A consent order is the point where supervisory concerns become a legal obligation. Unlike an MRA or MRIA, which are supervisory findings within a confidential examination report, a consent order is a formal enforcement action with binding terms, public disclosure, and specific consequences for noncompliance. When a community bank receives a consent order from the FDIC, the remediation is no longer a matter of management discretion. It's a legal requirement with a defined timeline and regulatory oversight.
The good news: a consent order is called a "consent" order because the institution agrees to it. That agreement gives you some ability to influence the terms. But once signed, the terms are binding, and failure to comply can result in civil money penalties, additional restrictions, or escalation to a cease-and-desist proceeding.
Key Takeaways:
- A consent order is a public, legally binding enforcement action, fundamentally different from confidential MRAs and MRIAs
- Consent orders are issued under 12 U.S.C. § 1818(b) and carry civil money penalty risk for noncompliance
- Remediation timelines in consent orders are fixed deadlines, not guidelines
- Board members have personal oversight responsibilities that examiners will verify
How a Consent Order Differs from MRAs and MRIAs
Understanding the distinction between supervisory findings and enforcement actions is critical for calibrating your response.
| Factor | MRA/MRIA | Consent Order |
|---|---|---|
| Legal status | Supervisory finding (not legally binding) | Legally binding enforcement action |
| Authority | Examination process | 12 U.S.C. § 1818(b) |
| Public disclosure | Confidential (12 CFR Part 309) | Publicly available on FDIC Enforcement Actions database |
| Consequence of noncompliance | Escalation to more severe supervisory action | Civil money penalties under 12 U.S.C. § 1818(i) |
| Timeline flexibility | Negotiable within reason | Fixed deadlines; extensions require formal FDIC approval |
| Board obligation | Oversight and reporting | Specific compliance obligations, often with personal attestation |
| Counterparty notification | Generally not required | May be required for correspondent banks, investors, or counterparties |
| Impact on operations | Indirect | May include direct restrictions on activities, growth, or products |
The critical shift: with MRAs and MRIAs, the institution proposes its corrective action plan and timeline. With a consent order, the FDIC dictates the terms. The institution may negotiate during the drafting process, but once the order is signed, the terms are fixed.
The Path to a Consent Order
Consent orders don't appear without warning. The typical escalation path follows a pattern:
- Examination findings (MRA/MRIA): Examiner identifies deficiencies and expects corrective action
- Repeat or unresolved findings: Deficiencies persist through one or more subsequent examinations
- Informal supervisory action, The FDIC may issue a memorandum of understanding (MOU) or similar informal agreement
- Formal enforcement consideration, The FDIC regional office recommends formal action to the Division of Risk Management Supervision
- Consent order negotiation, The institution is presented with proposed terms and has the opportunity to negotiate before signing
The FDIC's Statement of Policy on Enforcement Actions outlines the factors considered when deciding whether to pursue formal enforcement:
- Severity and duration of the deficiency
- Whether prior supervisory actions were effective
- Whether the institution demonstrated good faith corrective efforts
- Risk to depositors and the Deposit Insurance Fund
- Management and board responsiveness to supervisory concerns
Institutions that respond promptly and substantively to MRAs and MRIAs, with documented evidence of remediation, are far less likely to face consent orders. The escalation almost always involves a pattern of inadequate response to earlier findings. Understanding how to respond to an MRA at the earliest stage is the best prevention.
What a Consent Order Typically Contains
Consent orders follow a standard structure, though the specific provisions vary by institution and the nature of the deficiencies. Common elements include:
Specific Corrective Action Requirements
The order will specify exactly what the institution must do, often with more detail than an MRA:
- Policy revisions with specific requirements for content and board approval
- System or process changes with defined implementation criteria
- Staffing requirements, such as hiring a qualified BSA officer or adding compliance staff
- Third-party reviews, independent assessments by firms acceptable to the FDIC
- Lookback reviews, retrospective review of transactions, accounts, or decisions during the deficiency period
Fixed Compliance Deadlines
Each requirement has a specific deadline, typically expressed as a number of days from the effective date of the order. Common timelines:
- Policy revisions: 60-90 days
- Staffing changes: 90-120 days
- System implementations: 120-180 days
- Independent reviews: 90-180 days
- Lookback reviews: 120-180 days
These deadlines are not guidelines. Missing them requires formal written request to the FDIC regional office, with justification and a revised timeline. Unapproved deadline extensions can trigger civil money penalties.
Board Reporting Obligations
The order typically requires:
- Board approval of all corrective actions within specified timeframes
- Quarterly (or monthly) compliance reports to the board, documented in minutes
- Certification by the board that the institution is in compliance with all order provisions
- Submission of compliance reports to the FDIC at defined intervals
Operational Restrictions
Depending on the nature of the deficiency, the order may impose restrictions:
- Growth limitations, restrictions on asset growth, new product offerings, or geographic expansion
- Activity restrictions, prohibition on certain activities until corrective actions are complete
- Dividend restrictions, limitations on capital distributions under 12 CFR § 303.241
- Personnel requirements, mandatory retention or hiring of specific roles
Public Disclosure and Its Consequences
Unlike MRAs and MRIAs, consent orders are public documents. They're posted on the FDIC's Enforcement Decisions and Orders database and are accessible to anyone.
This public disclosure creates secondary consequences that MRAs don't:
Counterparty and correspondent bank concerns. Correspondent banks, Federal Home Loan Banks, and other counterparties may review the order and adjust their risk assessment of your institution. Some correspondent relationships include covenant provisions triggered by enforcement actions.
