Appeal of Composite Rating, Component Ratings, Risk Assessment System, Matters Requiring Attention, and Other Matters (First Quarter 2024)

Background

A branch supervised by the Office of the Comptroller of the Currency filed a formal appeal with the Ombudsman disagreeing with the supervisory office’s (SO) conclusions noted in the most recent report of examination (ROE). Specifically, the branch appealed the following:

  • Compliance matters
    • Status of matters requiring attention (MRA) for (1) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) risk assessment methodology, (2) sanctions screening system, and (3) foreign correspondent bank customer due diligence and enhanced due diligence.
    • Assessment of the quality of BSA/AML and compliance risk management.
    • Component rating for compliance.
  • Operational matters
    • Status of the internal audit oversight MRA.
    • Assessment of quantity, quality of risk management, and aggregate level of operational risk.
    • Overall assessment of internal controls and audit.
    • Component rating for operational controls.
  • Management matters
    • Assessment of quality of strategic and reputation risk management.
    • Status of management depth and succession MRA.
    • Component rating for risk management.
  • Overall condition matters
    • Assessment of the quality of credit and liquidity risk management and aggregate liquidity risk.
    • Composite rating.

Discussion

Compliance Matters

The appeal disputes the past due status of the BSA/AML and OFAC methodology, sanctions screening system, and foreign correspondent bank customer due diligence and enhanced due diligence MRAs. The appeal argues that the branch made “acceptable substantial progress” with respect to the MRAs.

The appeal disputes the assessment of insufficient quality of BSA/AML risk management. The appeal asserts the branch self-identified and disclosed the alerts backlog and that criticism of the backlog is incorrect. The appeal argues the branch strengthened compliance oversight through various actions and did not receive credit for them in the ROE.

The appeal disagrees with the assessment of weak compliance risk management. The appeal argues that despite the implementation of significant improvements to compliance risk management since the prior ROE, the current ROE noted harsher findings. The appeal states that the internal control pillar violation was unwarranted and asserts that the branch’s self-identification of the backlog of alerts precludes an assessment of weak compliance risk management.

The appeal asserts the compliance rating should not be rated 3 because the comments in the ROE’s compliance section are consistent with a 2 rating. The appeal contends that the branch had strengthened the control environment since the issuance of the prior ROE and the two BSA-related violations are the only basis for the 3 rating.

Operational Matters

The appeal disputes the past due status of the internal audit oversight MRA. The appeal argues that the MRA commitment date was after the as-of date of the examination, so the MRA could not be past due. The appeal further states that the OCC should have proactively extended the commitment date without a formal request from the branch.

The appeal disputes the insufficient rating for internal audit. The appeal states that the internal audit program complies with OCC guidance and the branch did not receive credit for actions taken to strengthen the program.

The appeal disagrees with the weak rating for internal controls. The appeal states that the branch implemented effective internal controls and took significant measures to enhance the system of internal controls.

The appeal disputes the assessment of high quantity and aggregate level of operational risk and weak quality of operational risk management. The appeal argues that weaknesses in risk management have nothing to do with the branch’s financial condition. Furthermore, the appeal states that the financial condition of both the branch and foreign bank were strong.

The appeal disagrees with the operational controls rating of 4. The appeal asserts that insufficient internal audit and information technology do not support downgrading operational controls to 4.

Management Matters

The appeal disagrees with the past due status of the management depth and succession MRA. The appeal asserts that the ROE comments regarding staffing turnover do not reflect the reality of the labor market. The appeal argues that the staffing analysis did not lack independence and a staffing analysis of an executive was not required by the MRA.

The appeal disputes the assessment of weak quality of strategic risk management. The appeal argues branch management did not receive credit for strategic decisions to control growth while enhancing branch risk management capacity.

The appeal disagrees with the assessment of weak quality of reputation risk management. The appeal states that the branch took numerous actions to enhance the compliance management system and contends that the only meaningful reputation risk is the possibility of a public enforcement action.

The appeal disagrees with the risk management rating of 4. The appeal argues that the risk assessment system components of strategic, reputation, operational, and compliance risk should not have been assessed as weak. The appeal also argues that branch management strengthened risk management systems after the prior ROE was issued.

Overall Condition Matters

The appeal disagrees with the assessment of moderate aggregate risk and insufficient quality of risk management for liquidity. The appeal asserts that the enhanced liquidity risk management policy and adherence to liquidity coverage ratios do not support the assessment of liquidity risk.

The appeal disagrees with the assessment of insufficient credit risk management. The appeal asserts the branch enhanced credit risk management by updating the loan policy and developing an independent review process. The appeal argues that the financial capacity assessments were not high level and country risk factors received sufficient consideration in risk ratings.

The appeal disagrees with the composite rating of 4. The appeal argues the rating does not reflect the branch’s efforts to address the findings from the prior supervisory activities. The appeal asserts that the numerical average of component ratings should be the starting place to determine the composite rating, and any deviation from the average must be justified.

