By Sarah-Beth Felix
CEO, Palmera Consulting
A TOP U.S. bank regulator on Wednesday imposed a $65 million fine on the Royal Bank of Canada’s American unit, City National Bank, over gaps in the lender’s risk management and internal controls.
The Office of the Comptroller of the Currency (OCC) said that the bank engaged in unsafe or unsound practices, including failure to establish effective risk management and internal controls.
The OCC issued a cease-and-desist order requiring the bank to take broad and comprehensive corrective actions to improve its strategic plan, the agency said in a statement.
In October, City National disclosed that RBC has injected about $2.95 billion into its U.S. unit to bolster its capital. The capital injections came as a part of management actions to improve profitability at City National.
This week’s CMP was directly related to failures in:
- operational risk management;
- BSA/AML/OFAC;
- fair lending;
- strategic risk management;
- and investment management practices.
The order (pp. 6-14) highlights the AML and sanctions deficiencies. There were several deficiencies noted that are not new… how long had these issues been going on? Deficiencies noted in controls, risk assessments, CIP, UBOs, and CDD.
Key takeaways
1) “Critical analysis” for high-risk customer reviews. If your HRC reviews are not telling a story, but just regurgitating the transactional activity, you are missing out. Tell a story, use OSINT and context to build the lens by which you view the customer, then look at the activity and write how/why the activity/revenue you see is reasonable (or not) for that customer.
Moreover, if your HRC reviews produce no SARs – they are not effective!
2) Quality Control – I call it QX – it can be before/after the processes. It just needs to happen. Even if you are a small community bank, you need a QX process over higher risk areas and/or functions that have a role in your AML/sanctions processes.
3) Staffing assessments – these are a theme in almost every order in 2022-2023. You need enough people – but you also need the RIGHT people. We can help with our proprietary screening tool.
4) Risk Assessments – the OCC had a lot to say about what the RA should entail – review pp. 8-10. An interesting statement – “The Board shall review and provide credible challenge to the Risk Assessments and document its review in the Board minutes.” Board minutes must include documentation of the Board’s involvement.
5) Expected activity is their baseline – per usual. But this isn’t accurate. I would hope they mean projected activity by the customer. The expected activity should come from the AML analyst given what they know and expect that customer to do (reasonableness standard).
6) OFAC Risk Assessment – should be distinct from the AML RA.
New issues noted
1) Authority is seen a few times – not just for the AML Officer, but for the AML team that is responsible for collecting CDD information and preparing SARs. What could this mean? That the AML team was stonewalled by other depts when they tried to collect CDD on the customer? Was the AML team not allowed to file SARs on certain customers?
2) Detailed, accurate documentation of personnel roles and responsibilities – too many generalists and not enough specialists. For a bank of that asset size, they should have teams dedicated to various categories of risk and corresponding processes.
3) Thresholds used for detecting ML now have to be approved by senior management and the Board. (Huh??)
4) The bank must perform adverse media screening on all new customers – Yikes! How is this a stipulation? (pg. 13)