Violations of Laws and Regulations: Updated Guidance

May 23, 2017 / Source: OCC

Subject: Violations of Laws and Regulations
Date: May 23, 2017
To: Chief Executive Officers of All National Banks and Federal Savings Associations, Department and Division Heads, All Examining Personnel, and Other Interested Parties

Description: Updated Guidance


The Office of the Comptroller of the Currency (OCC) updated today its policies and procedures regarding violations of laws and regulations. This policy is effective on July 1, 2017. These updates are reflected in the “Bank Supervision Process,” “Community Bank Supervision,” “Federal Branches and Agencies,” and “Large Bank Supervision” booklets and other sections of the Comptroller’s Handbook and internal guidance.

The OCC’s updated policies and procedures on violations of laws and regulations address recommendations in “An International Review of OCC’s Supervision of Large and Midsize Institutions” (International Peer Review report) and support the agency’s mission of ensuring a safe and sound federal banking system by emphasizing timely detection and correction of violations before they affect a bank’s condition. The updated policies and procedures also provide the agency with guidelines on consistent terminology, communication, format, follow-up, analysis, documentation, and reporting of violations.

Note for Community Banks

The updated policies and procedures apply to examinations of all national banks, federal savings associations, and federal branches and agencies (collectively, banks).


The OCC’s updated guidance highlights the principles important in implementing the agency’s mission of ensuring safe and sound bank operations. Here are the goals and practices the agency is implementing:

  • Ensure consistency of the purpose, processes, and procedures within and across all OCC lines of business, including community, midsize, and large banks; federal branches and agencies; and banks overseen by the OCC’s Special Supervision group.
  • Communicate violations using a consistent format:
    • Legal citation and description
    • Summary of relevant statutory or regulatory requirements
    • Facts supporting the violation and root cause(s)
    • Corrective action(s) required
    • Board and management’s commitment(s) to corrective action
  • Reinforce the importance of timely and thorough follow-up and tracking of bank management’s corrective actions and milestones to those actions.
  • Convey the relationship of violations to matters requiring attention, CAMELS/ITCC or ROCA ratings,¹ and the bank’s risk appetite and profile.
  • Emphasize the need for examiners to communicate effectively and in a timely manner with the bank’s board of directors, the bank’s management team, and OCC supervisors.


In December 2013, the International Peer Review report recommended that the OCC analyze the effectiveness of the agency’s process for handling matters requiring attention and consider, for example, developing controls to better manage the process. In October 2014, the OCC issued Bulletin 2014-52, “Matters Requiring Attention,” to address the report’s concerns. The OCC determined that the agency could benefit from similar processes regarding violations of laws and regulations.

The OCC’s analysis of its violations process sets the following goals:

  • Enhance standard processes for communicating, tracking, and resolving violations.
  • Ensure the OCC overall and all lines of business individually analyze the volume and trends in violations to determine whether risks are changing.
  • Use consistent terms and monitoring within and across lines of business.

This bulletin is an extension of OCC Bulletin 2014-52.

Communication With Board and Management

Examiners must communicate all OCC-identified violations to facilitate timely and effective corrective action by the board and management. Examiners must communicate substantive violations to the bank in a report of examination (ROE) or supervisory letter, including substantive self-identified violations in certain circumstances. Examiners must communicate less substantive OCC-identified violations in a separate written document if the examiners do not include them in an ROE or supervisory letter. Examiners may use discretion to determine whether less substantive, self-identified violations warrant communication in a separate written document.

The OCC expects the board and management to correct all violations in a timely and effective manner, regardless of how they are communicated. If management fails to correct a violation previously communicated in a separate written document by the OCC, the examiner should include the violation in the next ROE or supervisory letter.

The first time an examiner communicates a violation to a bank, the examiner must label the violation with one or more of the following attributes:

  • New: Label violations as “new” when the OCC has not previously communicated the same or substantially similar violations in writing during the previous five-year period.
  • Self-identified: Label violations as “self-identified” when there is evidence that the board or management is aware of the violation and documented and disclosed the violation to the OCC before or during the examination. A self-identified violation can arise from various sources, including customer complaints, risk and control self-assessments, independent risk management, internal audit reviews, or third-party reviews.
  • Repeat: Label the violation as “repeat” when the OCC communicated the violation (even if self-identified) in writing during the previous five-year period and new violations of the same or substantially similar regulation or law occur subsequent to the board or management receiving notification. Repeat violations may be substantive or an indication that management failed to remediate the deficient practices that led to the violation, management lacks the commitment or ability to ensure prompt correction and prevention of the violations, or the board has not exercised appropriate oversight or held management accountable for remediation of the causative deficient practices.

Upon completing a follow-up activity, examiners must determine whether to label a violation as past due, pending validation, or closed.

  • Past due: During verification, examiners determine the bank has not implemented the expected corrective actions for the violation within the required time frame, or, during validation, examiners determine that the corrective action is not effective or sustainable. Once a violation is deemed past due, it continues to be past due until it is closed.²
  • Pending validation: The OCC verified that the bank implemented the corrective actions, but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, and the OCC has not validated the sustainability of the corrective actions, or the OCC determines that additional testing is warranted.
  • Closed: The bank has corrected the violation, and the OCC has verified and validated the bank’s corrective actions; a change in the bank’s circumstances corrected the violation; or the violation is otherwise deemed uncorrectable. Closed violations should be communicated as closed in the subsequent ROE, supervisory letter, or written list of violations.

Further Information

All banks should contact their OCC supervisory offices or Large Bank examiners-in-charge with any questions.

Grace E. Dailey
Senior Deputy Comptroller and Chief National Bank Examiner

1 A bank’s composite rating under the Uniform Financial Institutions Rating System, or CAMELS, integrates ratings from six component areas: capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk. Evaluations of the component areas take into consideration the bank’s size and sophistication, the nature and complexity of its activities, and its risk profile. ITCC refers to ratings on information technology, trust, consumer compliance, and the Community Reinvestment Act. ROCA is the interagency uniform supervisory rating system for federal branches and agencies of foreign banking organizations. The ROCA system’s four components are risk management, operational controls, compliance, and asset quality. The overall or composite rating under ROCA indicates whether, in the aggregate, the operations of the branch or agency may present supervisory concerns and the extent of any concerns.

2 A violation may be simultaneously past due and pending validation if the examiner has verified the bank’s corrective action but insufficient time has passed for the bank to demonstrate sustained performance under the corrective actions, and the OCC has not validated the sustainability of the corrective actions.