Penalties can add up quickly for ineffective vendor oversight or an insufficient compliance management system.
The OCC hit Morgan Stanley with a $60,000,000 civil penalty for failing to properly oversee the decommissioning of two data centers and for deficiencies in vendor oversight. From the Consent Order:
“In 2016, the Bank failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the U.S. In connection with the decommissioning, the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices. The Bank failed to exercise adequate due diligence in selecting the third-party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.
In 2019, the Bank experienced similar vendor management control deficiencies in connection with the decommissioning of wide area application services devices.”
The OCC also assessed a $400,000,000 civil money penalty against Citibank for its “long-standing” failure to establish effective risk management and data governance programs and internal controls. Included in the findings was: “For several years, the Bank has failed to implement and maintain an enterprise wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile.”
Along with the civil money penalty, Citibank also faces a cease and desist order from the OCC, which requires the bank to take “broad and comprehensive actions” to fix its systems.
The Federal Reserve Board also issued a cease and desist order that requires Citigroup to enhance its firm-wide risk management and internal controls. Among other things, the Board found that the firm had not taken prompt and effective action to correct practices it had previously identified in the areas of compliance risk management, data quality management, and internal controls.
If you are concerned about your institution’s vendor oversight or compliance management system, contact us. We can help.
Please be advised that CSG provides financial services compliance audit and consulting services to our clients. The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers. Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services. Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest. Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.