OCC Takes Issue With Vast Bank's Custody Controls
Today the OCC released three enforcement actions it took last month against national banks or federal savings associations. One of the enforcement actions is a consent order against Vast Bank, N.A., a national bank based in Tulsa, Oklahoma with a little over $1 billion in total assets.
The OCC concludes that Vast Bank has engaged in various unsafe and unsound practices, including those relating to “capital; capital and strategic planning; liquidity risk management; project management; books and records; interest rate risk management; [and] IT controls.”
So Vast Bank is now required to maintain higher minimum capital ratios (Article IV), to create a capital and strategic plan (Article V), to improve its processes for keeping complete and accurate books and records, including with respect to unspecified “intangible assets” (Article VII), and so on.
What might be most interesting about this consent order, though, are two areas of unsafe and unsound practices highlighted by the OCC that I left out of the quote a few paragraphs above. These are “risk management for new products” and “custody account controls.”
Risk Management for New Products
Article XI of the consent order requires that Vast Bank prepare and submit to the OCC for its prior non-objection a “written plan for adding new, modifying existing, or expanding existing product and service offerings.”
The plan must “ensure management designs, implements, and monitors the Bank’s risk management system for new activity development and effectively measures, monitors, and controls risks associated with new activities.” Before any new activity can be introduced, management must “establish appropriate policies and procedures that outline the standards, responsibilities, processes, and internal controls for ensuring that risks are well understood and mitigated with reasonable parameters.”
The plan must also address “the risks posed by third-party partnerships.” For example, the plan needs to “detail how the Bank selects, assesses and oversees third-party providers.”
Custody Account Controls
Article XII of the consent order requires Vast Bank to prepare and submit to the OCC for its prior non-objection a “written custodial control plan.” The purpose of this plan, according to the consent order, is “to provide management with clear direction to safeguard assets under custody, produce reliable financial reports, and comply with applicable laws and regulations.”
Among other things, the custody control plan must lay out steps the bank will take to “ensure safekeeping of all assets under management in such a manner as to preclude comingling of customer assets with the assets of the bank or its agents, sub-custodians, or third-party vendors.”
Not Clear What This Is About, But…
As is usually the case with consent orders, the details underlying the OCC’s findings are fairly sparse. It is therefore unclear what exactly happened to lead the OCC to conclude, for example, that Vast Bank’s management was in need of “clear direction” as to how to safeguard assets under custody, or to preclude commingling of customer assets with those of others.
One wonders, though, if these OCC worries about custody accounts, as well as the OCC’s concerns about the bank’s processes for launching new products, relate, at least in part, to a new initiative launched by Vast Bank in 2021.1
Vast Bank, a $800 million-asset family-owned institution, launched its crypto banking services this summer when it unveiled a platform that allows customers to store and exchange digital assets at the Tulsa, Oklahoma-based bank.
Since launching at the end of August, CEO Brad Scrivner said the new offering has allowed the bank to significantly grow its retail customer base.
“We’re probably at about 50% of what it took us 40 years to build, in terms of our retail customer population, in just those eight weeks,” he said.
Vast Bank currently on its website describes itself as the “first nationally chartered U.S. bank that allows you to buy, sell, and hold cryptocurrency assets through your mobile banking app.” Elsewhere on its website, Vast Bank describes the Advantages to Having a Bank as Crypto Custodian. The resource center of press releases and other articles on the bank’s website is similarly bullish on crypto custody by banking organizations.
Maybe all of this is unfair. As noted above, the consent order does not call out any products or services in particular; nor does it name specific categories of custodied assets. So it is possible that the OCC thinks the crypto custody services offered by Vast Bank are really, really great, and it is other, unspecified custodial services offered by Vast Bank that the OCC believes are in need of correction.
And, of course, even if this is in part about crypto, there is no way to judge, based on the recitals in the public consent order at least, whether the OCC’s findings and required corrective actions are supported by the evidence.
Given these sources of uncertainty, there is no groundbreaking conclusion to this post. The point, for now, is just to highlight an enforcement action that seems like it may combine multiple areas of recent OCC focus: fast growth by smaller banks, third-party risk management, and digital asset related activities.
This article is from 2021, but perhaps as continued evidence of the observation made in the quote from the CEO about retail customer population consider that Vast Bank’s call report for the quarter ended June 30, 2021 says that it had 5,199 deposit accounts holding $250,000 or less (Schedule RC-O, Memorandum Item 1.a.2). For its most recent call report for the quarter ended September 30, 2023, Vast Bank reported that it had 15,366 deposit accounts holding $250,000 or less.