facebook twitter linkedin google gplus pinterest mail share search arrow-right arrow-left arrow print vcard

OCC’s $15 Million Consent Judgment Against AmEx Is Latest Example of Regulators’ Focus on Insufficient Third-Party Affiliate Oversight in the Financial Industry


By Robert M. Horwitz

For federal regulators with oversight responsibilities over the banking and financial services industry, it is third-party time. On the heels of other recent enforcement actions involving inadequate oversight of third-party vendors and service providers, the Office of the Comptroller of the Currency (OCC) recently obtained a $15 million consent judgment against American Express National Bank (AmEx) for failing to govern and oversee a third-party affiliate and for regulation violations relating to certain efforts to retain small business customers.

Specifically, the OCC found AmEx failed to ensure its third-party affiliate had appropriate call monitoring controls and appropriate mechanisms to document and track customer complaints. Additionally, AmEx did not collect necessary consumer information and properly maintain and produce records to show compliance with Customer Identification Program regulations.

The OCC’s July 27, 2023, consent order against AmEx is just the latest example of a multi-agency focus on transgressions by affiliates and the risk to those that retain them if they lack an effective compliance management system (CMS), including a robust third-party oversight program. It also comes in the wake of extensive final guidance issued on June 6, 2023, by the OCC, the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation regarding management and oversight of third-party vendors. 

According to the OCC, the Interagency Guidance on Third-Party Relationships “is intended to assist banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations.” The guidance outlines the third-party risk management life cycle and identifies risk management principles applicable to each stage of the life cycle. It also describes sound risk management principles to consider when developing and implementing third-party risk management practices commensurate with the bank’s risk profile and complexity, as well as the criticality of the activity supported by the third party.

Maddin Hauser regularly works with clients in the financial services industry to develop and implement comprehensive internal and third-party compliance programs aligned with applicable guidance and best practices. If you would like to discuss your company’s compliance concerns, please contact Rob Horwitz at Maddin Hauser.