OCC enforcement against Wells Fargo: key AML compliance lessons 

Updated as of: 17 September 2024

The US OCC has tasked Wells Fargo with enhancing its audit programme and sanctions practices after the regulator found the bank’s current AML compliance programme lacking. What can other FIs learn?

On 12 September 2024, the US banking regulator, the US Office of the Comptroller of the Currency (OCC), entered into a formal agreement with Wells Fargo Bank after identifying “deficiencies relating to the bank’s financial crimes risk management practices and anti-money laundering internal controls.”

The OCC has imposed several measures on the San Francisco-based bank to remediate its anti-money laundering (AML) safeguards, including requirements to create:

  • a plan of actions needed to “achieve and sustain compliance” with the Bank Secrecy Act 1970 (BSA) and all other US economic sanctions law, including rules of the Office of Foreign Assets Control (OFAC); and 
  • a dedicated compliance committee to oversee and monitor the bank’s compliance with the OCC agreement. 

The agreement did not include a fine against Wells Fargo and stated that the bank is working to fix the problems. 

Lexology PRO outlines some of the key lessons that financial institutions can learn from the recent enforcement action, including the need for dedicated AML compliance officers and regular external testing of AML compliance programmes. 

Why did the OCC bring this action against Wells Fargo? 

The OCC found violations of several laws and regulations, including parts of the Code of Federal Regulations (CFR) procedures which require banks to monitor compliance with the BSA. 

According to the formal agreement, the OCC found:

  • the bank’s internal controls for AML were inadequate, breaching 12 C.F.R. § 21.21(d)(1);
  • the bank failed to report suspicious activities as required, breaching 12 C.F.R. § 21.11(d);
  • the bank’s customer due diligence processes were insufficient, breaching 31 C.F.R. § 1020.210(a)(2)(v)(A);
  • there were issues with the bank’s customer identification programme, breaching 31 C.F.R. § 1020.220(a)(2)(i)(A)(3);
  • the bank did not adequately collect and verify beneficial ownership information, breaching 31 C.F.R. § 1010.230(b)(2); 
  • the bank failed to properly report currency transactions, breaching 31 C.F.R. § 1010.313; and
  • the bank did not comply with the travel rule, which requires information in transmittal orders for funds transfers of US$3,000 or more, breaching 31 C.F.R. § 1010.410(f)(1).

Further details on how Wells Fargo violated these procedures have not been disclosed by the OCC or the bank itself. 

The formal agreement states that Wells Fargo has “begun to take corrective action and has committed to taking all necessary and appropriate steps to remedy the deficiencies identified by the OCC and to enhance its internal controls and financial crimes risk management practices.”

This is not the first time that Wells Fargo has come under scrutiny from the OCC and US banking regulators. Since 2016 – when it emerged that Wells Fargo employees had created millions of unauthorised accounts in the name of customers to meet sales targets without customers’ knowledge or consent – the OCC has kept a close eye on the bank and its AML and BSA compliance. 

In January 2020, the OCC brought enforcement actions against eight former Wells Fargo executives for their roles in the 2016 scandal. Former chairman and CEO John Stumpf agreed to a US$17.5 million penalty and an industry bar with the OCC. A month later, Wells Fargo agreed with the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to pay US$3 billion to resolve potential criminal and civil liability.

What are the measures imposed on Wells Fargo by the OCC?

Independent compliance committee

According to the agreement, Wells Fargo’s board will maintain a compliance committee of at least three members (of which the majority are not employees of the bank). The committee will be responsible for “monitoring and overseeing the bank’s compliance with the provision of the agreement.” 

The committee will create regular reports for the board detailing corrective actions undertaken by the bank, the status and results of the actions and details of outstanding actions that need to be addressed. 

Compliance “action plan”

The OCC has ordered Wells Fargo to create an action plan that details the remedial actions needed to “achieve and sustain” compliance with the BSA and all other US economic sanctions law. 

Wells Fargo will submit the action plan within 120 days of the agreement to the examiner-in-charge, an OCC officer who maintains a continuous, on-site presence at the largest national banks in the US under OCC supervision. 

The action plan will include a description of the corrective actions, the list of articles of the BSA that they address, timelines to complete the actions and names of those responsible for helping the bank complete the actions. 

