Community Federal Savings Bank, the $866 million-asset New York lender that backs Wise’s U.S. dollar accounts and Crypto.com’s prepaid card, is operating under a new OCC consent order for failures across its entire BSA/AML compliance stack.
The OCC’s core finding: the bank’s automated suspicious activity alert system was auto-closing “a very high percentage” of flags that should have triggered escalation. Those thresholds weren’t calibrated for the bank’s actual risk profile, which has grown sharply through payment processing since 2020. The regulator also cited failures in customer due diligence, staffing, and independent testing it called “weak.”
The PATRIOT Act violation adds a second layer. The OCC found Community Federal hadn’t determined whether it held correspondent accounts for foreign financial institutions, meaning the bank didn’t fully understand “the nature of certain of its customers’ businesses,” in the regulator’s own words. When a bank doesn’t know its customers, missed SARs aren’t an anomaly. They’re the expected output.
The OCC’s May 2026 announcement marks the second enforcement action against the bank in six years. The bank landed in “troubled condition” in February 2020 over strategic planning and earnings. That order required a compliance committee and a three-year strategic plan. Apparently, the 2020 plan didn’t build the AML infrastructure that payment processing growth demanded.
For other fintech sponsor banks, this is a read-across worth taking seriously. The OCC’s specific complaint: alert thresholds weren’t tuned to payment processing risk. That applies to any community bank that grew its fintech partner volume without scaling the surveillance infrastructure. Community Federal isn’t unique.
Community Federal has 90 days to submit a remediation roadmap. The bank says investments in its systems started in mid-2024, before the April 24 order was signed.
Marcus Webb