InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC issues $6 million penalty against national bank, terminates formal agreement
On September 27, the OCC announced a $6 million civil money penalty against a national bank for alleged unsafe or unsound practices related to a low-document mortgage loan program offered by the bank. According to the OCC, from mid-2011 to December 2019, the bank allegedly, among other things: (i) originated numerous loans that had false or fraudulent loan applications; (ii) falsified applicants’ information on supporting loan documents; (iii) failed to make a reasonable and good faith determination of applicants’ ability to repay; (iv) failed to ensure that documents used to verify applicants’ employment, income, and assets obtained from third parties, were reasonably reliable and accurate; (v) failed to properly disclose fees to third-party mortgage brokers on loan estimates and closing disclosures; and (vi) failed to implement an adequate system of Bank Secrecy Act/anti-money laundering internal controls and failed to file Suspicious Activity Reports in a timely manner. The bank must pay a $6 million civil penalty to the U.S. Treasury Department. The OCC also terminated a 2019 formal agreement between the OCC and the bank to remediate unsafe or unsound practices and violations of law. The OCC found that the bank implemented corrective actions required by the agreement and is in compliance with the enforcement action. The OCC also noted that it is continuing “to review the conduct of institution-affiliated parties subject to OCC jurisdiction who were associated with the now-ceased [program],” and that the “work remains ongoing.”
CFTC orders unregistered respondents to pay $250,000 for CEA violations
On September 22, the CFTC announced a settlement with a cryptocurrency business and its founders (collectively, respondents) for allegedly violating the Commodity Exchange Act (CEA), Commission regulations, and Bank Secrecy Act compliance requirements. According to the CFTC, the respondents allegedly “designed, deployed, marketed, and made solicitations concerning a blockchain-based software protocol that accepted orders for and facilitated margined and leveraged retail commodity transactions.” The protocol allowed users to leverage positions, where the value was determined by the price difference between two digital assets from the time the position was established to the time it was closed. The protocol, according to the CFTC, “purported to offer users the ability to engage in these transactions in a decentralized environment.” The CFTC found that the respondents were not registered with the CFTC and had engaged in unlawful activities that could only be lawfully performed by a registered designated contract market and other activities that could only lawfully be performed by a registered futures commission merchant (FCM). Additionally, the respondents did not comply with the Bank Secrecy Act when they failed to conduct know-your customer diligence on their customers as part of a customer identification program, as required of FCMs. The order requires the respondents to pay a $250,000 civil monetary penalty and to cease and desist from further violations of the CEA and CFTC regulations. Simultaneously, the CFTC filed a complaint in the U.S. District Court for the Northern District of California charging a decentralized autonomous organization and successor to the cryptocurrency business that operated the same software protocol with violating the same laws as the respondents. The CFTC is seeking restitution, disgorgement, civil monetary penalties, trading and registration bans, and injunctions against further violations of the CEA and CFTC regulations.
The same day, CFTC Commissioner Summer K. Mersinger published a dissenting opinion, stating that though she does “not condone[s] individuals or entities blatantly violating the CEA or our rules,” we “cannot arbitrarily decide who is accountable for those violations based on an unsupported legal theory amounting to regulation by enforcement while federal and state policy is developing.” She further argued that there is no provision in the CEA that holds members of a for-profit unincorporated association personally liable for violations of the CEA or CFTC rules committed by the association based solely on their membership status.
OCC orders bank to improve oversight of fintech partnerships
Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for their board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.
The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.
Fed urges banks to assess legality of crypto activities
On August 16, the Federal Reserve Board issued supervisory letter SR 22-6 recommending steps that Fed-supervised banking organizations engaging or seeking to engage in crypto-asset-related activities should take. The Fed stressed that organizations must assess whether such activities are legally permissible and determine whether any regulatory filings are required under the federal banking laws. Organizations should also notify the regulator and “have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner” prior to commencing such activities. Risk management controls should cover, among other things, “operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations,” the supervisory letter explained, adding that state member banks are also encouraged to contact their state regulator before engaging in any crypto-asset-related activity. Organizations already engaged in crypto activities should contact the Fed “promptly” if they have not already done so, the agency said, noting that supervisory staff will provide any relevant supervisory feedback in a timely manner.
