






FDIC Enforcement Decisions and Orders



{{1-31-98 p.C-4425}}
   [11,453] In the Matter of Farmers and Merchants Bank, Eatonton,
Georgia, Docket No. FDIC 97-084b (11-12-97)

   Bank to cease and desist from such unsafe and unsound practices. (This order was terminated by order of the FDIC dated 5-28-99; see ¶16,625.)

   [.1] Management—Qualifications Specified
   [.2] Electronic Information Systems—Year 2000 Plan
   [.3] Electronic Information Systems—Replace
   [.4] Electronic Information Systems—Policy
   [.5] Audit—Minimum Procedures Specified
   [.6] Written Progress Reports Required

In the Matter of

FARMERS AND MERCHANTS BANK
EATONTON, GEORGIA
(Insured State Nonmember Bank)
ORDER TO CEASE AND DESIST
FDIC-97-084b

   The Farmers and Merchants Bank, Eatonton, Georgia ("Bank"), having been advised of its right to a written Notice of Charges and of Hearing detailing unsafe or unsound banking practices and violations of applicable laws and regulations alleged to have been committed by the Bank and of its right to a hearing regarding such alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. § 1818 (b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with a representative of the Legal Division of the Federal Deposit Insurance Corporation ("FDIC"), dated ____, 1997, whereby solely for the purpose of this proceeding and without admitting or denying any of the alleged charges of unsafe or unsound banking practices and violations of applicable laws and regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
   The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had committed violations of applicable laws and regulations.
   The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

ORDER TO CEASE AND DESIST

   IT IS HEREBY ORDERED, that the Bank, its institution-affiliated parties, as such term is defined in section 3(u) of the Act, 12 U.S.C. § 1813(u), and its successors and assigns cease and desist from the following unsafe or unsound banking practices and violations of laws and regulations:

       A. Failing to provide adequate supervision and direction over the affairs of the Bank by the board of directors of the Bank to prevent unsafe or unsound practices and violations of laws and regulations;
       B. Operating the Bank with management whose policies and practices with respect to electronic information systems are detrimental to the Bank and jeopardize the safety of its deposits;
       C. Operating the Bank with inadequate and unreliable electronic information systems;
       D. Operating the Bank with an inadequate and unreliable electronic information systems service provider;
       E. Failing to take appropriate measures to ensure that the electronic information systems and other automated systems that are utilized by the Bank are able to perform correctly automated processing operations involving dates later than December 31, 1999;
       F. Operating without appropriate audit practices and procedures with respect to the electronic information systems that are utilized by the Bank;
       G. Failing to require appropriate segregation of the duties of employees who operate the electronic information systems that are utilized by the Bank;
       H. Failing to require an appropriate number of employees to be trained to operate the electronic information systems that are utilized by the Bank;
       I. Utilizing electronic information systems without an appropriate data processing policy;
       J. Failing to develop and test an appropriate disaster recovery plan with respect to the Bank's utilization of electronic information systems;
       K. Utilizing electronic information systems without appropriate policies, practices, and procedures with respect to logical, physical, and operational security;
       L. Failing to establish appropriate authority and controls over the Bank's information systems service provider;
       M. Operating microcomputer systems in the conduct of the Bank's business without an appropriate policy regarding the use of microcomputers by the Bank and its personnel;
       N. Failing to ensure that the electronic information systems that are utilized by the Bank employ applications software that is currently supported by the software vendor;
       O. Failing to ensure that the electronic information systems that are utilized by the Bank employ an operating system that is currently supported by the operating system vendor; and
       P. Failing to maintain written records, or to require the maintenance of written records, reflecting the operational performance of the information systems that are utilized by the Bank.
   IT IS FURTHER ORDERED that the Bank and its successors and assigns take affirmative action as follows:

   [.1] 1. (a) Within 30 days from the effective date of this ORDER, the Bank shall have and retain qualified management. At a minimum, and in addition to the requirements of any other Order(s) with respect to the management of the Bank, such management shall include an Information Systems Officer who shall possess the experience and qualifications necessary to provide appropriate oversight over both the daily operation of the information systems utilized by the Bank and the Bank's longer term provisions for its electronic information system needs. Such Information Systems Officer shall be provided the necessary written authority to implement the provisions of this ORDER. The qualifications of the Information Systems Officer shall be assessed on such officer's ability to (i) comply with the requirements of this ORDER, (ii) cause the Bank's electronic information systems utilization to be conducted in a safe and sound manner, (iii) ensure that the Bank, and not its electronic information systems service provider, exercises control over the Bank's utilization of electronic information systems; and (iv) ascertain that all electronic systems that are utilized by the Bank are able to perform correctly all automated processing operations involving dates later than December 31, 1999 and are appropriately tested to demonstrate such capability. As long as this ORDER remains in effect, the Bank shall notify the Regional Director of the FDIC's Atlanta Regional Office ("Regional Director") and the Commissioner of the Georgia Department of Banking and Finance ("Commissioner") in writing of any change in the identity of the Bank's Information Systems Officer. Such notification shall be in addition to any application and prior approval requirements established by section 32 of the Act, 12 U.S.C. § 1831i, and implementing regulations; must include the names and qualifications of any replacement personnel; and must be provided at least 30 days prior to the individual assuming the new position.

   [.2] 2. Within 30 days from the effective date of this ORDER, the Bank shall develop and adopt a plan ("Year 2000 Plan") for ascertaining that all electronic information systems that are utilized by the Bank, or upon which the Bank depends for the conduct of its business, are able to perform correctly all automated processing operations involving dates later than December 31, 1999 and are tested to demonstrate such capability. Prior to the adoption of the Bank's Year 2000 Plan, such Plan shall be reviewed and approved by the Bank's board of directors, and such review and approval shall be recorded in the minutes of the Bank's board of directors. Thereafter, the Bank shall implement the Year 2000 Plan. Immediately following the adoption of the Bank's Year 2000 Plan, the Bank shall submit a copy of the Plan to the Regional Director and to the Commissioner. At a minimum, the Bank's Year 2000 Plan shall provide for:

    a) Measures, to be taken beginning no later than 45 days from the effective date of this ORDER, to communicate to the Bank's personnel, its information systems service providers, any providers of services to the Bank that involve embedded microprocessors or telecommunications links, and any customers or service providers with whom the Bank conducts business by exchange of information in electronic form, the nature of the Year 2000 Problem, as described in the Federal Financial Institutions Examination Council's May 5, 1997 Interagency Statement on Year 2000 Project Management Awareness, and the need for the Bank, its service providers, and its customers to identify and correct any deficiencies in the Bank's capability to process correctly all transactions involving dates later than December 31, 1999. Such measures shall be reviewed and approved by the Bank's board of directors, and such review and approval shall be recorded in the minutes of the board of directors;
    b) A written assessment, to be completed within 60 days from the effective date of this ORDER, of the extent of the actual and potential Year 2000 problems that are posed by the electronic information systems and other automated systems that are utilized by the Bank. Such assessment shall include the identification of all information systems hardware, operating systems software, application software, data files, telecommunications technologies, and other automated systems that are utilized by the Bank. Such assessment shall also identify all interdependencies between the Bank's automated systems and those of its vendors, its service providers, and its customers. Such assessment shall evaluate the capability of all such systems to conduct correctly all operations involving dates later than December 31, 1999. Such assessment shall also evaluate the Bank's information systems service provider, and any service provider that is utilized by the Bank's service provider, to determine such providers' awareness of, and ability to correct, any Year 2000 problems with respect to information systems services that are provided to the Bank. In addition, such assessment shall address each of the potential Year 2000 problem issues that are identified in the Interagency Statement on Year 2000 Project Management Awareness. Finally, the Bank's written assessment shall identify the resources that will be needed to correct any Year 2000 problems that are identified in the systems that are utilized by the Bank, and shall establish time frames for correcting such problems. The Bank's written assessment shall be reviewed and approved by the Bank's board of directors, and such review and approval shall be recorded in the minutes of the Bank's board of directors. Immediately thereafter, a copy of such written assessment shall be provided to the Regional Director and to the Commissioner.
    c) A written assessment, to be completed within 120 days from the effective date of this ORDER, of the level of potential credit risk to the Bank that results from the reliance of the Bank's commercial loan customers on electronic information systems and other automated systems to conduct the loan customers' businesses. Such assessment shall include reasonable inquiry into the exposure of the Bank's commercial loan customers to Year 2000 problems that might jeopardize the timely repayment of loans. Such assessment shall be reviewed by the Bank's board of directors, and such review shall be recorded in the minutes of the Bank's board of directors;
    d) The renovation, to be completed within 270 days from the effective date of this ORDER, of all electronic information systems and other automated systems that are utilized by the Bank, to the extent that such renovation is necessary to correct all Year 2000 compliance deficiencies that are identified in the assessment phase of the Bank's Year 2000 Plan;
    e) A validation phase, to be completed by no later than December 31, 1998, which shall include comprehensive testing of all electronic information systems and other automated systems that are utilized by the Bank to ascertain that all such systems are in fact capable, after the completion of the renovation phase of the Bank's Year 2000 Plan, of performing correctly all operations involving dates later than December 31, 1999. Such testing shall include testing of all changes to hardware and software that occur in the renovation phase of the Bank's Year 2000 Plan, testing of all aspects of interconnectivity and interoperation of the Bank's electronic information systems with other systems, and determinations by internal users and by external users that at the completion of the renovation phase of the Bank's Year 2000 Plan, all of the electronic systems utilized by the Bank are capable of performing all operations that involve dates later than December 31, 1999. To the extent that any aspect of any electronic information system or other automated system that is utilized by the Bank as of December 31, 1998 cannot be proven to be fully Year 2000 compliant, the validation phase of the Bank's Year 2000 Plan shall include the identification in writing of all such systems and of the nature of such systems' failure to be fully Year 2000 compliant. Such written identification shall be reviewed by the Bank's board of directors by no later than December 31, 1998, and such review shall be recorded in the minutes of the Bank's board of directors. Within 15 days thereafter, the Bank shall develop and implement a plan to replace, by no later than July 1, 1999, any system that is identified as of December 31, 1998 as not having been proven to be Year 2000 compliant; and
    f) The implementation by the Bank, by no later than July 1, 1999, only of electronic information systems and other automated systems that are fully capable of performing all operations involving dates later than December 31, 1999. Such implementation shall include a written determination by the Bank that the electronic information systems that are utilized by the Bank have been tested successfully to determine that such systems are fully capable of performing all operations involving dates later than December 31, 1999.
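Paragraph 2(e) above requires the validation phase to prove, by test, that every system performs correctly on dates later than December 31, 1999. The following Python block is an added illustration of what such a boundary test exercises; it is not text from the ORDER and not code from the Bank or its service provider. It runs a constructed set of loan records through a legacy routine that hard-wires the century to 19xx, through a windowed repair, and through a field-expansion repair, and reports which records yield an impossible loan term. The YYMMDD record layout, the sample records and the pivot of 50 are assumptions for illustration only.

```python
"""Year 2000 boundary test: legacy two-digit-year parsing versus two repairs.

Added example for this page; not part of the FDIC order or of any bank system.
Record layout, sample data and the windowing pivot are assumptions.
"""
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed sample records in a hypothetical fixed-width "YYMMDD" layout:
# (loan id, origination date, maturity date).
SAMPLE_LOAN_RECORDS: List[Tuple[str, str, str]] = [
    ("L-1001", "981215", "990615"),  # both dates before 2000
    ("L-1002", "990701", "000101"),  # maturity crosses 31 Dec 1999
    ("L-1003", "000228", "000301"),  # spans 29 Feb 2000 (1900 had no leap day)
    ("L-1004", "490701", "500701"),  # straddles the assumed windowing pivot
]

PIVOT = 50  # assumption: two-digit years 00..49 -> 20xx, 50..99 -> 19xx


def _split(yymmdd: str) -> Tuple[int, int, int]:
    """Split a six-digit YYMMDD field; reject anything else."""
    if len(yymmdd) != 6 or not yymmdd.isdigit():
        raise ValueError(f"bad YYMMDD field: {yymmdd!r}")
    return int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6])


def legacy_parse(yymmdd: str) -> date:
    """Non-compliant behaviour: the century is hard-wired to 19xx."""
    yy, mm, dd = _split(yymmdd)
    return date(1900 + yy, mm, dd)


def windowed_parse(yymmdd: str) -> date:
    """Interim repair: infer the century from a fixed window around PIVOT."""
    yy, mm, dd = _split(yymmdd)
    return date((2000 if yy < PIVOT else 1900) + yy, mm, dd)


def expand_record(yymmdd: str) -> str:
    """Permanent repair: widen the stored field to YYYYMMDD once, via the window,
    so that later processing never has to guess the century again."""
    return windowed_parse(yymmdd).strftime("%Y%m%d")


def term_days(parse: Callable[[str], date], start: str, maturity: str) -> int:
    """Loan term in days as the given parser would compute it."""
    return (parse(maturity) - parse(start)).days


def run_validation(parse: Callable[[str], date]) -> Dict[str, int]:
    """Compute the term of every sample record under the given parser."""
    return {loan_id: term_days(parse, s, m) for loan_id, s, m in SAMPLE_LOAN_RECORDS}


def failing_records(parse: Callable[[str], date]) -> List[str]:
    """Records whose computed term is impossible (maturity not after origination)."""
    return [loan_id for loan_id, days in run_validation(parse).items() if days <= 0]


if __name__ == "__main__":
    for name, parser in (("legacy", legacy_parse), ("windowed", windowed_parse)):
        print(f"{name:9s} terms={run_validation(parser)} failing={failing_records(parser)}")
    print("expanded:", [expand_record(s) for _, s, _ in SAMPLE_LOAN_RECORDS])
```

Two points the test surfaces that a validation plan should cover explicitly: the legacy routine gets L-1003 wrong by a day even though the term stays positive, because 1900 was not a leap year and 2000 is, so a test that only checks for negative terms would miss it; and the windowed repair simply moves the failure to the pivot (L-1004), which is why the block also shows expansion of the stored field to a four-digit year.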

   [.3] 3. By no later than December 31, 1997, the Bank shall replace the electronic information systems hardware, operating systems, and application software that were being utilized by the Bank as its mainframe data processing system on June 20, 1997, as described in the FDIC's Report of Examination—Information Systems of the Bank as of June 20, 1997. In determining how to replace such electronic information systems, the Bank shall perform or obtain a comprehensive analysis of the costs and benefits to the Bank if the Bank directly purchases or leases electronic information systems, as opposed to entering into a contract or contracts with an information systems service provider. In addition, if the Bank chooses to replace its electronic information systems through an electronic information systems service provider, prior to entering any contract or agreement with any provider for the replacement of the Bank's electronic information systems, the Bank shall perform or obtain a cost-benefit analysis of potential information systems service providers including potential providers that are not affiliates of the Bank as the term "affiliate" is defined in section 23A or 23B of the Federal Reserve Act. The cost-benefit analyses that are required by this Paragraph shall be reviewed by the Bank's board of directors, and such review shall be recorded in the minutes of the Bank's board of directors.
   4. Beginning on the effective date of this ORDER, and for so long as this ORDER shall remain in effect, the Bank shall acquire or contract for the use of electronic information systems hardware, operating systems, and/or applications software only if such hardware, systems software, and/or applications software has been successfully tested for Year 2000 compliance prior to utilization by the Bank and thus is capable of performing correctly all operations (including interactions or interdependencies with other automated systems utilized by the Bank, its customers, its affiliates, and its vendors in the conduct of the Bank's business) involving dates later than December 31, 1999.
   5. Beginning on the effective date of this ORDER, and for as long as this ORDER shall remain in effect, the Bank shall establish authority and controls over any information systems service provider(s) that the Bank may utilize sufficient to assure the effective and timely completion of all hardware and software testing that is needed to complete the Validation Phase of the Bank's Year 2000 Plan as described above in Paragraph 2(e) of this ORDER.
   6. No later than 30 days from the effective date of this ORDER, the Bank shall have, and thereafter the Bank shall continuously have, for as long as this ORDER remains in effect, a fully functional backup electronic information system that is fully compatible with the Bank's primary electronic information system and is immediately available for the Bank's use in the event that the Bank's primary electronic information system is inoperable or unavailable. For so long as this ORDER shall remain in effect, the Bank shall conduct, or cause to be conducted, a test of the backup electronic information system at least once in every calendar year. The results of such testing shall be reported to and reviewed by the Bank's board of directors, and such review shall be recorded in the minutes of the Bank's board of directors.
   7. Beginning on the effective date of this ORDER and for so long as this ORDER shall remain in effect, the Bank shall not enter into, or remain party to, any agreement or arrangement for the provision of electronic information services unless such agreement or arrangement specifically provides for the Bank to retain the following powers: a) to establish, either alone or in conjunction with affiliates of the Bank that obtain electronic information systems services from the same provider, a committee that shall have the responsibility and the authority to define the functional and technical specifications for the electronic information processing systems to be used by the Bank; b) to withhold payment under any electronic information systems service agreement if the information systems service provider violates or causes the Bank to violate any provision of this ORDER; c) to terminate without notice any electronic information systems service agreement if such agreement causes the Bank or its service provider to be cited in any Report of Examination for an apparent violation of section 23A or 23B of the Federal Reserve Act.

   [.4] 8. Within 60 days from the effective date of this ORDER, the Bank shall develop and implement an appropriate Information Systems Policy. At a minimum, such Information Systems Policy shall:

    a) Define the authority and responsibility of each member of the Bank's management with respect to the Bank's electronic information systems function, including the responsibility and authority for defining the Bank's information processing needs and the identification of information systems and/or service providers to meet such needs;
    b) Establish appropriate operational procedures for the Bank's electronic information systems; and
    c) Provide for the establishment of appropriate controls in the operation of the Bank's electronic information systems, including, at a minimum, provisions regarding the following: i) Virus protection software shall be installed on each computer and shall be periodically updated; ii) Appropriate controls on access to computer based information shall be established and maintained, including, at a minimum, password protection of access to computer based programs and data files, encryption of employee passwords whenever such passwords are maintained in an electronic file or displayed visually on a computer screen, appropriate segregation of duties to ensure that employees are not responsible for assigning or knowing customers' personal identification numbers ("PINs") or passwords, and appropriate protections with respect to the confidentiality of data regarding the Bank's customers; and iii) The privileges, duties and responsibilities of employees with respect to the use of the Bank's computer systems shall be defined with specificity.
The Bank's Information Systems Policy shall be reviewed and approved by the Bank's board of directors prior to the implementation of such policy. Such review and approval shall be recorded in the minutes of the Bank's board of directors. Thereafter, for so long as this ORDER shall remain in effect, the Bank shall adhere to the Information Systems Policy and any subsequent modifications thereof. Immediately following the adoption of the Bank's Information Systems Policy, the Bank shall submit a copy of the Policy to the Regional Director and to the Commissioner.
   9. Beginning on the effective date of this ORDER and for so long as this ORDER shall remain in effect, the Bank shall maintain in its files documentation that reflects the operational performance of the electronic information systems that are utilized by the Bank. At a minimum, such documentation shall include a listing of problems (a "Problem Log") which shall include a description of the nature of every problem or failure in the operation of any electronic information system utilized by the Bank that is not clearly attributable to operator error, the date and time at which such problem or failure occurs, the date and time when such problem or failure is corrected, a description of the steps taken to correct such problem or failure, and a description of the impact of such problem or failure upon the conduct of the Bank's business. Each problem or failure in the operation of the electronic information systems utilized by the Bank shall be recorded in the Problem Log within 24 hours after the occurrence of such problem or failure.
   10. Within 90 days from the effective date of this ORDER, the Bank shall develop and implement an appropriate disaster recovery plan with respect to the Bank's utilization of electronic information systems. In developing such disaster recovery plan, the Bank shall consider Chapter 10 of the Federal Financial Institutions Examination Council ("FFIEC") Information System Examination Handbook, "Corporate Contingency Planning." The Bank's board of directors shall review and approve the Bank's disaster recovery plan prior to the Bank's implementation of such plan. Such review shall be recorded in the minutes of the Bank's board of directors. Thereafter, for so long as this ORDER shall remain in effect, the Bank shall continue to maintain an appropriate disaster recovery plan with respect to its electronic information systems.
   11. Within 90 days from the effective date of this ORDER, the Bank shall develop and implement a policy regarding the acquisition and use of microcomputers in the conduct of the Bank's business (a "Microcomputer Policy"). In developing its Microcomputer Policy, the Bank shall consider Chapter 16 of the FFIEC Information System Examination Handbook, "End-User Computing." The Bank's board of directors shall review and approve the Microcomputer Policy prior to the Bank's implementation of such policy. Such review shall be recorded in the minutes of the Bank's board of directors. Thereafter, for as long as this ORDER shall remain in effect, the Bank shall adhere to the Microcomputer Policy and to any subsequent amendments thereto.
   12. Within 60 days of the effective date of this ORDER, and for so long as this ORDER shall remain in effect, the Bank shall take, and shall cause its information systems service provider(s), if any, to take, appropriate measures to segregate the duties of personnel so that no single employee of the Bank and/or of the Bank's service provider both conducts a business transaction on behalf of the Bank and performs data processing tasks, such as data entry, proofing, or data reconciliation, with respect to the same transaction.
   13. Within 60 days from the effective date of this ORDER, the Bank shall develop and begin to implement a plan to ensure that an appropriate number of employees are fully trained and duly authorized to operate the electronic information systems that are utilized by the Bank. Such plan shall be reviewed and approved by the Bank's board of directors prior to the Bank's implementation of such plan, and such review and approval shall be recorded in the minutes of the Bank's board of directors. By no later than 180 days from the effective date of this ORDER, and for so long as this ORDER shall remain in effect, the Bank shall ensure at all times that an appropriate number of employees are fully trained and duly authorized to operate the electronic information systems that are utilized by the Bank.

   [.5] 14. Within 60 days from the effective date of this ORDER, the Bank shall develop and implement revised audit policies and procedures in a manner that ensures that the Bank shall conduct effective audits of all aspects of its operations, including its electronic information systems. At a minimum, the Bank's revised audit procedures shall provide that: a) the Bank's internal and external auditors shall include the Bank's electronic information systems within the scope of periodic audits of the Bank; b) all audit reports that are presented by the Bank's internal and external auditors shall be reviewed by the Bank's board of directors within 30 days of the Bank's receipt of such audit reports, and such review shall be recorded in the minutes of the Bank's board of directors; c) within 60 days from the receipt of each and every report from its internal or external auditor(s), the Bank shall prepare a written response to such audit report, such written response shall be reviewed and approved by the Bank's board of directors, and such review and approval shall be recorded in the minutes of the Bank's board of directors; d) the Bank's internal auditor(s) shall have training and experience that is appropriate and sufficient to enable such internal auditor(s) to conduct appropriate audits of all aspects of the Bank's operations, including electronic information systems; e) the duties of the Bank's internal auditor(s) shall be defined to avoid potential conflicts involving the interests of the Bank, the Bank's holding company, and any subsidiary of the Bank's holding company; and f) internal and external audits of the Bank shall be conducted at regular intervals, the length of which shall be specified in the Bank's revised audit policy and procedures. Prior to the Bank's implementation of such revised audit policy and procedures, the Bank's board of directors shall review and approve such revised policy and procedures, and such review and approval shall be recorded in the minutes of the Bank's board of directors. Subsequently, for so long as this ORDER shall remain in effect, the Bank shall adhere to such revised audit policies and procedures and to any subsequent modifications thereof.
   15. Within 30 days from the effective date of this ORDER, and thereafter for as long as this ORDER shall remain in effect, the Bank shall retain the services of a qualified electronic information systems consultant who is acceptable to the Regional Director and to the Commissioner. Such consultant shall participate directly in the creation, and in all phases of the implementation, of the Bank's Year 2000 Plan as described in Paragraph 2 of this ORDER. Not less frequently than monthly, such consultant shall report to the Bank's board of directors regarding the status of the Bank's Year 2000 Plan. Such reports shall be recorded in the minutes of the Bank's board of directors.
   16. Following the effective date of this ORDER, the Bank shall send to its shareholders or otherwise furnish a description of this ORDER (1) in conjunction with the Bank's next shareholder communication and also (2) in conjunction with its notice or proxy statement preceding the Bank's next shareholder meeting. The description shall fully describe this ORDER in all material respects. The description and any accompanying communication, statement or notice shall be sent to the FDIC, Registration and Disclosure Section, Washington, D.C. 20429, and to the Commissioner, for review at least 20 days prior to dissemination to shareholders. Any changes requested to be made by the FDIC or the Commissioner shall be made prior to dissemination of the description, communication, notice or statement.

   [.6] 17. Within 90 days from the effective date of this ORDER, and within 15 days following the end of each calendar quarter thereafter, the Bank shall furnish written progress reports to the Regional Director and the Commissioner detailing the form and manner of any actions taken to secure compliance with this ORDER and the results thereof. Such reports may be discontinued when the corrections required by this ORDER have been accomplished and the Regional Director and the Commissioner have released the Bank in writing from making further reports. All progress reports and other written responses to this ORDER shall be reviewed by the board of directors of the Bank and made a part of the minutes of the appropriate board meeting.
   18. The provisions of this ORDER shall become effective ten (10) days from the date of its issuance and shall be binding upon the Bank, its successors and assigns, and to the extent provided in section 8(i) of the Act, 12 U.S.C. § 1818(i), its institution-affiliated parties. Further, the provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provision of this ORDER shall have been modified, terminated, suspended, or set aside by the FDIC.
   19. The provisions of this ORDER are separate from, and in addition to, the provisions of any other ORDER(S) with respect to the Bank.
   Pursuant to delegated authority.
   Dated at Atlanta, Georgia, this 12th day of November, 1997.


Last Updated 6/6/2003 legal@fdic.gov