The Office of the Comptroller of the Currency (OCC) has hit Morgan Stanley with a $60 million penalty for failing to properly decommission two wealth management data centres in 2016.
The OCC says that Morgan Stanley failed to "effectively assess or address risks" associated with decommissioning its hardware at the two US sites.
The bank is also accused of failing to do its due diligence in selecting a vendor to carry out the decommissioning work, of then failing to monitor the vendor's performance, and of failing to maintain an appropriate inventory of customer data stored on the decommissioned hardware.
In addition, the OCC says Morgan Stanley had similar vendor management issues in 2019 when it decommissioned other devices storing customer data.
The bank says it does not believe any client information has been accessed but that it has boosted its security procedures and informed clients of the lapse.