Sutton Bank
Outcome
Sutton Bank entered an FDIC consent order on February 1, 2024 for BSA violations and unsafe banking practices related to its prepaid card and fintech partner operations, requiring a comprehensive AML/CFT program overhaul and a CIP lookback review of all customers onboarded since July 2020.
Details
Sutton Bank — BSA/AML and Fintech Partnership Violations (2024)
Outcome: Attica, Ohio-based Sutton Bank entered a 10-page FDIC consent order on February 1, 2024 for Bank Secrecy Act violations and unsafe or unsound banking practices stemming from its banking-as-a-service prepaid card operations, with no stated monetary penalty but extensive remediation obligations.
Sutton Bank, headquartered in Attica, Ohio, operated a significant prepaid card business through fintech third-party partnerships. The FDIC's consent order (FDIC-23-0110b), issued February 1, 2024, charged the bank with unsafe or unsound banking practices and violations of the Bank Secrecy Act related to how it managed its fintech partner relationships, particularly around customer identity verification and suspicious activity monitoring.
The order's primary deficiency was Sutton's failure to maintain adequate customer identification procedures for customers onboarded through its third-party prepaid card partnerships. The FDIC directed the bank to conduct a "CIP lookback review" of all customers onboarded since July 1, 2020, to ensure the bank actually knew the true identities of those customers — a requirement reflecting that the bank had processed years of transactions without verified customer identity data.
Within 180 days of the order, Sutton was required to implement a fully revised AML/CFT program meeting BSA minimum standards. The bank was also directed to designate dedicated program managers responsible for customer identification programs, transaction monitoring, independent testing, and suspicious activity reporting for each individual fintech partnership. The board was required to maintain at least one BSA officer reporting directly to it and to establish a dedicated board compliance committee to oversee consent order adherence.
The enforcement action, issued the same month as a similar consent order against New York City's Piermont Bank, was part of a broader FDIC pattern of scrutinizing community banks that had rapidly expanded fintech BaaS partnerships without commensurate compliance infrastructure.
Primary Source: FDIC Consent Order FDIC-23-0110b — Sutton Bank (February 1, 2024)
How Crucible Prevents This
Crucible's pre-tool-check would enforce third-party onboarding approval gates before any new fintech partnerships are added. The session-init enforcement hook would surface the existing consent order at the start of every compliance session. Post-edit-check hooks would require evidence of CIP verification before completing any customer onboarding workflow changes.
Don't let this happen to your organization. See how Crucible works.