The federal banking regulators (The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation) issued on July 25 a lengthy joint statement outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services.
The federal banking agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively the “Agencies”), issued a notice of proposed rulemaking (“Agencies’ NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs. The Agencies’ NPRM is consistent with FinCEN’s recent AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here.
The Agencies’ NPRM does not substantively depart from FinCEN’s NPRM and requires the same program requirements. Although the Anti-Money Laundering Act (“AML Act”) did not require the Agencies to amend their regulations, the Agencies’ goal is to maintain consistent program requirements. The NPRM states that financial institutions will not be subject to any additional burdens in complying with differing standards between FinCEN and the Agencies.
On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.
The Guide serves as a companion to the Interagency Guidance on Third-Party Relationship: Risk Management issued in June 2023 (on which we blogged, here). It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.
The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.
However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks. Banks are still accountable for executing all activities in compliance with applicable laws and regulations. “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).” Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.” The Guide sets forth this concept in bold, on the first page.
The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers. Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions in regards to effective third-party risk management.
On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Board of Governors of the Federal Reserve System, issued a request for information (RFI).
The RFI seeks information and comment regarding the
Farewell to 2023, and welcome 2024. As we do every year, let’s look back.
We highlight 10 of our most-read blog posts from 2023, which address many of the key issues we’ve examined during the past year: criminal money laundering enforcement; compliance risks with third-party fintech relationships; the scope of authority of bank regulators; sanctions
In its Fall 2023 Semiannual Risk Perspective, published on December 7, the Office of the Comptroller of the Currency (“OCC”) reported on key issues facing the federal banking system. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key risk themes that the OCC underscored in the report included credit, market, operational, and compliance risks.
Of particular note was the discussion on the Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships. We also will discuss briefly certain other compliance and operational risks highlighted by the OCC.
Continue Reading OCC Risk Perspective Report Focuses on Third-Party Relationships with Fintechs
In an unusual move, Laura Akahoshi, former Rabobank (the “Bank”) Chief Compliance Officer (“CCO”), filed on July 6, 2023 an opposition to the Office of the Comptroller of the Currency’s (“OCC”) dismissal of its own administrative enforcement proceeding against her. Akahoshi filed her petition in the U.S. Ninth Circuit Court of Appeals, arguing in part that the Administrative Procedures Act and 18 U.S.C. § 1818 provide the court with jurisdiction to review the OCC’s dismissal.
The OCC’s initial enforcement proceeding stemmed from allegations that Akahoshi participated in an effort to withhold information from an OCC examiner in connection with an examination of the Bank’s Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) program. Specifically, the OCC alleged that Akahoshi had committed misconduct by failing to provide a report created by a third-party consulting firm regarding the adequacy of the Bank’s BSA/AML program.
The case against Akahoshi was one of several administrative enforcement actions that the OCC pursued after Rabobank NA agreed in February 2018 to pay more than $360 million in AML-related settlements reached with the U.S. Department of Justice (“DOJ”) and the OCC. As we previously blogged, the Bank’s former general counsel Daniel Weiss entered into a 2019 Consent Order in which he agreed to be barred from the banking industry and to pay a $50,000 fine. Many of the allegations contained within the Notice of Charges against Akahoshi mirrored those contained within the Notice of Charges against Weiss.
Akahoshi’s efforts face significant legal challenges, as exemplified by the fact that, as we discuss, an ALJ recently denied her application for the $4.2 million in attorney fees and costs that she expended defending herself against the OCC enforcement action. Nonetheless, the matter highlights several important and inter-related issues: the potential liability of individuals for alleged AML compliance failures, and the related powers of regulators; the potential tensions between the interests of individual AML compliance personnel and the financial institution; the role of whistleblowers; and how regulators and the government can use AML compliance audits and reviews by third-party consultants – which can vary greatly in quality, and sometimes can double as stealth business pitches by the consultants – as a sword against the institution.
On June 16, 2023, Michael J. Hsu, Acting Comptroller of the Currency made remarks to the American Bankers Association (“ABA”) Risk and Compliance Conference in San Antonio, Texas. In his remarks, Hsu discussed both the benefits and risks of artificial intelligence (“AI”) and tokenization. The core of Hsu’s remarks is that, given the rapid innovation of AI and tokenization in banking, banks should closely work with regulators to manage technological risks.
Hsu’s remarks came at the right time. Five days later, and as we discuss below, Google Cloud announced the launch of an AI anti-money laundering program. Early results seem promising, but only time will tell whether Hsu’s remarks concerning AI’s risks prove prophetic.
The Federal Reserve, FDIC, and OCC have released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance is intended to provide principles for effective third-party risk management for all types of third-party relationships, regardless of how they may be structured. At the same time, the agencies state that banking organizations have flexibility in their approach to assessing the risks posed by each third- party relationship and deciding the relevance of the considerations discussed in the final guidance
The final guidance rescinds and replaces each agency’s previously-issued guidance on risk management practices for third-party relationships. In their July 2021 proposal, the agencies had included as an appendix FAQs issued by the OCC to supplement the OCC’s existing 2013 third-party risk management guidance. The proposed guidance included the revised FAQs as an exhibit and the agencies sought comment on the extent to which the concepts discussed in the FAQs should be incorporated into the final guidance. In their discussion of the final guidance, the agencies identify which concepts from the FAQs have been incorporated into the final guidance.
A group of five Democratic Senators have sent a letter to the Federal Reserve, OCC, FDIC, and NCUA asking them to take several steps to protect consumers from scams when using Zelle to transfer money.
The Senators ask the four agencies “to closely review and examine the customer reimbursement and anti-money laundering (AML) practices of depository institutions that participate in the Zelle network.” They also ask the Federal Reserve and OCC “to examine Early Warning Services, Inc. (EWS), which operates the Zelle network, on an ongoing basis and for the four agencies “to coordinate their supervisory approach with the Consumer Financial Protection Bureau.” The Senators note that the agencies have authority to supervise the banks that own and operate Zelle and the participating depository institutions for compliance “with key consumer protection and AML laws, including the Electronic Fund Transfer Act (EFTA) and the Bank Secrecy Act (BSA).”