Skip to main content

2020 was a year that was remarkable for one very obvious reason. However, with the exception of one multi-billion dollar fine handed out by the Securities and Exchange Commission and another more unique fine from New York regulators related to the nefarious Jeffrey Epstein, it was a relatively quiet year in the financial compliance enforcement space. Yet, late in the year, the Office of the Comptroller of the Currency (OCC) issued some enforcement actions that caught the industry’s attention. 

What was interesting about these particular consent orders was that they provided a rare insight into the OCC’s view of the Heightened Standards for Large Financial Institutions and how gaps in risk and compliance might be potentially treated. Unlike enforcement actions related to financial crime or anti-money laundering compliance, these two consent orders did not provide comprehensive statements of fact.  As a result, while onlookers must extrapolate and deduce what the OCC was focused on, a few salient points can be drawn.

READ MORE: OCC’s Heightened Standards [Part 2/2]

Stricter Definitions on the Three Lines of Defense

The consent orders focused very heavily on covered financial institutions’ delineation of the three lines of defense—front-line units, independent risk management, and independent testing. Effectively, the consent order serves as a reminder to financial institutions to establish and routinely evaluate the roles and responsibilities of those divisions within the organization, in order to ensure that they support the company’s risk governance framework. Calling out responsibilities at the more granular level, this might require an evaluation of the role or job descriptions, team functions, and overall organizational structure to ensure that risks are adequately monitored and escalated as necessary.

The inference from these consent orders, and therefore regulatory expectation, is that each role-holder and team understand what risk management means to their function, and where that fits into the overall picture. One callout from the consent orders is the need to train staff on their relationship to the risk governance framework as another means to ensure better ongoing alignment.  

READ MORE: How an Integrated Risk Management Approach Transforms Organizations

Strong Governance Expected Over Policies and Procedures

While it again would have been useful to see more details around the institutions at issue and what the regulator’s underlying concerns were, further extrapolations can be found in the available language. An additional highlight of these enforcement actions, and more broadly, to the expectations of Heightened Standards, is the objective and subjective nature of policies and procedures. 

The OCC makes clear that covered entities should have strong governance over policies and procedures, which includes time-bound and trigger event-driven reviews of policies and procedures, documented ownership of those documents, and processes to ensure that all affected teams/functions within the company are fully aware of those updates. 

LEARN MORE: How to Fuel Your GRC with Ascent Data


As with the roles and responsibilities of individual staff, the OCC goes further to state that, subjectively speaking, policies and procedures are meant to be aligned to and show support of their relative compliance risks as well as the company’s overall risk governance framework. Casual observers do not, and will not, know whether or not the penalized organization had what regulators considered to be “arbitrary” or “detached” policies/procedures, but the implication is clear—connectivity and risk management must be the common thread.  

In our next post, we will make further inferences from the Heightened Standards around: 

  • Data and Metrics
  • Senior Management Oversight

READ MORE: SEC Priorities: Cryptocurrency Regulation and a Changing of the Guard


Track and Manage Your Changing OCC Obligations

With enforcement actions continuing to be issued by the OCC and other regulators, financial firms can’t afford to miss a regulatory obligation or rule change.  

Ascent is a regulatory automation solution that automatically generates regulatory obligations targeted to your firm, surfaces relevant rule changes, then updates your obligations accordingly. With an API integration, you can also fuel your GRC or other workflow systems with Ascent data, allowing you to trigger change alerts and map regulatory changes to your controls, policies and procedures. 

Spend less time analyzing dense legal text and more time implementing compliance throughout the business. 

READ MORE: Behind the Scenes: Ascent’s RegulationAI and Why It’s Different


To learn how Ascent can help you identify your regulatory obligations and changes, contact us.

For more articles like these, subscribe to our monthly Cliff Notes newsletter below. 



[pardot-form id=”323″ title=”Cliff Notes Subscriber Form”]