If you're responsible for compliance at a bank, credit union, or any linked financial entity, the phrase "prohibited activities" probably keeps you up at night. It's not just one rule. It's a tangled web of regulations from the Fed, the OCC, the FDIC, and more, each with its own nuances. Getting it wrong isn't an option—the fines are massive, and the reputational damage can be permanent. This guide cuts through the legal jargon. We'll map out the core prohibitions, explain why they exist, and, more importantly, show you how to build a compliance framework that doesn't just check boxes but actually protects your institution.
The 5 Core Prohibitions Every Banker Must Know
Let's be clear. When regulators talk about a "bank chain entity," they're referring to the bank itself and its affiliates—think holding companies, sister firms, or subsidiaries. The rules are designed to build walls between these entities to prevent risk from leaking into the insured deposit-taking bank. Forget trying to memorize every statute. Focus on these five pillars.
1. The Affiliate Transaction Firewall (Regulation W & Section 23A)
This is the big one. A bank is heavily restricted in the credit it can extend to its affiliates. Think of it as a family loan with extreme scrutiny. The aggregate limit is 10% of the bank's capital for any single affiliate and 20% for all affiliates combined. And the collateral requirements are stiff—often 100% to 130% with high-quality assets. I've seen banks stumble here by treating inter-company funding as "internal housekeeping." Regulators see it as a potential drain on the bank's safety net.
2. The Anti-Tying Restriction (Section 106 of the BHCA)
You can't force a customer's hand. It's illegal to condition a loan or service on the customer buying another product from you or an affiliate. "We'll approve your commercial loan, but only if you move your wealth management account to our sister company." That's a textbook violation. The subtle trap? Even implied pressure can land you in hot water. Your loan officers need training to avoid even the appearance of coercion.
3. Restrictions on Equity Investments
Banks can't just go investing in any company. Their equity investments are largely confined to those that are permissible for national banks, which typically means passive investments. Taking a controlling stake in a non-financial commercial enterprise? Generally a hard no. The Volcker Rule further complicates this by restricting proprietary trading and certain fund investments. The gray area here is around "merchant banking" investments, which have specific holding period and size limits.
4. Prohibitions on Certain Non-Banking Activities
This is about what the affiliates in the chain can do. A bank holding company can engage in activities that are "closely related to banking," as defined by the Federal Reserve (you'll find this list in Regulation Y). But outright commercial activities—like running a manufacturing plant or a tech startup—are prohibited. The goal is to keep the financial system focused on finance, not speculative business ventures.
5. Cross-Marketing and Information Sharing Limits (GLBA & Privacy Rules)
Just because you're under the same corporate umbrella doesn't mean you have free rein with customer data. The Gramm-Leach-Bliley Act (GLBA) sets strict rules. You must give customers clear privacy notices and, in many cases, an opt-out before you can share their nonpublic personal information with nonaffiliated third parties. Sharing with affiliates is generally allowed, but it's a compliance minefield if not managed with clear internal controls and documentation.
| Prohibition | Governing Rule/Law | Primary Risk It Mitigates | Common Red Flag |
|---|---|---|---|
| Affiliate Lending Limits | Section 23A of Fed Act, Reg W | Capital drain from bank to risky affiliate | "Temporary" inter-company loans that become permanent. |
| Anti-Tying | Section 106 of BHCA | Unfair competition & customer coercion | Loan officer bonuses linked to cross-sell metrics without proper safeguards. |
| Equity Investment Bans | Bank Holding Company Act, Volcker Rule | Speculative losses & conflicts of interest | Investing in a fintech partner beyond a passive, minority stake. |
| Non-Banking Activity Bars | Regulation Y | Concentration of non-financial risk | A holding company acquiring a logistics firm to "serve client needs." |
| Data Sharing Violations | Gramm-Leach-Bliley Act | Consumer privacy breaches & legal liability | Marketing lists shared between bank and insurance affiliate without proper opt-out checks. |
Real-World Scenarios: Where Banks Get Tripped Up
Theory is one thing. Practice is another. Here are two composite cases based on real consent orders I've analyzed. The names are changed, but the lessons are painfully real.
Case Study: First Regional Bancorp & The Real Estate Affiliate Sinkhole.
First Regional had a wholly-owned subsidiary that developed commercial properties. The bank routinely provided construction loans to this affiliate, treating them as low-risk because "we know the management." Over three years, these exposures crept from 5% to 18% of the bank's capital. When the real estate market dipped, the affiliate couldn't sell units, and the loans soured. The OCC hit the bank with a cease-and-desist order, citing repeated Section 23A violations. The killer wasn't just the fine; it was the forced capital raise under duress and the years of enhanced supervision. The mistake? They managed the limit as a year-end reporting issue, not a real-time risk control.
