
SARAH BETH: AML lessons for US banks from two latest consent orders from Currency Comptroller

AML: Headquarters of Office of the Comptroller of the Currency, Washington DC

By Sarah-Beth Felix

CEO, Palmera Consulting

THE Office of the Comptroller of the Currency published two more consent orders today (Thurs) – one directly related to AML issues and one that most likely has some underlying issues re. AML, but more focused on third-party risk management.

Both of these banks have some type of BaaS/fintech offerings. And both will have to undertake some significant steps to get out of these orders. The order for B2 Bank is directly related to AML shortcomings, and it is pretty unique. This bank has less than $100MM in assets. Community banks, listen up.

Risk Assessment shortcomings take up pp. 11-14 of the order… which is a little confusing to me for a few reasons:

1) the update to the FFIEC Exam Manual in 2020 for Risk Assessments does not seem to support some of the deficiencies noted in the order.

2) the order’s comments on Risk Assessments (I’m thinking enterprise-wide RAs – EWRA) also seem to lump in risk assessments performed at the customer level for identification purposes. I’m confused… yes, customer risk should roll-up to the EWRA in a quantified format per the risk type of the customers, #/$, etc. but I’m having a hard time reading through the specific deficiencies and mentally swinging between EWRA and customer-level risk.

3) the order wants this bank to have a model review of the way in which they have risk-rated… this leads me to believe that this bank over-modelized a nuanced and contextual EWRA and now must support how they got there.

THE LESSON HERE

Don’t over-modelize EWRAs. This may seem nice on the input/output, but less modeling and more operationalizing. Most AML risks do not fit nicely into a scale of 1-5. It’s not a linear risk function.

For several years I’ve been training on how to make a risk assessment work FOR you. If your EWRA is all green with a dash of yellow, it is not working for you. The EWRA should move you and your board to take action – get better auditors, improve technology, add staffing, exit customers, increase fees, etc.

This order also requires the bank to implement a “BSAO Program” – I’ve never seen that before. The items listed on pp. 14-15 are surprising in part because this should have already been part of a long-established BSA Officer role.

But something we have seen in almost every AML order this year – “ensure the BSAO and supporting staff have authority”. Not the illusion of authority. Real authority – to say no, yes, hire/fire, switch systems, expand, etc.

A lesson for community banks involved in #fintech, #lendtech, or other -techs… transference of risk is a real thing. Unregulated payment ecosystems like most of the US’s fintechs/lendtechs will pass risk onto your bank. Full stop.

If your legal teams are not warning you of this before engagement, get a new legal team. I can give you some good names.

AML Intelligence