Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships

On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.

Table of Contents

The OCC’s consent order against Community Federal Savings Bank landed on May 21, 2026, and the industry’s first read was predictable: a crypto-adjacent sponsor bank got caught with a bad BSA/AML program. The Crypto.com and Wise connection made it easy to frame as a digital asset story.

That framing is wrong, and it’s dangerous for institutions that take it at face value.

The OCC explicitly said the findings are “based on concerns largely unrelated to customers involved in digital assets activities.” What got CFSB written up wasn’t its crypto clients. It was a payment processing operation that grew significantly faster than the transaction monitoring, customer due diligence, and staffing infrastructure that should have scaled with it. The digital asset clients were incidental to the core finding: when payment volume grows and controls don’t, BSA/AML failures follow.

That’s an operational risk lesson every institution growing through fintech partnerships needs to sit with.

TL;DR

  • OCC consent order against Community Federal Savings Bank (May 21, 2026) cited BSA/AML failures tied to rapid payment processing growth—not to crypto or digital asset partners specifically
  • Three core deficiencies: automated alert system tuned for an earlier, lower-volume risk profile; CDD gaps leaving the bank without understanding of what was flowing through its payment processing line; and independent testing and staffing that never scaled with transaction growth
  • The order requires a SAR look-back consultant to review historical auto-closed alerts—a significant operational burden that could surface years of missed reportable activity
  • The operational risk lesson: controls that were adequate when the payment processing line launched may not be adequate now, and the gap between “adequate at launch” and “adequate today” is exactly what regulators are examining

Who Is Community Federal Savings Bank?

Community Federal Savings Bank is a single-branch federal savings association in Woodhaven, New York. Its asset base is small. What distinguishes it is the payment processing business it has built since approximately 2020—serving as the U.S. sponsor bank for Wise’s dollar-denominated accounts and as the issuer behind Crypto.com’s prepaid card product, among a broader roster of fintech and card-issuing clients.

This growth model—a small institution with a large payment processing operation—isn’t unusual. The fintech banking-as-a-service wave created a cohort of community banks and savings associations that grew their balance sheets and fee income through fintech partnerships, processing payment volumes far exceeding what their retail deposit franchise would suggest. The OCC examined CFSB and found what it has found at a number of these institutions: the payment processing growth was real; the compliance infrastructure wasn’t keeping up.

The consent order was publicly released May 21, 2026, docketed as AA-ENF-2025-21. It does not include a monetary penalty, which is notable—the OCC can impose civil money penalties for BSA/AML violations, and the absence of one suggests the OCC’s primary goal here is remediation, not punishment. That doesn’t make the order light. A consent order is still a public document, a matter of regulatory record, and an examiner deliverable that will follow the institution through its next several supervisory cycles.

The Three Operational Failures the OCC Found

1. Alert Auto-Closing That Was Suppressing the Signal

Most transaction monitoring systems are designed to generate alerts when transactions match risk patterns. Banks then triage alerts: some are investigated and filed as SARs, others are closed after review as benign. Alert “auto-closing” refers to system logic that closes certain alerts automatically—based on thresholds, customer type, prior transaction history, or other criteria—without requiring a human to review them.

Auto-closing is not inherently problematic. High-volume monitoring environments generate enormous alert counts, and some automated triage logic is necessary. The problem is when the triage criteria are calibrated for a risk profile that no longer matches the institution’s actual business.

The OCC found that CFSB’s automated suspicious activity alerting system had “filtering criteria and thresholds that were not adequately tuned to the payment-processing line, higher-risk products and services, and international exposures.” The system was auto-closing “a very high percentage” of alerts that should have been escalated for further review.

Think about what that means operationally. The bank had a system generating alerts. The system was then suppressing those alerts—automatically, without human judgment—at a rate the OCC found to be excessive. A human BSA analyst never saw the flagged transactions because the system had decided, based on outdated criteria, that they didn’t warrant review.

This is why the consent order requires a SAR look-back. The OCC needs to know how many of those auto-closed alerts, over what period, contained reportable suspicious activity that the bank failed to file. Look-backs are operationally expensive and can surface years of missed FinCEN filings that must now be made retroactively.

2. CDD Gaps on the Payment Processing Line

Customer due diligence at its core requires that a bank understand who its customers are and what transactions to expect from them. For a payment processor relationship, that means understanding: who is this fintech’s customer base? What business do they conduct? What kinds of transactions—volume, frequency, geography, counterparties—are normal for this relationship?

The OCC found that CFSB’s customer due diligence program was deficient and that the bank “did not understand the nature of certain customers’ businesses and the purpose of transactions flowing through its payment processing line, including risks related to foreign financial institutions.”

This isn’t a paperwork deficiency. A bank that doesn’t understand what’s flowing through its payment processing line cannot set meaningful monitoring thresholds, cannot identify when a customer’s transactions deviate from expected patterns, and cannot make a defensible SAR decision. CDD is the foundation of the transaction monitoring program—without it, you’re generating alerts from a baseline you’ve never validated.

