Morgan Stanley agreed to pay US$60 million to settle accusations that the bank didn’t properly handle the decommissioning of data centres tied to its wealth-management business, the Office of the Comptroller of the Currency said in a Thursday statement.
The lender “failed to effectively assess or address risks associated with decommissioning its hardware,” including improper assessment of the risks of subcontracting the work and failing to keep appropriate tabs on customer data stored on obsolete devices, the regulator said. The fine doesn’t come with additional business restrictions.
The OCC detailed two instances -- one in 2016 and another in 2019 -- in which Morgan Stanley didn’t meet expectations for overseeing contractors, though no breach of customer information was implied. Four years ago, the lender decommissioned two data centres associated with its U.S. wealth-management operations, and it failed to properly oversee the contractor’s handling of the hardware, according to the consent order. A similar issue arose in 2019 regarding the decommissioning of other hardware.
“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” Morgan Stanley said in a Thursday statement. “Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”
Morgan Stanley announced Thursday that it would expand its wealth-management business through a US$7 billion acquisition of Eaton Vance Corp. Last week, Morgan Stanley received approval from the Federal Reserve to acquire E*Trade Financial Corp. The deal adds a broad new base of retail customers to Morgan Stanley’s brokerage business.