The Office of the Comptroller of the Currency (OCC) has released updated guidance related to administrative enforcement of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) violations and the assessment of Civil Money Penalties (CMPs). The recent updates provide OCC-supervised financial institutions with revised guidance related to the agency's procedures, as well as insight into the OCC's focus and supervisory goals. Such guidance must be carefully evaluated, since institutions can face CMPs of $150 million or greater, and individuals can face CMPs of $175,000 or greater.

Updated Civil Money Penalty Analysis

On February 26, 2016, the OCC released a revised Policies and Procedures Manual policy for assessing civil money penalties (CMP Policy) discussing how the agency will assess civil money penalties against national banks, thrifts, federal branches and agencies, service providers, and institution-affiliated parties.

The OCC initially provided guidance on calculating civil money penalties in 1993 in the form of its CMP Matrix. The 1993 CMP Matrix assists OCC examiners in evaluating allegedly unsafe or unsound banking practices, statutory and regulatory violations, and other violations for the possible imposition of a CMP.

The guidance includes tables describing the factors that the OCC will weigh when considering CMPs (11 aggravating factors—with intent receiving the highest weight level—and 3 mitigating factors) along with increasing gradations of severity for each factor. The numerical score assigned to each factor is multiplied by the factor weight to arrive at a component factor score, and the factor scores are then combined to produce a composite CMP matrix score. Each matrix score corresponds to a suggested action, which can be a supervisory letter, letter of reprimand, or a CMP.

The updated CMP Policy provides guidance only, and does not create any obligations for the agency or rights that are enforceable by affected parties. However, the CMP Policy continues to be a useful resource for institutions seeking to evaluate OCC decision-makers who are likely to address certain types of conduct and compliance issues.

Focus on Institutions

While similar to the 1993 CMP Matrix in approach, the updated CMP Policy provides an increased level of detail in the CMP analysis, and for the first time includes a suggested action table intended for use with institutions that proposes ranges of CMP amounts depending on the size of the institution.

For example, the lowest score for institutions that indicates a CMP should be assessed (41-70) suggests a CMP ranging from $10,000 to $15 million, based on the size of the institution (total assets below $50 million versus total assets over $100 billion, respectively). Notably, the highest score for each category of institution authorizes penalties ranging from $100,000+ to $150 million+, but in each case no more than 1 percent of total assets.

Focus on Individuals

The updated CMP Policy also focuses on Institution-Affiliated Parties (IAPs). IAPs include individuals such as directors, officers, employees, controlling shareholders, and other persons participating in a bank's affairs. Certain independent contractors and service providers who knowingly or recklessly participate in violations may also constitute IAPs. The IAP matrix diverges somewhat from the institution matrix: the "financial gain or other benefit as a result of violation" is weighted more heavily for IAPs than for institutions. The updated CMP Policy matrix for individuals also contains a new factor for consideration relating to the degree of the IAP's responsibility for the internal controls environment and its effectiveness, thus focusing on the prospect of assessing personal liability when such controls break down.

A Step Away from Uniformity

Four core considerations of the banking regulators' CMP analysis are set by statute. Further, the Federal Financial Institutions Examination Council (FFIEC) in 1998 set out a list of 13 relevant factors for assessing CMPs. However, the OCC's new CMP Policy is not an interagency guidance, which may cause confusion and ambiguity for institutions that interact with multiple regulators.

BSA Built into the CMP Policies

For institutions, the CMP Policies include a new factor (factor 11), "Effectiveness of internal controls (IC) and compliance program (CP)," and BSA/AML violations are added into the factor "Loss or harm to consumers or the public." Moreover, the OCC's newly updated BSA/AML guidance (discussed below) states that "[i]n addition to a cease-and-desist order, the OCC may also pursue [CMPs] when warranted." These additions are consistent with the OCC's continued emphasis on BSA/AML issues and institutions' need for strong risk management oversight.

OCC Updates BSA/AML Guidance

On February 29, 2016, the OCC released OCC Bulletin 2016-6, providing updated BSA/AML guidance (and rescinding OCC Bulletin 2005-45). The updated bulletin reiterates the OCC's statutory mandate to issue cease-and-desist orders for BSA/AML compliance violations. The bulletin also introduces an addition to the agency's administrative enforcement process: the provision of a Notice and Opportunity to Respond to a "15-day Letter."

The pre-enforcement 15-day Letter process allows an institution that has been deemed to be noncompliant to respond to the agency's concerns. The OCC's supervisory office considers any information provided by the institution in order to recommend a course of action to the agency. This allows the institution an opportunity to respond before a decision to issue a cease-and-desist order is finalized. If the process ultimately results in a cease-and-desist order, the institution may consent, or challenge the proposed order in an administrative hearing.

The guidance and procedures addressed in the updates described above are likely to be useful for institutions interacting with the OCC and its examiners. However, there is work left to do in developing a unified, interagency approach to CMPs, rather than the promulgation of multiple sets of guidelines that may differ by agency. Nonetheless, financial institutions are advised to make use of the revised guidance and insight into the OCC's underlying supervisory goals, including an emphasis on individual responsibility.