On February 26, the Office of the Comptroller of the Currency (OCC) released its revised Policies and Procedures Manual policy for assessing civil money penalties (CMP Policies). The CMP Policies are used as a reference tool for examiners in assessing the severity of any identified unsafe and unsound banking practices, violations of laws, regulations, orders, conditions imposed in writing, and formal agreements (“violations”) by institutions and persons subject to OCC’s supervision (national banks, federal savings associations, federal branches and agencies, and bank service companies and service providers). The CMP Policies replace the prior OCC policies and procedures regarding civil money penalties (CMP Matrix) that were issued in 1993 and prior Office of Thrift Supervision policies for federal savings associations that were issued in 2009.


The CMP Policies—like the predecessor CMP Matrix used by the OCC—assigns a positive numerical score and a factor weight to each of 11 factors that are taken into account in determining whether to assess a CMP and the amount of the CMP (e.g., intent, concealment, financial gain, loss to the bank, or loss/harm to consumers or the public). In addition, the CMP Policies assign what is in effect a negative risk weighting to 3 specified mitigating factors—good faith, cooperation, and restitution. For each factor, the numerical score is multiplied by the factor weight to arrive at a component factor score, and the component scores are then summed to arrive at a composite CMP matrix score upon which the OCC relies in making its final CMP decision.

The CMP Policies make a number of changes to the CMP Matrix. Most notably, the CMP Policies make the following changes:

  • In contrast to the CMP Matrix, which contained one matrix used for both institutions and institution-affiliated parties (IAPs), the CMP Policies contain separate severity matrices for institutions and for IAPs that use substantively the same 11 positive (and 3 mitigating) factors, but with differing weights for these factors.
    • IAPs are generally defined to include directors, officers, employees, controlling shareholders, and other persons participating in a bank’s affairs. They also include independent contractors and service providers who knowingly or recklessly participate in violations, breaches of fiduciary duty, or unsafe or unsound practices that cause or are likely to cause more than a minimal financial loss to, or a significant adverse effect on, the bank.
  • For IAPs, the factor weights generally are lower than the same factor weights for institutions; in other words, the same factor in question generally carries a less-severe risk weighting for IAPs than it does for institutions. At the same time, (i) “Financial gain or other benefit as a result of violation” is given a higher factor weight for IAPs than for institutions, and (ii) restitution is given a higher factor weight as a mitigating factor for IAPs.
  • For institutions, the CMP Policies add a new factor, “Effectiveness of internal controls (IC) and compliance program (CP),” and Bank Secrecy Act violations are added into the factor “Loss or harm to consumers or the public.” For IAPs, the internal controls factor is stated in terms of the IAP’s responsibility for the internal controls environment. These additions are consistent with the OCC’s continued emphasis on Bank Secrecy Act compliance and the need for strong risk management oversight by financial institutions.
  • The separate matrix for IAPs places a materially higher degree of OCC enforcement and compliance focus on IAP activities and their impact on an institution.
    • The matrices in the CMP Policies contain more detailed violation levels for almost all factors than were contained in the CMP Matrix, making the analysis of each factor by the examiner more nuanced. For example, the only violation categories for duration and number of violations previously were “violation outstanding for long period” and “numerous violations.” The CMP Policies contain time bands for the amount of time a violation has been ongoing (from 6 months to more than 2 years) and the number of instances of a violation is divided into several groups, from 1-3 instances to more than 10 instances.
  • The Suggested Action tables have been substantially revised to make the following changes:
    • There are separate tables for institutions and IAPs.
    • The institutions table contains different suggested dollar figure penalties based on the total assets of the bank.
    • The thresholds that could trigger a CMP (instead of no referral, a supervisory letter, or a reprimand) are generally lowered.


Overall, the CMP Policies appear to increase the likelihood of the imposition of a CMP upon an institution or IAP upon identification of a violation, mostly due to the general upward adjustment of the factor weights and downward adjustment of the total score that would suggest a CMP or other corrective action be taken. This trend generally would be consistent with the increased emphasis that the OCC places on risk management and compliance. For this reason, among others, the new CMP Policies warrant careful attention. While the other federal banking agencies have not published similar guidance, the trend of increasing focus on regulatory enforcement has not been the exclusive province of the OCC, inasmuch as the Federal Reserve Board and the Federal Deposit Insurance Corporation have been trending in this direction as well.