An official website of the United States government
Share This Page:
A federal savings association (bank) supervised by the Office of the Comptroller of the Currency (OCC) appealed to the Ombudsman the supervisory office’s (SO) conclusions in the most recent report of examination (ROE). Specifically, the bank appealed the following:
The appeal disagrees with the rating of 3 for IT and the supporting conclusions regarding the assessment of noncompliance with two related articles of the EA and the third-party risk management MRA. The appeal asserts that the ROE has numerous suppositions, errors, and is subjective regarding the perceived inherent risk in the bank’s systems as well as the credibility of its third-party providers. The appeal disagrees that IT and operational risk management practices are weak in relation to the bank’s size. The appeal asserts that the IT risk assessment includes all relevant IT risks and the IT audit is independent.
The appeal asserts that the IT article of the EA should be not in compliance – pending validation rather than past due. The appeal asserts that the program specifically addresses the requirements noted in the board letter communicating the conclusions from the previous interim examination. In addition, the appeal states that the only remaining outstanding item is to perform the “table-top” disaster recovery testing, which will be completed by year-end.
The appeal asserts the internal audit article of the EA should be not in compliance – pending validation rather than past due because the acceleration of the bank’s independent testing by a third party would satisfy the requirements. The appeal contends that the internal audit function governs the IT audit and the vendor completing the IT audit is independent. In addition, the appeal states that the external penetration testing and network review will occur at least every 30 months. In reference to the bank’s network, the appeal states that this vendor conducting the IT audit will “only maintain it on an ‘as needed’ basis.”
The appeal asserts that the facts stated in the new third-party risk management MRA regarding the bank’s IT vendor and its access to the bank’s network are incorrect. The appeal asserts that the vendor is not a high-risk vendor and is not subject to the provisions of the Graham–Leach– Bliley Act. The appeal notes that the MRA should be modified to focus on high-risk vendors.
The appeal disputes the 3 rating for consumer compliance, noting that its consumer compliance function is strong and the violations are incorrectly cited. The appeal asserts that the violations of 12 CFR 1026.19(e)(1)(vi)(c), “Mortgage loans - early disclosures; provision of disclosures” (violation 1) and 12 CFR 1026.19(e)(3)(i), “Mortgage loans – early disclosure; good faith determination for estimates of closing costs” (violation 2) are “de-minimis” and not a result of inadequate training. The appeal further asserts that one of the two loans cited in violation 2 is not a violation.
The appeal contends that the examiners misapplied and misinterpreted the TILA in citing violations of 12 CFR 1026.38(o)(2), “Content of disclosures for certain mortgage transactions; loan calculations; finance charge” (violation 3), and 12 CFR 1026.38(o)(3), “Content of disclosures for certain mortgage transactions; loan calculations; amount financed” (violation 4). The appeal states that the examiners did not understand bank requirements when originating consumer credit and the bank has fully complied with the provisions of the regulation.
The appeal disputes the STMR rating of 3 and the interest rate risk assessment. The appeal asserts that the STMR section of the ROE is entirely subjective, and the examiners did not understand the bank’s operations or balance sheet trends. The appeal notes that board-approved limits do not drive policy. The appeal further asserts that management and the board have excellent knowledge of their account base and a firm grasp on their interest rate assumptions and modeling.
The appeal disputes the 4 rating for management. The appeal disputes the characterization of management and the board as weak and insufficient throughout the ROE and asserts that accuracy and objectivity in the ROE are lacking. The appeal asserts that information and exhibits presented throughout the appeal demonstrate that management and the board is anything but weak.
The appeal disputes the rating of a weak audit program. The bank asserts that its audit program and controls for operations and IT are comprehensive and effective, both generally and granularly. The appeal disputes what is categorized as “significant risks” and states that examiners applied perceived risks to the bank. The appeal asserts the OCC handbooks state that it is for the regulated banks to determine programs, based on their own risk assessment.
The appeal disagrees with the high quantity of strategic risk and weak quality of strategic risk management. The appeal asserts that the SO accepted the strategic plan, and the article of the EA requiring it is in not in compliance – pending validation status. The appeal asserts that the board and management are well informed of the general economic climate and its effects on their depositor and borrower base. The appeal asserts that examiners did not recognize that the bank’s balance sheet risk is not new and that the board and management accept the risk and balance it with the steady deposit base. The appeal asserts that the ROE characterizes the current decreasing asset size as “deteriorating,” whereas the bank sees the asset levels as returning to the appropriate level after the short-term increase from an influx of Paycheck Protection Program lending to aid the community. The appeal also disputes the reputation risk assessment and asserts that the bank has an impeccable reputation in the community and practices daily what the OCC refers to as “reputation risk management.”
The Ombudsman conducted a comprehensive review of the appeal using the following supervisory standards in effect at the time of the examination:
The Ombudsman concurred with the bank that the SO did not sufficiently support citing one instance of the violation included in violation 2 of 12 CFR 1026 and removed any reference to it in the ROE. For all other issues appealed, the Ombudsman concurred with the SO but required additional edits to the ROE to improve balance and clarity of supervisory concerns.
