OCC Publishes List of Every Criminal Regulatory Offense It Enforces — What National Banks Should Do With It
TL;DR
- On May 8, 2026, the OCC issued its report under Executive Order 14294, cataloging every criminal regulatory offense enforceable by the OCC or DOJ — with mens rea standards and penalty ranges
- The report sits on top of OCC Bulletin 2025-13, which sets four factors OCC officers must weigh before referring a violation for criminal prosecution: harm, gain, expertise, and awareness
- This is not deregulation — the underlying criminal statutes still apply. What changes is OCC’s stated referral discipline and its public list of where criminal exposure exists
- Compliance teams should map listed offenses to RCSA controls, update training for roles with elevated criminal exposure, and tune issues management to flag matters that meet the four referral factors
The OCC dropped a quiet but important document on May 8: a complete list of every criminal regulatory offense it or the Department of Justice can enforce, paired with the mens rea standard and potential penalty range for each one. It went out as News Release 2026-36 and lives in an Excel attachment. No fanfare. No comptroller statement.
That’s the wrong way to read it. This report is the OCC’s first comprehensive published map of where federal banking regulation crosses into criminal liability — and it’s the back end of an executive order that has been quietly reshaping how every federal agency thinks about criminal referrals for the last twelve months. If you’re running compliance at a national bank or federal savings association, this is a primary source that belongs in your RCSA and your training inventory by the end of this quarter.
Where this report came from
On May 9, 2025, the President signed Executive Order 14294, “Fighting Overcriminalization in Federal Regulations” (90 Fed. Reg. 20363). The order’s stated policy positions are blunt:
- Criminal enforcement of regulatory offenses is disfavored
- Strict liability criminal regulatory offenses are disfavored
- Every NPRM and final rule with criminal consequences published after the order must explicitly state a mens rea requirement for each element of the offense
EO 14294 then handed every agency two homework assignments. First, by June 23, 2025, publish guidance describing how the agency would address criminally liable regulatory offenses going forward. Second, within 365 days, submit a report to OMB listing every criminal regulatory offense enforceable by the agency or DOJ, the range of penalties, and the applicable mens rea standard.
The OCC met both deadlines. The June 2025 guidance landed as OCC Bulletin 2025-13 on June 23, 2025 (90 Fed. Reg. 26413). The 365-day report landed on May 8, 2026 — one day shy of the deadline.
The four factors that now control criminal referrals
The June 2025 guidance is the part most compliance officers should already have read but probably haven’t. It sets out the four enumerated factors OCC officers and employees should consider before referring an alleged criminal regulatory offense to DOJ:
| Factor | What it means in practice |
|---|---|
| Harm or risk of harm | The actual or threatened pecuniary or non-pecuniary injury caused by the alleged offense — to consumers, counterparties, the institution, or the broader financial system |
| Potential gain | What the putative defendant stood to obtain from the violation. Compensation, bonus, market position, avoided loss |
| Specialized knowledge / licensure | Whether the individual held a role, license, or expertise that should have made them aware of the rule. CCO, BSA Officer, registered representative, licensed loan officer, model risk owner |
| Awareness of unlawfulness | Evidence of the defendant’s general awareness that the conduct was unlawful and specific knowledge of the regulation in question |
Read those four factors as the questions a federal prosecutor will be asked to answer if the OCC refers a matter. They’re also the questions an internal investigation should be asking from day one — because if your file already addresses them in writing, you control the narrative when it gets to legal.
What “every criminal regulatory offense” actually covers
The report doesn’t expand criminal liability — it just maps it. The big buckets compliance officers will recognize:
- Bank Secrecy Act criminal provisions — willful BSA violations under 31 U.S.C. § 5322 carry up to 5 years (10 years if part of a pattern of illegal activity), with penalties up to $250,000 (or $500,000 in the aggravated case). Structuring under 31 U.S.C. § 5324 is a separate offense
- False bank entries and reports — 18 U.S.C. § 1005, willful false entries in books, reports, or statements of a financial institution. Up to 30 years
- Bank fraud — 18 U.S.C. § 1344. Up to 30 years
- Misapplication of bank funds — 18 U.S.C. § 656 (officer/employee/agent embezzlement)
- Section 19 prohibitions — 12 U.S.C. § 1829, the FDIC’s bar on individuals with covered convictions participating in insured depository institution affairs without written consent
- Bribery of bank examiners — 18 U.S.C. § 212
- Truth in Lending and other consumer regulation criminal provisions — for willful and knowing violations
The report’s value isn’t telling compliance officers that bank fraud is a crime. It’s giving you a single, official document that lists all of these in one place, with the mens rea standard for each — knowingly, willfully, intentionally, recklessly — so you can tune training and controls to the actual standard rather than a generalized “don’t do crime” message.
Read this together with what came before
This report doesn’t sit alone. It connects to the 2025–2026 thread of DOJ corporate enforcement reorganization and the SEC’s enforcement realignment. All three point in the same direction: explicit prosecutorial discipline, fewer reflex referrals, more focus on cases with documented harm, gain, and intent.
It also matters for AML programs. The same week as this report, FinCEN’s BSA program reform package is still in comment. If your firm is reworking BSA program governance, the OCC’s published list of criminal BSA exposures should drive how you scope individual liability training for the BSA Officer, MLRO, and audit functions.
