Skip to main content
OCC Flag

An official website of the United States government

Appeal of Component Ratings, Matters Requiring Attention, and Violations of Law (Second Quarter 2019)


A federal savings association (bank) supervised by the Office of the Comptroller of the Currency (OCC) appealed to the Ombudsman the conclusions from the most recent report of examination (ROE) of the bank issued by the supervisory office (SO). Specifically, the bank appealed

  • violation of 12 CFR 163.180(d)(3).
  • violation of 12 CFR 21.21(d)(1).
  • corrective action requiring a look-back review by an independent entity for a matter requiring attention (MRA).
  • component rating of 3 for management.


The appeal asserted the violation of 12 CFR 163.180(d)(3) is not in line with the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual. The appeal claimed that the FFIEC manual states examiners should only substitute their judgment for that of the bank's AML team when the bank does not follow an established suspicious activity report (SAR) decision-making process, or if there is an indication of bad faith or significant failures. The appeal contended that the examiners failed to consider that management determined not to file a SAR after following its procedures to investigate the accounts for potential suspicious activity and the ROE did not criticize management's failure to establish a SAR decision-making process or follow existing policies, or identify evidence of bad faith in any of the five instances.

The appeal contended that the violation of 12 CFR 21.21(d)(1) is predicated on the SO's conclusion that the bank's ability to identify and report potential suspicious activity is weak and the bank failed to file SARs in five instances. The appeal asserted that examiners improperly used isolated instances of the bank's internal reviews to conclude systemic deficiencies in the bank's BSA/AML program and niche loan product.

The appeal argued that the primary support for requiring the bank to engage an independent party to perform a look-back review is the SO's criticism of the bank's review of loans paid off within the first year and the level of review of certain loan-related documents. The appeal asserted that the SO's criticism is insufficient to justify a multiyear look back. The appeal contended the SO's criticism is based on an inaccurate comparison of the conditional prepayment rate (CPR) of the bank's niche adjustable rate mortgage loan products to the CPRs for 30-year fixed-rate mortgage loans. The appeal further contended that the inclusion of an independent look back in an MRA, rather than as a part of a formal enforcement action, is inconsistent with OCC Bulletin 2013-33, "Use and Review of Independent Consultants in Enforcement Actions: Guidance for Bankers."

The appeal asserted that the management component rating of 3 is not supported. The appeal contended that the ROE stated that the concerns regarding the BSA/AML program largely supported the downgrade in the management rating. The appeal contended that the key distinction between a 2 and a 3 rating is the ability of management to address the SO's concerns in an effective manner and the ROE did not criticize the board's oversight or ability to address the issues in the ordinary course of business. The appeal argued the bank has effectively enhanced its operations on its own initiative and has addressed supervisory concerns identified in the examination process.

Supervisory Standards

The Ombudsman conducted a comprehensive review using the following supervisory standards:

  • 12 CFR 21.21, "Procedures for Monitoring Bank Secrecy Act (BSA) Compliance"
  • 12 CFR 163.180, "Suspicious Activity Reports and Other Reports and Statements"
  • "Bank Supervision Process" booklet of the Comptroller's Handbook, June 2018
  • OCC Bulletin 2007-36, "Bank Secrecy Act/Anti-Money Laundering: BSA Enforcement Policy"
  • OCC Bulletin 2011-12, "Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management"
  • OCC Bulletin 2013-33, "Use and Review of Independent Consultants in Enforcement Actions: Guidance for Bankers"
  • OCC Bulletin 2014-60, "Bank Secrecy Act/Anti-Money Laundering: Revised FFIEC BSA/AML Examination Manual"


The Ombudsman concurred with the weaknesses in the bank's suspicious activity research relative to all loan customers cited in the violation, which, together, evidenced a systemic breakdown in the bank's SAR decision-making process. In addition, the Ombudsman concurred with the SO that the bank failed to file a SAR, as required by 12 CFR 163.180(d)(3), in all but one of the five instances and asked the SO to revise the ROE and supervisory records. The Ombudsman also asked the SO to update the corrective action section of the violation to state that management must ensure the bank has effective suspicious activity processes and staff for identifying, monitoring, and reporting suspicious activity. The Ombudsman agreed with the bank that the ROE did not discuss the bank's investigation of the suspicious activity related to the loan accounts and asked the SO to expand the violation write-up to acknowledge this process.

The Ombudsman concurred with the SO to cite a violation of 12 CFR 21.21(d)(1). The Ombudsman agreed that management and the board failed to establish a compliance program that provides for an effective system of internal controls to assure ongoing compliance with the BSA. The bank's monitoring for BSA and AML was not risk-focused or sufficient in depth to prevent violations or proactively detect unusual or suspicious activity. The internal control pillar violation was supported because the bank's customer due diligence, enhanced due diligence, BSA risk assessment, and suspicious activity monitoring programs processes were inadequate and impaired the bank's ability to comply with the BSA. The Ombudsman asked the SO to expand the corrective action section of the violation to specifically list all of the related MRAs to ensure management understood the corrective actions that needed to be implemented to correct the violation.

The Ombudsman concurred with the SO that the bank should retain a third party to conduct a look-back review given the underwriting and suspicious activity monitoring weaknesses identified in the ROE. Concerns outlined in various BSA and credit-related MRAs suggest the potential for unidentified suspicious activity and the lack of expertise and/or staffing to conduct a comprehensive look back in a timely manner. The Ombudsman concluded that the ROE did not reference the niche portfolio's CPR in relationship to industry CPR rates, as argued in the appeal. Instead, the ROE stated, and the Ombudsman agreed, that the bank's scope of review of the loan payments was manual and limited to only 12 months after loan origination when, in practice, the payments occurred well beyond that period. Examiners noted numerous instances of loan payoffs occurring just after the 12-month period. Finally, the Ombudsman determined the SO's inclusion of an independent look back in a corrective action within an MRA is not inconsistent with OCC Bulletin 2013-33. The bulletin does not specifically permit or prohibit examiners from requiring the bank to use an independent consultant through an MRA or that independent consultants may be required only in the context of enforcement actions.

The Ombudsman concurred with the SO's decision to rate management a 3. The Ombudsman determined management and board performance need improvement and risk management practices are less than satisfactory given the nature of the bank's activities. The Ombudsman noted that the number and severity of the MRAs related to the bank's BSA program, asset quality, and information technology; the two BSA-related violations of law; and insufficient credit, compliance, and strategic risk management documented in the ROE support this rating. The SO issued one repeat and eight new MRAs and designated three MRAs as past due. Of the 12 MRAs communicated in the ROE, six related to BSA/AML and the remaining six documented significant risk management weaknesses within the bank's credit and information technology functions. The Ombudsman asked the SO to expand the ROE to provide additional support for the management rating.