On October 23, 2018, the Office of the Comptroller of the Currency (OCC) assessed a $100 million civil money penalty against a national bank primarily known for its issuance of credit cards, for failing to comply with a 2015 consent order requiring the financial institution to timely remedy deficiencies in its Bank Secrecy Act/anti-money laundering (BSA/AML) program.
The penalty highlights the importance of efficiently and effectively responding to BSA/AML compliance deficiencies, including the need to adequately staff, monitor and report suspicious activity.
What happened
In 2015, the bank entered into a consent order with the OCC after the agency found the bank failed to adopt and implement a compliance program that adequately covered the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing, and failed to file all necessary Suspicious Activity Reports (SARs).
Specifically, the OCC found that the bank lacked an enterprisewide BSA/AML risk assessment and had systemic deficiencies in its transaction monitoring systems, risk management and quality assurance programs for its remote deposit capture product. The bank also lacked customer due diligence and enhanced due diligence policies and processes for its correspondent banking business, as well as a process to escalate BSA/AML control decisions to the bank’s risk management department. Further, the bank failed to identify significant amounts of suspicious activity and to file the required SARs.
Among other requirements, the 2015 consent order obligated the bank to appoint and maintain a compliance committee to monitor and oversee the bank’s compliance with the order, develop and implement a comprehensive BSA/AML action plan, conduct a comprehensive enterprisewide risk assessment associated with each of its lines of business and products, develop and implement policies and procedures for gathering customer due diligence and enhanced due diligence including for its correspondent banking business, and conduct a “look-back” audit to look for suspicious account and transactional activities.
The OCC’s most recent action against the bank on October 23 imposed a civil money penalty of $100 million due to the bank’s failure to “timely achieve compliance with the 2015 Consent Order” for a nearly one-year period between July 2016 and July 2017. The regulator found the bank failed to file additional SARs and initiated wire transfer transactions that contained inadequate or incomplete information, triggering the new consent order.
The bank has since undertaken corrective action and is “committed to taking all necessary and appropriate steps to remedy the deficiencies identified by the OCC, and to enhance the Bank’s BSA/AML compliance program,” according to the 2018 consent order.
To read the 2018 OCC consent order, click here.
To read the 2015 OCC consent order, click here.
Why it matters
For financial institutions, the OCC’s latest consent order reiterates the importance of robust BSA/AML policies, procedures and controls, and diligent suspicious activity reporting, particularly in light of heightened enforcement by federal banking regulators and other recent multimillion penalties. While big banks may have robust compliance programs in place, midsize and smaller banks should be particularly attentive to appropriate staffing levels and expertise in BSA/AML compliance—or face similar penalties.