The foreign financial institution angle is worth particular attention. CFSB “failed to determine whether it held correspondent accounts for foreign financial institutions.” Under the USA PATRIOT Act, banks that hold correspondent accounts for foreign financial institutions have specific enhanced due diligence obligations. CFSB’s OCC consent order cites a violation of 31 CFR 1010.520(b)(3)—the information sharing requirement—for this failure. This is a threshold error: the bank wasn’t even asking the question of whether its payment processing relationships involved foreign financial institutions as counterparties.

3. Independent Testing and Staffing That Didn’t Scale

The OCC found that CFSB had “weak independent testing” and insufficient BSA staffing.

BSA/AML independent testing—sometimes called the BSA audit function—is one of the four pillars of a BSA compliance program under 12 CFR 21.21. It requires periodic testing by a party independent of the BSA function (internal audit or an outside consultant) to verify that the transaction monitoring system is working, that SAR decisions are sound, and that the CDD program is adequate.

When payment processing volume grows significantly, the independent testing program should reflect that growth—in frequency, in scope, and in the expertise of testers. The OCC’s finding suggests CFSB’s testing program didn’t keep pace. Neither did staffing: the bank’s BSA personnel weren’t sized for the payment processing volume being reviewed.

This is a common pattern. An institution that built a BSA program for a $200M community bank, then added a fintech payment processing line that now processes hundreds of millions in annual wire and ACH volume, often doesn’t revisit whether its BSA team headcount and its testing budget match its current risk profile. The OCC has seen this at enough institutions that it now asks directly: does your staffing reflect the volume and complexity of your current business?

The SAR Look-Back Problem

The OCC’s requirement that CFSB hire a SAR look-back consultant is worth dwelling on because it illustrates how operational failures compound.

A look-back is not a prospective fix. It’s a retroactive investigation of whether the bank missed reportable suspicious activity over some historical period. The scope is determined by when the monitoring failures began and how far back the OCC needs to go to have confidence in the institution’s historical SAR filing record.

For CFSB, the payment processing line began growing significantly around 2020. If the alert auto-closing and CDD deficiencies date to the early growth period, the look-back scope could cover five or more years of transactions. Every auto-closed alert in scope must be re-evaluated. Where the re-evaluation reveals reportable activity, a SAR must be filed retroactively. The FinCEN filings then become a public matter, and each one is a data point that could lead to additional regulatory or law enforcement inquiry.

This is the cost of letting monitoring gaps accumulate. Fixing the monitoring program prospectively is manageable. The retroactive look-back—which can require months of consultant time and hundreds of thousands of dollars—is the penalty for not catching the gap sooner.

The Operational Risk Frame Most Institutions Are Missing

Most BSA/AML compliance programs are managed by the BSA officer, not by operational risk. That’s appropriate for day-to-day program management. But the failures in the CFSB consent order are operational risk failures—and they need to be visible to the risk function, not just the BSA team.

Consider what an RCSA—a risk and control self-assessment—of the BSA function at CFSB would have surfaced if it had been run rigorously:

  • The transaction monitoring system has not been recalibrated since [year]. The auto-closure rate has not been validated against current business mix. Control: not effective.
  • CDD documentation for payment processing customers does not include expected transaction patterns. The baseline for what’s “normal” is not documented. Control: not effective.
  • BSA staffing is [X] FTEs against a transaction volume of [Y] wires and [Z] ACH transactions annually. Staffing has not increased since [year] despite volume growing [%]. Control gap identified.
  • Independent testing was last conducted [date]. The scope did not include the payment processing line, which now represents [%] of total transaction volume. Control: insufficient.

None of those findings require a regulatory examination to surface. They require someone to ask the question.

Running an RCSA on your BSA/AML program isn’t a box to check for the examiner. It’s how you find out whether the controls that were adequate when the program was built still match the risk you’re actually running today. For institutions that have grown payment volume through fintech partnerships, that question has likely never been formally asked.

CFSB is not an outlier in the sponsor bank space. Since 2020, the OCC has intensified scrutiny of fintech-bank partnership models—not because fintech partnerships are inherently problematic, but because rapid growth in these models has repeatedly outpaced the compliance and risk infrastructure that should scale alongside them.

The OCC’s enforcement record in this space includes consent orders against Cross River Bank, Evolve Bank & Trust, Piermont Bank, Choice Financial Group, and Lineage Bank—all involving deficiencies in BSA/AML, third-party oversight, or consumer compliance that the OCC traced back to fintech partnership growth that moved faster than the bank’s program capacity.

CFSB’s consent order follows the same pattern. The payment processing line grew. The monitoring thresholds didn’t change. The CDD program didn’t adapt. The testing scope didn’t expand. The staffing didn’t scale. The regulator eventually arrived and found exactly what it found at the others.

