I. INTRODUCTION
The Office of the Comptroller of the Currency (OCC) has issued a bulletin to remind national banks and federal savings associations (collectively, banks) of their obligations related to the maintenance of records, records retention, and examiner access to records. The OCC has become aware of communications technology made available to banks that could prevent or impede OCC access to bank records through certain data deletion or encryption features. Use of communications technology in this manner is inconsistent with the OCC’s expectations regarding data retention and availability.
The guidance reminds banks that:
II. MAINTENANCE OF RECORDS, RECORDS RETENTION, AND EXAMINER ACCESS
The OCC has authority under 12 USC 481 to require prompt and complete access to all of a national bank’s relevant books, records, or documents of any type. For federal savings associations, the OCC’s authority is under 12 USC 1464(d)(1)(B)(ii). Also included within the scope of its authority is the ability of OCC examiners to communicate freely with a bank’s employees, officers, or directors. To meet their supervisory responsibilities, OCC examiners need timely access to bank records and need to communicate freely with bank personnel.
The OCC supports responsible innovation in the banking industry that is consistent with OCC expectations and safe and sound banking practices. Certain available communications technology contains data deletion and encryption features that can be used to prevent or impede OCC access to a bank’s books and records. For example, the OCC is aware that some chat and messaging platforms have touted an ability to “guarantee” the deletion of transmitted messages. The permanent deletion of internal communications, especially if occurring within a relatively short time frame, conflicts with OCC expectations of sound governance, compliance, and risk management practices as well as safety and soundness principles.
Bank management must ensure that its adoption of any communications technology continues to allow for examiner access to appropriate bank records. Record retention practices that are consistent with OCC expectations will enhance effective oversight by banks’ compliance and internal audit functions as well as comply with established governance, compliance, and risk management practices.