OCC orders Blue Ridge Bank to strengthen fintech partnership oversight

Dive card:

• The Office of the Comptroller of the Currency (OCC) ordered Charlottesville, Virginia-based Blue Ridge Bank to improve its oversight of third-party fintech partnerships, according to a Securities and Exchange Commission (SEC) filing on Thursday. The bank must also strengthen its anti-money laundering risk management, suspicious activity reporting and information technology controls after the regulator “found unsafe or unsound practices”, the filing indicated.
• The submission did not describe any specific problematic situation. But Blue Ridge was the subject of an April 2021 letter the Student Borrower Protection Center and other advocacy groups wrote to the OCC about an “income sharing” lending option the bank offered in partnership with fintech MentorWorks, in which students pledge some of their income earned after graduation.
• Blue Ridge and FVCB in January finalized a planned merger that would have created the fourth largest community bank headquartered in Virginia. The banks delayed the transaction in November because of “certain regulatory concerns” the OCC found with Blue Ridge. But none of the institutions described these concerns in publicly available writing. Nor did they blame the OCC’s findings for the dissolution of the bond.

Diving Insights:

Under the order, Blue Ridge must obtain the OCC’s no-objection before entering into new contracts with fintech partners or adding new products in collaboration with existing partners.

The bank agreed to detail in an “action plan” how it would better monitor suspicious activity, including “high-risk customer activity involving … third-party fintech partners.”

Blue Ridge must within 10 days appoint a compliance committee consisting mainly of members from outside the bank to meet quarterly and review progress. The OCC ordered the panel to provide the regulator — by Dec. 31, and quarterly thereafter — details on the corrective actions Blue Ridge intends to implement, the timelines for completing them, the names of those responsible and status updates on those actions. .

The OCC also ordered Blue Ridge to write and implement, within 60 days, guidelines for assessing risks from third-party fintech partnerships and addressing how the bank identifies risks from those partners’ products, services and activities, in relation to the Bank Secrecy Act (BSA), compliance, liquidity, credit and operations.

Within 90 days, the OCC wants Blue Ridge to have written guidelines for BSA risk assessment, a separate document governing BSA audits and another set of standards intended to assess and manage the bank’s information technology activities, including those performed by third-party partners.

In particular, the audit program must have an “expanded scope” that includes fintech partner activities, and the bank must ensure that the BSA department is “appropriately staffed with personnel who have the necessary expertise, training, skills and authority,” the filing indicated.

The filing detailed no monetary penalties that Blue Ridge may incur from the order.

However, the bank said it “continues to cooperate with the OCC, and to work to bring the bank’s fintech policies, procedures and operations into compliance with OCC directives,” according to American Banker.

“The bank’s board and management are obliged to fully comply with the provisions of the agreement within the required timeframes, and believe that the bank has made progress in meeting the requirements to date,” the bank said.

An OCC spokesperson declined to comment, telling American Banker that the regulator does not comment on specific banks or enforcement actions.