On August 29, Blue Ridge Bank, National Association, disclosed to the U.S. Securities and Exchange Commission a formal agreement with the Office of the Comptroller of the Currency (OCC). The OCC announced the agreement on October 20, detailing how the bank agreed to improve oversight and compliance of their third-party partnerships including assessing Bank Secrecy Act (BSA) and anti-money laundering (AML) risk.
The agreement states that the OCC “found unsafe or unsound practices” related to third-party risk management, BSA/AML risk management, suspicious activity reporting, and information technology control and risk governance. The agreement did not list specific bank practices which the regulator deemed to be unsafe or unsound.
Blue Ridge had grown rapidly in recent years, including several mergers. This rapid growth, combined with concern from consumer groups, may have contributed to heightened scrutiny of Blue Ridge and its management of third-party risk.
The agreement required Blue Ridge to appoint a new independent compliance committee, which must report quarterly to the OCC with detailed reports on the banks’ corrective actions. The OCC also required the bank to improve its oversight and compliance infrastructure. Specific areas of enhancement include third-party risk management policies and procedures, BSA risk assessments and audits, customer due diligence, suspicious activity monitoring, and information technology control programs. Each of these enhancement areas will require written guidelines and potentially new personnel.
Additionally, within the section outlining third-party partnership risk management, the OCC stipulated that before onboarding any new third-party fintech partners, Blue Ridge must obtain no supervisory objection from the OCC.
These actions suggest areas of emphasis for OCC bank examiners that other banks should consider in their business practices and comprehensive risk management processes.
Implications for OCC-Regulated Banking as a Service Providers
Acting Comptroller of the Currency Michael Hsu has indicated several times in recent months that bank-fintech relationships warrant increased regulatory attention because they may introduce new risk for the bank and for the broader banking system if not managed prudently.
We expect the OCC to continue its heightened scrutiny of other partnerships among the banks they regulate for the foreseeable future. Banks should be prepared for increased supervisory attention on third-party relationships and should ensure that compliance policies, procedures, and practices can adequately manage risks in accordance with the OCC’s posture on third-party relationships.
Put Patomak’s Banking Expertise to Work
Patomak has deep experience in helping banks and other financial institutions assess regulatory enforcement and providing assistance managing partnerships. Contact us to learn how Patomak can help you navigate these challenges and help you meet your business goals.