Appeal of Matters Requiring Attention, Violations of Law, and Management Rating (Third Quarter 2020)

Background

A bank supervised by the Office of the Comptroller of the Currency (OCC) appealed to the Ombudsman the conclusions communicated in the most recent report of examination (ROE) as well as a violation provided in a separate cover after the examination. Specifically, the bank appealed the following:

  • Matters requiring attention (MRA) regarding
    • Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Compliance Program.
    • Investigation Processes.
    • 314(a) Identification and Reporting.
    • BSA Audit.
    • BSA Officer (BSAO) and Staffing.
  • Past-due status and open—corrective actions not yet due status of two concerns for the BSA/AML Third-Party Transaction Monitoring MRA.
  • Violation of 12 CFR 21.21(d)(1), “Bank Secrecy Act; Contents of Compliance Program; Internal Controls.”
  • Component rating of 3 for management.
  • Violation of suspicious activity report (SAR).

Discussion

The appeal disagreed with all six concerns outlined in the BSA/AML Compliance Program MRA.

  1. The appeal disagreed that board and management oversight of the bank’s prepaid card program, outsourced to third-party service providers (TPSP), was deficient. The appeal contended that the bank had developed, administered, and maintained an effective program for compliance with the BSA and its implementing regulations as described in the Federal Financial Institutions Examination Council BSA/AML Examination Manual (BSA/AML Manual).
  2. The appeal asserted that the bank’s risk assessment process and documentation of its BSA/AML/Office of Foreign Assets Control (OFAC) risk exposure associated with the prepaid card program was comprehensive when considering complete information.
  3. The appeal disagreed with the conclusion that reports to monitor the TPSPs’ performance and ensure adherence to BSA regulatory requirements were deficient and contended that the bank’s process for requiring the TPSPs to elevate unusual (and potentially suspicious) activity to the bank was effective and met regulatory requirements.
  4. The appeal argued that the examiners misapplied the requirements of the SAR regulation; OCC Bulletin 2011-27, “Prepaid Access Programs: Risk Management Guidance and Sound Practices”; and related interpretive guidance from the Financial Crimes Enforcement Network (FinCEN) in determining that the bank was required to file a duplicate SAR when the TPSPs had already filed a SAR. The appeal argued that the bank developed its policies and procedures contemplating that the TPSPs would file SARs on behalf of the bank and contended there was no prohibition of this approach.
  5. The appeal also argued that conclusions regarding the bank’s alert and case disposition process were neither supported nor consistent with the BSA/AML Manual. The appeal indicated that the bank maintained multiple controls, including testing and internal audits, to ensure cases had sufficient support for disposition.
  6. The appeal disagreed that the bank’s quality assurance (QA) function to monitor the TPSPs’ compliance with BSA/AML requirements was insufficient. The bank asserted that the examination team did not identify any instances of missed SAR filings or deficient policies, procedures, or processes.

The appeal disagreed with the Investigation Processes MRA criticizing the bank’s case investigation process for potentially suspicious activity in transactions processed by the bank. The appeal argued that the basis of the MRA was supported by isolated and technical incidents and that the decision to file a SAR is an inherently subjective judgement.

The appeal disputed two concerns related to the 314(a) Identification and Reporting MRA regarding management information systems and reporting because the issue was self-identified and consisted of isolated incidents.

The appeal contended that the BSA Audit MRA criticizing the bank’s independent audit function for the prepaid card program was due to the examination team’s failure to review all prepaid card-related audits. The appeal claimed the bank performed sufficient audits to assess the effectiveness of the bank’s oversight of the prepaid card program with respect to BSA/AML compliance.

The appeal disputed the BSAO and Staffing MRA by arguing that the BSAO was competent and met the requirements outlined in the BSA/AML Manual, the bank’s BSA/AML staffing was sufficient, and management appropriately monitored staffing levels at the TPSPs.

The appeal contested the status of two concerns outlined in the BSA/AML Third-Party Transaction Monitoring MRA. The appeal argued that the bank completed the corrective actions to address the third-party alert management concern and it should not be noted as past due. Further, the appeal argued that the bank also completed the corrective actions required to address the concern over reliance on the third parties and the status should not be noted as open—corrective action not yet due.

Given the arguments outlined above, the appeal contended that the violation of 12 CFR 21.21(d)(1), “Bank Secrecy Act; Contents of Compliance Program; Internal Controls,” was unsupported. The appeal argued that the BSA/AML concerns identified at the examination pertained to a small subset of the bank’s overall business and that the BSA/AML Manual allows the bank flexibility in designing its BSA/AML program and internal control procedures.

The appeal contended that there was no evidence of a violation of the SAR regulation because the bank is not required to file a SAR if the TPSPs had already filed a SAR and the noted incidents were isolated.

