OCC Consent Orders: From Issuance to Termination — A Practitioner's Walkthrough

TL;DR

• An OCC consent order is a formal, public cease-and-desist entered with the bank’s consent under 12 U.S.C. § 1818(b) — enforceable in federal court and carrying civil money penalty authority, unlike an MRA or Formal Agreement.
• The 2023 revision to PPM 5310-3 added Appendix C, formalizing the OCC’s escalation playbook for banks with persistent weaknesses — including asset reduction and forced divestitures.
• Every article of a consent order must be validated “in compliance” before termination. Infrastructure fixes matter as much as the immediate remediation — banks that fix the symptom but not the root cause cycle back.
• Wells Fargo cleared five consent orders in 2025, some dating to 2016 — a documented case study in what a multi-year consent order regime actually looks like.

You picked up the phone and heard the words no compliance officer wants to hear: “We’re moving to formal enforcement.” Or maybe you didn’t get a call — you found out when your CEO texted a link to the OCC’s enforcement action page, already live.

The MRA phase is over.

For banks that have only ever lived in Matter Requiring Attention territory, a consent order represents a different category of regulatory reality. Different urgency, different legal exposure, different institutional cost. The MRA Remediation Playbook gets you through the first phase of supervisory pushback. This is the next chapter.

What an OCC Consent Order Actually Is

The term “consent order” is used loosely in banking to mean any serious enforcement action. It isn’t. Technically, a consent order is a consent cease-and-desist order issued under 12 U.S.C. § 1818(b). The bank has agreed — consented — to the order rather than contesting the OCC’s notice of charges before an Administrative Law Judge.

That agreement matters for two specific reasons:

It is public. Consent orders are published on the OCC’s website and searchable through the OCC Enforcement Action database. Unlike an MRA, which is private supervisory correspondence, a consent order signals to counterparties, bank partners, investors, and in some cases customers that your institution has a formal regulatory problem. The reputational effect is immediate.

It is court-enforceable. Under 12 U.S.C. § 1818(i), if you fail to comply with the articles of a consent order, the OCC can bring an enforcement action in federal district court — civil money penalties, individual liability for executives and directors, and ultimately receivership in extreme cases. Formal Agreements don’t carry that mechanism.

The Enforcement Ladder — Where Consent Orders Actually Sit

Most practitioners have the escalation sequence wrong. Under OCC PPM 5310-3 (May 2023), the formal structure is:

A Formal Agreement sits between MRA escalation and a consent order. Banks negotiate Formal Agreements specifically to avoid crossing into consent order territory — you get the regulatory attention without the court-enforcement hook and without the full weight of public disclosure in the Federal Register. Once you’re in consent order territory, that negotiating room is gone.

What the 2023 PPM Revision Changed

In May 2023 (OCC Bulletin 2023-16), the OCC updated PPM 5310-3 to add Appendix C: Actions Against Banks With Persistent Weaknesses. This appendix formalized — for the first time — what happens when an institution subject to the OCC’s Heightened Standards framework (12 CFR 30, Appendix D) fails to remediate persistent weaknesses across multiple enforcement cycles.

The answer is severe: the OCC can require a bank to simplify or reduce operations, reduce asset size, divest subsidiaries or business lines, or exit specific markets. Appendix C made explicit what was previously implicit: unresolved consent order articles at complex institutions aren’t just a compliance problem — they’re a franchise risk.

Anatomy of a Consent Order: What the Articles Actually Require

Every OCC consent order is structured as numbered articles. Each article identifies a deficiency, specifies what the bank must do to remediate it, and sets a deadline. You can read the full text of any active consent order at apps.occ.gov/EASearch.

Typical article categories, based on patterns across OCC enforcement actions:

Board and Management Articles: Require the board to adopt new governance structures, establish a compliance committee with specified reporting lines, attend relevant training, and demonstrate active oversight of the remediation program. Board articles usually come first because downstream remediation depends on governance accountability being in place.

Compliance Program Articles: The most common and most labor-intensive category. Require revision of the compliance management system — policies, procedures, training, complaint management, monitoring, and testing. The OCC expects documented evidence that the CMS runs independently, not just that you updated a policy and trained your staff once.

BSA/AML Articles: The OCC’s September 2024 Formal Agreement with Wells Fargo Bank — a 26-page document — required the bank to improve internal controls, policies and procedures, reporting, and management and board accountability specifically around AML and sanctions compliance. Even without an accompanying civil money penalty, the remediation scope was substantial and multi-year.

Risk Management Articles: Formal frameworks for risk identification, quantitative stress testing, model validation, or credit concentration limits — depending on the triggering concern.

Capital and Strategic Plan Articles: Particularly common when the consent order stems from financial condition concerns. Some enforcement actions require the institution to meet specified capital minimums and maintain detailed project management standards for strategic initiatives.

Deadlines: Each article carries specific timeframes — typically 30 days for board governance actions, 60–90 days for written policies, 120–180 days for program implementation, and ongoing periodic reporting thereafter. A missed article deadline triggers “past due” status, which draws additional examiner attention without requiring a new enforcement action.

The First 30 Days: Your Response Protocol

Banks are routinely unprepared for how all-consuming the first 30 days of consent order response actually are.

