On May 21, 2026, the Office of the Comptroller of the Currency (OCC) made public an April 2026 consent order (AA-ENF-2025-21) against a federal savings association based in the Northeast for deficiencies in its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. The order is the latest in a growing line of enforcement actions demonstrating that regulators are paying close attention to smaller institutions — particularly those that have expanded rapidly into payment processing and fintech-adjacent business lines without proportionally scaling their compliance infrastructure. For community banks pursuing revenue growth through fintech partnerships and payments services, the lessons are both clear and urgent.
What Happened at the Bank
The OCC found that since 2020, the bank had significantly expanded its payment processing capabilities relative to its size, resulting in substantial annual wire and ACH activity, including cross-border activity involving foreign financial institutions. Despite this rapid growth in transaction volume and attendant risk, the bank failed to develop and maintain controls and risk management processes commensurate with that risk and growth.
The comptroller’s findings detail a cascade of interconnected failures. The bank’s suspicious activity monitoring processes were deficient for identifying, investigating, and reporting potentially suspicious activity. Specifically, the bank’s automated suspicious activity alerting system had filtering criteria and thresholds that were not adequately tuned to the risk profile of its payment processing line. An automated alert triage system had deficiencies in its logic, data, and methodology, resulting in the system auto-closing a very high percentage of all ingested alerts — alerts that should have been escalated for further review.
The bank’s customer due diligence program was also found to be ineffective. As a result, the bank did not understand the nature of certain of its customers’ businesses or the purpose of transactions flowing through the payment processing line, including risks related to foreign financial institutions. In various instances, the bank failed to determine whether it had correspondent accounts for foreign financial institutions, compromising its ability to ensure compliance with due diligence requirements under Section 312 of the USA PATRIOT Act.
Adding to these systemic breakdowns, the bank’s independent testing for BSA/AML was weak — its internal auditor failed to identify BSA/AML program weaknesses and failed to scope in high-risk areas of the bank’s program. The OCC ultimately concluded that the bank had not established and maintained a reasonably designed BSA/AML compliance program, citing systemic breakdowns in internal controls, weak independent testing, and weak BSA staffing. These deficiencies resulted in violations of 12 C.F.R. § 21.21 (BSA/AML program violation), 12 C.F.R. § 163.180(d) (suspicious activity reporting violation), and 31 C.F.R. § 1010.520(b)(3) (violation of information sharing requirements under Section 314(a) of the USA PATRIOT Act).
The consent order requires the bank to appoint a compliance committee, submit a comprehensive action plan within 90 days, engage an independent third-party consultant to conduct a full BSA program assessment, overhaul its internal controls and customer due diligence programs, implement a risk-based suspicious activity review program, conduct a SAR lookback to identify previously unreported suspicious activity, and ensure adequate BSA/AML staffing. Notably, the OCC signed this order through the assistant deputy comptroller for Novel Bank Supervision — a signal about how the agency categorizes institutions with significant fintech and payments-oriented business models.
Why This Matters: The Risk Landscape for Community Banks in Payments and Fintech
The bank described above is not an anomaly. It joins another community bank that received a BSA/AML consent order from the OCC in October 2024 for similar failures involving oversight of payment processor accounts. Together, these actions confirm that regulators are not only focused on the largest financial institutions with high-risk, cross-border business models, but also on local community banks that fail to meet their BSA/AML obligations adequately.
The pattern is instructive. Community banks seeking to diversify revenue through fintech partnerships and payment processing services are inherently taking on disproportionate risk relative to their traditional business profiles. Payment processing introduces high transaction volumes, cross-border exposure, relationships with non-bank fintech companies and their end customers, and rapid scaling dynamics — all of which demand sophisticated monitoring systems, robust customer identification and due diligence programs, and staffing levels capable of managing that complexity. When a bank’s compliance infrastructure does not keep pace with its business growth, the regulatory consequences can be swift and severe.
The OCC has been explicit about its expectations. U.S. regulators scrutinize compliance program budgets relative to business growth and demand, and they continue to re-evaluate those programs dynamically as the institution changes. Financial institutions cannot have a “set it and forget it” approach to AML compliance. This principle, articulated forcefully in the context of the historic $3.1 billion resolution entered into by a large national bank in 2024, applies with equal force to community banks operating at a fraction of that scale.
Practical Compliance Guidance for Community Banks
For community banks that are currently engaged in, or contemplating, fintech partnerships and payments business lines, the following recommendations emerge directly from the lessons of the OCC’s April 2026 consent order:
- Scale your BSA/AML compliance program in lockstep with business growth. The central failure described in the OCC’s April 2026 consent order was that the bank significantly expanded its payment processing operations without commensurate controls. Before onboarding a new payments partner or expanding transaction volumes, conduct a proactive risk assessment and ensure your compliance budget, technology, and staffing can absorb the added risk. As the OCC’s order makes clear, your BSA/AML risk assessment must evaluate the impact of new product lines, third-party relationships, transaction types and volumes, and geographies served.
- Invest in transaction monitoring systems that are properly calibrated to your risk profile. The automated alert system utilized by the bank in the OCC’s April 2026 consent order had filtering thresholds that were not tuned to its payment processing business, and its triage logic auto-closed alerts that warranted human review. Institutions should conduct regular model validation and threshold testing — particularly when adding new products or customers — to ensure that monitoring systems apply appropriate rules, thresholds, and filters commensurate with the bank’s risk profile. Data analytics and AML software solutions that align transaction monitoring and SAR reporting with your risk model can significantly reduce compliance costs while improving detection rates.
- Build a customer due diligence program that genuinely understands your payment customers’ businesses. In its April 2026 consent order, the OCC found that the bank did not understand the nature of certain of its customers’ businesses or the purpose of their transactions. For banks serving fintech companies and payment processors, this means conducting enhanced due diligence at onboarding and on an ongoing basis, including understanding the fintech’s end-user customer base, transaction flows, geographic exposure, and business model. Design your Know Your Customer (KYC) programs to reflect the risk within your customer base — time-consuming, enhanced due diligence should be reserved for your highest-risk customers. At the same time, procedures for lower-risk relationships can be simplified.
- Ensure your independent testing function has the scope, competence, and courage to identify weaknesses. The bank’s internal auditor failed to identify weaknesses in the BSA/AML program and failed to scope in high-risk areas. Whether your audit is conducted internally or by a third party, it must encompass your highest-risk business lines — including any payments or fintech activities — and test whether controls are functioning as designed.
- Staff your BSA/AML function with qualified professionals who have sufficient independence, authority, and resources. Weak BSA staffing was explicitly cited as a contributing factor in the consent order. Community banks do not need to match the compliance headcount of multinational institutions, but they must ensure that their BSA officers and support staff have the expertise to manage the institution’s actual risk profile — not just its historical one.
The Takeaway
The OCC’s recent consent order is a clear signal that regulators expect community banks to match their ambition with proportionate compliance investment. The revenue opportunity in fintech partnerships and payments processing is real, but so are the risks — and the consequences of failing to manage them. Community banks contemplating growth in this space should view the order not as a cautionary tale about a single institution, but as a regulatory roadmap for what is expected of any bank whose risk profile is evolving. The institutions that will thrive in the fintech partnership ecosystem are those that build compliance programs as a strategic capability, not as an afterthought, and that invest continuously in the people, technology, and processes needed to keep pace with their own success.
