OCC Issues AML Consent Order Against Wise and Crypto.com Sponsor Bank

Federal bank regulators have ordered Community Federal Savings Bank, the small Woodhaven, Queens thrift that processes U.S. dollar payments for Wise and issues the prepaid card behind Crypto.com’s U.S. spending product, to rebuild its anti-money laundering program from scratch. The Office of the Comptroller of the Currency (OCC, the federal agency that charters and supervises national banks and federal savings associations) executed the consent order on April 24, 2026, and disclosed it in the agency’s May enforcement release. The bank reported $866 million in assets and $753 million in deposits as of December 31, 2025.

Six years ago, the OCC signed a formal agreement with the same institution requiring a strategic plan that specifically addressed Bank Secrecy Act (BSA, the federal law requiring financial institutions to detect and report suspicious transactions) and anti-money laundering (AML) risk. The bank wrote the plan. Between 2020 and 2026, it also grew the payment-processing line the plan was supposed to govern. The May 2026 consent order is the consequence of that combination.

What the OCC Found at Woodhaven

The OCC identified systemic breakdowns across four areas of Community Federal’s compliance infrastructure: customer due diligence, suspicious-activity monitoring, independent testing, and BSA staffing. The agency cited three regulations in the OCC’s May 2026 enforcement-actions release: 12 CFR 21.21, the BSA/AML program rule for national banks and savings associations; 12 CFR 163.180(d), the suspicious-activity reporting rule; and 31 CFR 1010.520(b)(3), the Section 314(a) information-sharing requirement under the USA PATRIOT Act. The docket number (AA-ENF-2025-21) indicates the underlying examination concluded during 2025, before the order’s April 24, 2026 execution date.

The OCC said the bank did not understand “the nature of certain of its customers’ businesses and the purpose of the transactions in the payment processing line, including risks related to foreign financial institutions.” In some cases, the bank failed to determine whether it even held correspondent accounts for foreign financial institutions. That threshold question controls whether a bank must apply enhanced due diligence requirements under the PATRIOT Act’s correspondent-banking provisions, a compliance trigger Community Federal was not consistently tracking.

The internal audit function added to the problem rather than catching it. The OCC found Community Federal’s auditor “failed to identify BSA/AML program weaknesses” and did not scope its testing into the bank’s highest-risk business areas. When the feedback loop designed to surface calibration errors in a monitoring system does not function, those errors compound quietly until a regulatory examination makes them visible.

Wise, Crypto.com and the Broader Fintech Roster

Community Federal’s partner list is outsized relative to its balance sheet. The bank provides U.S. dollar routing and account numbers for Wise, the London-based money-transfer company that processes international payments for millions of consumers and businesses. It also issues the physical prepaid card for Crypto.com’s U.S. prepaid card program, a general-purpose reloadable (GPR) card managed by Foris, Inc. and registered in the Consumer Financial Protection Bureau’s prepaid account agreement database. Beyond those two names, Community Federal acts as a payments-sponsor bank for a broader roster of fintech and card-issuing clients not individually identified in the order.

In late 2023, Wise migrated its U.S. dollar account-details service to Community Federal from Evolve Bank and Trust, its previous U.S. sponsor bank. That transition added volume to Community Federal’s payment-processing line at roughly the same period the bank’s compliance program was accumulating the gaps the OCC later cited. The consent order does not restrict new partner onboarding, impose a civil money penalty, or name any officer individually. A bank spokesperson said the order “does not impose restrictions on partner onboarding” and that Community Federal “continues to partner with new and existing fintech clients in a safe and sound manner.” The OCC also specified that its findings are “based on concerns largely unrelated to customers involved in digital assets activities,” drawing a line between the bank’s structural compliance failures and any crypto-specific conduct. What the order does reserve is the OCC’s right to pursue further enforcement on the same factual record, including against the bank’s institution-affiliated parties.

The 2020 Warning and Five Returning Signatories

Community Federal has operated under federal enforcement scrutiny before. An OCC formal agreement signed in February 2020 declared the bank in “troubled condition” and cited “unsafe or unsound practice(s), including those relating to the Bank’s strategic planning processes and earnings.” The agency required Community Federal to create a compliance committee and produce a three-year strategic plan containing, in the OCC’s words, “action plans and time frames to control risks where exposure is high,” with BSA/AML risk identified by name. The bank then grew the payment-processing line that the 2026 order found had outstripped its controls. Five of the seven directors who signed this month’s consent order were present for the 2020 agreement.

The enforcement history stretches further back. Before its functions were absorbed by the OCC, the Office of Thrift Supervision (OTS) issued a cease-and-desist order against Community Federal in 2011, restricting higher-risk lending, requiring a conforming business plan, and ordering revisions to the bank’s suspicious-activity-reporting policies. Three separate federal enforcement actions over roughly 15 years share a common thread: a compliance posture that does not expand commensurately with the institution’s actual business activities.

Other fintech-partner banks have navigated the same sequence. The OCC entered a consent order with Blue Ridge Bank, a Virginia-based institution, in January 2024 over BSA/AML program failures tied to its fintech partnerships, citing systemic internal controls breakdowns, weak independent testing, and insufficient compliance staffing. Blue Ridge ultimately shut down its entire banking-as-a-service (BaaS) program and was freed from that order in November 2025. The Federal Deposit Insurance Corp. (FDIC) entered a separate consent order with Cross River Bank in 2023 over its bank-fintech partnership program and fair lending compliance. Community Federal now sits in the same category of institutions whose growth strategy generated a compliance gap the regulator eventually formalized with a binding order.

