InfoBytes Blog
OCC releases enforcement actions for October 2024
On October 17, the OCC released a list of recent enforcement actions taken against banks and individuals affiliated with national banks, federal savings associations and institution-affiliated parties, or IAPs. The OCC issued four formal agreements against banks, a cease and desist order against a fifth bank, and four orders of prohibition against IAPs. The formal agreements and cease and desist order include allegations that the banks engaged in unsafe or unsound practices related to BSA/AML compliance, board management, credit underwriting, liquidity risk management and strategic planning. The orders of prohibition against IAPs include allegations of fraud, misappropriation of funds, stealing bank funds, and making false representations. A list of OCC enforcement action types can be found here.
Fed issues cease and desist against bank
On September 4, the Fed and the Texas Department of Banking published a cease and desist order alleging deficiencies identified in a Texas-based bank’s corporate governance, risk management and compliance with BSA/AML laws. Under the order, the bank’s board of directors will be required to submit a plan to strengthen oversight of compliance with BSA/AML requirements and Office of Foreign Assets Control (OFAC) regulations. The plan must include actions to maintain effective control, contain measures to track and escalate noncompliance, and ensure adequate resources and expertise.
The board must submit a corporate governance plan addressing the findings of an independent third-party report. The bank must also submit a revised BSA/AML compliance program, which should address third-party report findings, enhance internal controls, conduct comprehensive risk assessments, and ensure independent testing and effective training.
In addition, the bank must submit quarterly progress reports detailing actions taken to comply with the order. The bank’s board of directors consented to the order and waived any rights to challenge its terms.
DFPI has bank pay $63 million for crypto-exchange non-compliance
On July 1, the California DFPI released a consent order against a bank holding company for allegedly making misleading statements about the bank’s BSA/AML compliance program related to its crypto-asset exchange network. The Fed issued a separate order with similar information. According to the orders, the bank holding company provided financial services to persons who wished to buy and sell crypto-assets. To facilitate these operations, the bank launched an internal payments platform that allowed customers to participate in its crypto-asset exchange network. However, in May 2023, the California DFPI had the bank enter a cease-and-desist order, requiring the bank to liquidate and cease these operations. In June of this year, the bank agreed to pay a civil money penalty of $43 million, in addition to a payment of $20 million as a department penalty, bringing the bank’s penalty package total to $63 million. The bank neither admitted nor denied any of the allegations made by the California DFPI.
FinCEN releases notice on U.S. passport card’s counterfeit use in finance
On April 15, FinCEN, along with the Department of State, released its notice on the apparent rise of counterfeit use of U.S. passport cards at financial institutions. FinCEN urged financial institutions to be “vigilant” in the fight against identity theft and fraud schemes, especially under their BSA practices. Since 2018, the Department of State has identified a “concerning increase” in counterfeit use of U.S. passport cards with apparently over 4,000 victims. FinCEN released this notice to help financial institutions identify and report suspicious activity by promoting three areas: (i) providing an overview of common scenarios and typologies; (ii) highlighting several red flags in areas of concern; and (iii) reminding financial institutions of their BSA obligations.
The notice discussed suspicious behavior, namely how individuals and fraud rings are falsely “making, selling, and using” counterfeit U.S. passport cards to access accounts at financial institutions. FinCEN noted actors prefer using U.S. passport cards since they are a less familiar form of identification and cheaper to counterfeit (compared to passport books). On fraudulent activity, FinCEN stated actors will use counterfeit U.S. passport cards to impersonate the victim at the victim’s “known financial institution branch.” After accessing the account successfully, the Department of State highlighted three types of attempted transactions: (1) asking questions on account balance and withdrawal limits and withdrawing large amounts of cash below the Currency Transaction Reporting (CTR) threshold; (2) cashing stolen or forged checks to obtain funds; and (3) establishing a new joint account with a second illicit actor as a joint owner. FinCEN outlined technical, behavioral, and financial red flags to help financial institutions detect and report suspicious activity. Red flags may include technical issues with a U.S. passport card’s photo, such as lack of raised text, and discrepancies in its holographic seal, among others. Last, FinCEN reminded financial institutions of BSA obligations, including, but not limited to, filing Suspicious Activity Reports (SARs) and CTRs.
