- Key insight: This is the second OCC enforcement action against Community Federal Savings Bank since 2020, and the 2020 order had specifically required the bank to write a strategic plan that controlled BSA/AML risk.
- What's at stake: The BSA/AML rebuild can reach into onboarding, transaction monitoring and product timelines at the fintechs that use the bank's rails, including Wise and Crypto.com.
- Forward look: The bank must hire two outside consultants, including a SAR look-back consultant who can recommend new suspicious-activity reports for historical transactions the bank's automated system auto-closed.
Overview bullets generated by AI with editorial review.
Federal bank regulators on Thursday ordered the small Queens, N.Y., bank that sponsors
The Office of the Comptroller of the Currency, or OCC, said Community Federal Savings Bank had systemic breakdowns in its internal controls over customer due diligence, suspicious-activity monitoring, independent testing and Bank Secrecy Act compliance staffing.
The agency disclosed
The bank, chartered in 2001, reported roughly $866 million in assets and $753 million in deposits as of its
While the bank is relatively small, its partner roster is not.
The bank provides U.S. dollar accounts for Wise, the U.K.-based international money-transfer fintech, and issues the prepaid card behind Crypto.com's spend product. It also acts as a payments-sponsor bank for a broader roster of fintech and card-issuing clients.
A Community Federal Savings Bank spokesperson told American Banker the bank takes the order seriously and has "been actively working to remediate the identified items."
The bank said it "began enhancing its compliance framework well before the Consent Order was issued" and has made "significant investments" in its systems and programs since mid-2024.
Remediation is "well underway," the spokesperson said, and the bank expects to resolve the outstanding matters "over the coming months."
What the OCC found
Since 2020, Community Federal "has significantly grown its payment processing line, relative to its size, resulting in significant annual wire and ACH activity, including cross-border activity involving foreign financial institutions," the order said.
"Despite the growing volume of transactions flowing through its payment processing line and the attendant risks, the bank has failed to develop and maintain controls and risk management processes commensurate with its risk and growth," the order continued.
The bank's automated system for screening alerts about possibly suspicious transactions "auto-closed a very high percentage of all ingested alerts," according to the order.
The OCC said the filters were not calibrated to the bank's actual payment-processing risk profile or its growing international exposure.
The bank's customer due diligence was "ineffective," according to the order.
The bank also did not understand "the nature of certain of its customers' businesses and the purpose of the transactions in the payment processing line, including risks related to foreign financial institutions."
In some cases the bank also failed to determine whether it held correspondent accounts for foreign financial institutions at all. That question controls whether a bank has to comply with a part of the USA PATRIOT Act that sets the enhanced due diligence requirements.
The OCC also found Community Federal's independent testing weak. The bank's internal auditor "failed to identify BSA/AML program weaknesses" and did not scope audit work into the bank's high-risk areas, the order said.
The cited violations include the OCC's Bank Secrecy Act and anti-money-laundering program regulation, federal law covering suspicious-activity reporting, and an information-sharing requirement under the PATRIOT Act.
The order's findings, the OCC said, are "based on concerns largely unrelated to customers involved in digital assets activities."
An OCC spokesperson did not respond to a request for comment.
A small bank with a long fintech list
The order repeatedly anchors its findings in "the payment processing line" of the bank. That is the part of Community Federal's business where its fintech and crypto-card partners reside, not the traditional thrift activities of a federal savings association.
Other federal regulators have hit similar fintech-partner banks in recent years.
In 2023, the Federal Deposit Insurance Corp., or FDIC, entered
The next year, the OCC entered
Those are the same kinds of grounds the OCC cited at Community Federal this month.
The OCC's Novel Bank Supervision office, the unit whose assistant deputy comptroller signed Thursday's order, supervises this kind of institution.
OCC flagged anti-money-laundering risk at this bank in 2020
The OCC has put Community Federal under enforcement action before.
In
The agency placed the bank in "troubled condition" status and required it to set up a compliance committee and to write a three-year strategic plan.
The plan, the 2020 agreement specified, had to include "action plans and time frames to control risks where exposure is high," particularly with regard to "compliance, strategic, and reputation risks, and BSA/AML risk."
The bank then grew the payment-processing line that the OCC said this month had outstripped its controls.
Five of the seven Community Federal directors who signed Thursday's order also signed the 2020 agreement.
In 2011, before its functions were folded into the OCC, the Office of Thrift Supervision issued
That order restricted higher-risk lending, required a conforming business plan and required the bank to revise its suspicious-activity-reporting policies to correct deficiencies the regulator had identified the year before.
What the bank has to do, and what is not in the order
Within 15 days of the April 24 order, the bank had to appoint a compliance committee with a majority of independent directors. Within 90 days, it must submit an action plan describing the steps it will take.
The bank must hire two outside consultants. One will conduct an end-to-end review of the bank's anti-money-laundering program.
The other will review historical suspicious-activity monitoring and recommend whether the bank should file new suspicious-activity reports for previously unreported activity, or correct or amend prior filings.
A bank spokesperson declined to say whether Community Federal has selected either consultant.
The order also requires the bank to rebuild its internal-controls program, including a written customer-due-diligence program and a separate program for screening transactions against requests submitted under Section 314(a) of the USA PATRIOT Act.
The bank must overhaul its independent-testing program, too.
If the bank's Bank Secrecy Act officer position is vacated, the OCC must pre-clear the successor.
The bank said its current Bank Secrecy Act officer joined after the examination period underlying the order and "has been instrumental in ongoing remediation efforts."
The outside reviewer will examine historical transactions, including ones that the bank's automated alert system auto-closed, and decide whether they should now generate suspicious-activity reports.
The order does not impose a civil money penalty on the bank, restrict the bank's growth or its ability to onboard new fintech partners, name any officer or director individually, or bar anyone from working in banking.
A bank spokesperson said the order "does not impose restrictions on partner onboarding," adding, "We continue to partner with new and existing fintech clients in a safe and sound manner."
The OCC reserved the right to pursue further enforcement on the same facts, including against the bank's "institution-affiliated parties."
In late 2023, Wise moved its U.S. dollar account-details service to Community Federal Savings Bank from
A Wise spokesperson did not respond to a request for comment on the OCC's order against Community Federal.
Crypto.com, whose U.S. cardholder agreement names Community Federal Savings Bank as the issuer of its prepaid card, also did not respond to a request for comment.










