Bank of America 2024: $225M Enforcement Action
In July 2024, the OCC fined Bank of America $225 million for violations of federal banking law, citing deficiencies in the bank's compliance controls over a large-scale customer program. The OCC found the bank failed to adequately investigate customer claims, properly apply consumer protection obligations, and maintain sufficient oversight of an outsized operational risk.
What happened?
Bank of America's $225 million penalty from the OCC in July 2024 arose from the bank's administration of prepaid debit card accounts used to distribute state unemployment benefits during the COVID-19 pandemic. According to the OCC press release, the bank failed to maintain adequate internal controls over this program, which at its peak processed payments for millions of benefit recipients across multiple states.
The core failure was two-sided. Fraudsters exploited weak identity verification to drain accounts through account takeover and synthetic identity schemes. At the same time, the bank's automated fraud-flagging systems froze legitimate claimants out of their funds, sometimes for weeks. The bank then failed to properly investigate disputes and, according to regulators, systematically denied or delayed customer claims in violation of federal consumer protection rules.
The program's scale amplified the damage. Bank of America was the primary administrator for California's Employment Development Department (EDD) debit card program, one of the largest unemployment benefit distribution channels in the country. Regulators alleged that the bank did not treat this operational exposure with commensurate compliance rigor, and that deficiencies present earlier in the program persisted without adequate correction.
The OCC's formal action, issued alongside a separate penalty from the Consumer Financial Protection Bureau, addressed the bank's obligations under Regulation E (the Electronic Fund Transfer Act), which governs consumer liability for unauthorized transactions and sets strict timelines for investigating disputes.
What did regulators say?
The OCC's press release stated that Bank of America failed to "develop and maintain a compliance risk management program commensurate with the bank's size, complexity, and risk profile" in connection with the prepaid debit card program. Regulators alleged that the bank's internal controls were inadequate to detect and respond to the volume of fraud affecting the accounts, and that its error resolution procedures did not meet the standards required under federal law.
The OCC press release cited violations of the Consumer Financial Protection Act, the Electronic Fund Transfer Act, and its implementing regulation, Regulation E. The agency found that the bank denied consumer claims without conducting reasonable investigations and failed to provide provisional credit within the timeframes federal law requires.
The CFPB, which issued its own $90 million penalty in parallel, stated publicly that the bank "illegally froze customer accounts using a faulty fraud detection program" and "failed to investigate disputes" from customers who had done nothing wrong. According to the CFPB's press release, tens of thousands of customers were left without access to unemployment benefits they were entitled to.
Taken together, the regulators' statements describe a compliance function that was neither sized nor structured for the operational risk the bank had taken on by administering one of the country's largest pandemic-era benefit programs.
What controls failed?
Several distinct control layers failed, and they compounded each other.
Identity verification at account opening was insufficient for the program's fraud exposure. The bank's customer identification processes, which must conform to the Customer Identification Program (CIP) requirements of Section 326 of the USA PATRIOT Act, did not adequately screen for synthetic identities or detect the coordinated account creation patterns used by fraud rings. During peak pandemic periods, the bank processed high volumes of new account openings without a proportional enhancement of its verification controls.
Transaction monitoring failed to distinguish fraud patterns from legitimate high-volume usage. Automated systems either flagged too broadly, blocking legitimate recipients, or failed to catch organized account takeover activity. The bank's behavioral analytics did not adapt quickly enough to the unusual velocity and geography patterns that characterize pandemic-era unemployment fraud.
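The velocity and geography checks described above, as an added example that is not code from the bank or any vendor: it runs two simple rules over a constructed account event log. Thresholds (three withdrawals per hour, region change within 30 minutes) and the log format are assumptions for illustration; the flags it emits are the kind of signal a fraud team would hand to BSA staff for SAR review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): account, UTC timestamp, event kind, login/withdrawal region.
SAMPLE_EVENTS = """\
acct-001,2021-03-01T09:00:00,login,CA
acct-001,2021-03-01T09:10:00,withdrawal,CA
acct-002,2021-03-01T09:00:00,login,CA
acct-002,2021-03-01T09:02:00,login,NY
acct-002,2021-03-01T09:03:00,withdrawal,NY
acct-002,2021-03-01T09:04:00,withdrawal,NY
acct-002,2021-03-01T09:05:00,withdrawal,NY
acct-003,2021-03-01T10:00:00,withdrawal,CA
"""

def parse_events(text):
    """Parse CSV lines into (account, datetime, kind, region) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        acct, ts, kind, region = line.split(",")
        events.append((acct, datetime.fromisoformat(ts), kind, region))
    return sorted(events, key=lambda e: e[1])

def flag_accounts(events, max_withdrawals=3, window=timedelta(hours=1),
                  region_switch=timedelta(minutes=30)):
    """Return {account: [reasons]} for accounts that trip the velocity or geography rule."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e[0]].append(e)
    flags = defaultdict(list)
    for acct, evs in by_acct.items():
        # Velocity rule: sliding window over withdrawal timestamps (events are time-sorted).
        withdrawals = [t for _, t, kind, _ in evs if kind == "withdrawal"]
        for i, t in enumerate(withdrawals):
            if sum(1 for u in withdrawals[i:] if u - t <= window) >= max_withdrawals:
                flags[acct].append("velocity")
                break
        # Geography rule: consecutive logins from different regions too close together.
        logins = [(t, r) for _, t, kind, r in evs if kind == "login"]
        for (t1, r1), (t2, r2) in zip(logins, logins[1:]):
            if r1 != r2 and t2 - t1 <= region_switch:
                flags[acct].append("region_switch")
                break
    return dict(flags)
```

In production the thresholds would be tuned per program so legitimate claimants are not swept up, which is the over-blocking failure the page describes.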
Dispute investigation processes were inadequate at volume. Regulation E requires banks to investigate error notices within specific timeframes and provisionally credit accounts pending resolution. According to regulators, the bank's processes failed to meet these obligations consistently. Staff and system capacity had not been scaled to match the dispute volume the program generated.
Governance and escalation were also cited. Senior oversight of the program's risk profile did not trigger timely remediation when problems became apparent. The bank's internal audit and compliance review functions did not produce corrective action at the pace the situation required.
SAR filing obligations under the Bank Secrecy Act apply when a bank knows or suspects a transaction involves funds from criminal activity. The scale of fraud across the EDD accounts created SAR filing obligations that demanded robust, automated detection pipelines; gaps in transaction monitoring directly undermined the bank's ability to meet those obligations in a timely way.
Which regulations were violated?
The OCC and CFPB enforcement actions cited several regulatory frameworks.
The primary consumer protection violation was under Regulation E (12 CFR Part 1005), which implements the Electronic Fund Transfer Act. The bank failed to meet its error resolution obligations, provisional credit requirements, and consumer notification timelines. For a bank administering a mass-scale prepaid program, Regulation E compliance is not optional infrastructure; it's a hard legal floor.
The Bank Secrecy Act and its implementing rules create obligations when unusual or suspicious transaction patterns arise. The BSA requires financial institutions to maintain programs reasonably designed to detect and report suspicious activity. Deficiencies in transaction monitoring and customer due diligence affect a bank's ability to meet those obligations. The FinCEN CDD Rule sets baseline standards for knowing who you're doing business with; the EDD account openings stressed those standards significantly.
The OCC also cited violations under the Consumer Financial Protection Act's prohibition on unfair, deceptive, or abusive acts or practices (UDAAP), specifically tied to the bank's systematic denial of legitimate customer claims.
For peer institutions running government benefit disbursement programs, 12 CFR Part 21 sets the OCC's BSA compliance expectations. Banks operating such programs at scale cannot treat compliance as a back-office function; regulators expect it to be engineered into the program's operational architecture from the start.
FATF Recommendation 20 on suspicious transaction reporting is the international baseline. US banks must meet or exceed it. When monitoring gaps prevent timely SAR filing on account takeover activity, the failure is simultaneously a domestic BSA violation and a departure from FATF standards.
Which typologies were involved?
The EDD fraud case centered on two typologies.
Account takeover fraud was the dominant pattern. Fraudsters obtained personal information through data breaches, phishing, and dark-web purchases, then used it to access legitimate benefit accounts and redirect funds before recipients noticed. The velocity of takeovers was high, exploiting the window between account opening and the recipient's first login.
Synthetic identity fraud was the second major pattern. Criminals created fictional or blended identities using real Social Security numbers combined with fabricated personal data, applied for accounts, and claimed benefits on behalf of identities that did not correspond to real individuals collecting unemployment. This typology is particularly hard to detect with static rule-based systems because the accounts appear clean until funds are extracted.
Both typologies have a money laundering dimension. The proceeds moved through money mule networks, peer-to-peer payment platforms, and cryptocurrency exchanges. That movement creates SAR filing obligations under the BSA and FATF Rec 20. It also creates layering patterns that cross-institution information sharing, if used, can help detect. Section 314(b) voluntary information sharing exists precisely for these cases; banks with strong fraud-to-AML pipelines use it routinely.
For compliance teams, the lesson from this typology mix is that fraud operations and AML operations cannot run as independent silos. Account takeover fraud generates SAR obligations. Synthetic identity fraud generates CIP failures. Both demand a response that cuts across the traditional compliance org chart.
Aftermath and remediation
The total public penalty was $315 million: $225 million from the OCC and $90 million from the CFPB, according to both agencies' press releases. The CFPB's $90 million included both a civil money penalty and redress requirements for affected consumers.
The OCC's consent order required Bank of America to implement a comprehensive compliance remediation plan covering error resolution processes, fraud detection capabilities, and governance over large-scale consumer programs. The bank was required to submit periodic progress reports to the OCC.
For affected customers, the CFPB required the bank to make restitution for improper claim denials and restore access to frozen funds. According to the CFPB, tens of thousands of consumers were affected.
Bank of America's share price absorbed the penalty without lasting disruption; $225 million is material but manageable for an institution of its balance-sheet size. The reputational impact was more concentrated in California, where the EDD program was most visible and media coverage of frozen accounts was extensive throughout 2020 and 2021.
The enforcement action arrived after years of public complaints, state-level investigations, and prior regulatory attention. The California Department of Financial Protection and Innovation had flagged concerns earlier. The eventual federal enforcement timeline reflected how long systemic compliance failures at large institutions can persist before producing formal penalty outcomes.
Leadership at the bank's consumer banking division acknowledged the failures publicly. The bank stated it had already invested significantly in program improvements by the time the formal enforcement action was issued.
Lessons for other institutions
This case gives compliance teams at large banks a clear diagnostic checklist.
Scale triggers obligations. Administering a government benefit program for millions of customers is not ordinary consumer banking. It brings regulatory obligations, fraud exposure, and dispute volumes that demand purpose-built compliance architecture, not existing retail banking controls applied at higher volumes. Before accepting large-scale program administration contracts, compliance leadership needs to formally assess whether internal controls are sized for the task.
Fraud and AML cannot be separate silos. Account takeover fraud at volume creates suspicious activity that must be reported. If your fraud operations team and your BSA team don't have a formal handoff protocol for high-volume account compromise events, you have a SAR filing gap. Build the bridge before the regulator finds the gap.
Regulation E deadlines are hard. The provisional credit and investigation timelines under Regulation E are not aspirational. Failing them at scale, as this case shows, produces nine-figure penalties. If your dispute resolution process cannot meet statutory timelines during volume spikes, that's a compliance risk that needs staffing and system investment, not just policy documentation.
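The page does not state the Regulation E timelines themselves; the following added example (not the bank's or any vendor's code) applies the ones in 12 CFR 1005.11(c): determine the error within 10 business days of the notice, or provisionally credit by then and finish within 45 calendar days (90 for accounts open less than 30 days). It tracks the dispute investigation obligations discussed under "What controls failed?" and in this lesson; the dispute records are constructed, and the business-day calendar ignores bank holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Timelines from 12 CFR 1005.11(c); these figures are not on the page itself.
INVESTIGATE_BUSINESS_DAYS = 10  # determine the error within 10 business days of notice
FINAL_DAYS_STANDARD = 45        # otherwise credit provisionally and finish within 45 calendar days
FINAL_DAYS_NEW_ACCOUNT = 90     # accounts less than 30 days old (also POS/foreign) get 90 days

def add_business_days(start: date, n: int) -> date:
    """Advance n business days, skipping weekends (bank holidays ignored: simplification)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

@dataclass
class Dispute:
    dispute_id: str
    notice_received: date
    account_opened: date
    provisional_credit_on: Optional[date] = None
    resolved_on: Optional[date] = None

def deadlines(d: Dispute) -> dict:
    """Compute the two Regulation E deadlines for one dispute."""
    new_account = (d.notice_received - d.account_opened).days < 30
    final_days = FINAL_DAYS_NEW_ACCOUNT if new_account else FINAL_DAYS_STANDARD
    return {"investigate_by": add_business_days(d.notice_received, INVESTIGATE_BUSINESS_DAYS),
            "final_by": d.notice_received + timedelta(days=final_days)}

def breaches(d: Dispute, today: date) -> List[str]:
    """Return the deadline breaches visible for dispute d as of today."""
    dl = deadlines(d)
    out = []
    resolved_in_time = d.resolved_on is not None and d.resolved_on <= dl["investigate_by"]
    credited_in_time = d.provisional_credit_on is not None and d.provisional_credit_on <= dl["investigate_by"]
    if today > dl["investigate_by"] and not resolved_in_time and not credited_in_time:
        out.append("provisional_credit_late")
    finished_late = d.resolved_on is not None and d.resolved_on > dl["final_by"]
    if finished_late or (d.resolved_on is None and today > dl["final_by"]):
        out.append("final_resolution_late")
    return out

# Constructed sample disputes (not real cases): one handled correctly, one stuck in a backlog.
SAMPLE_DISPUTES = {
    "ok": Dispute("D-1", date(2021, 3, 1), date(2020, 11, 1), date(2021, 3, 10), date(2021, 4, 10)),
    "stuck": Dispute("D-2", date(2021, 3, 1), date(2021, 2, 20)),  # new account, no credit, unresolved
}
```

Run over a live dispute queue each morning, the "stuck" category is the early-warning metric this lesson asks compliance leadership to watch.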
Early warning signals matter. The EDD account problems were visible in customer complaints and state-level attention for years before the federal enforcement action. Compliance teams should treat elevated complaint rates in a specific product or program as a leading indicator, not a customer service issue. Escalation pathways from complaint data to senior compliance leadership should be short and formal.
Vendor and program oversight has teeth. Banks that administer third-party programs remain fully responsible for the compliance posture of those programs. "We were administering someone else's program" is not a defense the OCC accepts.
We've seen banks repeatedly underestimate the compliance lift of large-scale benefit programs and government partnerships. The EDD case is the clearest example of what that underestimation costs.
How FluxForce helps prevent similar failures
FluxForce's AI agents monitor transaction patterns in real time, flagging account takeover indicators and unusual benefit disbursement activity as it happens rather than in batch review. Nova Sentinel runs continuous behavioral analytics across account populations, detecting the velocity and geographic anomalies that characterize organized fraud rings. Automated SAR drafting ensures that fraud events crossing AML thresholds produce timely, complete filings without manual bottlenecks. Every decision carries a full audit trail, making Regulation E investigation timelines achievable at scale. For compliance teams managing large consumer programs, that combination of speed, coverage, and evidence trails is the architecture that prevents a fraud problem from becoming a regulatory crisis. Book a demo to see it in practice.
Sources and official documents
https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-77.html