Consent Order issued by the Office of the Comptroller of the Currency, dated January 24, 2024

EX-10.1 2 d870968dex101.htm EX-10.1 EX-10.1

Exhibit 10.1

UNITED STATES OF AMERICA

DEPARTMENT OF THE TREASURY

OFFICE OF THE COMPTROLLER OF THE CURRENCY

 

 

In the Matter of:

   )   
   )   
Blue Ridge Bank, N.A.    )    AA-ENF-2023-68
Martinsville, VA    )   

 

   )   

CONSENT ORDER

WHEREAS, the Office of the Comptroller of the Currency (“OCC”) has supervisory authority over Blue Ridge Bank, N.A., Martinsville, Virginia (“Bank”);

WHEREAS, the OCC intends to initiate cease and desist proceedings against the Bank pursuant to 12 U.S.C. §§ 1818(b) and (s), through the issuance of a Notice of Charges, for unsafe or unsound practices, failure to correct previously reported problems in violation of 12 U.S.C. § 1818(s), and deficiencies in the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) compliance program which resulted in violations of law, rule, or regulation, including 12 C.F.R. § 21.21 (Bank Secrecy Act/anti-money laundering (BSA/AML) program violation) and 31 C.F.R. § 1020.210(a)(2)(v);

WHEREAS, in the interest of cooperation and to avoid additional costs associated with administrative and judicial proceedings with respect to the above matter, the Bank, by and through its duly elected and acting Board of Directors (“Board”), consents to the issuance of this Consent Order (“Order”), by the OCC through the duly authorized representative of the Comptroller of the Currency (“Comptroller”), which replaces the Formal Agreement dated August 29, 2022; and

NOW, THEREFORE, pursuant to the authority vested in the OCC by Section 8(b) of the Federal Deposit Insurance Act, as amended, 12 U.S.C. § 1818(b), the OCC hereby orders that:

 

1


ARTICLE I

JURISDICTION

(1) The Bank is an “insured depository institution” as that term is defined in 12 U.S.C. § 1813(c)(2).

(2) The Bank is a national banking association within the meaning of 12 U.S.C. § 1813(q)(1)(A), and is chartered and examined by the OCC. See 12 U.S.C. § 1 et seq.

(3) The OCC is the “appropriate Federal banking agency” as that term is defined in 12 U.S.C. § 1813(q) and is therefore authorized to initiate and maintain this cease and desist action against the Bank pursuant to 12 U.S.C. § 1818(b).

ARTICLE II

COMPTROLLER’S FINDINGS

The Comptroller finds, and the Bank neither admits nor denies, the following:

(1) The Bank has failed to establish and maintain a reasonably designed BSA/AML compliance program (“BSA/AML Program”) that adequately covers the required BSA/AML Program components. Deficiencies include: (i) systemic internal controls breakdowns, (ii) weak independent testing, and (iii) insufficient BSA staffing. These deficiencies resulted in a BSA/AML program violation under 12 C.F.R. § 21.21 and additional violations of regulations, including 31 C.F.R. § 1020.210(a)(2)(v).

(2) The Bank has failed to correct problems in its BSA/AML Program that the OCC previously reported to the Bank relating to internal controls, independent testing, and BSA staffing.

 

2


(3) The Bank has engaged in unsafe or unsound practices, including those related to BSA/AML, capital ratios, capital and strategic planning, liquidity risk management, and information technology controls.

ARTICLE III

COMPLIANCE COMMITTEE

(1) The Board shall maintain a Compliance Committee of at least three (3) members of which a majority shall be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. In the event of a change of the membership, the Board shall submit in writing to the OCC’s Assistant Deputy Comptroller within ten (10) days the name of any new or resigning committee member. The Compliance Committee shall monitor and oversee the Bank’s compliance with the provisions of this Order. The Compliance Committee shall meet at least quarterly and maintain minutes of its meetings.

(2) Within thirty (30) days from the submission of the BSA/AML Action Plan pursuant to Article IV below, and thereafter within thirty (30) days after each Compliance Committee meeting, the Compliance Committee shall submit to the Board a written progress report setting forth in detail:

 

  (a)

a description of the corrective actions needed to achieve compliance with each Article of this Order, and the party or parties responsible for the completion of outstanding corrective actions;

 

  (b)

the specific corrective actions undertaken to comply with each Article of this Order; and

 

  (c)

the results and status of the corrective actions.

 

3


(3) Upon receiving each written progress report, the Board shall forward a copy of the report, with any additional comments by the Board, to the Assistant Deputy Comptroller within ten (10) days of the first Board meeting following the Board’s receipt of such report.

ARTICLE IV

BSA/AML ACTION PLAN

(1) Within thirty (30) days from the date of this Order, the Bank shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable written plan detailing the remedial actions necessary to achieve and sustain compliance with the BSA, as amended (31 U.S.C. § 5311 et seq.), the regulations promulgated thereunder, and Articles V through XI of this Order, and to address all BSA/AML deficiencies, violations, and corrective actions communicated to the Bank (“BSA/AML Action Plan”). The BSA/AML Action Plan shall include at a minimum:

 

  (a)

a description of the corrective actions needed to achieve compliance with Articles V through XI of this Order;

 

  (b)

timelines as required by this Order for completing the corrective actions required by of Articles V through XI of this Order; and

 

  (c)

the person(s) responsible for completing the corrective actions required by Articles V through XI of this Order.

(2) The timelines contained in the BSA/AML Action Plan shall be consistent with any deadlines set forth in this Order, including any modifications to the Order pursuant to Article XVIII, Paragraph 6.

(3) In the event the Assistant Deputy Comptroller requires changes to the BSA/AML Action Plan, the Assistant Deputy Comptroller shall provide written notice of the required changes, and the Bank shall promptly incorporate the required changes into the BSA/AML Action Plan and submit the revised BSA/AML Action Plan to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

 

4


(4) Upon receipt of a written determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall timely adopt the BSA/AML Action Plan and verify that Bank management has timely implemented all corrective actions required by this Order. Bank management, subject to Board review and ongoing monitoring, shall thereafter ensure adherence to the BSA/AML Action Plan, including the timelines set forth within the BSA/AML Action Plan.

