The Office of the Comptroller of the Currency (OCC) on Monday issued MUFG Union Bank a cease-and-desist order for “unsafe or unsound practices regarding technology and operational risk management.”

The order alleges MUFG is not in compliance with Federal Reserve guidelines on information security standards. In an accompanying press release, the OCC stated it will pursue enforcement against MUFG if the deficiencies identified are not remediated in a timely manner.

Key requirements: MUFG’s board has until Oct. 20 to appoint a three-member compliance committee primarily comprised of directors who are not affiliated with the bank in any capacity, the order states. The bank must develop a written action plan that details the remedial actions necessary to address the deficiencies noted by the OCC.

MUFG must outline how it intends to improve:

  • Reporting to the board and senior management on the bank’s technology and operations risk;
  • Technology risk assessment processes, internal controls, and staffing deficiencies;
  • Policies, procedures, processes, and internal controls within its technology and operations environments; and
  • Data management and reporting practices to ensure accurate risk, regulatory, and other reporting.

In its order, the OCC noted MUFG “has begun corrective action and has committed resources to remediate the deficiencies.”

Board responsibilities: The consent order further imposes responsibilities upon the board of MUFG, including that it:

  • Authorize, direct, and adopt corrective actions on behalf of the bank as may be necessary to perform the obligations and undertakings imposed by the order;
  • Ensure the bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of the order;
  • Require management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from the order and hold them accountable for executing their duties and responsibilities; and
  • Require appropriate, adequate, and timely reporting to the board by management of corrective actions and address any noncompliance with those corrective actions in a timely and appropriate manner.

Of note: U.S. Bancorp on Tuesday announced it has entered into a definitive agreement to acquire MUFG’s core regional banking franchise from Mitsubishi UFJ Financial Group. In the announcement, U.S. Bank acknowledged the consent order, noting it “evaluated and incorporated these regulatory concerns into all aspects of the deal process, including due diligence, integration planning and valuation.

“The company believes it can successfully remediate the issues applicable to MUFG Union Bank in connection with the transaction, and that the order will not restrict U.S. Bancorp’s ability to operate and grow its business as planned.”

The transaction, subject to regulatory approval, is expected to close in the first half of 2022.