New York-based Metropolitan Commercial Bank (MCB) was assessed nearly $30 million in penalties by federal and state banking regulators for failing to properly oversee a third-party program manager whose prepaid cards were a popular target of fraud during the Covid-19 pandemic.

MCB agreed to pay $15 million as part of a settlement with the New York State Department of Financial Services (NYDFS) and was fined an additional $14.5 million by the Federal Reserve Board, the agencies announced Thursday. The regulators faulted the bank for deficient third-party risk management (TPRM) practices and other Bank Secrecy Act (BSA) violations.

The details: MCB sponsored the MovoCash Digital Prepaid Visa Card Program, which processed government stimulus funds and expanded unemployment insurance benefits during the pandemic. Prior to the start of the pandemic in March 2020, senior compliance staff at MCB were aware the prepaid card program could be vulnerable to fraudulent account openings, according to the NYDFS’s consent order.

“Specifically, senior compliance personnel observed that the primary complaint received by the bank in connection with these programs was that fraud actors opened these prepaid card accounts using another individual’s identity and directed payments, including direct deposit payroll payments and government benefits, onto the fraudulently opened cards,” the NYDFS said. MovoCash claimed to have addressed this and other red flags, which were raised in January 2020, and MCB allegedly took no further steps to verify the enhancements.

With the passage of the CARES Act in March 2020, MCB observed a surge of fraudulent MovoCash account openings. Despite MovoCash’s weak controls and inability to address the issue, MCB continued its relationship with the third party. The bank finally terminated the arrangement in August 2020.

“The bank’s failure to act sooner helped facilitate more than $300 million in pandemic unemployment benefits to be misdirected to the MCB-sponsored MovoCash accounts of unidentified, third-party fraud actors,” said the NYDFS.

Compliance considerations: The Fed’s order requires MCB to improve its customer identification, customer due diligence, and TPRM programs.

The bank was cited for violating the customer identification rules of the BSA and failing to maintain a compliant anti-money laundering program.

The NYDFS faulted MCB further for not immediately reporting the apparent fraud upon discovery.

Bank response: MCB said in a statement it was able to freeze approximately $100 million in fraudulent payments for return to government authorities.

“The imposed fines are covered by a provision taken in prior periods,” the bank said. “Since 2020, the bank has been actively working to enhance its processes and procedures to more effectively and efficiently address the concerns that arose.”