Feature Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Table of Contents
The OCC’s consent order against Community Federal Savings Bank landed on May 21, 2026, and the industry’s first read was predictable: a crypto-adjacent sponsor bank got caught with a bad BSA/AML program. The Crypto.com and Wise connection made it easy to frame as a digital asset story.
That framing is wrong, and it’s dangerous for institutions that take it at face value.
The OCC explicitly said the findings are “based on concerns largely unrelated to customers involved in digital assets activities.” What got CFSB written up wasn’t its crypto clients. It was a payment processing operation that grew significantly faster than the transaction monitoring, customer due diligence, and staffing infrastructure that should have scaled with it. The digital asset clients were incidental to the core finding: when payment volume grows and controls don’t, BSA/AML failures follow.
That’s an operational risk lesson every institution growing through fintech partnerships needs to sit with.
TL;DR
- OCC consent order against Community Federal Savings Bank (May 21, 2026) cited BSA/AML failures tied to rapid payment processing growth—not to crypto or digital asset partners specifically
- Three core deficiencies: automated alert system tuned for an earlier, lower-volume risk profile; CDD gaps leaving the bank without understanding of what was flowing through its payment processing line; and independent testing and staffing that never scaled with transaction growth
- The order requires a SAR look-back consultant to review historical auto-closed alerts—a significant operational burden that could surface years of missed reportable activity
- The operational risk lesson: controls that were adequate when the payment processing line launched may not be adequate now, and the gap between “adequate at launch” and “adequate today” is exactly what regulators are examining
Who Is Community Federal Savings Bank?
Community Federal Savings Bank is a single-branch federal savings association in Woodhaven, New York. Its asset base is small. What distinguishes it is the payment processing business it has built since approximately 2020—serving as the U.S. sponsor bank for Wise’s dollar-denominated accounts and as the issuer behind Crypto.com’s prepaid card product, among a broader roster of fintech and card-issuing clients.
This growth model—a small institution with a large payment processing operation—isn’t unusual. The fintech banking-as-a-service wave created a cohort of community banks and savings associations that grew their balance sheets and fee income through fintech partnerships, processing payment volumes far exceeding what their retail deposit franchise would suggest. The OCC examined CFSB and found what it has found at a number of these institutions: the payment processing growth was real; the compliance infrastructure wasn’t keeping up.
The consent order was publicly released May 21, 2026, docketed as AA-ENF-2025-21. It does not include a monetary penalty, which is notable—the OCC can impose civil money penalties for BSA/AML violations, and the absence of one suggests the OCC’s primary goal here is remediation, not punishment. That doesn’t make the order light. A consent order is still a public document, a matter of regulatory record, and an examiner deliverable that will follow the institution through its next several supervisory cycles.
The Three Operational Failures the OCC Found
1. Alert Auto-Closing That Was Suppressing the Signal
Most transaction monitoring systems are designed to generate alerts when transactions match risk patterns. Banks then triage alerts: some are investigated and filed as SARs, others are closed after review as benign. Alert “auto-closing” refers to system logic that closes certain alerts automatically—based on thresholds, customer type, prior transaction history, or other criteria—without requiring a human to review them.
Auto-closing is not inherently problematic. High-volume monitoring environments generate enormous alert counts, and some automated triage logic is necessary. The problem is when the triage criteria are calibrated for a risk profile that no longer matches the institution’s actual business.
The OCC found that CFSB’s automated suspicious activity alerting system had “filtering criteria and thresholds that were not adequately tuned to the payment-processing line, higher-risk products and services, and international exposures.” The system was auto-closing “a very high percentage” of alerts that should have been escalated for further review.
Think about what that means operationally. The bank had a system generating alerts. The system was then suppressing those alerts—automatically, without human judgment—at a rate the OCC found to be excessive. A human BSA analyst never saw the flagged transactions because the system had decided, based on outdated criteria, that they didn’t warrant review.
This is why the consent order requires a SAR look-back. The OCC needs to know how many of those auto-closed alerts, over what period, contained reportable suspicious activity that the bank failed to file. Look-backs are operationally expensive and can surface years of missed FinCEN filings that must now be made retroactively.
