A national bank settled OCC charges for failing to properly oversee the decommissioning of two data centers involved with the bank’s wealth management business.
According to the OCC findings in the Consent Order, in 2016, the bank failed to adequately assess the risks involved in (i) decommissioning its hardware, (ii) using third party vendors without conducting sufficient due diligence in their selection, and (iii) failing to maintain an adequate customer data inventory. In 2019, the Bank “experienced similar vendor management control deficiencies in connection with the decommissioning of wide area application services devices.”
To settle the OCC’s charges, the bank notified potentially impacted customers of both incidents, agreed to undertake initial corrective actions, and agreed to pay a $60 million civil money penalty.