Feature Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Table of Contents
The FDIC’s Spring 2026 Consumer Compliance Supervisory Highlights came out in March. It covers 2025 examination results across FDIC-supervised state non-member banks and thrifts: 1,155 violations cited, $1.2 billion in restitution ordered, 16 formal enforcement actions brought.
Most compliance teams read it once, filed it, and moved on. A few used it to verify their training programs covered the usual suspects. Almost nobody used it the way it should be used: as a live diagnostic for where their own compliance program has the same gaps that FDIC examiners keep finding, year after year, at institutions that also thought they had this covered.
Every violation in this report happened at a supervised institution with a compliance function. They had policies. They had training. They probably had a compliance officer. They still got cited. The question isn’t whether you have a compliance program — it’s whether your program is actually catching the specific failure modes that produce these violations. Those failure modes don’t change much year over year, which makes this report more useful than it might appear at first glance.
Here’s how to use the FDIC’s own findings as a pre-examination self-assessment.
TL;DR
- The FDIC’s Spring 2026 Supervisory Highlights documented 1,155 consumer compliance violations from 2025 exams; the top 5 violations account for approximately 75% of all findings
- TILA/Regulation Z led with 462 violations — primarily mortgage disclosure timing and accuracy failures
- Flood insurance violations generated $150 million in orders — the highest-dollar compliance failure area, driven by portfolio-level systemic errors
- FDIC brought 16 formal and 11 informal enforcement actions; formal orders required $1.2 billion in restitution (concentrated in a small number of large cases)
- Third-party oversight is now a named examination theme in the FDIC’s findings — vendor management gaps are being cited alongside statutory violations
The Numbers That Actually Matter
1,155 violations across FDIC-supervised institutions covering a full examination cycle. The FDIC supervises approximately 3,000 state non-member banks and thrifts — which means roughly one in three institutions received a violation finding in 2025. That’s before accounting for multiple violations per institution, which the TILA/Reg Z count alone suggests is common.
98% satisfactory or better is the FDIC’s headline metric. It’s worth what it’s always worth: reassuring on the surface, but the distribution underneath it is what matters to your examination. An institution can maintain a satisfactory overall rating while still receiving significant violation findings in specific areas. The “satisfactory” designation doesn’t mean examiners found nothing.
$1.2 billion in restitution through formal orders is a number that needs context. Restitution figures in supervisory highlights are typically concentrated in a small number of large cases — a single institution with systemic disclosure failures across a multi-year examination period can generate nine-figure restitution that dominates the aggregate. The figure doesn’t mean average consumer compliance exposure is in the hundreds of millions. It means that when disclosure and consumer harm failures run uncorrected through multiple examination cycles, the cumulative remediation is extremely expensive.
$4.7 million in voluntary restitution to 47,902 consumers is the more operationally instructive number. These are institutions that identified their own compliance failures — through internal monitoring, audit, or complaint analysis — and worked with the FDIC to make customers whole outside the formal enforcement process. This is the outcome your monitoring and audit function is designed to produce. Self-identification before examination is materially different from FDIC-identified violations: it demonstrates a functional CMS and typically avoids the escalation from informal to formal action.
The Top Five Violations: What FDIC Examiners Keep Citing
1. Truth in Lending Act / Regulation Z — 462 Violations
TILA/Reg Z topped the 2025 findings with 462 violations — approximately 40% of all cited violations arising from a single regulation. The FDIC specifically identifies the most common failure pattern: institutions failing to provide required mortgage disclosures correctly or within mandated timeframes.
This isn’t a new finding. It’s the same pattern that drove the 2015 TRID (TILA-RESPA Integrated Disclosures) rulemaking. A decade later, the same disclosure timing and accuracy failures are still producing the largest violation category in FDIC consumer compliance exams.
The recurring failure modes:
Loan Estimate delivery timing. The Loan Estimate must reach the consumer within three business days of application. Institutions managing applications across multiple channels — online, phone, branch walk-in — consistently struggle with consistent timing documentation when application completion is ambiguous or when intake processes don’t timestamp delivery. Examiners pull delivery logs and compare them against application dates. If you can’t produce that documentation, you fail the test.
APR calculation errors. Fee inclusions and exclusions from the finance charge continue to drive restatement requirements — particularly at institutions that have changed origination platforms, acquired mortgage portfolios, or use multiple software systems that calculate APR differently. The TILA APR tolerance rules are narrow; errors outside tolerance require corrected disclosures and consumer notification.
Adjustable-rate and HELOC disclosure gaps. Variable-rate products and revolving credit facilities have specific TILA disclosure requirements — initial disclosures, change-in-rate notices, periodic statements — that static disclosure templates frequently fail to cover completely. Rate-change notification failures on ARMs are a consistent finding.
