Appeal of Compliance with a Formal Enforcement Action (Second Quarter 2017)
A community bank operating under an enforcement action appealed to the Ombudsman the requirement to obtain a prior written determination of no supervisory objection and the denial of no supervisory objection for the implementation of a prepaid debit card program.
The appeal argued that a prior written determination of no supervisory objection under the enforcement action was not required because the bank is not offering a new product. The appeal contended the bank already offers general purpose prepaid debit cards, similar to the product contemplated in the proposal. The appeal stated the bank would engage a vendor to assist in the implementation and monitoring of the proposed product. The appeal disagreed with the supervisory office’s (SO) reason of weak due diligence for denying no supervisory objection. The appeal contended that management addressed short- and long-term strategies for the bank and product, completed an adequate risk assessment, and described how the bank would comply with legal and regulatory requirements. The appeal also argued that the Bank Secrecy Act (BSA)/anti-money laundering (AML) risk from the proposed product as well as a financial analysis of the vendor were considered in the due diligence process.
The Ombudsman conducted a comprehensive review of the information submitted by the bank and the SO and relied on the following supervisory standards:
- The enforcement action entered into between the Office of the Comptroller of the Currency (OCC) and the bank.
- OCC Bulletin 2004-20, “Risk Management of New, Expanded, or Modified Products: Risk Management Process,” May 10, 2004.
- OCC Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance,” October 30, 2013.
- OCC Bulletin 2011-27, “Prepaid Access Programs: Risk Management Guidance and Sound Practices,” June 28, 2011.
The Ombudsman concurred with the SO that the prepaid debit card program required a prior written determination of no supervisory objection per the enforcement action. The prepaid debit card program was not a new product because the bank currently offers general prepaid debit cards, similar to the cards that would be offered under the new proposal. The proposed product, however, would add a new marketing partner, change the bank’s marketing channels, and have a material impact on the bank’s operations. As such, the proposed product would be a significant deviation from the bank’s existing product line and requires a prior written determination of no supervisory objection under the enforcement action.
The Ombudsman determined that the SO appropriately denied no supervisory objection for the proposed product due to a weak due diligence process. The bank’s due diligence did not incorporate risk management guidance outlined in OCC Bulletin 2004-20 for new products and OCC Bulletin 2011-27 specific to prepaid debit cards. The due diligence process did not effectively outline the bank’s future strategy, goals, and objectives for the bank and product. The strategic plan submitted by the bank lacked a discussion of the bank’s strategic direction, overall risk appetite, and an analysis of how the bank’s staff members, infrastructure, and capital would support the proposed prepaid debit card program.
The Ombudsman determined that the risk assessment was weak, based on the vendor, and not an evaluation of the bank’s risk profile. The bank did not perform an assessment of existing risks and risk management systems as well as additional risks and risk management systems necessary to manage the proposed product. While the bank discussed staffing needs and management expertise, it was not specific to the implementation of the proposed product. Also, the bank would rely heavily on the vendor’s policies, procedures, and systems, but management did not perform an assessment of the vendor’s compliance program or the management information system capabilities that would help management and the Board understand the vendor’s control environment and risk mitigation practices.
The Ombudsman also determined that the bank did not consider key due diligence factors as discussed in OCC Bulletin 2004-20. These factors are:
- details on how management would monitor the vendor’s performance or the performance criteria and benchmarks that would measure the success or failure of the product.
- management expertise to properly oversee the implementation and oversight of the program.
- a detailed implementation plan on how the prepaid debit card would be brought to market.
The Ombudsman also determined that the bank did not sufficiently or accurately assess the audit and compliance systems to implement such a high-risk activity. The Ombudsman also agreed with the SO that the bank did not address whether the bank could manage the increased BSA/AML risk from the proposed product. The bank discussed hiring additional staff members to manage the risks arising from the proposed product, but the addition of staff members was reliant on future capital and earnings that may be generated upon product implementation. In addition, the bank planned to establish an audit and compliance function after the prepaid card program was launched. The Ombudsman agreed with the SO that the board of directors and management must ensure risk management functions and personnel are in place before implementing the proposed product to ensure risks are properly managed and monitored.
The Ombudsman concurred with the SO that the bank’s due diligence did not include an adequate financial analysis of the vendor. While the bank provided the vendor’s financial projections for 2016 along with the 2015 financial results, the bank did not provide a financial analysis of the vendor. OCC Bulletin 2013-29 requires a bank to conduct due diligence, including a financial analysis, on third parties before selecting and entering into a contract.