-bank actions into a normalized, organization-level, system-wide view of who is being disciplined, how hard, for what, and how it compares across the charter types the three agencies divide between them.

Python workflow: actions by type, by year, and by institution

The script below pulls the OCC enforcement actions from the agency's public enforcement-actions search on occ.gov, then computes the core descriptive views: the breakdown of actions by type, the count of actions by year, a ranking of institutions by action count with light name normalization so that the same bank under spelling variants collapses to one row, and the aggregate civil money penalty on record. No API key is required for public data. One thing to keep in mind throughout: the OCC's EASearch is a public search interface, not a documented data API with a stable JSON schema, so the script isolates the one site-specific hook — how it requests and extracts the result rows — and resolves the working column names defensively rather than hard-coding them. Any production use should be validated against the current EASearch advanced-search form and, for penalty totals, cross-checked against the published action documents.

import requests, pandas as pd

# The OCC publishes every enforcement action it has taken in a public,
# searchable system -- the Enforcement Actions Search (EASearch) on
# occ.gov / occ.treas.gov. It covers cease-and-desist and consent
# orders, civil money penalties, formal agreements, personal orders,
# and removal/prohibition orders against institution-affiliated parties.
# No API key is required for public data.
#   - search UI:        https://apps.occ.gov/EASearch
#   - advanced search:  https://apps.occ.gov/EASearch (filter by date / type)
#   - OTS thrift archive (pre-July 2011): published as an Excel file
#
# IMPORTANT: EASearch is a public *search interface*, not a documented
# data API. The OCC does not publish a stable JSON endpoint with a fixed
# schema, and the request path and field names change between site
# releases. The robust approach is to drive the EASearch advanced-search
# form and export/parse the result rows it returns; for bulk work,
# export from the search form rather than scraping. Isolate the request
# and the column resolution here and confirm both against the current
# OCC site before relying on them.
EASEARCH = "https://apps.occ.gov/EASearch"


def fetch_actions(params=None, page_size=1000):
    # Page through the full EASearch result set. The exact request path,
    # parameter names, and response envelope are site-version specific;
    # confirm them against the live EASearch advanced-search form (open
    # the browser network panel while running a search) and adjust the
    # 'results' key and paging parameters to match the current release.
    rows, page = [], 0
    base = dict(params or {})
    while True:
        q = {**base, "pageSize": page_size, "pageIndex": page}
        r = requests.get(EASEARCH, params=q, timeout=120,
                         headers={"User-Agent": "research/1.0"})
        r.raise_for_status()
        # EASearch returns HTML by default; when an export/data view is
        # used it returns structured rows. Adapt the extraction to the
        # form's actual response (e.g. r.json()["results"] or an HTML
        # table parse) -- treat this line as the one site-specific hook.
        batch = r.json().get("results", [])
        if not batch:
            break
        rows.extend(batch)
        page += 1
    return pd.DataFrame(rows)


def col(frame, *candidates):
    # OCC field names vary across exports; resolve defensively.
    lower = {c.lower(): c for c in frame.columns}
    for cand in candidates:
        if cand.lower() in lower:
            return lower[cand.lower()]
    raise KeyError(f"none of {candidates} in {list(frame.columns)[:12]}")


df = fetch_actions()
print(f"Enforcement actions loaded: {len(df):,}")

c_type = col(df, "ActionType", "Type", "Document Type")
c_name = col(df, "BankName", "Name", "Institution", "Respondent")
c_date = col(df, "StartDate", "EffectiveDate", "Date")
c_pen  = col(df, "Penalty", "CMP", "Amount")

# --- 1. Actions by type (C&D, consent order, CMP, formal agreement) ----
print("\nActions by type:")
for t, n in df[c_type].fillna("(blank)").value_counts().head(15).items():
    print(f"  {t[:42]:<42} {n:>5,}")

# --- 2. Actions by year -------------------------------------------------
df[c_date] = pd.to_datetime(df[c_date], errors="coerce")
by_year = df[c_date].dt.year.value_counts().sort_index()
print("\nActions by year (recent):")
for yr, n in by_year.tail(12).items():
    print(f"  {int(yr)}: {n:>4,}")

