Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested

The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.

Table of Contents

The FDIC’s Spring 2026 Consumer Compliance Supervisory Highlights came out in March. It covers 2025 examination results across FDIC-supervised state non-member banks and thrifts: 1,155 violations cited, $1.2 billion in restitution ordered, 16 formal enforcement actions brought.

Most compliance teams read it once, filed it, and moved on. A few used it to verify their training programs covered the usual suspects. Almost nobody used it the way it should be used: as a live diagnostic for where their own compliance program has the same gaps that FDIC examiners keep finding, year after year, at institutions that also thought they had this covered.

Every violation in this report happened at a supervised institution with a compliance function. They had policies. They had training. They probably had a compliance officer. They still got cited. The question isn’t whether you have a compliance program — it’s whether your program is actually catching the specific failure modes that produce these violations. Those failure modes don’t change much year over year, which makes this report more useful than it might appear at first glance.

Here’s how to use the FDIC’s own findings as a pre-examination self-assessment.

TL;DR

  • The FDIC’s Spring 2026 Supervisory Highlights documented 1,155 consumer compliance violations from 2025 exams; the top 5 violations account for approximately 75% of all findings
  • TILA/Regulation Z led with 462 violations — primarily mortgage disclosure timing and accuracy failures
  • Flood insurance violations generated $150 million in orders — the highest-dollar compliance failure area, driven by portfolio-level systemic errors
  • FDIC brought 16 formal and 11 informal enforcement actions; formal orders required $1.2 billion in restitution (concentrated in a small number of large cases)
  • Third-party oversight is now a named examination theme in the FDIC’s findings — vendor management gaps are being cited alongside statutory violations

The Numbers That Actually Matter

1,155 violations across FDIC-supervised institutions covering a full examination cycle. The FDIC supervises approximately 3,000 state non-member banks and thrifts — which means roughly one in three institutions received a violation finding in 2025. That’s before accounting for multiple violations per institution, which the TILA/Reg Z count alone suggests is common.

98% satisfactory or better is the FDIC’s headline metric. It’s worth what it’s always worth: reassuring on the surface, but the distribution underneath it is what matters to your examination. An institution can maintain a satisfactory overall rating while still receiving significant violation findings in specific areas. The “satisfactory” designation doesn’t mean examiners found nothing.

$1.2 billion in restitution through formal orders is a number that needs context. Restitution figures in supervisory highlights are typically concentrated in a small number of large cases — a single institution with systemic disclosure failures across a multi-year examination period can generate nine-figure restitution that dominates the aggregate. The figure doesn’t mean average consumer compliance exposure is in the hundreds of millions. It means that when disclosure and consumer harm failures run uncorrected through multiple examination cycles, the cumulative remediation is extremely expensive.

$4.7 million in voluntary restitution to 47,902 consumers is the more operationally instructive number. These are institutions that identified their own compliance failures — through internal monitoring, audit, or complaint analysis — and worked with the FDIC to make customers whole outside the formal enforcement process. This is the outcome your monitoring and audit function is designed to produce. Self-identification before examination is materially different from FDIC-identified violations: it demonstrates a functional CMS and typically avoids the escalation from informal to formal action.


The Top Five Violations: What FDIC Examiners Keep Citing

1. Truth in Lending Act / Regulation Z — 462 Violations

TILA/Reg Z topped the 2025 findings with 462 violations — approximately 40% of all cited violations arising from a single regulation. The FDIC specifically identifies the most common failure pattern: institutions failing to provide required mortgage disclosures correctly or within mandated timeframes.

This isn’t a new finding. It’s the same pattern that drove the 2015 TRID (TILA-RESPA Integrated Disclosures) rulemaking. A decade later, the same disclosure timing and accuracy failures are still producing the largest violation category in FDIC consumer compliance exams.

The recurring failure modes:

Loan Estimate delivery timing. The Loan Estimate must reach the consumer within three business days of application. Institutions managing applications across multiple channels — online, phone, branch walk-in — consistently struggle with consistent timing documentation when application completion is ambiguous or when intake processes don’t timestamp delivery. Examiners pull delivery logs and compare them against application dates. If you can’t produce that documentation, you fail the test.

