What an OCC Consent Order Actually Costs, And Why Your Legacy IT Is the Most Likely Trigger in 2026


Most executive teams at US banks under $50B in assets have a reasonably clear view of the costs they manage every quarter. Credit losses. Operating expenses. Interest rate exposure. Deposit pricing pressure.
The cost that fewer of them have on the dashboard, and the one rising fastest in expected value, is regulatory exposure tied to legacy information technology. The reason this cost is underweighted is mechanical: in quiet years it appears as zero. In a year with an enforcement event, it appears as a multi-year, board-supervised, ledger-distorting program, and by then the institution has lost the ability to manage it on its own terms.
The pattern that has emerged across 2023, 2024, and 2025 is one a CFO can plan against. This article walks through what an OCC enforcement action citing IT controls actually costs, why legacy infrastructure has become the most common underlying cause, and what the math says about the expected-value tradeoff between voluntary modernization and remediation under regulator supervision.
What this article answers
- How many OCC enforcement actions in recent cycles have cited IT controls, and which institutions are affected.
- What a typical consent order actually requires, and what it costs the institution in dollars, time, and executive attention.
- Why legacy infrastructure is now the most common technical root cause behind IT-related findings.
- How to estimate your institution's probability-weighted regulatory exposure in a way the CFO will accept.
- Why voluntary modernization consistently produces better outcomes than remediation under supervision.
The pattern: IT controls language is now standard in OCC enforcement
Three years ago, an OCC consent order against a community or regional bank typically led with capital, liquidity, or BSA/AML findings. Information technology might appear as a secondary article, often paired with broader risk-management observations.
That has changed. Looking at OCC enforcement actions across 2024 and 2025, IT-control language now appears prominently in a striking share of orders against banks of all sizes, including community institutions well under $1B in assets. The pattern is not subtle.
Blue Ridge Bank's January 2024 cease-and-desist addressed violations of law, rule, or regulation related to the Bank Secrecy Act and anti-money laundering, and unsafe or unsound practices, including those related to capital, liquidity risk management, and information technology controls. The order was not terminated until November 2025, nearly two years of active supervisory constraint, board reporting, and required remediation.
Vast Bank's October 2023 consent order, terminated in September 2025, addressed unsafe or unsound practices, including those related to capital, capital and strategic planning, project management, books and records, liquidity risk management, interest rate risk management, information technology controls, risk management for new products, and custody account controls. Note the structure: IT controls sits alongside core financial governance items, not as a footnote.
Most recently, a 2023 consent order against a national bank, terminated in September 2025, required the institution to meet higher capital minimums, implement revised capital and strategic planning processes, and maintain detailed project management standards. It also mandated improvements to liquidity and interest rate risk management, adoption of stronger IT controls, and the establishment of formal risk governance for new products and custody account operations.
The common thread across these orders is that IT-control deficiencies are no longer addressed as discrete technical findings. They are addressed as governance failures at the institution level, meaning the remediation requires board engagement, formal program documentation, and quarterly reporting, regardless of how technical the underlying issue actually is.
What a consent order actually requires
A regulatory consent order is, in its simplest description, a legally binding agreement between a financial institution and its primary federal regulator. The bank formally consents to the order without admitting or denying the findings, waiving its right to a formal administrative hearing. This agreement mandates that the institution take specific corrective actions to address identified unsafe practices or violations of law.
What the simple description omits is the operational weight of executing one. A consent order citing IT controls typically requires the institution to:
- Establish or restructure a board-level committee with explicit oversight of the remediation program
- Submit a written remediation plan to the OCC within a defined window (often 30 to 90 days)
- Engage independent third parties to validate scope, methodology, and progress
- Provide quarterly progress reporting to the regulator until each article of the order is closed
- Maintain detailed records demonstrating control improvements at the system, process, and governance level
- Refrain from specific activities (often new product launches, expansion, or M&A) until the order is terminated
The institution does not choose the pace. The regulator does. And while a consent order is in effect, the institution operates under what amounts to a parallel governance structure, one that absorbs executive attention disproportionate to the underlying technical scope of the work.
The duration is the part most CFOs underestimate. Most IT-related consent orders run 18 to 24 months from issuance to termination, and that is for institutions executing well. Institutions that miss milestones, fail independent reviews, or surface additional findings during remediation often see the order run three years or longer.
The financial math: probability-weighted exposure
The honest way to put this cost on a board agenda is the same way a CFO already handles credit and operational risk: probability-weighted.
The formula:
Annual regulatory exposure = (Probability of consent order in next 24 months × Estimated remediation cost) + (Probability of breach × Average breach cost) + (Probability of regulator-driven growth restriction × Foregone revenue)
The inputs are not abstract. For US financial services in 2025, the IBM Cost of a Data Breach Report puts the average breach cost at $10.22 million for US organizations, an all-time high and a 9% increase year-over-year, while financial services averages $5.56 million globally per breach. Higher regulatory fines, along with detection and escalation costs, are driving up the total cost of recovery in the United States.
For consent-order remediation specifically, the cost range is wider. A community bank under $1B in assets executing a focused IT-controls remediation may spend $2M to $8M across the 18-month program. A mid-size regional executing a broader order touching IT, BSA/AML, and risk management can run $25M to $100M+. The variance is driven primarily by the scope of independent validation required and the underlying technical complexity of the systems being remediated.
