{{12-31-99 p.C-4693}}
[¶11,600] In the Matter of Bank of Lakewood, Lakewood, California, Docket No. 99-023b (3-9-99)
A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that respondent had engaged in unsafe and unsound practices.(This order was terminated by order of the FDIC dated 10-29-99; see ¶16,244.)
[.1] Year 2000 Plan—Year 2000 Officer—Qualifications Specified
[.2] Year 2000 Plan—Status Reports Required
[.3] Year 2000 Plan—Electronic Information Systems Consultant Required
[.4] Year 2000 Plan—Budget
[.5] Year 2000 Plan—Preparation Required
[.6] Year 2000 Plan—Problem Assessment
[.7] Year 2000 Plan—Periodic Audits
[.8] Year 2000 Plan—Remediation Contingency Plan Required
[.9] Year 2000 Plan—Business Resumption Contingency Plan Required
[.10] Year 2000 Plan—Mission Critical Systems Tested
[.11] Year 2000 Plan—Future Testing and Verification Required
[.12] Year 2000 Plan—Year 2000 Liquidity Contingency Plan Required
[.13] Year 2000 Plan—Diligence Reviews
[.14] Shareholders—Disclosure of Cease and Desist Order Required
In the Matter of
BANK OF LAKEWOOD
LAKEWOOD, CALIFORNIA
(Insured State Nonmember Bank)
ORDER TO
CEASE AND DESIST
FDIC-99-023b
Bank of Lakewood, Lakewood, California ("Bank"), having been advised of its right to a Notice of Charges and of Hearing detailing the unsafe or unsound banking practices alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with counsel for the Federal Deposit Insurance Corporation ("FDIC"), dated March 4, 1999, whereby solely for the purpose of this proceeding and
{{12-31-99 p.C-4694}}without admitting or denying the alleged charges of unsafe or unsound banking practices, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices. The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:
ORDER TO CEASE AND DESIST
IT IS HEREBY ORDERED, that the Bank, its institution-affiliated parties, as that term is defined in section 3(u) of the Act, 12 U.S.C. §1813(u), and its successors and assigns cease and desist from the following unsafe and unsound banking practices:
(a) operating with a board of directors and management which has failed to provide adequate supervision and direction to prevent unsafe and unsound practices with respect to the Bank's electronic information systems and other automated systems that are used by the Bank, or upon which the Bank depends for the conduct of its business ("Bank Information Systems");
(b) operating with inadequate and/or incomplete plans, policies and practices with respect to Bank Information Systems to the detriment of the Bank and which jeopardize the safety of its deposits; and
(c) failing to take appropriate measures to ensure that the Bank Information Systems are Year 2000 ready as defined in the Interagency Guidelines Establishing Year 2000 Safety and Soundness Standards (the "Guidelines") published in the Federal Register on October 15, 1998 and the FFIEC guidance papers referred to therein (the "FFIEC Guidance").
IT IS FURTHER ORDERED, that the Bank, its institution-affiliated parties, and its successors and assigns, take affirmative action as follows:
[.1] 1. (a) The Bank shall have and retain qualified management. The qualification of Bank management shall be assessed on its ability to:
(i) comply with the requirements of this ORDER; and
(ii) ascertain that the Bank Information Systems are fully Year 2000 ready and are appropriately tested to demonstrate such readiness.
(b) The Bank shall have and retain an executive officer as the Bank's Year 2000 Officer. The Year 2000 Officer shall possess the experience and qualifications necessary to achieve Year 2000 readiness and prepare the Bank for contingencies that may arise relating to the Year 2000. The Year 2000 Officer shall be provided the necessary written authority to implement the provisions of this ORDER relating to Year 2000 compliance.
(c) The Year 2000 Officer shall have the authority to appoint additional Bank personnel to assist in complying with the provisions in this ORDER relating to Year 2000 readiness.
(d) As long as this ORDER remains in effect, the Bank shall notify the Regional Director of the FDIC's San Francisco Regional Office ("Regional Director") in writing of any vacancy in the position, or change in the person filling the position. Such notification shall include the names and qualifications of any replacement personnel and shall be provided at least 10 days prior to any individual assuming the new position.
[.2] 2. The Year 2000 Officer shall provide monthly status reports to the Bank's board of directors. Such reports shall detail the Bank's progress in implementing the plan for achieving Year 2000 readiness ("Year 2000 Plan"). At a minimum, the reports shall include such information as described for quarterly board reports in the FFIEC Safety and Soundness Guidelines Concerning the Year 2000 Business Risk dated December 17, 1997. The Bank shall submit copies of the monthly progress reports to the Regional Director. The minutes of the board of directors meetings shall reflect the review of such reports and any material action taken by the board of directors to address any Year 2000 problems.
[.3] 3. Within 30 days from the effective date of this ORDER, and thereafter for as long as this ORDER shall remain in effect, the Bank shall retain the services of a qualified electronic information systems consultant who is acceptable to the Regional Director. Such consultant shall participate directly in the creation, and in all phases of the implementation, of the Bank's Year 2000 Plan as described in Paragraphs 5 through 15 of this ORDER. Not less frequently than monthly, such consultant shall report to the Bank's board of directors regarding the status of the Bank's Year 2000 Plan. Such re-
{{5-31-99 p.C-4695}}ports shall be recorded in the minutes of the Bank's board of directors meetings.
