Regulatory Enforcement Actions: Trend & Thematic Analysis

Author

RegBrief Analytics

Published

July 4, 2026

Q2 2026 | Comprehensive Analysis of AML/Compliance Enforcement Patterns

Executive Summary

Across 24 enforcement actions, 20 involved monetary penalties and 4 were resolved without financial sanctions, indicating that regulators used a mix of punitive and non-monetary remedies. The median penalty was $227,700, which is a more representative indicator of typical case severity than the headline total. While the average penalty was $14.5 million, that figure is heavily distorted by a single outlier: Adani Enterprises Limited, which accounted for $275 million of the $289.5 million total penalties. Excluding Adani Enterprises Limited, total penalties fall to $14.45 million, underscoring that most actions were materially smaller than the aggregate suggests.

Geographically, enforcement was highly concentrated in the United States, which accounted for 13 actions and $285.6 million of penalties, including the outlier case. The UK and France represented a much smaller share of monetary exposure, with $1.59 million and $1.42 million respectively. The data also show involvement from 10 regulators across 6 countries, suggesting a broad but uneven enforcement footprint. This pattern points to strong U.S.-led enforcement activity, with cross-border implications for firms operating in multiple jurisdictions or with globally distributed compliance obligations.

The most common compliance weaknesses were concentrated in core control functions: AML Program Governance (44 findings), Investigations & Reporting (38), KYC & Onboarding (36), Transaction Monitoring (24), and Sanctions Screening (21). Root-cause analysis reinforces that these are not isolated control failures but systemic issues, led by Process Design Flaws (46.0%) and Governance Failure (27.6%). In other words, the dominant issues appear to stem from weak control architecture, unclear accountability, and ineffective escalation/reporting processes rather than isolated execution errors alone.

For financial institutions, the implications are clear: regulators are repeatedly targeting foundational AML and sanctions controls, especially where governance and process design are deficient. Firms should prioritize end-to-end remediation of onboarding, monitoring, and investigative workflows; strengthen board and senior management oversight; and validate that technology, data quality, and staffing are aligned to risk. Given the prevalence of non-monetary resolutions alongside monetary penalties, institutions should also expect regulators to use consent orders and similar undertakings to drive sustained remediation, not just financial punishment.


Dataset Overview

This analysis examines 24 regulatory enforcement actions issued in Q2 2026, with sanctioned activity spanning 2014–2026. The dataset covers multiple jurisdictions and financial services sectors and includes detailed compliance findings1, root cause analysis, and remediation roadmaps.

Key Statistics

  • Total Enforcement Actions: 24 (20 with monetary penalties, 4 non-monetary resolutions)
  • Total Penalties Imposed: $289,454,604
  • Median Penalty: $227,700
  • Average Penalty: $14,472,730
  • Penalty Range: $17,405 - $275,000,000
  • Countries Represented: 6
  • Regulators Involved: 10
  • Industry Sectors: 7
WarningOutlier-adjusted view

A small number of actions dominate the headline total: Adani Enterprises Limited ($275,000,000, 95% of total). Excluding this action, total penalties across the remaining 23 actions are $14,454,604 (median $227,700). The distribution and per-country/per-regulator charts below are read with this concentration in mind.


Monetary Penalties Analysis

Total Penalties by Country/Region

The geographic distribution of penalties reveals significant concentration in specific jurisdictions, with enforcement intensity varying considerably across regions.

Figure 1: Total monetary penalties by country

Chart excludes 1 outlier action(s) — Adani Enterprises Limited ($275.0M) — to keep the remaining bars legible. Full totals are in the summary table.

Regional Penalties Summary Table

Table 1: Summary of penalties by country
Total Penalties Average Penalty Max Penalty Number of Actions
country
US $285,564,357 $25,960,396 275000000.0 13
UK $1,585,641 $792,820 1361241.0 2
France $1,417,000 $1,417,000 1417000.0 1
Canada $571,106 $142,777 487853.6 4
Singapore $231,000 $231,000 231000.0 1
Germany $85,500 $85,500 85500.0 3

Penalties by Regulator

Different regulatory bodies demonstrate varying enforcement approaches and penalty magnitudes.

Figure 2: Total penalties by regulatory authority

Chart excludes 1 outlier action(s) — Adani Enterprises Limited ($275.0M) — to keep the remaining bars legible. Full totals are in the summary table.