# --- 3. Institutions ranked by action count ----------------------------
# Normalize the respondent name so the same bank under spelling
# variants collapses to one row before ranking.
def norm(name):
    s = (name or "").upper().strip()
    for suffix in (", N.A.", " N.A.", ", NATIONAL ASSOCIATION",
                   " NATIONAL ASSOCIATION", ", FSB", " FSB"):
        if s.endswith(suffix):
            s = s[: -len(suffix)].strip()
    return " ".join(s.split())

df["_inst"] = df[c_name].map(norm)
print("\nTop 15 institutions by action count:")
for inst, n in df["_inst"].value_counts().head(15).items():
    print(f"  {inst[:40]:<40} {n:>4,}")

# --- 4. Aggregate civil money penalties --------------------------------
pen = pd.to_numeric(df[c_pen], errors="coerce").fillna(0)
print(f"\nTotal civil money penalties on record: ${pen.sum():,.0f}")
print(f"Actions carrying a CMP: {(pen > 0).sum():,} of {len(df):,}")

Two practical notes apply. First, the institution ranking is only as good as the name normalization that precedes it: bank names appear in the record with and without the “National Association” suffix, with punctuation variants, and across the mergers that constantly reshape the industry, so a serious ranking must resolve each respondent to a stable institution identifier — ideally the FDIC certificate or RSSD number obtained via the institutions-directory join — rather than relying on string matching alone. Second, the penalty total the script computes is a floor, not a precise figure: many actions carry no CMP, some penalties are recorded in the action document rather than a structured field, and penalties announced jointly with FinCEN or the Department of Justice can be attributed differently across agencies, so the aggregate should be read as the OCC-recorded civil money penalty across the actions that carry a structured amount, not as the total cost of the underlying misconduct.

Limitations and analytical caveats

The OCC enforcement record is the authoritative public account of formal actions against national banks, but it carries structural limitations that an analyst must internalize before drawing conclusions from it.

It records formal actions, not all supervision. The published enforcement record is the visible tip of a much larger, mostly confidential supervisory process. The great bulk of bank supervision happens through examinations, matters-requiring-attention, and informal tools — memoranda of understanding, supervisory letters — that are not public and do not appear in the data. A bank with no enforcement actions is not necessarily a bank with no supervisory concerns; it may be one whose concerns were resolved informally before they ever escalated to a formal, published action. The dataset measures formal enforcement, which is a deliberate, escalated subset of supervision, not supervision as a whole.

Counts and dollars are different distributions. Because the OCC supervises the largest banks, the penalty dollars in the record are concentrated in a small number of landmark actions, while the action counts are spread across many smaller institutions. Aggregating without regard to bank size conflates two very different things: an agency that brought many small actions and one that brought a few enormous ones can show similar totals on one axis and wildly different totals on the other. Every comparison — across years, across institutions, against the other regulators — should be explicit about whether it is counting actions or summing penalties, because the two tell different stories, and neither is meaningful without normalizing for the size and number of the institutions involved.

Consent orders are negotiated resolutions, not adjudications.The overwhelming majority of actions are consent orders entered without the bank admitting or denying the OCC's findings. This is efficient and routine, but it means the record reflects what the agency and the bank agreed to memorialize, not the output of a contested fact-finding process. The findings recited in a consent order are the OCC's, accepted by the bank for the purpose of resolution; they are authoritative as the basis of the action, but they are not a court's adjudication of disputed facts, and a few matters that the bank contests are resolved through a different, litigated path that looks different in the data.

There is reporting lag, the record is partly a snapshot of active orders, and cross-regulator attribution is hard. An action appears after the OCC finalizes and publishes it, so the most recent matters are under-represented in any snapshot, and orders are terminated when a bank remediates — meaning a view of currently active orders understates the historical count of who has ever been sanctioned. Mergers and name changes constantly reshape respondent identity, so longitudinal analysis of a single bank requires careful entity resolution across the institution's history. And because the OCC frequently acts jointly with FinCEN, the CFPB, the Federal Reserve, and the Department of Justice on the same underlying conduct, a single matter can be recorded across several agencies' datasets with penalties attributed differently — so naive cross-dataset summing will double-count. Held with these caveats in mind, the occ_enforcement table is a uniquely valuable resource: roughly 4,900 actions naming the national banks, federal savings associations, and bankers the Comptroller of the Currency has formally disciplined — the federal record of accountability for the institutions the United States itself chartered.