The OCC recently entered into an $80 million consent order with a national bank for its failure to safeguard consumer financial data. The OCC found that the bank failed to establish appropriate risk assessment and management processes in the transfer and maintenance of consumer financial data on a cloud operating system.
The OCC also found that the internal audit conducted by the bank was inadequate because it failed to uncover exposures associated with the bank’s use of the cloud operating system, including the lack of appropriate network security controls, data loss prevention controls, and alert dispositioning. The audit also failed to effectively report and highlight exposures identified during the review. For certain exposures that were raised by the audit, the OCC found that the bank’s board of directors failed to take timely corrective action to hold bank management accountable. Although the bank agreed to the penalty, it did not admit or deny the OCC’s findings.
As part of the consent order, the bank is to develop a comprehensive action plan that contains remedial measures relating to board and management oversight, risk assessment, cloud operations risk management, independent risk management, internal controls testing, and internal audits. The objectives of these measures are to improve the bank’s monitoring, oversight and reporting functions and risk assessment and management processes.