The OCC and Anchorage Digital Bank

A Few Possibly Unfair Questions

Last Thursday, the OCC announced that it had issued a consent order against Anchorage Digital Bank based on the bank’s failure to adopt and implement a compliance program that adequately covers required BSA/AML program elements.

This raised eyebrows because Anchorage Digital Bank has not been subject to OCC supervision for very long: it was only 15 months ago that the OCC conditionally approved Anchorage Digital Bank’s application to convert its state trust bank charter to a national trust bank charter.

The timeline of events looks something like this.

• July 16, 2019: Anchorage announces that Anchorage Trust Company has received a trust company charter from the South Dakota Division of Banking.

• November 6, 2020: Anchorage Trust Company applies to the OCC to convert its South Dakota charter to a national trust bank charter. According to the public portion of the application,¹ copies of various policies and procedures are attached as confidential exhibits, including a “BSA/AML/OFAC Policy and Program” and a “BSA/AML/OFAC Risk Assessment Framework.”

• January 13, 2021: The OCC conditionally approves the conversion application after what it describes as a “thorough review of the company and its current operations” applying “the same rigorous review and standards applied to all charter applications.”

  • As a condition of approval, the OCC requires Anchorage to enter into an Operating Agreement.

  • Article VIII of the Operating Agreement requires Anchorage, within 60 days, to “maintain, enhance, and, as necessary, develop… written [BSA/AML] and [OFAC] compliance programs” meeting certain minimum requirements. These minimum requirements include, among other things, a requirement to designate a qualified BSA/AML Officer, subject to the OCC’s written supervisory non-objection.

  • The Operating Agreement further requires the BSA/AML program mandated by Article VIII to be incorporated into Anchorage’s business plan, which pursuant to Article V of the Operating Agreement is required to be submitted to the OCC within 60 days. Once the business plan is submitted, the Operating Agreement envisions the OCC reviewing the plan and, if the plan is acceptable, making a written determination that it has no supervisory objection to the content included therein (including the BSA/AML program).

• April 21, 2022: The OCC issues a consent order, finding that Anchorage “did not meet the BSA/AML requirements under the Operating Agreement.”

  • The consent order sets out a lengthy set of BSA/AML remedial activities which Anchorage must undertake, including (i) the creation of a compliance committee, (ii) adoption and implementation of a written BSA/AML action plan, (iii) the immediate appointment of a BSA Officer with sufficient independence, resources and status, (iv) customer due diligence, customer risk identification, and high risk account reviews, (v) adoption and implementation of a written suspicious activity monitoring and reporting program, (vi) a SAR look-back (i.e., a review by an independent third party to determine whether additional suspicious activity reports should be filed with respect to previously unreported suspicious activities), (vii) independent testing, (viii) BSA/AML training and (ix) data governance and recordkeeping requirements.

So What Happened Here?

In reading the order the following questions jumped to mind, some of which upon further reflection are probably a bit unfair.

1. How much of this reflects Anchorage’s failures and how much of this is attributable to a change in supervisory expectations from the OCC, now under new leadership?

2. How thorough was the OCC’s review of Anchorage’s application?² As noted above, Anchorage evidently submitted its BSA/AML policies as part of its application. The OCC must not have been completely happy with the existing policies and program, given the requirements of the Operating Agreement, but at the same time the policies and program must have been judged as good enough to conditionally grant the charter, with enhancements to be made later as per the Operating Agreement. This general approach of conditionally approving an application while acknowledging that further work is required - typically specified in an Operating Agreement - is not unusual for the OCC (nor in my opinion is it objectionable), but you could ask questions about how the OCC decides what must be done prior to conditional approval and opening for business, and what can be done afterwards. Did they get that balance wrong here?

3. What happened last spring after Anchorage filed its business plan? As noted, the Operating Agreement required Anchorage to receive the OCC’s supervisory non-objection to its business plan, including the BSA/AML program elements incorporated therein. Given the timeline, I am not sure it makes sense to think that the OCC reviewed the BSA/AML program, granted its non-objection sometime last spring or summer, and then turned around and sought to bring this action a few months later. It seems equally likely that the business plan was submitted and the OCC reviewed and objected from the start.³ But even if so, how do you go from there to a public enforcement action? It is suggestive of a pretty wide bid/ask between what Anchorage thought it should be doing and what the OCC thought Anchorage should be doing.

