Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices
On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third party, and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.