TD Bank 2024: $3.09B Enforcement Action

What happened?

TD Bank's AML failures accumulated over nearly a decade. According to the DOJ press release published in October 2024, the bank maintained an inadequate anti-money laundering program from at least 2014 through 2023. Its transaction monitoring system left a substantial portion of US retail banking transactions entirely outside the scope of automated review or manual scrutiny, according to regulatory findings.

Three criminal networks moved money through the bank during this period. The DOJ filings described networks linked to drug trafficking organizations, including groups connected to Colombian cartels and Chinese fentanyl trafficking operations. According to regulatory findings, hundreds of millions of dollars in illicit proceeds flowed through TD Bank accounts without triggering the suspicious activity reports the Bank Secrecy Act required.

The bribery element made this case particularly serious. The DOJ filings described TD Bank employees accepting gifts, including gift cards, from network operatives to process transactions without filing alerts and, in some cases, to warn operatives about regulatory inquiries. Once employees are compromised, technology controls stop functioning entirely. An alert fires; a bribed employee dismisses it.

The investigation drew in the DOJ's Criminal Division, FinCEN, and the OCC. In October 2024, TD Bank N.A. and its parent, TD Bank US Holding Company, both entered guilty pleas, making TD Bank the first US bank holding company to plead guilty to Bank Secrecy Act conspiracy charges. The total financial penalty across all three regulators reached $3.09 billion.

What did regulators say?

DOJ leadership described the conduct as a deliberate pattern rather than isolated failures. According to the DOJ press release, senior officials stated the bank had prioritized profit over its legal obligations, allowing drug traffickers, human smugglers, and other criminal actors to exploit its accounts for years. The press release characterized the AML failures as systemic and long-running, not the product of oversight or limited resources.

FinCEN's $1.3 billion civil money penalty was the largest in the agency's history. The FinCEN press release described a bank with a broken compliance culture, one in which staff concerns about monitoring gaps were not acted on and where cost reduction consistently took priority over the resources needed to run an effective AML program. FinCEN's Director stated in the press release that the bank had allowed fentanyl traffickers and other criminals to exploit the financial system.

The OCC issued a formal enforcement action alongside its own financial penalty. Its findings documented compliance deficiencies running through multiple levels of TD Bank's US retail operations, from front-line controls through board-level governance. The OCC also imposed an asset cap, restricting US growth until remediation benchmarks are met.

All three regulators converged on the same conclusion. This wasn't one breakdown or one bad actor. The consent order found the bank had structured its compliance function in ways that systematically underinvested in monitoring capacity and personnel, and this persisted for years without effective correction.

What controls failed?

Transaction monitoring was the central failure. Regulatory findings described a program that left a substantial proportion of TD Bank's US retail transaction volume outside the scope of automated alerts. For a bank handling those volumes, that gap means entire categories of suspicious activity patterns went undetected for years. Partial monitoring isn't a smaller version of full monitoring; it's a structural blind spot.

FATF Recommendation 20 requires institutions to identify and report suspicious transactions promptly. If monitoring doesn't run, institutions can't comply with that obligation, regardless of how polished their SAR filing procedures look on paper. TD Bank's monitoring gaps made it structurally impossible to meet BSA reporting requirements across large portions of its business.

Customer due diligence also broke down. Under the FinCEN CDD Rule, banks must understand the nature and expected purpose of customer relationships and monitor for activity that deviates from those profiles. Regulatory findings described accounts opened with thin documentation and customer risk profiles that weren't refreshed as transaction behavior evolved. Without accurate profiles, ongoing monitoring generates noise rather than signals.

SAR filing failures followed directly. Monitoring gaps meant suspicious patterns weren't identified. CDD gaps meant the bank lacked baseline customer data to distinguish normal from abnormal activity. The result, per the DOJ filings, was hundreds of millions of dollars in transactions that should have generated SARs and didn't.

Governance was the deepest failure. The OCC consent order found the compliance function was chronically underresourced, that escalation paths from compliance staff to senior leadership were ineffective, and that the board didn't receive adequate reporting on the extent of AML program deficiencies. Budget decisions consistently favored growth over compliance staffing and technology investment. That's the pattern regulators look for when they decide whether to pursue criminal charges.

Which regulations were violated?

The primary statute was the Bank Secrecy Act (31 U.S.C. § 5318), which requires US financial institutions to establish and maintain an effective AML compliance program, file Currency Transaction Reports for cash transactions above $10,000, and file Suspicious Activity Reports when they detect activity indicative of potential money laundering or financial crime. TD Bank pleaded guilty to conspiracy to violate the BSA. It was the first US bank holding company to do so.

OCC-specific charges arose under 12 CFR Part 21, the OCC's implementing regulation requiring national banks to develop and administer a program reasonably designed to assure and monitor compliance with the BSA. The OCC found that TD Bank had failed this standard across its US retail operations over an extended period. A full record of the OCC's enforcement actions, including the TD Bank matter, is searchable at the OCC enforcement actions index.

The FinCEN CDD Rule, which implements the international standard set in FATF Recommendation 10 on customer due diligence, was also directly at issue. The bank's onboarding procedures and ongoing monitoring practices fell short of what both frameworks require. FinCEN's full statutory and regulatory framework for financial institutions is documented at the FinCEN BSA resources page.