(5) The Bank shall not take any action that will cause a significant deviation from, or material change to, the BSA/AML Action Plan. Where the Bank considers a significant deviation from, or material change to, the BSA/AML Action Plan appropriate, the Bank shall submit a revised BSA/AML Action Plan containing the proposed modifications to the Assistant Deputy Comptroller for prior written determination of no supervisory objection. Upon receipt of a written determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall timely adopt the revised BSA/AML Action Plan and verify that Bank management has timely implemented all corrective actions required by this Order. Bank management, subject to Board review and ongoing monitoring, shall thereafter ensure adherence to the revised BSA/AML Action Plan, including the timelines set forth within the revised Action Plan.

ARTICLE V

THIRD-PARTY RISK MANAGEMENT

(1) Within thirty (30) days from the date of this Order, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall implement and thereafter adhere to a written program to effectively assess and manage the risks posed by third-party relationships (“Third-Party Risk Management Program”). Refer to OCC Bulletin 2023-17, “Third-Party Relationships: Interagency Guidance on Risk Management.” The term “third-party relationship” in this Order includes the Bank’s fintech partners and subpartners.

 

5


(2) The Third-Party Risk Management Program shall be commensurate with the level of risk and complexity of the Bank’s third-party relationships and shall, at a minimum, address the following for the Bank’s third-party relationships:

 

  (a)

written policies, procedures, and processes governing the Bank’s third- party relationships that, at a minimum:

 

  (i)

address how the Bank identifies and assesses the inherent risks of the products, services, and activities performed by the third-party relationship, including but not limited to BSA, compliance, operational, liquidity, interest rate risk, counterparty and credit risk as applicable;

 

  (ii)

detail how the Bank selects, assesses, and oversees each third-party relationship;

 

  (iii)

detail the Bank’s strategic plan for providing necessary resources, infrastructure, technology controls, and organizational capabilities to manage each third-party relationship in a safe and sound manner; and

 

  (iv)

establish criteria for Board review and approval of each third-party relationship;

 

6


  (b)

an assessment of BSA risk for each third-party relationship, including risk associated with BSA compliance, money laundering, terrorist financing, and sanctions risk, as well as each third-party relationship’s processes for mitigating such risks and complying with applicable laws and regulations;

 

  (c)

due diligence and risk assessment criteria for selecting and approving each third-party relationship that is appropriate and unique to the particular products, services, and activities provided by the third-party relationship; Refer to OCC Bulletin 2021-40, “Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks”;

 

  (d)

an effective compliance oversight program for third-party relationships to include:

 

  (i)

evaluation of the products, services, and activities offered through the Bank’s third-party relationship for compliance with applicable laws and regulations;

 

  (ii)

an effective internal compliance monitoring program; and

 

  (iii)

a process for addressing any third-party relationship’s activities identified as non-compliant or in violation of applicable laws and regulations;

 

  (e)

ongoing monitoring of third-party relationship’s activities and performance;

 

  (f)

contingency plans for terminating third-party relationship in an effective and timely manner;

 

7


  (g)

documentation, management information systems (“MIS”), and reporting that facilitates Board and management oversight, accountability, monitoring, and risk management associated with third-party relationships;

 

  (h)

an audit plan for independent reviews by a qualified auditor who is independent of day-to-day operations that allows Bank management to assess whether the Bank’s risk management practices align with the Bank’s policies, procedures, and processes. The audit plan must provide for effective independent reviews to assess internal controls as well as IT, compliance, and operational risk associated with third-party relationships;

 

  (i)

evaluation and implementation of adequate staffing to manage third-party relationships, including personnel with the requisite expertise to oversee and manage the risks associated with each third-party relationship; and

 

  (j)

full assessment of contracts with each third-party relationship to ensure the Bank’s interests are protected.

(3) Effective immediately and until the Bank complies with the BSA, the Bank shall not:

 

  (a)

onboard new third-party fintech relationship, sign a contract with a new fintech relationship, or offer new products or services or conduct new activities with or through existing third-party fintech relationship, unless the Board first obtains a written determination of no supervisory objection from the OCC. At a minimum, the Bank shall submit the due diligence package including supporting documentation, any proposed contract, and any management or board committee minutes approving the relationship to the OCC when making such a request.

 

8


(4) Within ten (10) days from the date of this Order, the Bank must provide to the OCC the criteria it is using for end user accounts to be approved for each third-party fintech relationship, including fintech subpartners.

(5) Effective immediately, the Bank must ensure that onboarding of new end user accounts within existing third-party fintech relationships and subpartners complies with BSA/AML requirements. Within ninety (90) days from the date of this Order, the Bank shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection adequate support that BSA/AML risk is effectively controlled for each of the Bank’s existing third-party fintech relationships and subpartners. If the Bank is unable to provide adequate support to the Assistant Deputy Comptroller that such BSA/AML risk is effectively controlled, it must obtain no supervisory objection from the Assistant Deputy Comptroller for each third-party fintech relationship and subpartner to continue onboarding end user accounts.

(6) The Board shall review the effectiveness of the Third-Party Risk Management Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the Third-Party Risk Management Program as needed or as directed by the OCC in writing.

 

9


ARTICLE VI

BANK SECRECY ACT RISK ASSESSMENT

(1) Within ninety (90) days from the date of this Order, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall implement and adhere to an effective written Bank Secrecy Act Risk Assessment Program (“BSA Risk Assessment Program”). The BSA Risk Assessment Program shall ensure BSA compliance risk assessments provide a comprehensive and accurate assessment of the Bank’s BSA compliance risk across all products, services, customers, entities, transaction types, countries or geographic locations of customers and transactions, accounts, and methods the Bank uses to interact with its customers (collectively, “activities”), including all activities provided by or through the Bank’s third-party relationships, and shall include, at a minimum:

 

  (a)

revised and updated policies, procedures, and processes designed to identify, measure, monitor, control, and manage the BSA/AML and Office of Foreign Assets Control (“OFAC”) risk, including risk arising from the Bank’s third-party relationships;

 

  (b)

inclusion of sufficient analysis and documentation to identify: (i) the quantity of risk associated with third-party activities, (ii) any control weaknesses and gaps, (iii) any deficiencies identified during independent testing, and (iv) mitigating factors related to identified weaknesses; and

 

  (c)

policies and procedures for developing accurate MIS reporting, including a Money Laundering Risk report, that provides sufficient information to identify and manage money laundering, terrorist financing, and other illicit finance risks related to the Bank’s third-party relationships.