[.4] 4. Within 15 days for the effective date of this ORDER, the Bank shall identify the resources that will be needed to achieve Year 2000 readiness, and establish a budget and time frames for achieving the same. The budget shall be reviewed and approved by the Bank's board of directors prior to adoption, and such review and approval shall be recorded in the minutes of the Bank's board of directors meeting. Immediately following the adoption of the Bank's budget, the Bank shall submit a copy of the budget to the Regional Director. The budget and its implementation shall be in a form and manner acceptable to the Regional Director as determined at subsequent examinations and/or visitations.
[.5] 5. (a) Within 30 days from the effective date of this ORDER, the Bank shall revise, expand, adopt and implement its Year 2000 Plan which details how the Bank shall assess, renovate, and test all Bank Information Systems to establish that they are fully Year 2000 ready. The Bank's Year 2000 Plan shall contain provisions to address all of the requirements of this ORDER and shall be in accordance with the Guidelines and FFIEC Guidance including, but not limited to, the FFIEC May 5, 1997, Interagency Statement on Year 2000 Project Management Awareness and other statements and guidelines by the FFIEC regarding Year 2000 readiness and contingency planning ("FFIEC issuances"). Further, the Bank's Year 2000 Plan shall address all items of criticism contained in the Year 2000 Readiness Phase II Assessment as of January 6, 1999. Specifically, the Bank's Year 2000 Plan shall contain provisions that address the following items of criticism:
(i) The Year 2000 Plan shall contain clearly defined objectives and deadlines, documenting the specific tasks to be accomplished, the individuals assigned to the tasks, and the specific dates for completion.
(ii) The Year 2000 Plan shall contain a customer awareness program which is in compliance with the applicable FFIEC Interagency Statements.
(iii) The Year 2000 Plan shall contain adequate procedures for monitoring and conducting ongoing communication with service providers and software vendors.
(b) The Year 2000 Plan shall also incorporate any items of identified by the written assessment in accordance with Paragraph 6 of this ORDER.
(c) The Year 2000 Plan shall be reviewed and approved by the Bank's board of directors prior to adoption, and such review and approval shall be recorded in the minutes of the Bank's board of directors meeting. Immediately following the adoption of the Bank's Year 2000 Plan, the Bank shall submit a copy of the plan to the Regional Director. The Bank's board of directors shall consider any comments on the Year 2000 Plan from the FDIC and shall amend the Year 2000 Plan as necessary.
[.6] 6. Within 30 days of the effective date of this ORDER, the Bank shall develop a written assessment that identifies the extent of the actual and potential Year 2000 problems facing the institution. The items identified in this assessment shall be addressed in the Bank's Year 2000 Plan. The Bank's written assessment shall be reviewed and approved by the Bank's board of directors, and such review and approval shall be recorded in the minutes of the Bank's board of directors meeting. Immediately thereafter, a copy of such written assessment and the amended Year 2000 Plan shall be provided to the Regional Director. Such assessment shall:
(a) Identify all information systems hardware, operating systems software, application software, data files, automated teller machines, telecommunications technologies, environmental systems, and other automated systems that are used by the Bank;
(b) Identify all interdependencies between the Bank Information Systems and those of its service providers, software vendors, other entities with which the Bank regularly exchanges data electronically, and material Bank customers;
(c) Conduct due diligence of the Bank's service providers, any service provider that is used by the Bank's service providers, and software vendors, in accordance with the Guidelines and the FFIEC Guidance, to determine such service provider's or software vendor's awareness of, and ability to correct, any Year 2000 readiness problems;
(d) Evaluate the effect of implementation of the Year 2000 Plan on data exchange between the Bank and its service provid-
{{5-31-99 p.C-4696}}ers and other entities with which the Bank regularly exchanges data;
(e) Establish priorities for renovation, validation, and implementation of Bank information systems which are most critical to the Bank's operations, as discussed in the Guidelines and the FFIEC Guidance ("Internal Mission Critical Systems"); and
(f) Evaluate the potential Year 2000 problems that mergers & acquisitions, major systems development, and corporate alliances may have on existing Bank Information Systems and the potential Year 2000 readiness issues that may arise from acquired systems.
[.7] 7. Within 30 days from the effective date of this ORDER, the Bank shall amend its internal and external audit policies to require bi-monthly audits of the Bank's Year 2000 Plan and its implementation, in accordance with the Guidelines and the FFIEC Guidance. Thereafter, the Bank shall perform bi-monthly audits of the Year 2000 Plan and its implementation. The written results of the audits shall be reviewed by the Bank's board of directors, and such reviews shall be noted in the minutes of the board of directors meetings.
