An official website of the United States government
Share This Page:
An institution supervised by the Office of the Comptroller of the Currency (OCC) filed a second-tier appeal with the Ombudsman. The appeal disagreed with a deputy comptroller’s decision on a formal appeal. Specifically, the institution appealed the past due status of three matters requiring attention (MRA) and a violation of a regulation communicated in a supervisory letter (SL).
The appeal disagreed with the past due status of the sanctions screening MRA. The appeal stated that the prior report of examination (ROE) did not include a due date for corrective action; therefore, the supervisory office (SO) could not deem the MRA past due. In addition, the appeal asserted that the institution committed only to engage a vendor to upgrade and tune the system used for sanctions screening by the commitment date and did not commit to complete the tuning and validation work by the same date. The appeal also stated that the institution submitted reasonable time frames for corrective action implementation, which the OCC should have considered in determining the MRA status.
The appeal disagreed with the past due status of the two concerns in the suspicious activity alert and case processes MRA. For the data management concern, the appeal asserted that the institution had implemented a quality control process by the due date and implemented new system automated reports as of the start date of the examination. The appeal also stated that the status of the management information system (MIS)/reporting concern should be pending validation, not past due. The appeal argued that the lack of independent validation of corrective actions and examiners’ inability to assess the operating effectiveness of the enhanced procedures should not be grounds for a past due status.
The appeal disagreed with the past due status of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Asset Control (OFAC) risk assessment methodology MRA, stating that the institution completed all corrective actions by the due dates. In addition, the appeal argued that the SL went beyond the MRA to criticize the institution about two new issues related to staff turnover and wire transfer volume. The appeal argued that the past due status is inappropriate for a self-identified risk factor (staff turnover) that the institution subsequently incorporated into its risk assessments. Regarding the second new issue, the appeal noted that overstating the wire transfer volume in the risk assessment did not cause harm and instead understated the effectiveness of the institution’s internal controls by overstating the risk posed to the institution.
The appeal disagreed with the internal controls pillar violation of 12 CFR 21.21(d)(1), “Procedures for Monitoring Bank Secrecy Act Compliance.” It noted that the SO should not cite the violation because the scope of the examination was too narrow to form conclusions about the adequacy of the institution’s system of internal controls. The appeal said the institution’s internal controls are “robust.” It further challenged the SO’s conclusions regarding the pillar violation, stating that the suspicious activity alert backlog had been self-disclosed and the SO noted that management had made acceptable substantial progress in remediating the BSA/AML MRAs.
The appeal further argued that insufficient time for the institution to demonstrate sustained performance of corrective actions should not be the basis for citing a pillar violation. The appeal asserted that the reported deficiencies do not justify a pillar violation because (1) the ROE that communicated the new MRA did not discuss staff turnover, (2) the institution included staff turnover in its risk assessments completed for the next year and in the risk assessment policies and procedures, and (3) overstating the institution’s wire transfer volume did not result in harm.
The Ombudsman concurred with the SO on all issues appealed.
The Ombudsman concurred with the SO that the status of the sanctions screening MRA was past due because management had not implemented all corrective actions required as of the examination. While the SO erred by not including the corrective action date in the ROE the institution originally provided, management communicated in a subsequent email its commitment to implement all corrective actions by a specific date. This included engaging a vendor to upgrade and tune the system and completing a model validation by the commitment date. Management failed to provide an acceptable or valid reason for why it did not complete all corrective actions and did not communicate the reason for the delay to the SO promptly to determine a modified remediation date. The delay is unacceptable given the importance of ensuring sanctions compliance. Weaknesses related to sanctions screening require immediate attention because of the deficient practice combined with the high-risk nature of the activities. The lack of a commitment date in the ROE does not absolve management from continuing to implement corrective actions; it is management’s responsibility to correct MRAs in a timely manner before deficiencies result in additional risk to the institution.