Regulatory Insights

Enforcement during the period was generally low-to-moderate in typical case value, with a median penalty of $227,700 and only 20 of 24 actions carrying monetary penalties; the remaining 4 were non-monetary resolutions. The headline figures are heavily distorted by the outlier Adani Enterprises Limited, which alone accounts for $275,000,000 of the $289,454,604 total. Excluding Adani, total penalties fall to $14,454,604, which is much more representative of the underlying enforcement environment. By regulator, the pattern is highly concentrated: OFAC dominates with $276.05M across 2 actions, driven by very large sanctions cases; SEC follows with a single $7.5M action. In contrast, FINRA shows a higher-volume, lower-severity profile (8 actions, $2.01M total; avg. ~$252K), while OFSI, ACPR, FINTRAC, MAS, and BaFin are mostly in the sub-$1.6M range, suggesting more routine supervisory or conduct enforcement rather than blockbuster penalties. Regionally, the US accounts for almost all monetary value ($285.6M across 13 actions), but that concentration is largely a function of the Adani outlier and OFAC’s large sanctions penalties; outside the US, enforcement is more dispersed and materially smaller in scale.

For multi-jurisdiction compliance programs, the message is to build for heterogeneous enforcement intensity: a sanctions-heavy, high-impact U.S. risk profile alongside smaller but more frequent supervisory actions in Europe, the UK, Canada, and Asia. Programs should therefore combine enterprise-wide controls (screening, sanctions escalation, trade/financial crime monitoring, disclosure controls) with local regulatory mapping for FINRA/SEC, OFAC/OFSI, ACPR/BaFin, FINTRAC, MAS, and prudential agencies like FDIC/OCC. The presence of non-monetary resolutions also matters: consent orders and similar outcomes can signal control deficiencies even where no fine is imposed, so remediation tracking should not be penalty-driven alone. Practically, prioritize robust sanctions governance and investigation protocols for U.S./cross-border exposure, while maintaining jurisdiction-specific playbooks for reporting, recordkeeping, and supervisory engagement to manage the more common mid-sized actions seen outside the outlier cases.

Penalties by Industry Sector

Figure 3: Total penalties by industry sector (USD)

Chart excludes 1 outlier action(s) — Adani Enterprises Limited ($275.0M) — to keep the remaining bars legible. Full totals are in the summary table.

Industry Insights

The clear outlier by total penalty amount is Corporate / Non-Financial, with $277.5M across just 5 actions. That means this sector contributes the vast majority of total penalty volume despite not having the highest number of cases, and its average penalty of $55.5M is dramatically higher than every other sector. The next largest by total penalties is Broker-Dealer / Investment Firm at $9.5M across 10 actions—the highest action count in the table, but still only a small fraction of the total penalty dollars seen in Corporate / Non-Financial. This is a strong example of total penalty volume diverging from action count: broker-dealers are being targeted more frequently, but the corporate/non-financial sector is where the most financially significant enforcement outcomes are concentrated.

The average penalty pattern suggests two very different enforcement profiles. Corporate / Non-Financial is highly concentrated in a few large actions, indicating a small number of severe cases rather than broad-based, lower-value enforcement. FinTech / Payments also stands out with $1.417M from a single action, and Insurance shows $231k from one action—both indicating one-off, potentially material events. By contrast, Broker-Dealer / Investment Firm has 10 actions but only a $1.06M average, suggesting a broader distribution of lower- to mid-sized penalties rather than a few outsized cases. Banking / Financial Institution also shows relatively low total penalties ($254k) across 5 actions, reinforcing that not all high-regulation sectors are generating large penalty volumes in this dataset.

Strategically, compliance investment should be prioritised based on both severity risk and case frequency. For Corporate / Non-Financial, the data argues for targeted, high-control investment focused on preventing rare but very high-impact failures—board-level oversight, enterprise risk controls, and issue escalation are likely to matter most. For Broker-Dealer / Investment Firm, the higher action count suggests a need for scalable, operational compliance improvements and monitoring across a wider set of controls, even though individual penalties are smaller. FinTech / Payments deserves attention as a high-severity, low-frequency risk area, while Banking and Insurance appear lower on penalty volume here, though they should not be deprioritised entirely given the possibility that this dataset reflects only a narrow slice of enforcement activity.