The Ombudsman concurred with the rating of 3 for the IT component. The bank exhibits some degree of supervisory concern because of a combination of moderate weaknesses. This aligns with the Uniform Rating System for Information Technology (URSIT) rating of 3 as defined in the “Bank Supervision Process” booklet of the Comptroller’s Handbook. These weaknesses are identified in two articles of the EA and an MRA for third-party risk management as follows:
The Ombudsman concurred that the IT article of the EA is not in compliance – past due. OCC Bulletin 2018-41 incorporates PPM 5310-3, which defines not in compliance – pending validation as “articles that are pending validation (that is, examiners verified that management implemented the corrective actions, but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, examiners have not validated the sustainability of the corrective actions, or examiners determine additional testing is warranted.)”
The plan does not meet the requirements of the EA or the interim board letter. The appeal itself notes that certain disaster recovery testing remains outstanding; therefore, not all requirements of the article have been implemented. Additionally, other required actions need further implementation or improvement, including additional disaster recovery testing and improvements to the IT risk assessment and IT audit. Further, the IT audit schedule needs to align to the size, complexity, and risk present in the bank’s systems.
The Ombudsman concurred that the internal audit article of the EA is not in compliance – past due. The acceleration of testing does not meet the requirements of the article because it was not independent and the schedule for ongoing testing is not risk-based. The engagement of the vendor to conduct the IT audit and assurance testing does not constitute an independent evaluation because the vendor also works on the bank’s network. There is no contract or other formal documented statement of work that defines what “only maintain it on an ‘as needed’ basis” means in terms of the vendor’s work and access on the bank’s network. Therefore, the vendor’s independence to perform IT audits and assurance testing appears to be compromised as defined in the “Audit” booklet of the FFIEC IT Examination Handbook. Finally, additional weaknesses exist within the compliance audit function, as described in the consumer compliance component rating discussion below.
In addition, while not noted in the ROE, the Ombudsman determined that the board must address the lack of independence of the Chief Internal Auditor. The bank’s president serves as the bank’s Chief Internal Auditor. While it is oftentimes necessary and appropriate for members of senior management to hold multiple titles in smaller institutions, the internal audit function must remain independent. An independent internal audit function, along with an effective system of internal controls, forms the foundation for safe and sound operations, regardless of a bank’s size. The Chief Auditor should report directly to the bank board or audit committee, and the board should take extra measures to ensure that the internal auditor’s reporting relationships do not impair their independence or influence their work. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook. The Ombudsman expanded the “Additional Actions Required” section of this article assessment in the ROE to note the need to address the independence of the Chief Internal Auditor.
The Ombudsman concurred with the issuance of the third-party risk management MRA. The vendor has access to customer information and therefore is subject to the requirements of 12 CFR 30, Appendix B. The regulation requires, among other things, that high risk vendors have proper due diligence and a contract, as outlined in the MRA.
The Ombudsman concurred with the rating of 3 for the consumer compliance component. Management must update the policies and procedures, which refer to regulations that are no longer active. Compliance training is inadequate and not properly documented. Compliance audit and internal controls do not adequately identify and control risks to comply with consumer laws and regulations due to an inadequate scope of testing. The examiners identified multiple violations of TILA and repeat violations of 12 CFR 22, “Flood Disaster Protection Act” (FDPA). These deficiencies align with a 3 rating as defined in the “Bank Supervision Process” booklet of the Comptroller’s Handbook.
The Ombudsman concurred with the bank that there was only one instance of a violation of 12 CFR 1026 for the section referenced in violation 2. Upon further review of the information presented in the appeal, the SO agreed with the bank that one of the loans did not constitute a violation and was cited in error. The Ombudsman concurred with the remaining instances of violations 1 and 2, as cited. There is no exception for de-minimis violations for this section of the regulation. Examiners may consider one instance of a specific violation as an isolated incident. However, when combined with multiple violations in a separate section of the same regulation, support may exist for a pattern or practice of noncompliance due to inadequate audit, controls, and training over the TILA.
The Ombudsman concurred with the SO with the violations of 12 CFR 1026.38, as cited in violations 3 and 4, regarding the disclosure of the finance charge and the amount financed. Examiners understood the bank’s processes and determined that the disclosures of the finance charge and the amount financed on the loans cited in the violations did not comply with the regulation. The bank failed to include several charges, including fees related to closing protection letters (CPL), private mortgage insurance, and “title charges,” within the disclosed prepaid financed charges on the loans cited in the violations.
Examiners reviewed the CPLs and determined that fees related to these were prepaid finance charges as they are a fee to protect the bank from closing agents and should have been included. The appeal acknowledged that the bank should have included private mortgage insurance in the prepaid finance charges. All other fees charged were included under “title charges.” Examiners appropriately considered these “title charges” as prepaid finance charges because there was no evidence to determine the composition of the fees. Documentation showed that bank management explained to examiners that the title company prepared these charges, and the bank was not aware of the types of fees the title company included. It is bank management’s responsibility to know and understand the fees charged to determine whether they are finance charges or not.
