Today, the Office of the Comptroller of the Currency (OCC) announced a $15 million civil money penalty against American Express National Bank (American Express). The penalty is a result of American Express failing to govern and oversee a third-party affiliate and for violations of regulations relating to certain efforts to retain small business customers. This is the first CMP issued since the agencies released their interagency guidance on June, 9th.
The OCC found that American Express failed to ensure that its third-party affiliate had appropriate call monitoring controls and appropriate mechanisms to document and track customer complaints. Additionally, American Express failed to collect necessary consumer information and properly maintain and produce records to show compliance with Customer Identification Program regulations.
Specifically, the OCC found between 2015 to 2017, as part of large-scale efforts to retain small business customers they:
- Failed to properly govern and oversee the efforts of a third-party affiliate utilized to retain customers, including the third-party affiliate’s call monitoring and documentation processes and its tracking, and monitoring of customer complaints,
- Failed to gather employer identification numbers for certain customers and properly maintain records regarding compliance with the Customer Identification Program (“CIP”) regulations; and
- Failed to properly maintain records related effort to retain customers and, later, produce them in response to OCC requests.
- The Bank violated CIP regulations and recklessly engaged in unsafe or unsound practices. Such violations and practices were part of a pattern of misconduct.
The OCC has been the leading agency in establishing third-party risk life-cycle management. Releasing nearly annual guidance since 2019. This latest enforcement action is likely the first of many dominoes to fall, as the spotlight of third-party governance and control is being focused on financial institutions.
This risk management nightmare needs to be addressed by all financial institutions, regardless of their size. For this reason, Compliance Resource has scheduled a three-part webinar series on Third-Party Management. Join us, beginning on October 26th, to ensure you’re taking the proper steps in controlling and governing your third-party relationships.