Compliance Theme Analysis

This section examines the frequency and distribution of compliance failures across key AML/compliance domains.

Theme Frequency Overview

Figure 4: Compliance findings by domain

Theme Frequency Table

Table 2: Detailed breakdown of compliance themes
Number of Findings Number of Entities
domain_display
AML Program Governance 44 19
Investigations & Reporting 38 20
KYC & Onboarding 36 16
Transaction Monitoring 24 12
Sanctions Screening 21 5

Multi-Domain Violation Patterns

Compliance failures often span multiple domains. Understanding which domains tend to fail together helps identify systemic weaknesses.

Table 3: Co-occurrence of compliance domain failures
Unnamed: 0 Domain 1 Domain 2 Co-occurrences
0 0 Investigations & Reporting KYC & Onboarding 14
1 1 Investigations & Reporting Transaction Monitoring 11
2 2 KYC & Onboarding Transaction Monitoring 8
3 3 Investigations & Reporting Sanctions Screening 5
4 4 KYC & Onboarding Sanctions Screening 3
5 5 Sanctions Screening Transaction Monitoring 1

Theme Pattern Insights

The most problematic domains by breadth of impact are AML Program Governance, Investigations & Reporting, and KYC & Onboarding. AML Program Governance has the highest number of findings (44), indicating foundational weaknesses in oversight, policies, resourcing, escalation, or control ownership. Investigations & Reporting is close behind with 38 findings across 20 entities, making it both highly frequent and widely distributed; this suggests recurring breakdowns in alert disposition, case management, SAR/STR decisioning, and regulatory reporting discipline. KYC & Onboarding also stands out with 36 findings, meaning customer risk identification and due diligence controls are failing at scale. By contrast, Sanctions Screening has fewer entities affected (5) but still 21 findings, which implies that while it is concentrated in fewer firms, the failures may be deep and systemic where they exist.

The multi-domain patterns show that failures are rarely isolated. The strongest linkage is between Investigations & Reporting and KYC & Onboarding (14 co-occurrences), followed by Investigations & Reporting and Transaction Monitoring (11), and KYC & Onboarding and Transaction Monitoring (8). This suggests a common control-chain issue: weak onboarding/KYC leads to poor customer risk profiles, which then undermines monitoring scenarios and makes investigations less effective. The repeated pairing of Investigations & Reporting with both KYC and Transaction Monitoring implies that downstream case handling is often compensating for upstream control gaps, rather than functioning as a separate, resilient layer. Sanctions Screening co-occurs less often, but when it does, it appears alongside the same core domains, reinforcing that sanctions issues may be part of broader program weakness rather than a standalone screening-tool problem.

Prioritization should focus first on governance and end-to-end control design, not just individual tools. Firms should (1) strengthen AML governance with clear accountability, KRIs/KPIs, independent QA, and board-level reporting on control failures; (2) fix KYC/onboarding by tightening CDD/EDD standards, beneficial ownership capture, risk scoring, and periodic refresh triggers; and (3) improve investigations and reporting with documented case standards, escalation thresholds, and quality review of SAR/STR decisions. Transaction monitoring should be recalibrated using risk-based scenarios tied to customer profiles, with regular validation and tuning. Sanctions screening should be reviewed for data quality, list-update timeliness, and alert handling, but because it co-occurs less frequently, it should be prioritized in firms where screening issues are observed alongside broader onboarding or monitoring weaknesses.

Priority Distribution by Domain

The severity of compliance gaps varies across domains, with different distributions of high, medium, and low priority findings.2

Figure 5: Gap priority distribution across compliance domains

Root Cause Analysis

Understanding the underlying causes of compliance failures is critical for effective remediation.

Overall Root Cause Frequency

Figure 6: Top root causes of compliance failures

Root Cause Summary Table

Table 4: Complete root cause frequency distribution
Frequency Percentage
root_cause
Process Design Flaw 75 46.0
Governance Failure 45 27.6
Insufficient Technology 11 6.7
Resource Constraints 10 6.1
Data Quality Issues 8 4.9
Information Siloing 7 4.3
Cultural/Tone Issues 6 3.7
External Factors 1 0.6

Root Causes by Compliance Domain

Different compliance domains exhibit distinct root cause patterns.