Finally, the appeal argued that the management rating of 3 was largely based on incorrect findings and conclusions regarding the bank’s BSA/AML compliance program that are being disputed. The appeal also stated that the bank addressed many of the concerns by the time the supervisory office (SO) issued the ROE. The appeal also pointed to the component ratings and satisfactory risk management in other areas of the bank, except for compliance, as support for a 2 rating for the management component.

Supervisory Standards

  • 12 CFR 21.21, “Minimum Security Devices and Procedures, Reports of Suspicious Activities, and Bank Secrecy Act Compliance Program”
  • Regulation for SAR
  • 31 CFR 1020.320, “Reports by banks of suspicious transactions”
  • OCC Bulletin 2014-60, “Bank Secrecy Act/Anti-Money Laundering: Revised FFIEC BSA/AML Examination Manual”
  • OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance”
  • OCC Bulletin 2011-27, “Prepaid Access Programs: Risk Management Guidance and Sound Practices”
  • OCC Bulletin 2007-36, “Bank Secrecy Act/Anti-Money Laundering: BSA Enforcement Policy” (since replaced by OCC Bulletin 2020-75)
  • “FinCEN Amendment to the Bank Secrecy Act Regulations—Definitions and Other Regulations Relating to Prepaid Access,” Fed. Reg. Vol. 75, No. 123 (June 28, 2010) (preamble and explanatory text associated with this proposed rule)
  • “Bank Secrecy Act Regulations—Definitions and Other Regulations Relating to Prepaid Access,” Fed. Reg. Vol. 76, No. 146 (July 29, 2011) (FinCEN Prepaid Access Final Rule)
  • FinCEN SAR Electronic Filing Requirements, March 2015
  • Comptroller’s Handbook, “Bank Supervision Process” (June 2018)
  • Comptroller’s Handbook, “Internal and External Audits” (December 2016)
  • Comptroller’s Handbook, “Compliance Management Systems” (June 2018)

Conclusions

Except for the violation of the SAR regulation, the Ombudsman concurred with the SO on all issues appealed. In addition, the Ombudsman revised some of the MRAs for clarity and accuracy.

The Ombudsman concurred with the SO for all six concerns outlined in the BSA/AML Compliance Program MRA regarding deficiencies in the bank’s prepaid card program outsourced to TPSPs.

  1. Board and management’s oversight of the TPSPs was deficient. While the bank established a governance framework to oversee third-party relationships, breakdowns occurred in the execution of policies and procedures designed to ensure compliance and effective oversight.
  2. The bank’s BSA/AML/OFAC risk assessment associated with transactions processed by or through the bank’s TPSPs was not adequate.
  3. Management did not ensure TPSPs provided the bank with the reporting required by established written agreements to ensure compliance with the BSA.
  4. Management did not ensure that one of the TPSPs’ policies and procedures were in line with the written agreement and with the bank’s BSA/AML compliance requirements regarding identification of potentially suspicious activity. Examiners appropriately applied the requirements of the SAR regulation, OCC Bulletin 2011-27, and related interpretive guidance from FinCEN, as they apply to the bank’s requirement to file a SAR on transactions processed by or through TPSPs. The corrective action did not require the bank to file a duplicate SAR, only that the bank must comply with its SAR filing requirements outlined in the SAR regulation.
  5. Validation of examiners’ transaction testing revealed that management did not ensure TPSPs adequately supported alert and case dispositions. Such oversight of the TPSPs is necessary for the bank to demonstrate its ability to comply with the SAR filing requirements. The Ombudsman did note an error in the exception levels quoted in the ROE and asked the SO to revise the MRA to reflect the corrected exception level.
  6. The bank’s QA function was insufficient in monitoring and supporting third-party processes to ensure compliance with BSA/AML requirements. The bank had established a written policy to monitor the TPSP’s adherence to bank policies and BSA/AML regulations, but monitoring activities at times were absent or ineffectively executed.

The Ombudsman agreed with the SO regarding the Investigation Processes MRA. The bank’s case investigation process, for transactions processed at the bank, needed improvement. The examiners appropriately assessed the bank’s SAR decision-making process and quality of policies and procedures to identify deficient practices.

The Ombudsman concurred with the SO regarding both concerns for the 314(a) Identification and Reporting MRA.

