Banking regulators have given us more lessons to ponder about effective third-party risk management and compliance programs, courtesy of a $30 million sanction against a bank in New York that had neither and ended up stuck in a pandemic-era $300 million fraud scheme.
The bank in question is Metropolitan Commercial Bank (MCB), a bank in New York City with $6 billion in assets that mostly works in loan origination and issuing third-party debit cards nationwide. The Federal Reserve and the New York Department of Financial Services announced civil fines of $30 million against MCB last week for failing to exercise proper oversight of MovoCash, a prepaid debit card outfit that used MCB as its banking partner.
That business relationship meant that MCB was responsible for assuring that MovoCash had an effective customer due diligence program in place. MovoCash struggled on that front; fraudsters used weaknesses in its customer identification program to create accounts for people who didn’t actually exist, and then used those fake accounts to divert state unemployment benefits — and in 2020, as the covid-19 pandemic took flight and Congress enacted generous new unemployment benefits, those diversions added up. The fraudsters swindled some $300 million, $200 million of which remains unrecovered.
So why should the compliance community, especially those not in banking, care about this case? What lessons can we learn?
Well, lots. The real lessons here aren’t about the intricacy of banking regulation and anti-money laundering programs; they’re about an inability to respond to red flags of risk, especially in times of turmoil and operational uncertainty — which is a predicament that can snare any organization if you’re not disciplined in your approach to compliance and third-party risk management.
Let’s begin with a look at what unfolded at MCB.
A Surge in Fraud
As described in the settlement order between MCB and the New York Department of Financial Services, MCB first began its business relationship with MovoCash in 2016. MovoCash marketed its prepaid cards to consumers around the country, but the cards themselves were issued by MCB and qualified as MCB bank accounts as far as regulators were concerned. That meant MCB was responsible for assuring that MovoCash’s AML compliance program — including customer identification procedures — met regulatory standards.
Trouble first began to surface in January 2020. That’s when MCB compliance personnel noticed that one of the biggest complaints MCB received about its prepaid card program was that fraudsters were opening prepaid card accounts using another person’s identity. The fraudsters would then direct payments, including direct-deposit payroll payments and government benefits, onto the fraudulently opened cards.
That same month, MCB was also warned about a spike in wire transfers associated with those prepaid accounts, and wire transfers are often a red flag for fraud. MCB asked MovoCash about the suspicious activity, and MovoCash answered that “the relevant activity had been identified and addressed.” So MCB “took no further steps to ensure that this type of transaction activity would not recur within the MovoCash program.”
Let’s pause here to recap. MCB had clear evidence of suspicious activity with a third party (MovoCash), but took that third party’s word that the suspicious activity had been halted. MCB did nothing within its own third-party oversight program to address the risk in question.
Then came March 2020, when the covid-19 pandemic struck with full force and several things happened all at once:
- First, regulators expressly warned banks to beware of an increase in cyber-fraud stemming from the pandemic.
- Second, MCB compliance officers noticed that the bank had significantly more fraudulent account openings in connection with MovoCash than any other third-party program MCB was running.
- Third, Congress passed the CARES Act that month, which offered extensive new unemployment benefits. As soon as that happened, MCB noticed a surge in new MovoCash account openings — and a surge in complaints from consumers that fraudulent MovoCash accounts had been opened in their name.
The next few months were turbulent times for MCB. The surge in new accounts subsided by April 2020, but it was clear that weak controls at MovoCash were allowing substantial fraud to happen with those prepaid cards. What happened next is worth quoting at length from the DFS settlement order:
Senior executives at MCB discussed the possibility of terminating the relationship with MovoCash, but the bank chose not to do so at that time, and, instead, continued to allow new accounts to be opened. An internal suggestion that more stringent [customer identification] controls be implemented — e.g., documentary ID verification for new accounts – might be worth considering on a temporary basis was not ultimately acted upon.
By June, federal law enforcement told MCB executives that MovoCash had extensive problems with fraudulent prepaid cards. By July, regulators told MCB that at least 60,000 to 80,000 fraudulent MovoCash accounts were opened each week, and $2 million was being diverted every day. MCB halted new MovoCash accounts that month, and ended the program altogether in August.
‘Failure to Act Sooner’
We could spend all day examining the specific remediation steps that MCB has promised to undertake, including better customer due diligence, a program to review new products before launch, stronger internal controls and AML procedures, and the like. Both the New York DFS order and the Federal Reserve settlement order are quite detailed in what they expect MCB to do.
But is that really the most important and profound lesson to learn here? I keep coming back to two fundamental points.
First, MCB’s management knew about the fraud risks with MovoCash as early as January 2020, before the pandemic struck, but took no action in response. Second, senior management was caught unprepared for a spike in fraud risk when the pandemic struck in March 2020.
Those are compliance shortcomings that could afflict any organization. It was a failure to be responsive to red flags or changes in risk, and that’s what worries me more than any specific missteps in customer due diligence and documentation.
Regulators noticed that failure to be responsive, too. “The bank’s failure to act sooner helped facilitate more than $300 million in pandemic unemployment benefits to be misdirected,” the DFS settlement order reads.
Part of me wants to go easy on MCB because pretty much everyone was unprepared for the pandemic in March 2020. Even MCB published a statement about the enforcement order, describing its troubles as a “unique challenge that arose for a short period at the height of the COVID-19 pandemic.”
Really, though? Because we still have the fact that MCB knew about MovoCash’s red flags at least since January 2020, well before covid-19 reached the United States. For whatever reason, MCB failed to engage with those red flags at that time. That’s a failure of the control environment, more than it was a failure of specific control activities such as better customer due diligence.
And if MCB was unprepared or unwilling to engage with third-party risks then, when times were easy, that stance only became far more dangerous when covid-19 did arrive. Success is all about taking compliance seriously during the ordinary times, so that you’re better able to cope when the surge times come.