An official website of the United States government
Share This Page:
A bank supervised by the Office of the Comptroller of the Currency (OCC) appealed to the District Deputy Comptroller the determinations in its most recent report of examination issued by the supervisory office. Specifically, the bank appealed
The appeal contended that management provided verbal reports to the board annually, as required by the Gramm-Leach-Bliley Act (GLBA), and disputed the Federal Financial Institution Examination Council's (FFIEC) policy that the report must be in writing. The appeal also asserted that management corrected the remaining concerns in the Information Security Program Management MRA during the examination.
The appeal stated that the Improve Cash Flow Analysis MRA is not warranted for agricultural loans. The appeal contended that an ongoing credit analysis is not required to update a borrower's repayment capacity upon receipt of updated financial information because the bank determined the borrower's credit worthiness at underwriting. The appeal also asserted that management did not agree to adjust a borrower's debt service coverage ratio upon receipt of financial information nor agree to update the loan policy to require an analysis of income tax return information upon receipt.
The Deputy Comptroller thoroughly reviewed the appeal using the following supervisory standards:
In regards to the violation, the Deputy Comptroller determined that the meeting minutes of the board served as sufficient evidence of the discussion of the information security and GLBA requirements. While the bank could enhance its board reporting, the Deputy Comptroller determined that this issue is more appropriately handled as a recommendation and removed the concern from the MRA. Additionally, the Deputy Comptroller found that the violation cited for nonconformance with 12 CFR 30, Appendix B was not appropriate given the bank's operating environment and risk profile and removed the violation from the supervisory record.
The Deputy Comptroller determined that the remaining concerns in the Information Security Program Management MRA were appropriate, but revised the corrective actions for one of the concerns. The six concerns in the MRA (patch management, vendor management, data confidentiality, information security, network diagram, and access management) relate to fundamental elements of a bank's technology program that require corrective action. The corrective actions regarding access management were revised to exclude two of the five corrective actions.
The Deputy Comptroller found that the Improve Cash Flow Analysis MRA was an appropriate application of OCC standards and guidance, but revised the corrective actions to only require the bank to update the borrower's debt service coverage ratio and the risk rating, as needed, upon receipt of updated borrower financial statements.