OCC Consent Order Signals Increased Regulatory Access to Independent Consultant Work Product

The Office of the Comptroller of the Currency's (“OCC’s”) recent Consent Order against Community Federal Savings Bank contains a provision that may warrant close attention from financial institutions that utilize independent consultants to assess compliance, risk management, Bank Secrecy Act/Anti-Money Laundering ("BSA/AML"), or other regulatory programs.

Among other remedial measures, the Consent Order requires the bank to provide the OCC with broad access to materials generated by the independent compliance consultants retained under the Order, including preliminary findings, presentation materials, supporting documentation, and consultant work papers associated with required BSA/AML assessments and remediation efforts. The Consent Order states:

(5) When providing its written report to the Bank, the Program Consultant shall promptly provide a copy of the report to the Assistant Deputy Comptroller. Any presentations made to the Bank regarding the report, or any preliminary or final findings or recommendations contained therein, shall promptly be made to the Assistant Deputy Comptroller, and a copy of any presentation materials shall promptly be provided to the Assistant Deputy Comptroller. All supporting materials and work papers associated with the BSA Program Assessment, as well as personnel of the Program Consultant, shall be made available to the OCC upon written request.

While regulators have long required financial institutions subject to enforcement actions to engage independent consultants and provide final reports and recommendations to supervisory agencies, sometimes including requirements to disclose preliminary drafts, the breadth of this Consent Order – requiring disclosure of the consultant's final conclusions, recommendations, and implementation plans – appears to go beyond many traditional consultant-review requirements, raising several practical considerations for financial institutions.

First, institutions should recognize that independent consultants retained pursuant to a formal enforcement action may increasingly be viewed by regulators as part of the remediation process rather than as confidential advisors engaged for management's benefit. As a result, communications, presentations, and draft analyses prepared during the course of a review may ultimately become subject to supervisory scrutiny.

Second, the prospect of broad regulatory access to consultant work product may affect how institutions structure consultant engagements, document remediation efforts, and coordinate communications among management, consultants, boards of directors, and legal counsel – a complicating dynamic that has a potential unwelcome chilling effect.   All institution personnel who are involved in such matters, whether or not directly with the regulator, will need to carefully consider the wording of their correspondence so as not to create a discoverable record that could have unintended consequences if taken out of context.   Although legal privileges may not limit regulator access to such materials in their exercise of supervisory authority – i.e., for examination purposes – it nevertheless may be best practice to involve legal personnel to guide the scope, content, and flow of correspondence and other materials that may be subject to disclosure in connection with a consultant’s work product.

Third, financial institutions negotiating enforcement-related consultant provisions should carefully consider the scope of any required disclosures. Particular attention should be paid to the treatment of draft materials, work papers, attorney-client privileged communications, consultant interactions with counsel, and other sensitive materials that may not traditionally have been expected to be shared with regulators.   Legal privileges may protect such information from disclosure to third parties in the context of their claims against the institution and broad release of such information to the agency could increase the chance that it will be exposed to discovery by such parties.  

The Consent Order also reflects a broader supervisory trend. In recent years, federal banking agencies have demonstrated an increasing willingness to obtain direct visibility into third-party reviews, validation testing, remediation efforts, and consultant analyses, particularly in areas involving BSA/AML compliance, payments activities, fintech partnerships, third-party risk management, and other operationally complex business lines.

Financial institutions should anticipate continued regulatory focus on the quality, independence, and transparency of consultant-led remediation efforts and should evaluate whether their governance, documentation, and engagement practices are appropriate in light of evolving supervisory expectations.  They will need to cautiously guide and oversee those who prepare and share information relating to a consultant engagement, including institution and consultant personnel who often are motivated by a desire to share information, lack objective awareness of the potential legal consequences of their communications, and are not intimately familiar with requirements in a consulting agreement that seeks to reasonably limit the creation and flow of information that is not essential to the consultant’s (or regulator’s) mission and purpose.  This speaks to the need for a thorough planning-stage discussion among all parties – with appropriate guidance by legal counsel – at the outset of a consulting engagement, whether it is undertaken for a regulatory project or otherwise.

For institutions operating in the fintech, payments, digital assets, or Banking-as-a-Service sectors, the Consent Order serves as a reminder that regulators may expect not only corrective action, but also comprehensive visibility into the process by which that corrective action is developed and validated.

Finally, the provision in the Consent Order may have implications beyond BSA/AML. The same approach could appear in future regulatory enforcement actions involving third-party risk management, fintech partnerships, consumer compliance, operational resilience, cybersecurity, or digital asset activities, where regulators increasingly rely on independent consultants as a supervisory tool rather than merely as advisors to management.  The Consent Order is particularly instructive for financial institutions experiencing significant and rapid growth: The OCC found that since 2020, Community Federal had "significantly grown its payment processing line, relative to its size, resulting in significant annual wire and ACH activity, including cross-border activity involving foreign financial institutions.”  While this growth occurred, the OCC found that the bank’s compliance and payment processing capabilities, while adequate when initially designed, did not keep up, resulting in systemic failures in transaction monitoring, alert disposition, customer due diligence, staffing, and independent testing.  One reflection of this mismatch resulted from the failure of the bank to adequately tune the filtering criteria and thresholds of its automated suspicious activity alerting system to the risk profile of its payment processing line; with deficiencies in the logic, data, and methodology of its automated alert triage system, Community Federal’s system auto-closed a very high percentage of all ingested alerts, including alerts that should have been escalated for further review.

Although financial institutions must oblige their regulators with full examination transparency, the Consent Order indicates that when consultants are brought in to address a deficiency, their presence may require a level of transparency that is effectively the same as if the regulator itself were present for all bank and consultant communications.

For Further Information

If you have any questions about the Consent Order or the utilization of independent consultants generally, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenllp.com, Patrick Quinn at (516) 357-3826 or via email at pquinn@cullenllp.com, Elizabeth A. Murphy at (516) 296-9154 or via email at emurphy@cullenllp.com, David Curatolo at (516) 357-3773 or via email at dcuratolo@cullenllp.com, or Gabriela Morales at (516) 357-3850 or via email at gmorales@cullenllp.com.

This advisory provides a brief overview of the most significant changes in the law and does not constitute legal advice. Nothing herein creates an attorney-client relationship between the sender and recipient.