Bank Settles OCC Charges for Risk Management Deficiencies
A federal savings bank settled OCC charges for failing to address deficiencies in its compliance management system, risk governance framework and IT program.
According to the OCC Consent Order, the bank engaged in "unsafe or unsound practices," including those relating to management, earnings, IT, consumer compliance and internal audit. The OCC cited the bank for noncompliance with prior consent orders issued in 2019 and 2022, which required the bank to remediate unsafe or unsound practices.
The bank agreed to, among other things, (i) establish a compliance committee of at least three members, a majority of whom must be independent directors, to monitor and oversee the implementation of remedial actions; (ii) submit a comprehensive action plan within 90 days, detailing remedial actions, specific timelines and accountability for addressing deficiencies; (iii) develop and implement a risk governance framework; (iv) implement a compliance program that identifies and controls consumer compliance risks; (v) establish an IT risk management program; (vi) develop a fraud risk management program to conduct audits and ensure timely suspicious activity reporting; (vii) enhance its oversight of third-party, affiliate and shared service relationships; and (viii) ensure that incentive-based compensation reflects adverse risk outcomes. The bank also agreed that it will not introduce new products or services with medium or high risk without prior approval from the OCC and must assess compliance and operational risks for any changes in membership criteria or service offerings.
The Order remains effective until the OCC determines that all corrective actions have been successfully implemented and verified.
Commentary
In this matter, the Bank's inability, over a five-year period, to satisfy terms specified in prior OCC Consent Orders directed at the Bank's AML compliance program led the OCC to issue this new Consent Order, which imposes significant punitive measures against the Bank. These include requiring the Bank to give prior notice to its Examiner-in-Charge before offering new products or services, and restricting incentive-based compensation that could be paid to certain senior executives.
The OCC Order imposes other important measures, including requiring the Board to appoint a new Compliance Committee of at least three members, the majority of whom are to be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. Among other requirements, the Bank's Board must make sweeping improvements in its AML compliance program, including requiring the Bank to implement a strengthened risk governance framework that meets the safety and soundness guidelines set forth in 12 CFR Part 30 ("Interagency Guidelines"), an enhanced IT risk management program and an improved third-party, affiliate and shared service risk management program.
The Order preserves the OCC's right to impose civil money penalties if the Bank falls short in its compliance with any terms of the new order.