The compliance work this report creates
The report is short. The compliance work it creates is not. Five things to put on the calendar:
1. Map every listed offense to a control owner
Walk down the OCC report row by row. For each criminal regulatory offense, identify:
- The specific control(s) in your RCSA designed to prevent or detect it
- The control owner (named role, not “the team”)
- The relevant policy or procedure
- The training assignment — does the role with exposure get trained on the specific offense and mens rea standard?
If a row has no identified control or owner, that is an open issue. Open it in your issues management system today, assign a remediation date, and get it through your committee. This is exactly the type of gap external auditors will start asking about by year-end.
2. Update issue intake to capture the four DOJ-referral factors
When a control breakdown or potential violation lands in your issues queue, the intake form should include explicit fields capturing:
- Estimated harm caused (financial, customer, regulatory)
- Estimated gain to any individuals involved
- Roles and licensure of individuals implicated
- What the individuals knew about the rule and their conduct’s lawfulness
This isn’t paranoia. It’s making sure that if a matter does escalate, your file mirrors the framework the OCC will use. It also helps legal triage early — privileged review attaches faster when the file is already structured.
3. Re-scope criminal-exposure roles in training
Roles to flag as elevated criminal exposure on the OCC’s list:
- CCO — willful failure to maintain an effective compliance program is a documented theory in past BSA cases
- BSA Officer / MLRO — direct exposure under 31 U.S.C. § 5322 for willful BSA failures
- CFO and Controller — false entries (§ 1005), false reports to regulators
- Model Risk Management owners — false reports to regulators where model output drives regulatory submissions
- Loan officers and underwriters — bank fraud and misapplication
- Internal audit leadership — false statement exposure if findings are knowingly altered or suppressed
For each, the annual training should name the statute, the mens rea standard, and the four DOJ-referral factors. Generic “don’t violate the law” training does not document an effective program. Specific, role-tailored training does.
4. Update your regulatory change calendar
The third operative provision of EO 14294 — that all new rules with criminal consequences must explicitly state a mens rea requirement for each element — means new banking rulemakings will look slightly different. Pay attention to the preamble language in upcoming OCC and FDIC NPRMs. When mens rea is silent or ambiguous, that’s a comment opportunity. Your trade association is going to flag it; you should know to flag it internally too.
5. Brief the audit committee
The audit committee should see this report at its next meeting. Recommended materials:
- The OCC’s May 8, 2026 News Release 2026-36 and the linked spreadsheet
- Bulletin 2025-13 with the four referral factors
- A one-page management memo mapping the offenses to your RCSA and identifying any control gaps
- A summary of training updates planned for elevated-exposure roles
This is a short briefing — fifteen minutes. The point is that when an examiner or auditor asks “have you reviewed the OCC’s criminal offenses report and updated your program,” the answer is yes, with a documented date and committee minutes.
What this is not
A few things this report is not:
- It is not deregulation. None of the underlying criminal statutes are repealed. A willful BSA violation is still a willful BSA violation
- It does not bind the DOJ. DOJ retains independent prosecutorial discretion. The four factors guide OCC referrals, not DOJ acceptance
- It does not eliminate strict liability criminal offenses that exist in current statutes. EO 14294 disfavors them prospectively in new rules and asks agencies to consider them in enforcement, but it cannot rewrite Congress’s statutory choices
- It does not apply to state-chartered banks. State-chartered institutions should expect parallel work from the FDIC, Federal Reserve, and state regulators, but the OCC report governs national banks and federal savings associations
30/60/90 day checklist
Next 30 days:
- Pull and read the OCC’s May 8, 2026 report (Excel attachment to News Release 2026-36)
- Read OCC Bulletin 2025-13 in full, including the Federal Register text at 90 Fed. Reg. 26413
- Brief the CCO and General Counsel; agree on workplan ownership
- Add the report and bulletin to the regulatory change log
31–60 days:
- Map every listed criminal regulatory offense to an RCSA control and a named control owner
- Open issues for any offense without an identified control or owner
- Update issue intake forms to capture the four DOJ-referral factors
- Schedule audit committee briefing
61–90 days:
- Refresh annual compliance training for elevated-exposure roles to cover specific statutes and mens rea standards
- Update third-line audit’s compliance program assessment template to test for documented mapping
- Confirm the regulatory change function is reviewing new NPRMs for explicit mens rea language
If your issues management process doesn’t yet capture the four DOJ-referral factors at intake, the Issues Management Tracker & Template is the fastest way to bolt that on without rebuilding your GRC from scratch. The fields fit cleanly into the standard issue lifecycle — root cause, severity, owner, target date — and document the harm/gain/expertise/awareness analysis your legal team will want long before a referral conversation happens.
Sources
- OCC News Release 2026-36 — Report on Criminal Regulatory Offenses (May 8, 2026)
- OCC Bulletin 2025-13 — Guidance on Referrals for Potential Criminal Enforcement (June 23, 2025)
- Executive Order 14294 — Fighting Overcriminalization in Federal Regulations (90 Fed. Reg. 20363)
- Federal Register — Guidance on Referrals for Potential Criminal Enforcement (90 Fed. Reg. 26413)
- American Banker — OCC outlines plan for referring regulatory offenses to DOJ
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.