The US Office of the Comptroller of the Currency (OCC) has imposed a civil money penalty on Morgan Stanley Bank and Morgan Stanley Private Bank for failing to adequately oversee the decommissioning of two wealth management business data centres located in the USA in 2016.
In its consent order the regulator says that the bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risks involved in using third-party vendors, including subcontractors; and failed to maintain an appropriate inventory of customers' data stored on the devices. It also allegedly failed to "exercise adequate due diligence in selecting the third-party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor's performance." In 2019, the bank experienced similar vendor management control deficiencies in connection with the decommissioning of wide-area application service devices. The bank neither admits nor denies the OCC's assertions.
Through these failures, the regulator says, the bank did not comply with 12 CFR Part 30, Appendix B, entitled "Interagency Guidelines Establishing Information Security Standards," and engaged in unsafe or unsound practices that were part of a pattern of misconduct. CFR is the US Code of Federal Regulations.