(2) The Board shall review the effectiveness of the BSA Risk Assessment Program at least annually and more frequently if necessary or if required by the OCC in writing, and amend the BSA Risk Assessment Program as needed or as directed by the OCC in writing. The Board shall document its review in the Board minutes.

 

10


(3) Bank management shall regularly update its money laundering, terrorist financing and other illicit financial activity risk assessment as needed when changes in risk factors, events, or operations occur that result in the existing risk assessment no longer accurately reflecting the Bank’s risk profile. Results of the risk assessment, including updates thereto, shall be timely provided to all relevant business lines across the Bank, the Board, and senior management.

ARTICLE VII

BSA AUDIT PROGRAM

(1) Within ninety (90) days from the date of this Order, the Board shall adopt a revised independent BSA audit program (“BSA Audit Program”) to test the Bank’s compliance with the BSA relative to its risk profile, and the overall adequacy of the Bank’s BSA/AML compliance program. The BSA/AML Audit Program should include an expanded scope and risk-based review of activities conducted through the Bank’s third-party relationships. The BSA Audit Program shall at a minimum, be sufficient to:

 

  (a)

establish an audit plan for independent reviews by a qualified auditor independent from day-to-day operations;

 

  (b)

determine the Bank’s compliance with applicable BSA/AML and OFAC laws, rules, and regulations;

 

  (c)

connect the BSA risk assessment to the scope of audit work performed;

 

  (d)

evaluate the Bank’s adherence to established policies, procedures, and processes, with particular emphasis directed to the Bank’s adherence to its policies for BSA/AML and OFAC compliance;

 

  (e)

establish sufficient audit transaction testing to validate the effectiveness of suspicious activity monitoring processes and support audit findings, particularly in areas of higher risk or concern. Transaction testing methodology must be documented in workpapers by including identification of the control population, sample size, sampling methodology, how the control will be tested, and what constitutes a successful test;

 

11


  (f)

maintain sufficient documentation to support audit findings and conclusions;

 

  (g)

clearly identify audit findings, risk rating findings, and the root cause of findings, and require substantive action that addresses the identified root cause; and

 

  (h)

address and determine whether management took appropriate and timely action to address any deficiencies previously noted by audit staff.

(2) All audits conducted by the internal or external auditor shall be engaged by, reviewed, and approved by the Audit Committee. All reports prepared by internal or external auditors shall be submitted in writing directly to the Audit Committee and reviewed by the Board.

(3) No less than quarterly, the Board or Audit Committee must review any outstanding BSA audit findings and ensure that corrective actions noted in the BSA audit reports are completed in a timely manner.

(4) The Board shall ensure the BSA Audit Program is adequately staffed, with respect to experience level, specialty expertise regarding BSA/AML compliance, and number of individuals employed, to execute the BSA Audit Program fully and promptly.

 

12


ARTICLE VIII

BANK SECRECY ACT COMPLIANCE PERSONNEL

(1) Within ninety (90) days from the date of this Order and no less than annually thereafter, the Board shall ensure that the Bank’s BSA Department is appropriately staffed with personnel that have requisite expertise, training, skills, and authority. The Board shall ensure that the Bank maintains a permanent, qualified, and experienced BSA Officer who shall be vested with sufficient executive authority, time, and resources to fulfill the duties and responsibilities of the position and ensure compliance with BSA/AML and OFAC laws and regulations and safe and sound operation of the Bank. The Board shall ensure the responsibilities of the BSA Officer be limited to overseeing and administering the development and implementation of an effective compliance program under the Bank Secrecy Act and OFAC laws and regulations.

(2) Within ninety (90) days from the date of this Order and no less than annually thereafter, the Board shall review and assess the capabilities and qualifications of the Bank’s BSA Officer and BSA Department staff to perform present and anticipated duties, and determine whether changes will be made, including but not limited to the need for additions to current BSA Department staff. The Board shall document its determinations in writing. The review shall evaluate and consider the effectiveness of the following:

 

  (a)

the leadership, knowledge, training, and skills of the BSA Officer and staff;

 

  (b)

the oversight and governance structures for BSA staff, including whether the Board and Bank management have the necessary knowledge to effectively oversee the Bank’s compliance with the BSA; and

 

13


  (c)

the staffing levels for the BSA/AML compliance function, consistent with the Bank’s money laundering, terrorist financing, and other illicit financial activity risk assessment, including anticipated risks from new or expanded lines of business, products, and services, and the effectiveness of the Bank’s BSA/AML program.

Upon completion, this review must be submitted to the Assistant Deputy Comptroller.

(3) In the event that the BSA Officer position is vacated, the Board shall promptly appoint a new BSA Officer. Prior to appointing a new BSA Officer, the Board shall submit to the Assistant Deputy Comptroller the following:

 

  (a)

the information sought in the “Changes in Directors and Senior Executive Officers” and “Background Investigations” booklets of the Comptroller’s Licensing Manual, together with a legible fingerprint card for the proposed individual;

 

  (b)

a written statement of the Board’s reasons for selecting the proposed officer;

 

  (c)

a written description of the proposed officer’s duties and responsibilities; and

 

  (d)

a written request for no supervisory objection to the proposed new BSA Officer.

(4) The BSA Officer shall provide timely and accurate periodic reporting to the Compliance Committee as established in Article II, Board and senior management about the status of the Bank’s BSA/ AML program, including compliance with the BSA and this Order.

