BSA-AML Examiner School Case Study eBook

INTERNAL MEMO REGARDING RECENT VISITATION ON THE BANK’S BaaS PROGRAM:

The Fed conducted an offsite visitation of TS&J Bank, Eagle, Nebraska, which commenced December 4, 2023, and focused on the bank’s implementation of a novel Banking as a Service (BaaS) strategy, including relationships with the designated service provider, Unit Finance Inc. (Unit), and Onyx Card, LLC (Onyx). Examiners’ review was limited in scope and primarily centered on the bank’s third-party risk management; cybersecurity/information security; and the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) program. In addition, financial implications such as capital planning, earnings impact, and liquidity risk were considered.

Following the visitation, FED and the STATE examiners met with representatives of the board of directors (board) and senior management on January 16, 2024, to discuss the observations made during the visitation, which are included in this correspondence for your review. Representing the bank were Chief Executive Officer Lynn Love, President Todd Tallon, Vice President of Finance Seth Simmons, and Chief Compliance Officer/BSA Officer Ruby Rose. Members of both the FED and STATE were present.

As was discussed during the visitation and the subsequent meeting to discuss observations, to ensure safe and sound banking practices, a bank’s risk management program must be commensurate with the level of risk present in a bank’s activities. In particular, BaaS activities are complex and present high inherent risks. A bank should ensure it has in place adequate systems, risk management, and controls to conduct such activities in a safe, sound, and compliant manner. We recognize the board’s commitment and intention to implement a risk management framework that effectively mitigates risk associated with the BaaS strategy and program.
Such intention was demonstrated through the establishment of a board risk committee and chief risk officer, hiring of knowledgeable and competent staff, such as Chief Compliance Officer/BSA Officer Rose, who is well-versed in BaaS strategies, and a third-party risk management program that captures key principles of Supervision and Regulation Letter (SR Letter) 23-4, Interagency Guidance on Third-Party Relationships: Risk Management (SR Letter 23-4). We also acknowledge several adequate qualities of the bank’s risk management program that are in the process of being fully developed and were unavailable to be reviewed. In addition, due to the limited scope of the review, not all areas were assessed for appropriateness or adequacy. As a reminder, it is important that controls are in place prior to the bank engaging any new products and service activities and that the bank’s risk management framework should emulate either growth, expansion, or change in the BaaS strategy. The BaaS strategy is active; therefore,

For Training Purposes Only