4. What happened with the BSA Officer? Some parts of the consent order make sense to me as potentially understandable (even if not justifiable) failures by Anchorage to meet the OCC’s expectations. For instance, as noted above the consent order includes requirements related to customer due diligence, risk identification and high-risk accounts, as well as SAR filing. For this sort of thing, it is easy to see how a bank might believe what it is doing is sufficient while its regulator takes a different view. What is more difficult to understand, though, is the provision of the consent order requiring Anchorage to immediately appoint a BSA Officer. They were already supposed to have done that as part of the Operating Agreement,⁴ and per the Operating Agreement the appointment of that officer was supposed to be subject to OCC non-objection. Did Anchorage just…never appoint a BSA Officer? Was the BSA Officer appointed and acceptable to the OCC, but then something changed? You could ask similar questions about the consent order’s BSA/AML training program requirements, which mostly seem to require things Anchorage should have been doing from the start.

5. How are other crypto trust companies under OCC supervision doing? In the months after approving Anchorage’s application, the OCC also conditionally approved a conversion application from Protego Trust Bank and a charter application from Paxos National Trust. For Anchorage, the conditional approval was followed a week later by Anchorage Digital Bank opening for business. For Protego and Paxos, the timeline between conditional approval and opening for business has been longer: it is now a year later and neither bank has yet opened.⁵ How should we think about this discrepancy? Should it affect our answers to Questions 1 and 2 above?

6. What does this say about South Dakota’s regulatory approach to crypto-focused trust companies? It does not necessarily reflect well on the emerging state-level regulatory regime that a company could maintain BSA/AML programs that apparently passed muster with state regulators but that when put in front of federal regulators were almost immediately found to be deficient.⁶

The OCC said in 2021 that by bringing Anchorage “into the federal banking system, the bank and industry will benefit from the OCC’s extensive supervisory experience and expertise.” It is easy to make jokes about this, but I do genuinely believe it to be true. I bet Anchorage genuinely believes it too.⁷

1

A copy of the public portion of the application is available in the OCC’s FOIA Electronic Reading Room, in the Conversion Applications folder. There will have been pre-filing meetings and discussions before the application was filed.

2

Just over two months between filing and approval is relatively quick for a conversion application, particularly once you factor in the November and December holidays, but that sort of timeline is not dramatically out of line with the timeline for other non-crypto-related conversion applications. See for example notable conversion applications from 2013 (~ 2 months from filing to approval), 2015 (~3.5 months), 2016 (~ 1 month), 2017 (~ 3 months) and 2019 (~ 3.5 months). You might object that these comparisons are off base on the grounds that (A) some of these examples are federal savings association to national bank applications - i.e., a switch from one OCC-supervised entity to another, meaning the OCC was not starting from scratch, and/or (B) crypto raises unique issues. I do not entirely disagree, but the point here is merely that if you want to accuse the OCC of cutting corners I do not think it is fair to do so based on the timing alone.

3

In a statement given to CoinDesk, Anchorage described the issues only as having been “identified by the OCC in 2021 in its supervisory capacity.”

4

Even setting aside the Operating Agreement, the appointment of a BSA Officer is a requirement of the OCC’s regulations. See 12 CFR 21.21(d)(3) and this section of the FFIEC BSA/AML Manual.

5

Protego’s website states that Protego Trust Bank N.A. is launching in 2022, without specifying a date. Paxos, which also operates (and intends to keep) a New York-state charter, has not provided a recent update on the opening date for Paxos National Trust, so far as I can tell.

6

I warned that some of these questions were probably unfair, and this one is maybe too unkind to South Dakota. It is certainly possible that Anchorage’s program was appropriate for its 2019 business model, but that as its business continued to grow and mature its compliance programs failed to grow and mature along with the business. We also do not know what, if anything, South Dakota did as part of the confidential supervision process.

7

In a statement emailed to Compliance Week following the publication of the consent order, Anchorage said, “Anchorage is proud to be the first digital asset custody bank to be held to the same standards as traditional federally chartered banks. Meanwhile, we maintain the steadfast belief that we should not be the only such federally regulated digital asset bank. This shouldn’t deter others from working together with the OCC to establish regulatory precedent. Instead, we hope it encourages others to follow suit knowing that a workable path forward exists.”