Learn more about the latest security and privacy threats
Editorial illustration for the article "EagleBank BSA settlement: $9.7M for a decade of ignored check kiting".

EagleBank will pay over 9.7 million dollars after admitting it ran no AML programme for a decade while executives shielded a check kiting scheme. What it means.

Table of contents

EagleBank agreed on 30 June 2026 to pay more than 9.7 million dollars under a non-prosecution agreement, admitting it willfully failed to run an anti-money laundering programme from 2010 to 2021. The Justice Department said senior executives repeatedly overrode compliance staff who tried to stop a decade-long check kiting scheme.

  • EagleBank will pay a fine of 9,057,821.62 dollars plus 736,515 dollars in forfeiture, resolving a Bank Secrecy Act investigation with no criminal charges filed.
  • The bank admits it willfully failed to establish an anti-money laundering and countering the financing of terrorism programme between 2010 and 2021.
  • Two customers, a father and son, ran a check kiting scheme for more than a decade, causing a loss of almost 6.3 million dollars to another financial institution.
  • Senior executives overrode compliance personnel who tried to close the accounts; the father was a friend and business partner of EagleBank's former chief executive, who resigned in 2019.
  • It is EagleBank's second regulator settlement in four years, after a 22.9 million dollar insider-lending resolution with the Federal Reserve and SEC in 2022.

What did EagleBank admit in the BSA settlement?

The EagleBank BSA settlement resolves an admission that the bank had no functioning anti-money laundering programme for eleven years. In the non-prosecution agreement announced on 30 June 2026, EagleBank and its parent, Eagle Bancorp Inc., admit that between 2010 and 2021 they willfully failed to establish an AML and countering the financing of terrorism programme, in violation of the Bank Secrecy Act. The bank will pay over 9.7 million dollars and adopt remedial measures.

The Justice Department framed the failure in blunt terms. Banks "must be gatekeepers, not gateways, for criminal activity," said Assistant Attorney General A. Tysen Duva of the Criminal Division. The case was investigated by the FBI and prosecuted by the Bank Integrity Unit of the Criminal Division's Money Laundering, Narcotics and Forfeiture Section together with the US Attorney's Office for the Middle District of Pennsylvania.

ItemDetail
Announced30 June 2026 (non-prosecution agreement)
Total payableOver 9.7 million dollars
Fine9,057,821.62 dollars
Forfeiture736,515 dollars (overdraft-fee proceeds)
Conduct period2010 to 2021
Admitted violationWillful failure to establish an AML/CFT programme, Bank Secrecy Act
Loss to third-party bankAlmost 6.3 million dollars
TermOne-year non-prosecution agreement

How did a check kiting scheme run for a decade?

The scheme worked because the same accounts that should have triggered alerts were protected from inside the bank. Two customers, a father and son, wrote checks against accounts holding insufficient funds and deposited them at another bank, exploiting the delay before each check cleared. Fraudsters keep the loop spinning, often in a circular pattern between banks, so overdrafts are nominally covered by the next bad check.

What makes the case notable is the internal override. According to the Justice Department, senior bank executives repeatedly blocked compliance personnel who tried to close the accounts and end the conduct. The father was a friend and business partner of EagleBank's former chief executive, who resigned in 2019. Over the life of the scheme, the pattern produced a loss of almost 6.3 million dollars at a separate financial institution, while EagleBank collected overdraft fees, the exact proceeds it has now forfeited.

What does the EagleBank BSA settlement change for your obligations?

Nothing in the law changed, but the case sharpens how three long-standing duties are judged. The EagleBank BSA settlement is a reminder that a written policy is not a programme, and that suppressed alerts are treated as the absence of a programme, not a lapse.

First, the four pillars of an AML programme under the Bank Secrecy Act. A programme needs a designated compliance officer, internal controls, independent testing, and training. EagleBank admitted a willful failure to establish that programme, which means examiners and prosecutors will read documented-but-ignored controls as no controls at all.

Second, suspicious activity reporting. Check kiting is a classic reportable pattern, and a Suspicious Activity Report must generally be filed within 30 days of initial detection of the activity. When staff flag conduct and are overruled, the filing duty does not disappear; the institution remains on the hook for every unfiled report, and the override itself becomes documentary evidence of willfulness rather than mere negligence.

Third, governance and the independence of the compliance function. The order turns on executives overriding compliance, so boards should expect scrutiny of escalation paths, of who can close a flagged account, and of whether the compliance officer can act without commercial veto. Record-keeping matters here too: the audit trail of overridden alerts is what converted a control gap into an admitted crime.