The Ombudsman also concurred with the SO that some corrective actions for the sanctions screening MRA were not effective or sustainable. The MRA required management to revise policies, procedures, and processes to establish criteria for alert narratives, including providing clear, documented support for overall disposition, and to ensure that a second-level reviewer provides credible challenge. While the institution revised the relevant policies and procedures, the institution’s staff was not consistently following the enhanced procedures, supporting the SO’s finding that those procedures are not effective or sustainable. The Ombudsman concurred with the SO that the suspicious activity alert and case processes MRA was past due because the institution did not implement the corrective actions outlined in the two concerns of the MRA by the commitment date. For the data management concern, examiners confirmed that management completed the first required corrective action; however, management did not prove sustained ability to effectively operate under the implemented corrective actions because of insufficient amount of time. In addition, management needed to implement additional actions to address the second required corrective action: develop and implement an ongoing quality control process that addresses errors on various logs and ensures the adequacy of the recently implemented automated process. Although management selected a vendor to assist in this effort, the automated reports had not yet been fully implemented. Examiners noted that the reports provided during the examination did not address all logs noted in the MRA. Additionally, management informed examiners that it was still building the quality assurance program with support staff and the policy document was more of a framework.
For the MIS/reporting concern, management did not fully implement either of the corrective actions by the commitment date. Although management improved suspicious activity monitoring policies and processes and delivered required training, an insufficient amount of time had transpired to demonstrate effectiveness or sustainability of the corrective actions for this concern. Additionally, management did not complete an independent validation of the corrective actions as required by the MRA.
The Ombudsman concurred with the SO that the BSA/AML and OFAC risk assessment methodology MRA was past due because the institution did not fully implement the required corrective actions to the risk assessments within the expected time frame. The 2022 BSA/AML and OFAC risk assessments did not incorporate the atypically high level of existing and projected staff turnover on the institution’s control functions related to suspicious activity monitoring and reporting processes and customer due diligence reassessments.
Further, the risk assessment included inaccurate wire clearing volumes. Relying on inaccurate information can prevent the risk assessment from accurately reflecting the institution’s money laundering, terrorist financing, and other illicit financial activity risks even if the inaccuracy resulted from an overestimation of a particular risk. Risk assessments support the development and implementation of risk-based compliance programs. Inaccuracies in the assessment may affect an institution’s development of effective, risk-based internal controls and can potentially cause the institution to divert resources from higher risk areas. In this case, the discrepancy was substantial, addressing a high-risk area, and was unexplained and uncorrected at the time of the examination. Accordingly, it was appropriate for the SO to consider this risk assessment deficiency when evaluating the status of the MRA.
The Ombudsman concurred with the SO’s decision to cite a violation of 12 CFR 21.21(d)(1) because the bank’s system of internal controls did not ensure ongoing compliance with the BSA. The SO followed the appropriate supervisory standards in identifying deficiencies related to the system of internal controls pillar for the BSA compliance program in a timely manner. OCC policy does not require examiners to review every aspect of a bank’s system of internal controls before concluding that a violation is warranted. A violation should be cited when examiners identify deficiencies in key areas of critical internal controls, such as customer and enhanced due diligence. Deficiencies in one or more key areas may be sufficient to justify an internal control pillar violation, particularly when the deficiencies affect higher-risk products, services, customers, or geographies.
In addition, the conclusion that the institution made acceptable substantial progress in remediating MRAs does not preclude the citation of the internal controls pillar violation. Various deficiencies were present at the time of the examination that supported citing the violation. While management made efforts to address the concerns that resulted in acceptable substantial progress, examiners identified continued and new deficiencies in critical areas of the institution’s internal controls. The examiners identified deficiencies related to the institution’s risk assessment as well as suspicious activity monitoring, investigation, and reporting processes that affect the institution’s ability to comply with the BSA. In addition, the institution had a significant new suspicious activity monitoring deficiency: a substantial and longstanding backlog of suspicious activity alerts that involved high-risk activity and geographies and resulted in potential untimely suspicious activity reports. Collectively, these continuing and newly identified deficiencies substantially affect the effectiveness of the institution’s system of internal controls.
The appeal challenged the SO’s decisions based on the institution’s self-identification and self-reporting of several deficiencies. Regardless of the self-identified status of a particular concern, the OCC’s focus is to validate that the institution implements timely, effective corrective actions to address these concerns. The self-identification or self-reporting of certain issues does not absolve the institution of its responsibilities to ensure that effective, sustainable corrective actions are completed by the commitment dates.