FDIC issues February enforcement action against New York bank for lack of effective third-party oversight
On March 29, the FDIC released its list of February 2024 enforcement actions, which included a consent order against a New York digital bank in which the FDIC alleged a lack of sufficient oversight of the bank’s third-party relationships. According to the consent order, the bank allegedly engaged in unsafe and unsound banking practices due to a lack of internal controls appropriate to the bank’s size and risk of its third-party relationships, and weaknesses in board oversight of asset growth and management, among other issues. The FDIC further alleged that the bank violated several laws including BSA, EFTA, and TISA.
The FDIC ordered the bank’s board to increase its oversight of the bank’s management and the bank’s financial condition commensurate with the size of the bank and the risk of its third-party relationships. Further, the FDIC ordered the board to correct or eliminate any unsafe banking practices or violations of the law. On data and systems, the FDIC ordered the bank to conduct a data and systems review and develop a written action plan to address any deficiencies or weaknesses. Notably for the bank’s third-party relationships, the FDIC ordered that the bank’s procedures, data, and systems include “clear lines of authority” responsible for monitoring bank procedures and effective risk assessments. Finally, among other things, the FDIC ordered the bank to implement look-back reviews and have its board review the bank’s program to ensure compliance with consumer-related laws.
House Committee report finds broad financial surveillance by federal government using financial institutions data following January 6th events
On March 5, the Committee on the Judiciary and its Select Subcommittee on the Weaponization of the Federal Government released an interim staff report on how federal law enforcement agencies, in the wake of the events of January 6, 2021, at the U.S. Capitol, engaged in financial surveillance by encouraging financial institutions to provide data on private transactions of consumers without a nexus to criminal conduct. The report indicated the consumers particularly targeted were those who tend to hold “conservative viewpoints.” The report cited several whistleblower testimonies and provided email transcripts of the government agents’ requests. One institution allegedly acted “voluntarily and without legal process” and provided the FBI with a dataset of names of those who used that institution’s credit or debit card in the Washington, D.C. region between January 5 and January 7, 2021, but also included those who had ever used that institution’s debit or credit card to purchase a firearm. The report suggested that citizens who did nothing other than go “shopping or exerciz[e] their Second Amendment rights” were placed under a type of financial surveillance between their financial institution and the government, making specific mention of right-leaning individuals now at risk.
The report provided context with the Right to Financial Privacy Act of 1978, Section 314(a) of the USA Patriot Act, and the Bank Secrecy Act in mind. While these federal acts were created to protect citizens, the report alleged they “have failed to adequately protect American’s financial information.” The report was particularly critical of the federal government using “informal meetings and backchannel discussions” with financial institutions to devise the best methods for getting Americans’ private financial information, including using merchant category codes and politicized “search terms,” and the federal government disseminating “political materials” to such institutions that were allegedly “hostile” to conservative viewpoints and “treated lawful transactions as suspicious.”
Fed finds CEO engaged in crypto “pig butchering” scam which led to bank failure
On February 7, the Federal Reserve issued an evaluation report, as required by the Federal Deposit Insurance Act (where a loss to the deposit insurance fund is considered material), on a recently failed bank; the Fed concluded the bank failed due to alleged fraudulent activity by the bank’s CEO. In particular, the Fed found that the CEO initiated a series of wire transfers over the course of three months totaling about $47.1 million of the bank’s money as part of a cryptocurrency scam known as “pig butchering.” According to a FinCEN alert, “pig butchering” occurs when a scammer convinces its victims to invest in purportedly legitimate cryptocurrency investments but then steals the victim’s money.
The Fed found that the bank’s employees neglected to follow proper internal controls and policies that could have “prevented or detected” the alleged fraudulent activity, attributing the failure to a reluctance to challenge the CEO given the CEO’s “dominant role in the bank and prominent role in the community.” Specifically, the employees did not comply with the bank’s BSA/AML policy or file suspicious activity reports as outlined under the policy. As a result, the Fed recommended (i) increasing the awareness among state member banks of cryptocurrency scams; and (ii) providing training to examiners on cryptocurrency scams.