Table 5: Cross-tabulation of root causes by compliance domain
Cultural/Tone Issues Data Quality Issues External Factors Governance Failure Information Siloing Insufficient Technology Process Design Flaw Resource Constraints
domain_display
AML Program Governance 1 2 1 18 1 1 14 6
Investigations & Reporting 3 1 0 10 1 1 19 3
KYC & Onboarding 0 2 0 10 2 0 22 0
Sanctions Screening 2 1 0 7 2 3 6 0
Transaction Monitoring 0 2 0 0 1 6 14 1

Root Cause Insights

Across the 24 actions, the typical monetary case was a $227,700 median penalty, while the outlier-excluded total penalties were $14,454,604; the headline $289,454,604 total is heavily skewed by the Adani Enterprises Limited action, which alone accounts for $275,000,000. Excluding that outlier, the penalty profile is much more modest and better reflects the broader population of cases. There were also 4 non-monetary resolutions, indicating that not every matter resulted in a financial sanction. The most significant systemic root causes are clearly Process Design Flaws (46.0%) and Governance Failures (27.6%), together comprising nearly three-quarters of all cited causes. This suggests the core issue is not isolated employee error, but weak control architecture: unclear ownership, inadequate escalation paths, ineffective review/approval steps, and compliance processes that are not designed to reliably prevent, detect, and remediate breaches.

Root causes vary meaningfully by domain. AML Program Governance is dominated by Governance Failure (18) and Process Design Flaw (14), with some Resource Constraints (6), indicating weak oversight, under-resourced control functions, and insufficient management accountability. Investigations & Reporting shows the highest concentration of Process Design Flaws (19) plus Governance Failures (10) and notable Cultural/Tone Issues (3), pointing to poor case-handling procedures and weak escalation culture. KYC & Onboarding is overwhelmingly a process problem (22), with some governance and data quality issues, implying onboarding controls are either incomplete or inconsistently executed. Sanctions Screening is more mixed, with process design, governance, and Insufficient Technology (3) all material, which is consistent with screening-rule tuning, list-management, and alert-handling weaknesses. Transaction Monitoring stands out for Insufficient Technology (6) alongside process design flaws, suggesting model coverage, scenario calibration, and alert workflow automation are not keeping pace with risk. In short: governance and process failures are the common denominator, but technology gaps become more prominent in monitoring and screening, while data quality and siloing recur where customer and transactional information must be integrated.


Aggravating & Mitigating Factors

Enforcement documents record factors that intensified regulatory concern (aggravating) or earned credit (mitigating). Aggregated across all actions, these reveal what behaviours regulators penalise most and what most reliably reduces exposure.

Table 6: Recorded aggravating vs mitigating factors
Factor Entries Actions
factor_type
aggravating 89 23
mitigating 47 16

Across these matters, the dominant aggravating theme is persistence and repetition: many failures lasted multiple years, sometimes across several examination cycles or from 2018 through 2025, and several firms ignored prior warnings or earlier commitments to fix the same issue. A second recurring theme is actual harm, not just technical noncompliance: customer losses, unnecessary surrender fees, unauthorized trading, undisclosed trading costs, missed suspicious transaction reports, weak recordkeeping, and sanctions exposure that allegedly supported prohibited activity all show up repeatedly. A third common aggravator is systemic control failure—deficiencies in AML/CFT pillars, inadequate surveillance, poor supervisory systems, incomplete risk assessments, and failure to test or escalate known red flags. Finally, regulators repeatedly note the absence of meaningful self-correction: no timely self-reporting, no credible acceptance of responsibility, and, in some cases, inconsistent testimony or disregard of prior regulatory feedback. In rough terms, multi-year persistence and control breakdowns appear in a large share of the actions, while actual customer/market harm and ignored warnings are also frequent and heavily weight aggravation.

The mitigating themes are much more consistent and, importantly, more credible when they are concrete and documented. The strongest credit comes from prompt remediation: revised WSPs, enhanced surveillance, updated AML procedures, automated monitoring tools, new escalation thresholds, and cessation of the problematic conduct. Cooperation is another recurring mitigator, especially where firms provide comprehensive documentation, waive privilege, accept stipulations, or conduct thorough independent investigations. Regulators also credit formal undertakings such as senior-management certification, independent reviewers, and paid penalties, though these usually matter less than real operational fixes. Some matters also receive limited credit for narrow scope, small relative volume, lack of prior history, or absence of intent/knowledge, but these are secondary compared with demonstrable remediation. In practical terms, the behaviors that most aggravate regulators are prolonged inaction, repeated red flags, and continued customer or sanctions harm after notice; the behaviors that most reliably earn credit are fast, verifiable fixes backed by testing, governance, and sustained cooperation.


