
Appeal of Composite Rating, Component Rating, Matters Requiring Attention, and Violation of Law (Fourth Quarter 2024)

Background

A bank supervised by the Office of the Comptroller of the Currency (OCC) filed a formal appeal with the Deputy Comptroller, disputing the supervisory office’s (SO) conclusions in its most recent report of examination (ROE). Specifically, the bank appealed the following:

  • Citation of noncompliance with 12 CFR Part 30, Appendix B
  • Matter requiring attention (MRA) for third-party risk management (TPRM)
  • MRA for credit card operations assurance testing and reporting
  • Component rating for management
  • Composite rating

Discussion

The appeal disputed the SO’s conclusions concerning oversight responsibilities for affiliated and unaffiliated third parties. The appeal asserted the bank was not responsible for safeguarding certain customer personally identifiable information accessed through third-party systems. The appeal questioned the citation of noncompliance with 12 CFR 30, Appendix B, and challenged the OCC’s authority to enforce TPRM guidance. The appeal also asserted that extensive due diligence was unnecessary when working with affiliated third parties and claimed that the TPRM MRA was not supported by a fair or accurate assessment. The appeal stated that the bank’s vendor management policy addressed key program elements, such as risk assessments, vendor selection, regulatory compliance, and monitoring, and that these controls were commensurate with the bank’s size and risk profile.

The appeal asserted that the MRA related to credit card operations assurance testing and reporting was based on a misapplication of supervisory standards. The appeal maintained that the bank was not solely responsible for legal compliance related to accounts issued by third parties and that its compliance testing and auditing were commensurate with the size and risk of the portfolio.

The appeal asserted the examination rating downgrades were directly tied to the MRAs and violation of law; therefore, removal of those findings should result in ratings remaining unchanged from the prior examination.

Supervisory Standards

The Deputy Comptroller’s office conducted a comprehensive review of the appeal using the following supervisory standards in effect at the time of the examination:

Conclusions

The Deputy Comptroller concurred with the SO on all issues appealed.

The Deputy Comptroller found that the citation of noncompliance with 12 CFR 30, Appendix B, was appropriate. The bank did not demonstrate adequate oversight of service providers and failed to provide evidence that it was monitoring or conducting due diligence on certain third parties. Discrepancies across vendor lists further underscored gaps in oversight. In addition, the SO appropriately cited an enforceable regulation, not merely supervisory guidance.

The Deputy Comptroller concurred with the MRA related to TPRM. While a vendor management policy existed, the bank had not identified or assessed the risk of all affiliated third-party relationships nor had it demonstrated ongoing supervision. Several third parties were not included on internal vendor lists, and available documentation was insufficient to determine whether risk designations were appropriate. These deficiencies were inconsistent with expectations outlined in OCC Bulletin 2023-17 for continuous oversight of third-party relationships.

The Deputy Comptroller agreed with the issuance of the MRA for credit card operations assurance testing and reporting. The audit function lacked a robust risk assessment, resulting in incomplete audit coverage. The bank’s audit universe omitted key servicing functions, and periodic reporting to the audit committee failed to include details related to regulatory compliance. Outsourcing did not absolve the bank of its responsibilities. Banks remain accountable for complying with applicable laws and fulfilling contractual obligations.

The Deputy Comptroller concurred with the rating of 2 for management. The identified weaknesses in TPRM, internal controls, and audit oversight were inconsistent with the expectations for a 1 rating.

The Deputy Comptroller affirmed the composite rating of 2, concluding that while the bank is fundamentally sound, the identified weaknesses require corrective action by the board and management.