The US Treasury’s Office of the Comptroller of the Currency (OCC) has issued a lengthy and prescriptive “consent cease and desist order” against Wells Fargo for “deficiencies in an internal control pillar” of the bank’s anti-money laundering (AML) compliance program tied to the “wholesale banking group.”
In the 25-page order, released last week but dated November 19, examiners at the OCC, which oversees the nation’s largest and most complex banks, noted that Wells Fargo “failed to make acceptable substantial progress toward correcting previously identified” AML problems relating to “due diligence practices and customer risk assessment” in the wholesale group that were brought to its attention in prior exams.
The order continues a trend of heightened regulatory focus around certain financial crime compliance areas, including the systems and functions for risk assessment and alert monitoring, data integrity and related accuracy and shelf life, the quality and timeliness of training, and whether changes in risk or suspicious activity are feeding back into customer risk scores on a regular basis.
The OCC stated that the wholesale group’s risk assessment initiatives were “not effective,” its customer due diligence (CDD) practices were “unsatisfactory,” relationship staff and front-line monitoring efforts were not satisfactory and the unit had lax governance and oversight practices.
To address the deficiencies, the bank must engage in a multi-pronged effort to improve training, monitoring and oversight involving everyone from front-line staff to officers and the board of directors.
The bank must also approve a new “compliance committee,” appoint a specialized officer to oversee remediation efforts and create a new tool that enables relationship staff in the wholesale group to update customer diligence details to better understand them and aid in the creation of suspicious activity reports.
The most challenging part of the order could be tied to the requirement to reassess and potentially retool the wholesale group’s customer risk assessment protocols. The OCC is requiring the bank to conduct a “comprehensive risk assessment” of the group’s customer relationships, including the risk-rating methodology and the weighting of risk indicators such as account type, volume of transactions and geographic region.
In addition, the AML customer risk assessment methodology shall “also be reviewed by internal audit for the adequacy of identification of risk; for controls to manage identified risks; for gap analyses where controls are not sufficient; and for action plans to address gaps.”
These measures must also be updated annually or whenever there is a “significant change” in risk within the group, a tall order for a large bank with a diverse customer base and with ties to potentially risky regions all over the world.