What is a monitorship and when is one imposed on a bank?

The full answer

A monitorship puts an independent third party inside a bank with authority to review controls, test compliance programs, and report directly to regulators or prosecutors. The bank pays for the monitor and has no veto over its conclusions. Reports go to the DOJ or regulator first; the bank typically gets a copy afterward.

The legal instrument is almost always one of three: a deferred prosecution agreement (DPA), a non-prosecution agreement (NPA), or a consent order from a federal banking regulator. DPAs and NPAs come from the Department of Justice, typically after criminal charges for Bank Secrecy Act, AML, or sanctions violations. Consent orders come from the OCC, Federal Reserve, FDIC, FinCEN, or state agencies like NYDFS.

The DOJ's standard for imposing a monitor, set out in the 2008 Morford Memorandum and updated through subsequent policy guidance, is whether there's a "demonstrated need" for independent oversight. In practice, that threshold is crossed when a bank shows one or more of:

• Systemic AML failures. Not isolated errors but a pattern of inadequate transaction monitoring, persistent SAR filing deficiencies, or broken onboarding controls across large segments of the business.
• Sanctions violations with volume. Processing transactions for OFAC-designated jurisdictions where staff knew or should have known.
• Prior remediation commitments that weren't met. A bank that agreed to fix controls in a prior exam cycle and hasn't is a strong monitorship candidate.
• Criminal conviction or DPA at the institutional level. When the bank itself (not just individuals) faces criminal exposure, a monitor is frequently the price of avoiding prosecution.

Knowing what triggers a regulatory exam matters here. A troubled bank rating, then a matter requiring attention (MRA), then a matter requiring immediate attention (MRIA), and then a formal enforcement action: this sequence is well established. Monitorships sit at the end of that chain.

HSBC's 2012 DPA is the benchmark case. After processing billions in transactions for drug cartels and sanctioned jurisdictions, HSBC entered a five-year monitorship with Michael Cherkasky of Exiger as the court-approved monitor. The DOJ extended it in 2017, citing insufficient progress on remediation. In October 2024, TD Bank pleaded guilty to BSA and money laundering conspiracy charges and entered a monitorship as part of a $3 billion-plus settlement: the largest bank-level BSA guilty plea in U.S. history. The DOJ cited chronic failures to monitor accounts linked to drug trafficking networks, including repeated SAR filing failures over multiple years.

Standard monitorship duration is three to five years. Extensions happen often. The OCC's enforcement action database and FinCEN's enforcement page both carry publicly available consent orders and penalty notices that precede or accompany monitorships.

Why this matters

Cost beyond the fine. A penalty is a one-time payment. A monitorship is a sustained operating burden. The bank pays monitor fees (which can run tens of millions per year for large institutions), funds parallel internal remediation teams, and expands its compliance program, all at the same time. How much AML compliance already costs is a common question; a monitorship multiplies that baseline.

Operational restrictions. Consent orders often cap growth. A bank under monitoring may be prohibited from acquisitions, new branches, or new products without regulatory sign-off. Failing an AML exam can start this chain. A monitorship locks it in for years.

Ongoing audit exposure. The monitor can interview any employee and pull any record at any time with no advance notice. Teams managing transaction monitoring false positive rates or customer due diligence programs must be able to demonstrate in real time that those programs work. Deficiencies found by the monitor go directly to the DOJ or OCC.

Milestone deadlines with teeth. Monitors operate against a remediation schedule agreed at the outset. Missing milestones extends the monitorship. In the most serious cases, missed milestones can reactivate criminal prosecution under the original DPA. That risk is not hypothetical.

The failures that produce monitorships follow a pattern: stale customer risk ratings, weak beneficial ownership controls, and transaction monitoring systems generating too many alerts to action effectively. AI-assisted transaction monitoring appears in remediation plans with increasing frequency precisely because alert volume overload is a central reason monitoring programs break down. Getting ahead of what triggers a regulatory exam is the only reliable way to avoid reaching the monitorship threshold.

Related questions

• What happens when a bank fails an AML exam?
• What triggers a regulatory exam?
• How long do banks have to file a SAR?
• What is the penalty for a missed CTR?
• Can AI be used for AML transaction monitoring?

Related concepts and regulations

• What is the difference between CDD and EDD?
• How does FinCEN define suspicious activity?
• What percentage of AML alerts are false positives?
• How often should customer risk ratings be refreshed?
• What is a beneficial owner?