Case Study 2.1: Cornerstone's Eleven-Week Inquiry — Regulatory Architecture Under Stress

The Situation

Organization: Cornerstone Financial Group (fictional)
Regulator: Office of the Comptroller of the Currency (OCC)
Type of review: Targeted supervisory inquiry — AML program
Duration: 11 weeks
Outcome: No significant findings; material compliance burden


Background

The OCC's 2021 examination of Cornerstone Bank NA focused on the bank's AML program. This is standard supervisory practice — the OCC examines AML programs at national banks regularly, with the frequency and intensity calibrated to the bank's risk profile. Cornerstone Bank NA, with approximately $45 billion in assets and a commercial banking book spanning multiple industries and geographies, was subject to enhanced examination intensity.

The examination was triggered by three factors: a routine three-year examination cycle, the bank's recent acquisition of a specialty finance company that served cannabis-adjacent businesses (requiring assessment of whether the AML program adequately covered this higher-risk customer segment), and an industry-wide OCC initiative reviewing whether large bank AML programs were adequately calibrated for model risk — specifically, whether banks could demonstrate that their transaction monitoring scenarios were based on defensible risk assessment rather than legacy configuration.


The Complexity: Multi-Entity, Multi-Jurisdictional AML

The OCC's examination was focused on Cornerstone Bank NA — the US-chartered entity. But the AML program at a conglomerate like Cornerstone does not operate in a vacuum. The OCC examiners, in their preliminary information request, asked for documentation that cut across Cornerstone's entire group structure:

From Cornerstone Bank NA (US): Transaction monitoring system documentation, model risk assessment for monitoring scenarios, SAR filing statistics, enhanced due diligence procedures, beneficial ownership procedures (CTA compliance), training records, and the most recent internal audit findings on the AML program.

From Cornerstone Capital Markets (UK): Evidence of the group AML policy's application to the UK entity, documentation of the UK-specific controls required by the Proceeds of Crime Act 2002 and FCA guidance, and records of coordination with UK law enforcement on SAR filing.

From Cornerstone Securities (US broker-dealer): FINRA AML compliance documentation, broker-dealer specific SAR filing records, and documentation of the securities-specific AML typologies covered by the monitoring program.

From Cornerstone Asset Management (EU/Dublin): Evidence of 6AMLD implementation, beneficial ownership documentation for fund investors, and coordination records between the EU AML Officer and the group compliance function.

The problem: these four entities operated largely separate AML programs, coordinated at the level of group policy but implemented by different teams using different systems with different documentation standards. Assembling a coherent response to the OCC's information request required days of coordination across time zones, multiple systems, and organizational silos that did not normally communicate at this level of granularity.


The Eleven-Week Journey

Weeks 1–2: Information request receipt and triage

The OCC information request arrived on a Tuesday morning and was 23 pages long with 67 separate document requests and 14 "narrative questions" requiring analytical responses. The Chief AML Officer, Maria Santiago, spent the first two days doing nothing but categorizing the requests and identifying which teams would need to respond to which items.

Her assessment: at least 30% of the requested documentation would require production from scratch — it was either not documented in the form requested or was distributed across systems in ways that made aggregation non-trivial. Another 40% existed but would require significant quality review before submission. Only 30% was readily available.

Weeks 3–5: Documentation production

The production phase required 11 full-time equivalent staff over three weeks. This included:
  • Two compliance analysts from Cornerstone Bank NA's AML team, dedicated full-time to the response
  • One analyst from each of the three subsidiary compliance teams, contributing approximately 60% of their time
  • Maria Santiago and two of her direct reports, each contributing 30–50% of their time
  • Two data engineers, pulling and reformatting transaction monitoring data from two different systems
  • External legal counsel (two junior associates and a partner on standby), billing approximately 80 hours in the production period

Weeks 6–8: Quality review and narrative responses

The narrative questions were the most labor-intensive component. The OCC had asked Cornerstone to explain, in detail:
  • The methodology used to develop the bank's transaction monitoring scenarios
  • How scenario calibration was reviewed and updated
  • The statistical basis for the thresholds used in each scenario
  • How the bank assessed the effectiveness of its SAR filing program

Answering these questions accurately required not just documentation of what the bank did but analysis of why it was doing it in the current way — and in some cases, the honest answer was that legacy configurations had been inherited without full documentation of the original rationale.

The legal and compliance team spent two weeks preparing responses that were accurate without being unnecessarily damaging. They disclosed that certain scenario calibration methodology was not fully documented (an important concession) while demonstrating that the underlying approach was sound and that a remediation project was already underway.

Weeks 9–11: Final assembly, review, and submission

The final response ran to 847 pages of analysis, documentation, and supporting evidence. It was reviewed by the Chief Compliance Officer, the Chief Risk Officer, the General Counsel, and — for the executive attestation required — the CEO. The submission was made electronically through the OCC's examination management portal.


The Outcome

The OCC's examination concluded four months after submission. The findings letter identified:
  • No matters requiring immediate attention
  • Three "supervisory observations" (non-binding but requiring written response)
  • Two "recommended actions" (binding, requiring remediation and reporting back)

The two recommended actions:

1. Document the methodology underlying all transaction monitoring scenarios within six months

2. Implement a formal annual review cycle for scenario calibration with documented sign-off

Both had been identified as gaps internally before the examination — the examination simply formalized the expectation.

Total cost of the examination response: Maria Santiago's estimate was $2.1 million in staff time (direct and opportunity cost) and $380,000 in external legal fees.


Discussion Questions

1. The examination response cost approximately $2.5 million in total. The OCC found no significant violations. Was this money well spent? What are the alternatives?

2. The examination required documentation that "cut across" four different entities' AML programs. This is an argument for group-level compliance infrastructure — a shared technology platform, shared documentation standards, shared monitoring systems. What are the trade-offs of group centralization vs. local implementation for a multi-jurisdictional conglomerate?

3. The compliance team had to prepare responses that were "accurate without being unnecessarily damaging." Where is the line between appropriate framing and misleading regulators? What ethical framework governs this?

4. The OCC's recommended action to document scenario methodology was for something that should have been documented from the start. Why do institutions often have gaps in documentation for systems that functionally work? What organizational incentives create these gaps?

5. If you were designing a RegTech solution specifically to address the pain points revealed by this examination, what would it do? Which of the five RegTech families would be most relevant?


Key Concepts Illustrated

  • Multi-entity compliance: The complexity of maintaining consistent compliance standards across an enterprise with multiple regulated entities in multiple jurisdictions
  • Documentation as regulatory obligation: The principle that effective controls must be documented to be demonstrable to regulators
  • Examination response as a business risk: The direct cost and opportunity cost of regulatory examinations
  • The documentation gap: The common pattern of functionally sound controls without adequate underlying documentation
  • Proactive disclosure: The decision to disclose gaps proactively rather than allowing regulators to discover them