Concrete example, from the public record: the Clear Fork Bank consent order in October 2024 illustrates the community-bank scenario. Clear Fork Bank is one of the oldest privately owned banks in Texas, with only six retail locations and approximately $800 million in assets. While not nearly as onerous as the OCC's settlement with TD Bank, the legal, compliance, and personnel costs associated with remediating the order will undoubtedly strain Clear Fork Bank. The coverage of that order goes on to note that bank regulators are not only focused on the largest financial institutions with high-risk, cross-border business models, but also on local community banks not adequately meeting their BSA/AML obligations.
The strain is the point. For institutions under $1B in assets, a multi-year remediation program is not a budget line, it is a strategic distraction that absorbs the leadership time the institution would otherwise spend on growth, product development, or competitive positioning.
Why legacy IT keeps showing up as the root cause
When an OCC examiner cites IT controls as a finding, the underlying issue is almost never that the institution failed to install a tool or write a policy. The underlying issue is that the institution's legacy infrastructure cannot produce the evidence, audit trail, or control consistency that current supervisory expectations require.
The pattern shows up in three specific ways:
Transaction monitoring on legacy AML systems.
Rules-only fraud and AML engines built on legacy infrastructure cannot adapt to the typology and volume requirements current examiners expect. The Bank of America BSA/AML case illustrated the broader supervisory direction: outdated monitoring systems are a liability in an era where financial crime is increasingly sophisticated, and regulators expect continuous investment in BSA compliance, leveraging AI-driven monitoring tools to reduce false positives and improve detection accuracy.
Audit trail and data lineage gaps in legacy cores.
When an examiner asks for the data lineage behind a specific reported figure, a modern stack produces the answer in minutes. A legacy stack with fragmented integrations across FIS, Fiserv, Jack Henry, or custom middleware often cannot produce it at all, and the inability to produce it becomes the finding.
Identity, access management, and change control on aging infrastructure.
Legacy systems that lack modern role-based access controls, change-management logs, or segregation of duties consistently surface as IT-control findings during examination. These are not bolt-on fixes; they are architectural properties of the underlying systems.
The broader supervisory direction has been described directly: a consent order should be viewed not as a setback, but as an opportunity to modernise compliance governance, yet executing one presents significant challenges: managing multiple remediation projects strains resources and staff morale, and meeting strict regulatory deadlines adds further pressure.
In other words: the regulatory exposure is, in practice, a modernization mandate executed under time pressure that the institution did not choose.
Forced modernization versus voluntary modernization
This is the comparison that matters most for executive decision-making, and it is the one most institutions don't run until it's too late to choose.
A voluntary modernization program runs on the institution's timeline. It can be scoped to bounded pilots. It can sequence the highest-value systems first. It can use bench-strength engineering rather than emergency contract talent. It can be coordinated with normal budget cycles, board calendars, and competing strategic priorities.
A forced modernization, meaning a modernization compelled by a consent order or a matter requiring attention, has none of those properties. It runs on the regulator's timeline. Scope is set by the order, not by ROI. Sequencing is dictated by the most urgent control gap, not by business priority. Independent validators must be engaged. Talent is hired in a market where the institution is one of many simultaneously trying to staff the same kind of remediation. Costs run consistently higher than voluntary modernization at the same scope, and outcomes are consistently worse.
The expected-value math, at most mid-size institutions, looks roughly like this:
- Probability of an IT-control-related consent order in the next 24 months: 5% to 15%, depending on the institution's most recent examination cycle, peer enforcement patterns, and the visibility of legacy control gaps in supervisory letters.
- Estimated remediation cost if an order arrives: $5M to $50M for community and regional institutions.
- Expected-value annual carry of doing nothing: $250K to $7.5M.
Compared against a voluntary modernization program, typically scoped at $2M to $10M for the same technical scope, executed on the institution's terms, with broader strategic benefits, the math has tipped.
What this means for 2026
The OCC's stated posture and the public enforcement record both point in the same direction. Consent orders are legally binding, publicly filed, and often impose operational limits until remediation is complete. They typically signal systemic control weaknesses rather than isolated issues. The realistic forecast for 2026 and 2027 is not that supervisory expectations on IT controls will hold steady; it is that they will continue to tighten.
The practical implication for an executive team running a mid-size US financial institution is straightforward:
- Make regulatory exposure a quantified line item. Probability-weighted exposure belongs on the same dashboard as credit and operational risk. The CFO can model this in a spreadsheet using the formula above.
- Audit the legacy control gaps before the examiner does. Most IT-control findings are predictable. The institution's own technology team almost always knows where the weaknesses are. Documenting them, prioritizing remediation, and reporting progress to the board internally is cheaper than having the regulator do it externally.
- Treat voluntary modernization as the cheaper option, even where it appears more expensive on a one-year basis. The three-year expected value comparison consistently favors voluntary execution. The institution simply has to run the numbers to see it.
The choice that matters in 2026 is not whether to modernize legacy IT. The choice is whether to modernize on the institution's terms or the regulator's. For most mid-size US banks, the math now favors choosing first.