2. CDD Gaps on the Payment Processing Line
Customer due diligence at its core requires that a bank understand who its customers are and what transactions to expect from them. For a payment processor relationship, that means understanding: who is this fintech’s customer base? What business do they conduct? What kinds of transactions—volume, frequency, geography, counterparties—are normal for this relationship?
The OCC found that CFSB’s customer due diligence program was deficient and that the bank “did not understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line, including risks related to foreign financial institutions.”
This isn’t a paperwork deficiency. A bank that doesn’t understand what’s flowing through its payment processing line cannot set meaningful monitoring thresholds, cannot identify when a customer’s transactions deviate from expected patterns, and cannot make a defensible SAR decision. CDD is the foundation of the transaction monitoring program—without it, you’re generating alerts from a baseline you’ve never validated.
The foreign financial institution angle is worth particular attention. CFSB “failed to determine whether it held correspondent accounts for foreign financial institutions.” Under the USA PATRIOT Act, banks that hold correspondent accounts for foreign financial institutions have specific enhanced due diligence obligations. CFSB’s OCC consent order cites a violation of 31 CFR 1010.520(b)(3)—the information sharing requirement—for this failure. This is a threshold error: the bank wasn’t even asking the question of whether its payment processing relationships involved foreign financial institutions as counterparties.
3. Independent Testing and Staffing That Didn’t Scale
The OCC found that CFSB had “weak independent testing” and insufficient BSA staffing.
BSA/AML independent testing—sometimes called the BSA audit function—is one of the four pillars of a BSA compliance program under 12 CFR 21.21. It requires periodic testing by a party independent of the BSA function (internal audit or an outside consultant) to verify that the transaction monitoring system is working, that SAR decisions are sound, and that the CDD program is adequate.
When payment processing volume grows significantly, the independent testing program should reflect that growth—in frequency, in scope, and in the expertise of testers. The OCC’s finding suggests CFSB’s testing program didn’t keep pace. Neither did staffing: the bank’s BSA personnel weren’t sized for the payment processing volume being reviewed.
This is a common pattern. An institution that built a BSA program for a $200M community bank, then added a fintech payment processing line that now processes hundreds of millions in annual wire and ACH volume, often doesn’t revisit whether its BSA team headcount and its testing budget match its current risk profile. The OCC has seen this at enough institutions that it now asks directly: does your staffing reflect the volume and complexity of your current business?
The SAR Look-Back Problem
The OCC’s requirement that CFSB hire a SAR look-back consultant is worth dwelling on because it illustrates how operational failures compound.
A look-back is not a prospective fix. It’s a retroactive investigation of whether the bank missed reportable suspicious activity over some historical period. The scope is determined by when the monitoring failures began and how far back the OCC needs to go to have confidence in the institution’s historical SAR filing record.
For CFSB, the payment processing line began growing significantly around 2020. If the alert auto-closing and CDD deficiencies date to the early growth period, the look-back scope could cover five or more years of transactions. Every auto-closed alert in scope must be re-evaluated. Where the re-evaluation reveals reportable activity, a SAR must be filed retroactively. The FinCEN filings then become a public matter, and each one is a data point that could lead to additional regulatory or law enforcement inquiry.
This is the cost of letting monitoring gaps accumulate. Fixing the monitoring program prospectively is manageable. The retroactive look-back—which can require months of consultant time and hundreds of thousands of dollars—is the penalty for not catching the gap sooner.
The Operational Risk Frame Most Institutions Are Missing
Most BSA/AML compliance programs are managed by the BSA officer, not by operational risk. That’s appropriate for day-to-day program management. But the failures in the CFSB consent order are operational risk failures—and they need to be visible to the risk function, not just the BSA team.
Consider what an RCSA—a risk and control self-assessment—of the BSA function at CFSB would have surfaced if it had been run rigorously:
- The transaction monitoring system has not been recalibrated since [year]. The auto-closure rate has not been validated against current business mix. Control: not effective.
- CDD documentation for payment processing customers does not include expected transaction patterns. The baseline for what’s “normal” is not documented. Control: not effective.
- BSA staffing is [X] FTEs against a transaction volume of [Y] wires and [Z] ACH transactions annually. Staffing has not increased since [year] despite volume growing [%]. Control gap identified.
- Independent testing was last conducted [date]. The scope did not include the payment processing line, which now represents [%] of total transaction volume. Control: insufficient.