The supervisory letter follows an interagency statement released last November by the Fed, OCC, and FDIC (covered by InfoBytes here), which announced the regulators’ intention to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and crypto currency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
NYDFS imposes $30 million fine against trading platform for cybersecurity, BSA/AML violations
On August 2, NYDFS announced a consent order imposing a $30 million fine against a trading platform for alleged violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (3 NYCRR Part 504), Cybersecurity Regulation (23 NYCRR Part 500), and for failing to maintain adequate Bank Secrecy Act/anti-money laundering (BSA/AML) obligations. According to a Department investigation, the platform’s BSA/AML compliance program contained significant deficiencies, including an inadequate transaction monitoring system. Among other things, the platform failed to timely transition its manual system to an automated transaction monitoring system, which was unacceptable for a program of its size, customer profiles, and transaction volumes, and did not devote sufficient resources to adequately address risks. The Department also found “critical failures” in the platform’s cybersecurity program, which failed to address operational risks, and that specific policies within the program did not fully comply with several provisions of the Department’s cybersecurity and virtual currency regulations. According to the press release, pursuant to NYDFS’s Transaction Monitoring Regulation and Cybersecurity Regulation, companies should only file a Certificate of Compliance with the Department if their programs are fully compliant with the applicable regulation.
In light of the program’s deficiencies, NYDFS stated that the platform’s 2019 certifications to the Department attesting to compliance with these regulations should not have been made and thus violated the law. The platform also “failed to comply with the Supervisory Agreement by failing to promptly notify the Department of (a) actual or material potential actions, proceedings, or similar process that were or may have been instituted against [the platform] or any affiliated entity by any regulatory body or governmental agency; and (b) of the receipt by [the platform], or any affiliated entity, of any subpoena from any regulatory body or governmental agency in which [the platform], or any affiliated entity, was the target of the investigation.” NYDFS determined that in addition to the penalty, the platform will be required to retain an independent consultant that will perform a comprehensive evaluation of its compliance with the Department’s regulations and the platform’s remediation efforts with respect to the identified deficiencies and violations.
A Buckley Special Alert is forthcoming.
FDIC releases June enforcement actions
On July 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in June. During the month, the FDIC made public twelve orders consisting of “three consent orders, one order to pay civil money penalty, four orders of prohibition, one section 19 order, one order terminating consent order, two orders of termination of insurance, one Notice of Intention to Prohibit from Further Participation, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law, Order to Pay, Notice of Hearing, and Prayer for Relief.” The FDIC imposed a civil money penalty against a Missouri-based bank for alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “made, increased, extended or renewed a loan secured by a building or mobile home located or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.” The bank must pay a $7,000 civil money penalty.
The actions also include a consent order with a Georgia-based bank, which alleged that the bank violated “law or regulation related to weaknesses in the Bank’s compliance with the Bank Secrecy Act.” According to the consent order, the bank must, among other things: (i) “enhance its oversight of the Bank’s BSA/AML Compliance Program and assume full responsibility for the approval of sound BSA/AML policies, procedures, and processes”; (ii) “revise, adopt, and implement a written BSA/AML Compliance Program, including policies and procedures”; and (iii) “review and revise as appropriate its written policies, procedures, and processes for assessing the money laundering, terrorist financing, and other illicit financial activities risk profile of the Bank.”
OCC reports on cybersecurity and financial system resilience
Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness Standards “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when a known or suspected violation of federal law or a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act is detected. In regard to examination manuals, the OCC also noted that it uses a risk-based supervision process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.
House passes bill to expand AML regulation
On July 20, the U.S. House passed H.R. 7900 with a 329-101 vote. Section 5401 of the bill, if passed, would amend the Bank Secrecy Act to require that professional service providers who “serve as key gatekeepers to the U.S. financial system adopt anti-money laundering procedures that can help detect and prevent the laundering of corrupt and other criminal funds into the United States.” Section 5401 calls for the imposition of anti-money laundering requirements on any person, excluding any governmental entity, employee, or agent, who engages in any activity which the Secretary determines by regulation to be the provision, with or without compensation, of (i) corporate or other legal entity arrangement, association, or formation services; (ii) trust services; or (iii) third party payment services, among other things. The strategy is intended to combat money laundering through shell companies by imposing anti-money laundering requirements on persons who act as gatekeepers for legal entities to enter the United States.
FDIC releases May enforcement actions
On June 24, the FDIC released a list of 14 public enforcement actions taken against banks and individuals in May. These orders consist of “two consent orders, one modification of an 8(e) prohibition order, three orders to pay civil money penalty, three orders of prohibition, two section 19 orders, and one order of prohibition from further participation and order to pay, one order terminating amended supervisory prompt corrective action directive, and one order of termination of insurance.” Included is an order to pay a civil money penalty imposed against a Texas-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank failed “to obtain flood insurance or obtain an adequate amount of insurance coverage, at or before loan origination, for all structures in a flood zone, including multiple structures,” and failed “to force-place flood insurance, after loan origination, when the insurance on buildings securing the loan” was insufficient or nonexistent. The order assessed a $2,000 civil money penalty.
The FDIC also issued a consent order against a Utah-based bank based on alleged unsafe or unsound banking practices relating to the Bank Secrecy Act. The bank neither admitted nor denied the alleged violations but agreed to, among other things, “increase its oversight of the Bank's compliance with the BSA” and “conduct a comprehensive assessment of BSA/AML staffing needs.”