OCC chastises M.Y. Safra Bank for oversight of crypto clients, extensive failures in all pillars of AML program

The Skinny:

  • OCC dings New York-based private bank for AML oversight of crypto sector entities.
  • The cease-and-desist order against M.Y. Safra is notable for its expectations around banking ‘digital asset customers’ – a new term in the compliance lexicon.
  • The 30-page order is required reading for AML officers and adds to the trend of greater involvement, accountability and liability for boards of directors.

By Brian Monroe
bmonroe@acfcs.org
February 24, 2020

The regulator of the country’s largest and most complex banks has sanctioned a New York-based private bank for its oversight, monitoring and reporting of potentially suspicious activity tied to crypto clients – a rare foray into where the worlds of virtual assets and compliance converge.

The U.S. Treasury’s Office of the Comptroller of the Currency (OCC) sanctioned M.Y. Safra Bank in a 30-page order that is required reading for anti-money laundering (AML) compliance professionals due to its depth, breadth and detail about what could be considered examiner expectations for banking higher-risk clients, including crypto exchanges, crypto ATMs and related crypto-tinged money services businesses (MSBs).


The cease-and-desist order also continues a theme in prior AML actions by the OCC and other federal regulators in recent years: increasing the board of directors’ accountability for implementing compliance improvements.

The seven directors of the bank “have been assigned a lengthy list of responsibilities” that begin with the words and phrases “ensure,” “verify,” “authorize,” “direct,” “adopt,” “require,” “address,” and “hold management accountable,” according to Jim Richards, the former AML chief at Wells Fargo. “Directors beware!”

The OCC highlighted that the core of the action centers on Safra’s decision to take on a wealth of new “Digital Asset Customers” or “DACs” – a relatively new phrase and acronym for the financial crime compliance community – that “significantly increased” the bank’s domestic and international wire and ACH volumes, without the institution at the same time instilling the needed controls to prevent abuse.

More transactional throughput, but fewer controls

At issue is that from November 2016 to February 2019, the bank opened accounts for DACs, which consisted of cryptocurrency-related MSBs, “without sufficient consideration of the BSA/AML risks and failed to implement commensurate controls to address the increased risk,” according to the OCC.

The DACs included digital currency exchangers, digital currency ATM operators, crypto arbitrage trading accounts, blockchain developers and incubators, and fiat currency MSBs.

The action, which is not currently tethered to a monetary penalty, does, however, include a bevy of costly compliance remediation requirements, including allocating more resources for AML staffers and a top officer with extensive experience, stronger training, a possible upgrade of automated monitoring systems and requirements to bolster compliance audit expertise.

The OCC action also opens the door for a potential AML fine, as it orders Safra to engage in a transactional lookback covering nearly all of 2019 to scour for missed suspicious activity reports (SARs). The timeliness and accuracy of those reports, or lack thereof, is a recurring theme throughout the action.

Part of this has to do with weaknesses in the bank’s AML automated transaction monitoring system and related decision-making by analysts reviewing, investigating and escalating the alerts of possible aberrant activity.

The weighty action also touches on some of the more arcane, but critical, areas of AML compliance that examiners are scrutinizing: an amalgam of back-end transaction monitoring methodologies, complex behavior-based scenarios and red-flag inputs, along with the always subjective challenge of human decision-making.

The OCC had specific requirements for the bank to improve, and further audit, areas tied to the “periodic independent validation of the models and filtering thresholds used for the [Bank Secrecy Act (BSA)] monitoring systems in order to ensure that all accounts and transactions are captured, and the systems are adequate to detect potentially suspicious or sanctioned activity.”

Basic CDD failures lead to risk assessment, monitoring gaps

At the same time, Safra also failed in many of the basic, bread-and-butter areas of AML, including the details and accuracy of customer due diligence, an exercise that forms the foundation of the required customer risk assessment – which itself is delineated into low, medium or high and further sensitizes the alerts generated by the transaction monitoring system.

As a result, Safra must engage in risk assessments from an AML and sanctions compliance perspective to ensure risky entities, regions and those blacklisted by the U.S. government are not given easy entrée into the domestic and international financial system – all areas the board is now responsible for overseeing.

The Board “shall ensure that BSA audit procedures sufficiently test the alert generation, analysis, investigation, and disposition process and opine on the strength of management’s audit/documentation trail.”