APR calculation errors. Fee inclusions and exclusions from the finance charge continue to drive restatement requirements — particularly at institutions that have changed origination platforms, acquired mortgage portfolios, or use multiple software systems that calculate APR differently. The TILA APR tolerance rules are narrow; errors outside tolerance require corrected disclosures and consumer notification.

Adjustable-rate and HELOC disclosure gaps. Variable-rate products and revolving credit facilities have specific TILA disclosure requirements — initial disclosures, change-in-rate notices, periodic statements — that static disclosure templates frequently fail to cover completely. Rate-change notification failures on ARMs are a consistent finding.

Self-assessment action: Pull 25 recent mortgage closings at random. Compare the Loan Estimate delivery date against the documented application completion date. Review the APR calculation against the final loan terms. Check the periodic statement format against current Reg Z requirements. If your compliance monitoring hasn’t done this in the past 12 months, you’re testing your program’s self-awareness, not its accuracy.


2. Electronic Fund Transfers / Regulation E

EFT violations cluster in two areas: error resolution timeline failures and disclosure deficiencies tied to product launches.

Regulation E’s error resolution requirements are specific about timelines — 10 business days to investigate a dispute (20 business days for certain new accounts), with defined consumer notification requirements at each step. When dispute volume spikes — following a fraud event, a system migration, or a product launch — and investigation queues back up, the timeline violations stack. This is operationally predictable and operationally avoidable, but only if the compliance function has visibility into dispute queue aging and investigation timelines.

Disclosure failures under Reg E frequently connect to digital product launches. Mobile app payment features, ACH authorization frameworks, peer-to-peer payment integrations — these require Reg E disclosures at enrollment and at the time of change. Product and engineering teams don’t always route new features through the compliance review process before launch. The result: disclosures that lag feature deployment, sometimes by months.

Self-assessment action: Pull your current dispute queue. Confirm that every open investigation has a documented investigation date and that none have exceeded the Reg E 10-business-day window. Review the last three product launches that involved any payment feature — confirm compliance review of Reg E disclosure requirements was completed before launch, not after.


3. Flood Insurance — The Highest-Dollar Failure Area

Flood insurance violations contributed significantly to the $150 million in orders the FDIC issued in 2025 for flood insurance violations and unfair acts or practices under Section 5 of the Federal Trade Commission Act. The dollar volume here is disproportionate to the violation count — and the reason matters.

The Flood Disaster Protection Act requires flood insurance on improved property in Special Flood Hazard Areas as a condition of any federally regulated or federally backed loan. The violation pattern is structural: institutions that fail to maintain accurate flood zone determination tracking, that don’t force-place coverage when borrower policies lapse, or that provide deficient notice to borrowers before force placement or at closing.

When these failures occur in a mortgage portfolio, they don’t produce a single violation — they produce a violation for every affected loan. Multiply the number of SFHA loans with coverage gaps by the remediation cost per loan, and the flood insurance exposure reaches figures that dwarf most other compliance failure areas quickly.

The institutions generating significant flood insurance violations have usually not failed from ignorance — they’ve failed from inadequate operational controls around flood zone determination at origination, inadequate monitoring of policy renewal status during the life of the loan, and inadequate alerting when coverage lapses. These are technology and process problems masquerading as compliance violations.

Self-assessment action: Run a current review of your real property loan portfolio. Confirm flood zone determinations are being tracked and documented at origination. Confirm your servicing process includes automated monitoring of flood insurance policy renewals and automated notification workflows when coverage lapses. If these processes are manual, they’re a compliance gap.


4. Truth in Savings Act / Regulation DD

Truth in Savings violations center on deposit account disclosures — APY calculations, fee schedules, change-in-terms notices, and time account maturity notifications.

The recurring failure: product updates that outpace disclosure revision. An institution changes its overdraft fee structure, introduces a new account tier, or modifies a CD renewal methodology — and the formal account disclosures don’t catch up for weeks or months. During that gap, the institution is delivering disclosures to new customers that don’t match its actual practices.

Change-in-terms notices are the other persistent problem. Reg DD requires advance notice of any change to a term that was stated in the initial account disclosure — at least 30 days before the effective date. That timeline requires compliance to have visibility into product changes on the front end, not after launch. If product and compliance aren’t reviewing account feature changes together, the 30-day window closes before anyone notices.

