On October 16, 2025, the Office of the Comptroller of the Currency (OCC) announced a Formal Agreement against First National Bank of Pasco. The OCC’s summary cites unsafe or unsound practices tied to board oversight and corporate governance, strategic and capital planning, BSA/AML risk management and suspicious activity reporting, plus violations of law and regulation, including 12 C.F.R. § 21.11 (SARs) and 31 C.F.R. § 1010.610 (due diligence for correspondent accounts for foreign financial institutions).
The full, 32-page Agreement (Docket No. AA-SO-2025-46) lays out detailed remedial steps and tight timelines across governance, risk, and BSA/AML program components. If you run or advise a community bank, it’s a must-read because the expectations apply regardless of asset size.
Core takeaways of the new OCC Agreement
Below are the major themes with practical translation for community banks.
1) Board accountability isn’t optional. Document it, staff it, and work it
What the order requires: A Board-level Compliance Committee (majority independent) within 60 days, meeting monthly, producing quarterly progress reports; a written Board Oversight & Corporate Governance Program within 90 days that defines risk appetite/limits, strategic goals, and how the Board evaluates itself, management information, and independence from dominant executives.
Why it matters: Examiners want to see an active, inquisitive Board that engages on risk and leaves a paper trail. Minutes, dashboards, challenge logs, and follow-ups all matter. If “risk” shows up only at audit exit meetings, you’re late.
2) Strategy and capital must fit your risk profile and your controls
What the order requires: A revised Strategic Plan and Capital Plan (three-year horizon) with realistic budgets, stress-aware targets, concentration limits, and quarterly performance evaluations. Any significant deviations from plan require prior supervisory non-objection.
Why it matters: Growth, product expansion, and new partnerships (especially payments or cross-border) must be supported by staffing, systems, data, and controls. The OCC now routinely links strategy to BSA/AML capacity and model risk governance.
3) BSA/AML leadership, staffing, and independence are foundational
What the order requires: Within 90 days, the bank must maintain a qualified, independent BSA Officer with sufficient authority and resources, supported by appropriately skilled staff, and produce regular program reporting to management and the Board. Annual adequacy reviews are mandated and must be documented.
Why it matters: Titles aren’t enough. Examiners look for the authority to say no, budget control, training, and demonstrable impact (e.g., backlog reduction, credible escalation, and metrics that drive decisions).
4) Internal controls: Build the BSA/AML program like a system, not a binder
What the order requires: Within 90 days, adopt a BSA/AML Internal Controls Program with clear lines of authority, monitoring of all relevant products and channels, meaningful alert dispositions, and robust management information reporting.
Why it matters: “Policies on paper” won’t pass. Examiners expect an end-to-end design (data, monitoring, investigations, SARs, QA/validation, reporting) and proof that it works.
5) CDD, risk ratings, and beneficial ownership: Refresh, calibrate, and use
What the order requires: Within 90 days, implement a Customer Due Diligence & Risk Identification Program aligned to 31 C.F.R. § 1020.220 (CIP), CDD, and beneficial ownership rules. It must define risk categories and a method to assign customer risk across the entire relationship, and it must ensure those ratings feed the enterprise BSA/AML risk assessment and monitoring.
Why it matters: Many banks “collect” CDD but don’t use it. The OCC wants a living customer risk profile that informs thresholds, investigative depth, and periodic reviews.
6) SAR program hygiene: Timeliness, quality, and model governance
What the order requires: Within 90 days, a Suspicious Activity Monitoring & Reporting Program covering alert identification/triage standards, complete case files, documented SAR decisions (including why not to file), ongoing monitoring, and procedures for continuing activity SARs. It also calls for ongoing independent validation of alert triggers/parameters and remediation of validation findings, explicitly referencing OCC model risk guidance.
Why it matters: The examiner lens on SARs is sharper than ever: timeliness, narrative quality, and model evidence (data inputs, thresholds, coverage of products/services/geographies) are under the microscope.
7) Independent testing that actually tests
What the order requires: A BSA/AML Audit Program that determines whether the risk assessment captures the bank’s profile, the program meets regulatory requirements, and the SAR process is effective; it references FFIEC guidance and expects testing depth tied to risk.
Why it matters: Checklists are out; risk-based sampling is in. If testing never finds anything material, examiners will question the tester, not the program.