Case Study: Trustworthy Bank & The Coercive Cross-Sell.
Trustworthy Bank's board pushed hard for "synergy" between its mortgage division and its title insurance agency (an affiliate). Loan officers were given steep discounts on title services to offer customers. The script was, "Using our title agency will streamline your closing and save you money." Sounds good, right? The CFPB saw it differently. They found the pricing was structured to make the in-house option de facto mandatory, and customers weren't genuinely shopping. This constituted an illegal tie. The settlement cost millions and required a complete overhaul of sales incentives and training. The lesson? Synergy pursued without strict legal guardrails is just a compliance failure waiting to happen.
How to Build a Bulletproof Compliance Framework
Knowing the rules isn't enough. You need a system. This isn't about buying expensive software (though that can help). It's about embedding these principles into your daily operations.
Step 1: The Centralized Affiliate Registry
This sounds basic, but you'd be shocked how many banks have a fuzzy view of their corporate family tree. Create and maintain a single source of truth—a live document listing every entity in the chain, its ownership percentage, and its primary business activity. Update it quarterly. This registry is the foundation for applying all the other rules.
Step 2: Implement Transaction-Specific Pre-Approval Workflows
Any transaction with an affiliate—a loan, a service agreement, a data transfer—must flow through a defined approval path. The workflow should automatically flag:
- Is the counterparty in our registry?
- Does this trigger 23A limits? (Calculate the impact in real time).
- Does this involve customer data? (Trigger a GLBA review).
Step 3: Training That Goes Beyond the Legal Text
Don't just train your compliance staff. Train your relationship managers, your loan officers, your product developers. Use the case studies above. Ask them: "If a long-time commercial client who uses our affiliate for payroll wants a discount on a new loan, how do you respond?" Make it practical.
Step 4: Independent Testing and Audit
Your internal audit function must regularly test these controls. Not just a sample check, but a deep dive. Can you circumvent the pre-approval workflow? Are limits being calculated correctly? This independent validation is what gives the board and regulators confidence that your program isn't just paper.
One final, critical piece: Document everything. Not as a chore, but as your defense. Show the thought process behind every decision related to affiliate dealings. If you ever face scrutiny, this narrative will be more valuable than any policy document.
Your Top Compliance Questions Answered
This is the million-dollar question in modern banking. The trigger is typically control, not just ownership. If your bank or holding company owns 25% or more of the voting securities, it's likely an affiliate. But control can also be established through board representation, contractual agreements that dictate key operations, or the ability to exercise a controlling influence. The gray area is in minority investments with strategic partnerships. My advice: Involve legal counsel early to structure the deal. Often, using a pure arm's-length service agreement or a very passive, non-controlling minority stake can keep the fintech outside the restrictive affiliate rules, while a joint venture or controlling stake brings the whole regulatory firewall into play.
Absolutely, and sometimes more so. The rules apply to all FDIC-insured banks and their affiliates, regardless of size. Smaller banks often have closer, more informal relationships between the bank and its holding company or related entities. That informality is the risk. A common pitfall for community banks is the holding company taking on debt (like a trust preferred security) and then downstreaming the funds to the bank as capital. That's fine. But if the holding company then uses other bank funds to pay its debt service without strict adherence to 23A limits, you've got a violation. Your size doesn't exempt you; it just means a single misstep can have a proportionally larger impact on your capital.
People forget to include credit exposures beyond formal loans. Under 23A, "covered transactions" include purchases of assets from an affiliate, acceptances of affiliate-issued securities as collateral, and even certain derivative exposures. If your bank buys a loan portfolio from its mortgage affiliate or accepts low-quality affiliate paper as collateral for a completely unrelated loan, those transactions likely count against your 10% and 20% limits. Most tracking systems I've reviewed focus on the loan book and miss these other exposures. Conduct a full-scope review annually to catch these hidden exposures.
Don't panic and don't try to hide it. Immediately engage your general counsel or outside legal counsel specializing in bank regulation. The first step is a privileged internal review to understand the scope, cause, and financial impact. In many cases, if the violation is identified through your own compliance efforts and is promptly reported and remediated (e.g., the transaction is unwound or brought within limits), regulators may view it more favorably in an enforcement context. Self-reporting through your regulator's exam portal or contacting your supervisory office demonstrates a commitment to compliance. The worst action is to do nothing and hope it's not found in the next exam.