In February 2024, the OCC announced it had issued a consent order against Blue Ridge Bank, N.A. for, among other things, violations related to its BSA program. Specifically, the consent order states that the bank has failed to establish and maintain a reasonably designed BSA/AML program that adequately covers required BSA/AML program components.
Deficiencies include systemic internal controls breakdowns, weak independent testing, and insufficient BSA staffing, which resulted in a BSA/AML program violation and other violations of regulations. The consent order also states the bank has failed to correct problems in its BSA program that the OCC previously reported to the bank relating to internal controls, independent testing, and BSA staffing.
Actions required by the OCC include the following:
Compliance committee. The board shall maintain a compliance committee of at least three members, of which a majority shall be directors who are not employees or officers of the bank. The compliance committee shall monitor and oversee the bank's compliance with provisions of this order. The compliance committee shall meet at least quarterly and maintain minutes of its meetings. The compliance committee must submit an action plan and regular progress reports to the OCC.
BSA/AML action plan. The consent order also requires the bank to submit to the OCC an acceptable written plan detailing remedial action necessary to achieve and sustain compliance with the BSA. At a minimum, this plan must include, among other things, a description of the corrective actions needed to achieve compliance, the timelines for completing the corrective actions, and the person or persons responsible for completing the corrective actions required by this order.
Third party risk management. The consent order requires the board to adopt and implement a written program to effectively assess and manage the risks posed by third party relationships. The third party risk management program should be commensurate with the level of risk and complexity of the board's third party relationships and shall at a minimum address a number of things including written policies, procedures, and processes governing the bank's third party relationships; an assessment of BSA risk for each third party relationship; due diligence and risk assessment criteria for selecting and approving each third party relationship; an effective compliance oversight program for third party relationships, ongoing monitoring; contingency plans; an audit plan for independent reviews by a qualified auditor; evaluation and implementation of adequate staffing to manage third-party relationships; and full assessment of contracts with each third-party relationship.
Bank Secrecy Act risk assessment. The order also requires the board to adopt and implement an effective written BSA risk assessment program. The BSA risk assessment program shall ensure BSA compliance risk assessments provide a comprehensive and accurate assessment of the Bank’s BSA compliance risk across all products, services, customers, entities, transaction types, countries or geographic locations of customers and transactions, accounts, and methods the Bank uses to interact with its customers, including all activities provided by or through the Bank’s third-party relationships. The order states that the board shall review the effectiveness of the BSA risk assessment program at least annually and more frequently if necessary or required by the OCC. Bank management shall regularly update its money laundering, terrorist financing and other illicit financial activity risk assessment as needed when changes in risk factors, events, or operations occur that result in the existing risk assessment no longer accurately reflecting the Bank’s risk profile.
BSA audit program. The Bank’s Board must adopt a revised independent BSA audit program to test the bank's compliance with the BSA relative to the risk profile and overall adequacy of the Bank’s BSA/AML compliance program. The BSA/AML Audit Program should include an expanded scope and risk-based review of activities conducted through the Bank’s third-party relationships. All audits conducted by the internal or external auditor shall be engaged by, reviewed, and approved by the Audit Committee. No less than quarterly, the Board or Audit Committee must review any outstanding BSA audit findings and ensure that corrective actions noted in the BSA audit reports are completed in a timely manner. The Board shall ensure the BSA Audit Program is adequately staffed, with respect to experience level, specialty expertise regarding BSA/AML compliance, and number of individuals employed, to execute the BSA Audit Program fully and promptly.
BSA Compliance Personnel. The Board shall ensure that the Bank’s BSA Department is appropriately staffed with personnel that have requisite expertise, training, skills, and authority. The Board shall ensure that the Bank maintains a permanent, qualified, and experienced BSA Officer who shall be vested with sufficient executive authority, time, and resources to fulfill the duties and responsibilities of the position and ensure compliance with BSA/AML and OFAC laws and regulations and safe and sound operation of the Bank. On an annual basis, the Board shall review and assess the capabilities and qualifications of the Bank’s BSA Officer and BSA Department staff to perform present and anticipated duties, and determine whether changes will be made.
Customer due diligence, enhanced due diligence, and high risk customer identification. The Board shall adopt and adhere to revised and expanded risk-based policies, procedures, and processes (“CDD Program”) to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information. The CDD Program must include, among other things, written risk-based policies and procedures for conducting ongoing CDD, effective processes for developing customer risk profiles, and policies and procedures that define management and staff responsibilities for CDD.
Suspicious activity monitoring and reporting program. The order also requires the Board to ensure Bank management develops, implements, and adheres to an enhanced written risk-based program to ensure the timely identification, analysis, monitoring, and reporting of suspicious activity for all lines of business, including through the Bank’s third-party relationships. The Suspicious Activity Monitoring and Reporting Program must include, among other things, an assessment/evaluation of the effectiveness of the Bank’s existing policies and procedures for suspicious activity monitoring and reporting; procedures and processes for the Bank to quantify the volume of activities and transactions conducted by or through the accounts and sub-accounts of each of the Bank’s third-party relationships; requirements for the BSA Department staff to consider appropriate CDD information when conducting alert reviews and suspicious activity investigations; and procedures to ensure SARs are filed timely, completely, and accurately.
Suspicious activity review look-back. Finally, the order requires the bank to conduct a look-back for the period of September 1 to October 31, 2023 to identify whether any SAR should have been filed for previously unreported suspicious activity. The bank must implement a revised SAR look-back plan and then complete the SAR look-back within the proposed time. Upon completion of the look-back, the bank should provide a report of any previously unreported suspicious activity to the board, with a copy to the OCC. The look-back report should also describe a number of things, including the methodologies and tools used in conducting the review; the process for investigating customers and customer activities; the number and types of customers and accounts reviewed; the number of customers that warranted SAR filings or modifications to existing SAR filings; and the number of customers where the Bank determined not to file a SAR.
The consent order can be found here.