Additional Thematic Analyses

Penalty Severity vs Root Cause

Examining whether specific root causes correlate with higher penalties can inform prioritization.

Total Allocated Penalty by Root Cause (Top 8)

Penalties allocated proportionally across findings by priority weight (high=3, medium=2, low=1).

  • Process Design Flaw: $138,333,258 (60 findings across 20 actions)
  • Governance Failure: $63,517,612 (36 findings across 20 actions)
  • Insufficient Technology: $28,956,006 (9 findings across 8 actions)
  • Cultural/Tone Issues: $28,906,230 (6 findings across 5 actions)
  • Information Siloing: $28,855,533 (6 findings across 6 actions)
  • Resource Constraints: $519,205 (6 findings across 6 actions)
  • Data Quality Issues: $366,759 (5 findings across 4 actions)

Temporal Patterns

Violation Period Statistics

  • Average violation duration: 1373 days
  • Median violation duration: 1368 days
  • Longest violation period: 2921 days
  • Shortest violation period: 29 days

Strategic Actions by Root Cause

For the three most frequent root cause categories, following are some strategic actions that can be taken to prevent such lapses occurring at your institution. Strategic actions for remaining root causes are in the [Appendix: Strategic Actions — Additional Root Causes].

Governance Failure

  1. Stand up enterprise AML governance with board-linked accountability: Create a formal governance structure that ties AML/CFT policy ownership, issue management, and escalation thresholds to senior management and board committees. This should include recurring board reporting, named action owners, due dates, and challenge protocols to ensure issues are not just logged but actually resolved.
  2. Implement a unified compliance assurance and control-testing program: Build a single assurance framework covering risk assessments, control inventories, periodic testing, QA sampling, and independent review across AML, sanctions, investigations, and supervisory controls. The goal is to create consistent evidence of control effectiveness and a repeatable remediation lifecycle with validation of closure.
  3. Establish dynamic risk governance for customers, products, and third parties: Put in place governance forums and operating routines that periodically recalibrate risk taxonomy, high-risk customer treatment, country risk, and third-party oversight based on typologies, regulatory change, and behavior shifts. This should drive timely updates to controls, monitoring thresholds, and escalation rules before risk becomes systemic.

Insufficient Technology

  1. Deploy an integrated surveillance and case-management stack: Replace fragmented tools with a platform that links alerts, case evidence, investigator workflow, QA, and regulatory reporting in one auditable environment. This improves timeliness, reduces manual error, and gives leadership end-to-end visibility into alert-to-filing performance.
  2. Build a centralized data and retention layer for monitoring: Create a surveillance data mart or equivalent foundation that retains historical events, supports pattern analytics, and provides examiner-ready audit trails. This is essential for tuning scenarios, validating outcomes, and proving that monitoring decisions were based on complete information.
  3. Implement configurable, validated detection engines: Use technology that supports scenario tuning, model validation, below-the-line testing, and risk-specific surveillance rules across AML, market abuse, sanctions, and trade monitoring. The expected impact is better detection precision, fewer false negatives, and stronger evidence that monitoring is risk-based and controlled.

Process Design Flaw

  1. Redesign onboarding, CDD, and risk-rating workflows end to end: Standardize digital onboarding with mandatory data capture, exception handling, periodic refresh, and dynamic customer risk scoring tied to behavior, geography, and adverse events. This reduces inconsistent account opening practices and ensures risk ratings stay current throughout the customer lifecycle.
  2. Automate investigation and reporting workflows with decision governance: Connect monitoring, case management, evidence collection, legal review, and SAR/STR filing into a single workflow with timestamps, service-level metrics, and QA checkpoints. This improves timeliness, strengthens decision consistency, and creates defensible records for regulators.
  3. Institutionalize regulatory change and policy lifecycle management: Create a formal process that translates regulatory updates into policy revisions, control changes, training, and attestations with version control and evidence retention. This ensures the program adapts quickly when products, jurisdictions, or typologies change.

