Date: November 12, 2013
Description: Guidance for Bankers
This bulletin provides guidance and establishes standards that the Office of the Comptroller of the Currency (OCC) uses when it requires national banks, federal savings associations, or federal branches or agencies (collectively, banks) to employ independent consultants as part of an enforcement action to address significant violations of law, fraud, or harm to consumers.
The bulletin describes the OCC’s
- assessment of the need to require a bank to hire an independent consultant in an enforcement action.
- expectations for a bank’s due diligence process when retaining an independent consultant. A bank’s due diligence should establish that the consultant has sufficient independence, capacity, resources, and expertise and that the engagement contracts and work plans adequately address the OCC’s supervisory concerns.
- review of the qualifications of the proposed consultant and the proposed contractual terms of the engagement.
- oversight of the performance of the consultant.
Note for Community Banks
This bulletin applies to any bank subject to an enforcement action in which the OCC requires the bank to hire an independent consultant to address significant violations of law, fraud, or harm to consumers. This bulletin does not apply when the OCC requires the bank to hire a consultant to provide expertise needed to correct operational or management deficiencies. These types of “functional” engagements have been particularly valuable for community banks and do not raise the same level of concerns addressed in this bulletin. In these circumstances, banks should consult OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.”
Background and Scope
The OCC has used its enforcement authority to require banks to retain independent consultants in a significant number of cases and for a variety of purposes. For example, as part of enforcement actions, the OCC has required banks to retain independent consultants to assess the banks’ compliance with legal requirements in cases involving material violations of law. The agency also has required the use of independent consultants when banks are obligated to provide restitution for violations of consumer protection statutes. The OCC has ordered banks of all sizes to retain independent consultants to
- address significant deficiencies with banks’ programs related to compliance with Bank Secrecy Act and anti-money laundering laws and regulations (BSA), including reviews of banks’ BSA staffing, risk assessment, and internal controls. The OCC has also ordered reviews by independent consultants of the adequacy of actions already taken by banks to address the deficiencies in their BSA programs.
- review transaction activity to determine whether banks must file suspicious activity reports (SAR), whether SARs filed by banks need to be corrected or amended to meet regulatory requirements, or whether additional SARs should be filed to reflect continuing suspicious activity. The OCC has ordered similar reviews by independent consultants of banks’ currency transaction reporting.
- address significant consumer law violations, including violations of section 5 of the Federal Trade Commission Act regarding unfair or deceptive practices. Banks have also been required to hire independent consultants to identify affected consumers, monitor payments to such consumers, and provide written reports evaluating compliance with remedial provisions in enforcement actions.
- perform forensic audits in cases where the OCC has concerns about widespread fraud or systemic irregularities in banks’ books and records.
In addition, the OCC has required banks to retain independent consultants to provide expertise needed to correct operational and management deficiencies rather than to address significant violations of law, fraud, or harm to consumers. By retaining consultants to perform these “functional” engagements, banks gain the additional knowledge, experience, and resources required to address deficiencies identified through the supervisory process. These engagements have been particularly valuable for community banks that may lack the necessary expertise and resources to correct the problems on their own.
This bulletin focuses on enforcement actions that require the employment of an independent consultant to address significant violations of law, fraud, or harm to consumers. Because the use of a consultant to perform a functional engagement is not designed to address concerns related to significant violations, fraud, or harm to consumers, the level of OCC review and oversight is generally lower, and some of the concerns addressed in this bulletin—such as maintaining strict independence from bank management—may not be as critical. Nonetheless, the OCC expects a bank to conduct appropriate due diligence to ensure that an independent consultant performing a functional engagement has the necessary expertise and resources to provide the needed services.1
The use of an independent consultant does not absolve bank management or a bank’s board of directors of their responsibility for ensuring that all needed corrective actions are identified and implemented. Moreover, an independent consultant is not a substitute for the supervisory judgment of the OCC. The OCC retains sole responsibility for supervising banks, including overseeing and assessing banks’ compliance with enforcement actions.
OCC Supervisory Expectations and Review of Independent Consultants
OCC Assessment of the Need to Require Independent Consultants in an Enforcement Action
The OCC may require a bank to engage an independent consultant to ensure that independent judgment and the requisite expertise are employed when a bank determines the scope and cause of the underlying issues in an enforcement action or when remedial actions are needed. While the use of an independent consultant can help a bank achieve needed compliance, the OCC retains the final decision in determining whether the bank’s corrective actions are sufficient.
The OCC’s decision to require a bank to engage an independent consultant is an exercise of supervisory judgment and depends on the facts and circumstances of each bank, including examination conclusions. When determining whether to require an independent consultant, the OCC considers, among other factors,
- the severity of the violations or issues, including the impact of the violations on consumers, the bank, or others.
- the criticality of the function requiring remediation.
- confidence in management’s ability to perform or ensure that the necessary actions are taken to identify violations and take corrective action in a timely manner.
- the expertise, staffing, and resources of the bank to perform the necessary actions.
- actions already taken by the bank to address the violations or issues.
