Compliance Fines and Penalties: What US Regulators
Comprehensive breakdown of compliance fines by sector in the US: FinCEN, OFAC, FTC penalties. Real enforcement data, trends, and how to reduce exposure.

In 2025, FinCEN and federal banking regulators imposed over $2.1 billion in AML-related penalties, with Bank Secrecy Act (BSA) violations and sanctions breaches accounting for the majority. The FTC continued to issue fines across healthcare, telecoms, and financial services for consumer protection and privacy violations. This article maps out which US regulators fine which sectors, how much they charge, and what patterns are emerging from recent enforcement data.
US regulators and their enforcement powers
The US regulatory landscape distributes compliance enforcement across multiple federal and state agencies, each with distinct sectoral jurisdiction and penalty frameworks. Understanding which regulator covers your sector is the first step in managing compliance risk.
FinCEN administers the BSA and oversees AML compliance for financial institutions and other covered entities. The OFAC enforces US sanctions programs. The FTC enforces consumer protection and privacy laws across all sectors. The OCC supervises national banks and federal savings associations, while the Federal Reserve oversees bank holding companies and state member banks.
| Regulator | Sectors supervised | Maximum penalty | Legal basis |
|---|---|---|---|
| FinCEN | Banks, MSBs, casinos, insurance, broker-dealers, precious metals dealers | Up to $1 million per violation per day (willful) | BSA / AMLA 2020 |
| OFAC | All US persons and entities | Up to $20 million per violation (criminal); $356,579 per civil violation | IEEPA, Trading with the Enemy Act |
| FTC | All sectors (consumer protection, privacy) | $50,120 per violation (adjusted annually) | FTC Act, CCPA enforcement referrals |
| OCC | National banks, federal savings associations | Unlimited (proportionate to violation) | 12 USC §1818 |
| SEC | Broker-dealers, investment advisers, public companies | Up to $2.27 million per violation (individuals); $22.7 million (entities) | Securities Exchange Act, Dodd-Frank |
FinCEN's enforcement authority expanded significantly under the Anti-Money Laundering Act of 2020 (AMLA), part of the National Defense Authorization Act. AMLA strengthened whistleblower incentives, increased penalties for repeat offenders, and broadened FinCEN's supervisory reach to include dealers in antiquities and certain real estate transactions (FinCEN – AMLA 2020 Fact Sheet).
Banking and financial services: where the largest fines land
Banking consistently attracts the heaviest regulatory penalties in the United States. BSA violations, weak transaction monitoring, and inadequate customer due diligence are the primary triggers.
The TD Bank case in 2024 stands as a landmark. TD Bank agreed to pay over $3 billion in penalties – including $1.3 billion to FinCEN and $1.8 billion to the DOJ – after pleading guilty to conspiracy to commit money laundering and BSA violations. The bank failed to monitor approximately $18.3 trillion in customer transactions over a decade, allowing criminal networks to launder hundreds of millions of dollars (DOJ – TD Bank Press Release).
| Year | Entity | Fine amount | Regulator | Primary failing |
|---|---|---|---|---|
| 2024 | TD Bank | $3+ billion | FinCEN / DOJ | BSA conspiracy, transaction monitoring failures |
| 2023 | Binance | $4.3 billion | FinCEN / DOJ / OFAC | AML failures, sanctions violations |
| 2022 | USAA Federal Savings Bank | $140 million | FinCEN | BSA program deficiencies |
| 2021 | Capital One | $390 million | FinCEN | Willful BSA violations, failure to file SARs |
| 2020 | Goldman Sachs | $2.9 billion | DOJ / SEC / Fed | 1MDB bribery and money laundering |
| 2012 | HSBC | $1.9 billion | DOJ / OCC | AML and sanctions failures |
FinCEN's enforcement strategy has expanded beyond traditional banks to include crypto exchanges and fintechs. The Binance enforcement action in 2023 signals that operating outside the US does not shield institutions from American AML law when they serve US customers. When customer volumes increase, customer due diligence and transaction monitoring must scale accordingly.
Consumer protection and privacy enforcement: the FTC's approach
The FTC takes an aggressive enforcement posture on consumer privacy, data security, and deceptive practices, prioritizing sectors that process large volumes of sensitive personal data. Healthcare, financial services, and technology companies face the highest scrutiny.
The US does not have a single comprehensive federal privacy law equivalent to the GDPR, but the FTC Act's prohibition on unfair or deceptive practices provides broad enforcement authority. State laws – particularly the California Consumer Privacy Act (CCPA) and its successor the CPRA – add additional layers of compliance requirements and penalties.
| Sector | Typical FTC fine range | Common violations |
|---|---|---|
| Technology / Social media | $50 million - $5 billion | Deceptive privacy practices, data misuse |
| Healthcare / Health tech | $1 million - $100 million | HIPAA-related enforcement, health data breaches |
| Financial services | $10 million - $500 million | Unfair lending practices, data security failures |
| Retail / E-commerce | $500K - $50 million | Deceptive advertising, data breach notification failures |
| Telecoms | $10 million - $200 million | Unauthorized charges, privacy violations |
The FTC's landmark $5 billion penalty against Facebook (Meta) in 2019 remains the largest privacy enforcement action in US history. The agency has signaled a shift toward larger penalties for systemic failures, particularly involving AI-enabled data practices and health data collected outside HIPAA's scope (FTC – Privacy and Data Security Enforcement).
