Appeal of a Violation of Law and Matters Requiring Attention (First Quarter 2017)
A bank supervised by the Office of the Comptroller of the Currency (OCC) appealed to the District Deputy Comptroller the determinations in its most recent report of examination issued by the supervisory office. Specifically, the bank appealed
- a violation of 12 CFR 30, Appendix (B)(III)(F), "Interagency Guidelines Establishing Information Security Standards – Report to the Board," and corresponding matter requiring attention (MRA);
- six new concerns in the Information Security Program Management MRA; and
- a past due concern in the Improve Cash Flow Analysis MRA.
The appeal contended that management provided verbal reports to the board annually, as required by the Gramm-Leach-Bliley Act (GLBA), and disputed the Federal Financial Institutions Examination Council's (FFIEC) policy that the report must be in writing. The appeal also asserted that management corrected the remaining concerns in the Information Security Program Management MRA during the examination.
The appeal stated that the Improve Cash Flow Analysis MRA is not warranted for agricultural loans. The appeal contended that an ongoing credit analysis is not required to update a borrower's repayment capacity upon receipt of updated financial information because the bank determined the borrower's creditworthiness at underwriting. The appeal also asserted that management did not agree to adjust a borrower's debt service coverage ratio upon receipt of financial information, nor to update the loan policy to require an analysis of income tax return information upon receipt.
The Deputy Comptroller thoroughly reviewed the appeal using the following supervisory standards:
- The "Bank Supervision Process" booklet of the Comptroller's Handbook, September 2007, updated May 2013.
- The "Rating Credit Risk" booklet of the Comptroller's Handbook, April 2001.
- The "Information Security" booklet of the FFIEC Information Technology Examination Handbook, September 2016.
- OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," October 2013.
With regard to the violation, the Deputy Comptroller determined that the meeting minutes of the board served as sufficient evidence of the discussion of the information security and GLBA requirements. While the bank could enhance its board reporting, the Deputy Comptroller determined that this issue is more appropriately handled as a recommendation and removed the concern from the MRA. Additionally, the Deputy Comptroller found that the violation cited for nonconformance with 12 CFR 30, Appendix B was not appropriate given the bank's operating environment and risk profile and removed the violation from the supervisory record.
The Deputy Comptroller determined that the remaining concerns in the Information Security Program Management MRA were appropriate, but revised the corrective actions for one of the concerns. The six concerns in the MRA (patch management, vendor management, data confidentiality, information security, network diagram, and access management) relate to fundamental elements of a bank's technology program that require corrective action. The corrective actions regarding access management were revised to exclude two of the five corrective actions.
The Deputy Comptroller found that the Improve Cash Flow Analysis MRA was an appropriate application of OCC standards and guidance, but revised the corrective actions to only require the bank to update the borrower's debt service coverage ratio and the risk rating, as needed, upon receipt of updated borrower financial statements.