What is still uncertain about the case?

The open questions are about people, not the bank. The non-prosecution agreement resolves corporate liability, but it does not, on its face, name charges against the executives who overrode compliance, and the customers' criminal exposure sits outside this document. Whether individuals face separate action is unresolved.

There is also a policy read to watch. A non-prosecution agreement with a one-year term and no monitor is a relatively light corporate outcome for an eleven-year, admitted, willful failure. That reflects current Department practice of rewarding cooperation and self-remediation, but it leaves compliance leaders guessing where the line now sits between a fine and an indictment. The deterrent value of the EagleBank BSA settlement depends on whether the remedial commitments are tested and whether individuals are held to account.

How does the penalty compare to recent AML actions?

By dollar value, this is a mid-size Bank Secrecy Act outcome, well below recent broker-dealer penalties such as Canaccord's, but it is unusual in resting on an admitted willful override of compliance. The comparison that matters most is internal: EagleBank has now settled with financial regulators twice in four years.

ActionYearAmountCore issue
EagleBank, DOJ non-prosecution agreement2026Over 9.7 million dollarsWillful failure to run an AML programme; check kiting
EagleBank, Federal Reserve and SEC202222.9 million dollarsUndisclosed related-party insider loans
[Canaccord Genuity, FinCEN consent order](/resources/news/canaccord-fincen-80-million-aml-penalty)202680 million dollarsBroker-dealer AML programme failures

The 2022 matter was different in substance, related-party lending disclosures rather than AML, and it ended with the bank's founder permanently barred from banking and personally fined. Read together, the two actions place the EagleBank BSA settlement inside a governance culture in which controls were overridden from the top, the thread a supervisor will pull next.

How should compliance teams respond?

Start with the override risk, because that is what turned a control gap into an admitted crime. Confirm that no commercial officer can unilaterally close, reopen, or suppress a flagged account, and that every override is logged, escalated, and reviewed independently. Re-test your check kiting and overdraft-pattern rules against real account histories, not sample data, and confirm your Suspicious Activity Report timeliness holds when an alert is disputed. Give the compliance officer a documented, board-level escalation path that no executive can veto, and evidence your four pillars with independent testing rather than a policy binder. Tie the whole customer due diligence chain back to a verified identity, so a monitoring alert can be linked to a real person and not quietly dismissed.

Onboarding integrity is the foundation the rest of this rests on. Zyphe gives you decentralised, data-minimising KYC with a reusable credential and an exportable audit trail, so your monitoring and customer due diligence sit on a verified identity anchor and no central honeypot of documents. If you want to see how that lowers both fraud and breach exposure, book a demo.

The bottom line

The EagleBank BSA settlement is not really about check kiting; it is about what happens when a compliance function can be overruled from the corner office. A documented control that gets overridden is, in the eyes of prosecutors, no control at all. For teams running KYC and AML, the durable takeaways are governance independence, a logged and reviewable override process, and timely suspicious activity reporting that survives internal pushback. Strong, verified onboarding and a clean audit trail are what let those controls hold when someone senior would rather they did not.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

It is a non-prosecution agreement announced on 30 June 2026 in which EagleBank and parent Eagle Bancorp admit they willfully failed to run an anti-money laundering programme from 2010 to 2021, in breach of the Bank Secrecy Act. EagleBank will pay a fine of 9,057,821.62 dollars and forfeit 736,515 dollars, and will strengthen its AML controls.

The Justice Department chose a non-prosecution agreement, under which it agrees not to bring charges provided EagleBank meets the terms over a one-year period. This reflects Department practice of crediting cooperation and remediation, though the outcome is notably light for an eleven-year, admitted, willful failure to maintain a programme.

Check kiting exploits the delay between depositing a check and its clearing, writing checks against insufficient funds and covering them with further bad checks, often circulating between banks. It is a recognised fraud typology, so a bank that detects the pattern must generally file a Suspicious Activity Report within 30 days of initial detection rather than let the accounts continue.

Yes. In 2022 EagleBank paid 22.9 million dollars to settle Federal Reserve and SEC findings over undisclosed related-party loans, and its founder and former chief executive was permanently barred from banking and personally fined. The 2026 Bank Secrecy Act matter is a separate action on different conduct.

The central lesson is that suppressed alerts are treated as no programme at all. Ensure no commercial executive can override or close a flagged account without independent review, log every override, keep Suspicious Activity Report filing timely even when an alert is contested, and evidence your AML pillars with independent testing.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo