On May 23, 2024, the OCC announced that it reached an agreement with Comerica Bank & Trust in which Comerica agreed to implement a host of corrective measures to address the OCC's findings. In this post, we will cover the following:
- Three Steps to Help You Achieve Compliance
- Detailed Summary of Comerica's Consent Order
Three Steps to Help You Achieve Compliance
This enforcement action is another reminder of the consequences of non-compliance with regulatory requirements. It underscores the necessity for financial institutions to prioritize regulatory compliance and governance. To avoid enforcement actions like this one, financial institutions should consider the following key takeaways:
- Maintain robust compliance programs. By adhering to regulatory guidelines and implementing effective compliance programs, financial institutions can mitigate risks, maintain transparency, and build trust with their customers and regulators.
- Establish clear lines of oversight, foster a culture of compliance, and hold individuals accountable for their actions. Core accountability ensures ongoing compliance and mitigates risks.
- Proactively assess processes, policies, and controls identifying areas for improvement and implementing corrective measures to prevent compliance issues. Continuous improvement not only avoids unnecessary risks but also helps stave off enforcement actions.
Financial institutions that embrace a culture of compliance, transparency, and accountability better navigate regulatory complexities. Their people, processes, and systems are more agile enabling them to incorporate new compliance requirements more quickly, mitigating the risks of enforcement actions and fines. Part of this culture requires vigilance to stay abreast of the ever-changing regulatory landscape.
Stay tuned for more insights and updates on regulatory developments as we continue to explore the evolving landscape of financial compliance and enforcement actions. Become a part of our community where we share knowledge, collaborate on best practices, and design new methods to achieve and sustain regulatory compliance. Subscribe now.
Detailed Summary of Comerica’s Consent Order with the OCC
The OCC's agreement with Comerica Bank & Trust, National Association is intended to address the identified unsafe and unsound practices, including those related to Comerica’s risk governance framework and internal controls. Pursuant to this agreement, Comerica must implement the following corrective actions:
The OCC's agreement with Comerica Bank & Trust, National Association is intended to address the identified unsafe and unsound practices, including those related to Comerica’s risk governance framework and internal controls. Pursuant to this agreement, Comerica must implement a host of corrective actions.
Compliance Committee
By May 15, 2024, the Board shall appoint a Compliance Committee of at least three members, a majority of whom shall be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. The Compliance Committee shall monitor and oversee the Bank’s compliance with the provisions of the Agreement.
Board Oversight and Corporate Governance Program
By June 30, 2024, the Bank shall provide an acceptable written program to provide the overall direction, oversight, and corporate governance of the Bank. The program shall include an effective corporate governance structure for the Bank, procedures to ensure the Board receives and reviews sufficient Bank information from management, risk management, and compliance management systems, procedures to ensure the Board monitors the Bank’s operations and performance, and procedures for the Board to periodically evaluate the size, composition, expertise, and independence of the Board.
Third-Party Risk Management Program
By June 30, 2024, the Bank shall provide an acceptable written program to effectively assess and manage the risks posed by third-party relationships. The program shall be commensurate with the level of risk and complexity of the Bank’s third-party relationships and shall address:
- Plans that outline the Bank’s strategy for third-party relationships, identify the inherent risks of the activities performed by the third parties, and detail how the Bank selects, assesses, and oversees third parties;
- Proper due diligence in selecting third parties;
- Written contracts that outline the rights and responsibilities of all parties and that adequately document and protect the Bank’s interests;
- Ongoing monitoring of third-party activities and performance, including third-party adherence to service level standards;
- Contingency plans for terminating third-party relationships in an effective manner;
- Clear roles and responsibilities for overseeing and managing third-party relationships and risk management;
- Documentation and reporting that facilitates Board and management oversight, accountability, monitoring, and risk management associated with third-party relationships; and,
- Independent reviews that allow Bank management to assess whether the Bank’s risk management processes aligns with its strategy and effectively manages risks associated with third-party relationships.
