Carlin McCrory discusses a recent consent order between Patriot Bank and the Office of the Comptroller of the Currency following a $27 million loss.
In this episode of Payments Pros, host Carlin McCrory discusses a recent consent order between Patriot Bank and the Office of the Comptroller of the Currency (OCC) following a $27 million loss. The order addresses unsafe practices and legal violations, focusing on prepaid card program oversight. Key areas of concern include the need for a strategic plan, evaluation of internal operations, and staffing requirements. The bank must also enhance its Customer Identification Program (CIP) and ensure adequate monitoring of third-party program managers.
Carlin discusses key takeaways from the OCC's consent order with Patriot Bank, emphasizing that other banks should maintain high compliance standards, particularly in BSA/AML programs, and tailor policies and procedures to specific business lines. She underscores the importance of thorough monitoring of fintech partners. Additionally, banks should implement robust suspicious activity reporting, conduct detailed BSA/AML risk assessments, and ensure effective internal audit coverage.
Payments Pros – The Payments Law Podcast — Strengthening Compliance: Lessons From the OCC's Consent Order With Patriot Bank
Hosts: Carlin McCrory
Date Aired: April 2, 2025
Carlin McCrory:
Welcome to another episode of Payments Pros, a Troutman Pepper Locke podcast focusing on the highly regulated and ever evolving payment processing industry. This podcast features insights from members of our fintech and payments practice, as well as guest commentary from business leaders and regulatory experts in the payments industry. I'm Carlin McCrory, one of the hosts of the podcast. Before we jump into today's episode, let me remind you to visit and subscribe to our blog, TroutmanFinancialServices.com, and don't forget to check out our other podcasts on Troutman.com/Podcasts. We have episodes that focus on trends that drive enforcement activity, digital assets, consumer financial services and more. Make sure to subscribe to hear the latest episodes. Today I'll be discussing a recent agreement between Patriot Bank and the Office of the Comptroller of the Currency, the OCC, to address unsafe practices and legal violations following a $27 million loss.
I'm going to discuss the key areas of concern identified by the OCC as well as the corrective actions agreed upon to resolve these issues. Before we dive in, I want to give a little background and overview considering everything that's happened from the administration change. So first and foremost, we don't predict or see the prudential banking regulators easing up on BSA AML findings, generally speaking, which we do see some of those findings in this specific order. And even if some of the prudential regulators perhaps are a bit more lax because of the change in administrations, I would be hesitant because knowing there could be a flip in administration later, any more active regulators can look back at your prior activity and assess findings for any inadequacies. And we're also expecting some of the blue state regulators to increase their enforcement activities. So while things may be a little bit slower on the enforcement side, it's a good time right now to focus on your compliance operations and ensure that they are adequate, and make sure that your BSA AML program is up to speed and of a high standard in quality, considering we continue to see these findings in enforcement actions.
So now here's some details on the order. On January 14th of this year, 2025, Patriot Bank entered this consent order with the OCC. Now, what's significant or unique about this order is that it's focused on prepaid card program oversight. And while this order does talk about that a lot, I think there are a lot of things that our audience can glean from the order specifically, even though there are many focus points related to prepaid card programs, one of the things that the OCC is requiring is a three-year strategic plan with objectives for the bank's overall risk profile, earnings, growth, balance sheet mix, et cetera. As part of this strategic plan, I want to note that the order requires an evaluation of the bank's internal operations, including staffing requirements, board and management information systems, policies and procedures for their adequacy and contribution to the accomplishment of the strategic goals and objectives.
And this strategic plan should also include a description of the bank's target market, as well as competitive factors identified in the target market, and ways that the bank can mitigate risk. So one thing that you'll hear me talk about now and a little bit later on is this strategic plan requires an assessment of staffing requirements. This is something we see in a lot of the orders to make sure that the bank has appropriate staffing for specific areas. That could be BSA AML staffing, or that could just be a broader assessment of staffing, like it's mentioned here. Additionally, the bank has to review its customer identification program or CIP. A couple of the things in the CIP section of this order. First, the bank has to have a policy that contains a clear statement of management and staff's responsibility for CIP. That's nothing new. However, this policy and procedure must dictate the responsibility for transaction testing of re-loadable prepaid card CIP records.