8) Cross-border/correspondent risk: Don’t underestimate “small but complex”
What the order flags: Violations tied to 31 C.F.R. § 1010.610 (due diligence for correspondent accounts for foreign financial institutions). The message is clear: if you have any such exposure, you need bespoke due diligence and monitoring scaled to the actual risk, not the bank’s brand or size.
Why it matters: Community banks that dabble in higher-risk products/partners (payments FinTechs, crypto-adjacent merchants, MSBs, cross-border wires) often underestimate the control lift required.
Five important lessons for community banks
Lesson 1: “We’re small” is not a control
OCC expectations are risk-based, not size-based. If your offerings or partners elevate BSA/AML risk, you need the governance, staffing, data, and models to match. The Formal Agreement reads like a blueprint of what “credible” looks like, even for smaller charters.
Lesson 2: The Board must lead the fix
Deadlines (30/60/90 days) appear throughout the Agreement, with Board-delivered plans, approvals, and quarterly performance reviews. Treat remediation like a capital project: owner, budget, milestones, risk register, and Board reporting.
Lesson 3: Convert CDD into decisions
CDD and customer risk ratings must feed your monitoring rules, investigative depth, QA, and SAR triage. If ratings don’t change alerts or workflow, they’re ornamental and examiners will notice.
Lesson 4: Model governance for AML is mainstream
Independent validation, data lineage, threshold rationale, and backlog governance are now table stakes for AML systems. Build model files like credit risk teams do.
Lesson 5: Cross-border/correspondent exposure needs bespoke controls
A single correspondent relationship or foreign-facing product can change your risk profile overnight. Implement 1010.610 due diligence (and where relevant, EDD under 1010.610(b)) with tailored monitoring and SAR typologies.
An action plan to start this quarter
- Map your risk to reality. Refresh the enterprise BSA/AML risk assessment to reflect current products, partners, and geographies; explicitly link each risk to control owners, systems, and metrics you already have (or need). Put the deltas in a Board-visible remediation plan.
- Resource the BSA Officer. Document the BSA Officer’s reporting line, authority to escalate/stop onboarding, and budget control. Benchmark staffing (analysts, QA, investigators) against alert volumes and case-closure SLAs; include peak traffic and vendor performance.
- Tighten CDD & risk rating mechanics. Define risk categories, calibrate weightings (industry, geography, products, expected activity), and set event-driven refresh triggers (e.g., activity spikes, adverse media hits, ownership changes). Ensure ratings re-tune monitoring thresholds.
- Upgrade SAR program hygiene. Standardize alert disposition codes, require investigators to cite the specific signals reviewed, and enforce timeliness checkpoints. For each “no-SAR” decision, require a short rationale with references. Track repeat filer logic for continuing activity SARs.
- Treat AML scenarios as models. Maintain model inventories, data dictionaries, threshold rationales, back-testing results, and independent validation reports. Track validation findings to closure with due dates and accountable owners.
- Right-size correspondent/foreign risk controls. If you have foreign correspondent exposure, document 1010.610 due diligence: ownership, control, business purpose, expected activity, nested/third-party risks, and termination triggers. Align transaction monitoring scenarios to those patterns.
- Make independent testing bite. Ask internal audit (or external testers) to design risk-based samples that mirror your true exposure (e.g., high-velocity merchants, FinTech partners, cross-border wires) and to test data inputs, scenarios, case files, and SAR narratives end-to-end.
What to tell your team and Board today
- This isn’t a paperwork issue; it’s a systems issue. The OCC’s language is about effectiveness, independence, validation, and outcomes, not just documentation.
- Timelines matter. The Agreement is full of 30/60/90-day deliverables; even if you’re not under an action, adopt similar cadences for your internal plan.
- Your strategy must “buy” the controls. If you pursue higher-risk corridors, partners, or products, expect to fund the data, staffing, and analytics to match, before the examiner asks.
Community banks are absolutely on the radar
The OCC’s October release makes it plain: formal enforcement isn’t reserved for the largest banks, and the bar for BSA/AML governance is consistent across the system. If your bank’s risk profile includes higher-risk products, partnerships, foreign correspondents, or rapid growth, the expectations in this Agreement are the minimum you should benchmark against, even if you never see an enforcement action.