On January 24, 2024, the OCC issued a Consent Order to Blue Ridge Bank, finding that the bank failed to establish and maintain a reasonably designed BSA/AML Program. Deficiencies include systemic internal controls breakdowns, weak independent testing, and insufficient BSA staffing, stemming from risk management challenges related to third-party fintech partners.
Together, these enforcement actions provide the clearest picture of regulatory expectations that partner banks face when working with fintech partners, with BSA/AML compliance posing the greatest challenge.
We’ve provided two resources to help compliance teams respond to this latest action:
- A comparison of the summary requirements in the Consent Order and the prior Written Agreement, with a brief description of key differences
- A highlighted version of the full Consent Order marking changes from the Written Agreement
Notably, some of the key new or expanded requirements mentioned in the Consent Order include:
- BSA/AML Action Plan to remediate all BSA/AML issues
- New requirement to ensure end user accounts comply with BSA/AML requirements and provide supporting information to the OCC to demonstrate BSA/AML risks are controlled for each partner
- Expanded CDD and suspicious activity monitoring requirements
- Expanded risk assessment and audit testing scope
- Expanded SAR Look-Back scope
- Expanded BSA Officer requirements
- Strategic Plan covering bank objectives for, among other items, risk profile, use of third-party relationships, product line development, and market segments, plus OCC non-objection for any deviation from the Strategic Plan
- New Capital Plan and capital ratio requirements
- Operational restrictions resulting from “troubled condition” status
Cable's automated assurance, automated risk assessment, and Partner Hub tools enable compliance teams to efficiently manage third-party partner risks, ensure end-to-end BSA/AML compliance through layers of partners all the way to end user accounts, and demonstrate the effectiveness of their risk management to regulators.
Clearly, this action signals that 2024 will be a year of strict regulatory scrutiny over the entire BaaS landscape. Evidencing effective risk management to regulators is non-negotiable for compliance teams, and only the companies that go all-in on their compliance capabilities will survive, thrive, and grow to become the dominant players in BaaS.
Get in touch today to learn how Cable is helping partner banks and fintechs alike succeed in today’s regulatory environment.