Federal Deposit
Insurance Corporation

   [¶12,187] In the Matter of BAC Florida Bank, Coral Gables, Florida, Docket No. 04-083b (4-14-04).

   A cease and desist order was issued, based on findings by the FDIC that it had reason to believe that respondent was engaged in unsafe and unsound practices. (This order was terminated by order of the FDIC dated 12-22-05; see ¶16,450.)

   [.1] Violations of Law— Corrections of Violations Required

   [.2] Compliance Program—Written Compliance Plan Required

   [.3] Bank Operations—Adequate Staffing Required

   [.4] Compliance Program—Establishment of Directors' Committee Required

   [.5] Suspicious Activity Report—Policy Required

   [.6] Customer Due Diligence Program—Establishment Required

   [.7] Procedural Guidelines—Customer Due Diligence Program

   [.8] Procedural Guidelines—Foreign Correspondent Accounts

   [.9] KYC Policies and Procedures—Revise

   [.10] Audit—Revision of Policy Required

   [.11] Payable Through Account—Policy Revision

   [.12] Payable Through Account—Practice Procedures

   [.13] Master Account Holders—Information Required

   [.14] Bank Operations—Internal Review and Control Procedures—Establish

   [.15] Audit—Program Required

   [.16] Shareholders—Disclosure of Cease and Desist Order Required

   [.17] Progress Report—Written Report Required

In the Matter of
BAC FLORIDA BANK
CORAL GABLES, FLORIDA
(Insured State Nonmember Bank)
ORDER TO CEASE AND DESIST

FDIC-04-083b

   BAC Florida Bank, Coral Gables, Florida ("Bank"), having been advised of its right to a written Notice of Charges and of Hearing detailing the unsafe or unsound banking practices and violations of law and/or regulations alleged to have been committed by the Bank and of its right to a hearing on the alleged charges under section 8(b)(1) of the Federal Deposit Insurance Act ("Act"), 12 U.S.C. §1818(b)(1), and having waived those rights, entered into a STIPULATION AND CONSENT TO THE ISSUANCE OF AN ORDER TO CEASE AND DESIST ("CONSENT AGREEMENT") with a representative of the Legal Division of the Federal Deposit Insurance Corporation ("FDIC"), dated March 16, 2004, whereby solely for the purpose of this proceeding and without admitting or denying the alleged charges of unsafe or unsound banking practices and violations of law and/or regulations, the Bank consented to the issuance of an ORDER TO CEASE AND DESIST ("ORDER") by the FDIC.
{{6-30-04 p.C-6049}

   The FDIC considered the matter and determined that it had reason to believe that the Bank had engaged in unsafe or unsound banking practices and had committed violations of law and/or regulations.

   The FDIC, therefore, accepted the CONSENT AGREEMENT and issued the following:

   IT IS HEREBY ORDERED, that the Bank, its institution-affiliated parties, as such term is defined in section 3(u) of the Act, 12 U.S.C. Section 1813(u), and its successors and assigns cease and desist from the following unsafe or unsound banking practices and violations of laws and regulations:

   A. operating the Bank without effective Board of Directors and executive management supervision to prevent unsafe or unsound banking practices and violations of law and/or regulations of the Bank Secrecy Act ("BSA"), subchapter II of Chapter 53 of title 31 of the United States Code, and its implementing rules and regulations at 12 C.F.R. Part 326 and 31 C.F.R. Part 103 and Part 353 of the FDIC Rules and Regulations, 12 C.F.R. Part 353 ("Part 353");

   B. operating in violation of section 353.3 of the FDIC Rules and Regulations, 12 C.F.R. §353.3, as more fully described on page 20 of the FDIC's Report of Examination as of October 27, 2003 ("ROE");

   C. operating in violation of section 326.8 of the FDIC Rules and Regulations, 12 C.F.R. §326.8, as more fully described on page 20 of the ROE;

   D. operating in violation of section 103.121 of the Rules and Regulations of the Department of the Treasury, 31 C.F.R. §103.121 by failing to implement an effective customer identification program and/or effective "Know Your Customer" ("KYC") policies and procedures;

   E. failing to provide adequate supervision and direction over the operation of the Bank's "Payable Through Accounts" ("PTAs"), as that term is defined below;

   F. failing to implement effective internal controls and operating systems with regard to Master Account Holders ("MAHs"), as that term is defined below; and

   G. failing to document the nature and extent of foreign regulatory oversight of transactions between MAHs and Sub-Account Holders ("SAHs"), as that term is defined below, and the extent of risk to which the Bank is exposed by any potential gaps or weaknesses in such oversight and transactions between MAHs and SAHs.

