
OCC’s Heightened Standards [Part 2/2]: Use Key Risk Indicators to Unify Compliance


In Part 1 of this writeup, we discussed the approach that the Office of the Comptroller of the Currency (OCC) has taken in recent enforcement actions related to the Heightened Standards guidelines.

In contextualizing their oversight, it’s worth noting that the OCC also recently issued the Director’s Book: Role of Directors for National Banks and Federal Savings Associations and, in so doing, referenced back to their other guidebook on Corporate and Risk Governance. As with other publications and advisories, these guidebooks are an opportunity for financial institutions and covered entities to conduct an impact analysis using Key Risk Indicators (KRI) to ensure that there are no gaps between their compliance programs and the updated guidance.

To that end, there are a few remaining facets of the OCC’s Q4 consent orders that may need to be factored into such a review.


Dirty Data

Making Metrics Matter

There has been a recent trend in the enforcement action space for regulators to focus on data quality and more technological issues within those assessments, oftentimes noting the poor quality or lack of data validation and system integration. In both of the late-year consent orders, the OCC focused on data risk management and data governance.

The OCC also called out the need for processes in the collection, review, and dissemination of compliance-related metrics. Both KRIs and general metrics appear to be within scope in these consent orders, with the consent orders’ articles calling for processes and procedures to ensure that:

1) compliance-related metrics are collected;

2) those metrics are robust;

3) they support informed decision-making regarding both the objective risks at issue and the banks’ overall risk governance framework; and

4) senior management and the board review them.

Who Watches the Watchers?

Expectations of Senior Management

As noted in part one of this review, the OCC is focused on how staff throughout the organization support the risk governance framework. The consent orders flat out state that governance and oversight at the upper echelons of the organization are just as significant. While onlookers aren’t privy to the nature of the subjective findings at organizations, those of us in the analysis space can glean that either robust metrics were not being collected, were not of sufficient quality to support the risk governance framework, or were not being sufficiently reviewed at senior levels within the organization. Senior management, through boards or committees, should be apprised of risk-related metrics and KRIs. As stated in the consent orders, the metrics and KRIs themselves should be granular and have both warning lines and limits related to their subjective risk categories. Ostensibly, the OCC expects to see that there are:

1) Procedures for the collection and validation of risk governance framework-related metrics, which include the frequency of submission to and seniority levels of the reviewers;

2) Charters or other supporting documentation noting that those governing committees (or comparable entities) are in fact being given those metrics; and 

3) Minutes or other supporting information to show that senior management is providing credible evidence for the same.

Many Hands Make Light Work

A More Connected Risk Management Framework

As with other areas of compliance, the risk governance framework is an all-hands endeavor. The gist of these enforcement actions is that certain areas of the organization may have been waning in their support of the banks’ compliance posture, without compensating support from other areas. While the Corporate and Risk Governance expectations have been in place for over six years, the consent orders at issue were on a multi-hundred-million-dollar scale, which should give any onlooker pause.

As with other trigger events, this is an opportunity for financial institutions to pause and evaluate, for better or worse, where their compliance programs are in comparison to these reiterated expectations. Regulatory technology can help firms with this evaluation, connecting disparate systems and teams within their organizations, spotlighting areas of risk, and, in turn, enabling a more unified culture of compliance.

End-to-End Compliance with Ascent

When it comes to identifying the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use world-class AI to help firms rapidly and accurately identify their regulatory obligations, at the most granular level possible. This granularity, or precision, is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within your existing regulatory compliance framework. Ascent then keeps your obligations up to date automatically.

To help firms build a more connected risk governance framework, Ascent seamlessly integrates with GRC platforms. With a single source of regulatory truth, the three lines of defense can all work from the same data towards the same goals.

To learn more about Ascent and its API integrations, contact us directly. For more information about risk and compliance strategies such as IRM and the technology that powers them, subscribe to our monthly newsletter Cliff Notes below.



OCC’s Heightened Standards [Part 1/2]: What Recent Enforcement Actions Signal for Firms


2020 was a year that was remarkable for one very obvious reason. However, with the exception of one multi-billion dollar fine handed out by the Securities and Exchange Commission and another more unique fine from New York regulators related to the nefarious Jeffrey Epstein, it was a relatively quiet year in the financial compliance enforcement space. Yet, late in the year, the Office of the Comptroller of the Currency (OCC) issued some enforcement actions that caught the industry’s attention. 

What was interesting about these particular consent orders was that they provided a rare insight into the OCC’s view of the Heightened Standards for Large Financial Institutions and how gaps in risk and compliance might be treated. Unlike enforcement actions related to financial crime or anti-money laundering compliance, these two consent orders did not provide comprehensive statements of fact. As a result, while onlookers must extrapolate and deduce what the OCC was focused on, a few salient points can be drawn.


Stricter Definitions on the Three Lines of Defense

The consent orders focused very heavily on covered financial institutions’ delineation of the three lines of defense—front-line units, independent risk management, and independent testing. Effectively, the consent orders serve as a reminder to financial institutions to establish and routinely evaluate the roles and responsibilities of those divisions within the organization, in order to ensure that they support the company’s risk governance framework. At the more granular level, this might require an evaluation of role or job descriptions, team functions, and overall organizational structure to ensure that risks are adequately monitored and escalated as necessary.

The inference from these consent orders, and therefore the regulatory expectation, is that each role-holder and team understands what risk management means to their function, and where that fits into the overall picture. One callout from the consent orders is the need to train staff on their relationship to the risk governance framework as another means to ensure better ongoing alignment.


Strong Governance Expected Over Policies and Procedures

While it again would have been useful to see more details about the institutions at issue and what the regulator’s underlying concerns were, further extrapolations can be drawn from the available language. An additional highlight of these enforcement actions, and more broadly of the expectations of the Heightened Standards, is the objective and subjective nature of policies and procedures.

The OCC makes clear that covered entities should have strong governance over policies and procedures, which includes time-bound and trigger event-driven reviews of policies and procedures, documented ownership of those documents, and processes to ensure that all affected teams/functions within the company are fully aware of those updates. 

As with the roles and responsibilities of individual staff, the OCC goes further to state that, subjectively speaking, policies and procedures are meant to be aligned to and show support of their relative compliance risks as well as the company’s overall risk governance framework. Casual observers do not, and will not, know whether or not the penalized organization had what regulators considered to be “arbitrary” or “detached” policies/procedures, but the implication is clear—connectivity and risk management must be the common thread.  

In our next post, we will make further inferences from the Heightened Standards around: 

  • Data and Metrics
  • Senior Management Oversight

Track and Manage Your Changing OCC Obligations

With enforcement actions continuing to be issued by the OCC and other regulators, financial firms can’t afford to miss a regulatory obligation or rule change.  

Ascent is a regulatory automation solution that automatically generates regulatory obligations targeted to your firm, surfaces relevant rule changes, then updates your obligations accordingly. With an API integration, you can also fuel your GRC or other workflow systems with Ascent data, allowing you to trigger change alerts and map regulatory changes to your controls, policies and procedures. 

Spend less time analyzing dense legal text and more time implementing compliance throughout the business. 

To learn how Ascent can help you identify your regulatory obligations and changes, contact us.

For more articles like these, subscribe to our monthly Cliff Notes newsletter below. 