The Ombudsman concurred with the 3 rating for the STMR component, a downgrade from the previous full scope examination. The Ombudsman concurred with the moderate aggregate interest rate risk (IRR) and weak quality of IRR management. These ratings remained unchanged from the previous examination. There were no documented indicators that would support improved ratings. The bank has been operating outside of board-approved limits. There was no evidence demonstrating that operating outside of the board-approved limits was a strategic decision based on knowledge of the bank’s market and deposit base. The board and management should review risk exposure reports to evaluate the trade-offs between risk levels and performance. When management considers major interest rate strategies (including no action), it should assess the impact of potential risk (an adverse rate movement) against that of the potential reward (a favorable rate movement). Refer to page 23 of the “Interest Rate Risk” booklet of the Comptroller’s Handbook. The board minutes do not reflect discussion of the risks or associated strategies and considerations to control the risk, as expected of an institution operating outside of board-approved limits.
Further, while progress is noted, management must take additional action to fully address the board and management oversight of STMR MRA that is not yet due. The appeal did not dispute this MRA. Earnings are deficient, indicating they lack the ability to absorb any reduction in income caused by movements in interest rates. These weaknesses align with the definition of a 3 rating as defined in the “Bank Supervision Process” booklet of the Comptroller’s Handbook.
The Ombudsman concurred with the 4 rating for the management component. Weaknesses and deficiencies are noted in the management of IT, consumer compliance, STMR, and audit. Problems in these areas are significant and have led to MRAs, violations of law and regulations, and an EA. Earnings are deficient. This is an excessive level of problems and risk exposure. Weaknesses and deficiencies have not been self-identified, corrective actions have been slow, and the adequacy and independence of the internal audit function is lacking. The president holds multiple roles, including Chief Internal Auditor, Compliance Officer, IT Officer, and Treasurer. He is the senior management officer over the areas with noted weaknesses and deficiencies. It is the board’s responsibility to ensure proper management of all areas of the bank and independence of all audit functions. Board minutes document few questions by outside directors, which are rarely responded to with in-depth discussion or follow-up questions. This indicates that strengthening management or the board may be necessary.
The appeal is correct that examiners expect banks to determine programs based on their own risk assessments. However, examiners also determine whether those programs are sufficient to manage the risk as determined by independent assessments through the examination process. The Ombudsman noted that the ROE described management as weak or insufficient only when referring to the applicable management component rating or when discussing the quality of risk management for applicable areas rated as weak.
The Ombudsman concurred with high aggregate strategic risk and weak quality of risk management, which remain unchanged since 2021. The appeal acknowledges that the bank’s capital and strategic plan received “no supervisory objection” from the SO. The capital and strategic plan article of the EA remains in not in compliance – pending validation status, meaning insufficient time has passed for the bank to demonstrate sustained performance under the plan. Deficient earnings, noncompliance with the EA, and new supervisory concerns increase the risk to effectively implementing the strategic plan. The ROE did not criticize the bank for its decreasing asset size, but points to the lack of asset growth as a mitigant to increasing strategic risk. See the “Bank Supervision Process” booklet of the Comptroller’s Handbook for details on the risk assessment system.
The Ombudsman concurred with the reputation risk assessment of moderate quantity and aggregate risk, insufficient quality of risk management, and increasing direction. These ratings have not changed since 2021. There is no clear indication that the level of reputation risk has decreased or reputation risk management has improved since the previous examination, indicating that the current ratings are appropriate. The bank has factors that align to both low and moderate levels of reputation risk. Examiner judgement is necessary to assess all factors affecting reputation risk to determine the appropriate rating. An “Outstanding” rating for the Community Reinvestment Act, no consumer complaints, and no loan losses reflect a low level of reputation risk. However, an increasing number of violations and regulatory concerns and deficient earnings reflect a moderate level of reputation risk. The appeal does not dispute the weak quality of operational risk. Concerns with information security and weak or insufficient operational risk ratings affect the quality of reputation risk management. Refer to the “Community Bank Supervision” booklet of the Comptroller’s Handbook.
The Ombudsman concurred with the conclusion of a weak audit program. As previously stated, the President is also the Chief Internal Auditor. This role includes engaging external vendors to perform audits and assessments, reviewing the work of these external vendors, and helping them complete their audits and assessments from multiple perspectives as the President, IT Officer, Data Security Coordinator, and Compliance Officer. The President also conducts all operational audits. These practices conflict with ensuring an independent audit function. Refer to the “Internal and External Audits” booklet of the Comptroller’s Handbook.
Further, the IT audit is not independent, the IT audit schedule is not commensurate with IT risks, and the violations identified during the examination demonstrate that the compliance audit scope was inadequate. The SO noted implementation of improvements to the internal audit tracking as well as correction of the internal control concerns noted in the external audit. However, the actions taken to address the internal control concerns only corrected the immediate concerns and did not address any policy or control changes to address the root cause.