Self-assessment action: Compare your current fee schedule against your most recent formal account disclosure. If there are discrepancies, you have a change-in-terms compliance gap. Review your change management process for deposit product updates — confirm compliance is notified and disclosure revisions are completed at least 30 days before any change takes effect.


5. Home Mortgage Disclosure Act / Regulation C — 72 Violations

HMDA produces 72 violations in the 2025 data, concentrated in the same failure modes year over year: missing data fields, incorrect applicant demographic information, incorrect loan purpose codes, and property type mismatches.

The operational risk from HMDA violations compounds in a way that other disclosure violations don’t: HMDA data is the foundation for fair lending analysis. When your HMDA data has errors, you’ve created a compliance violation and simultaneously impaired your ability to monitor your own disparate impact exposure. Examiners who find HMDA reporting errors typically expand into fair lending review — and if your own fair lending analysis has been running on incorrect HMDA data, you may have missed demographic patterns that the corrected data would have revealed.

Self-assessment action: If you’re a HMDA reporter, review your current year-to-date LAR before year-end. Check for blank or incorrect fields in demographic data collection, property type classification, and loan purpose coding. Run a consistency check across your origination system, servicing system, and HMDA reporter to confirm data is flowing correctly between systems.


Third-Party Oversight: The Named Theme That Wasn’t Always

In the 2026 Supervisory Highlights, the FDIC specifically identifies third-party oversight as a recurring examination theme from 2025 — not just as a general best practice, but as a driver of actual compliance violations.

The pattern the FDIC is finding: institutions using third parties to deliver consumer-facing services (loan origination, payment processing, disclosure delivery, debt collection, customer service) and failing to maintain adequate vendor compliance monitoring. The violations the vendor causes — Reg Z disclosures delivered late, Reg E notices missing required elements, Truth in Savings disclosures not updated when product terms changed — attach to the supervised institution, not the vendor.

The specific gaps the FDIC identifies:

  • Vendor contracts that don’t include consumer compliance obligation flow-downs
  • Due diligence that evaluates vendor security but not vendor compliance performance
  • Monitoring programs that track uptime and error rates but don’t review consumer disclosure accuracy
  • No defined process for incident response when a vendor compliance failure triggers notification or restitution obligations

The 2023 interagency guidance on third-party relationships is the operative framework. Vendor financial health monitoring and ongoing oversight covers the operational monitoring side. Compliance training program requirements covers how to extend consumer protection training to third parties who deliver those services on your behalf.


Your Self-Assessment Checklist

Use the FDIC’s findings as a directed self-assessment. If your examination were tomorrow:

TILA/Reg Z: Can you produce delivery-date documentation for the last 25 mortgage Loan Estimates? Have you run an APR accuracy audit in the past 12 months? Are your HELOC and ARM disclosures current against the Reg Z requirements for variable-rate products?

Regulation E: Is your dispute queue current within the 10-business-day investigation window? Was compliance reviewed for the last three payment product launches before those features went live?

Flood insurance: Is flood zone determination tracked at origination and monitored for SFHA loans throughout the loan term? Is force-placement and lapse notification automated, or are you relying on manual tracking?

Truth in Savings: When did your last product update produce a formal change-in-terms notice — and was that notice delivered 30+ days before the change? Do your current account disclosures match your actual fee schedule?

HMDA: If you report HMDA data, when did you last run a data quality review on your current year LAR? Are there any blank or defaulted demographic data fields?

Third parties: Does every vendor who delivers consumer-facing services have a contract provision that flows down consumer compliance obligations? Does your monitoring program measure vendor compliance performance — not just operational performance?

Finding gaps here is the right outcome. A self-identified gap with a documented remediation plan is categorically different from an examiner-identified violation — both for your enforcement risk and for how your CMS is evaluated.

The RCSA (Risk & Control Self-Assessment) provides the control-level framework to document what these findings mean, who owns remediation, what the evidence looks like, and how to track progress in a format that examiners recognize as a functional compliance monitoring program. Regulatory examination readiness covers the documentation and evidence packaging step that turns self-assessment findings into exam preparation.