 

14


ARTICLE IX

CUSTOMER DUE DILIGENCE, ENHANCED DUE DILIGENCE, AND HIGH RISK

CUSTOMER IDENTIFICATION

(1) Within sixty (60) days from the date of this Order, the Board shall adopt revised and expanded risk-based policies and Bank management, subject to Board review and ongoing monitoring, shall implement and adhere to revised and expanded risk-based policies, procedures, and processes (“CDD Program”) to obtain and analyze appropriate customer due diligence (“CDD”), enhanced due diligence (“EDD”), and beneficial ownership (“BO”) information for all Bank customers at the time of account opening and on an ongoing basis, and to effectively use this information to monitor and investigate suspicious or unusual activity. The CDD Program, at a minimum, must include:

 

  (a)

Written risk-based policies and procedures for conducting ongoing CDD to enable the Bank to: (i) identify, assess, and evaluate the Bank’s customers for purposes of compliance with the BSA; (ii) develop CDD processes that are commensurate with the Bank’s BSA/AML risk profile, with increased focus on higher risk customers and customer transactions; (iii) understand the nature and purpose of the customer relationship in order to develop a customer risk profile; (iv) collect, maintain, and update customer information for all customers, including information regarding the beneficial owner(s) of legal entity customers; (v) use customer information and the customer risk profile to understand the types of transactions a particular customer would be expected to engage in, and as a baseline against which suspicious transactions are identified; and (vi) conduct ongoing monitoring for the purpose of identifying and reporting suspicious transactions.

 

15


  (b)

effective processes for developing customer risk profiles that identify specific risks of individual customers or categories of customers;

 

  (c)

policies and procedures that define management and staff responsibilities for CDD, including authority and responsibility for decisions to open higher risk accounts and for reviewing and approving changes to a customer’s risk profile, as applicable;

 

  (d)

policies, procedures, and processes to identify customers that may pose higher risk for money laundering or terrorist financing that include whether and/or when, on the basis of risk, it is appropriate to obtain and review additional customer information such as customer’s products, services, and customers;

 

  (e)

policies, procedures, and processes for documenting the Bank’s analysis associated with the due diligence process, including the process for resolving issues when insufficient or inaccurate information is obtained;

 

  (f)

policies, procedures, and processes for determining how customer information, including beneficial ownership information for legal entity customers, is used to meet relevant regulatory requirements, including but not limited to, identifying suspicious activity, identifying nominal and beneficial owners of banking accounts, and determining OFAC sanctioned parties.

 

16


(2) The Board shall ensure that the Bank has processes, personnel, and control systems to implement and adhere to the CDD Program developed pursuant to this Article.

(3) Subject to Board review and ongoing monitoring, management shall ensure the Bank revises, adopts, and promptly implements and adheres to an adequate methodology for properly risk rating customer accounts at account opening and on an ongoing basis, and ensure that customer risk ratings are incorporated in the Bank’s overall risk assessment.

(4) Subject to Board review and ongoing monitoring, management shall conduct periodic risk-based reviews of customers identified as higher risk for money laundering. Upon adoption of the CDD Program, Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the CDD Program and any amendments thereto. The Board shall review the effectiveness of the CDD Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the CDD Program as needed or as directed by the OCC in writing. The Board shall forward a copy of the adopted CDD Program, and any subsequent amendments thereto, to the Assistant Deputy Comptroller within 30 days of adoption.

ARTICLE X

SUSPICIOUS ACTIVITY MONITORING AND REPORTING PROGRAM

(1) Within sixty (60) days from the date of this Order, the Board shall ensure Bank management develops, implements, and adheres to an enhanced written risk-based program, pursuant to 12 C.F.R. § 21.11, to ensure the timely identification, analysis, and suspicious activity monitoring and reporting for all lines of business, including accounts and sub-accounts provided by and through the Bank’s third-party relationships (“Suspicious Activity Monitoring and Reporting Program”).

 

17


(2) The Suspicious Activity Monitoring and Reporting Program shall include, at a minimum, for the Bank’s third-party relationships:

 

  (a)

an assessment/evaluation of the effectiveness of the Bank’s existing policies and procedures for suspicious activity monitoring and reporting, including the effectiveness of the Bank’s existing automated system for suspicious activity monitoring;

 

  (b)

revised and updated policies and procedures for review and documentation of suspicious activity that are commensurate with the Bank’s risk profile, with an action plan for the Bank to address any deficiencies and weaknesses identified with suspicious activity monitoring and reporting;

 

  (c)

procedures and processes for the Bank to quantify the volume of activities and transactions conducted by or through the accounts and sub-accounts of each of the Bank’s third-party relationships;

 

  (d)

procedures and processes that include a review for suspicious activity of cash transactions, Automated Clearing House (ACH), and wire activity conducted through the Bank;

 

  (e)

independent model validation of the Bank’s automated system for suspicious activity monitoring after enhancements are made to address concerns related to suspicious activity monitoring of activities generated by or through the Bank’s third-party relationships;

 

  (f)

standards for timely dispositioning different types of alerts that are reasonable, communicated in writing to relevant staff, and are adhered to by Bank staff;

 

18


  (g)

requirements for the BSA Department staff to consider appropriate CDD information when conducting alert reviews and suspicious activity investigations;

 

  (h)

requirements for the maintenance of adequate documentation to support the disposition of alerts and case investigations;

 

  (i)

procedures for an effective Suspicious Activity Report (“SAR”) decision- making process that require documenting individual decisions on whether to file SARs and key facts supporting each decision to not file a SAR;

 

  (j)

procedures to ensure SARs are filed timely, completely, and accurately, with a sufficient description of the suspicious activity and the basis for filing;

 

  (k)

procedures for reporting continuing suspicious activity and when to escalate issues or problems to the Board or Bank management identified as the result of repeat SAR filings on customers or accounts; and

 

  (l)

any backlogs in the suspicious activity monitoring and reporting program are promptly reported to the Board and management, in writing, for resolution.

(3) The Board shall review the effectiveness of the Suspicious Activity Monitoring and Reporting Program periodically, at a minimum annually, and amend the Suspicious Activity Monitoring and Reporting Program as needed or as directed by the OCC in writing.

