On 10 October 2024, TD Bank pleaded guilty to wilfully violating the Bank Secrecy Act and agreed to pay $3.09 billion in combined DOJ, FinCEN, OCC, and Federal Reserve penalties. Between January 2018 and April 2024, 92 percent of TD’s transaction volume, about $18.3 trillion, ran unmonitored.

FinCEN called it the largest depository-institution penalty in US Treasury history. The bank also accepted a four-year FinCEN monitorship, a five-year DOJ probation, and a three-year independent monitor.

What every bank director and compliance lead needs to know about regulatory compliance
Regulatory compliance is the operating system of a bank, not a back-office checklist. TD Bank’s $3.09 billion BSA/AML settlement in October 2024 is the clearest recent proof that a weak bank compliance program can put an entire franchise at risk.
The six pillars of a credible banking regulatory compliance program are regulatory inventory, risk assessment, policies and procedures, controls, monitoring and testing, and training and culture. Skip any one of these and the program will fail its first serious exam.
Ponemon research pegs the cost of non-compliance at 2.71x the cost of compliance: $14.82 million against $5.47 million on its averages, a $9.35 million gap that exceeds what the compliance program itself costs.
Small banks spend 11%-15.5% of payroll on compliance, compared with 6%-10% at the largest institutions (CSBS 2025). That burden is a strategic problem, not just a budget line.
RegTech is the real compliance multiplier for 2026-2030. The market grows from $14.7B in 2025 to $115.5B by 2035 (CAGR 20.6%), and the banks pulling ahead are the ones treating AI-assisted monitoring as a core control, not a pilot.
The compliance horizon for 2026 is dominated by Basel III endgame, full MFA under NYDFS Part 500, ESG/climate disclosure, digital-asset rules, and the OCC’s recalibrated heightened standards. Boards that do not plan against that horizon inherit its findings.

Regulators didn’t sanction TD because the rules were unclear; they sanctioned TD because, as the guilty plea records, the bank wilfully failed to maintain an adequate AML program.

The bill for a thin regulatory compliance program is rarely abstract; it lands in a guilty plea, a press conference, and a decade-long remediation roadmap.

Compliance is not a back-office function. It is the operating system of a bank. Every deposit, every loan, every wire, every algorithm runs on top of a stack of rules: BSA, AML, Dodd-Frank, GLBA, SOX, FATCA, OFAC, CFPB consumer protection, NYDFS Part 500, Basel III, and the growing list of digital-asset and AI-model rules.

The practitioner question is not whether banking regulatory compliance matters. It is whether your program is the kind that survives the next enforcement cycle, or the kind that quietly accumulates deficiencies until a regulator finds them.

This guide is the playbook we wish every bank board and compliance lead had before their next OCC or FDIC exam.

We work through a six-step bank compliance program, the laws that anchor it, the 2025-2026 enforcement data that every board should already know, the RegTech and AI shifts changing the control set, and the pitfalls that turn well-funded programs into shelfware.

We write for practitioners: compliance officers, CROs, internal auditors, and directors on risk and audit committees, who will have to defend their compliance decisions in a post-mortem, not a classroom.

By the end, you will have: a working definition of banking regulatory compliance and the six controls that hold it together; a mapping of the seven federal laws every US bank answers to; an evidence-grounded view of 2025-2026 fines and enforcement patterns; a chart-backed case for why the program pays back 2.71x; a compliance officer job description you can paste into HR; a pitfalls table based on recent enforcement actions; a forward look for 2026-2028; and a FAQ section written for both search and AI-assistant surfaces.

If your CEO asked you right now whether your regulatory compliance program would survive a TD-scale exam, you should be able to answer in two minutes by the time you finish reading.

What Banking Regulatory Compliance Actually Means in 2026

Banking regulatory compliance is the discipline of demonstrating, with evidence, not opinion, that a bank follows every law, rule, guideline, and supervisory expectation that governs how it takes deposits, lends money, moves value, manages risk, and treats customers.

The emphasis is on demonstrating. Regulators don’t grade intent. They grade artefacts: policies with version histories, risk assessments with rating rationales, control tests with sample selections, board minutes with actual risk discussions, suspicious activity reports filed on time.

A compliance program that cannot produce those artefacts on demand is, in the language of OCC examiners, unsafe and unsound.

Three things have changed about banking regulatory compliance since 2020, and any practitioner who hasn’t updated their mental model is working off a stale playbook.

First, the scope has widened well beyond AML and consumer protection: SEC climate disclosure, digital-asset custody, AI model risk, and operational resilience now sit squarely inside the perimeter.

Second, regulators expect banks to surface problems, not wait to be caught; the 36-hour computer-security incident notification rule and the CFPB’s supervisory letters make that explicit. Third, enforcement has become personal.

The NYDFS Part 500 Second Amendment requires CEOs and CISOs to sign annual compliance certifications; other agencies are following.

Why Banking Regulatory Compliance Is Now Board-Level Work

Compliance has moved from a compliance-department issue to a board-of-directors issue. The OCC’s 2014 Heightened Standards (Appendix D to 12 CFR Part 30) already required each director of a covered bank to oversee the risk governance framework and hold management accountable for adhering to it.

A 2025 proposed amendment would raise the threshold from $50B to $700B in assets, but the direction of travel for board accountability is unambiguous.

Boards that delegate bank regulatory oversight entirely to the chief compliance officer are the boards whose members end up named in consent orders.

The strongest banks have made banking regulatory compliance a standing agenda item at every board risk and audit committee meeting, with a dashboard that ties regulatory obligations to key risk indicators for banks, exam findings, and remediation status.

That dashboard is the single most useful artefact a bank can build in 2026. It turns regulatory compliance from a retrospective conversation into a forward-looking one.

The Seven Core US Laws Inside Every Banking Regulatory Compliance Program

Banking regulatory compliance in the United States rests on a stack of laws that every practitioner should be able to recite in order. The table below is the reference card we hand to every new compliance officer on day one.

Memorising this list is the start of competent compliance work; understanding how the rules interact is what separates a good compliance officer from an excellent one.

Law / Rule | Year | What it governs | Primary regulator
Bank Secrecy Act (BSA) | 1970 | Suspicious activity reporting, CTRs, KYC, AML program minimums | FinCEN / OCC / Fed / FDIC
Gramm-Leach-Bliley Act (GLBA) | 1999 | Financial-privacy notices, safeguards rule for customer data | FTC / federal banking agencies
USA PATRIOT Act Title III | 2001 | Customer Identification Program, enhanced due diligence, correspondent banking | FinCEN / OCC
Sarbanes-Oxley Act (SOX) | 2002 | Internal controls over financial reporting, CEO/CFO certifications | SEC / PCAOB
Dodd-Frank Act | 2010 | Systemic-risk oversight, CFPB consumer protection, Volcker Rule, stress testing | CFPB / Fed / OCC / SEC
FATCA | 2010 | Foreign financial account reporting, Form 8938, 40% understatement penalty | IRS
OFAC sanctions regime | ongoing | Blocked persons, sanctions screening, SDN list controls | Treasury / OFAC

Figure 1: The seven anchor laws every US banking regulatory compliance program must map to controls.

Chart 1: Bank compliance enforcement: global bank fines 2019-2025, with TD Bank’s record-breaking $3.09B BSA/AML penalty highlighted (sources: Fenergo, FinCEN, OCC, ABA Banking Journal).

The Six-Step Banking Regulatory Compliance Program

Now that we have defined banking regulatory compliance and listed its legal anchors, the next question is how to actually build a program that will survive an exam.

The six-step framework below is how we structure every compliance engagement. It mirrors the FFIEC examination procedures, the OCC Comptroller’s Handbook on compliance management, and the COSO framework that most US banks use for internal controls over financial reporting.

Each step produces a named artefact. If you cannot show an examiner the artefact, the step is not done.

Chart 2: Where banking regulatory compliance effort actually concentrates: the six-step program plotted by share of total programme time.

Step 1 of Banking Regulatory Compliance: Regulatory Inventory and Mapping

Every regulatory compliance program starts with a regulatory inventory, a living register of every law, rule, and guideline that applies to the bank. For a community bank the list is usually 150-250 obligations; for a large US bank operating internationally it exceeds 1,500.

The inventory must map each obligation to an owner, a business process, and at least one control. Without the mapping, banking regulatory compliance devolves into a collection of disconnected policies that no one can prove cover everything.

Thomson Reuters’ Cost of Compliance survey consistently finds that financial firms track more than 200 regulatory alerts a day; the inventory is what turns that fire-hose into a manageable workstream.

Step 2 of Banking Regulatory Compliance: Risk Assessment and Rating

The regulatory compliance risk assessment translates the inventory into a prioritised view of where the bank could fail. The methodology that works in practice is a two-axis rating: inherent likelihood × inherent consequence gives the inherent rating, control effectiveness is assessed against it, and what remains is the residual rating.

Our compliance risk assessment framework walks through the full process, and the regulatory compliance risk assessment template is a ready-to-use Excel artefact you can adapt to your bank. Residual, not inherent, is the number that goes to the board.

If the methodology isn’t documented, the rating isn’t credible, and the banking regulatory compliance conversation stops short.

Step 3 of Banking Regulatory Compliance: Policies, Standards and Procedures

Bank compliance policies translate the risk assessment into actual rules for the business. The hierarchy is policy (board-approved, principle-level), standard (management-approved, detail-level), procedure (operational, step-level).

Each layer must be versioned, dated, owner-named, review-cycled, and cross-referenced back to the regulatory inventory. A common banking regulatory compliance failure is policy bloat: hundreds of pages of documents that contradict each other.

The fix is a policy management tool that enforces a single source of truth. NYDFS examiners specifically look for policy version histories during Part 500 exams.
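Steps 1 and 3 both come down to one linkage: every obligation in the inventory maps to an owner, a process and a control; every control is mandated by an in-cycle policy and evidenced by a recent test. The script below is an added example, not code from this article or from any GRC product, of the integrity check an examiner effectively performs by hand. The obligation references, control and policy IDs, dates and the 365-day test-age tolerance are constructed assumptions for illustration; the three BSA citations are real sections of 31 CFR, but the register rows are not any bank’s inventory.

```python
"""Added example, not code from the article or any vendor platform: a linkage
check over a regulatory inventory.  Every obligation must carry an owner, a
business process and at least one control; every control must be evidenced
by a recent test and mandated by a policy that is within its review cycle.
All identifiers, dates and register rows below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Obligation:
    ref: str                 # regulatory citation or short name
    owner: Optional[str]     # accountable person or function
    process: Optional[str]   # business process the obligation lands on
    controls: list[str]      # control IDs in the control library


@dataclass
class Control:
    cid: str
    policy: str                    # policy ID that mandates this control
    last_tested: Optional[date]    # None means operation was never evidenced


@dataclass
class Policy:
    pid: str
    version: str
    next_review: date


def find_gaps(obligations: list[Obligation], controls: list[Control],
              policies: list[Policy], as_of: date,
              max_test_age_days: int = 365) -> list[str]:
    """Return a sorted list of examiner-style findings; an empty list means clean."""
    ctl = {c.cid: c for c in controls}
    pol = {p.pid: p for p in policies}
    gaps: set[str] = set()
    for o in obligations:
        if not o.owner:
            gaps.add(f"{o.ref}: no owner")
        if not o.process:
            gaps.add(f"{o.ref}: no business process")
        if not o.controls:
            gaps.add(f"{o.ref}: no control mapped")
        for cid in o.controls:
            c = ctl.get(cid)
            if c is None:
                # Mapped on paper to a control that does not exist in the library
                gaps.add(f"{o.ref}: control {cid} not in control library")
                continue
            if c.last_tested is None:
                gaps.add(f"{cid}: never tested")
            elif (as_of - c.last_tested).days > max_test_age_days:
                gaps.add(f"{cid}: last test {c.last_tested} older than "
                         f"{max_test_age_days} days")
            p = pol.get(c.policy)
            if p is None:
                gaps.add(f"{cid}: policy {c.policy} not in policy library")
            elif p.next_review < as_of:
                gaps.add(f"{p.pid} v{p.version}: review overdue since {p.next_review}")
    return sorted(gaps)


def inventory_gaps_sample() -> list[str]:
    """Constructed register: three BSA obligations and one OFAC obligation."""
    obligations = [
        Obligation("31 CFR 1020.320 (SAR filing)", "BSA Officer",
                   "Financial crime investigations", ["C-TM-01", "C-SAR-02", "C-TM-99"]),
        Obligation("31 CFR 1010.311 (CTR filing)", "BSA Officer",
                   "Teller operations", ["C-CTR-01"]),
        Obligation("31 CFR 1020.220 (CIP)", None, "Account opening", []),
        Obligation("OFAC sanctions screening", "Sanctions Officer",
                   "Payments", ["C-OFAC-01"]),
    ]
    controls = [
        Control("C-TM-01", "POL-AML-001", date(2026, 1, 15)),
        Control("C-SAR-02", "POL-AML-001", None),            # never evidenced
        Control("C-CTR-01", "POL-AML-001", date(2024, 11, 30)),  # stale test
        Control("C-OFAC-01", "POL-SANC-002", date(2026, 2, 1)),
        # C-TM-99 is referenced by an obligation but is absent from the library
    ]
    policies = [
        Policy("POL-AML-001", "4.2", date(2026, 9, 30)),
        Policy("POL-SANC-002", "1.0", date(2025, 12, 31)),   # review overdue
    ]
    return find_gaps(obligations, controls, policies, as_of=date(2026, 3, 31))


if __name__ == "__main__":
    for finding in inventory_gaps_sample():
        print(finding)
```

Run against a real register the same check produces the list of obligations that cannot be evidenced, which is exactly the list an examiner turns into MRAs; the useful KRI for the board is the count of such findings over time, not the existence of the register.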

Step 4 of Banking Regulatory Compliance: Control Design and Implementation

Controls are where regulatory compliance policies meet reality. The discipline is to design preventive controls wherever possible (automated sanctions screening, transaction monitoring tuned to typology), detective controls as a safety net (independent testing, surveillance analytics), and corrective controls for when the first two fail (case management, remediation workflows). Control design must be documented and control operation must be evidenced.

TD Bank’s BSA/AML failings are the definitive case study: the policies were largely in place; the controls were not operating. Risk and compliance automation tools are now essential for banks handling more than a few hundred thousand transactions a day.
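The control that was missing at TD is the one the pitfalls table and the 90-day plan both call for: a reconciliation of what the ledger booked against what the monitoring engine actually scored, by channel and by value, with the monitored-versus-booked share as a board KRI. The script below is an added example, not code from this article, of that reconciliation; the channel names, transaction IDs, amounts and the 99% per-channel threshold are constructed assumptions, and the monitored-ID feed is stand-in for whatever the real engine exports.

```python
"""Added example, not code from the article: reconcile transactions booked on
the core ledger against the IDs the AML transaction-monitoring engine reports
having ingested, by channel and by dollar value, and emit the
monitored-versus-booked KRI that belongs on a board dashboard.
Channel names, IDs, amounts and the threshold are constructed sample data."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    channel: str      # wire, ach, check, p2p ...
    amount_usd: float


def reconcile(booked: list[Txn], monitored_ids: set[str],
              min_coverage: float = 0.99) -> dict:
    """Coverage by value per channel plus the breaches an examiner would ask about.

    A channel is a breach when less than min_coverage of its booked value
    reached the monitoring engine.  Orphan IDs (monitored but never booked)
    indicate a feed or ID-mapping defect and are reported separately.
    """
    seen: set[str] = set()
    seg: dict[str, dict[str, float]] = defaultdict(
        lambda: {"booked_n": 0, "booked_usd": 0.0, "monitored_n": 0, "monitored_usd": 0.0})
    for t in booked:
        if t.txn_id in seen:
            raise ValueError(f"duplicate booked transaction id {t.txn_id}")
        seen.add(t.txn_id)
        s = seg[t.channel]
        s["booked_n"] += 1
        s["booked_usd"] += t.amount_usd
        if t.txn_id in monitored_ids:
            s["monitored_n"] += 1
            s["monitored_usd"] += t.amount_usd

    channels: dict[str, dict[str, float]] = {}
    breaches: list[str] = []
    for ch, s in sorted(seg.items()):
        cov = s["monitored_usd"] / s["booked_usd"] if s["booked_usd"] else 0.0
        channels[ch] = {**s, "coverage": cov}
        if cov < min_coverage:
            breaches.append(ch)

    total_booked = sum(s["booked_usd"] for s in seg.values())
    total_mon = sum(s["monitored_usd"] for s in seg.values())
    return {
        "overall_coverage": total_mon / total_booked if total_booked else 0.0,
        "unmonitored_usd": total_booked - total_mon,
        "channels": channels,
        "breaches": breaches,
        "orphan_monitored_ids": sorted(monitored_ids - seen),
    }


def coverage_sample() -> dict:
    """Constructed day: wires fully fed, ACH and P2P never onboarded, one check missing."""
    booked = [
        Txn("W-1", "wire", 250_000), Txn("W-2", "wire", 120_000), Txn("W-3", "wire", 80_000),
        Txn("A-1", "ach", 15_000), Txn("A-2", "ach", 40_000),
        Txn("A-3", "ach", 9_000), Txn("A-4", "ach", 36_000),
        Txn("C-1", "check", 5_000), Txn("C-2", "check", 7_000),
        Txn("P-1", "p2p", 900), Txn("P-2", "p2p", 1_100),
    ]
    # IDs the monitoring engine reports having scored today (constructed);
    # M-999 has no ledger record and should surface as an orphan.
    monitored = {"W-1", "W-2", "W-3", "C-1", "M-999"}
    return reconcile(booked, monitored)


if __name__ == "__main__":
    r = coverage_sample()
    print(f"monitored share of booked value: {r['overall_coverage']:.1%}")
    print("channels below threshold:", ", ".join(r["breaches"]))
    print("orphan monitored ids:", r["orphan_monitored_ids"])
```

Two design points matter in practice. Coverage is measured by value as well as count, because a single unfed high-value channel can leave most of the money unmonitored while the transaction count looks healthy. And orphan IDs are reported rather than ignored, because an engine that scores IDs the ledger never booked is usually consuming a stale or mis-keyed feed, which is a coverage problem in disguise.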

Step 5 of Banking Regulatory Compliance: Monitoring, Testing and Reporting

Compliance monitoring is the 2nd-line function that runs continuously; testing is the 2nd-line sampling exercise that runs on a cycle; independent internal audit is the 3rd-line attestation.

Internal audit management platforms now integrate all three so reports flow into a single dashboard.

Board reporting is the output that matters. A banking regulatory compliance dashboard should show: open regulatory obligations, overdue remediation items, recent exam findings and status, recent suspicious activity filings, and forward-looking regulatory changes. If the board only sees backward-looking numbers, it is not a compliance dashboard; it is a scoreboard.

Step 6 of Banking Regulatory Compliance: Training, Culture and Remediation

The final step of the compliance program is the one most programs under-resource: training, culture, and remediation.

Every US bank must deliver annual BSA/AML training, GLBA privacy training, OFAC screening training, and role-specific training for high-risk functions (trade finance, correspondent banking, private wealth).

What separates strong banking regulatory compliance cultures from weak ones is whether escalation is rewarded or punished.

Wells Fargo’s fake-accounts scandal, the case that triggered the $1.95 trillion asset cap finally lifted in June 2025, is a culture story, not a policy story. The policies forbade the behaviour; the culture rewarded it.

For risk teams translating those lessons into measurable controls, see our guide on KRIs for sales teams in regulated industries, which covers pipeline-quality, conduct, and incentive-plan thresholds.

The Business Case for Banking Regulatory Compliance Investment

Having walked through the six-step regulatory compliance program, the natural board question is whether it pays back. The evidence says it does, and the multiplier is large enough to end the debate.

Ponemon Institute’s True Cost of Compliance study across multinational organisations puts the average total cost of non-compliance at $14.82 million, against $5.47 million for running a well-resourced banking regulatory compliance program. That is a 2.71x multiplier, $9.35 million saved for every $5.47 million spent.

In our experience those numbers understate the case for banks, because the non-compliance number excludes reputational damage and asset-cap-style growth constraints.

Chart 3: Compliance arithmetic: prevention costs $5.47M on average, while non-compliance costs $14.82M, a 2.71x return on investment (Source: Ponemon Institute).

What Banking Regulatory Compliance Non-Compliance Actually Costs in 2025

The 2024-2025 enforcement data is sobering. Global bank fines for financial-crime and regulatory-compliance breaches totalled $4.5 billion in 2024, with AML violations, including transaction monitoring failures, alone exceeding $3.3 billion (fintech.global).

OFAC enforcement settlements totalled $265 million in 2025, up from $49 million in 2024, with eight of the 14 public actions targeting Russia-related sanctions (Sidley 2025 sanctions review).

FinCEN imposed a $42 million penalty in February 2025 and a $3.5 million penalty in December 2025, and launched a multi-tiered operation against more than 100 money services businesses along the southwest border.

The punchline for any banking regulatory compliance lead writing a budget memo: the regulator pipeline is not slowing down.

The Banking Regulatory Compliance Cost Burden on Small Banks

Compliance costs are not evenly distributed. The CSBS Working Paper 25-01, the most rigorous 2025 study on the question, shows the smallest US banks spending 11% to 15.5% of payroll on banking regulatory compliance tasks, against 6% to 10% for the largest.

The annual personnel compliance cost gap between smallest and largest banks is 3.8%-8.2% of total payroll.

This is a structural regulatory compliance problem: fixed compliance costs spread across smaller balance sheets mean community banks effectively pay a scale tax to stay in business.

The FDIC’s 25 November 2025 threshold revision, the most significant since the 1990s, is a first attempt to address it.

Chart 4: Regulatory compliance as a share of payroll, by bank size (CSBS 2025 Working Paper 25-01).

Banking Regulatory Compliance in the Age of AI and RegTech

The business case is one side of the story; technology is the other. Banking regulatory compliance in 2026 is being rebuilt around RegTech.

The RegTech market grows from $14.7 billion in 2025 to $115.5 billion by 2035 at a 20.6% CAGR, the fastest-growing segment of enterprise risk technology. Banking and financial services already capture roughly 50% of RegTech spend.

The banks pulling ahead are the ones treating AI-assisted transaction monitoring, automated regulatory-change management, and model-risk dashboards as core compliance controls, not pilots.

Chart 5: Banking regulatory compliance and the RegTech trajectory: $14.7B in 2025 to $115.5B by 2035 (CAGR 20.62%).

How AI Is Reshaping Banking Regulatory Compliance Monitoring

AI is changing bank compliance in three concrete ways. First, transaction monitoring is moving from rule-based alerts (high false-positive rates, around 95% in traditional AML systems) to machine-learning classifiers that learn from investigator feedback.

Second, regulatory-change management is moving from manual alert review to large-language-model summarisation that flags obligations against the bank’s control library. Third, adverse-media and sanctions screening have collapsed from hours per case to seconds per case.

None of this removes the banking regulatory compliance officer; all of it changes what the compliance officer spends time on. The AML Act of 2020 explicitly recognised AI’s role in strengthening transaction monitoring.

Model Risk Management as Banking Regulatory Compliance: SR 11-7 Reloaded

The model-risk rulebook for AI runs through SR 11-7 and the OCC’s 2021 Model Risk Management booklet of the Comptroller’s Handbook.

The guidance demands three safeguards for every model: independent validation, ongoing monitoring of outputs against outcomes, and documentation.

Generative AI stretches the SR 11-7 framework; regulators have publicly acknowledged that LLMs are not easily evaluated using traditional validation techniques.

The OCC Bulletin 2025-26 clarified community-bank expectations, and the model risk management SR 11-7 practitioner guide lays out the validation framework that auditors accept.

Banks deploying generative AI in credit, fraud, or customer-servicing loops without an SR 11-7-aligned model inventory are building the compliance program debt that will be exposed at their next exam.

The Banking Regulatory Compliance Stack: What to Build, Buy or Rent

The banking regulatory compliance technology stack in 2026 has five layers: an integrated GRC platform (workflow, obligations, assessments), a policy management tool, a regulatory-change management service, a transaction monitoring / screening engine, and an audit management suite.

Our comparisons across best compliance management software, best risk and compliance automation tools, and best ERM software platforms walk through specific products and their bank compliance fit.

The build-buy-rent decision depends on scale: community banks typically rent (SaaS), regionals buy selected components, globals build on top of commercial platforms.

The Banking Regulatory Compliance Officer: Role, Skills, Pay

A regulatory compliance program is only as credible as the person running it. The chief compliance officer (CCO) sits in the 2nd line of defence, reports independently to the board (usually through the audit or risk committee), and owns the six-step program end-to-end.

The banking regulatory compliance officer also chairs or co-chairs the compliance committee, signs off on policies, certifies SAR filings, and, in NYDFS-covered institutions, co-signs the annual Part 500 certification with the CEO. This is not a compliance-department manager role; it is an officer of the bank.

Banking Regulatory Compliance Officer, Skills That Move the Needle

The regulatory compliance officers who actually move the needle share a profile: 10+ years in banking, at least one rotation through a front-office business, a CAMS or ICA certification, strong reading of regulations (not just summaries), and, most importantly, the political skill to push back on a CEO who wants banking regulatory compliance to move out of the way.

Pay reflects the scarcity. BSA/AML officer salaries in 2025-2026 range from $61,500 at the 25th percentile to $172,500 at the 90th (ZipRecruiter 2026), with the average for a US BSA/AML compliance officer at $98,949. Large-bank CCOs in money centers frequently exceed $1 million in total comp.

Banking Regulatory Compliance Officer Job Description, Ready to Use

Responsibility area | What a compliance officer does
Program governance | Owns the six-step bank compliance framework; signs off on policies; chairs the compliance committee; co-signs regulatory certifications.
Regulatory change management | Maintains the regulatory inventory; maps new rules to controls; briefs the board on material bank compliance changes.
Risk assessment | Leads the annual compliance risk assessment; ratifies inherent, control, and residual ratings; escalates residual risks above appetite.
Monitoring and testing | Designs and runs the 2nd-line monitoring plan; reviews testing results; escalates exceptions; coordinates with internal audit.
Training and culture | Designs the annual training curriculum; owns compliance culture surveys; runs speak-up and whistleblower reviews.
Regulator management | Single point of contact for OCC, Fed, FDIC, CFPB, NYDFS; manages exam responses, MRA/MRIA remediation, consent orders.
Board reporting | Presents a quarterly banking regulatory compliance dashboard; flags forward-looking obligations; briefs audit and risk committees.

Figure 2: Banking regulatory compliance officer responsibilities, a paste-ready job description for HR and the board charter.

Pitfalls That Derail Banking Regulatory Compliance Programs

Every strong compliance program we have seen failed in the same handful of ways before it got strong.

The table below is the pattern-book we keep from 2024-2025 enforcement actions. Each pitfall has a named regulator, a named bank, and an evidenced fix.

Use it as a pre-mortem: if any of the seven descriptions feel uncomfortably familiar, that’s the area to fix first.

Pitfall | Evidence / named case | Fix
Transaction-monitoring gaps in BSA/AML compliance | TD Bank: 92% of transaction volume unmonitored 2018-2024; $3.09B settlement October 2024. | Coverage reconciliation quarterly; independent model validation; monitored-vs-booked volume KRI on the board dashboard.
Sales-incentive schemes that break compliance | Wells Fargo fake-accounts scandal; Fed asset cap 2018-June 2025. | Incentive-plan compliance review; speak-up monitoring; link pay to conduct outcomes, not just production.
Policy bloat and contradictions | Multiple 2024-2025 OCC MRAs for policy governance gaps. | Single-source policy management system; annual review cycle; clear policy-to-control-to-test linkage.
Under-scoped NYDFS Part 500 compliance | NYDFS enforcements for MFA, asset inventory, senior-officer certification failures 2024-2025. | MFA universal by 1 November 2025; asset inventory with owner, RTO and support-expiry; CEO/CISO dual-sign certification.
Model risk management weak on generative AI | OCC and Fed supervisory commentary 2024-2025; SR 11-7 extended scope. | Model inventory including LLMs and agents; validation protocol for non-traditional models; audit trail for AI-assisted decisions.
Board compliance oversight in name only | OCC Heightened Standards exam findings 2024; individual director consent orders. | Compliance dashboard every meeting; annual self-assessment against Appendix D; named committee owner per regulatory domain.
Remediation backlog masquerading as a plan | Common finding across FFIEC agency exams 2024-2025. | Issues and actions register with aging; automatic board escalation of 90+ day overdue items; evidence-of-closure requirement.

Figure 3: Seven pitfalls in banking regulatory compliance programs, with evidence and fixes drawn from 2024-2025 enforcement actions.

The Banking Regulatory Compliance Horizon 2026-2028

Ending a bank regulatory oversight playbook at current practice is a mistake. What arrives next always matters more than what is already on the books, because the bank that prepares early sets the cost curve.

Our read on the 2026-2028 horizon, drawn from Fed, OCC, FDIC, NYDFS, EU, and Basel Committee statements, identifies five shifts every banking regulatory compliance officer should be planning against right now.

Banking Regulatory Compliance Shift #1, Basel III Endgame Arrives

Basel III Endgame, or its revised US incarnation, moves capital calculation from familiar risk-weight formulas to a more standardised, less model-sensitive approach.

Early estimates put the aggregate CET1 capital increase at 16-25% for affected bank holding companies, concentrated in the largest and most complex institutions (EY Basel III Endgame).

The compliance consequence is substantial: new reporting templates, new stress scenarios, new internal-model documentation, and a new conversation with the board about risk-weighted-asset optimisation.

Our Basel III endgame final rule guide walks through the detail.

Banking Regulatory Compliance Shift #2, NYDFS Part 500 Full Maturity

NYDFS Part 500 is now in its full-maturity phase. Universal MFA took effect 1 November 2025. Dual-signature CEO/CISO certification is annual.

The asset inventory must track owner, location, classification, support-expiry, and RTO. Evidence retention is five years.

Banks still treating Part 500 as an IT problem miss the regulatory compliance implication: the regulation is a rehearsal for rules the federal agencies will write next.

Our NYDFS 23 NYCRR 500 compliance guide details every requirement and FTC Safeguards Rule compliance covers the adjacent federal regime.

Banking Regulatory Compliance Shift #3, AI and Algorithmic Accountability

AI governance is the next frontier of banking regulatory compliance. The EU AI Act classifies credit-scoring models as high-risk, triggering conformity assessments, data-governance requirements, and human-oversight obligations.

The NIST AI RMF is the US analogue that federal banking agencies are quietly adopting as a supervisory benchmark. Expect OCC and Fed examination modules on generative-AI governance by 2026, with CFPB following on lending-specific AI.

Banking Regulatory Compliance Shift #4, Digital Assets Enter the Perimeter

US bank regulatory posture toward digital assets shifted in 2025. OCC interpretive letters confirm national banks may hold digital assets as principal for network operations and engage in riskless-principal crypto-asset transactions (Freshfields 2025 Regulatory Roundup).

The regulatory compliance work is significant: custody controls, AML for on-chain transactions, market-abuse surveillance, and accounting treatment all need new policies. Our crypto trading risk management guide is a useful starting point.

Banking Regulatory Compliance Shift #5, Operational Resilience and DORA

Operational resilience has become a formal banking regulatory compliance domain in the UK, EU, and US.

The EU’s Digital Operational Resilience Act (DORA) applies to US financial firms with EU operations; our DORA compliance checklist for US financial firms covers scope, timelines and controls.

Federal US agencies issued a joint statement in July 2024 warning that banks remain fully accountable for outsourced activities, tightening third-party risk management expectations for 2026.

Expect 2026-2027 to bring harmonised US operational-resilience rules that pull together incident notification, critical third-party designation, and recovery/resolution planning.

Frequently Asked Questions About Banking Regulatory Compliance

The questions below are the ones we field most often from boards, audit committees, and incoming compliance officers. Each answer is deliberately short enough to paste into a board pack, and long enough to be useful when a regulator reads it.

Q1. What is banking regulatory compliance in plain language?

Banking regulatory compliance is the discipline of making sure a bank obeys every law, rule, and supervisory expectation that governs how it handles money, customers, and risk, and being able to prove it with evidence.

The BSA, Dodd-Frank, SOX, GLBA, FATCA, OFAC, NYDFS Part 500, and a growing list of AI and digital-asset rules all sit inside the bank compliance perimeter.

Q2. Who enforces banking regulatory compliance in the US?

Multiple agencies do. The OCC supervises national banks; the Federal Reserve supervises bank holding companies and state-member banks; the FDIC supervises state non-member banks; the CFPB enforces consumer-protection rules at banks above $10B;

FinCEN runs the BSA regime; the SEC polices securities and SOX; OFAC enforces sanctions; state regulators like NYDFS add a layer. A credible banking regulatory compliance program assigns a named owner to each agency.

Q3. How big does a banking regulatory compliance program need to be?

There is no universal answer, but the CSBS 2025 data gives a defensible benchmark. Small banks devote 11%-15.5% of payroll to compliance; large banks 6%-10%.

As a rule of thumb, a $1B community bank should have at least 2-3 FTEs dedicated to banking regulatory compliance plus BSA/AML, and a regional bank at $10B needs 25-40 FTEs across compliance, BSA, fraud, and financial-crime investigations.

Q4. What does a banking regulatory compliance exam actually look like?

OCC, Fed, and FDIC regulatory compliance exams follow FFIEC procedures: pre-exam document request list, on-site or hybrid fieldwork for 2-6 weeks, a closing meeting, and a report of examination (ROE) issued 60-120 days later.

Findings are graded as Matters Requiring Attention (MRA) or Matters Requiring Immediate Attention (MRIA). Unaddressed MRIAs can become consent orders, cease-and-desist orders, or civil money penalties.

Q5. How does a bank prove banking regulatory compliance?

With artefacts, not assertions. Banking regulatory compliance evidence includes regulatory inventories, risk assessments with methodology documentation, policies with version history, control design documents, monitoring plans with sampling methodology, testing workpapers, SARs and CTRs filed, training records, board meeting minutes, and management self-assessments. NYDFS requires five-year retention; the OCC typically expects three to five years depending on the document.

Q6. What is the biggest recent banking regulatory compliance case and what did it teach us?

TD Bank’s $3.09 billion BSA/AML settlement in October 2024 is the recent high-water mark. TD admitted wilful violation of the BSA; 92% of its transaction volume ($18.3 trillion) went unmonitored over six years.

The compliance program lessons: transaction-monitoring coverage is not a technical metric, it’s a board metric; culture enables or blocks escalation; and monitorships now last four or more years.

FinCEN’s record-breaking enforcement sets the tone for every bank compliance program built from 2025 onwards.

Q7. How should a board structure banking regulatory compliance oversight?

The OCC Heightened Standards (Appendix D to 12 CFR Part 30) give the clearest template: the board or a board risk committee approves the regulatory compliance framework, reviews a dashboard each meeting, meets the CCO without management present at least annually, and completes an annual self-assessment against Appendix D.

Audit and compliance functions must report independently of the businesses they review.

Q8. What is the single highest-ROI banking regulatory compliance investment in 2026?

In our experience, the highest-ROI banking regulatory compliance investment in 2026 is an integrated obligations-to-controls-to-tests platform combined with an AI-assisted transaction-monitoring engine.

The combination slashes false positives, cuts manual remediation time by 40-60%, and produces the evidence auditors and regulators actually want. Either investment alone underperforms the combination.

Executive Summary, Banking Regulatory Compliance Action Plan

Close the loop with action. A bank compliance program that is not measured against a dated action list quietly reverts to the status quo between exams.

The checklist below is the one we give new clients as a first-90-days scorecard. It is deliberately SMART: every item has an owner, a deliverable, and a review date. Print it, tape it to the CCO’s wall, and re-read it on the first day of every quarter.

Compliance program action | Owner | 90-day deliverable
Refresh regulatory inventory and map obligations to controls | CCO + Legal | Updated register with owner and last-tested date per obligation
Run annual compliance risk assessment | CCO + 2nd line | Inherent / control / residual ratings with methodology documented
Stand up banking regulatory compliance board dashboard | CCO + Board secretary | Quarterly pack with KRIs, findings, remediation aging, horizon scan
Close all open MRAs/MRIAs over 90 days | CRO + line owners | Evidence-of-closure pack for each item
Validate AML transaction-monitoring coverage | BSA officer + MRM | Volume reconciliation + coverage KRI tile on the board dashboard
Upgrade policy management to single source of truth | CCO + CIO | Version-controlled policy library with review cycle
Deliver annual training at 100% completion | CCO + HR | BSA/AML, OFAC, GLBA and role-specific training logged in LMS
Deliver 2026 horizon scan to board | CCO | Briefing on Basel III Endgame, Part 500, AI, digital assets, DORA

Figure 4: Banking regulatory compliance 90-day action plan, the SMART scorecard we hand clients on day one.

The banks that treat the compliance function as an operating system, not a department, are the ones that turn regulation into a competitive advantage.

They close the exam book faster, spend less on remediation, attract the best compliance talent, and have the optionality to move into new products (digital assets, AI-native underwriting, embedded finance) without building the control stack from scratch.

The banks that treat regulatory compliance as an overhead line are the ones that end up in a DOJ press release. That binary choice is the What, So What, Now What of this entire guide.
