This article was originally published on April 11, 2025 on Law360 and is republished here with permission.
On Jan. 14, Patriot Bank, based in Stamford, Connecticut, entered into an agreement[1] with the Office of the Comptroller of the Currency to address and rectify several alleged unsafe or unsound practices and violations of law. This agreement followed the bank's reported loss of nearly $27 million for the quarter ending Sept. 30, 2024.
This agreement is comprehensive and particularly noteworthy due to its specific focus on program managers and payment activities, highlighting the critical role they play in risk management and compliance.
The detailed requirements for monitoring and managing risks associated with automated clearing house, or ACH, and wire transfers, and the emphasis on prepaid card activities, underscores the importance of thorough oversight in these areas.
Despite the regulatory changes occurring since the administration change in January, we do not anticipate regulators to back down on enforcement related to Bank Secrecy Act/anti-money laundering — known as BSA/AML — findings.
Many of the items are similar to previous OCC agreements with other banks. However, this agreement's specificity on program managers and payment activities stands out. Patriot had onboarded prepaid card managers that had BSA/AML deficiencies, and the bank must ensure that it is monitoring these program managers for compliance.
The OCC identified several areas of concern at Patriot, including strategic planning, capital planning, BSA/AML risk management, payment activities oversight, credit administration and concentrations risk management.
To address these issues, Patriot and the OCC agreed on a comprehensive plan that includes specific corrective actions and oversight mechanisms that the bank must implement within specified timelines.
The OCC required Patriot to create a strategic plan, covering at least three years, that establishes objectives for the bank's overall risk profile, earnings performance, growth, balance sheet mix, off-balance sheet activities, liability structure, capital and liquidity adequacy, product line development, and market segments that the bank intends to promote or develop. The board must review and update the strategic plan annually and as needed.
The agreement includes several BSA/AML requirements.
First, within 30 days of the agreement, the bank had to submit a written plan detailing the remedial actions necessary to achieve and sustain compliance with the BSA. The agreement said the plan should include corrective actions, timelines and responsible parties, and must be reviewed for effectiveness at least annually.
Patriot is required to enhance its customer identification program. This includes ensuring that the bank gathers the appropriate information for opening reloadable prepaid cards, in addition to transaction testing of reloadable prepaid card customer identification program records. The customer identification program must ensure the bank operates in accordance with applicable law and regulations, and is consistent with the bank's BSA/AML risk assessment.
The bank must conduct a BSA/AML risk assessment. This assessment needs to include an analysis of data for each specific risk category that includes volumes, trends, and types of transactions and services by country or geographic location, as well as the numbers of customers that typically pose higher BSA/AML risk, both by type of risk and by geographic location, according to the agreement.
The agreement says Patriot is required to maintain a qualified BSA officer, and the board must ensure the bank has sufficient staff with appropriate skills and expertise needed to support the BSA officer and the bank's BSA/AML program governing prepaid cards. The staff must be vested with sufficient authority to fulfill their respective duties and responsibilities. An AML training program must be tailored to each individual's job-specific duties and responsibilities.
Training for BSA staff must specifically cover prepaid card activities and risks, the agreement says, and training for the board and senior management must also include an overview of money laundering risks inherent in the prepaid card business and be sufficient to enable the board to provide adequate oversight of the BSA/AML program governing prepaid cards.
The bank must ensure that BSA/AML risks associated with providing prepaid card products through third-party program managers are identified, managed and controlled, per the agreement. This includes procedures to ensure that program managers are registered with the Financial Crimes Enforcement Unit, if applicable, and comply with state and local licensing requirements.
Patriot must conduct and document ongoing monitoring and testing of program managers to ensure comprehensive review of new and existing cardholder accounts, BSA and fraud alerts, sanctions, and other relevant areas.
Bank management must obtain and report granular metrics related to prepaid card activities to the board, including alert closures, cases, new cardholder accounts and sanctions activities.
The bank must perform appropriate risk-based due diligence for program managers, including periodic on-site visits, annual reviews of the program manager's BSA/AML program, and assessment of their independent BSA/AML audit reports, according to the OCC agreement.
The bank must have policies and procedures to review and determine whether to close any program manager account exhibiting significant risks for money laundering or terrorist financing, such as excessive suspicious activity reports, lack of transparency or failure to provide requested information.
The agreement also requires the bank to have a suspicious activity review program to ensure that all suspicious activity and fraud alerts are reviewed, investigated and reported, as applicable. Complete and accurate reporting must be made to senior management and the board regarding suspected fraud in the prepaid card business and any related SAR filing.
Patriot is also required to conduct a SAR lookback to ensure that any previously unreported suspicious activity is reviewed to ensure that all findings that require SAR filings have been made.
Patriot is required to implement a comprehensive payment activities oversight program to manage risks involved in processing ACH and wire transfers, including the risks presented by the originators, beneficiaries and counterparties. The program must outline parameters for monitoring ACH and wire transfers, and for identifying and documenting high-risk, suspicious, unreasonable, or abnormal activity.
Reports must be made to the board about trends in ACH and wire volume, transactions by client type, number of originators, return rates for the bank, level of risk of originators, any high-risk originators, and any Nacha rule violations.
The program must also include an enterprise risk management framework with elevated monitoring of payment activity risks and the establishment of key performance and risk indicators for monitoring operational risks from ACH and wire transactions. Internal audits must sufficiently review and test the risks and related controls of the prepaid card business, including BSA/AML, compliance and operational risks.
This agreement with Patriot reflects the OCC's continued commitment to BSA/AML compliance.
While many of the identified items in the agreement are consistent with previous agreements the OCC has made with other banks, the distinct focus on payments and prepaid card program managers stands out. We anticipate that enforcement actions related to BSA/AML compliance will continue to remain a priority for the OCC.
[1] https://www.occ.gov/static/enforcement-actions/eaAA-NE-2025-05.pdf.
