
OCC’s Formal Agreements Provide Key Lessons for Fintech Banking, Patriot Bank Agreement Stands Out

Flexi Group

The Office of the Comptroller of the Currency (OCC) has released two formal agreements, with one in particular offering valuable insights, especially for the banking-as-a-service (BaaS) fintech banking sector. The agreement with Patriot Bank is notably more detailed than other enforcement actions, providing critical takeaways for financial institutions, whether they are involved in fintech partnerships or not. Patriot Bank offered reloadable prepaid cards, a product that has often been overlooked yet remains highly popular, bringing new compliance challenges under the old money services business (MSB) laws.


The OCC Patriot Bank notice repeatedly includes language stating, “The Board shall review the effectiveness of… [insert the section heading].” This raises a significant question—who is responsible for ensuring Board members are properly equipped to assess effectiveness? This is a substantial regulatory expectation, yet agencies do not provide specific indicators to guide the Board in fulfilling this obligation.


The notice also highlights Customer Identification Program (CIP) issues, requiring transaction testing for CIP records, which is an intriguing requirement. In addition, the responsibilities of Program Managers, meaning downstream fintechs offering these prepaid cards, are laid out with interesting regulatory expectations. The agreement specifies seven minimal procedures that essentially require the bank partner to act as a formal audit function in addition to the program conducting its own audit. Banks must have staffing and expertise dedicated to managing program managers, and they are required to implement “granular metrics” on prepaid card activities. These metrics must be detailed enough to educate the Board, including specific areas such as alert closures and sanctions monitoring.


A particularly noteworthy requirement is the due diligence obligation for program managers, which mandates “on-site visits” and a review of how these program managers handle their own funds and other product or service offerings, even if they are not directly connected to the bank. This is a major shift—banks have long applied informal pressure on fintech partners to provide a full picture of their operations, but now this expectation is formalized. Even if a fintech’s activities do not directly impact a particular bank relationship, banks now have an explicit regulatory requirement to understand all of a fintech’s business operations.


Another key aspect of the agreement is the Suspicious Activity Report (SAR) lookback, which is specifically focused on fraud. This is the first instance where fraud has been singled out in this way, rather than broader money laundering concerns. The main sections addressing Suspicious Activity Identification primarily reference fraud-related activities such as “reviewing fraud alerts” and “suspected fraud.” This emphasis is particularly interesting because money laundering is a well-documented risk with prepaid cards. Why the focus on fraud instead of money laundering?


The risk assessment section reflects a common theme seen in enforcement actions—a lack of attention to emerging threats. A weak threat landscape assessment results in an inadequate risk assessment. Without properly identifying threats, financial institutions will struggle to develop meaningful risk assessments, leading to wasted time and ineffective compliance programs.


The role of the Anti-Money Laundering Officer (AMLO) is also highlighted in the agreement, emphasizing independence, authority, and resources. The requirements go beyond AML oversight and extend to the management of the prepaid card program as a whole. The order strongly implies an executive-level status for the AMLO, reinforcing the expectation that this role must carry significant authority within the institution.


Training is once again a focal point, with a clear message that standard video-based training is insufficient. If training does not focus on operationalizing threats in a way that directly relates to what employees will encounter in their roles, it will be deemed inadequate. The order reinforces the need for training that goes beyond theoretical concepts and ensures employees are equipped to identify and respond to actual risks they face in day-to-day operations.

By fLEXI tEAM

