Regulatory Examination and Related Enforcement Also Highlights Perceived Risks of Banking Crypto Clients
The Department of the Treasury’s Office of the Comptroller of the Currency (“OCC”) recently issued a Consent Order against M.Y. Safra Bank arising from the bank’s decision to accept a variety of high-risk Digital Asset Customers (“DACs”), allegedly without implementing the necessary Bank Secrecy Act (“BSA”) and Anti-Money Laundering (“AML”) controls. Although the OCC did not impose a monetary penalty against the bank, it demanded that the bank implement and maintain a remarkably broad array of potentially costly and extremely detailed measures to strengthen its AML program. And, notably, the OCC specifically tasked the bank’s Board of Directors with implementing, overseeing, and reporting on these measures.
We describe here the OCC’s examination into and requirements imposed on M.Y. Safra Bank. The Consent Order is a reminder to the boards and management of all financial institutions that if they pursue novel and higher-risk customers – certainly, a potentially defensible business plan in our increasingly competitive business environment – then they absolutely have to adjust their AML compliance program and accompanying transaction monitoring accordingly to compensate for such increased risk. This is particularly true when those new customers employ novel technologies or business products that require a particularized ability to understand and address them from an AML perspective. New, creative business lines are not necessarily bad – so long as the implementation of the AML compliance program is adjusted appropriately to identify and manage the new risk.
The Consent Order also is a reminder that, as the BSA/AML Examination Manual of the Federal Financial Institutions Examination Council states, “[t]he board of directors, acting through senior management, is ultimately responsible for ensuring that the bank maintains an effective BSA/AML internal control structure,” and otherwise must create a culture of compliance.
This Consent Order and related OCC AML exam and enforcement issues – including the liability of not just institutions, but also the potential individual liability of AML in-house professionals – will be the topic of a forthcoming installment in Ballard Spahr’s Consumer Finance Monitor Podcast by the firm’s AML Team. Please stay tuned to our podcast, and read on here.
The OCC’s Examination
In July 2019, the OCC began an examination into M.Y. Safra Bank and found that from November 2016 to February 2019, the bank opened accounts for high-risk customers – DACs comprised of cryptocurrency-related money service business (“MSB”) customers, including digital currency exchangers, digital currency ATM operators, crypto arbitrage trading accounts, and blockchain developers and incubators. These new customers significantly increased the number of the bank’s domestic and international wires and Automated Clearinghouse (“ACH”) transactions. However, according to the OCC, the bank did not take the additional step of implementing the necessary controls to effectively address and monitor this increased risk.
From this activity, the OCC identified three distinct failures in the bank’s BSA/AML program.
First, the OCC determined that the bank failed to adequately identify and monitor its vulnerabilities to this high-risk customer activity.
Second, the OCC identified various deficiencies in the bank’s BSA/AML program, including: (1) the bank’s inability to effectively assess and evaluate suspicious customer activity and to file Suspicious Activity Reports (“SARs”); (2) the bank’s inadequate Customer Due Diligence (“CDD”) processes concerning ongoing monitoring and independent testing; and (3) the bank’s failure to appoint a qualified BSA Officer with sufficient resources.
Third, the OCC concluded that the bank failed to comply with its own operating agreement (which the OCC required the bank to maintain as a regulated entity) by failing to notify the OCC that it was significantly deviating from its prior business plan – namely, by onboarding these high-risk customers. Arguably, this third factor was the greatest sin in the eyes of the OCC. As this blog has stressed, maintaining good communications with regulators is always key.
Extra AML/BSA Compliance Measures Imposed on the Bank
In lieu of a penalty, the OCC imposed the following, potentially extremely costly and prescriptive compliance requirements on M.Y. Safra Bank:
- Appointing a three-person compliance committee to meet monthly to oversee the bank’s compliance with the OCC’s Consent Order, take minutes of each meeting, and submit written progress reports to the bank’s Board of Directors;
- Writing and adhering to a strategic plan for the bank to set forth, among other items, its desired overall risk profile and liability structure for the next three years;
- Hiring an independent and qualified BSA officer with adequate resources and subject to an annual review;
- Writing and maintaining a written BSA/AML compliance program that adequately monitors and identifies suspicious activity;
- Implementing an independent audit program to assess – via a written report with supporting documentation – the bank’s BSA/AML strengths and weaknesses in several specified areas and to identify immediate action needed to address such weaknesses;
- Proposing an independent, third-party consultant (subject to OCC approval) to review and provide a written report on the bank’s suspicious activity monitoring;
- Creating a written system of internal controls and processes to guarantee compliance with the bank’s SAR filing requirements;
- Implementing and updating every 12 months a written, institution-wide BSA/AML risk assessment that identifies the bank’s BSA/AML vulnerabilities and strategies for addressing them;
- Implementing and maintaining a robust CDD program that complies with the OCC’s specified requirements and, as a whole, ensures that the bank understands its customers and develops accurate and holistic customer risk profiles; and
- Creating system-wide and job-specific BSA/AML training programs for bank employees.
Throughout the Consent Order, the OCC emphasized that the bank’s Board of Directors bears the primary responsibility for ensuring – and, in fact, proactively verifying – that the bank complies with these myriad requirements. In doing so, the OCC has made clear its position that a Board of Directors – both at M.Y. Safra Bank and beyond – must play an extremely active role in a bank’s BSA/AML program in order to maintain the type of program that the OCC requires.