 

19


ARTICLE XI

SUSPICIOUS ACTIVITY REVIEW LOOK-BACK

(1) No later than thirty (30) days from the date of this Order, the Bank shall submit to the Assistant Deputy Comptroller, for review and prior written determination of no supervisory objection, a revised action plan (“Revised SAR Look-Back Action Plan”) to conduct an expanded review and provide a written report of the Bank’s suspicious activity monitoring (“SAR Look-Back”). The purpose of the SAR Look-Back is to determine whether SARs should be filed for any previously unreported suspicious activity pursuant to 12 C.F.R. § 21.11. The scope of the SAR Look-Back shall extend to include the review period from September 1, 2022 to August 31, 2023 and include high risk customer activity involving the Bank’s third-party relationships and areas specified in writing by the OCC.

(2) Upon receipt of no supervisory objection to the Revised SAR Look-Back Action Plan, the Bank shall implement the Revised SAR Look-Back Action Plan and complete the SAR Look-Back within the proposed timeframe. Upon completion of the SAR Look-Back, the Bank shall provide a report to the Board, with a copy to the OCC, of any previously unreported suspicious activity identified during the SAR Look-Back and file SARs in accordance with 12 C.F.R. § 21.11. The SAR Look-Back report should also describe:

 

  (a)

the methodologies and tools used in conducting the review;

 

  (b)

the process for investigating customers and customer activities;

 

  (c)

the number and types of customers and accounts reviewed;

 

  (d)

the number of customers that warranted SAR filings or modifications to existing SAR filings; and

 

  (e)

the number of customers where the Bank determined not to file a SAR.

 

20


(3) Based upon the results of the SAR Look-Back, the OCC, at its sole discretion, may expand the scope and time period of the SAR Look-Back.

ARTICLE XII

INFORMATION TECHNOLOGY CONTROL PROGRAM

(1) Within thirty (30) days from the date of this Order, Bank management shall implement and adhere an acceptable written program to effectively assess and manage the Bank’s information technology (“IT”) activities, including those activities conducted through and by the Bank’s third-party relationships (“IT Control Program”).

(2) The IT Control Program shall be commensurate with the level of risk and complexity of the Bank’s IT activities, including those activities conducted through the Bank’s third-party relationships, and shall, at a minimum, address the following:

 

  (a)

an updated effective IT risk governance program that establishes the roles, responsibilities, and accountability of the Board and management, and includes Board oversight of the information technology risk management of the Bank’s third-party relationships;

 

  (b)

an updated effective IT risk assessment process that includes: identification and measurement of risks to information and technology assets, within the Bank and/or controlled by third-party providers; mitigation of risks to an acceptable residual risk level in conformance with the board’s risk appetite; and monitoring risk levels with results reported to the board and senior management;

 

 

21


  (c)

an updated effective written program with standards and controls over data integrity, usage, and storage, including customer data processed and controlled by the Bank’s third-party relationships;

 

  (d)

an updated written, Board-approved, enterprise-wide business continuity management and resiliency process that includes the Bank’s third-party relationships (“Business Continuity Plan”); the Business Continuity Plan shall include a business impact analysis that assesses and prioritizes potential threat and disruption scenarios, including cyber events, based upon their impact on operations and probability of occurrence; periodic enterprise-wide tests; independent assessment of the tests; and, updating the plan regularly as needed; and

 

  (e)

an annual information security program report to the Board that includes a review and analysis of information technology security and risk management related to activities conducted through and by the Bank’s third-party relationships.

(3) The Board shall review the effectiveness of the IT Control Program at least annually, and more frequently if necessary or if required by the OCC in writing, and amend the IT Control Program as needed or as directed by the OCC in writing.

 

22


ARTICLE XIII

STRATEGIC PLAN

(1) Within ninety (90) days from the date of this Order, the Board shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable written strategic plan for the Bank, covering at least a three (3) year period (“Strategic Plan”). The Strategic Plan shall establish objectives for the Bank’s overall risk profile, use of third-party relationships, earnings performance, growth, balance sheet mix, off-balance sheet activities, liability structure, capital and liquidity adequacy, product line development, and market segments that the Bank intends to promote or develop, together with strategies to achieve those objectives. The Strategic Plan shall, at a minimum, include:

 

  (a)

a mission statement that forms the framework for the establishment of strategic goals and objectives;

 

  (b)

an assessment of the Bank’s strengths, weaknesses, opportunities and threats that impact its strategic goals and objectives;

 

  (c)

an identification and assessment of the present and planned product lines (assets and liabilities) and the identification of appropriate risk management systems to identify, measure, monitor, and control risks within the product lines;

 

  (d)

concentration limits commensurate with the Bank’s strategic goals and objectives and risk profile;

 

  (e)

the strategic goals and objectives to be accomplished, including key financial indicators, risk tolerances, and realistic strategies to improve the overall condition of the Bank;

 

  (f)

an evaluation of the Bank’s internal operations, staffing requirements, board and management information systems and policies for their adequacy and contribution to the accomplishment of the strategic goals and objectives developed under paragraph (1)(e) of this Article;

 

23


  (g)

a risk profile that evaluates credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation risks in relation to capital;

 

  (h)

an identification, measurement, monitoring, and control of the Bank’s liquidity risk exposure, emphasizing the importance of cash flow projections, diversified funding sources, a cushion of highly liquid assets, and a formal, well-developed contingency funding plan as primary tools for measuring and managing liquidity risk;

 

  (i)

an assessment of the risks related to uninsured and volatile deposits;

 

  (j)

a management employment and succession plan designed to promote adequate staffing and continuity of capable management;

 

  (k)

a realistic and comprehensive budget that corresponds to the Strategic Plan’s goals and objectives;

 

  (l)

an action plan to improve and sustain the Bank’s earnings and accomplish identified strategic goals and objectives;

 

  (m)

a financial forecast to include projections for significant balance sheet and income statement accounts and desired financial ratios over the period covered by the Strategic Plan;

 

  (n)

assigned roles, responsibilities, and accountability for the strategic planning process; and

 

  (o)

a description of systems and metrics designed to monitor the Bank’s progress in meeting the Strategic Plan’s goals and objectives.

