An institution supervised by the Office of the Comptroller of the Currency (OCC) filed an appeal with the Deputy Comptroller. The appeal disagreed with conclusions communicated in a supervisory letter (SL) issued after an examination. Specifically, the institution appealed the past due status of three matters requiring attention (MRA) and a violation of a regulation.
The appeal disagreed with the past due status of the sanctions screening MRA. The appeal stated the prior report of examination (ROE) did not include a due date for corrective action, making it impossible for the MRA to be past due. In addition, the appeal asserted that the institution committed to engage a vendor to upgrade and tune the system used for sanctions screening by the commitment date, not to complete the tuning and validation work by the same date. The appeal also stated the institution submitted reasonable timeframes for implementation and independent validation, which the OCC should have considered in determining the MRA status.
The appeal disagreed with the past due status of the suspicious activity alert and case processes MRA. For the data management concern, the appeal asserted that the institution had implemented a quality control process by the due date and implemented automated reports in the production environment as of the start date of the examination. The appeal also stated the status of the management information system (MIS)/reporting concern should be pending validation, not past due. The appeal argued that the lack of independent validation of corrective actions and examiners’ inability to assess the operating effectiveness of the enhanced procedures should not be grounds for a past due status. Finally, the appeal claimed that the OCC abruptly conducted the examination without any advance notice, which is another reason for not considering the MRA past due.
The appeal disagreed with the past due status of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) risk assessment methodology MRA, stating that the institution completed all corrective actions by the due dates. In addition, the appeal argued that the SL went beyond the MRA to criticize the institution with two new issues. Further, the appeal argued that the past due status is inappropriate for a self-identified risk factor (staff turnover) that the institution subsequently incorporated into its risk assessments. Lastly, the appeal noted that overstating the wire transfer volume for 2021 did not cause harm and, instead, understated the effectiveness of the institution’s internal controls by overstating the risk posed to the institution.
The appeal disagreed with the violation of 12 CFR 21.21(d)(1), noting it should not be cited because the scope of the examination was too narrow to form conclusions about the adequacy of the institution’s system of internal controls. The appeal claimed the institution’s internal controls are “robust.” The appeal further challenged the supervisory office’s (SO) conclusions regarding the institution’s suspicious activity alert and case processes and suspicious activity monitoring program. As support, the appeal stated the bank (1) self-reported the backlog, (2) believed the backlog would be cleared soon, (3) made efforts to improve its suspicious activity report alerts, case documentation, and annotation, and (4) believed the SL did not identify, document, or explain any issues with the institution’s alert and case documentation and annotation. The appeal further argued that insufficient time for the institution to demonstrate sustained performance of corrective actions should not be the basis for citing a pillar violation. The appeal asserted that the reported deficiencies in the institution’s risk assessments, such as failure to properly address staffing turnovers and overstating the institution’s wire transfer volume, do not justify a pillar violation because (1) the prior ROE did not discuss staff turnover, (2) the institution included staff turnover in its 2023 risk assessments and risk assessment policies and procedures, and (3) overstating the institution’s wire transfer volume did not result in harm and overestimating risk should not result in a pillar violation.
The Deputy Comptroller concurred with the SO on all issues appealed.
The Deputy Comptroller concurred with the SO that the status of the sanctions screening MRA was past due because the institution did not implement all corrective actions within the expected timeframe. While the ROE did not note a due date, various subsequent correspondence from senior management of the institution indicated that management understood the MRA commitment dates. This included the commitment dates for engaging a vendor to upgrade the system and completing a model validation by the due dates. Therefore, the lack of a due date in the ROE does not negate the institution’s corrective action commitments. The appeal’s assertion that the institution submitted reasonable timeframes was based on updated commitments submitted after the SL was issued. Examiners concluded the institution had not identified the root cause of the large volume of alerts and false positives, both of which are the primary concerns of the original MRA. While the institution engaged a third-party vendor to upgrade the system and perform an impact analysis, the work was not expected to be completed until after the examination. Management also committed to conduct a model validation exercise upon completion of the system upgrade and tuning exercises. The validation of the model was not completed as of the examination. The Deputy Comptroller also concurred with the SO that some corrective actions were not effective or sustainable. The MRA required management to revise policies, procedures, and processes to establish criteria for alert narratives, including providing clear and documented support for overall disposition, and ensure a second level reviewer provides credible challenge. While the institution has updated the relevant policies and procedures, these enhanced procedures have not been consistently followed, supporting the fact that enhanced processes are not effective or sustainable.
