The Office of the Comptroller of the Currency released its May 2026 enforcement actions on Thursday, with the central bank-facing action focused on Bank Secrecy Act and anti-money-laundering weaknesses at Community Federal Savings Bank, a federal savings association based in Woodhaven, New York.

The OCC said it issued a consent order against Community Federal Savings Bank for deficiencies in the bank’s BSA/AML compliance program that resulted in violations of law or regulation. The agency cited violations including 12 CFR 21.21, which covers BSA/AML program requirements; 12 CFR 163.180(d), which covers suspicious activity reporting obligations for federal savings associations; and 31 CFR 1010.520(b)(3), involving information-sharing requirements under section 314(a) of the USA PATRIOT Act.

The action was disclosed in OCC News Release 2026-40, dated May 21, 2026, as part of the regulator’s monthly publication of public enforcement actions. The release said the OCC uses enforcement actions against banks to require boards of directors and management teams to take timely steps to correct deficient practices or violations identified by examiners. The May release included one new bank consent order, one prohibition order against an institution-affiliated party, and five terminations of earlier formal agreements or consent orders.

For Community Federal Savings Bank, the consent order provides a detailed picture of the regulator’s concerns about how compliance controls kept pace with growth in higher-risk activity. According to the order, since 2020 the bank “significantly grown its payment processing line” relative to its size, resulting in significant annual wire and ACH activity, including cross-border activity involving foreign financial institutions. The OCC found that, despite that growth and the risks attached to it, the bank failed to develop and maintain controls and risk management processes commensurate with its risk profile and expansion.

The findings place the order squarely within the banking sector’s broader regulatory focus on payment flows, correspondent exposure, transaction monitoring and customer due diligence. Banks involved in payment processing can face elevated operational and financial-crime risks when transaction volumes grow quickly, especially where customers, counterparties or payment pathways involve foreign financial institutions or cross-border flows. The OCC’s order does not frame the matter as a capital or liquidity problem; instead, it targets the governance, monitoring and control architecture supporting the bank’s compliance obligations.

The order states that Community Federal Savings Bank neither admitted nor denied the OCC’s findings. It also notes that the bank had begun taking some corrective actions and had articulated commitments to remedy the deficiencies identified by the regulator. Still, the OCC imposed a formal remediation program requiring board-level oversight, written plans, independent assessments and continuing reporting obligations.

A significant portion of the order focuses on suspicious activity monitoring. The OCC found that the bank’s processes for identifying, investigating and reporting potentially suspicious activity were deficient. The order said the bank’s automated alerting system had not been adequately tuned to the risk profile of the payment processing business, increases in higher-risk products and services, or international exposures. The OCC also said the bank used an automated alert triage system with deficiencies in logic, data and methodology, which resulted in alerts being auto-closed when they should have been escalated for further review.

That finding is especially relevant for banks relying on automated monitoring systems to manage high transaction volumes. The order’s language indicates the OCC expects monitoring rules, thresholds and filters to be aligned with actual activity and risk, not merely installed as static technology controls. When alert settings are not calibrated to business growth or customer risk, a bank can miss activity that should be investigated and, where appropriate, reported through Suspicious Activity Reports.

The order also found that the bank’s customer due diligence program was ineffective. According to the OCC, the bank did not understand the nature of certain customers’ businesses or the purpose of transactions in the payment processing line, including risks related to foreign financial institutions. The agency said the bank failed to effectively consider risks related to payment processing customers, including the volume of cross-border transactions. It also said that, in various instances, the bank failed to determine whether it had correspondent accounts for foreign financial institutions, which was necessary to ensure compliance with due diligence requirements under section 312 of the USA PATRIOT Act.

Customer due diligence is a core control in BSA/AML compliance because it gives banks the baseline information required to assess expected activity, assign risk ratings and identify deviations that may signal suspicious conduct. Where a bank processes payments for customers with complex transaction patterns, weak customer-risk information can undermine both front-end onboarding and back-end monitoring. The OCC’s findings suggest that customer knowledge, transaction purpose and foreign financial-institution exposure were not sufficiently integrated into Community Federal Savings Bank’s risk framework.

The OCC further cited weak independent testing. The order said the bank’s internal auditor failed to identify BSA/AML program weaknesses and failed to scope and effectively test high-risk areas of the BSA/AML program. Independent testing is one of the pillars of bank BSA compliance programs, and the regulator’s finding points to a governance weakness beyond individual transaction reviews. If internal audit or other independent control functions do not test the areas of greatest risk, boards and senior management may receive an incomplete view of whether a compliance program is functioning as designed.

The formal remediation requirements begin with governance. The bank’s board must appoint a compliance committee of at least three members within 15 days of the order, with a majority composed of directors who are not employees or officers of the bank or its subsidiaries or affiliates. The committee is required to monitor and oversee compliance with the order, meet at least quarterly, maintain detailed minutes and make those minutes available to the OCC.

Within 90 days, the bank must submit a written action plan to the OCC for review and a prior written determination of no supervisory objection. That plan must detail the remedial actions necessary to achieve and maintain compliance with the BSA and must include the substantive requirements of the order’s articles covering program assessment, internal controls, suspicious activity review, look-back work, audit and staffing. The plan must identify corrective actions, cite the relevant order provisions, set completion timelines and assign responsible parties.

