A unique and just-plain interesting consent agreement from the US Office of the Comptroller of the Currency (OCC) issued earlier this month against National Iron Bank sets out a lengthy array of compliance undertakings that emphasize compliance and risk personnel having the resources and adequate authority to carry out their responsibilities.
It includes references to board compliance committees and board responsibilities, capital and strategic planning, risk management strategies, credit underwriting practices, anti-money-laundering risk monitoring, and reporting issues.
But most of all, it emphasizes the resources that must be assigned to Bank Secrecy Act oversight – and the authority that must be given to those charged with performing it.
The OCC order against the Connecticut-based bank says the OCC found unsafe or unsound practices at the bank, specifically as they relate to the bank’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance efforts. Without getting into exactly what went wrong at the bank, the agreement lists the issues involved and, pivoting off of those weaknesses, spells out in great detail what the bank’s board of directors must undertake in terms of new compliance measures.
Compliance commitments
Within 30 days of the date of the agreement, the board must appoint a compliance committee of at least three members to monitor and oversee the bank’s compliance with the provisions of its agreement with the OCC. The compliance committee should meet at least quarterly and maintain minutes of its meetings.
Within 90 days of the date of the agreement, and thereafter within 30 days after the end of each quarter, the compliance committee must submit to the board a written progress report giving a description of the corrective actions needed to achieve compliance with each article of its agreement with the OCC; the specific corrective actions undertaken to comply with each article of the agreement; and the results and status of the corrective actions. That report must then be shared with the Assistant Deputy Comptroller (ADC) within a certain timeframe.
The plan should include an assessment of staffing levels conducted by an independent third party to review the number, qualifications, skills, and experience of staff needed to accomplish the goals and objectives of the bank’s agreement.
The board must adopt a capital planning process to assess the bank’s capital adequacy in relation to its overall risks and implement a plan to verify it on a regular basis. This plan must also be reviewed by the ADC and include stress testing, risk-scenario plans and detailed quarterly financial projections, among other things.
The board must also send the ADC an acceptable written strategic plan for the bank, covering at least a three-year period, that establishes objectives for the bank’s overall risk profile, earnings performance, growth, balance sheet mix, off-balance sheet activities, liability structure, and capital and liquidity adequacy, and strategies to achieve those objectives. The plan should include an assessment of staffing levels conducted by an independent third party to review the number, qualifications, skills, and experience of staff needed to accomplish the strategic goals and objectives of the bank’s agreement with the OCC, and a description of assigned roles and responsibilities.
The board must send the OCC a written concentration risk management program pertaining to the bank’s known and potential concentrations of risk, including credit, liquidity and interest rate risks and action plans to conform to certain limits established in the agreement. The bank must also adopt a written credit underwriting and administration program that cannot be adjusted without specific steps being taken.
Secrecy and money laundering
The board must ensure the bank is appropriately staffed with BSA/AML personnel that have requisite expertise, training, skills, and authority. The board shall ensure that the bank maintains a permanent, qualified, and experienced BSA officer who has sufficient executive authority and resources to fulfill the duties and responsibilities of the position and ensure the safe and sound operation of the bank.
The BSA officer must offer periodic reporting to the board and senior management about the status of the bank’s BSA/AML program, including compliance with the BSA and how the bank is meeting the requirements of its agreement with the regulator.
An important ingredient of this oversight and reporting, the OCC says, is maintaining appropriate staffing levels, which includes promptly appointing a new BSA officer if the current person vacates the role, with detailed information about any newly hired BSA officer being supplied to the ADC – who can object to the appointment of that new officer.
The board must agree to hold bank management and personnel accountable for executing their responsibilities pertaining to the agreement.
The board must ensure the bank revises, adopts, implements, and adheres to acceptable, appropriate risk-based policies and procedures for collecting customer due diligence (CDD) information, particularly monitoring for higher-risk customers and their transactions across the institution as a whole.
A formal process for reviewing suspicious activity alerts and prompt filings of suspicious activity reports (SARs) must be created and reviewed at least annually. In addition, the bank must do a SAR look-back to make sure no SARs were left unreported.
All of the compliance undertakings as part of the agreement remain effective and enforceable until such time as it is terminated in writing by the OCC.
Authority of Bank Secrecy Officer
The authority the OCC places in the BSA officer and the incredibly precise requirements it outlines for his or her replacement at the bank are unique and noteworthy.
The OCC says the personnel collecting CDD data must have the authority (and training and resources) to do their particular job function as well. It’s a theme the OCC keeps going back to – the importance of having sufficient numbers of highly trained staff, empowered to perform their roles at the business.
Those highly trained individuals are then more able to add context and judgment to what automated systems can offer up as data points.
Also, the SAR program must spell out its investigative practices, but the OCC counsels against being overly prescriptive, leaving room for the analysts to pursue what they need to determine if something is suspicious. The OCC also mentions “critical analysis” many times to emphasize that transactions should be reviewed carefully and that all conclusions are well-supported.