Anchorage OCC Consent Order: Expectations for crypto compliance and remediation requirements
Last week, the U.S. Office of the Comptroller of the Currency (OCC) issued a first-of-its-kind Consent Order to Anchorage Digital Bank. The order offers compliance officers unique insights about compliance expectations vis-à-vis digital assets and remediation activities.
Anchorage was the first crypto firm to receive conditional approval for a national trust charter from the OCC in January 2021. That kicked off a year of notable milestones for the bank, including being the digital asset bank of choice when Visa sought to buy its first NFT, and enabling Visa to become the first major payments network to conduct a settlement transaction using a stablecoin.
Now, Anchorage has become the first federally chartered digital asset bank to face an OCC enforcement action for Bank Secrecy Act (BSA)/anti-money laundering (AML) violations. Upon receiving its charter, Anchorage entered into an operating agreement with the OCC requiring that it implement a BSA/AML compliance program. But in its Consent Order, the OCC said Anchorage has not yet complied fully with that requirement, though the OCC acknowledged the bank’s progress on corrective actions.
Digital asset compliance expectations
As this represents the first BSA/AML enforcement action involving a digital asset bank, compliance officers have an opportunity to glean insights from the Consent Order about the OCC’s view on compliance programs in the crypto context. While the digital asset-specific references in the Consent Order’s requirements are limited, there are at least two items to note.
First, the OCC expects that Anchorage’s suspicious activity monitoring program will ensure the bank collects “sufficient information” on digital asset transactions to enable effective identification of suspicious activity. Second, the OCC expects that the bank’s independent testing function should be staffed by persons having speciality expertise in both BSA/AML compliance and digital assets.
Remedial action requirements
The Consent Order also provides compliance officers with a sense of regulators’ expectations regarding BSA/AML remediation activities, the typically short timelines and the resources that should be engaged.
Among other things, the Consent Order requires the bank to do the following:
- Within 15 days, appoint a Compliance Committee that meets at least quarterly;
- Within 30 days, submit a BSA/AML Action Plan addressing the bank’s BSA/AML deficiencies, violations and corrective actions;
- Within another 30 days from submitting the Action Plan (and 30 days after each Compliance Committee meeting), the Compliance Committee must submit progress reports to the Board, which must send the report to the OCC.
- Within 90 days, implement a suspicious activity monitoring and reporting program.
- Within 90 days, propose an independent consultant to conduct a SAR Look-Back (then within 60 days of the OCC’s approval of the consultant, propose a scope and timeline for the Look-Back, with a report to the OCC required within 30 days of the Look-Back completion).
- Within 180 days (and annually thereafter), review the effectiveness of the bank’s BSA/AML compliance program and adequacy of the bank’s BSA Officer and staff.
A key element to remediation efforts is establishing governance structures that provide oversight and accountability, like compliance committees and regular reporting mechanisms to provide internal and external updates.
Additionally, it can be challenging to not only develop and implement remedial measures in a short time-frame, but also manage monitoring and reporting mechanisms that demonstrate the effectiveness of your remedial and go-forward measures. Sometimes you may feel that all your time is spent reporting instead of engaging in actual remediation activities! It’s important to plan in advance how to collect necessary information for reporting, including identifying responsible team members and appropriate sources to check.
Finally, as evidenced by the recent USAA enforcement action, if a regulator requires you to implement corrective actions, you have to always keep in mind the threat of further penalties if your progress toward compliance is too slow.