The FDIC publishes this report every year because these violations happen every year. The institutions that keep getting cited aren’t running compliance programs that missed these areas entirely — they’re running programs where the controls exist on paper but don’t catch the specific operational failures that produce violations. The difference between a satisfactory examination and a findings-heavy one is usually in the control effectiveness layer, not the policy layer.


Sources: FDIC Spring 2026 Consumer Compliance Supervisory Highlights (PDF), FDIC — FDIC Issues 2026 Consumer Compliance Supervisory Highlights, Cooley Finsights — FDIC Issues 2026 Consumer Compliance Supervisory Highlights, Guidepost Solutions — Most Frequently Cited Consumer Compliance Violations in 2025

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What were the most frequently cited violations in 2025 FDIC consumer compliance exams?
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights identified 1,155 violations in 2025 exams, with the top five categories accounting for approximately 75% of all violations cited. TILA/Regulation Z led with 462 violations — primarily failures to provide required mortgage disclosures correctly or within mandated timeframes. The remaining top violations were Electronic Fund Transfers (Regulation E), flood insurance requirements under the Flood Disaster Protection Act, Truth in Savings (Regulation DD), and HMDA/Regulation C (72 violations). Third-party oversight was also specifically identified as a recurring examination theme, appearing alongside traditional consumer protection statutes in exam findings.
Why do flood insurance violations generate such large dollar enforcement amounts?
Flood insurance violations are structurally different from most consumer compliance violations because they affect entire loan portfolios rather than individual transactions. The Flood Disaster Protection Act requires flood insurance on improved property in Special Flood Hazard Areas (SFHAs) as a condition of any federally regulated loan — and when an institution fails to require, monitor, or force-place that coverage, the violation affects every loan in the SFHA portfolio that lacks adequate coverage. The required remediation — waiving incorrectly assessed premiums, reimbursing forced-place insurance costs, or correcting flood zone determination errors — scales with loan count. That's why the FDIC's 2025 findings show $150 million in orders for flood insurance and UDAP violations, a number disproportionate to the violation count.
What is a compliance management system (CMS) and how does the FDIC evaluate it?
A compliance management system (CMS) is the integrated structure of board oversight, management direction, policies and procedures, training, monitoring and audit, and consumer complaint response that an institution uses to manage its consumer compliance obligations. The FDIC evaluates CMS quality as the primary lens for assessing compliance risk — violations are treated as evidence that one or more CMS components failed. Examiners assess whether the board and senior management are actively involved in compliance oversight, whether policies and procedures are current and accurate, whether training reaches relevant staff, whether monitoring catches gaps before they become violations, and whether the complaint process surfaces and resolves consumer issues. A strong CMS earns examiner credit even when isolated violations exist; a weak CMS triggers elevated scrutiny across the entire program.
What's the difference between a formal and informal FDIC enforcement action?
A formal enforcement action is a public, legally binding document — consent orders, cease and desist orders, civil money penalties — issued when the FDIC determines that an institution has engaged in unsafe or unsound practices or committed violations that warrant mandatory corrective action. Formal actions are disclosed publicly. In 2025, the FDIC brought 16 formal enforcement actions. Informal enforcement actions — memoranda of understanding (MOUs), commitment letters, board resolutions — are non-public agreements where the institution commits to corrective action without a formal legal requirement. In 2025, 11 informal actions were taken. Informal actions typically follow less severe findings or responsive management; formal actions typically involve systemic failures, consumer harm, or management that hasn't adequately responded to previous supervisory concerns.
How does third-party oversight fit into the FDIC's consumer compliance examination framework?
The FDIC's Spring 2026 Supervisory Highlights specifically identified third-party oversight as a recurring examination theme in 2025. When an institution uses a vendor, fintech partner, or service provider to deliver consumer-facing services — loan origination, payment processing, disclosure delivery, customer service, collections — the compliance obligation for those consumer protections remains with the supervised institution. Examiners are looking for vendor contracts that include compliance obligation flow-downs, ongoing monitoring of third-party compliance performance, and incident response coordination when a vendor failure triggers regulatory notification requirements. The 2023 interagency guidance on third-party relationships is the operative framework; institutions that haven't mapped their vendor relationships against consumer compliance obligations have a gap the FDIC will find.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.