The OCC said that it has directed its examiners and staff to cease screening banks for reputation risk which refers to the risk of potential scandals or any other type of negative publicity that can possibly emerge and negatively impact a bank’s business. The OCC expressed its disagreement with the examination as it placed too much judgmental and discretionary power in the hands of the examiners. Rather, it believes that more focus should be placed on more “transparent risk areas.”

“The OCC’s examination process has always been rooted in ensuring appropriate risk management processes for bank activities, not casting judgment on how a particular activity may fare with public opinion,” said Acting Comptroller of the Currency Rodney Hood. “The OCC has never used reputation risk as a catch-all justification for supervisory action. Focusing future examination activities on more transparent risk areas improves public confidence in the OCC’s supervisory process and makes clear that the OCC has not and does not make business decisions for banks.”

The OCC believes that by getting rid of reputation risk it will maintain strong risk management as well as fair customer treatment. The agency perceives the removal of such an risk assessment will ensure transparency and accountability within the OCC’s operations. According to the agency, the limitation of subjectiveness within the examination will enable the OCC to create a more effective regulatory environment.

OCC’s Move Receives Support From Banking Industry

This move has received much support from the banking industry. Financial Services Forum President and CEO Kevin Fromer called the OCC’s actions an “important step to create a more transparent and effective regulatory environment.” Greg Baer, president and CEO of the Bank Policy Institute added support to the agency’s actions in stating “Bank exams should be transparent and grounded in objective legal standards. This marks meaningful progress in refocusing oversight on material financial risk, rather than reputational risk, operational risk, corporate governance, vendor management and other matters that do not pose a material threat to safety and soundness.”

The OCC emphasized that while it is removing an aspect of the examination it will continue to regulate in a strict and efficient manner. “The removal of references to reputation risk from OCC handbooks and guidance issuances does not alter the OCC’s expectation that banks remain diligent and adhere to prudent risk management practices across all other risk areas,” according to its press release. “The OCC expects to complete its efforts to update its public documents in the coming weeks.”  

The post OCC Eliminates Reputation Risk Examinations for Banks appeared first on Compliance Chief 360.

The OCC initially charged Bank of America based on violations and unsafe practices relating to these programs, including a failure to timely file suspicious activity reports and failure to correct a previously identified deficiency related to its Customer Due Diligence processes. The order also identifies deficiencies in the internal controls, governance, independent testing, and training components of the bank’s BSA compliance program.

The order requires the bank to take corrective actions to enhance its BSA/anti—money laundering (“AML”) and sanctions compliance programs, including the hiring of an independent consultant to assess the bank’s BSA/AML and sanctions compliance programs and conduct reviews to ensure all suspicious activity was appropriately reported.

The OCC found that Bank of America “had a breakdown in its policies, procedures, and processes to identify, evaluate, and report suspicious activity, including the Bank’s systemic failure to ensure that it transaction monitoring system had appropriate thresholds for determining when transaction alerts should trigger a case investigation” and that it “failed to make acceptable substantial progress towards correcting a deficiency related to the Bank’s Customer Due Diligence processes that was previously reported to the Bank by the OCC.”

This settlement should not come as a surprise to investors as Bank of America disclosed in its October filing that it has been in contact with regulators about its compliance programs and could foresee potential enforcement actions charged against the bank.

This settlement represents the OCC’s effort in combatting deficient BSA/AML compliance programs. The OCC recently imposed a $450 million fine against TD Bank for its failure to develop and maintain a BSA/AML program reasonably designed to assure and monitor compliance with the BSA. As a result of the bank’s failure, may criminal groups such as drug cartels used it to launder more than $650 million in drug money.  

The post Bank of America Settles OCC Cease-and-Desist Order Over Compliance Deficiencies appeared first on Compliance Chief 360.

The penalties resulted from the Citi’s failure to resolve its “longstanding” risk management, data governance and internal controls deficiencies at the bank. The OCC said Wednesday that Citi failed “to meet remediation milestones and make sufficient and sustainable progress towards compliance with the 2020 order,” adding that it has amended the order“to ensure Citibank prioritizes the remediation work, including through the allocation of sufficient resources.”