Additionally, for the CIP program, the bank must have a policy that ensures staff responsible for gathering the CIP information for re-loadable prepaid cards and make sure this staff has sufficient authority and skills to perform their assigned responsibilities. So what I want you to take away from this is that to the extent that the bank is in specific lines of business, your policies and procedures should be tailored accordingly. We oftentimes see very broad and generic CIP policies, and you can tell here that the OCC is looking for something a little bit more specific based off of the bank's line of business. Next, the bank is also required to have sufficient program manager due diligence and monitoring as it relates to its prepaid card business. And as part of the order, the bank is required to submit a written plan designed to ensure the BSA AML risks associated with providing prepaid card products through third-party program managers are identified, managed, and controlled, and that they're consistent with safe and sound risk management practices.
I'm not sure of the specific facts that led to this finding, but what I would assume or guess is that the bank was not properly monitoring these third-party program managers and perhaps had insufficient BSA AML controls on these third-party program managers to ensure that they were doing what they should be doing. To the extent that the bank is pushing down its responsibilities onto a third party like these program managers, the bank still has ultimate responsibility and control over these parties, and it's required to ensure that the BSA, AML and anything else that these third parties are doing, are adequate and sufficient to meet the regulatory standards. There's also a section in the order related to suspicious activity, identification, evaluation, and reporting. The bank must have procedures to ensure adherence to ongoing monitoring requirements for prepaid card fraud-related activities, and to ensure timely review, investigation and SAR filings as needed.
This portion of the order also requires procedures to ensure complete and accurate reporting to senior management and the board regarding suspected fraud in the prepaid card business and any related SAR filings. We see in many of these orders that they require more board involvement, and here you're seeing that the BSA AML findings and the SAR findings that the bank should be finding as it relates to the prepaid card program should be reported up to the board so that the board has oversight and is aware of the activities and everything that's going on with the bank. Another requirement from the order is a suspicious activity look back. I'm not going to go into a ton of detail on this. It is what it sounds like it is. And we see this in many of the orders that have BSA AML findings. To the extent that there are findings where they think the bank has not found all of the suspicious activity, the bank will be required to do a look back to ensure that it has properly filed all SARs that were required to be filed.
Another section from the order is a BSA AML risk assessment. And while this is common practice, all banks should be conducting a risk assessment. You can glean things from the order because technically there is no legal requirement if you go look at the Bank Secrecy Act for a risk assessment, but it is certainly expected by all of the regulators. And so if you go and read this section, it includes general things that the bank should be doing for its risk assessment, like identifying risk categories related to products and services, customer types, transaction types, but they're also requiring a detailed analysis of all data obtained related to these specific risk categories. And at a minimum, the bank is required to analyze volumes, trends, types of transactions and services by country or geographic location, numbers of customers that pose a higher BSA AML risk, and an evaluation of all relevant information obtained through the bank's processes.
There's also a section in the order related to the BSA officer as well as staffing and training. As I emphasized earlier, staffing has been a huge part of many of the bank enforcement orders, and it's something that banks should really look at and conduct an assessment to make sure that they have adequate staff. And as it relates to this order again, this order notes that the BSA AML training program has to be tailored to each individual's job-specific duties and responsibilities. So the training for the BSA department staff has to specifically cover prepaid card activities and risks. Training for the board and senior management must also include an overview of AML risk inherent to the prepaid card business. Again, sometimes we see banks do a very broad and generic BSA AML training, and based off this order, the OCC is basically saying, well, no, we need to look at your specific lines of business and conduct BSA AML training that's specific to your business lines. And in this case the prepaid card business.
Another interesting thing from this order is that there's a section specifically related to payment activities. The bank has to submit a payment activities oversight program to the OCC, and it has to discuss various risks, including BSA AML, but also risks involved in processing ACH and wire transfers. This program is required to include parameters or rules related to ACH and wire transfer monitoring that address all of the risks presented by the different ACH originators or wire originators, the beneficiaries and counterparties to the transactions. The banks are also required to ensure that it has effective processes to identify and document ACH and wire activity that reflects perhaps a higher than normal risk or activity that could be suspicious, unreasonable, or abnormal. The last thing I want to point out as it relates to this section is the bank is required to ensure that it has effective processes to ensure internal audit coverage of the prepaid card business and make sure that that audit coverage is comprehensive and includes sufficient review and testing of the risks and related controls for the business.
The order includes other items like credit administration, such as dealing with problems with loans, workouts, and a financial analysis of borrowers, concentrations of credit and liquidity risk management. But I wanted to hit the highlights of the order here today.
That's all I have as it relates to the Patriot Bank consent order. Thank you so much for joining me today, and thank you to our audience for listening to today's episode. Don't forget to visit our blog TroutmanFinancialServices.com and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. We look forward to next time.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.