Internal Audit Program
By June 30, 2024, the Bank shall provide an acceptable, independent, comprehensive, revised written internal audit program that adequately assesses controls and operations to allow the Board and management to understand the sufficiency of the Bank’s internal controls system. The program shall incorporate standards of safety and soundness that are commensurate with the Bank’s size, complexity, scope of activities, and risk profile. The program at a minimum, must:
- Provide an objective, independent review and evaluation of the Bank’s activities, internal controls, and management information systems;
- Require the development of an annual risk assessment of the Bank’s auditable areas, with annual documented Audit Committee approval of the risk assessment;
- Require the development of an internal audit plan that is risk-based and provides adequate audit scope, coverage, and frequency for all areas of the Bank, with annual documented Audit Committee approval of the internal audit plan and Audit Committee notification of any material variance from the plan;
- Address the use of third parties to complete any internal audit activities, including documented Audit Committee approval of selection and termination of third parties;
- Evaluate the reliability, adequacy, and effectiveness of the Bank’s internal controls system, whether operated by the Bank or a third party, and identify the root cause of identified deficiencies;
- Evaluate whether the Bank’s internal controls system results in prompt and accurate recording of transactions and proper safeguarding of assets;
- Determine whether the Bank complies with laws and regulations and adheres to its established policies, procedures, and processes;
- Require all internal audits to be supported through adequate transaction testing of Bank specific transactions, which includes documenting the transaction testing methodology, sample size, the accounts and names selected for testing, the documents reviewed as part of the testing, and the results of transaction testing;
- Require management to take appropriate and timely steps to address control deficiencies and audit report recommendations and report its validated progress to the Audit Committee on at least a quarterly basis and require the Audit Committee to make a documented determination of whether the actions taken by management are satisfactory;
- Require all internal audit reports to be in writing, limited to audit findings specific to the Bank, and distributed to the Audit Committee in a timely manner after audit completion; and,
- Require audit work papers and documentation that provides a meaningful audit trail and validation for audit findings, conclusions, and recommendations.
Asset Management Internal Controls Plan
By June 30, 2024, the Bank shall provide an acceptable written plan to improve the Bank’s asset management internal controls. The plan shall address:
- The implementation of sufficient controls to address self-identified risks and control gaps/weaknesses;
- Controls to ensure compliance with 12 C.F.R. Part 9 and strengthen oversight of approved third-party investment managers;
- The identification of all manual processes the Bank utilizes in asset management financial reporting and account administration and solutions to eliminate and automate manual processes; and,
- The establishment of policies, procedures, and practices covering the implementation of controls and solutions.
Data Management and Management Information Systems Plan
By June 30, 2024, the Bank shall provide an acceptable written Data Management and Management Information Systems Plan. The plan shall address:
- Measures to ensure the Bank maintains management information systems that accurately capture and report all fiduciary transactions, including overdrafts;
- Quality control/review processes to ensure the Bank identifies, investigates, monitors, and resolves variances and errors promptly;
- The processing and delivery of account statements upon data error remediation;
- Policies, procedures, and practices covering the required actions; and,
- The engagement of a qualified third-party to confirm actions are effective and sustainable.
Financial Accounting Plan
By June 30, 2024, the Bank shall provide an acceptable written Financial Accounting Plan. The plan shall include:
- The establishment and maintenance of separate Bank general ledger accounts including demand deposit and suspense accounts;
- Enhanced cash reconciliation controls and quality control processes to ensure the Bank identifies, investigates, monitors, and resolves variances and errors promptly; and,
- The engagement of a qualified third-party to confirm actions are effective and sustainable.
Financial Reporting Program
By June 30, 2024, the Bank shall provide an acceptable written Financial Reporting Program. The program shall include:
- Policies and procedures for the Bank’s collection of financial data and preparation of regulatory reports;
- Defined roles and responsibilities for regulatory reporting;
- Qualified staff responsible for regulatory reporting and overseeing the adequacy of reporting practices and adherence to established policies and procedures; and,
- Periodic training for regulatory reporting staff.
IT Asset EOL Program
By June 30, 2024, the Bank shall provide an acceptable written program to mitigate information technology asset end-of-life (EOL) risk. The program shall include:
- Policies and procedures addressing EOL management for existing and new technology assets;
- A comprehensive risk assessment of systems and applications and identification of compensating controls needed to mitigate EOL risk;
- Formalized plans to replace or upgrade EOL systems and applications;
- In cases where EOL systems or applications must remain in use, implementation of appropriate mitigating controls, which may include segregating the system or application from the network; and,
- Exception and risk acceptance approval processes that require management to obtain Board and/or appropriate committee approval to maintain EOL systems or applications on the network and for related upgrade or removal plans.
General Board Responsibilities
The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by this Agreement and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Agreement.