In 2020, the OCC stated that Citi’s risk management policies and internal safeguards had been insufficient for a bank of its size and complexity for several years. The agency also criticized the bank’s senior leadership for providing “inadequate” oversight to ensure these issues were promptly addressed.

The OCC identified shortcomings in Citi’s infrastructure for risk control, data management, and compliance, noting that these flaws had, in some instances, “contributed to violations of law and regulations.” In the two years leading up to the 2020 enforcement action, the OCC fined Citi tens of millions of dollars for issues related to fair lending, flood insurance, and foreclosure holdings.

Citi CEO Jane Fraser said in a statement that there are areas where Citi hasn’t made progress quickly enough, despite progress in other areas such as simplifying the firm and addressing the consent orders. Fraser added that Citi has “intensified” its focus on data quality management over the last several months.

“We will get these areas where they need to be, as we have done in other areas of the transformation. As we’ve said from the beginning of this multi-year effort, we’re committed to spending what is necessary to address our consent orders, as our agreement with the OCC demonstrates,” Fraser said.

Federal Reserve Finds Citi’s Remedial Efforts To Be Inadequate

The Federal Reserve revealed that its assessment of Citi’s compliance program resulted in the discovery of “significant ongoing deficiencies … with respect to various areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management.”

The Fed added that when evaluating Citi’s remediation efforts related to the 2020 order, the agency found that the bank’s progress in executing its plan to enhance its data quality management program inadequate.  

PHOTO BY ANTONIO VERNON, USED UNDER CC BY-SA 3.0

The post Citi Fined by OCC and Federal Reserve for Risk Management Failures appeared first on Compliance Chief 360.

In a separate case, Bank of America is setting aside $200 million to account for fines it expects the Securities and Exchange Commission and the Commodity Futures Trading Commission to impose for failing to monitor the use of unapproved personal devices by employees. The SEC has been looking into whether Wall Street banks have been adequately documenting employees’ work-related communications, such as text messages and emails, during the work-from-home period of the pandemic.

Last week, the Consumer Financial Protection Bureau (CFPB) ordered Bank of America to pay a $100 million penalty that “reflects the severity and scope of the consumer harm caused by the bank’s practices,” the CFPB stated. In a separate action, in coordination with the CFPB, the Office of the Comptroller of the Currency (OCC) fined the bank $125 million to be paid to the U.S. Treasury for violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices.

According to the findings of the CFPB’s investigation, “Bank of America automatically and unlawfully froze people’s accounts with a faulty fraud detection program and then gave them little recourse when there was, in fact, no fraud,” the CFPB stated.

In September 2020 and continuing through mid-2021, Bank of America changed its practices for investigating prepaid debit card fraud on the unemployment insurance benefit accounts, according to the CFPB. Instead of conducting investigations, the bank implemented a fraud filter that “set a low bar to freeze the unemployment insurance benefits of many people, harming thousands of legitimate cardholders needing the money,” the CFPB stated.

“The bank also retroactively applied its fraud filter to deny some notices of error submitted by prepaid debit cardholders that the bank had previously investigated and paid,” the CFPB stated.

Additionally, the bank made it difficult for consumers to unfreeze their prepaid debit cards or report fraudulent use of their cards. Those with unemployment insurance benefit prepaid debit cards could not make reports online or in person at bank branches.

Compliance Deficiencies
The OCC also found several compliance deficiencies, including inadequate risk management practices in both the front-line units and independent risk management, including ineffective oversight, risk assessment, monitoring, and reporting; inadequate internal controls, including those relating to contract management; inadequate oversight, risk management, and monitoring of prepaid card unemployment benefits vendors; and inadequate oversight and coverage by the bank’s independent audit function.

In addition to providing remediation to harmed consumers whose access to unemployment benefits was denied or delayed, the OCC order also requires Bank of America to “perform a comprehensive and holistic risk assessment … that shall address all significant risks to include at a minimum transaction and card volumes and trends; operational risks, including capacity limitations or obstacles with product service or delivery; requisite staffing skills and expertise; compliance with applicable consumer protection and information security laws and regulations; and fraud risk volume, fraud sources, and types of fraud.”