The order also requires a comprehensive end-to-end BSA program assessment by a third-party consultant. The assessment must evaluate all components of the bank’s BSA program, identify deficiencies that need to be addressed and determine whether the program is commensurate with the bank’s size, complexity and risk profile. The consultant must provide written conclusions to the board and provide copies and supporting materials to the OCC upon request.

In internal controls, the bank must develop and maintain an acceptable system to identify and control risks associated with money laundering, terrorist financing and other illicit financial activity. The required controls include a written institution-wide risk assessment covering products, services, customer types, customer risk ratings, transaction types, transaction volumes and geographies served. The board must ensure that the risk assessment is updated periodically and whenever significant changes in BSA/AML risk occur within the bank or its business lines.

The order separately requires the bank to develop a written customer due diligence program with clear customer risk categories, an effective risk-rating methodology, ongoing monitoring, periodic reviews of higher-risk customers and accounts, and timely identification of correspondent accounts for foreign financial institutions. It also requires a program to screen bank files, records and data sources for section 314(a) information-sharing obligations.

On suspicious activity review, the bank must implement a risk-based program consistent with its regulatory obligations. The order requires monitoring systems that identify potentially suspicious activity by applying appropriate rules, thresholds and filters tied to the bank’s risk profile. It also requires effective and timely alert disposition, appropriate consideration of customer due diligence information during investigations, timely and accurate SAR filings, and prompt remediation of any backlogs in the suspicious activity review process.

The OCC also ordered a SAR look-back conducted by an independent third-party consultant. The look-back must determine whether SARs should be filed for previously unreported suspicious activity and review the quality and accuracy of prior SAR filings to determine whether corrections or amendments are needed. Within 60 days of completing the look-back, the consultant must provide the board with a written report addressing reviewed customers, accounts and transactions; matters requiring additional investigation; recommended new SAR filings; and existing SARs that should be corrected or amended.

The order imposes requirements on audit and staffing as well. The bank must strengthen its BSA/AML audit program so that deficiencies in processes and controls are promptly reported to the board or audit committee and senior management. The board or audit committee must ensure management takes prompt action to remedy audit findings and that the audit function validates corrective action. If the bank’s BSA officer position is vacated, the board must retain a qualified replacement with sufficient independence, authority and resources. The bank must also employ sufficient staff with appropriate training, skills and expertise to support the BSA officer and the broader BSA/AML program.

The OCC did not announce a civil money penalty against Community Federal Savings Bank in the May release. However, the order expressly reserves the agency’s right to assess civil money penalties or take other enforcement actions if the OCC determines that the bank has continued, failed to correct, or otherwise violated the order or the underlying legal requirements. The order also says the settlement does not prevent the OCC from taking other actions against the bank or institution-affiliated parties based on the findings or other matters.

The May enforcement package included a separate order of prohibition against Dyemond Williams, a former associate at JPMorgan Chase Bank, N.A. in Columbus, Ohio. The OCC said Williams made or assisted others in making unauthorized withdrawals from customer accounts and that the bank suffered a loss of at least $38,500. An order of prohibition bars an individual from participating in the affairs of a bank or other covered institution as defined under federal banking law.

The agency also terminated several earlier enforcement actions. The terminations included an order ending a formal agreement with Axiom Bank, National Association of Maitland, Florida, dated October 3, 2024; an order terminating a 2021 consent order against Cenlar Federal Savings Bank of Ewing, New Jersey; and orders terminating formal agreements with Lincoln FSB of Nebraska, The First National Bank of Waverly and The First National Bank of Williamson. The OCC said it terminates enforcement actions when a bank has demonstrated compliance, when outstanding provisions have become outdated or irrelevant, or when unresolved provisions are incorporated into a new action.

For the banking industry, the Community Federal Savings Bank order is likely to be read as a control-scaling case. The OCC’s findings repeatedly link compliance weaknesses to growth in payment processing and cross-border activity, underscoring that a bank’s financial-crime risk can rise faster than its asset size or traditional community-bank profile might imply. The order also reinforces that automated systems do not insulate banks from supervisory criticism if their rules, filters and thresholds are not calibrated to actual risks.

The action comes against a regulatory backdrop in which the BSA framework remains a central tool for detecting and preventing money laundering and other illicit finance. FinCEN describes the Bank Secrecy Act as authorizing Treasury to impose reporting and other requirements on financial institutions and other businesses to help detect and prevent money laundering. The OCC’s own BSA materials state that the statute establishes program, recordkeeping and reporting requirements for national banks, federal savings associations, federal branches and agencies of foreign banks, with OCC implementing regulations including 12 CFR 21.11 and 12 CFR 21.21.

Community Federal Savings Bank’s immediate regulatory burden is now operational rather than rhetorical: it must document a remediation plan, obtain OCC non-objection for key elements, engage independent consultants, review past suspicious activity handling, improve board oversight and maintain evidence that corrective actions are implemented and effective. For counterparties and market observers, the order signals continued supervisory scrutiny of banks that facilitate payment flows and foreign-linked transactions, particularly where compliance staffing, audit testing and monitoring systems do not match the complexity of the business.