BSA-AML Examiner School Case Study eBook
it is imperative that the board and senior management demonstrate that the enhancements below are being substantially addressed prior to the upcoming safety and soundness examination, dated February 12, 2024. Failure to demonstrate progress increases the likelihood for rating changes, examination findings as well as pausing additional onboarding of new BaaS partners or clients until risk management gaps are addressed, which may impede further growth of the bank’s BaaS strategy going forward.

Enhancements to Risk Management Framework of BaaS Program

The following are enhancements related to gaps in third-party risk management, dual controls, and liquidity risk management. The bank’s efforts in demonstrating strengthening the respective areas will be assessed at the upcoming joint safety and soundness examination.

• With consideration to effective third-party risk management, the bank should incorporate BaaS-related activities within its business continuity planning (BCP) and business impact analysis (BIA) framework. Consideration should also be given to BCPs and BIAs of current (i.e., Unit and Onyx) and future BaaS partners as well as the decommissioning of or transferring aspects of the program to new vendors. Third-party risk management procedures should also delineate the criticality risk rating methodology and documentation requirements used for potential BaaS partners and specify the use of alternatives when the requested information is not available for due diligence and ongoing monitoring. Additionally, Unit and all BaaS partners should be tracked on the bank’s vendor management risk assessment and classified as either a critical or non-critical vendor. All critical vendors should be incorporated into quarterly monitoring in accordance with internal policies. Refer to SR Letter 23-4 for additional information.

• With consideration to managing operational risk, the bank should develop dual control practices and written procedures related to the daily reconciliation of BaaS activities.

• With consideration to liquidity risk management, the bank should clearly delineate the current on-balance sheet deposit strategies and key performance indicators pursuant to the BaaS Deposit Phase 1 strategy in its written policies and procedures. On a forward-looking basis, policies and procedures should also delineate limits and restrictions on the deployment of BaaS deposits for bank activity and include them as part of annual liquidity stress testing processes. In addition, policies and procedures should delineate the operational process for the placement of BaaS deposits and ensuring insurance coverage is in effect. We understand that in Deposit Phase 1, the bank intends to sell deposits received through the BaaS program to the Intra-fi network. Although the Phase 1 is documented in the BaaS business strategy presentation, this strategy and post-Phase 1 strategy, the placement of BaaS deposits, and the insurance coverage mechanism should be formalized in the bank’s current liquidity policy.
For Training Purposes Only