Compliance Corner

Guidance on using third-party consultants during enforcement actions

By Kris Welch

As part of an enforcement action or when remedial actions are needed, the Office of the Comptroller of the Currency may require national banks and federal thrifts to engage an independent consultant to ensure that independent judgment and the requisite expertise are employed. In November, the OCC issued Bulletin 2013-33, which establishes standards and provides guidance to national banks and federal savings associations when engaging independent consultants as part of an enforcement action to address significant violations of law, fraud or harm to consumers.

The bulletin is not applicable when the OCC requires a bank to hire a consultant to provide expertise needed to correct operational or management deficiencies. In those circumstances, banks should review and implement the guidance outlined in OCC Bulletin 2013-29 titled “Third-Party Relationships.”

Through its enforcement authority, the OCC has ordered nationally chartered banks of all sizes to retain independent consultants. Such consultants have been engaged to:

  • assess the bank’s compliance with legal requirements in cases involving material violations of law;
  • assist in providing guidance for restitution for violations of consumer protection statues;
  • identify affected consumers, monitor payments to such consumers and provide written reports evaluating remediation regarding significant consumer law violations, which include Section 5 of the Federal Trade Commission Act regarding unfair or deceptive practices;
  • test and address significant deficiencies with a bank’s or thrift’s Bank Secrecy Act program (staffing, risk assessment and internal controls);
  • review transaction activity to determine whether banks must file Suspicious Activity Reports and whether such SARs filed require amendments;
  • review transaction activity to determine whether banks must file Currency Transaction Reports for large cash reporting; and
  • perform forensic audits in cases where the OCC has concerns about widespread fraud or systemic irregularities in bank records.

When the OCC determines that an enforcement action requires the use of an independent consultant, the agency now requires a bank to submit for review due diligence information on the consultant, including the proposed consultant’s qualifications and terms of service. The guidance outlines three primary areas of consideration for such conducting due diligence:

1. Due diligence expected for engaging a consultant. A bank should be guided by OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guide,” as well as by 2013-30 Guidance. A bank should submit its evaluations of a consultant’s qualifications, independence, resources, expertise, capacity, reputation, information security and document custody practices, risk management and reporting, and conflicts of interests. It should also provide information on the consultant’s financial viability and any professional disciplinary actions filed against the consultant and the potential impact of such actions on its evaluation.

2. Assessing the independence of the consultant. Assessing a consultant’s independence should include any existing or prior relationships with the bank, its affiliates or its insiders; any potential conflicts of interest; and any other relevant factors. The consultant should provide assurances that its proposed engagement will not breach any professional restrictions governing conflicts of interest to which the consultant is subject.

3. Engagement contract and work plan. The bank should ensure the proposed consultant engagement contract guarantees:

  • compliance with applicable laws and regulations (including those related to privacy and confidentiality);
  • maintenance of complete records;
  • availability of work papers, analysis, drafts and reports;
  • disagreements regarding material matters that cannot be resolved between the bank and the consultant are brought to the OCC’s immediate attention;
  • ongoing reporting requirements are identified and met;
  • the consultant is available to meet or discuss matters privately with the OCC;
  • the conclusions and recommendations provided by the consultant are based on its own independent and expert judgment, although the consultant may consider the bank’s views;
  • the institution’s board of directors receives a final report;
  • material modifications to the contract work plan must be approved by the OCC in writing;
  • any work covered by the engagement, which will be subcontracted will require written approval by the OCC; and
  • the contract shall be terminated by the institution upon written direction from the OCC to the institution without any objection or right of appeal by the consultant.

Considerations governing the OCC’s monitoring of a consultant’s work include (1) the nature of deficiencies or violations the independent consultant is engaged to identify including with respect to recommendations regarding remediation, (2) the scope and duration of work, and (3) the potential for a materiality of harm to consumers and the bank.

As part of the assessment of the bank’s compliance with the enforcement action, the OCC must determine whether the bank has addressed and corrected the violations or deficiencies that formed the basis for the enforcement action. The OCC will review the consultant’s final written report of its findings and recommendations. This review provides the OCC the opportunity to assess whether all matters defined in the enforcement action and reviewed by the consultant were adequately addressed.

Kris Welch ( is a vice president with Chartwell Compliance