- services to be provided by an independent consultant (for example, a full look-back or a validation of the bank’s look-back).
- alternatives to the engagement of an independent consultant.
OCC Review of the Proposed Consultant
When the OCC determines that an enforcement action requires the use of an independent consultant, the OCC requires the bank to submit information regarding the bank’s due diligence, including the proposed independent consultant’s2 qualifications and terms of engagement. This is a submission from the bank to the OCC requesting a written determination of supervisory no objection to the proposed independent consultant and contract. This requirement allows the OCC to assess whether the bank has conducted appropriate due diligence and whether the independent consultant has the requisite independence, expertise, capacity, and resources to satisfactorily complete the engagement. The OCC reviews the engagement contract to determine whether the scope of the work, the resources dedicated to the project, and the proposed timeline for completion are consistent with the enforcement action. The OCC’s determination to grant supervisory no objection to the proposed independent consultant is based on a full review of the matters addressed below and its informed supervisory judgment given the circumstances of the bank and the deficiencies that gave rise to the enforcement action.
The following is further guidance on three primary areas of consideration.
1. Due Diligence Expected of an Institution in Proposing to Use an Independent Consultant
A bank has an obligation to conduct appropriate due diligence before proposing to the OCC to use an independent consultant pursuant to a requirement in an enforcement action. In conducting due diligence, a bank should be guided by OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guide,” as well as by the guidance set forth in this bulletin.
The bank’s submission to the OCC requesting a determination of supervisory no objection to a proposed independent consultant should document its due diligence, including, as appropriate, its evaluation of the qualifications, independence, resources, expertise, capacity, reputation, information security and document custody practices, risk management and reporting, conflicts of interests, and financial viability of the consultant the bank considered. The bank should also require the independent consultant to disclose any professional disciplinary actions; if any have occurred, the bank’s submission should include an evaluation of the impact of such actions on the engagement.
2. Assessing the Independence of the Consultants
As part of its review, the OCC evaluates the bank’s assessment of the independence of the consultant. The objective of this review is to establish that the consultant can perform its work with a high level of objectivity such that the results of the engagement are free of any potential bias and that the work is based on the consultant’s own independent and expert judgment. The OCC’s determination of independence depends on the facts of each case. Any direct conflicts or facts that call into question the independent consultant’s integrity will cause the OCC to disqualify the consultant. Examples of such direct conflicts include the use of a consultant that has previously reviewed the transactions that are to be evaluated in the current review or that has previously assessed the specific policies and procedures related to the violations or practices at issue.
In addition to a direct conflict of interest, a bank should consider whether there is the potential for an appearance of a conflict of interest such that the consultant’s objectivity could be unduly influenced indirectly. In many complex cases, the number of qualified potential consultants may be limited. Accordingly, it may not be possible to ensure that there is no existing or previous relationship with a proposed consultant. In those cases, the OCC considers all material information related to past and present business relationships to ensure that the potential for undue influence does not exist.
The bank’s submission to the OCC should include its assessment of the proposed consultant’s independence by addressing any existing and prior relationships with the bank (and, as appropriate, affiliates or insiders), any potential conflicts of interest, and other relevant factors. The bank should request the independent consultant include in its submissions to the bank assurances that the proposed engagement will not breach any professional restrictions governing conflicts of interest to which it is subject.
When evaluating the independence of a consultant, including whether an actual or potential conflict of interest exists, the bank’s assessments should address, and the OCC considers, among other things, the following factors:
- Scope and volume of other contracts or services provided by the independent consultant to the bank. As part of its submission to the OCC, a bank should disclose all prior work performed by the consultant for the bank for at least the previous three years. This information allows the bank and the OCC to assess the nature of the contracts and whether the consultant has been involved in any work closely related to the engagement under consideration. The information also allows the bank and the OCC to assess whether the number of contracts or services the consultant has had or has with the bank may pose an inherent conflict of interest.
- Specialized expertise of the consultant and availability of other consultants, i.e., whether the bank evaluated other consultants with the requisite expertise and independence.
- Proposed mitigants to address any potential conflict or appearance of conflict. For example, when the proposed consultant already has a contractual relationship with the bank, a mitigant could include the creation or maintenance of effective barriers to the exchange of information by different teams of the proposed consultant with differing responsibilities to the bank. Any proposed mitigant must be well established and documented in the engagement contract as well as in ongoing documentation and practice.
- Any financial relationship, including the amount of fees to be paid, or previously paid to the person or company as a percentage of total revenue of that person or company, and any other financial interest between the bank and the proposed consultant.
- Any business or personal relationship of the consultant, or employees of the consultant, with a member of the board or executive officer of the bank.
- Prior employment of consultant staff by the bank.
- Other relevant facts and circumstances.
No single factor determines the outcome of the OCC’s assessment; rather, the OCC considers these factors collectively with the goal of ensuring that the services provided by the consultant, including its findings and recommendations, are expert and free of bias.
3. Engagement Contract and Work Plan
The OCC will review the proposed engagement contract and work plan to ensure that the terms are consistent with the requirements of the enforcement action. The OCC’s review includes an assessment of the expertise and resources that the independent consultant commits to the engagement.
