The OCC and the Federal Reserve Bank (FRB) of New York recently settled with a registered bank holding company and its subsidiary national bank for the failed risk management and internal control programs of the national bank. The national bank will also pay $400 million in civil money penalties.
The OCC identified ongoing deficiencies with the bank’s enterprise-wide risk management and compliance risk management program, in violation of OCC Guidelines. The FRB also identified long-standing deficiencies with its risk management and internal controls, in violation of Regulation YY of the Board of Governors, which had been identified in prior consent orders.
Under the Consent Order with the OCC, the bank will have to submit a Consent Order Action Plan and Data Governance Plan (DGP) based on gaps identified in the Data Governance Gap Analysis Report. The DGP will address how the bank will ensure that the data it collects is accurate, consistent, timely, and complete. The DGP will also include the Enterprise-Wide Risk Management Plan and Compliance Risk Management Plan that address board control and oversight, risk management and mitigation, and internal controls and auditing.
Under the Cease and Desist Order with the FRB, the holding company will submit a plan that describes the bank’s efforts to improve board control and oversight as it relates, in part, to remediation plans and senior management. It will also submit a Gap Analysis Remediation Plan that outlines how it will address the gaps identified in its Gap Analysis. The Gap Analysis Remediation Plan will also address (i) how the bank will enhance its data quality management program, aimed at collecting timely and accurate data; and (ii) how it will enhance its compliance risk management program, which, amongst other things, should identify material risk factors, review and assess its risk management program, and improve risk monitoring and reporting schemes.