AI Investment Themes

AI opportunities identified in enforcement actions are mapped directly to the root causes that drove each violation. For the three most frequent root cause categories, the three highest-impact AI use cases are surfaced below, followed by an investment reference table. Use cases for remaining root causes are in the [Appendix: AI Use Cases — Additional Root Causes].

Top Use Cases by Root Cause

Process Design Flaw

Missing controls, poor workflow design, or inadequate compliance procedures.

  1. (PD-1) Apply NLP to map WSP text to Rule 2330 obligations and identify missing supervisory procedures, evidence requirements, and escalation triggers. Technology: Natural Language Processing, Decision Support, Explainable AI

  2. (PD-2) Use AI-assisted enterprise risk assessment drafting to map business lines, branch geographies, service channels, and regulatory factors into a structured annual AML risk assessment. Technology: Process Automation, Generative AI, Natural Language Processing, Explainable AI

  3. (PD-3) Use NLP and workflow automation to detect EDD triggers, assemble evidence, and prompt analysts for missing high-risk customer information. Technology: Natural Language Processing, Process Automation, Decision Support, Generative AI, Explainable AI

Governance Failure

Weak oversight, unclear accountability, or insufficient board/senior management engagement.

  1. (GF-1) Use AI to map obligations, controls, issues, and evidence across shared enterprise AML processes and identify accountability gaps. Technology: Natural Language Processing, Process Automation, Agentic Automation, Graph-Based Learning

  2. (GF-2) Use NLP and process automation to map policies, procedures, audit findings, and control evidence into a continuously updated AML control inventory and gap register. Technology: Natural Language Processing, Process Automation, Decision Support, Explainable AI

  3. (GF-3) Apply decision-support analytics to prioritize remediation items by regulatory criticality, dependency, and residual risk for management and board reporting. Technology: Predictive Analytics, Decision Support, Probabilistic & Causal Methods, Explainable AI

Insufficient Technology

Legacy systems, lack of automation, or inadequate tooling for compliance obligations.

  1. (IT-1) Use graph analytics to identify hidden relationships among accounts through shared identifiers, referrals, IPs, funding sources, and trading behavior. Technology: Graph-Based Learning, Pattern Recognition, Entity Resolution, Explainable AI

  2. (IT-2) Detect suspicious low-priced securities liquidation patterns using behavioral anomaly detection combined with market-volume concentration analysis. Technology: Pattern Recognition, Predictive Analytics, Deep Learning, Explainable AI

  3. (IT-3) Detect abnormal post-IPO trading patterns, including concentration, synchronized orders, and rapid price-impact behavior in low-priced securities. Technology: Pattern Recognition, Predictive Analytics, Deep Learning, Explainable AI

Investment Reference Table

Table 7: AI use case investment reference — expected benefit, ROI, and key risks
  Expected Benefit Estimated ROI Risks
Use Case      
PD-1 Accelerates policy gap detection and keeps supervisory documentation aligned to regulatory requirements. 3-9 months to payback Compliance Risk: AI should not replace legal interpretation; Model Risk: Incomplete rule mapping may miss nuanced obligations
PD-2 Reduces manual drafting gaps, improves consistency, and accelerates periodic updates when business conditions or regulations change. 6-18 months Compliance Risk: Generated text may omit nuances unless reviewed by compliance; Model Risk: Hallucinated or unsupported statements in narrative output; Operational Risk: Dependency on prompt design and document quality; Reputational Risk: Weak audit trail if human approvals are not enforced
PD-3 Improves EDD coverage and consistency while reducing manual evidence-gathering time. 6-12 months Compliance Risk: False negatives could leave high-risk cases untreated; Operational Risk: Fragmented source data may limit effectiveness; Model Risk: Incomplete trigger detection from unstructured text
GF-1 Creates clearer traceability between regulatory obligations and shared controls, improving governance over inter-affiliate dependencies. 12-18 months via reduced manual governance effort and faster issue identification Operational Risk: incomplete source documentation can create inaccurate mappings; Compliance Risk: automated control interpretations may require intensive review; Model Risk: graph relationships may overstate dependency significance
GF-2 Faster remediation tracking, better evidence completeness, and improved consistency in AML control governance. 6-12 months Compliance Risk: Incorrect mapping of controls to regulatory obligations; Operational Risk: Inconsistent document quality may reduce extraction accuracy; Model Risk: Hallucinated summaries or missed obligations without human oversight
GF-3 Improves sequencing of remediation work and transparency for supervisory follow-up. 6-12 months Model Risk: Poor scoring logic may understate critical items; Compliance Risk: Management overreliance on automated prioritization; Operational Risk: Data inconsistencies across functions
IT-1 Improves detection of nominee-account structures and coordinated trading clusters tied to firm-sponsored IPOs. 9-15 months through higher-quality investigations and reduced manual linkage analysis Data Quality Issues may create spurious links; Compliance Risk from opaque relationship scoring if not explainable; Reputational Risk if customers are wrongly linked
IT-2 Improves identification of sell-only, concentrated-volume, and repetitive liquidation behavior across omnibus and DVP/RVP accounts. 12-18 months Model Risk: false negatives may miss manipulative activity; Compliance Risk: regulators will expect explainability and documented thresholds; Operational Risk: dependency on data completeness across OMS and surveillance systems
IT-3 Earlier identification of suspicious trading typologies and improved prioritization of manipulative-trading alerts. 6-12 months to analyst efficiency gains if data feeds already exist Model Risk: false negatives could miss manipulation; Compliance Risk: explainability needed for regulatory exams; Operational Risk: dependence on complete market and clearing data