The bank should ensure the proposed engagement contract it submits for a determination of supervisory no objection guarantees
- compliance with applicable laws and regulations, including those related to the privacy and confidentiality of bank and bank customer information and non-public OCC information.
- maintenance of complete records.
- availability to the OCC upon request of all work papers, analyses, drafts, and reports.
- disagreements about material matters that cannot be resolved between the bank and the consultant are brought to the OCC’s immediate attention.
- ongoing reporting requirements are identified and met.
- the OCC may meet or discuss matters privately with the consultant.
- the conclusions and recommendations provided by the consultant will be based on its own independent and expert judgment, although the consultant may consider the bank’s views.
- the board of directors receives a final report.
- material modifications to the contract, work plan, or staffing must be approved in writing by the OCC.
- the subcontracting of any work covered by the engagement will be submitted to the OCC for a written determination of supervisory no objection.
- the contract shall be terminated by the bank upon written direction from the OCC to the bank without any objection or right of appeal by the consultant.
OCC Oversight of the Engagement
1. Ongoing or Periodic Oversight
The OCC oversees compliance with the enforcement action and therefore the progress of the engagement through its supervisory authority over the bank. The types and frequency of interactions between the OCC, the bank, and the independent consultant depend on the particular facts and circumstances covered by the enforcement action, expertise and resources of bank management, nature of the independent consultant’s engagement, and timeline for completion of the engagement. In establishing the supervisory strategy for evaluating the bank’s compliance with the enforcement action, the OCC evaluates and plans for appropriate and timely monitoring of the independent consultant’s work. Considerations governing the OCC’s monitoring include the
- nature of deficiencies or violations the independent consultant is engaged to identify including with respect to recommendations regarding remediation.
- scope and duration of work.
- potential for and materiality of harm to consumers and the bank.
For example, in some cases the independent consultant plays a limited role in the remedial steps the bank must take to comply with the enforcement action. In such circumstances, the appropriate oversight may involve a limited or moderate level of interaction with the OCC. In other cases, the seriousness of the violation(s) or the complexities involved may require more frequent monitoring and significant interactions among the OCC, the bank, and the independent consultant. These interactions could include periodic reports to and meetings with the OCC to ensure that the engagement is proceeding properly, that management is taking appropriate steps to correct the identified problems, and that the bank has sufficient expertise and appropriate processes to ensure that corrective actions are sustainable.
The OCC may examine the independent consultant’s supporting documentation, analyses, and work papers to ensure that the findings are accurate and complete. If the OCC identifies issues with the scope or progress of the work being performed, the OCC directs the bank to take appropriate remedial actions. In addition, if at any time the OCC determines that the work of the independent consultant is not consistent with the requirements of the enforcement action or the terms of the engagement, the OCC will assess whether to require the parties to modify or terminate the engagement or whether to take other action.
2. Verification or Validation of the Work of the Independent Consultant
As part of the assessment of the bank’s compliance with the enforcement action, the OCC must determine whether the bank has addressed and corrected the violations or deficiencies that formed the basis for the enforcement action. Accordingly, the OCC reviews the independent consultant’s final written report of findings and recommendations to the bank’s board of directors and management. This review gives the OCC the opportunity to assess whether all matters to be reviewed by the independent consultant were adequately addressed. If they were not, the OCC may require that additional work be performed by the bank or the independent consultant.
Once the independent consultant’s final written report and findings have been presented to the bank’s board and reviewed by the OCC, the bank should prepare a plan to address the findings of the independent consultant and to implement the board’s responses. Such plans should be approved by the bank’s board of directors and are subject to OCC review and a written determination of supervisory no objection before they can be implemented. This review allows the OCC to determine whether the underlying violations or deficiencies will be corrected, whether the bank will undertake appropriate remediation as called for in the enforcement action, and whether those corrective actions will be sustainable.3
An independent consultant can play a valuable role in assisting a bank’s management and board of directors in correcting significant violations of law, fraud, or harm to consumers. It is the OCC’s policy to carefully consider whether to require an independent consultant in these cases and, consistent with the standards and processes set forth in this bulletin, to evaluate the consultant’s independence, capacity, resources, and expertise and to monitor the consultant’s performance.
Please direct questions about this guidance to your supervisory office.
John C. Lyons Jr.
Senior Deputy Comptroller and Chief National Bank Examiner
1 Banks should be guided by OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” regarding the selection, contractual requirements, and ongoing relationship with independent consultants.
2 The guidance and standards established by the bulletin apply not only to direct consulting relationships between the bank and the independent consultant but also to any subcontracting consultant. Accordingly, if the proposed independent consultant intends to subcontract any part of the engagement, the bank’s due diligence and assessment of the subcontractor, and the contract with the subcontractor, must be included in the bank’s submission to the OCC.
3 Notwithstanding this review, the enforcement action remains in place until the bank is in compliance with all articles in the action. See PPM 5310-3 (REV), “Enforcement Action Policy,” dated September 9, 2011.