Self-assessment action: Pull 25 recent mortgage closings at random. Compare the Loan Estimate delivery date against the documented application completion date. Review the APR calculation against the final loan terms. Check the periodic statement format against current Reg Z requirements. If your compliance monitoring hasn’t done this in the past 12 months, you’re testing your program’s self-awareness, not its accuracy.
2. Electronic Fund Transfers / Regulation E
EFT violations cluster in two areas: error resolution timeline failures and disclosure deficiencies tied to product launches.
Regulation E’s error resolution requirements are specific about timelines — 10 business days to investigate a dispute (20 business days for certain new accounts), with defined consumer notification requirements at each step. When dispute volume spikes — following a fraud event, a system migration, or a product launch — and investigation queues back up, the timeline violations stack. This is operationally predictable and operationally avoidable, but only if the compliance function has visibility into dispute queue aging and investigation timelines.
Disclosure failures under Reg E frequently connect to digital product launches. Mobile app payment features, ACH authorization frameworks, peer-to-peer payment integrations — these require Reg E disclosures at enrollment and at the time of change. Product and engineering teams don’t always route new features through the compliance review process before launch. The result: disclosures that lag feature deployment, sometimes by months.
Self-assessment action: Pull your current dispute queue. Confirm that every open investigation has a documented investigation date and that none have exceeded the Reg E 10-business-day window. Review the last three product launches that involved any payment feature — confirm compliance review of Reg E disclosure requirements was completed before launch, not after.
3. Flood Insurance — The Highest-Dollar Failure Area
Flood insurance violations contributed significantly to the $150 million in orders the FDIC issued in 2025 for flood insurance violations and unfair acts or practices under Section 5 of the Federal Trade Commission Act. The dollar volume here is disproportionate to the violation count — and the reason matters.
The Flood Disaster Protection Act requires flood insurance on improved property in Special Flood Hazard Areas as a condition of any federally regulated or federally backed loan. The violation pattern is structural: institutions that fail to maintain accurate flood zone determination tracking, that don’t force-place coverage when borrower policies lapse, or that provide deficient notice to borrowers before force placement or at closing.
When these failures occur in a mortgage portfolio, they don’t produce a single violation — they produce a violation for every affected loan. Multiply the number of SFHA loans with coverage gaps by the remediation cost per loan, and the flood insurance exposure reaches figures that dwarf most other compliance failure areas quickly.
The institutions generating significant flood insurance violations have usually not failed from ignorance — they’ve failed from inadequate operational controls around flood zone determination at origination, inadequate monitoring of policy renewal status during the life of the loan, and inadequate alerting when coverage lapses. These are technology and process problems masquerading as compliance violations.
Self-assessment action: Run a current review of your real property loan portfolio. Confirm flood zone determinations are being tracked and documented at origination. Confirm your servicing process includes automated monitoring of flood insurance policy renewals and automated notification workflows when coverage lapses. If these processes are manual, they’re a compliance gap.
4. Truth in Savings Act / Regulation DD
Truth in Savings violations center on deposit account disclosures — APY calculations, fee schedules, change-in-terms notices, and time account maturity notifications.
The recurring failure: product updates that outpace disclosure revision. An institution changes its overdraft fee structure, introduces a new account tier, or modifies a CD renewal methodology — and the formal account disclosures don’t catch up for weeks or months. During that gap, the institution is delivering disclosures to new customers that don’t match its actual practices.
Change-in-terms notices are the other persistent problem. Reg DD requires advance notice of any change to a term that was stated in the initial account disclosure — at least 30 days before the effective date. That timeline requires compliance to have visibility into product changes on the front end, not after launch. If product and compliance aren’t reviewing account feature changes together, the 30-day window closes before anyone notices.
Self-assessment action: Compare your current fee schedule against your most recent formal account disclosure. If there are discrepancies, you have a change-in-terms compliance gap. Review your change management process for deposit product updates — confirm compliance is notified and disclosure revisions are completed at least 30 days before any change takes effect.
5. Home Mortgage Disclosure Act / Regulation C — 72 Violations
HMDA produces 72 violations in the 2025 data, concentrated in the same failure modes year over year: missing data fields, incorrect applicant demographic information, incorrect loan purpose codes, and property type mismatches.
The operational risk from HMDA violations compounds in a way that other disclosure violations don’t: HMDA data is the foundation for fair lending analysis. When your HMDA data has errors, you’ve created a compliance violation and simultaneously impaired your ability to monitor your own disparate impact exposure. Examiners who find HMDA reporting errors typically expand into fair lending review — and if your own fair lending analysis has been running on incorrect HMDA data, you may have missed demographic patterns that the corrected data would have revealed.
Self-assessment action: If you’re a HMDA reporter, review your current year-to-date LAR before year-end. Check for blank or incorrect fields in demographic data collection, property type classification, and loan purpose coding. Run a consistency check across your origination system, servicing system, and HMDA reporter to confirm data is flowing correctly between systems.
