OCC fines American Express $15 million for third-party noncompliance

 

American Express National Bank was hit with a $15 million fine by the Office of the Comptroller of the Currency on Tuesday due to inadequate controls over a third-party vendor. The agency has been warning banks of the dangers of relying too heavily on fintech partnerships.
Bloomberg News

WASHINGTON — The Office of the Comptroller of the Currency has hit American Express National Bank with a $15 million civil money penalty for violations related to its oversight of one of its third-party affiliates.

The OCC said Tuesday that the bank did not ensure that its affiliate — which, according to American Express, refers to its Travel Related Services Company — implemented adequate call-monitoring controls and mechanisms for tracking customer complaints. The OCC also said American Express insufficiently collected and housed essential consumer data and records required to be in its customer identification program, a component of banks' anti-money-laundering compliance mandates.

"In the period 2015 to 2017, as part of large-scale efforts to retain small-business customers … the bank violated CIP regulations and recklessly engaged in unsafe or unsound practices," according to the OCC release.

As noted in its consent order to Amex, the OCC has supervisory authority over the national bank, and while it's been nearly a decade since the bank received an OCC consent order, Amex has faced fines for failing to manage third-party risks and for AML noncompliance in the past. The OCC noted in the consent order accompanying the release that the latest violations were part of a "pattern of misconduct" at the firm.

American Express told American Banker that as of the OCC's announcement, it had fully addressed and remediated the agency's concerns, including by providing customers redress.

"American Express will pay a $15 million civil money penalty to the OCC. We had fully reserved for the penalty in a prior period," they wrote in an email. "The matters covered by the settlement have been fully addressed, including updating card sales policies, enhancing training for sales employees, and providing customer remediation as appropriate."

In 2012, the OCC announced a $500,000 civil money penalty and $6 million in restitution to customers for Amex's failure to properly manage vendors that violated section 5 of the Federal Trade Commission Act by using deceptive collection practices. The OCC also fined Amex $3 million a year later in 2013 for unfair billing and deceptive marketing practices.

Tuesday's announcement comes just over a month after regulators issued updated guidance instructing banks to carefully monitor the risks they face from relationships with third-party entities. In the guidance, regulators instructed banks to implement risk management commensurate with their size and complexity, as well as risk profile.

The lead author of the revamped third-party guidance, acting Comptroller Michael J. Hsu, has repeatedly warned banks that the increasing prevalence of third-party partnerships, like those between banks and fintechs, could pose new compliance risks. The guidance makes clear that while offloading banks' internal functions to third parties may increase efficiency, it does not absolve them of accountability and can expose firms to penalties if they fail to monitor their affiliates.

"It is important for a banking organization to understand how the arrangement with a third party, including a fintech company, is structured so that the banking organization may assess the types and levels of risks posed," the guidance states.