 

24


(2) If there is a change in the initiatives in the Strategic Plan under paragraph (1) of this Article, the Strategic Plan shall, at a minimum, address the steps that shall be taken and the associated timeline to effect the implementation of the alternative necessitated by such change in the initiatives in the Strategic Plan.

(3) Within sixty (60) days following the Board’s receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Strategic Plan or to any subsequent update or amendment to the Strategic Plan, the Board shall adopt and Bank management, subject to Board review and ongoing monitoring, shall immediately implement and thereafter ensure adherence to the Strategic Plan. The Board shall review the effectiveness of the Strategic Plan and update the Strategic Plan to cover the next three (3) year period at least annually, and more frequently if necessary or if required by the OCC in writing. The Board shall amend the Strategic Plan as needed or as directed by the OCC in writing. Any update or amendment to the Strategic Plan must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

(4) The Bank may not initiate any action that significantly deviates from a Strategic Plan (that has received written determination of no supervisory objection from the Assistant Deputy Comptroller and has been adopted by the Board) without a prior written determination of no supervisory objection from the Assistant Deputy Comptroller.

(5) Any request by the Bank for prior written determination of no supervisory objection to a significant deviation described in paragraph (4) of this Article shall be submitted in writing to the Assistant Deputy Comptroller at least sixty (60) days in advance of the proposed significant deviation. Such written request by the Bank shall include an assessment of the effects of such proposed change on the Bank’s condition and risk profile, including a profitability analysis and an evaluation of the adequacy of the Bank’s organizational structure, staffing, management information systems, internal controls, and written policies and procedures to identify, measure, monitor, and control the risks associated with the proposed change.

 

25


(6) For purposes of this Article, changes that may constitute a significant deviation include, but are not limited to, a change in the Bank’s markets, marketing strategies, products and services, marketing partners, underwriting practices and standards, credit administration, account management, collection strategies or operations, fee structure or pricing, accounting processes and practices, asset composition and size, or funding strategy, any of which, alone or in the aggregate, may have a material effect on the Bank’s operations or financial performance; or any other changes in personnel, operations, third-party relationships, or external factors that may have a material effect on the Bank’s operations or financial performance.

(7) Within sixty (60) days after the end of each quarter after the Strategic Plan has been adopted, a written evaluation of the Bank’s performance against the Strategic Plan shall be prepared by Bank management and submitted to the Board. Within thirty (30) days after submission of the evaluation, the Board shall review the evaluation and determine the corrective actions the Board will require Bank management to take to address any identified shortcomings. The Board’s review of the evaluation and discussion of any required corrective actions to address any identified shortcomings shall be documented in the Board’s meeting minutes. Upon completion of the Board’s review, the Board shall submit to the Assistant Deputy Comptroller a copy of the evaluation as well as a detailed description of the corrective actions the Board will require the Bank to take to address any identified shortcomings.

 

26


ARTICLE XIV

CAPITAL PLAN AND HIGHER MINIMUMS

(1) Effective as of the date of this Order, the Bank shall achieve and thereafter maintain the following minimum capital ratios as defined in 12 C.F.R. § 3.10(b) and as calculated in accordance with 12 C.F.R. Part 31:

 

  (a)

a total capital ratio at least equal to thirteen percent (13%); and

 

  (b)

a leverage ratio at least equal to ten percent (10%).

(2) Notwithstanding any election to use the community bank leverage ratio (“CBLR”) framework under 12 C.F.R. § 3.12, the Bank is subject to the minimum capital levels prescribed in paragraph (1) of this Article pursuant to the OCC’s authority to impose affirmative corrective actions pursuant to 12 U.S.C. § 1818(b)(6). If the Bank elects to use the CBLR framework, it must demonstrate compliance with the minimum capital levels prescribed in paragraph (1) of this Article by completing Schedule RC-R to the Consolidated Reports of Condition and Income in accordance with the instructions for Banks that have not made the CBLR framework election in addition to Schedule RC-R, CBLR.

(3) The requirement in this Order to meet and maintain a specific capital level for any capital measure means that the Bank may not be deemed to be “well capitalized” for purposes of 12 U.S.C. § 1831o and 12 C.F.R. Part 6, pursuant to 12 C.F.R. § 6.4.2

 

 

1 

For purposes of the capital conservation buffer set forth at 12 C.F.R. § 3.11, the Bank’s minimum total capital ratio, minimum tier 1 capital ratio, and minimum common equity tier 1 capital ratio requirements are deemed to be those that are set forth in 12 C.F.R. § 3.10.

2 

The Bank may not solicit, accept, renew, or roll over any brokered deposit (as defined in 12 C.F.R. § 337.6(a)(2)) except in compliance with the applicable restrictions of 12 U.S.C. § 1831f and 12 C.F.R. § 337.6.

 

27


(4) Within ninety (90) days from the date of this Order, the Board shall submit to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection an acceptable written capital plan for the Bank, consistent with the Strategic Plan required by Article XIII, covering at least a three (3) year period (“Capital Plan”). Refer to “Capital and Dividends” booklet of the Comptroller’s Handbook.

(5) The Bank’s Capital Plan shall, at a minimum:

 

  (a)

include specific plans for the achievement and maintenance of adequate capital, which shall in no event be less than the requirements of paragraph (1) of this Article;

 

  (b)

identify and evaluate all material risks;

 

  (c)

determine the Bank’s capital needs in relation to material risks and strategic direction in connection with the Strategic Plan required by Article XIII;

 

  (d)

identify and establish a strategy to maintain capital and strengthen capital if necessary and establish a contingency or back-up capital plan commensurate with the Bank’s overall risk and complexity;

 

  (e)

include detailed quarterly financial projections which shall be consistent with the Strategic Plan required by Article XIII; and

 

  (f)

include specific plans detailing how the Bank will comply with restrictions or requirements set forth in this Order that will have an impact on the Bank’s capital.

