On May 23, 2017 the Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2017-18 to update its policies and procedures regarding violations of laws and regulations. The updated guidance:

  • Communicate violations using a consistent format:
  • Legal citation and description
  • Summary of relevant statutory or regulatory requirements
  • Facts supporting the violation and root cause(s)
  • Corrective action(s) required
  • Board and management’s commitment(s) to corrective action
  • Reinforce the importance of timely and thorough follow-up and tracking of bank management’s corrective actions and milestones to those actions.
  • Convey the relationship of violations to matters requiring attention, CAMELS/ITCC or ROCA ratings,1and the bank’s risk appetite and profile.
  • Emphasize the need for examiners to communicate effectively and in a timely manner with the bank’s board of directors, the bank’s management team, and OCC supervisors.

The first time an examiner communicates a violation to a bank, the examiner must label the violation with one or more of the following attributes:

  • New:Label violations as “new” when the OCC has not previously communicated the same or substantially similar violations in writing during the previous five-year period.
  • Self-identified:Label violations as “self-identified” when there is evidence that the board or management is aware of the violation and documented and disclosed the violation to the OCC before or during the examination. A self-identified violation can arise from various sources, including customer complaints, risk and control self-assessments, independent risk management, internal audit reviews, or third-party reviews.
  • Repeat:Label the violation as “repeat” when the OCC communicated the violation (even if self-identified) in writing during the previous five-year period and new violations of the same or substantially similar regulation or law occur subsequent to the board or management receiving notification. Repeat violations may be substantive or an indication that management failed to remediate the deficient practices that led to the violation, management lacks the commitment or ability to ensure prompt correction and prevention of the violations, or the board has not exercised appropriate oversight or held management accountable for remediation of the causative deficient practices.

Upon completing a follow-up activity, examiners must determine whether to label a violation as past due, pending validation, or closed.

  • Past due:During verification, examiners determine the bank has not implemented the expected corrective actions for the violation within the required time frame, or, during validation, examiners determine that the corrective action is not effective or sustainable. Once a violation is deemed past due, it continues to be past due until it is closed.2
  • Pending validation:The OCC verified that the bank implemented the corrective actions, but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, and the OCC has not validated the sustainability of the corrective actions, or the OCC determines that additional testing is warranted.
  • Closed:The bank has corrected the violation, and the OCC has verified and validated the bank’s corrective actions; a change in the bank’s circumstances corrected the violation; or the violation is otherwise deemed uncorrectable. Closed violations should be communicated as closed in the subsequent ROE, supervisory letter, or written list of violations.

Examiners must communicate:

  • All OCC-identified violations to facilitate timely and effective corrective action by the board and management.
  • Substantive violations to the bank in a report of examination (ROE) or supervisory letter, including substantive self-identified violations in certain circumstances.
  • Less substantive OCC-identified violations in a separate written document if the examiners do not include them in an ROE or supervisory letter. Examiners may use discretion to determine whether less substantive, self-identified violations warrant communication in a separate written document.

The OCC expects the board and management to take timely and effective correction of all violations regardless of how they are communicated. If management fails to correct a violation previously communicated in a separate written document by the OCC, the examiner should include the violation in the next ROE or supervisory letter.”
The updated guidance takes effect July 1, 2017.
OCC Bulletin 2017-18
1 A bank’s composite rating under the Uniform Financial Institutions Rating System, or CAMELS, integrates ratings from six component areas: capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Evaluations of the component areas take into consideration the bank’s size and sophistication, the nature and complexity of its activities, and its risk profile. ITCC refers to ratings on information technology, trust, consumer compliance, and the Community Reinvestment Act. ROCA is the interagency uniform supervisory rating system for federal branches and agencies of foreign banking organizations. The ROCA system’s four components are risk management, operational controls, compliance, and asset quality. The overall or composite rating under ROCA indicates whether, in the aggregate, the operations of the branch or agency may present supervisory concerns and the extent of any concerns.
2 A violation may be simultaneously past due and pending validation if the examiner has verified the bank’s corrective action but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, and the OCC has not validated the sustainability of the corrective actions.