Days 1–3: Notify your board. The consent order obligates the board specifically — and most orders require a board resolution within 30 days acknowledging receipt and committing to compliance. Engage outside counsel before you respond to any examiner communication. Notify your state regulator (if applicable) and any bank partners who have audit or examination rights before they read the news.

Days 4–10: Article-by-article analysis with legal, compliance, internal audit, and affected business lines. For each article: What specifically is required? What’s the deadline? Who owns it? What does “in compliance” look like — a policy? A program? Periodic reporting? A validated control? This analysis becomes your consent order project charter.

Days 11–20: Stand up your Consent Order Management Office (COMO) — or whatever you call it internally. This function tracks article status, manages examiner communications, maintains evidence files, and prepares board compliance reports. Examiners will ask to see your tracking infrastructure during follow-up examinations. A structured issues management tracker maps well to consent order article tracking: owner, deadline, deliverable, evidence, status, escalation path.

Days 21–30: Deliver the board-approved action plan (if required by the order) and begin execution on the first wave of articles — typically the governance requirements that must be in place before substantive remediation can start.

Building Evidence That Survives Validation

The most common mistake in consent order remediation is treating “we fixed it” as equivalent to “we can prove we fixed it in a way an examiner will credit.”

Every article will be independently reviewed during follow-up examination activity. The examiner’s question is not “did you fix the original problem?” The question is: “Does your evidence demonstrate sustainable, systemic compliance?”

That means:

• Policy adoption: The dated, board-approved final policy — not a draft, not an email chain. Evidence of board approval that can be traced to a board meeting.
• Training: Completion records with employee names, dates, and assessment scores — not an attestation that training occurred.
• Program operation: Transaction samples, monitoring reports, exception documentation with disposition notes, showing the program ran independently over time.
• Control sustainability: Evidence that the control operates as designed without ad-hoc manual intervention — not just that someone executed it once before the exam.

Build your evidence file per article from day one. Banks that remediate well but document poorly end up with articles marked “not in compliance” at validation — which restarts the remediation clock and risks escalation.

How Consent Orders End: The Termination Process

The OCC terminates a consent order when:

1. The bank has demonstrated compliance with all articles, or
2. Specific articles are deemed outdated or irrelevant to the bank’s current circumstances, or
3. The OCC incorporates remaining articles into a new or amended enforcement action.

The third pathway is not a clean exit. It means you were still fighting old articles when a new problem emerged.

Termination requires the OCC to affirmatively designate every article “in compliance” through follow-up examination work. The bank cannot self-certify termination. The OCC then issues a separate termination order, which is also published publicly — and which will note both the termination date and the original issuance date. A three-to-five-year span between issuance and termination is common for complex, multi-article orders.

The Wells Fargo Case Study: What a Decade of Enforcement Looks Like

Wells Fargo provides the most documented case study of multi-cycle OCC enforcement in modern banking history. Beginning with actions related to consumer account sales practices in 2016, the bank accumulated overlapping consent orders and formal agreements across mortgage loss mitigation, auto lending, compliance management, and AML.

In 2025, Wells Fargo cleared five consent orders in a single calendar year — a milestone that reflected sustained remediation investment across multiple years. Specific terminations included a March 2025 termination of a Cease and Desist Order dated September 9, 2021 (mortgage loss mitigation deficiencies), and June 2025 terminations of two formal agreements from 2015 related to Gramm-Leach-Bliley Act financial subsidiary compliance.

Despite the 2025 clearances, the Federal Reserve’s 2018 asset cap remained in place — a reminder that multi-regulator enforcement regimes require independent management of each agency’s action. Clearing an OCC consent order does not affect a Fed enforcement action. Each regulator’s timeline is its own.

The Wells Fargo experience illustrates a pattern that recurs across institutions: consent order remediation at a bank with significant institutional complexity runs on a 5–10 year timeline. At a community bank with a more discrete problem, 18–30 months is achievable — but only if the bank treats remediation as a sustained operational program rather than a project sprint.

So What?

If you’re reading this because you’ve received a consent order, the mental model that actually helps is this: a consent order is a multi-year project with precisely specified deliverables, an exacting client, and a final exam you cannot schedule in advance. Your job is not just to fix the original problem. Your job is to build the institutional infrastructure that makes the examiner confident the problem will not recur — and to prove that confidence through documented evidence.

Banks that exit consent orders fastest share consistent traits: they treat each article as a discrete project with clear ownership and evidence requirements from day one; they invest in the examiner relationship through proactive communication and zero surprises; they staff the remediation effort seriously; and they don’t declare victory when the original issue is resolved — they declare victory when the examiner does.

The banks that stay in consent orders longest fix the symptom and miss the root cause. Examiners have seen that pattern enough times to recognize it in the first follow-up review.

Related reading: MRA Remediation Playbook: How to Respond When You Get a Matter Requiring Attention · FFIEC IT Examination Handbook: A Practitioner’s Walkthrough · Compliance Monitoring and Testing: How to Build a Risk-Based Program That Survives an Exam

External references: OCC PPM 5310-3 (May 2023) · OCC Enforcement Action Search · Wells Fargo Formal Agreement (September 2024) · 12 U.S.C. § 1818 · OCC Bulletin 2023-16 (PPM Revision)