An official website of the United States government
Share This Page:
A bank supervised by the Office of the Comptroller of the Currency (OCC) appealed to the Ombudsman the conclusions communicated in the most recent report of examination (ROE) as well as a violation provided in a separate cover after the examination. Specifically, the bank appealed the following:
The appeal disagreed with all six concerns outlined in the BSA/AML Compliance Program MRA.
The appeal disagreed with the Investigation Processes MRA criticizing the bank’s case investigation process for potentially suspicious activity in transactions processed by the bank. The appeal argued that the basis of the MRA was supported by isolated and technical incidents and that the decision to file a SAR is an inherently subjective judgement.
The appeal disputed two concerns related to the 314(a) Identification and Reporting MRA regarding management information systems and reporting because the issue was self-identified and consisted of isolated incidents.
The appeal contended that the BSA Audit MRA criticizing the bank’s independent audit function for the prepaid card program was due to the examination team’s failure to review all prepaid card-related audits. The appeal claimed the bank performed sufficient audits to assess the effectiveness of the bank’s oversight of the prepaid paid card program with respect to BSA/AML compliance.
The appeal disputed the BSAO and Staffing MRA by arguing that the BSAO was competent and met the requirements outlined in the BSA/AML Manual, the bank’s BSA/AML staffing was sufficient, and management appropriately monitored staffing levels at the TPSPs.
The appeal contested the status of two concerns outlined in the BSA/AML Third-Party Transaction Monitoring MRA. The appeal argued that the bank completed the corrective actions to address the third-party alert management concern and it should not be noted as past due. Further, the appeal argued that the bank also completed the corrective actions required to address the concern over reliance on the third parties and the status should not be noted as open—corrective action not yet due.
Given the arguments outlined above, the appeal contended that the violation of 12 CFR 21.21(d)(1), “Bank Secrecy Act; Contents of Compliance Program; Internal Controls,” was unsupported. The appeal argued that the BSA/AML concerns identified at the examination pertained to a small subset of the bank’s overall business and that the BSA/AML Manual allows the bank flexibility in designing its BSA/AML program and internal control procedures.
The appeal contended that there was no evidence of a violation of the SAR regulation because the bank is not required to file a SAR if the TPSPs had already filed a SAR and the noted incidents were isolated.
Finally, the appeal argued that the management rating of 3 was largely based on incorrect findings and conclusions regarding the bank’s BSA/AML compliance program that are being disputed. The appeal also stated that the bank addressed many of the concerns by the time the supervisory office (SO) issued the ROE. The appeal also pointed to the component ratings and satisfactory risk management in other areas of the bank, except for compliance, as support for a 2 rating for the management component.
Except for the violation of the SAR regulation, the Ombudsman concurred with the SO on all issues appealed. In addition, the Ombudsman revised some of the MRAs for clarity and accuracy.
The Ombudsman concurred with the SO for all six concerns outlined in the BSA/AML Compliance Program MRA regarding deficiencies in the bank’s prepaid card program outsourced to TPSPs.
The Ombudsman agreed with the SO regarding the Investigation Processes MRA. The bank’s case investigation process, for transactions processed at the bank, needed improvement. The examiners appropriately assessed the bank’s SAR decision-making process and quality of policies and procedures to identify deficient practices.
The Ombudsman concurred with the SO regarding both concerns for the 314(a) Identification and Reporting MRA.
Based on a review of relevant audit work papers, the Ombudsman concurred with the SO that the independent audit function for prepaid card activities was insufficient. The bank’s internal audit function failed to identify internal control deficiencies in the bank’s BSA/AML compliance program related to the prepaid card activities due to an inadequate scope and depth of review and failure to promptly escalate key control weaknesses.
The Ombudsman also agreed with the SO that the bank was operating without a qualified BSAO. The BSA/AML-related concerns and violations identified at the examination, including two BSA pillar violations, are evidence that the BSAO was not knowledgeable or appropriately managing the bank’s BSA/AML compliance program. In addition, the Ombudsman concurred with the SO that the BSA/AML staffing at the bank was insufficient. As the bank’s transaction volume increased, management did not increase staffing levels commensurately. New internal control deficiencies identified during the examination and untimely corrective actions on previously identified deficiencies also suggest inadequate staffing levels, training, or knowledge. Finally, the bank did not have a clear understanding or support to determine if staffing levels were appropriate at the TPSPs.
The Ombudsman agreed with the status assigned by the SO to the two concerns within the BSA/AML Third-Party Transaction Monitoring MRA. The status of one of the concerns was appropriately identified as past due. During the on-site examination, examiners’ validation of the bank’s corrective actions revealed that the actions were not effective or sustainable. The second concern was appropriately noted as open—corrective action not yet due, because the commitment date was beyond the examination period, as the bank requested an extension. The bank submitted the documents related to the corrective action a short time before the SO issued the ROE. However, since the bank’s submission was after the period of assessment covered by the ROE, the SO accurately reflected the status of the concern as not yet due.
The Ombudsman concurred with the SO to cite a violation of 12 CFR 21.21(d)(1), “Bank Secrecy Act; Contents of Compliance Program; Internal Controls.” The Ombudsman agreed that management and the board failed to establish a compliance program that provides for an effective system of internal controls to assure ongoing compliance with the BSA. Internal controls should be commensurate with the institution’s size, structure, risk, and complexity. Critical internal controls for BSA can generally be categorized into four key areas: (1) customer due diligence (CDD) and enhanced due diligence (EDD), including the bank’s customer identification program (CIP); (2) risk assessment; (3) suspicious activity monitoring, investigation, and reporting; and (4) currency transaction reporting processes. The SO identified deficiencies in several key internal control areas that impaired the bank’s ability to comply with the BSA. The bank’s prepaid card program activities represented a high volume of transactions.
The Ombudsman concurred with the SO’s decision to change the management component rating to a 3. Compliance risk practices were weak given the nature of the institution’s activities and were not commensurate with the bank’s high and increasing risk profile. The number and severity of the BSA/AML MRAs and violations identified by the examiners were evidence that the board and management were not adequately identifying, measuring, monitoring, or controlling BSA/AML risks. The examination resulted in six new BSA/AML MRAs, two past-due MRAs, violations related to the USA PATRIOT Act Section 314(a), and two BSA pillar violations for internal controls and the BSAO. The “Bank Supervision Process” booklet of the Comptroller’s Handbook states, “The OCC considers BSA/AML examination findings in a safety and soundness context when assigning the management component rating. Serious deficiencies in a bank’s BSA/AML compliance create a presumption that the management rating will be adversely affected because risk management practices are less than satisfactory.” While the SO’s support for the management rating appropriately relied heavily on the BSA/AML deficiencies noted above, it is important to note that the SO also identified four new MRAs related to risk management weaknesses in other areas of the bank.
The Ombudsman determined that the SAR violation provided to bank management under a separate cover was not supported and removed any reference to it in the ROE. The instances of the violations were either identified after the on-site examination or were a result of corrective actions the bank took in response to examination findings. The SO will assess and consider these instances of violations in a future supervisory activity to conclude on whether a finding of a violation of law is appropriate.