  1. The Ombudsman acknowledged that one of the concerns was self-identified, but agreed with the SO that the internal control deficiencies warranted an MRA. The self-identified issue was regarding the bank’s failure to report 314(a) matches to FinCEN over a period of several months, which is a violation of law. As of the time of examination, the self-identified issue remained unresolved. In accordance with the “Bank Supervision Process” booklet of the Comptroller’s Handbook, examiners are required to cite a violation if the board or management are aware of a violation and disclose it to the OCC before or during the examination. When examiners identify a violation, they should also identify any deficient practices that contribute to the violation. If bank management has not corrected deficient practices that caused or contributed to the violation, examiners must communicate the OCC’s concern with these practices in an MRA. In addition, examiners are required to issue an MRA concern that is self-identified if it is a significant unresolved concern that the bank initially discovered.
  2. The second concern was not self-identified and revealed a flaw in management’s application of 314(a) requirements to identify matches that need to be reported to FinCEN. This process flaw required the bank to perform a 12-month look-back review. The Ombudsman concluded that the concern was not isolated, as the flaw was in the bank’s process for performing 314(a) searches. The result was an unknown population and period of potentially unreported 314(a) matches.

Based on a review of relevant audit work papers, the Ombudsman concurred with the SO that the independent audit function for prepaid card activities was insufficient. The bank’s internal audit function failed to identify internal control deficiencies in the bank’s BSA/AML compliance program related to the prepaid card activities due to an inadequate scope and depth of review and failure to promptly escalate key control weaknesses.

The Ombudsman also agreed with the SO that the bank was operating without a qualified BSAO. The BSA/AML-related concerns and violations identified at the examination, including two BSA pillar violations, are evidence that the BSAO was not knowledgeable or appropriately managing the bank’s BSA/AML compliance program. In addition, the Ombudsman concurred with the SO that the BSA/AML staffing at the bank was insufficient. As the bank’s transaction volume increased, management did not increase staffing levels commensurately. New internal control deficiencies identified during the examination and untimely corrective actions on previously identified deficiencies also suggest inadequate staffing levels, training, or knowledge. Finally, the bank did not have a clear understanding or support to determine if staffing levels were appropriate at the TPSPs.

The Ombudsman agreed with the status assigned by the SO to the two concerns within the BSA/AML Third-Party Transaction Monitoring MRA. The status of one of the concerns was appropriately identified as past due. During the on-site examination, examiners’ validation of the bank’s corrective actions revealed that the actions were not effective or sustainable. The second concern was appropriately noted as open—corrective action not yet due, because the commitment date was beyond the examination period, as the bank requested an extension. The bank submitted the documents related to the corrective action a short time before the SO issued the ROE. However, since the bank’s submission was after the period of assessment covered by the ROE, the SO accurately reflected the status of the concern as not yet due.

The Ombudsman concurred with the SO to cite a violation of 12 CFR 21.21(d)(1), “Bank Secrecy Act; Contents of Compliance Program; Internal Controls.” The Ombudsman agreed that management and the board failed to establish a compliance program that provides for an effective system of internal controls to assure ongoing compliance with the BSA. Internal controls should be commensurate with the institution’s size, structure, risk, and complexity. Critical internal controls for BSA can generally be categorized into four key areas: (1) customer due diligence (CDD) and enhanced due diligence (EDD), including the bank’s customer identification program (CIP); (2) risk assessment; (3) suspicious activity monitoring, investigation, and reporting; and (4) currency transaction reporting processes. The SO identified deficiencies in several key internal control areas that impaired the bank’s ability to comply with the BSA. The bank’s prepaid card program activities represented a high volume of transactions. 

The Ombudsman concurred with the SO’s decision to change the management component rating to a 3. Compliance risk practices were weak given the nature of the institution’s activities and were not commensurate with the bank’s high and increasing risk profile. The number and severity of the BSA/AML MRAs and violations identified by the examiners were evidence that the board and management were not adequately identifying, measuring, monitoring, or controlling BSA/AML risks. The examination resulted in six new BSA/AML MRAs, two past-due MRAs, violations related to the USA PATRIOT Act Section 314(a), and two BSA pillar violations for internal controls and the BSAO. The “Bank Supervision Process” booklet of the Comptroller’s Handbook states, “The OCC considers BSA/AML examination findings in a safety and soundness context when assigning the management component rating. Serious deficiencies in a bank’s BSA/AML compliance create a presumption that the management rating will be adversely affected because risk management practices are less than satisfactory.” While the SO’s support for the management rating appropriately relied heavily on the BSA/AML deficiencies noted above, it is important to note that the SO also identified four new MRAs related to risk management weaknesses in other areas of the bank.

The Ombudsman determined that the SAR violation provided to bank management under a separate cover was not supported and removed any reference to it in the ROE. The instances of the violations were either identified after the on-site examination or were a result of corrective actions the bank took in response to examination findings. The SO will assess and consider these instances of violations in a future supervisory activity to conclude on whether a finding of a violation of law is appropriate.