FDIC issues December 2023 enforcement actions
On January 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in December 2023. During that month, the FDIC made public 12 orders consisting of “four orders of termination of deposit insurance; three orders terminating consent orders; two consent orders; one order terminating supervisory prompt corrective action directive; one order of prohibition from further participation; one order to pay a civil money penalty (CMP); and one Decision and Order to Prohibit from Further Participation and Assessment of Civil Money Penalty.”
Included is a consent order with a Mississippi-based bank for alleged Bank Secrecy Act violations, along with violations of a previous consent order from 2020, imposing a $600,000 civil money penalty. Also included is a consent order with a Kentucky-based bank, alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulation” relating to, among other things, the Bank Secrecy Act. The bank neither admitted nor denied the allegations but agreed to create a written plan to recover its losses from the bank’s relationship with a third-party loan program, to reduce the bank’s risk position in the program, and to stop granting any extensions of credit through adversely classified or criticized loans related to the third-party loan program. The consent order additionally requires the bank’s board to assess the sufficiency of the bank’s allowance for credit losses (ACL), ensuring the establishment of an appropriate ACL and to uphold and accurately report it. Specifically, “management shall review updated credit risk metrics and loss data for the third-party loan programs referenced in the ROE and ensure appropriate provisions to the ACL relative to this information.”
FinCEN issues FAQs on PPP
On January 12, FinCEN and the SBA issued FAQs on the Paycheck Protection Program (“PPP”), established under the CARES Act, to assist borrowers and lenders in interpreting the CARES Act and the PPP Interim Final Rule. Among the issues addressed in the FAQs, FinCEN and the SBA provided guidance regarding whether, under the CDD Rule, lenders are required to collect, certify, or verify beneficial ownership information for existing customers, stating that it is not necessary to re-verify “[i]f the PPP loan is being made to an existing customer, and the existing customer and the necessary information was previously verified.” Additionally, FinCEN and the SBA addressed the question of whether a lender’s collection of the information required with respect to owners of 20% or greater interest in PPP applicants is sufficient to satisfy a lender’s obligation to collect beneficial ownership information under the Bank Secrecy Act. FinCEN and the SBA stated that for lenders with existing customers, the lender does not need to re-verify beneficial ownership information for owners that hold ownership interests of at least 20 percent, and with respect to new customers with the same ownership interest, all natural persons will need to provide the same information in order to satisfy BSA requirements. FinCEN also answered more FAQs on its April 2020 FAQs regarding the PPP on Second Draw PPP Loans, on BSA/AML compliance, and on SBA Procedural Notice 5000-835955, the last stating that a “PPP lender may reveal the existence of a SAR to the SBA when requesting a guaranty purchase (without charge-off) from the SBA.”
NYDFS and Fed order bank to pay fines for BSA/AML non-compliance
On January 19, the Federal Reserve Board and NYDFS each issued separate enforcement actions against one of the largest banks in the world for alleged compliance deficiencies and violations under BSA/AML. The Fed issued its cease and desist order and ordered the bank to pay a civil money penalty of $2.4 million. The NYDFS also issued a similar consent order with a monetary penalty of $30 million.
According to the Fed’s order, an investigation into the bank’s practices determined that the New York branch lacked any formal policies or training on confidential supervisory information (CSI). Additionally, the order required the bank to submit a written plan to enhance internal compliance controls to the Fed, including designation of a CSI officer, among other requirements. According to NYDFS’s order, the bank previously entered into a 2018 cease and desist order with the Fed to address “significant deficiencies” in its compliance with BSA/AML requirements and OFAC regulations. NYDFS conducted an examination in 2022 and found that deficiencies cited in the 2018 order persisted for several more years. A subsequent examination in 2023 found that the bank had made significant efforts toward enhancing its compliance programs and successfully remediated prior deficiencies. Per this most recent order, NYDFS found that the bank’s BSA/AML program was not in compliance for several years; the bank failed to maintain appropriate accounting records; and the bank failed to submit a report after discovering the occurrence of “embezzlement, misapplication, larceny, forgery, fraud, [or] dishonesty[.]” The consent order stipulated several remediation requirements, including a status report to NYDFS on the bank’s BSA/AML compliance.