The Anti-Money Laundering Act of 2020 strengthened the BSA's enforcement framework and expanded FinCEN's authority to impose civil money penalties. It formed part of the statutory backdrop against which the record $1.3 billion assessment was made.

Which typologies were involved?

Drug trafficking proceeds laundering was the core pattern. According to the DOJ press release, criminal networks linked to Colombian drug trafficking organizations and Chinese fentanyl trafficking groups used TD Bank accounts to move hundreds of millions of dollars in drug proceeds. This is classic placement and layering: cash from street-level drug distribution is deposited across multiple accounts, moved between them, and eventually integrated into the legitimate financial system. Large US retail banks with extensive branch networks are attractive targets for this typology precisely because of their transaction volumes.

Insider bribery and employee corruption is the less common but more serious typology in this case. The DOJ filings described employees accepting gifts, including gift cards, to process suspicious transactions without filing alerts and to warn criminal network operatives about regulatory scrutiny. When insiders are compromised, technology controls don't hold. No transaction monitoring system built for external threats catches a compliance employee who's been paid to suppress alerts. This typology requires a different detection approach entirely: behavioral analytics on employee actions within compliance systems, not just on customer transactions.

Cash-intensive transaction abuse also featured. Criminal networks used TD Bank's branch infrastructure to move high volumes of cash with minimal scrutiny. The Currency Transaction Report regime under the BSA exists specifically to catch cash structuring and large-denomination movements, but it only works when the underlying monitoring is running. When monitoring doesn't cover a substantial portion of transactions, CTR filing becomes a procedural exercise rather than a detection tool.

The combination matters. No single control defeats all three typologies simultaneously. Effective detection requires transaction monitoring, employee behavioral analytics, and rigorous SAR filing discipline, all operating in parallel.

Aftermath and remediation

The financial penalties were divided across three regulators. FinCEN's $1.3 billion civil money penalty was the largest in the agency's history. The DOJ criminal resolution, including criminal fines and forfeiture, totaled approximately $1.8 billion, according to the DOJ press release. The OCC imposed its own financial penalty as part of a concurrent enforcement action. Together, these brought the total to $3.09 billion.

The most consequential operational outcome was the OCC's asset cap. Effective from the date of resolution, TD Bank's US retail operations were barred from growing assets beyond a fixed threshold until the bank demonstrates, to the OCC's satisfaction, that its AML program has been substantially remediated. For a bank that had been actively expanding in the US market, this is a meaningful strategic constraint. Several analysts following the announcement in October 2024 described the asset cap as potentially more costly over time than the cash penalties.

An independent compliance monitor was appointed, reporting directly to regulators. Monitor mandates in BSA cases of this scale typically run three to five years and involve deep access to the bank's systems, transaction data, and compliance personnel.

Leadership changes followed. TD Bank's CEO Bharat Masrani, who had previously announced plans to retire, departed around this period. The bank's board undertook a governance review focused on the structure and authority of its compliance function.

Reputational damage was also real. The guilty plea generated extensive coverage and raised questions among institutional investors about TD Bank's US growth strategy. The asset cap created specific uncertainty about whether the bank could continue competing for US market share at its prior rate.

Lessons for other institutions

The most direct lesson is about monitoring coverage. Any compliance team that can't state, with confidence, what percentage of its transaction volume its automated monitoring actually covers should treat that gap as an immediate priority. Partial coverage isn't a smaller version of full coverage. It's a structural blind spot that criminal networks identify and exploit. Getting to 90% or above isn't a stretch target; it's the minimum standard regulators expect.

The SAR filing requirements under the BSA are clear: 30 days from detection, 60 with extension. But SAR discipline lives or dies on the quality of the monitoring below it. Banks that can't monitor can't detect; banks that can't detect can't file. The TD Bank case is a reminder that SAR filing performance and transaction monitoring coverage are not independent metrics.

Third: customer due diligence isn't a one-time onboarding exercise. Risk profiles need to be refreshed. An account that was low-risk at opening may look very different two years later if transaction volumes, counterparty patterns, or geographic exposure have changed. Automated triggers for periodic CDD review, calibrated to account activity, are standard practice for a reason.

Fourth: insider threat is a real AML vector, not a theoretical one. Behavioral analytics on employee actions within compliance systems, separation of duties between the alert-generation function and alert-review function, and anonymous reporting channels all matter. The TD Bank case shows what happens when bribery goes undetected inside a compliance function for an extended period.

Fifth: board-level AML reporting needs real granularity, not summary dashboards. Boards need to see monitoring coverage metrics, SAR filing rates against transaction volumes, escalation history, and gap analysis with timelines for remediation. When the board doesn't see the problem accurately, the organization doesn't fix it. The OCC consent order made this explicit.

How FluxForce helps prevent similar failures

TD Bank's failures centered on monitoring coverage gaps, SAR filing breakdowns, and employee insider compromise. FluxForce agents run continuous transaction monitoring across full transaction volumes, identify behavioral anomalies in real time, and auto-draft SAR reports with complete supporting evidence attached. Behavioral analytics on employee actions within compliance workflows directly address the insider-threat vector. Every decision generates a full, audit-ready evidence trail from the moment it fires. Book a demo to see it in a live environment.