   IT IS FURTHER ORDERED that the Bank, its institution-affiliated parties, and its successors and assigns take affirmative action as follows:

   [.1] 1. Beginning with the effective date of this Order, the Bank shall take all necessary steps, consistent with the other provisions of this ORDER and sound banking practices, to eliminate or correct all violations of law and/or regulations cited on page 20 of the ROE. In addition, the Bank shall adopt appropriate procedures to ensure future compliance with all applicable laws and regulations.

   [.2] 2. Within sixty (60) days from the effective date of this ORDER, the Bank shall develop and put into action a written plan for the continued administration of the Bank's BSA Compliance Program and KYC policies and procedures designed to, among other things, ensure and maintain compliance with the BSA and the BSA rules and regulations ("Compliance Plan"). The Bank shall submit the Compliance Plan to the Regional Director of the FDIC's Atlanta Regional Office, Division of Supervision and Consumer Protection ("Regional Director") and to the Director of the Florida Office of Financial Regulation ("OFR Director") (collectively, "Supervisory Authorities") for review. Upon receipt of comments from the Supervisory Authorities, if any, the Bank's Board of Directors ("Board") shall review and approve the Compliance Plan. The Board's review and approval shall be recorded in the minutes. Thereafter, the Bank shall put into action the written Compliance Plan. At a minimum, the Compliance Plan shall:

   (a) provide for a system of internal controls sufficient to assure compliance by the Bank and/or its subsidiaries with the BSA, the BSA rules and regulations, the Bank's KYC policies and procedures, and Part 353 and establish a plan for implementing such internal controls;

   (b) provide for independent testing for compliance by the Bank and/or its subsidiaries with the BSA, the BSA rules and regulations, the reporting of suspicious transactions required to be reported pursuant to Part 353, and the Bank's KYC Policy and Procedure. The independent testing shall be performed by qualified Bank personnel or by an outside party on an annual basis in compliance with the procedures described in the FDIC's "Guidelines for Monitoring Bank Secrecy Act Compliance" and establish a plan for implementing such independent testing;

   (c) provide for a suitable training program to assure that the Bank's international agents, the Board and all appropriate Bank and/or Bank subsidiary personnel, including, without limitation, tellers, customer service representatives, lending officers, private and personal banking officers, and all other customer contact personnel are trained in all aspects of regulatory and internal policies and procedures related to the BSA, the BSA rules and regulations, Part 353, and the Bank's KYC policies and procedures, including High-Risk Accounts and Enhanced Due Diligence training and establish a plan to implement and document such training;

   (d) designate a senior Bank official responsible for coordinating and monitoring day-to-day compliance with the BSA, the BSA rules and regulations, Part 353, and the Bank's KYC policies and procedures.

   [.3] 3. Within thirty (30) days from the effective date of this ORDER, the Bank shall analyze and assess the Bank's staffing needs to provide an adequate number of qualified staff for the Bank's BSA Department. The BSA Department staff shall be evaluated to determine whether these individuals possesses the ability, experience, training and other necessary qualifications required to perform present and anticipated duties, including adherence to the Bank'S BSA Compliance Program, the requirements of the BSA, the BSA rules and regulations, Part 353, the Bank's KYC policies and procedures, and the provisions of this ORDER.

   [.4] 4. Within thirty (30) days from the effective date of this ORDER, the Board shall establish a Directors' committee to oversee the Bank's compliance with the BSA, the BSA rules and regulations, Part 353, and the Bank's KYC policies and procedures. The Directors' committee shall receive comprehensive monthly reports from the qualified officer appointed pursuant to paragraph 2(d) of this ORDER regarding the Bank's compliance with the BSA, the BSA rules and regulations, Part 353 and the Compliance Plan described in paragraph 2 above. The Directors' committee shall present a report regarding the Bank's compliance to the Board at each regularly scheduled meeting of the Board, which shall be recorded in appropriate minutes of the Board meeting and retained in the Bank's records.

   [.5] 5. (a) Within sixty (60) days from the effective date of this ORDER, the Bank shall establish and put into action monitoring and reporting procedures for Suspicious Activity Reports ("SARs") and Currency Transaction Reports to ensure that all appropriate Bank employees are aware of the procedures, including accurate recordkeeping, form completion and the detection and reporting of known and/or suspected criminal activity, and their responsibilities in implementing the procedures.

   (b) Within thirty (30) days from the effective date of this ORDER, the Bank shall review the unresolved exceptions generated by "Assist," the Bank's BSA monitoring software system, identified on page 15 of the ROE to verify that sufficient documentation exists to support the Bank's determination whether to file an SAR. Thereafter, the Bank shall review the exceptions at least monthly to verify that sufficient documentation exists to ensure the identification and timely, accurate and complete reporting of suspicious activity as required by Part 353.