Third-Party Oversight: The Named Theme That Wasn’t Always
In the 2026 Supervisory Highlights, the FDIC specifically identifies third-party oversight as a recurring examination theme from 2025 — not just as a general best practice, but as a driver of actual compliance violations.
The pattern the FDIC is finding: institutions using third parties to deliver consumer-facing services (loan origination, payment processing, disclosure delivery, debt collection, customer service) and failing to maintain adequate vendor compliance monitoring. The violations the vendor causes — Reg Z disclosures delivered late, Reg E notices missing required elements, Truth in Savings disclosures not updated when product terms changed — attach to the supervised institution, not the vendor.
The specific gaps the FDIC identifies:
- Vendor contracts that don’t include consumer compliance obligation flow-downs
- Due diligence that evaluates vendor security but not vendor compliance performance
- Monitoring programs that track uptime and error rates but don’t review consumer disclosure accuracy
- No defined process for incident response when a vendor compliance failure triggers notification or restitution obligations
The 2023 interagency guidance on third-party relationships is the operative framework. Vendor financial health monitoring and ongoing oversight covers the operational monitoring side. Compliance training program requirements covers how to extend consumer protection training to third parties who deliver those services on your behalf.
Your Self-Assessment Checklist
Use the FDIC’s findings as a directed self-assessment. If your examination were tomorrow:
TILA/Reg Z: Can you produce delivery-date documentation for the last 25 mortgage Loan Estimates? Have you run an APR accuracy audit in the past 12 months? Are your HELOC and ARM disclosures current against the Reg Z requirements for variable-rate products?
Regulation E: Is your dispute queue current within the 10-business-day investigation window? Was compliance reviewed for the last three payment product launches before those features went live?
Flood insurance: Is flood zone determination tracked at origination and monitored for SFHA loans throughout the loan term? Is force-placement and lapse notification automated, or are you relying on manual tracking?
Truth in Savings: When did your last product update produce a formal change-in-terms notice — and was that notice delivered 30+ days before the change? Do your current account disclosures match your actual fee schedule?
HMDA: If you report HMDA data, when did you last run a data quality review on your current year LAR? Are there any blank or defaulted demographic data fields?
Third parties: Does every vendor who delivers consumer-facing services have a contract provision that flows down consumer compliance obligations? Does your monitoring program measure vendor compliance performance — not just operational performance?
Finding gaps here is the right outcome. A self-identified gap with a documented remediation plan is categorically different from an examiner-identified violation — both for your enforcement risk and for how your CMS is evaluated.
The RCSA (Risk & Control Self-Assessment) provides the control-level framework to document what these findings mean, who owns remediation, what the evidence looks like, and how to track progress in a format that examiners recognize as a functional compliance monitoring program. Regulatory examination readiness covers the documentation and evidence packaging step that turns self-assessment findings into exam preparation.
The FDIC publishes this report every year because these violations happen every year. The institutions that keep getting cited aren’t running compliance programs that missed these areas entirely — they’re running programs where the controls exist on paper but don’t catch the specific operational failures that produce violations. The difference between a satisfactory examination and a findings-heavy one is usually in the control effectiveness layer, not the policy layer.
Sources: FDIC Spring 2026 Consumer Compliance Supervisory Highlights (PDF), FDIC — FDIC Issues 2026 Consumer Compliance Supervisory Highlights, Cooley Finsights — FDIC Issues 2026 Consumer Compliance Supervisory Highlights, Guidepost Solutions — Most Frequently Cited Consumer Compliance Violations in 2025
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What were the most frequently cited violations in 2025 FDIC consumer compliance exams?
Why do flood insurance violations generate such large dollar enforcement amounts?
What is a compliance management system (CMS) and how does the FDIC evaluate it?
What's the difference between a formal and informal FDIC enforcement action?
How does third-party oversight fit into the FDIC's consumer compliance examination framework?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Keep reading
Related posts.
Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Jul 7, 2026
Operational Risk
The 2026 CRE Loan Maturity Wall: How Community Banks Should Stress-Test Their Commercial Real Estate Portfolios Right Now
More than $1.5 trillion in commercial real estate loans mature in 2026. Roughly 31% of all U.S. banks are CRE-concentrated. Here's the stress-testing methodology community banks need — before examiners ask for it.
Jul 6, 2026
Operational Risk
Liquidity Risk KRIs Beyond LCR and NSFR: The 12 Early Warning Metrics That Give You Days, Not Hours
LCR and NSFR tell regulators you're compliant. Liquidity KRIs tell you when you're three days from a crisis. Here are the 12 metrics every risk manager should be tracking — and what SVB's 31 open MRAs reveal about what happens when early warning breaks down.
Jul 2, 2026