Anchorage Digital Bank Found Deficient in Anti-Money Laundering Compliance
Comptroller: “High standards” apply to traditional and crypto entities alike
Friday, May 13, 2022
By Jeffrey Kutler
Anchorage Digital Bank, which markets itself as “the first federally chartered digital asset bank,” has been ordered by the U.S. national bank regulator to correct anti-money laundering (AML) deficiencies.
The Office of the Comptroller of the Currency (OCC), while officially supportive of fintech and digital asset innovation at the institutions it regulates, “holds all nationally chartered banks to the same high standards, whether they engage in traditional or novel activities,” said acting Comptroller Michael J. Hsu. “When institutions fall short, we will take action and hold them accountable to ensure compliance with federal laws and regulations.”
Per the consent order disclosed on April 21, Anchorage Digital Bank neither admitted nor denied OCC findings that as of 2021 it “failed to adopt and implement” adequate Bank Secrecy Act/AML program elements, “in particular, internal controls for customer due diligence and procedures for monitoring suspicious activity, BSA officer and staff, and training.” Such deficiencies, OCC said, placed the bank in violation of its January 2021 operating agreement with the regulator, which that same month granted conditional approval of Anchorage’s national trust bank charter.
Acting Comptroller Michael Hsu
Taking a position common among digital asset and cryptocurrency ventures seeking regulatory supervision along with clarity in rulemaking, Anchorage issued a statement, reported by CoinDesk, that it “is proud to be held to the same standards as traditional federally chartered banks.” It added: “As the OCC acknowledged in the consent order, we have already been working to strengthen the areas identified and will continue to bolster these areas, reinforcing a new, digital asset standard for internal BSA/AML controls and procedures.”
Reaching for Flexibility
For Anchorage, headquartered in San Francisco and founded in 2017 by former employees of Square (now Block) as a digital asset custodian, the national charter was one of a series of milestones in assembling a multi-service institutional platform. It had a South Dakota charter but sought a federal one to be “on par with other national banks from a regulatory perspective, making it easier for traditional banks to offer highly sought after crypto services through sub-custody arrangements with us,” according to a December 2020 Medium post by general counsel Georgia Quinn.
“Second, a national bank charter would preempt existing piecemeal regulatory structure and certain requirements at the state level, eliminating the need to obtain money transfer licenses on a state-by-state basis,” Quinn wrote. “And third, a national bank charter significantly increases the flexibility of the products and services Anchorage can offer our existing clients.”
A $350 million Series D financing in December 2021 – led by KKR and with participation by Goldman Sachs, Andreessen Horowitz, Wellington Management and others – valued Anchorage Digital at over $3 billion. A month later came the hiring of Rachel Anderika as its crypto bank’s first chief risk officer. She is a former OCC bank examiner and spent eight years with IBM-affiliated consulting firm Promontory Financial Group.
On April 5, Anchorage co-founders Diogo Mónica and Nathan McCauley announced custody support for 11 new digital assets – among them Provenance, ParaSwap, Compound USDC and Compound Ether – saying, “Anchorage will keep improving our ability to support new assets, and we are honored to continue to provide both protocols and institutions the secure and regulated services of our federally chartered bank.”
Wary of Contagion
Since being appointed as acting Comptroller a year ago – a tenure that would end when a permanent Biden administration appointee is confirmed – Michael Hsu has maintained a relatively high profile, speaking frequently on digital assets, community reinvestment, bank mergers and other policy matters (see There’s an Opening at the Top of the OCC, but No Vacuum).
Weighing in recently on stablecoin architecture, for instance, Hsu said, “One question is whether to require all stablecoin issuers to comply with a fixed set of safety and soundness-like requirements (as is the case with banks), or to let them pick from a wider set of licensing options, each with distinct risk-reward tradeoffs. While there are pros and cons to consider, in my experience, the wider the variability, the more likely a risky issuer blows itself up, sparking contagion across peers.”
The Anchorage Digital Bank action came a month after the OCC, in a settlement coordinated with the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), assessed a $60 million civil money penalty against USAA Federal Savings Bank for BSA/AML noncompliance – underscoring Hsu’s message that both traditional and new-wave entities are under scrutiny and being held accountable.
Alleged flouting of AML rules also figured in the U.S. Department of Justice’s prosecution of the co-founders of the BitMEX exchange.
For Anchorage Digital Bank, the OCC’s requirements include creation of a compliance committee with a majority of non-employee board members and regular reporting to the regulator; a BSA/AML action plan specifying corrective actions, timelines and the people responsible for them; a qualified BSA officer with adequate staffing; and active board monitoring of the BSA/AML program and its staffing, customer due diligence, and suspicious activity identification, evaluation and reporting.
The board is to ensure that the bank “revises, adopts, and promptly implements and adheres to acceptable, appropriate risk-based policies and procedures for collecting customer due diligence information when opening new accounts and renewing or modifying existing accounts, and also when events indicate information is missing or incomplete, profiles need to be updated, or activity does not match the customer profile.” A further specification is “ongoing due diligence reviews for higher-risk-profile customers.”
The OCC also calls for a “written data governance program for BSA/AML-related management information systems [that] shall include effective data governance processes to help ensure that risk management-related management information systems are reliable, including information such as transaction volumes, customer risk ratings, customer business types, and suspicious activity monitoring data including alert volumes. The data governance program shall be reviewed at least annually and updated if necessary.”