On February 20, 2020, the federal Office of the Comptroller of the Currency (OCC) announced a Bank Secrecy Act enforcement action against a federal savings bank (Bank). This is one of the first, if not the first, public enforcement actions against a bank related to banking cryptocurrency-related operations. Banks that currently provide banking services to cryptocurrency-related companies, or are considering providing banking services to such companies in the future, should carefully review this enforcement action and consider where the quality of the bank’s AML compliance program is commensurate with these high-risk customers.
Like most OCC enforcement actions, the OCC’s order contains little in the way of factual development. Since November 2016, the Bank had provided banking services to a variety of cryptocurrency-related entities, including “digital currency exchangers, digital currency ATM operators, crypto arbitrage trading accounts, blockchain developers and incubators, and fiat currency MSBs.” The OCC found that these activities “increased the volume of the Bank’s domestic wires, international wires, Automated Clearinghouse (ACH), and cross-border ACH transactions without sufficient monitoring or controls in place,” leading to deficient customer due diligence and suspicious activity monitoring practices. These findings were aggravated by a finding that the Bank had failed to secure prior approval for a material deviation from an approved business plan. Despite these findings, the OCC did not impose a civil money penalty.
The programmatic requirements are typical for a robust BSA enforcement action, covering governance (Articles III and IV), BSA resources and staffing (Article V), internal controls (Article VI), audit (Article VII), risk assessments (Article X) and training (Article XI). The order also covered suspicious activity monitoring and reporting (Article VIII) and customer due diligence (Article XI). Finally, the order requires the Bank to conduct an SAR lookback review over a 319-day period (Article IX). This is a fairly lengthy lookback period and could easily amount to a million-dollar project (if not more). Banks negotiating such orders should bear in mind the compliance costs associated with programmatic requirements and argue for tailoring enforcement action requirements to reflect the agency’s findings and concerns.