Third-Party Risk Management
In Re: Metropolitan Commercial Bank
Date: Oct. 16, 2023
Issue: Metropolitan Commercial Bank (MCB)’s settlement with the Federal Reserve Board (Fed) and New York Department of Financial Services (NYDFS) over third-party risk management practices.
Case Summary: Metropolitan Commercial Bank agreed to pay $30 million to resolve allegations from the Federal Reserve Board and New York Department of Financial Services that it violated customer identification rules and had deficient third-party risk management practices relating to the bank’s issuance of prepaid card accounts.
MCB sponsored the MovoCash Digital Prepaid Visa Card Program, which processed government stimulus funds and expanded unemployment insurance benefits during the pandemic. According to the Fed’s cease-and-desist order, MCB opened MovoCash accounts for illicit actors, who then used the accounts to collect illegally obtained state unemployment insurance benefits. The Fed alleged that, by opening these prepaid accounts through a third-party program manager without having adequate procedures for verifying each applicant’s true identity, MCB violated customer identification rules of the Bank Secrecy Act.
According to NYDFS, in March 2020, senior compliance staff at MCB knew the prepaid card program was vulnerable to fraudulent account openings. While MovoCash claimed to have addressed red flags in January 2020, the Fed alleged MCB took no further steps to verify the enhancements. As described by NYDFS, “MCB’s failure to act sooner facilitated more than $300 in pandemic unemployment benefits to be misdirected to MCB-sponsored MovoCash accounts of unidentified, third-party fraud actors.”
The Fed’s order requires MCB to improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include: policies and procedures to ensure third-party service providers are complying with federal and state law; a third-party risk management oversight program; policies and procedures to ensure the bank’s chief compliance officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and a comprehensive identity theft prevention program. The Fed also required MCB to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay a $15 million civil monetary penalty, and to submit remediation and program reporting.
Bottom Line: MCB did not admit to or deny the agencies’ findings.