The Office of the Comptroller of the Currency (“OCC”) entered into a Consent Order (available here) with Anchorage Digital Bank (“Anchorage”), which requires Anchorage to create a compliance committee and take steps to remediate alleged shortcomings with respect to the implementation and effectiveness of Anchorage’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) program. Notably, Anchorage will pay no civil penalty.
Anchorage is not any regular entity overseen by the OCC: it is a cryptocurrency custodian. As we will discuss, the timing of the Consent Order indicates that even when regulators permit crypto activities by financial institutions, they remain cautious, particularly as to BSA/AML compliance. The OCC’s actions send a clear message that regulated entities offering emerging technology financial services must adhere to the same BSA/AML monitoring and reporting requirements as more traditionally regulated entities.
The January 2021 Operating Agreement
In January 2021, the OCC granted Anchorage conditional approval for a national trust bank charter. The preliminary approval had requirements, including that Anchorage enter into an Operating Agreement with the OCC. Under the Operating Agreement, Anchorage needed to, amongst other things, implement a written BSA/AML and Office of Foreign Assets Control (“OFAC”) compliance program. When the OCC’s conditional approval letter described the conversion of Anchorage Trust Company, a South Dakota trust company, into a national trust bank operating under the title of Anchorage Digital Bank, the OCC described its unusual activities:
Anchorage Trust offers custody services primarily to institutional investors that transact in digital assets and cryptocurrencies, including but not limited to certain tokenized securities and cryptocurrencies . . . . In addition to its core custody services, Anchorage Trust provides various custody services to its customers that are distinct from, but ancillary to, its core custody services. These services will, among other things, allow customers to be active participants in the protocols underlying each digital asset [and will include digital staking and settlement services].
Further, when the OCC announced Anchorage’s conditional approval and Operating Agreement, its press release acknowledged the uniqueness of the situation and stated:
The OCC granted a national trust bank charter to Anchorage after thorough review of the company and its current operations. As an enforceable condition of approval, the company entered into an operating agreement which sets forth, among other things, capital and liquidity requirements and the OCC’s risk management expectations.
In granting this charter, the OCC applied the same rigorous review and standards applied to all charter applications. By bringing this applicant into the federal banking system, the bank and industry will benefit from the OCC’s extensive supervisory experience and expertise. At the same time, the Anchorage approval demonstrates that the national bank charters provided under the National Bank Act are broad and flexible enough to accommodate evolving approaches to financial services in the 21st century.
It is remarkable that the Consent Order was issued only 15 months after the conditional approval, granted after the OCC purportedly applied a “thorough” and “rigorous” review. It is impossible to tell from the Consent Order precisely what were the alleged BSA compliance lapses which occurred within the span of 15 months, although there appears to be an emphasis on Suspicious Activity Report filings. Further, given the lack of any monetary penalty, this action appears to represent “only” a warning shot. Nonetheless, it clearly shows that financial institutions desiring to immerse themselves in digital currencies face significant BSA/AML demands.
The Consent Order
The Consent Order alleges that as of 2021 Anchorage violated the Operating Agreement because it failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements, including, in particular, internal controls for customer due diligence and procedures for monitoring suspicious activity. The Consent Order factual section is very general and provided no specific instances of BSA/AML violations or insufficiencies in Anchorage’s BSA/AML program.
Anchorage neither admits nor denies the factual allegations in the Consent Order. The Consent Order states that Anchorage has begun corrective action and is committed to taking all necessary steps to remedy the identified deficiencies. Although the Consent Order in effect reiterates, point by point, the need to comply with the basics of any BSA/AML compliance plan (i.e., a designated BSA compliance officer; independent testing; training; an adequate program capable of identifying suspicious activity; adequate customer due diligence; etc.), the details of the Consent Order are worth discussing, particularly in regards to information which Anchorage must provide to the OCC.
The OCC’s settlement provisions require that Anchorage’s Board of Directors (“Board”) submit to the OCC for review and approval an acceptable written action plan detailing the remedial actions necessary to achieve and sustain compliance with BSA/AML laws and regulations (“Action Plan”). The Board must submit the Action Plan within thirty days of the date of the Consent Order. The Action Plan must, at a minimum, specify (1) a description of the corrective actions needed to achieve compliance with each article of the Consent Order; (2) timelines for completion of the corrective actions; and (3) the person(s) responsible for completion of the corrective actions. Pursuant to the Consent Order, Anchorage cannot significantly deviate from or materially change the Action Plan. To modify the initial Action Plan, Anchorage must receive the OCC’s written approval. It is the Board’s responsibility to verify that Anchorage management has timely implemented all corrective actions required by the Consent Order.
In addition, the OCC’s settlement provisions require that the Board appoint a Compliance Committee of at least three members, of which a majority are directors who are not employees or officers of Anchorage (or any of its subsidiaries or affiliates). The Board must submit in writing to the OCC the names of the members of the Compliance Committee and provide timely updates of any changes.
The Compliance Committee is responsible for monitoring and overseeing Anchorage’s compliance with the Consent Order. The Compliance Committee must submit written progress reports to the Board describing in detail (1) the corrective actions needed to achieve compliance with the Consent Order, (2) the parties responsible for the completion of outstanding corrective actions, (3) the specific corrective actions undertaken, and (4) the results and status of the corrective actions, including improvements to the BSA/AML program.
Anchorage must have a qualified and independent BSA Officer with sufficient authority and resources to fulfill the duties of the position and ensure compliance with BSA/AML requirements. The Consent Order states that the BSA Officer must provide timely and accurate periodic reporting to the Board and senior management about the status of Anchorage’s BSA/AML program. The Board must ensure that Anchorage has sufficient staff with appropriate skills and expertise to support the BSA Officer and the BSA/AML program. Each year, the Board must review the sufficiency of staff, document its review conclusions in writing, and take prompt actions to correct any deficiencies. If Anchorage desires to contract with a third party to perform BSA/AML functions, Anchorage must conduct and document an assessment of the third party’s adequacy of skills and training.
CDD and SARs
Anchorage must adopt and implement appropriate risk-based policies and procedures for collecting Customer Due Diligence (“CDD”) information and a written program for monitoring and reporting suspicious activity, including the filing of Suspicious Activity Reports (“SARs”). The Consent Order includes a list of minimum CDD procedures and policies that Anchorage must implement, such as a procedure to update due diligence information for existing moderate and high-risk customers to establish an accurate customer risk profile. The Consent Order also includes a highly detailed description of minimal requirements for Anchorage’s written suspicious activity reporting program. In addition to the written program, Anchorage must complete an independent validation of its monitoring systems and report the findings to the Compliance Committee and the OCC. Anchorage must further hire an independent third-party consultant to assess the need to file SARs for any previously unreported suspicious activity. Under the Consent Order, the OCC reserves the right to expand the scope of the retroactive SAR filings.
Audit Program and Training
Amongst the other remediation requirements, the Consent Order provides that Anchorage must adhere to a BSA/AML independent testing program (“Audit Program”) commensurate with its money laundering, terrorist financing and other illicit financial activity risk profile. Furthermore, the Consent Order requires that Anchorage implement a written training program for all appropriate employees and Board members to ensure their awareness of their responsibility for compliance with the requirements of the BSA and the Anchorage’s BSA/AML program. Anchorage must perform an independent assessment of its BSA/AML training and provide a written report to the Compliance Committee and the OCC.