On January 24, 2024, the OCC issued a Consent Order to Blue Ridge Bank, finding that the bank failed to establish and maintain a reasonably designed BSA/AML Program. Deficiencies include systemic internal controls breakdowns, weak independent testing, and insufficient BSA staffing, stemming from risk management challenges related to third-party fintech partners.

‍

This enforcement action follows the OCC’s earlier 2022 Written Agreement with the bank, which we wrote about previously here.

‍

Together, these enforcement actions provide the clearest picture of regulatory expectations that partner banks face when working with fintech partners, with BSA/AML compliance posing the greatest challenge.

We’ve provided two resources to help compliance teams respond to this latest action:

• A comparison of the summary requirements in the Consent Order and the prior Written Agreement, with a brief description of key differences - Download OCC Enforcement Action Comparisin for Blue Ridge Bank
• A highlighted version of the full Consent Order marking changes from the Written Agreement - Download BRB Consent Order Comparison

Notably, some of the key new or expanded requirements mentioned in the Consent Order include:

• BSA/AML Action Plan to remediate all BSA/AML issues
• New requirement to ensure end user accounts comply with BSA/AML requirements and provide supporting information to the OCC to demonstrate BSA/AML risks are controlled for each partner
• Expanded CDD and suspicious activity monitoring requirements
• Expanded risk assessment and audit testing scope
• Expanded SAR Look-Back scope
• Expanded BSA Officer requirements
• Strategic Plan covering bank objectives for, among other items, risk profile, use of third-party relationships, product line development, and market segments, plus OCC non-objection for any deviation from the Strategic Plan
• New Capital Plan and capital ratio requirements
• Operational restrictions resulting from “troubled condition” status

Cable's automated assurance, automated risk assessment, and Partner Hub tools enable compliance teams to efficiently manage third-party partner risks, ensure end-to-end BSA/AML compliance through layers of partners all the way to end user accounts, and demonstrate the effectiveness of their risk management to regulators.

‍

Clearly, this action signals 2024 will be a year of strict regulatory scrutiny over the entire BaaS landscape. Evidencing effective risk management to regulators is non-negotiable for compliance teams, and only the companies who go all-in on their compliance capabilities will survive, thrive, and grow to become the dominant players in BaaS.

‍

Get in touch today to learn how Cable is helping partner banks and fintechs alike succeed in today’s regulatory environment.