For every institution operating in this space, the relevant question is not “is CFSB’s situation unusual?” It’s: “if an OCC examiner ran a transaction monitoring calibration review against our current payment processing mix tomorrow, what would they find?”

If the BSA/AML KRI metrics you’re tracking don’t include auto-closure rate, alert-to-SAR conversion rate, and CDD documentation rate for payment processing customers, you’re not measuring the controls that matter most for this risk.

So What?

The CFSB consent order is worth reading even if you’re not a sponsor bank, not a community bank, and not in the payment processing business. The operational risk pattern it documents—controls built for one risk profile, business grown into a different one, gap never formally assessed—shows up across BSA/AML, third-party risk, model risk, and virtually every other risk domain in financial services.

The detection mechanism is an RCSA that asks, genuinely, whether controls are effective for the business you’re running today—not the business you were running when the program was built. An RCSA that documents control gaps with specificity, assigns owners, and drives remediation creates a paper trail that demonstrates the institution is managing its risks. One that hasn’t been updated since the business model changed doesn’t.

The OCC found the gap at CFSB. The question for every other institution is whether they find it first.


Sources:

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What did the OCC's consent order against Community Federal Savings Bank require?
The consent order (docketed as AA-ENF-2025-21, publicly released May 21, 2026) required CFSB to: appoint a BSA/AML compliance committee to oversee the order's requirements; submit a written remediation plan within 90 days; engage two outside consultants—including a SAR look-back consultant to review historical transactions where the bank's automated alert system auto-closed alerts that should have been escalated; improve its customer due diligence program; recalibrate the automated suspicious activity alerting system for its actual payment processing risk profile; and develop an adequate independent testing program with sufficient BSA staffing. The order does not include a monetary penalty.
What BSA/AML violations did the OCC cite against Community Federal Savings Bank?
The OCC cited violations of three provisions: 12 CFR 21.21 (the BSA/AML program rule requiring financial institutions to develop and maintain an effective BSA/AML compliance program); 12 CFR 163.180(d) (the suspicious activity reporting violation, for failing to identify and report suspicious transactions); and 31 CFR 1010.520(b)(3), the USA PATRIOT Act's information sharing requirement. The USA PATRIOT Act violation is notable—CFSB failed to determine whether it held correspondent accounts for foreign financial institutions, a threshold obligation that triggers enhanced due diligence requirements.
Does this enforcement action mean the OCC is targeting crypto-related fintech partnerships?
The OCC's consent order explicitly states that its findings are 'based on concerns largely unrelated to customers involved in digital assets activities.' The deficiencies found were in CFSB's payment processing line broadly—not specifically in its Crypto.com relationship or its handling of digital asset customers. The order relates to payment velocity growing faster than the monitoring, CDD, and staffing infrastructure that should accompany it. Institutions growing payment processing through any fintech partnership—crypto-adjacent or not—face the same underlying risk.
What does 'alert auto-closing' mean and why did the OCC flag it?
Most transaction monitoring systems generate alerts when transactions match certain patterns—high-volume wire activity, cross-border transfers, unusual transaction timing. Banks then triage these alerts: some are investigated and reported as SARs, others are closed after review as not suspicious. Alert 'auto-closing' refers to system logic that automatically closes certain alerts without human review—based on thresholds, customer type, or other criteria built into the monitoring platform. The OCC found CFSB's auto-triage logic was closing 'a very high percentage' of alerts that should have been escalated for manual review. This is an operational risk failure: the bank was generating alerts but suppressing the signal before a human ever saw it.
What is a SAR look-back and when is one required?
A SAR look-back is a retrospective review of historical transactions to determine whether suspicious activity that should have been reported to FinCEN was missed—either because the monitoring system auto-closed alerts that warranted investigation, or because the bank's SAR decision-making process failed to identify and report reportable transactions. The OCC required CFSB to hire an independent consultant specifically to conduct this look-back. Banks required to perform look-backs face significant operational burden: all transactions in scope must be re-evaluated against current SAR policies, and any previously missed suspicious activity must be reported to FinCEN. Look-backs are typically required when regulators find systemic monitoring or reporting failures, not isolated lapses.
What should fintech sponsor banks do if their payment processing volume has grown significantly since they last calibrated their monitoring system?
Three immediate actions: First, request current transaction monitoring calibration reports from your compliance team or BSA officer—specifically the auto-closure rate, alert-to-SAR conversion rate, and the percentage of alerts closed without investigation. If those numbers haven't changed substantially despite growing volume, the system is probably not being recalibrated. Second, assess your BSA staffing against current transaction volumes—the OCC has consistently found that BSA staffing grows at a fraction of the rate of transaction volume in high-growth payment processing contexts. Third, review your CDD documentation for your highest-volume payment processing customers to confirm you understand what transactions are expected and why. These are the three areas the CFSB consent order identified as deficient.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

RCSA (Risk & Control Self-Assessment)

141 pre-populated fintech risks with control assessments, questionnaire framework, and testing calendar.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.