Investor and shareholder notification. For publicly traded institutions, consent orders require securities disclosure. Even for privately held community banks, shareholders may become aware through public records.
Reputation impact. Local and trade media monitor FDIC enforcement actions. A consent order can become a news story in banking publications, affecting customer confidence and recruitment.
Regulatory cross-impact. Other regulators (state banking departments, FinCEN for BSA matters) may take independent action based on the FDIC's consent order findings.
The practical implication: a consent order isn't just a compliance event. It's an institutional event that touches operations, finance, governance, and reputation simultaneously. It requires a coordinated response beyond the compliance function.
Board Responsibilities Under a Consent Order
Board obligations under a consent order are qualitatively different from MRA oversight. They're specified in the order itself and are individually enforceable.
Specific board responsibilities typically include:
- Review and approve all corrective action plans within the deadlines specified in the order
- Certify compliance with order provisions at defined intervals, often quarterly
- Ensure adequate resources, budget, staffing, technology, are allocated to remediation
- Monitor progress through dedicated reporting, typically monthly during active remediation
- Engage directly with the FDIC during progress reviews and interim examinations
- Personal attestation, individual board members may be required to attest that they've read, understand, and will oversee compliance with the order
Failure to fulfill board obligations under a consent order can result in personal civil money penalties against individual directors under 12 U.S.C. § 1818(i)(2). This is not a theoretical risk, the FDIC has assessed penalties against individual directors who failed to exercise adequate oversight of consent order compliance.
Remediation Under a Consent Order
The remediation process under a consent order follows the same general methodology as MRA remediation, root cause analysis, corrective action planning, implementation, validation, monitoring, but with higher stakes and less flexibility.
Key differences in consent order remediation:
- No self-set timelines. Deadlines are in the order. Extensions require formal FDIC approval.
- Independent validation. The FDIC may require remediation validation by an independent third party, not just internal testing.
- Interim reporting to the FDIC. Progress reports submitted directly to the FDIC regional office, separate from board reporting.
- Follow-up examination. The FDIC will conduct a targeted examination specifically to verify consent order compliance, often before the next full-scope exam. See our guide on what triggers a follow-up examination.
The overall remediation process, from consent order effective date to termination, typically takes 12-24 months for community banks. The order remains in effect until the FDIC formally terminates it, which requires a determination that all provisions have been satisfied. For more on typical timelines, see our guide on FDIC remediation timelines.
Getting the Consent Order Terminated
Termination is not automatic. Even after completing all corrective actions, the consent order remains in effect until the FDIC issues a formal termination order. The process:
- Complete all corrective actions with documented evidence
- Pass the compliance examination, the FDIC conducts a targeted review to verify all order provisions are satisfied
- Demonstrate sustainability, examiners want to see that corrections are embedded in ongoing operations, not just point-in-time fixes
- Request termination, the institution formally requests termination, typically through the examiner-in-charge
- FDIC review and approval, the regional office and, for significant orders, Washington review the termination request
- Termination order issued, a public document confirming the order is terminated
The termination review focuses heavily on sustainability. An institution that implemented fixes but can't demonstrate ongoing monitoring and control sustainability may find the order remains in effect longer than expected.
How Teams Execute Consent Order Remediation
Consent order remediation requires the same discipline as MRA remediation, but with zero margin for error on timelines, evidence, and reporting. The institutions that execute well treat every order provision as a tracked workflow with fixed deadlines and evidence requirements that can't slip.
Canarie maps consent order provisions into individual tracked workflows with the same structure used for ongoing compliance execution: owners, milestones, evidence gates, board reporting triggers, and automatic escalation on approaching deadlines. Progress reports for the board and the FDIC pull from the same evidence base, ensuring consistency.
See how compliance teams manage enforcement action remediation →
Frequently Asked Questions
How long does a consent order stay on a bank's record?
A consent order remains in effect until the FDIC formally terminates it. Termination typically occurs 12-24 months after the effective date for community banks, assuming all provisions are satisfied. After termination, the order remains in the FDIC's public enforcement database permanently as a historical record. The order itself doesn't "expire", it must be affirmatively terminated through a formal process.
Can a bank continue normal operations under a consent order?
It depends on the order's specific provisions. Some consent orders impose operational restrictions, growth limitations, product restrictions, dividend limitations, or activity prohibitions. Others require corrective actions without restricting operations. Review the order carefully with legal counsel to understand which activities are restricted. Even unrestricted activities may be affected indirectly, as counterparties and correspondents may adjust their risk appetite based on the public order.
What's the difference between a consent order and a cease-and-desist order?
A consent order is agreed to by the institution: it consents to the terms. A cease-and-desist order can be imposed unilaterally after a formal administrative hearing under 12 U.S.C. § 1818(b). In practice, most enforcement actions are resolved through consent orders because both parties prefer to avoid the time and cost of administrative proceedings. The practical obligations under either type of order are similar, but a cease-and-desist order issued after contested proceedings typically signals a more adversarial relationship.
Does a consent order affect the bank's CAMELS rating?
Yes. A consent order is a significant factor in the management (M) component of the CAMELS rating and may affect other components depending on the underlying deficiencies. An active consent order will generally prevent a management component rating above 3 (fair). The composite rating may also be affected, which has implications for deposit insurance assessment rates, supervisory examination frequency, and certain regulatory approvals.