Insurance sector: growing regulatory attention
The insurance sector in the US is primarily regulated at the state level, with each state's Department of Insurance overseeing conduct and solvency. AML obligations apply to insurance companies under the BSA, with FinCEN requiring insurers offering covered products (life insurance, annuities) to maintain AML programs and file suspicious activity reports.
The National Association of Insurance Commissioners (NAIC) provides model regulations that most states adopt, creating a patchwork of compliance requirements. FinCEN has indicated increasing focus on the insurance sector, particularly regarding life insurance policies used as vehicles for money laundering and sanctions evasion.
State regulators impose fines for claims handling violations, product governance failures, and market conduct issues. The New York Department of Financial Services (NYDFS) has emerged as one of the most aggressive state regulators, with enforcement actions frequently exceeding $10 million. Insurance intermediaries and managing general agents face increasing scrutiny as state regulators expand their supervisory perimeters.
Professional services: accountants and real estate under FinCEN
FinCEN's AML supervision of professional services is expanding significantly. The Corporate Transparency Act of 2021 (CTA) requires most US companies to report beneficial ownership information to FinCEN, creating new compliance obligations for accountants, attorneys, and company formation agents who assist clients with entity formation (FinCEN – Beneficial Ownership Information).
Real estate has been a particular focus. FinCEN's Geographic Targeting Orders (GTOs) have required title insurance companies to identify the natural persons behind shell companies used in all-cash real estate purchases in targeted metropolitan areas since 2016. In 2024, FinCEN proposed a rule to extend AML requirements to the entire residential real estate sector, requiring reporting of non-financed transfers involving legal entities or trusts (FinCEN – Real Estate Rulemaking).
Accountants providing tax advisory, entity formation, or trust services face similar scrutiny. While CPAs are not yet formally designated as covered financial institutions under the BSA, FinCEN has proposed regulations that would extend AML program requirements to investment advisers, and accounting professionals are expected to follow.
International regulatory comparison: EU AMLD6 and the global trend
For US firms operating across borders, the EU's new AML package creates additional compliance requirements. AMLD6 doubles maximum sanctions to EUR 10 million or 10% of annual turnover and creates the AMLA as a centralized EU supervisory authority.
The US framework under AMLA 2020 broadly mirrors these standards in ambition, but structural differences remain. The US relies on a network of federal and state regulators rather than a single supervisory authority. Penalty levels in the US often exceed EU maximums – the TD Bank and Binance cases demonstrate that aggregate US penalties for AML failures can reach billions, far exceeding EU caps. US firms servicing EU clients must comply with both regimes, increasing the compliance burden and the potential for dual enforcement.
Trends shaping 2026 enforcement
Three enforcement patterns are visible across US regulators. First, crypto and fintech firms face the same compliance expectations as traditional banks. The Binance and TD Bank cases demonstrate that technology does not earn regulatory leniency – if anything, it increases scrutiny.
Second, FinCEN and the DOJ are increasingly willing to pursue criminal rather than civil enforcement for BSA failures. The TD Bank guilty plea opened the door to criminal liability for institutions, not just individuals, fundamentally changing the risk calculus for compliance officers.
Third, cross-agency coordination is intensifying. FinCEN, the DOJ, OFAC, the SEC, and state regulators share intelligence more actively through mechanisms like the Bank Secrecy Act Advisory Group (BSAAG), meaning a compliance failure flagged by one regulator can trigger investigation by multiple agencies simultaneously. Firms that invest in robust document verification and KYC processes reduce their exposure across all regulatory touchpoints at once.
For a comprehensive overview, see our document fraud data trends guide.
Frequently asked questions
What is the largest AML fine ever imposed in the United States?
The Binance settlement in 2023, totaling $4.3 billion across FinCEN, the DOJ, and OFAC, represents the largest aggregate AML-related penalty in US history. For a single agency, FinCEN's $1.3 billion penalty against TD Bank in 2024 is the largest civil monetary penalty the bureau has ever imposed. These cases set precedents for future enforcement against both domestic and foreign institutions serving US customers.
Can FinCEN and the FTC both fine the same company?
Yes. FinCEN enforces the BSA and AML regulations, while the FTC enforces consumer protection and privacy laws. A firm that suffers a data breach involving customer financial data could face penalties from FinCEN for BSA reporting failures and from the FTC for deceptive data security practices related to the same incident. State attorneys general may also bring parallel actions under state consumer protection statutes.
Are small firms exempt from AML fines?
No. Under the BSA, all covered financial institutions must maintain AML programs regardless of size. FinCEN has penalized money services businesses, small community banks, and individual compliance officers for BSA violations. The Corporate Transparency Act also imposes beneficial ownership reporting requirements on small entities. Proportionality may affect the fine amount, but it does not eliminate the compliance obligation.
How do US fines compare to EU penalties?
US fines for AML failures consistently exceed those imposed by most EU member states, both in absolute terms and relative to firm size. The US framework's combination of federal criminal penalties (DOJ), civil monetary penalties (FinCEN), and sanctions enforcement (OFAC) can produce aggregate settlements in the billions – far above the AMLD6 maximum of 10% of turnover. The EU's new centralized enforcement through AMLA may narrow this gap over time.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified attorney for advice tailored to your circumstances.
For deeper context on the document fraud patterns that drive these regulatory actions, read our document fraud statistics overview. You can also explore our AML compliance guide for practical steps to build a compliant program, or review the AMLD6 obligations for obligated entities. Our data from over 180,000 documents processed monthly shows that automated verification reduces compliance gaps by detecting 94.8% of fraudulent documents with a false positive rate of 2.8%. Learn how CheckFile.ai supports compliance workflows, or visit our pricing page.