Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Free Newsletter Sign Up

ANALYSIS: Ongoing Risk Management Failures Bring Major Fines

Nov. 2, 2020, 7:29 PM

Significant fines against big banks serve as important reminders that ongoing failures to correct longstanding compliance and risk management deficiencies will have consequences.

In October, the Office of the Comptroller of the Currency (OCC) issued significant fines against three major banks for compliance and risk management failures.


On Oct. 7, the OCC walloped Citibank with a $400 million penalty for longstanding deficiencies involving the bank’s enterprise-wide risk management, compliance, data governance, and internal controls — shortcomings that its parent company, Citigroup, is also being held accountable for by the Federal Reserve.

Check back shortly for my follow-up analysis as I dig into this matter more closely.

Morgan Stanley

On Oct. 8, the OCC hit Morgan Stanley with a $60 million fine for risk management problems tied to a 2016 data breach. The breach involved failures by the bank to decommission two data centers properly. In dismantling these centers, the bank employed inadequate risk management measures to assess or address:

— the disposal of hardware containing sensitive data;
— screening and oversight of vendors engaged to remove customer data; and
— customer data stored on the devices.

While the OCC did not impose any additional undertakings on Morgan Stanley, it did compel the bank to notify potentially impacted customers of the 2016 incident (now the subject of a pair of class-action lawsuits). The bank experienced similar issues in 2019, but it voluntarily notified customers of the 2019 incident.


On Oct. 14, the OCC assessed an $85 million civil penalty against USAA Federal Savings Bank, a bank that serves U.S. military members. The charges stem from the bank’s failure to implement and maintain effective compliance risk management controls and an information technology risk governance program. The penalty follows a 2019 OCC consent order against the bank for similar control and IT failures.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT<GO> in order to access the hyperlinked content.