Dive Brief:
- The Federal Reserve has issued an enforcement action against Malvern, Pennsylvania-based Customers Bank, the central bank said Thursday, with a stipulation that the bank notify the Fed before launching any new service or relationship with third parties tied to its digital asset strategy.
- The order requires the bank to submit several revised plans relating to strengthening board oversight of bank activities, risk management, Bank Secrecy Act/anti-money laundering compliance, customer due diligence, suspicious activity monitoring and enhancing compliance with Office of Foreign Assets Control regulations.
- “Customers Bank is committed to meeting the expectations of our regulators, including its obligations under the recently announced actions,” said Joan Cheney, the bank’s chief risk officer and executive vice president, in a Thursday statement. “We have already begun taking a number of significant steps to strengthen our risk management practices and BSA/AML compliance program.”
Dive Insight:
Customers, which offers banking services to digital asset customers, operates an instant payments platform allowing commercial clients to make tokenized payments over a distributed ledger technology system to other commercial clients of the bank. The $21.3 billion-asset bank has partnered with a number of crypto firms, including Coinbase, Gemini and Kraken.
Two years ago, there were three banks operating at the intersection of traditional banking and digital asset activities. Two – Silvergate Capital and Signature Bank – have since collapsed.
In light of that, and that the Fed has made no secret of its opinion on digital asset activities, Thursday’s action “is not surprising in the least,” said David Sewell, a partner at law firm Freshfields who spent several years at the Federal Reserve Bank of New York.
Sewell noted the Fed now has “a fairly well-developed playbook” in addressing these issues with regard to concerns and requirements around tightening BSA/AML compliance and enhancing board oversight and suspicious activity monitoring.
However, the requirement to notify the Fed and get its non-objection on new business activities or partnerships “is a fairly strong signal that the Fed is going to keep them on a short leash for probably an extended period of time,” Sewell said.
The Fed said a recent examination uncovered “significant deficiencies” related to Customers’ risk management and compliance with AML regulations. The bank has begun to address those, the Fed noted.
In the order, the bank was directed to take a number of actions, including strengthening board oversight of the management and operations of the bank’s compliance with AML, BSA requirements and OFAC regulations.
A plan to bolster board oversight needs to include actions the board will take “to maintain effective control over and supervision” of the bank’s major activities, including its digital asset strategy, as well as ways to ensure the board monitors management’s adherence to policies and regulations and steps to bolster the “quality, comprehensiveness, and granularity” of reports the board receives in overseeing the bank’s operations, the Fed said.
Customers also must beef up risk management practices around its digital asset strategy, and put forth a plan that includes enhanced risk management policies and standards, ways to make sure those involved with digital asset strategy have necessary expertise and independence, and measures to facilitate quick identification and reporting of risk exposures.
The bank’s revised AML/BSA compliance program must feature an internal controls system that ensures ongoing compliance, and must also be managed by a qualified AML/BSA compliance officer, the enforcement action said.
Revisions to the bank’s customer due diligence program must include stepping up information collection and retention, and implementing risk assessment of the bank’s customers and a method to assign risk ratings to them.
Customers was also ordered to improve its suspicious activity monitoring and reporting program, which should feature “well-documented methodology” for laying out rules and processes that consider the bank’s type of customer, service and activities. The bank must also outline policies that allow it to identify subjects of law enforcement requests and identify suspicious activity related to those subjects, the Fed said.
Additionally, an independent third party must review Customers’ transaction monitoring activity between March and August 2023 to determine whether suspicious activity involving high-risk customers or transactions was properly flagged and reported. Findings are to be evaluated by the Fed.
The bank also has to notify the Fed before creating any new subsidiary, or before creating or testing a “new intra- or inter-bank instant payments platform or network other than the existing Customers Bank Instant Token,” the enforcement action said.
Customers’ crypto payments business makes up about 15% of its deposits, Bloomberg reported, citing Piper Sandler analysts. The bank doesn’t anticipate exiting or shrinking that business, Bloomberg reported, but the Fed’s enforcement action is expected to affect the unit’s profitability as the bank works to remediate the issues.
“We are dedicated to addressing these items and continuing to serve our customers with the highest standards of integrity and excellence, as we have for the past 15 years,” Cheney said in the statement.
As crypto companies have had to turn to “more novel types of financial institutions” – such as under-regulated fintechs – following the Signature and Silvergate failures, digital asset activities are being pushed further from view of the Fed and other banking agencies, Sewell noted. Less visibility into the space could be an “unintended consequence,” he added.