OCC Bulletin 2016-13 | April 27, 2016
Communications Technology: Guidance for Banks' Maintenance of Records, Records Retention, and Examiner Access
Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Department and Division Heads, All Examining Personnel, and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to remind national banks and federal savings associations (collectively, banks) of their obligations related to the maintenance of records, records retention, and examiner access to records. The OCC has become aware of communications technology recently made available to banks that could prevent or impede OCC access to bank records through certain data deletion or encryption features. Use of communications technology in this manner is inconsistent with the OCC’s expectations regarding data retention and availability.
Note for Community Banks
This guidance applies to all OCC-supervised banks.
This guidance reminds banks that
- the OCC has full and unimpeded access to a bank’s books and records pursuant to its authority in 12 USC 481 (national banks) and 12 USC 1464(d)(1)(B)(ii) (federal savings associations).
- communications technology should not be used in a way that limits examiner access to bank records.
Maintenance of Records, Records Retention, and Examiner Access
The OCC has authority under 12 USC 481 to require prompt and complete access to all of a national bank’s relevant books, records, or documents of any type.[1] For federal savings associations, the OCC’s authority is under 12 USC 1464(d)(1)(B)(ii).[2] Also included within the scope of its authority is the ability of OCC examiners to communicate freely with a bank’s employees, officers, or directors.[3] To meet their supervisory responsibilities, OCC examiners need timely access to bank records and need to communicate freely with bank personnel.
The OCC supports responsible innovation in the banking industry that is consistent with OCC expectations and safe and sound banking practices. Certain available communications technology contains data deletion and encryption features that can be used to prevent or impede OCC access to a bank’s books and records. For example, the OCC is aware that some chat and messaging platforms have touted an ability to “guarantee” the deletion of transmitted messages. The permanent deletion of internal communications, especially if occurring within a relatively short time frame, conflicts with OCC expectations of sound governance, compliance, and risk management practices as well as safety and soundness principles.
Bank management must ensure that its adoption of any communications technology continues to allow for examiner access to appropriate bank records. Record retention practices that are consistent with OCC expectations will enhance effective oversight by banks’ compliance and internal audit functions as well as comply with established governance, compliance, and risk management practices.
Please contact Lisa Vojtecky, Acting Director for Governance and Operational Risk Policy, at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk
[3] Failure to provide timely access, or efforts by the board of directors or bank management to impede the bank staff’s ability to provide such access, may result in enforcement action. Furthermore, examination obstruction may subject individuals to criminal prosecution. Refer to 18 USC 1517, “Obstructing Examination of Financial Institution.”