The Deputy Comptroller concurred with the SO that the suspicious activity alert and case processes MRA was past due because the institution did not fully implement or begin implementing all corrective actions within the expected timeframe. For the data management concern, the institution committed to automate key MIS reports to identify any gaps in the current suspicious activity tracking mechanisms as well as develop and implement a quality control process that periodically reviews these tracking mechanisms. Based on a review of relevant work papers, the Deputy Comptroller concurred with the SO that the institution had not developed or implemented a quality assurance (QA) process as of the examination to address the original concerns. Only one quality control report had been issued at the time of the examination, and the report did not address all the logs described in the MRA. Management acknowledged the QA policy was in a design state and established only a framework while the institution continued to build up the QA staff. Through a review of relevant workpapers, the Deputy Comptroller concurred there was no evidence demonstrating the automated reports were in production or actively used by management at the time of the examination. Examiners also noted certain corrective actions were not effective or sustainable. The institution implemented timely corrective actions from the third-party gap analysis and provided ongoing training to staff on any new or changed processes. The institution was not able to demonstrate enhanced procedures, policies, and training were effective, however, in addressing the original concerns related to alert and case documentation and annotation. Due to continued alert backlog, the institution had not consistently dispositioned new alerts generated after implementing the policies and procedures. 
The institution also did not obtain an independent validation of any corrective actions taken to address potential third-party gap analysis findings by the commitment dates.
The Deputy Comptroller concurred with the SO that the BSA/AML and OFAC risk assessment methodology MRA was past due because the institution did not implement all corrective actions within the expected timeframe. The 2022 BSA/AML and OFAC risk assessments did not incorporate the atypically high level of staff turnover or assess the impact of known high staff turnover on the institution’s control functions related to suspicious activity monitoring and reporting processes and customer due diligence reassessments. Further, the risk assessment included inaccurate wire clearing volumes. Reliance on inaccurate information can prevent the risk assessment from accurately reflecting the institution’s money laundering, terrorist financing, and other illicit financial activity risks even if the inaccuracy resulted from an overestimation of a particular risk. Risk assessments support the development and implementation of risk-based compliance programs. An inaccurate or incomplete accounting of specific risks can negatively affect how the institution implements various aspects of its BSA/AML compliance program and key internal controls in suspicious activity monitoring, investigation, and reporting. This can potentially cause the institution to divert resources from higher risk areas. Finally, the SO’s criticism of the institution’s omission of staff turnover and inaccurate wire data used in the risk assessments are not considered new issues. These findings support the concerns as communicated in the original MRA.
The Deputy Comptroller concurred with the SO that a violation of 12 CFR 21.21(d)(1), “Procedures for monitoring Bank Secrecy Act Compliance,” occurred. Internal controls must be commensurate with the institution’s size, structure, risk, and complexity. Critical internal controls for BSA include risk assessments and suspicious activity monitoring, investigation, and reporting processes. A violation of 12 CFR 21.21(d)(1) is supported because there are deficiencies related to the institution’s risk assessment and suspicious activity monitoring, investigation, and reporting processes that impair the bank’s ability to comply with the BSA. OCC policies and procedures do not require examiners to review the entirety of a program during an examination to form a supervisory decision. Examiners identified deficiencies in suspicious activity alert and case processes, suspicious activity reporting processes, and BSA/AML and OFAC risk assessment processes during the previous examination, with many of the concerns remaining uncorrected or outstanding at the time of the examination. These concerns, coupled with a new MRA on the suspicious activity monitoring program, support citing a violation. The examiners’ workpapers demonstrate that the basis of the pillar violation was not “insufficient passage of time” but deficiencies in the institution’s risk assessment and suspicious activity monitoring, investigation, and reporting processes. The SL and prior ROE communicated these deficiencies as outstanding and past due MRAs. While the SL did not discuss specific issues related to the alert/case documentation and annotation, these concerns were outlined in the original MRA, which was communicated in the prior ROE. As noted in the BSA/AML and OFAC risk assessment MRA, the institution’s BSA/AML risk assessment process remained ineffective at the time of the examination.
The SO’s criticism of the risk assessment process was centered in the institution’s 2022 risk assessments submitted at the time of the examination. The OCC expects a risk assessment to appropriately account for the institution’s money laundering, terrorist financing, and other illicit financial activity regardless of whether those risks were specifically mentioned in prior supervisory communications.
The appeal challenged the SO’s decisions based on the institution’s “self-identification” and “self-reporting” of several deficiencies. Regardless of the “self-identified” status of a particular concern, the OCC’s focus is to validate that the institution is implementing timely and effective corrective actions to address these concerns. The “self-identification” or “self-reporting” of certain issues does not absolve the institution of its responsibilities to ensure effective and sustainable corrective actions are completed by the commitment dates.
The institution also raised concerns about the timing of the examination and the amount of time given to the institution to gather documents for the target examination. The OCC expects the institution to complete corrective actions to address the MRA concerns by the due dates, regardless of the timing of an examination. The Deputy Comptroller found that examiners followed appropriate OCC procedures in planning the examination and evaluating the status of the MRAs.