On October 14, the Office of the Comptroller of the Currency (OCC) issued a news release indicating its assessment of an $85M fine against a federal savings bank. The action was based on the bank’s failure to implement and maintain an effective compliance program, as well as its failure to implement an effective IT risk management program.
Per the associated consent order, the bank failed to implement compliance and risk management programs appropriate to its size, risk profile, and complexity. Its compliance programs displayed deficiencies in first-line business units, independent risk management, and internal audits. It further engaged in violations of the Military Lending Act and the Servicemembers Civil Relief Act. In general, the bank’s internal controls and IT systems were found to be out of compliance with OCC guidelines.
This OCC fine is one of multiple recent actions taken by the regulatory body in which IT, operational risk, and data privacy violations play a key role. For example, a national bank was recently fined $60M by the OCC for, among other things, failing to adequately decommission hardware devices and failing to maintain appropriate inventories of customer data stored on decommissioned devices. Similarly, another national bank was recently fined $400M by the OCC for deficiencies related to enterprise-wide risk management, data governance, compliance management, and internal controls.
Banks are advised to recognize how seriously the OCC and other regulatory bodies take the appropriateness and implementation of cybersecurity and data privacy risk management as key elements of overall compliance.
How We Help
ACA provides bank asset management groups engaged in trust, custody, and investment management activities with risk, compliance, cybersecurity, and internal audit consulting services leveraging techniques used by banking regulators and industry leaders. Our consultants have expertise at all levels of the firm, including prior regulatory experience at the OCC.
For More Information
For more information about these fines, or to find out more about ACA’s services for bank asset management groups, please reach out to your regular consultant or contact Roy Kim.