Crypto-friendly bank must enhance investigatory standards in AML/OFAC arenas

The Fed ordered the bank to enhance its AML and OFAC compliance regimes, citing “significant deficiencies.”

The US Federal Reserve recently brought an enforcement action against Customers Bancorp (Customers) for what it called “significant deficiencies” around the bank’s risk-management and anti-money-laundering practices.

The enforcement action against the Pennsylvania-based bank, which provides digital asset services and a tokenized instant payments platform, stemmed from a recent examination by the Fed, the central bank said.

The Fed ordered the bank to enhance its compliance with anti-money laundering and Office of Foreign Assets Control (OFAC) regulations, and to notify the Fed before launching any new service or relationship with third parties tied to its digital asset strategy.

The bank must also submit several revised plans relating to strengthening board oversight of bank activities, risk management, Bank Secrecy Act/anti-money-laundering (BSA/AML) compliance, customer due diligence (CDD), and suspicious activity monitoring.

The enforcement action does not come with a fine, but the bank must regularly report back to regulators on its progress with those directives. The order's requirement that the bank notify the Fed and obtain its non-objection on new business activities or partnerships indicates the Fed is going to be closely monitoring the bank.

Customers Bancorp

Customers Bancorp deals only in US dollars and does not accept cryptocurrency or make loans to support crypto activities. It offers its dozens of digital asset firm clients a real-time, blockchain-based payments platform called Customers Bank Instant Token (CBIT) that lets those crypto clients make US dollar payments around the clock.

The Fed said a recent examination uncovered “significant deficiencies” related to Customers’ risk management and compliance with AML regulations. The Fed said the bank has begun to address those deficiencies, and the bank’s chief risk officer, Joan Cheney, said in a statement that the bank is committed to meeting the expectations of regulators, including its obligations under the recently announced actions.

The bank must notify the Fed 30 days in advance of taking on “any new strategic initiative, product, service, or relationship with third parties related to the digital asset strategy.”

“We have already begun taking a number of significant steps to strengthen our risk management practices and BSA/AML compliance program,” Cheney said.

Within a day of the announced settlement with the Fed, the bank issued a press release saying it had appointed Allen Love as Chief Compliance and AML Officer. In this role, Love will be responsible for leading the bank’s enterprise-wide compliance program, “ensuring it continues to evolve as regulatory expectations increase,” as it phrased the appointment.

Compliance program enhancements ordered

The bank was directed to take a number of actions, including:

  • Strengthen board oversight of the management and operations of the bank’s compliance with AML, BSA requirements and OFAC regulations. The plan to bolster board oversight needs to include actions the board will take “to maintain effective control over and supervision” of the bank’s major activities, including its digital asset strategy, as well as ways to ensure the board monitors management’s adherence to policies and regulations and steps to bolster the “quality, comprehensiveness, and granularity” of reports the board receives in overseeing the bank’s operations, the Fed said.
  • Enhance its risk management practices around its digital asset strategy, and put forth a plan that includes enhanced risk management policies and standards, ways to make sure those involved with digital asset strategy have necessary expertise and independence, and measures to facilitate quick identification and reporting of risk exposures.
  • Revise its AML/BSA compliance program to feature an internal controls system that ensures ongoing compliance, and that is managed by a qualified AML/BSA compliance officer.
  • Bolster its CDD program, including information collection and retention, and implement risk assessment of the bank’s customers and a method to assign risk ratings to them.
  • Improve its suspicious activity monitoring and reporting program, which should feature a “well-documented methodology” for laying out rules and processes that consider the bank’s type of customers, services and activities.
  • Develop working customer identification policies that allow the bank to identify subjects of law enforcement requests and identify suspicious activity related to those subjects.  
  • Retain an independent third party to review the bank’s transaction monitoring activity between March and August 2023 to determine whether suspicious activity involving high-risk customers or transactions was properly flagged and reported. The findings will be evaluated by the Fed.
  • Notify the Fed before creating any new subsidiary.
  • Notify the Fed before creating or testing a “new intra- or inter-bank instant payments platform or network other than the existing Customers Bank Instant Token,” as stated in the order. More specifically, the bank must notify the Fed 30 days in advance of taking on “any new strategic initiative, product, service, or relationship with third parties related to the digital asset strategy.”

Servicing crypto firms

Customers’ crypto payments business makes up about 15% of the bank’s deposits, Bloomberg reported, citing Piper Sandler analysts. The bank has done business with several of the most prominent crypto firms, such as Galaxy Digital, Coinbase and Circle, and those firms have had a hard time finding a US bank to service their needs, thanks to last year’s tech-bank crisis that saw the demise of leading banks serving crypto customers.

But Customers showed signs of struggling with those crypto relationships; in June, it said it had cut down on its hedge fund activity and had capped its crypto deposits.

The US banking regulators have issued guidance to banks meant to limit their exposure to the crypto sector, and the Fed said last year that it was revamping its own digital assets approach, calling it a “novel activities supervision program” staffed with specialized experts to help banking supervisors monitor the overlap of the crypto sector with the banking system.

The program is designed to focus on the risks of novel activities, such as fintech and crypto activities, as a complement to its existing supervisory teams. “As we do so, we will identify whether there are other risk factors – such as high growth or concentration – that warrant additional supervisory attention,” Michael Barr, the Fed’s vice chair for supervision, said last May.

At the time, Barr said Silicon Valley Bank’s failure was a sign that stronger standards should apply to a broader set of firms, not just the largest ones. “As a result, we plan to revisit the tailoring framework, including to re-evaluate a range of rules for banks with $100 billion or more in assets,” he said.

Staffing levels

The Fed’s order emphasises the significant deficiencies in the bank’s AML and OFAC programs, noting that those compliance programs needed to cover both the mainline bank’s business and its digital assets and instant payments business.

In other words, the bank’s staffing levels and resources generally were strained to meet its obligations.

And the Fed’s order notes this fact several times. It specifically directs the bank to make sure that those persons charged with oversight over the bank’s digital asset strategy “possess the appropriate subject matter expertise, stature, independence, and authority; have clearly defined roles and responsibilities; and are allocated adequate resources and staffing.”

The regulator goes on to say in the order that these staffing levels and other resources devoted to the bank’s BSA/AML and OFAC compliance programs must be periodically reevaluated, rather than adjusted once and considered done.