(6) Upon the Board’s receipt of the Assistant Deputy Comptroller’s written determination of no supervisory objection to the Capital Plan, the Board shall monitor and oversee the Capital Plan to assess the Bank’s capital adequacy in relation to its overall risks and to ensure maintenance of appropriate capital levels, which shall in no event be less than the

 

28


requirements of paragraph (1) of this Article. Thereafter, management shall implement, and the Board shall verify, no less than annually, adherence to the capital planning process. The capital planning process shall be consistent with safe and sound practices and ensure the integrity, objectivity, and consistency of the process through adequate governance. Refer to the “Capital and Dividends” booklet of the Comptroller’s Handbook. The Board shall document the initial capital planning process and thereafter review and document the capital planning process at least annually or more frequently, if appropriate, or required by the Assistant Deputy Comptroller in writing. Any amendment to the Capital Plan must be submitted to the Assistant Deputy Comptroller for review and prior written determination of no supervisory objection.

(7) The Bank may declare or pay a dividend or make a capital distribution only:

 

  (a)

when the Bank is in compliance with its Board-approved Capital Plan and would remain in compliance with such Capital Plan immediately following the declaration or payment of any dividend or capital distribution;

 

  (b)

when the dividend or capital distribution would comply with 12 U.S.C. §§ 56, 60 and 1831o(d)(1) and 12 C.F.R. § 3.11(a)(4); and

 

  (c)

following the Assistant Deputy Comptroller’s prior written determination of no supervisory objection to the dividend or capital distribution.

(8) At least quarterly, the Board shall review financial reports and earnings analyses that evaluate the Bank’s performance against the goals and objectives established in the Capital Plan, as well as the Bank’s written explanation of significant differences between the actual and projected balance sheet, income statement, and expense accounts, including a description of any extraordinary and/or nonrecurring items. This review shall include a description of the actions

 

29


the Board and management will take to address any deficiencies. At least quarterly, management shall prepare, and the Board shall review, a written evaluation of the Bank’s performance against the Capital Plan, which shall include a description of the actions the Board and management will take to address any deficiencies. The Board’s quarterly reviews and quarterly written evaluations shall be documented in the Board meeting minutes. The Board shall forward a copy of these quarterly reviews and quarterly written evaluations and Board meeting minutes to the Assistant Deputy Comptroller within thirty (30) days of completion of its quarterly reviews and quarterly written evaluations, respectively.

(9) If the Bank fails to achieve and maintain the capital ratios required by paragraph (1) of this Article, or fails to submit a Capital Plan as required by paragraph (4) of this Article, or fails to implement a Capital Plan to which the Assistant Deputy Comptroller has provided a written determination of no supervisory objection, then the Bank may, in the Assistant Deputy Comptroller’s sole discretion, be deemed undercapitalized for purposes of this Order. Following written notification from the Assistant Deputy Comptroller that the Bank is deemed undercapitalized for purpose of this Order, the Bank shall take such corrective measures as the OCC may direct in writing from among the provisions applicable to undercapitalized depository institutions under 12 U.S.C. § 1831o(e) and 12 C.F.R. Part 6. For purposes of this requirement, an action “necessary to carry out the purpose of this section” under 12 U.S.C. § 1831o(e)(5) shall include restoration of the Bank’s capital to the minimum ratios required by paragraph (1) of this Article, and any other action deemed necessary by the OCC to address the Bank’s capital deficiency or the safety and soundness of its operations.

 

30


ARTICLE XV

GENERAL BOARD RESPONSIBILITIES

(1) The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by this Order, and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Order.

(2) In each instance in which this Order imposes responsibilities upon the Board, it is intended to mean that the Board shall:

 

  (a)

authorize, direct, and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by this Order;

 

  (b)

ensure the Bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of this Order;

 

  (c)

require that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from this Order;

 

  (d)

hold Bank management and personnel accountable for executing their duties and responsibilities pertaining to or resulting from this Order;

 

  (e)

require appropriate, adequate, and timely reporting to the Board by Bank management of corrective actions directed by the Board to be taken under the terms of this Order; and

 

  (f)

address any noncompliance with corrective actions in a timely and appropriate manner.

 

31


ARTICLE XVI

WAIVERS

(1) The Bank, by executing and consenting to this Order, waives:

 

  (a)

any and all rights to the issuance of a Notice of Charges pursuant to 12 U.S.C. § 1818;

 

  (b)

any and all procedural rights available in connection with the issuance of this Order;

 

  (c)

any and all rights to a hearing and a final agency decision pursuant to 12 U.S.C. § 1818 and 12 C.F.R. Part 19;

 

  (d)

any and all rights to seek any type of administrative or judicial review of this Order;

 

  (e)

any and all claims for fees, costs, or expenses against the OCC, or any of its officers, employees, or agents related in any way to this enforcement matter or this Order, whether arising under common law or under the terms of any statute, including, but not limited to, the Equal Access to Justice Act, 5 U.S.C. § 504 and 28 U.S.C. § 2412;

 

  (f)

any and all rights to assert these proceedings, the consent to and/or the issuance of this Order, as the basis for a claim of double jeopardy in any pending or future proceedings brought by the United States Department of Justice or any other governmental entity; and

 

  (g)

any and all rights to challenge or contest the validity of this Order.

 

32


ARTICLE XVII

OTHER PROVISIONS

(1) As a result of this Order, pursuant to 12 C.F.R. § 5.51(c)(7)(ii), the Bank is in “troubled condition,” and is not an “eligible bank” for purposes of 12 C.F.R. § 5.3, unless otherwise informed in writing by the OCC.

(2) This Order supersedes all prior OCC communications issued pursuant to 12 C.F.R. §§ 5.3, 5.51(c)(7)(ii), and 24.2(e)(4).

ARTICLE XVIII

CLOSING

(1) This Order is a settlement of the cease and desist proceedings against the Bank contemplated by the OCC, based on the unsafe or unsound practices and violations of law described in the Comptroller’s Findings set forth in Article II of this Order. The OCC releases and discharges the Bank from all potential liability for a cease and desist order that has been or might have been asserted by the OCC based on the practices and/or violations described in Article II of this Order, to the extent known to the OCC as of the effective date of this Order. The OCC expressly reserves its right to assess civil money penalties or take other enforcement actions if the OCC determines that the Bank has continued, or failed to correct, the practices and/or violations described in Article II of this Order or that the Bank otherwise is violating or has violated this Order.

