Two banks associated with the Morgan Stanley company face a $60 million civil money penalty (CMP) for the banks’ shortcomings in decommissioning two “wealth management” business data centers in the U.S. four years ago, the regulator of national banks said Thursday.
According to the Office of the Comptroller of the Currency (OCC), the actions against Morgan Stanley Bank, N.A., and Morgan Stanley Private Bank, N.A., came as a result of the banks’ failure to “exercise proper oversight” when shutting down the two data centers in 2016.
In a release, the OCC said the banks failed to: effectively assess or address risks associated with decommissioning the hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.
This isn’t the first time the banks have been called out for such shortcomings. The OCC said that, in 2019, the banks experienced “similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data.”