Payment Processing Grew; Controls Did Not

Alert Filters Set for the Wrong Risk Profile

Since 2020, the OCC order states, Community Federal “significantly grew its payment processing line, relative to its size, resulting in significant annual wire and ACH (automated clearing house, the electronic network for domestic credit transfers and direct deposits) activity, including cross-border activity involving foreign financial institutions.” Despite that volume growth, the bank’s automated monitoring system ran with filters that were not calibrated to its actual payment-processing risk profile or its expanding international exposure. The system auto-closed a very high percentage of all ingested alerts, a rate the OCC found inconsistent with what a program built for Community Federal’s specific business should be producing.

Automated alert systems in BSA compliance programs are designed to flag potentially suspicious transactions for human review. The threshold at which an alert is auto-closed versus escalated to a compliance analyst is a calibration decision that must reflect the institution’s actual customer base, transaction types, and geographic footprint. Community Federal’s filters, the OCC found, did not account for its fintech and crypto-card partners or the international transaction volume those partnerships generated. Transactions that should have reached a human reviewer were instead closed without one, building a backlog of uninspected activity that an outside SAR (suspicious activity report, a standardized filing banks must submit to the Financial Crimes Enforcement Network when they identify potentially illegal transactions) look-back consultant will now need to assess and potentially correct.

Correspondent Accounts and PATRIOT Act Gaps

A separate gap emerged around correspondent banking. When a U.S. bank holds accounts for foreign financial institutions, it becomes subject to enhanced due diligence requirements under Title III of the USA PATRIOT Act, including verifying the identity of the foreign institution, assessing money-laundering risk in its home jurisdiction, and in some cases identifying beneficial owners. Community Federal, the OCC found, was not consistently determining whether it held such accounts at all. The threshold question for applying enhanced due diligence was going unanswered in parts of the payment-processing operation, which meant the protections those requirements exist to provide were not being applied systematically.

The OCC’s Novel Bank Supervision office, the unit within the agency that oversees institutions with nontraditional business models including fintech-focused banks and payment processors, signed the order through its assistant deputy comptroller. That supervisory unit has been at the center of several of the most significant fintech-bank enforcement actions in recent years. The unit’s involvement signals that this order is being treated as a structural issue within a recognized problem category, not an isolated lapse at an otherwise conventional savings bank. Separately, the OCC’s concurrent proposed rulemaking on AML/CFT program requirements would require all supervised banks to formalize risk-based assessment processes across their full product and customer portfolios. Community Federal is now required to build exactly that under binding order rather than under guidance.

What the Bank Must Rebuild Before August

The OCC’s remediation calendar runs tighter than the bank’s self-described timeline suggests. The consent order sets specific deadlines keyed to its April 24 execution date:

1. Within 15 days: appoint a compliance committee with a majority of independent directors
2. Within 90 days: submit a written action plan describing corrective steps and timelines
3. Hire an outside consultant to conduct an end-to-end review of the entire AML program
4. Hire a second outside consultant to review historical suspicious-activity monitoring and recommend whether the bank should file new SAR look-back reports for previously unreported activity or correct prior filings
5. Build a written customer due diligence program, separately from any existing informal processes
6. Build a separate written program for screening transactions against Section 314(a) information-sharing requests from law enforcement
7. Overhaul the independent testing program to cover high-risk business areas the current auditor did not scope
8. Submit any future BSA compliance officer candidates to the OCC for pre-clearance if the current officer’s position becomes vacant

The order imposes no civil money penalty, no growth cap, and no restriction on new fintech partnerships. The bank’s current BSA compliance officer joined after the examination period underlying the findings, and a spokesperson said that officer “has been instrumental in ongoing remediation efforts.” Community Federal told American Banker it “began enhancing its compliance framework well before the Consent Order was issued” and has made “significant investments” in its systems since mid-2024, with remediation described as “well underway.” The 90-day action plan deadline falls in late July, setting the next formal checkpoint before partners begin asking harder questions about the bank’s recovery schedule. Under the OCC’s community bank BSA/AML examination procedures effective since February 2026, the agency had been moving to reduce routine compliance burden for smaller institutions. Community Federal’s order makes clear that streamlining does not extend to institutions that have already accumulated documented program failures across multiple examination cycles.

A bank spokesperson declined to say whether Community Federal has selected either outside consultant. The look-back examiner’s scope will cover historical alerts the automated system closed without human review, and its recommendations will reach all the way to whether new SARs need to be filed with FinCEN (the Financial Crimes Enforcement Network, the Treasury bureau that maintains the national suspicious-activity report database) for transactions the bank’s system previously passed over without action.

The SAR look-back consultant holds the most consequential variable left in this story. If the review of historically auto-closed alerts produces a large volume of newly recommended filings, the OCC’s reserved right to pursue further enforcement on the same facts becomes a live question rather than a standard reservation in the order’s boilerplate. If the look-back finds the auto-closure rate missed only a small fraction of genuinely suspicious transactions, the bank’s “over the coming months” resolution timeline becomes more credible. Community Federal and its fintech partners will know which version is closer to the truth by the time the 90-day action plan lands on the OCC’s desk in late July.

Disclaimer: This article is for informational purposes only and does not constitute investment, legal, or financial advice. The regulatory status of Community Federal Savings Bank and the terms of the OCC consent order are reported based on public disclosures accurate as of the date of publication. Holders of Wise accounts or Crypto.com prepaid cards with questions about their accounts should consult the relevant financial institutions or a qualified professional.