Supervisory Standards

The Ombudsman conducted a comprehensive review of the appeal using the following supervisory standards in effect at the time of the examination:

Conclusions

For the sanctions screening system MRA, the Ombudsman did not agree with either the branch or the SO on the status. For all other issues appealed, the Ombudsman concurred with the SO but required additional edits to the ROE for balance and clarity of supervisory concerns.

Compliance Matters

The Ombudsman concurred with the past due status of the MRAs for the BSA/AML and OFAC methodology, sanctions screening system, and foreign correspondent bank customer due diligence and enhanced due diligence. An MRA is past due if the branch did not implement the corrective action within the expected time frame, or if during the validation process, examiners determine that the corrective action is not effective or sustainable. Refer to page 47 of the BSP Handbook.

Branch management had not implemented corrective actions by the commitment date. The ROE noted that the branch made “acceptable substantial progress” in remediating the BSA/AML MRAs. While the conclusion of acceptable substantial progress affects the decision on whether to issue an enforcement action, it does not prevent the SO from assessing the MRAs as past due.

  • The BSA/AML and OFAC risk assessment methodology MRA was past due because branch management had not implemented all corrective actions by the full-scope safety and soundness examination. The risk assessment discrepancies in quantitative data were noted in suspicious activity monitoring alerts and wire clearing transactions.
  • The Ombudsman had previously issued a final agency decision that assessed the sanctions screening MRA as past due.
  • The data management concern from the foreign correspondent bank customer due diligence and enhanced due diligence MRA was past due as of the examination for the ROE due to lack of sufficient staffing.

The Ombudsman concurred with the insufficient quality of risk management rating for BSA/AML. The branch had five outstanding BSA-related MRAs at the time of the examination, including the sanctions screening system MRA. In addition, the ROE cited two BSA-related violations of law, including an internal control pillar violation. Documentation the branch provided during the examination indicated that staffing was the primary cause of the backlog. While the ROE included various statements noting management actions to attempt to strengthen compliance oversight, actions taken did not effectively correct identified issues in the BSA/AML program.

The Ombudsman concurred with the weak quality of compliance risk management. Compliance risk is the risk to current or projected financial condition and resilience arising from violations of laws or regulations, or from nonconformance with prescribed practices, internal bank policies and procedures, or ethical standards. It encompasses not only risk of failure to comply with consumer protection-related laws and regulations but also risk of noncompliance with all laws and regulations. Refer to page 69 of the LBS Handbook.

Branch management did not correct 17 MRAs during the normal course of business and within agreed-upon corrective action dates, and improvements to the compliance risk management program have not proven effective. In addition, the ROE identified two BSA-related violations. Although management identified some compliance deficiencies, this does not mean that weaknesses in risk management do not exist. The assertion regarding the citing of the internal control pillar violation is not an appealable matter given that the Ombudsman previously issued a final agency decision when the SO first cited the violation and agreed with the SO.

The Ombudsman concurred with the compliance rating of 3. A 3 rating indicates deficiencies have produced an atmosphere in which significant compliance problems could and do occur. Refer to page 126 of the BSP Handbook. The ROE cited four new MRAs and two BSA violations, one of which was new. In addition, the Ombudsman concurred that quality of compliance risk management was weak and quality of BSA/AML risk management was insufficient. These findings support a compliance rating of 3. The branch argument that the control environment was strengthened since the previous examination is not supported. The internal control pillar violation is no longer an appealable issue since the Ombudsman previously issued a final agency decision on the issue.

Operational Matters

The Ombudsman concurred with the past due status of the internal audit oversight MRA. The past due status is appropriate when management does not effectively implement corrective actions by the commitment date. Refer to page 136 of the BSP Handbook. While there may sometimes be valid reasons for a modified remediation date, management did not request one.

The Ombudsman concurred with the internal audit rating of insufficient. Management did not correct concerns identified in two audit MRAs issued in the prior ROE by the commitment dates. In addition, the SO issued a new MRA for internal audit oversight. Concerns identified in three outstanding MRAs for audit demonstrate that the branch does not adhere to sound risk management practices outlined in OCC guidance. The branch does not have a written audit program and lacks clearly defined roles in the audit process. While the ROE does acknowledge management actions to improve the audit program, weaknesses identified align with the insufficient definition for internal audit. Refer to page 93 of the LBS Handbook.

The Ombudsman concurred with the internal controls rating of weak. While the ROE states that management has taken modest corrective actions to address issues identified, the actions are insufficient to remedy root causes of issues, causing the issues to be repeated. The ROE identified past due concerns with internal controls surrounding enterprise-wide risk governance framework, audit issue management, and BSA/AML foreign correspondent bank customer due diligence. The ROE noted that the OCC, internal audit, and the internal controls department continue to identify instances of nonadherence to established policies and procedures. Examiners identified various reporting discrepancies that undermine the reliability of branch management information systems (MIS). The ROE documented that the effectiveness of BSA/AML staff and controls deteriorated since the previous examination. The internal controls rating of weak aligns with guidance from page 125 of the BSP Handbook.

