Banking and Finance Law Daily Bank must improve ‘unsafe practices’ regarding technology and operational risk management
Tuesday, September 21, 2021

Bank must improve ‘unsafe practices’ regarding technology and operational risk management

By Sherri M. Schroeder, J.D.

A cease-and-desist order issued by the OCC requires MUFG Union Bank to take remedial action to correct alleged noncompliance with the “Interagency Guidelines Establishing Information Security Standards.”

The Office of the Comptroller of the Currency has issued a cease-and-desist consent order against San Francisco-based MUFG Union Bank, National Association, a wholly owned subsidiary of MUFG Americas Holding Corporation, which is incorporated in Delaware with its principal executive offices located in New York City. The consent order settles proceedings against MUFG pursuant to 12 U.S.C. Section 1818(b) for “engaging in unsafe or unsound practices and its noncompliance with 12 CFR Part 30, Appendix B.” Although MUFG neither admitted nor denied that it was in noncompliance with the “Interagency Guidelines Establishing Information Security Standards” and engaged in unsafe or unsound practices regarding technology and operational risk management, the bank has already begun corrective action and committed resources to remediate the alleged deficiencies.

Under the consent order, the MUFG agreed it will, within 90 days of Sept. 20, 2021, do the following:

  • Develop and adhere to a comprehensive Action Plan that details the remedial action necessary to achieve compliance with the consent order and address the unsafe or unsound practices and noncompliance with 12 CFR Part 30, Appendix B;
  • File written Action Plan progress reports quarterly;
  • Submit a Board and Management Oversight Plan to improve reporting to the Board and senior management on the Bank’s level of risk in the technology and operations environment, including how remediating the issue impacts the level of risk;
  • Develop a Technology Risk Assessment Plan to improve MUFG’s technology risk assessment process;
  • Submit an IT and Operational Risk Governance Plan to timely and effectively implement the Bank’s information technology (IT) and operational risk governance frameworks and supporting programs;
  • Submit an Operations and Internal Controls Plan to improve policies, procedures, processes, and internal controls within the Bank’s technology and operations environments, commensurate with the level of risk and complexity of the Bank’s activities;
  • Update its Information Security Program Implementation Plan, along with a plan to effectively implement it at the Bank;
  • Submit a Staffing Plan to hire and retain sufficient staff to support MUFG’s remediation of IT and operational risk issues and “business-as-usual” activities; and
  • Submit a Data Management and Reporting Plan to improve data management and reporting practices to ensure accurate risk, regulatory, and other reporting.
  • The order requires the plans be in writing and reviewed at least annually for effectiveness, and more frequently if necessary or if required by the OCC. Any changes to the plans must be submitted to the Examiner-in-Charge for review and prior written determination of no supervisory objection.

As a result of the order, MUFG is not precluded from being treated as an “eligible bank” for the purposes of 12 C.F.R. Part 5 or 12 C.F.R. Part 24, unless it fails to meet any of the requirements contained in subparagraphs (1) – (4) of 12 C.F.R. Section 5.3 or 12 C.F.R. Section 24.2(e)(1) – (3), respectively. In addition, MUFG is not subject to the restrictions in 12 C.F.R. Section 5.51 requiring prior notice to the OCC of changes in directors and senior executive officers or the limitation on golden parachute payments set forth in 12 C.F.R Part 359, unless it is otherwise subject to such requirements pursuant to 12 C.F.R. Section 5.51(c)(7)(i) and (iii).

Nothing in the consent order releases, discharges, compromises, settles, dismisses, or resolves any action, or in any way affects any actions, that may be or have been brought by any other representative of the United States or its agencies, including the Department of Justice. The order’s provisions will remain in effect and enforceable until the OCC amends, suspends, waives, or terminates the order in writing.

Companies: MUFG Americas Holding Corporation; MUFG Union Bank

MainStory: TopStory BankingOperations CaliforniaNews CyberPrivacyFeed DataSecurity DelawareNews DirectorsOfficersEmployers EnforcementActions FinancialStability FinTech GCNNews NewYorkNews Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.