(2) Nothing in this Order, however, shall prevent the OCC from:

 

  (a)

instituting enforcement actions other than a cease and desist order against the Bank based on the Comptroller’s Findings set forth in Article II of this Order;

 

33


  (b)

instituting enforcement actions against the Bank based on any other findings, including if the OCC determines that the Bank has continued, or failed to correct, the practices and/or violations described in Article II of this Order or that the Bank otherwise is violating or has violated this Order;

 

  (c)

instituting enforcement actions against institution-affiliated parties (as defined by 12 U.S.C. § 1813(u)) based on the Comptroller’s Findings set forth in Article II of this Order, or any other findings; or

 

  (d)

utilizing the Comptroller’s Findings set forth in Article II of this Order in future enforcement actions against the Bank or its institution-affiliated parties to establish a pattern or the continuation of a pattern.

(3) Nothing in this Order is a release, discharge, compromise, settlement, dismissal, or resolution of any actions, or in any way affects any actions that may be or have been brought by any other representative of the United States or an agency thereof, including, without limitation, the United States Department of Justice.

(4) This Order is:

 

  (a)

a “cease-and-desist order issued upon consent” within the meaning of 12 U.S.C. § 1818(b);

 

  (b)

a “cease-and-desist order which has become final” within the meaning of 12 U.S.C. § 1818(e);

 

  (c)

an “order issued with the consent of the depository institution” within the meaning of 12 U.S.C. § 1818(h)(2);

 

  (d)

an “effective and outstanding . . . order” within the meaning of 12 U.S.C. § 1818(i)(1); and

 

  (e)

a “final order” within the meaning of 12 U.S.C. § 1818(i)(2) and (u).

 

34


(5) This Order is effective upon its issuance by the OCC, through the Comptroller’s duly authorized representative. Except as otherwise expressly provided herein, all references to “days” in this Order shall mean calendar days and the computation of any period of time imposed by this Order shall not include the date of the act or event that commences the period of time.

(6) The provisions of this Order shall remain effective except to the extent that, and until such time as, such provisions are amended, suspended, waived, or terminated in writing by the OCC, through the Comptroller’s duly authorized representative. If the Bank seeks an extension, amendment, suspension, waiver, or termination of any provision of this Order, the Board or a Board-designee shall submit a written request to the Assistant Deputy Comptroller asking for the desired relief. Any request submitted pursuant to this paragraph shall include a statement setting forth in detail the circumstances that warrant the desired relief or prevent the Bank from complying with the relevant provision(s) of the Order, and shall be accompanied by relevant supporting documentation. The OCC’s decision concerning a request submitted pursuant to this paragraph, which will be communicated to the Board in writing, is final and not subject to further review.

(7) The Bank will not be deemed to be in compliance with this Order until it has adopted, implemented, and adhered to all of the corrective actions set forth in each Article of this Order; the corrective actions are effective in addressing the Bank’s deficiencies; and the OCC has verified and validated the corrective actions. An assessment of the effectiveness of the corrective actions requires sufficient passage of time for the Bank to demonstrate the sustained effectiveness of the corrective actions.

 

35


(8) This Order is not a contract binding on the United States, the United States Treasury Department, the OCC, or any officer, employee, or agent of the OCC and neither the Bank nor the OCC intends this Order to be a contract.

(9) Each citation, issuance, or guidance referenced in this Order includes any subsequent citation, issuance, or guidance that replaces, supersedes, amends, or revises the referenced cited citation, issuance, or guidance.

(10) This Order applies to the Bank and all its subsidiaries.

(11) No separate promise or inducement of any kind has been made by the OCC, or by its officers, employees, or agents, to cause or induce the Bank to consent to the issuance of this Order.

(12) All reports, plans, or programs submitted to the OCC pursuant to this Order shall be forwarded via BankNet to the following:

Aaron Liechenstein, Assistant Deputy Comptroller

Office of the Comptroller of the Currency

(13) The terms of this Order, including this paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements, or prior arrangements between the parties, whether oral or written.

 

36


IN TESTIMONY WHEREOF, the undersigned, authorized by the Comptroller as his duly authorized representative, has hereunto set his signature on behalf of the Comptroller.

 

/s/ Amanda Edwards

  

January 24, 2024

Amanda Edwards    Date
Assistant Deputy Comptroller   
Roanoke Office   

IN TESTIMONY WHEREOF, the undersigned, as the duly elected and acting Board of Directors of Blue Ridge Bank have hereunto set their signatures on behalf of the Bank.

/s/ G. William Beale

  

January 24, 2024

G. William Beale, Director    Date

/s/ Hunter H. Bost

  

January 24, 2024

Hunter H. Bost, Director    Date

/s/ Heather Cozart

  

January 24, 2024

Heather Cozart, Director    Date

/s/ Elizabeth H. Crowther

  

January 24, 2024

Elizabeth H. Crowther, Director    Date

/s/ Mensel D. Dean, Jr.

  

January 24, 2024

Mensel D. Dean, Jr., Director    Date

/s/ Larry Dees

  

January 24, 2024

Larry Dees, Director    Date

/s/ Richard A. Farmar, III

  

January 24, 2024

Richard A. Farmar, III, Director    Date

/s/ Judy C. Gavant

  

January 24, 2024

Judy C. Gavant, Director    Date

/s/ Andrew C. Holzwarth

  

January 24, 2024

Andrew C. Holzwarth, Director    Date

/s/ Otis Jones

  

January 23, 2024

Otis Jones, Director    Date

 

37


/s/ Julien B. Patterson

  

January 23, 2024

Julien B. Patterson, Director    Date

/s/ Randolph N. Reynolds, Jr.

  

January 24, 2024

Randolph N. Reynolds, Jr., Director    Date

/s/ Robert S. Janney

  

January 24, 2024

Robert S. Janney, Director    Date

/s/ Vance Spilman

  

January 24, 2024

Vance Spilman, Director    Date

/s/ William W. Stokes

  

January 24, 2024

William W. Stokes, Director    Date

/s/ Carolyn J. Woodruff

  

January 23, 2024

Carolyn J. Woodruff, Director    Date

 

38