None of those findings require a regulatory examination to surface. They require someone to ask the question.
Running an RCSA on your BSA/AML program isn’t a box to check for the examiner. It’s how you find out whether the controls that were adequate when the program was built still match the risk you’re actually running today. For institutions that have grown payment volume through fintech partnerships, that question has likely never been formally asked.
What the Consent Order Means for the Broader Sponsor Bank Ecosystem
CFSB is not an outlier in the sponsor bank space. Since 2020, the OCC has intensified scrutiny of fintech-bank partnership models—not because fintech partnerships are inherently problematic, but because rapid growth in these models has repeatedly outpaced the compliance and risk infrastructure that should scale alongside them.
The OCC’s enforcement record in this space includes consent orders against Cross River Bank, Evolve Bank & Trust, Piermont Bank, Choice Financial Group, and Lineage Bank—all involving deficiencies in BSA/AML, third-party oversight, or consumer compliance that the OCC traced back to fintech partnership growth that moved faster than the bank’s program capacity.
CFSB’s consent order follows the same pattern. The payment processing line grew. The monitoring thresholds didn’t change. The CDD program didn’t adapt. The testing scope didn’t expand. The staffing didn’t scale. The regulator eventually arrived and found exactly what it found at the others.
For every institution operating in this space, the relevant question is not “is CFSB’s situation unusual?” It’s: “if an OCC examiner ran a transaction monitoring calibration review against our current payment processing mix tomorrow, what would they find?”
If the BSA/AML KRI metrics you’re tracking don’t include auto-closure rate, alert-to-SAR conversion rate, and CDD documentation rate for payment processing customers, you’re not measuring the controls that matter most for this risk.
So What?
The CFSB consent order is worth reading even if you’re not a sponsor bank, not a community bank, and not in the payment processing business. The operational risk pattern it documents—controls built for one risk profile, business grown into a different one, gap never formally assessed—shows up across BSA/AML, third-party risk, model risk, and virtually every other risk domain in financial services.
The detection mechanism is an RCSA that asks, genuinely, whether controls are effective for the business you’re running today—not the business you were running when the program was built. An RCSA that documents control gaps with specificity, assigns owners, and drives remediation creates a paper trail that demonstrates the institution is managing its risks. One that hasn’t been updated since the business model changed doesn’t.
The OCC found the gap at CFSB. The question for every other institution is whether they find it first.
Sources:
- OCC Announces Enforcement Actions for May 2026
- OCC cites AML deficiencies at NY bank that partners with fintechs — Banking Dive
- CFSB Hit With BSA/AML Enforcement Action — Fintech Business Weekly
- The OCC’s Recent Consent Order Is a Warning for Community Banks in the Fintech Partnership Space — National Law Review
- OCC Orders Community Federal Savings Bank to Address BSA/AML Compliance Deficiencies — ACAMS
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What did the OCC's consent order against Community Federal Savings Bank require?
What BSA/AML violations did the OCC cite against Community Federal Savings Bank?
Does this enforcement action mean the OCC is targeting crypto-related fintech partnerships?
What does 'alert auto-closing' mean and why did the OCC flag it?
What is a SAR look-back and when is one required?
What should fintech sponsor banks do if their payment processing volume has grown significantly since they last calibrated their monitoring system?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
RCSA (Risk & Control Self-Assessment)
141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.
◆ Keep reading
Related posts.
Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Jul 8, 2026
Operational Risk
The 2026 CRE Loan Maturity Wall: How Community Banks Should Stress-Test Their Commercial Real Estate Portfolios Right Now
More than $1.5 trillion in commercial real estate loans mature in 2026. Roughly 31% of all U.S. banks are CRE-concentrated. Here's the stress-testing methodology community banks need — before examiners ask for it.
Jul 6, 2026
Operational Risk
Liquidity Risk KRIs Beyond LCR and NSFR: The 12 Early Warning Metrics That Give You Days, Not Hours
LCR and NSFR tell regulators you're compliant. Liquidity KRIs tell you when you're three days from a crisis. Here are the 12 metrics every risk manager should be tracking — and what SVB's 31 open MRAs reveal about what happens when early warning breaks down.
Jul 2, 2026