Appendix

Priority Level Definitions

Priority levels are assigned using a deterministic decision tree applied during document extraction:

  • High — penalty >$10M attributable to this gap; regulator labelled the conduct “egregious”; gap enabled actual illegal activity; or criminal referral was made
  • Medium — significant control weakness attracting explicit regulatory criticism; contributed to the penalty but was not the primary driver
  • Low — documentation or procedural gap only; technical non-compliance with no evidence of exploitation

Data Sources

Currency note: Q2 2026 penalty amounts arrive pre-converted to USD upstream, so the pipeline is run with --amounts-in-usd and no run-time FX conversion is applied. This differs from Q1 2026, whose local-currency amounts are converted at run time via rates.json. Quarter-over-quarter penalty deltas therefore compare like-for-like on currency but may carry minor exchange-rate noise from the differing conversion timing.

  • Primary Data: Regulatory enforcement action records (regbriefs-Q22026.csv)
  • Fields Analyzed: Entity, regulator, industry, penalty amounts, violation periods, findings by domain, root causes, priorities
  • Time Period: 2014-2026
  • Geographic Coverage: 6 countries, 10 regulators

Source Documents

Entity Regulator Source Document(s)
Cambridge Investment Research, Inc. FINRA [1]
Michael Venturino FINRA [1]
Brentwood Capital Advisors LLC FINRA
Covington County Bank FDIC [1]
MoneyGram International SA ACPR [1]
Birks Group Inc. FINTRAC [1]
RE/MAX Twin City Realty Inc. (also operating as Twin City Realty Inc.) FINTRAC [1]
VersaBank FINTRAC [1]
Moody Capital Solutions, Inc. FINRA [1]
Blue Ocean ATS FINRA [1]
13010431 Canada Inc. (operating as Necosmart) FINTRAC [1]
Adani Enterprises Limited OFAC [1] [2]
Community Federal Savings Bank OCC [1]
Pictet Overseas Inc. FINRA [1]
Padang Trust Singapore Pte. Ltd. MAS [1]
FTI Consulting, Inc. OFAC [1]
AIL Leasing München AG BaFin
CRONBANK Aktiengesellschaft BaFin
Instinet Germany GmbH BaFin
Prime Number Capital, LLC FINRA [1]
Deutsche Bank AG London Branch OFSI [1]
Sabre Global Technologies Limited (SGTL) OFSI [1]
Outset Global Trading Limited FINRA [1]
Merrill Lynch, Pierce, Fenner & Smith Incorporated SEC [1] [2] [3]

Report Generated: 2026-07-04 12:36:28

Report Period: Q2 2026

Footnotes

  1. Findings are discrete compliance gaps identified within each enforcement action document. Each enforcement action may contain multiple findings across one or more compliance domains.↩︎

  2. See [Appendix: Priority Level Definitions] for the criteria used to assign each priority level.↩︎