Wells Fargo’s board will adopt the plan and ensure that the bank adheres to the plan, including the timelines.

Internal review

The bank’s internal audit department will carry out a review of the bank’s progress towards implementing the plan 120 days after the action plan is approved by the examiner-in-charge. Quarterly reviews of the action plan will be carried out by the audit department thereafter. 

Enhanced risk management

Wells Fargo is required to “enhance BSA/AML and OFAC Sanctions compliance risk management by front-line units,” through strengthening policies, procedures and controls, as well as controls testing. The OCC also ordered the bank to improve its financial crime risk management function and enhance its: 

  • independent risk management system;
  • independent testing programme;
  • risk assessment;
  • systems and data integrity;
  • OFAC compliance programme;
  • suspicious activity identification; and
  • customer due diligence processes.

The formal agreement also limits new business Wells Fargo can undertake. Within 60 days, the bank will submit to the examiner-in-charge a new business initiative programme to assess and mitigate the BSA/AML and OFAC sanctions risks of new products, services or markets. This requirement means that Wells Fargo must seek permission from the OCC before expanding into certain medium or high-risk areas, which are not named. 

Failure to meet these deadlines can result in further enforcement action and even penalties by the OCC. In July, the OCC amended a cease and desist order from October 2020 against Citibank relating to deficiencies in its risk management, compliance risk management and internal controls. The amendment was made based on the bank’s “failure to meet remediation milestones.” The OCC assessed a US$75 million civil money penalty against Citibank (to be paid to the US Treasury) in the recent amendment. 

Key compliance lessons 

Dedicated AML compliance teams and officers

A joint statement on the enforcement of BSA and AML requirements by several federal agencies (including the OCC) outlines that the designation of a qualified individual or individuals as the BSA compliance officer is one of five pillars needed for an effective BSA compliance programme. 

The BSA compliance officer is “responsible for coordinating and monitoring day-to-day compliance with BSA regulatory requirements,” according to the Federal Financial Institutions Examination Council’s BSA/AML manual.

The BSA compliance officer is responsible for implementing the bank’s BSA/AML policies, procedures and processes and must have clear communication channels with the bank’s senior management and board of directors.

Enhanced risk management

The enforcement action from the OCC highlights the importance of robust risk management practices within banks. In a Lexology PRO interview, András Bácsfalvi, group chief compliance officer and money laundering reporting officer (MLRO) at Hungary’s Magyar Bankholding Zrt, emphasised the need for banks to develop a risk matrix that reflects their appetite for risk, along with the need to “manage risk, not avoid it.”

Compliance teams should ensure that their AML and sanctions risk management frameworks are regularly updated to address emerging threats, such as conflicts. 

Regular risk assessments

Regular BSA/AML and OFAC risk assessments are also key to managing risk at large banks. These assessments should include an analysis of products, channels, transactions and locations where the bank operates and the risk of sanctions in those locations.

On 3 July 2024, the US Financial Crimes Enforcement Network proposed a rule to strengthen and modernise financial institutions’ AML programmes under the AML Act 2020. If approved, the rule would require financial institutions to establish, implement, and maintain an effective, risk-based, and reasonable AML programme with certain minimum components, including mandatory risk assessments.

Robust internal controls 

The OCC found deficiencies in Wells Fargo’s internal controls. According to 12 C.F.R. § 21.21(d)(1) of the Code of Federal Regulations, banks should include a “system of internal controls to ensure ongoing compliance”. 

These internal controls could include transaction monitoring systems, identification verification processes, and regular internal audits. 

Continuous updates and improvements to AML policies 

In the OCC’s enforcement action against Wells Fargo, the agency outlines that management at the bank will take “appropriate and timely action to address any deficiencies noted in independent testing and regulatory examinations.”

To ensure constant compliance with changing AML regulation, financial institutions should instruct third parties to test their BSA compliance programmes. Details on how to carry out independent testing are provided in this manual from the FFIEC.

Constant training of staff members is essential to prevent money laundering and terrorist financing. This checklist outlines to in-house counsel and compliance staff at US financial institutions the need for up-to-date training, as well as identifying which staff require training. 

As part of its recent series of compliance “pain points,” Lexology PRO looked at how companies can monitor and detect increasingly complex and tech-enabled money laundering, including by putting in place a demonstrable AML compliance system. 
