For the first time in over twenty years,1 the Office of the Comptroller of the Currency (OCC) has formally changed its policy governing civil money penalties (CMP) against national banks, federal savings associations, federal branches of foreign banks, and their service providers and institution affiliated parties (IAP).2

Key changes from the OCC's 1993 policy include: an explicit application of the CMP policy to service providers; a tiered approach to penalties based on the entity's total assets; the addition of CMP factors for the effectiveness of internal controls and the compliance program and for individual accountability; revised matrices for calculating CMP amounts; separate matrices for institutions and IAPs; additional guidance on the CMP factors; and increased risk weightings for certain CMP factors.

This new CMP policy formalizes many aspects of the OCC's practice for determining CMP amounts in recent years (such as total assets). The more clearly articulated standards will also provide institutions with new tools to advocate for smaller CMPs in the 15-Day Letter process, supplementing arguments based on the statutory mitigating factors. 

Background

The federal banking agencies' primary civil money penalty authority is 12 U.S.C. §1818(i).3 This provision provides for three penalty tiers, a procedure for the assessment and collection of the CMP, and a set of mitigating factors the agencies must take into account when determining the appropriate CMP amount. The banking agencies have long evaluated CMP amounts based upon a scored matrix of factors, and the OCC last announced a CMP matrix for tier 1 and tier 2 penalties in 1993. But developments in the banking system and the OCC's approach to enforcement appear to have led the OCC to formally revise the prior policy.   

Changes to the 1993 Policy

  • Extension to Service Providers. The revised policy states that it applies to service providers. However, the scope of the OCC's CMP authority over service providers is unclear, notwithstanding the fact that the revised policy states that the OCC may assess CMPs against service providers pursuant to 12 U.S.C. § 1861 et seq. (the Bank Service Company Act) and 12 U.S.C. § 1464(d)(7). In Grant Thornton v. Office of the Comptroller of the Currency, the DC Circuit held that the OCC must prove that the independent contractor was involved in “conducting the business or affairs of [a] bank” to meet the statutory jurisdictional requirements for an enforcement action for the purposes of imposing a CMP based on an unsafe or unsound practice.4
  • CMPs based on asset size of the institution. Another change is that the CMP matrix now includes penalty tiers based on the asset size of the institution. For example, a bank with total assets of $45 million could face a $10,000 CMP with a matrix score of 45, whereas the same matrix score could lead to a $15 million CMP for a bank with total assets over $100 billion. This appears to be a recognition of what has been unofficial policy, as an institution's asset size has long appeared to have been a factor in determining CMP penalty amounts. This revision also reflects the approach of other prudential regulators, which includes an asset-size factor as an element of its CMP calculation.
  • New CMP factor for compliance management system. While the “presence or absence of a compliance program and its effectiveness” was an enumerated CMP factor in the 1998 FFIEC CMP guidance,5 it is only now being officially incorporated into the OCC's CMP matrix. This incorporation underscores the OCC's focus on risk management, especially compliance risk management.6 An effective compliance program is now doubly important because it actually can reduce the CMP in addition to increasing the likelihood of early detection and resolution of a compliance issue and any resulting customer impact.
  • Separate CMP matrices for entities and individuals. The inclusion of a new and separate CMP matrix for IAPs may suggest increased enforcement focus on IAPs by the OCC. Indeed, the policy states that “A CMP against an IAP emphasizes the accountability of individuals.” This would be consistent with the broader movement across the federal government to hold individuals at financial institutions accountable for bad acts.7
  • Broader range of CMP matrix scores now subject to CMP. The OCC increased the relative factor weights of the CMP matrix such that the total possible “score” is now 200, whereas the total possible “score” under the 1993 Guidance was 172. Additionally, the suggested floor for a CMP was lowered from a 51 matrix score under the 1993 Guidance to a 41 matrix score under the revised policy. Thus, conduct that would have warranted a supervisory letter under the 1993 Guidance may warrant a CMP under the revised policy.
  • Bank Secrecy Act. This existing factor for loss or harm to the public has been expanded to reference violations of the Bank Secrecy Act. This is consistent with the continued enforcement emphasis on BSA, and the OCC's recently released additional guidance on its enforcement approach to BSA violations.8
  • Changes in relative weightings of risk factors. The risk weight factors increased for six of the existing components, declined for four of the risk factors, and stayed the same for two risk factors. The cumulative impact of these changes is to decrease the impact of mitigating factors on the CMP analysis9 and to decrease the relative weight of the impact of the violation in determining enforcement strategy.10

Conclusion

The revised CMP policy has been amended in such a way as to suggest that the OCC may be laying the groundwork to support increased enforcement activity, especially with respect to IAPs and service providers. The changes to the CMP matrix favor an increase in the likelihood and the amount of CMPs—under the revised policy the score threshold is lowered for considering CMPs, there is an increase in the opportunity for higher matrix scores, the potential impact of mitigating factors has been reduced, and larger CMPs are suggested for larger banks. Banks and their service providers, as well as IAPs, should ensure that they have established processes in place to quickly respond to enforcement communications from the OCC, including 15-Day Letters.