[.8] 8. Within 30 days of the effective date of this ORDER, the Bank shall develop a Remediation Contingency Plan, in accordance with the Guidelines and FFIEC Guidance. The Remediation Contingency Plan shall set forth the Bank's alternate plans to assure continuity of operations in the event the Bank must retain Year 2000 ready replacement Internal Mission Critical Systems, service providers or software vendors, or obtain Year 2000 ready replacement computer hardware or software from alternate sources. Such Remediation Contingency Plan shall be provided to the Regional Director for his review and comment. The Bank's board of directors shall review any comments from the FDIC and shall amend the Remediation Contingency Plan as necessary.
[.9] 9. By June 30, 1999, the Bank shall develop a Business Resumption Contingency Plan, in accordance with the Guidelines and the FFIEC Guidance. The Business Resumption Contingency Plan shall set forth the Bank's plans to mitigate risks associated with the failure of its systems at critical dates. The Business Resumption Contingency Plan shall include identification of the Bank's core business processes and a specific recovery plan for the possible failure of each core business process. The Bank shall provide a copy of the Business Resumption Contingency Plan to the Regional for his review and comment. The Bank's board of directors shall review any comments from the FDIC and shall amend the Business Resumption Contingency Plan as necessary.
[.10] 10. By no later than June 30, 1999, the Bank shall have in place Internal and External Mission-Critical Systems that are fully Year 2000 ready. Such implementation shall include a written determination by the Bank that the Internal and External Mission-Critical Systems have been tested successfully to determine that such systems are fully Year 2000 ready. A copy of such written determination shall be provided to the Regional Director.
[.11] 11. Upon the effective date of this ORDER, and for so long as this ORDER shall remain in effect, the Bank shall acquire or contract for the use of electronic information systems hardware, operating systems, and applications software only if such hardware, systems, and software have been successfully tested for Year 2000 readiness prior to use by the Bank. The Bank shall also ensure that any new Bank Information Systems and modifications to existing Bank Information Systems which have been previously verified as Year 2000 ready are Year 2000 ready.
12. Within 30 days from the effective date of this ORDER, and every 30 days thereafter, the Bank shall prepare a written assessment of the Bank's risk from Year 2000 noncompliance by the Bank's material customers' information systems. The written assessment shall be in accordance with the Guidelines and the FFIEC Guidance. The Bank shall use this assessment in its quarterly analysis of the risk in its loan portfolio, the adequacy of its allowance for loan and lease losses, and its liquidity position. The assessment shall be reviewed by the Bank's board of directors, and such review shall be recorded in the minutes of the Bank's board of directors meeting. The Bank shall develop and implement appropriate risk controls to manage and mitigate the risks posed by their customers' Year 2000 readiness status.
[.12] 13. Within 30 days of the effective date of this ORDER, the Bank shall develop and adopt a Year 2000 Liquidity Contingency Plan which addresses potential liquidity concerns relating to the Year 2000. Such plan shall be in accordance with the Guidelines and the FFIEC Guidance and shall spe-
{{5-31-99 p.C-4697}}cifically address all items of concern set forth on page 18 of the FDIC's Year 2000 Phase II Assessment dated January 6, 1999. The plan shall be provided to the Regional Director for his review and comment. The Bank's board of directors shall review any comments from the FDIC and shall amend the Year 2000 Liquidity Contingency Plan as necessary.
[.13] 14. (a) Within 30 days from the effective date of this ORDER, the Bank shall perform due diligence reviews to determine whether the Year 2000 readiness procedures of its service providers and software vendors, and the time frames for implementation of those procedures, are adequate. The Bank's due diligence reviews shall be conducted in accordance with the Guidelines and the FFIEC Guidance.
(b) By March 31, 1999, the Bank shall implement an on-line testing or verification process for internal and external systems, in accordance with the Guidelines and the FFIEC Guidance, to establish that its service providers are Year 2000 ready. Such testing shall be substantially completed by May 31, 1999. If a service provider is not Year 2000 ready by June 30, 1999, the Bank shall immediately implement the relevant provisions of its Remediation Contingency Plan.
[.14] 15. Following the effective date of this ORDER, the Bank shall send to its shareholders or otherwise furnish a description of this ORDER in conjunction with the Bank's next shareholder communication and also in conjunction with its notice or proxy statement preceding the Bank's next shareholder meeting. The description shall fully describe the ORDER in all material respects. The description and any accompanying communication, statement, or notice shall be sent to the FDIC, Registration and Disclosure Section, 550 - 17th Street, N.W., Washington, D.C. 20429, at least fifteen (15) days prior to dissemination to shareholders. Any changes requested to be made by the FDIC shall be made prior to dissemination of the description, communication, notice, or statement.
16. On the tenth day of the first month following the effective date of this ORDER, and on the tenth day of every month thereafter, the Bank shall furnish written progress reports to the Regional Director detailing the form and manner of any actions taken to secure compliance with this ORDER and the results thereof. Such reports may be discontinued when the corrections required by this ORDER have been accomplished and the Regional Director and the Acting Commissioner has released the Bank in writing from making further reports.
This ORDER shall become effective ten (10) days from the date of its issuance.
The provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this ORDER shall have been modified, terminated, suspended, or set aside by the FDIC.
Pursuant to delegated authority.
Dated at San Francisco, California, this 9th day of March, 1999.
