Lessons in Risk & Compliance:  Axiom Bank’s Formal Agreement with the OCC

Axiom Bank N.A. is a national banking institution based in Florida, recognized for its involvement in Banking as a Service (BaaS) and its partnerships with fintechs. Recently, it entered into a formal agreement with the Office of the Comptroller of the Currency (OCC) in line with the enhanced scrutiny regulators have placed on banks that adopted this business model.

Following an investigation, the OCC raised concerns about Axiom’s compliance with regulatory standards, particularly regarding the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations and its Third-Party Risk Management (TPRM).

Analyzing the enforcement action taken against Axiom Bank by the OCC, requires outlining the key components of the formal agreement and placing it in the context of the bank’s regulatory history.

Between 2023 and 2024, regulators have issued 14 enforcement actions against banks engaged in BaaS programs, most of which are community banks. The regulatory pressure on this business is evident, and while each enforcement action has its specific details—since not all banks have the same irregularities—board governance, AML/BSA, and TPRM remain the primary concerns.

Axiom Bank’s formal agreement covers two of these three main concerns, and it demonstrates a diligence response by the regulator to address irregularities since the bank has maintained relationships with non-banking partners in its BaaS program (Raisin, Majority, Cable, CashRepublic, ReleasePay, etc.) since 2022.

It’s also worth mentioning that Urban Trust Bank, Axiom Bank’s predecessor, had previously entered into a formal agreement in 2012 with the OCC due to issues with its business plan, customer compliance risk management, SAR filing process, and third-party relationships.

What does the formal agreement state?

These are the essential elements highlighted in this enforcement action, reflecting the OCC’s priorities and compliance requirements:

  1. Establishment of a Compliance Committee:
    • Axiom Bank is required to appoint a Compliance Committee within 30 days, consisting of at least three members, with a majority being independent directors who are not employees or officers of the bank. This committee will be responsible for overseeing compliance with the terms of the agreement. The committee must meet at least quarterly and maintain detailed minutes of its meetings to ensure transparency and accountability in monitoring compliance efforts.
  2. BSA/AML Action Plan:
    • The bank must submit a comprehensive BSA/AML Action Plan within 30 days, detailing remedial actions necessary to achieve compliance with BSA regulations, including a description of corrective actions needed, reasonable timelines for completing these actions, designated personnel responsible for each action and plans for independent validation of corrective actions within 60 days after completion. 
    • The bank must implement a BSA/AML training program.
    • The plans must be adopted by the Board and implemented immediately upon receiving no supervisory objection from the OCC.
  3. BSA/AML Internal Control Program:
    • Within 60 days, Axiom Bank must develop a written program of policies and procedures to identify and control risks associated with money laundering and terrorist financing. 
    • This program should include detailed documentation of personnel roles and responsibilities, procedures for updating risk assessments related to current and proposed products and services, a customer due diligence program, and specific procedures addressing BSA/AML risks related to third parties, ensuring coordination with the TPRM framework.
  4. Suspicious Activity Monitoring:
    • The bank is required to adopt a suspicious activity review program within 90 days to ensure timely identification, evaluation, and reporting of suspicious activities across all lines of business. 
    • This program should include procedures for identifying and reporting suspicious activities, including those related to new account openings and ongoing monitoring.
  5. Third-Party Risk Management Program:
    • Axiom Bank must create a comprehensive strategy for managing third-party relationships, identifying inherent risks, particularly regarding BSA/AML compliance, and detailing selection, assessment, and oversight processes for these third parties.
    • The bank must conduct thorough assessments of BSA risks for each third-party relationship, focusing on compliance with anti-money laundering regulations and evaluating the effectiveness of each party’s risk mitigation processes.
    • Axiom Bank must implement tailored due diligence criteria for selecting third parties, maintain written contracts outlining responsibilities, and ensure continuous monitoring of third-party activities to manage associated risks effectively.

Lastly, the formal agreement forbids Axiom Bank from establishing new merchant processing partnerships, prepaid card partnerships, or adding merchants to existing processing partnerships, unless the bank has received no supervisory objection from the OCC for such additional merchant or partnership.

Key lessons learned from Axiom’s formal agreement:

This enforcement action offers valuable insights into compliance challenges, regulatory expectations, and the evolving standards for banks in the BaaS and fintech partnership landscape. These are the key lessons learned from this enforcement action:

  1. Importance of having strong compliance frameworks: 

The enforcement highlights the necessity for banks to establish comprehensive internal control programs that effectively identify and mitigate risks associated with money laundering and terrorist financing. Axiom Bank’s requirement to develop a BSA/AML action plan underscores that sound governance is essential when you are a bank, and especially if you are a bank involved in BaaS. 

On this point, it is important to note that compliance with the BSA and related regulations is not merely a superficial checkbox exercise. In the past, the same entity faced similar requirements under the BSA for related reasons. Therefore, when a bank undertakes remediation in response to regulatory requirements, the process should be as thorough as possible and aligned with the bank’s business verticals, including any new ones, such as a BaaS program, as in this case.

Additionally, this lesson helps us to understand the importance of continuous monitoring and evaluation of compliance measures, ensuring that any deficiencies are promptly addressed.

  1. Importance of third-party risk management in BaaS:

Axiom Bank’s formal agreement, and the prohibition of establishing new partners, showcases the critical importance of establishing and conducting a thorough third-party risk management program. In the program, the bank must establish how it will select, assess, and oversee third parties, including contingency plans for terminating third-party relationships effectively if necessary.

In this regard, the banks—especially the ones involved in BaaS—must conduct thorough due diligence processes tailored to each third-party relationship as the financial institution will be accountable for any breach by their business partners.

As the bank’s internal controls and risk management, the TPRM should also be executed regularly, analyzing the business partner’s adherence to contractual obligations, and the effectiveness of its risk mitigation strategies. It is also important to point out that the risk related to the third party is not limited to complying with AML/BSA regulations, but also operatory, financial, cybersecurity, and all other related areas that can compromise the bank’s operation and reputation.

  1. Importance of independent validation of compliance efforts: 

This formal agreement also reinforces the value of external audits and assessments in maintaining accountability and ensuring that compliance measures are effective and aligned with regulatory expectations. 

Moreover, the emphasis on independent validation reflects a broader regulatory trend toward enhancing transparency and accountability in the banking sector as this is not the first time regulators have emphasized the importance of independent validation of compliance efforts, and even more so, the need to carry out corrective actions on issues identified by this oversight.

Financial institutions are increasingly expected to demonstrate their commitment to compliance through rigorous external reviews, which help to assure regulators and stakeholders that potential risks are being managed effectively.

Implications for future compliance

Reviewing regulators’ enforcement actions is essential to understand the areas they are flagging for banks. In this formal agreement with Axiom Bank, we can see the regulator’s emphasis on TPRM as crucial, especially if you are a bank with a BaaS program. Additionally, compliance with AML/CFT regulations is essential, and when entering a partnership, it is vital to ensure that your potential partner meets regulatory standards.

Banks must adopt a proactive approach to compliance, particularly in the highly regulated banking sector and the increasingly scrutinized BaaS business.

At Chaindots, we empower financial institutions to stay ahead by simplifying due diligence and compliance processes. Ready to take the next step? Contact us today to learn how we can support  journey: support@chaindots.com 

Eager to change?

Document

Copyright © 2024 Chaindots   |   All Rights Reserved   |   Terms and Conditions Website   |   Terms and Conditions Platform  |  Cookie Policy WebsitePrivacy Policy

Copyright © 2024 Chaindots

All Rights Reserved

Terms and Conditions

 Privacy Policy