The OCC consent order further orders the bank to conduct a program gap analysis that, at a minimum, “shall address the adequacy of operational controls, fraud investigations, fraud rules and/or strategies, claims intake and processing, accounting practices, complaints management, claims and complaints quality assurance processes, systems and data management, and program vendor risk management.”

Unapproved Communications
The bank is still waiting on final action from the SEC on the improper use of personal devices by BofA employees to conduct official business. Regulators require banks to keep records of all business-related communications. To comply, financial firms typically ban the use of personal email, text messaging, and social media channels for work purposes, although bankers do not always follow those rules.

Late last year, the SEC and the CFTC fined J.P. Morgan Securities $200 million for “widespread” failures to preserve employee communications on personal devices, such as mobile phones, and messaging apps and email systems. Other top banks including Morgan Stanley and Citigroup have also put aside cash to cover similar expected regulatory fines, the banks have stated.

History of Misconduct at Bank of America
Bank of America has a history of misconduct and engaging in fraudulent practices: In April 2014, the CFPB ordered Bank of America to pay $727 million in redress to consumers harmed by the bank’s deceptive marketing and unfair credit card billing practices; In August 2014, Bank of America reached a $16.65 billion settlement—the largest civil settlement with a single entity in U.S. history­—for financial fraud that played a central role in the 2008 financial crisis; and in May 2022, the CFPB ordered Bank of America to pay a $10 million civil penalty for processing illegal, out-of-state garnishment orders against its customers’ bank accounts. 

PHOTO: BANK OF AMERICA (RESIZED), BY MIKE MOZART, USED UNDER CC BY 2.0

Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.

The post BofA Faces $425 Million in Penalties from Two Enforcement Actions appeared first on Compliance Chief 360.

Staffing struggles in the banking industry come at a time when compliance risk remains heightened “as banks navigate the current operational environment, regulatory changes, and policy initiatives,” the OCC stated.

“A lack of access to subject-matter expertise may result in increased compliance and operational risks, particularly if existing compliance processes, controls, testing, and training become subject to funding cutbacks or limitations, or if future compliance management program enhancements and maintenance are delayed,” the OCC stated in its report.

Compliance and operational risk may increase or evolve if banks begin using, or expand their current use of, third parties to support or fill critical compliance roles, “especially if banks do not conduct appropriate due diligence on third parties or select inexperienced or unqualified third parties,” the OCC warned. “Such risk also may increase if banks expand the use of telework either to remain competitive or retain employees; or if they hire from different geographical areas to fill openings.”

Operational risks
The OCC report also discussed elevated operational risks due to evolving cyberattacks. To mitigate cyber risk, banks should “maintain heightened threat and vulnerability monitoring processes and implement more stringent security measures, including the use of multifactor authentication, hardening of systems configurations, and timely patch management,” the OCC advised in its report. “Banks should also consider how to effectively implement, regularly test, and isolate system backups from network connections to provide operational resilience.”

Cyberattacks are also increasingly threatening global supply chains. “These attacks demonstrate the importance of banks assessing the risks emanating from their third parties, inclusive of the supply chain, and developing a comprehensive approach to operational resilience,” the OCC stated.

Climate-related risks
The OCC report also discussed climate-related financial risks facing banks. The OCC said it “views climate-related financial risks as raising significant risk management issues due to their impact on bank safety and soundness and financial stability,” and that it will “continue to monitor the development of climate-related financial risk management frameworks at large banks.”

As banks’ climate-related financial risk management practices continue to evolve, with many still being in their early stages, “bank management should continue to ensure that their public statements about their institutions’ climate risk management efforts are consistent with their institutions’ actions,” the OCC stated. “OCC supervisory activities at these large banks will focus on safety and soundness considerations and integration of climate-related financial risk into bank risk management frameworks.” 

Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.

The post Banks Struggling on Compliance Hiring, Says OCC Report appeared first on Compliance Chief 360.