   [.6] 6. Within sixty (60) days from the effective date of this ORDER, the Bank shall develop, adopt and put into action a written customer due diligence program. Such program and its implementation shall be in a manner acceptable to the Supervisory Authorities as determined at subsequent examinations and/or visitations of the Bank. At a minimum, the customer due diligence program shall provide for the following:

   (a) a risk focused assessment of the customer base of the Bank to determine the appropriate level of enhanced due diligence necessary for those categories of customers that the Bank has reason to believe pose a heightened risk of illicit activities at the Bank;

   (b) for those customers whose transactions require Enhanced Due Diligence, procedures to:

   (i) determine the appropriate documentation necessary to confirm the identity and business activity of the customer;

   (ii) understand the normal and expected transactions of the customer; and

   (iii) reasonably ensure the identification and timely, accurate and complete reporting of known or suspected criminal activity against or involving the Bank to law enforcement and the Supervisory Authorities, as required by the suspicious activity reporting provisions of Part 353.

   [.7] 7. Within ninety (90) days from the effective date of this ORDER, the Bank shall develop and put into action procedural guidelines for BSA Department staff and the Bank's Account Officers in connection with the customer due diligence program required by paragraph 6 of this Order, that address, at a minimum:

   (a) proper documentation and enhanced due diligence procedures for Money Service Businesses, PTAs and correspondent accounts;

   (b) time limits for Account Officers to respond to account activity exceptions;

   (c) time limits for determining if exceptions require a SAR;

   (d) identification of customers requiring site visitations and frequency of visitations;

   (e) identification of the ownership of personal investment companies;

   (f) regular updating of background information on all international agents, regardless of how long they have worked with the Bank;

   (g) independent confirmation of profiles of moderate and low risk account customers referred by international agents; and

   (h) identification and proper risk-coding of all Money Service Businesses, brokerage and exchange houses, bearer share accounts, and privately owned investment companies.

   [.8] 8. Within ninety (90) days from the effective date of this ORDER, the Bank shall develop and put into action due diligence procedures and guidelines for the BSA Department staff and Account Officers in connection with the Bank's foreign correspondent accounts, which shall include, at a minimum:

   (a) regular, periodic, comprehensive on-site visitations of the foreign correspondent;

   (b) regular, periodic review and written assessment of the foreign correspondent's anti-money laundering program;

   (c) regular, periodic review and written assessment of the foreign government's supervision of the foreign correspondent; and

   (d) compliance with the New York Clearing House guidelines regarding Enhanced Due Diligence for foreign correspondent banks.

   [.9] 9. (a) Within ninety (90) days from the effective date of this ORDER, the Bank shall revise its current KYC policies and procedures. The Bank shall establish revised procedures for identifying and verifying the type and dollar volume of transactions in each deposit account that exceeded customer expected levels of cash or wire transfer activity.

   (b) Within ninety (90) days from the effective date of this ORDER, the Bank shall develop and put into action internal control procedures requiring regular periodic comparison of actual activity in each account identified in 9(a) above against expected or anticipated activity. Such internal control procedures shall include procedures for identifying and documenting significant variances between anticipated and actual activity and for reporting variances to Bank management and, when appropriate the filing of SARs.

   [.10] 10. Within sixty (60) days from the effective date of this ORDER, the Bank shall amend its audit policies, procedures, and practices, both with regard to internal audits and with regard to external audits, so that the Bank's compliance with the BSA, the BSA rules and regulations, Part 353, and the Bank's KYC policies and procedures are subject to periodic review as part of the Bank's routine auditing. Thereafter, the Bank's internal and external audits shall include reviews of these areas, with significant exceptions reported directly to the Bank's Board of Directors.
{{6-30-04 p.C-6052}

   11. For purposes of this ORDER:

   (a) PTA means any deposit account established by the Bank pursuant to any agreement under the terms of which the Bank establishes a master account for a MAH, subdivides the master account into sub-accounts for use by SAHs, and permits the master account to be accessed via the sub-accounts by SAHs.

   (b) MAH means a person or entity in whose name a PTA master account is established or maintained by the Bank.

   (c) SAH means any person or entity that is assigned a sub-account through which the person or entity is permitted to deposit funds into a PTA and write checks against a PTA or make withdrawals from a PTA.

