Two information collections up for renewal – one on money laundering risk (MLR) assessments and the other on guidance regarding data breaches – will be proposed by the federal regulator of national banks as early as Friday.
The Office of the Comptroller of the Currency (OCC), in filings with the Federal Register, said its MLR assessment helps its examiners (and bank management) identify and evaluate sanctions risks for banks’ products, services, customers, and locations under Bank Secrecy Act/anti-money laundering (BSA/AML) requirements, as well as those of Treasury’s Office of Foreign Assets Control (OFAC).
“As new products and services are introduced, existing products and services change, and banks expand through mergers and acquisitions, banks’ evaluation of money laundering and terrorist financing risks should evolve as well,” the agency wrote in its notice, noting that, consequently, the MLR risk assessment is an important tool for the OCC’s supervision program.
The agency added that the risk assessment is critical in protecting U.S. banks and financial institutions of all sizes from potential abuse through money laundering and terrorist financing. “An appropriate risk assessment allows applicable control to be effectively implemented for the lines of business, products, or entities that would elevate Bank Secrecy Act/Money Laundering and OFAC compliance risks,” it wrote, adding that the agency will collect MLR information for the community banks it supervises.
Regarding guidance for data breaches (formally: “unauthorized access to customer information”), the OCC said the security guidelines adopted by federal regulators (which implement the section of the Gramm-Leach-Bliley Act on safeguards at financial institutions) require banks and financial institutions supervised by the OCC to consider and adopt response programs that specify the actions to take when unauthorized individuals are detected gaining, or are suspected of having gained, access to customer information systems.
The guidance the agency wants to renew specifies that an institution that identifies or suspects a breach incident must, at a minimum, follow three procedures: assess the nature and scope of the incident, notify its primary federal regulator as soon as possible following (or during) the incident, and take appropriate steps to contain and control the incident. Customers must also be notified “when warranted,” the guidance states.
“When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that the information has been misused,” the notice states. “If the institution determines that the misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.”
Both the MLR and data breach guidance information collection renewal proposals were issued with 30-day comment periods.