Last week the Office of the Comptroller of the Currency (OCC) announced its October enforcement actions, including a formal agreement with Axiom Bank, National Association (Axiom). Most of the ensuing industry media coverage has focused on the violations and deficiencies with Axiom's Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance. Very little has been reported about Axiom's third-party risk management failures. This article will discuss these failures and highlight why other banks should take notice.
Axiom's Third-Party Risk Management Failures
The OCC's agreement with Axiom did not specify the actual third-party risk management deficiencies it identified, which is the norm for OCC enforcement actions. However, the OCC's laundry list of remediation requirements provides insight into the findings.
Under the agreement, Axiom has 30 days to submit for OCC approval a written plan outlining how Axiom will assess and manage the risks posed by its third-party relationships, including specifically its prepaid card and merchant processing partnerships. At a minimum, Axiom's plan must include the following:
- Strategy for third-party relationships, including how Axiom will identify the inherent risks of its third-party activities and how it will select, assess, and oversee third parties
- Assessment of BSA risk for each third-party relationship and the processes each third party will use to mitigate such risks as required by applicable laws and regulations
- Due diligence and risk assessment criteria for selecting and approving each third party, ensuring the criteria are appropriate for the products, services, and activities each third party provides
- Written contracts that detail the rights and responsibilities of all parties
- Processes for ongoing monitoring of third-party activities and performance
- Contingency plans for terminating third-party relationships
- Clear roles and responsibilities for overseeing and managing third parties and their associated risks
- Evaluation and implementation of adequate staffing to manage third parties, including personnel with requisite expertise
- Documentation and reporting requirements that facilitate the board's management, oversight, accountability, monitoring, and risk management of all third-party relationships
- Independent review that allows Axiom's management to assess the effectiveness of its third-party risk management and ensure alignment with its strategy
- Annual board review of plan effectiveness with appropriate amendments where warranted
In setting out these requirements, the OCC pointed Axiom to specific regulatory resources for guidance, including:
- OCC Bulletin 2023-17, "Third-Party Relationships: Interagency Guidance on Risk Management" (published June 6, 2023),
- FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual: "Third Party Payment Processors" and "Prepaid Access" (Rev. February 2015).
OCC Restricts Axiom's Business Activities
Given the nature and severity of these deficiencies, the OCC also prohibited Axiom from adding any new merchant processing relationships, new prepaid card partnerships, or additional merchants to its existing merchant processing partnerships without prior approval from the OCC.
Why Other Banks Should Take Notice
Emphasis on Third-Party Risk Management: The enforcement action underscores the importance of having a robust third-party risk management program. Banks must ensure adequate third-party risk assessment, due diligence, monitoring, and contingency planning.
Regulatory Compliance: The action highlights the need for banks to comply with regulatory requirements and guidelines, such as those outlined in the OCC Bulletin 2023-17 and the FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual. Non-compliance can lead to severe consequences, including restrictions on business activities and hefty fines.
Proactive Risk Mitigation: The OCC's findings serve as a reminder for banks to proactively identify and mitigate risks before they become issues, and more importantly, before they become the subject of a regulatory enforcement action.
Need help with your third-party risk management program?
At iKinetiq, we know compliance can be challenging, from staying abreast of regulatory requirements to staffing your team with the appropriate expertise. Our team can help. We offer a regulatory gap assessment that identifies deficiencies in your current program and recommends appropriate remediations that are consistent with regulatory requirements, commensurate with your level of third-party risk, and appropriately scaled for your organization's size and complexity. Act now. Don't wait for an enforcement action.