   [.11] 12. Within 180 days from the effective date of this ORDER, for any PTAs that remain open, the Bank shall:

   (a) prepare or obtain with regard to each MAH a written description of the institutions, mechanisms, systems, and/or procedures through which such MAH, its agents, and/or its affiliates obtain and process funds that are ultimately deposited into the Bank's PTAs;

   (b) take all reasonable steps to verify the accuracy of the descriptions required by subparagraph 12(a);

   (c) obtain certification from an authorized officer of each MAH that the MAH, its agents, and its affiliates operate in conformity with the applicable laws and regulations of all foreign jurisdictions in which the MAH, its agents, and/or its affiliates obtain and/or process funds that are ultimately deposited in the Bank's PTAs; and

   (d) obtain with regard to each MAH a written description of the extent to which the institutions, mechanisms, systems, and procedures through which the MAH, its agents, and/or its affiliates obtain and/or process funds that are ultimately deposited into the Bank's PTAs are subject to foreign regulatory oversight by the foreign countries in which such MAH is chartered or is otherwise subject to bank regulatory authorities.

   [.12] 13. Within 180 days from the effective date of this ORDER, for any PTAs that remain open, the Bank shall develop and put into practice procedures for routine, periodic independent verification of information provided to the Bank by MAHs regarding said MAHs and/or SAHs.

   [.13] 14. (a) Within 180 days from the effective date of this ORDER, for any PTAs that remain open, the Bank shall obtain or prepare, as appropriate, the following information regarding each MAH:

   (i) Articles of Incorporation or other organizational or chartering documents;

   (ii) current By-laws or their equivalent;

   (iii) documents establishing the scope of authority for each individual who transacts PTA activity with the Bank;

   (iv) current MAH policies and procedures for opening sub-accounts;

   (v) biographical information, including the experience, education, capacity, and integrity of each officer or employee authorized to open sub-accounts or authorized to conduct transactions involving sub-accounts;

   (vi) current credit information of the type on which the Bank would rely in the ordinary course of business if it were extending credit to the MAH;

   (vii) an appropriate credit analysis by the Bank if the PTA agreement between the Bank and the MAH provides for the possibility of an extension of credit to the MAH;

   (viii) an unaudited financial statement of the most recent fiscal quarter and an audited financial statement for the most recent fiscal year;

   (ix) a corporate resolution relating to the existence and operation of the PTA;

   (x) a site visitation by the Bank to the administrative headquarters and/or operations center; and

   (xi) an assessment by the Bank of foreign government oversight.

   (b) The Bank shall periodically update the information obtained pursuant to subparagraph 14(a) and shall retain the information for a period of five (5) years following the closing of the PTA involving such MAH.

   [.14] 15. Within thirty (30) days from the effective date of this ORDER, the Bank shall develop and put into action internal control procedures that shall include, at a minimum:

   (a) regular periodic comparison of actual PTA activity in each sub-account against expected or anticipated activity;

   (b) routine and/or automated procedures and systems for documenting variances between anticipated and actual PTA activity;

   (c) reporting such variances to Bank management and, as appropriate, the Supervisory Authorities and/or law enforcement.

   [.15] 16. Within sixty (60) days from the effective date of this ORDER, the Bank shall amend its internal and external audit policies, procedures, and practices so that the Bank's PTA activities are subject to periodic review as part of the Bank's routine audits.

   [.16] 17. Following the effective date of this ORDER, the Bank shall send to its shareholders or otherwise furnish a description of this ORDER (i) in conjunction with the Bank's next written shareholder communication; and (ii) in conjunction with its notice or proxy statement preceding the Bank's next shareholder meeting. The description shall fully describe this ORDER in all material respects. The description and any accompanying communication, statement or notice shall be sent to the FDIC, Registration and Disclosure Section, 550 17th Street, N.W., Washington, D.C. 20429, and to the OFR, 200 East Gaines Street, Tallahassee, Florida 32399-0371, for review at least twenty (20) days prior to dissemination to shareholders. Any changes requested to be made by the FDIC or the OFR shall be made prior to dissemination of the description, communication, notice or statement.

   [.17] 18. Within ninety (90) days from the effective date of this ORDER, and within thirty (30) days following the end of each calendar quarter while this ORDER is in effect, the Bank shall furnish written progress reports to the Regional Director and to the OFR detailing the form and manner of all actions taken to secure compliance with this ORDER and the results of such actions. Such reports may be discontinued when the corrections required by this ORDER have been accomplished and the Regional Director and the OFR have released the Bank in writing from making further reports. All progress reports and other written responses to this ORDER shall be reviewed by the Board and made a part of the minutes of the appropriate Board meeting.

   The effective date of this ORDER shall be ten (10) days from the date of its issuance. This Order shall be binding upon the Bank, its institution-affiliated parties, and its successors and assigns. Further, the provisions of this ORDER shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this ORDER shall have been modified, terminated, suspended, or set aside by the FDIC.

   Pursuant to delegated authority.

   Dated this 14th day of April, 2004.