The Ombudsman concurred with the assessment of high quantity of risk, weak quality of risk management, and high aggregate operational risk. An assessment of the quality of operational risk management is not limited to risk to financial condition. Page 63 of the LBS Handbook states that the ratings include consideration of the quality and effectiveness of the system of internal controls. The ROE correctly assessed internal controls as weak and internal audit as insufficient. These ratings are key factors in the quality of operational risk management. The examiners emphasized that the high complexity of branch operations, lack of an effective risk and control self-assessment process, and weak internal audit expose the branch to significant risk from fraud, errors, and execution issues or processing disruptions.

The Ombudsman concurred with the operational controls rating of 4. Page 125 of the BSP Handbook states that a rating of 4 signifies that the branch or agency system of operational controls has serious deficiencies that require substantial improvement. The ROE identified serious deficiencies in internal audit, internal controls, IT-related controls, and risk management practices in the form of nine MRAs, with six assessed as past due. Internal controls are weak with deficiencies noted in multiple areas, including BSA/AML, MIS, and account reconciliations. Senior management did not make sufficient progress to address internal control deficiencies identified by the OCC.

Management Matters

The Ombudsman concurred with the past due status of the management depth and succession MRA. Management did not effectively implement all required actions associated with the MRA by the commitment date. Refer to page 136 of the BSP Handbook. Management limited the scope of the required staffing analysis by excluding two key members of senior management, which did not align with the corrective action. In addition, one of the staffing assessments lacked independence as the evaluator was not independent of employees assessed. The Ombudsman also directed the SO to add context to the ROE regarding branch efforts to augment staff.

The Ombudsman concurred with weak quality of strategic risk management. The ROE said the strategic plan lacked reasonable milestones necessary to achieve growth in a controlled manner and the growth strategy was not conservative. Branch MIS do not measure transaction volumes against tolerance levels or risk appetite. Policies are insufficient, and risk limits identified in the risk appetite policy are inconsistent with risk indicators monitored in the daily and weekly dashboard. Insufficient level and depth of the technical expertise of staff resulted in recurring control gaps. The branch experienced a high level of turnover since the previous examination, and the management depth and succession planning MRA is past due. The strategic risk management rating of weak aligns with guidance on page 32 of the LBS Handbook.

The Ombudsman concurred with the weak quality of reputation risk management. A rating of weak reputation risk management indicates that management does not take timely or appropriate actions in response to changes in market, technology, or regulatory environments and that branch management may have a poor record of corrective actions to address problems. Refer to page 36 of the LBS Handbook. The ROE included a high number of open and past due MRAs and two violations of law. Policies, processes, and systems protecting confidential information have weaknesses. The ROE also issued two new MRAs for access management and MIS. Examiners determined branch MIS were unreliable.

The Ombudsman concurred with the risk management rating of 4. The ROE included 17 MRAs, 11 of which were assessed as past due. The high number of past due MRAs provides support that management has failed to correct identified risk management deficiencies in a timely manner. The SO assessed the quality of risk management for multiple risk assessment system categories as weak (reputation, strategic, operational, and compliance risks) and insufficient (credit, liquidity, and BSA/AML risks). The risk management rating of 4 aligns with guidance on page 123 of the BSP Handbook. While branch management took some actions to improve certain risk management practices, actions taken did not effectively mitigate risks.

Overall Condition Matters

The Ombudsman concurred with the credit risk management rating of insufficient. The ROE included a new MRA for loan approval and review processes. The loan policy lacked key information related to credit underwriting, and loan review lacked independence. In addition, a prior MRA on credit risk management was past due because of lack of financial analysis and over-reliance on ratings from credit rating agencies. The risk management assessment of insufficient aligns with guidance on pages 41 and 42 of the LBS Handbook.

The Ombudsman concurred with the moderate aggregate level of risk and insufficient quality of risk management for liquidity. The ROE assessed the liquidity risk management MRA as past due. The MRA included criticism of the contingency funding plan. The appeal assertion regarding compliance with liquidity coverage ratios is indicative of the quantity of risk, which the SO assessed as low. However, the moderate aggregate level of risk is a result of the low quantity of risk and insufficient quality of risk management. The liquidity risk assessment is consistent with guidance on page 26 of the BSP Handbook.

The Ombudsman concurred with the composite rating of 4. The ROCA composite rating is the interagency uniform supervisory rating system for federal branches and agencies of foreign banking organizations. The composite rating should not merely be an arithmetic average of the component ratings, and some components often carry more weight than others. The risk management and operational controls components were correctly rated 4 in the ROE. It included 17 MRAs, 11 of which were assessed as past due, and two violations of law, including a BSA pillar violation. The SO appropriately placed significant reliance on the risk management and operational control ratings when assessing the composite rating according to guidance on page 122 of the BSP Handbook.